Bank customers who fall victim to cybercrime through phishing or other fraudulent methods are not only harmed in terms of the psychological stress and often onerous process of reversing the damage, but can even find it difficult to get their money back.
Meanwhile, the scams used by cyber criminals to fleece their victims have become increasingly sophisticated, making it even more imperative that customers be vigilant of the signs that fraud may be afoot.
1. Alleged bank transfers
“Notice of upcoming direct debit,” “Confirmation of your transaction” — these or similar are the subject lines in emails purporting to be from your own bank, usually followed by a sum in the mid three-digit range. In other words, not utopian amounts, but just enough to make a small dent in the budget and frighten the unsuspecting bank customer.
It is precisely this emotional reaction that the fraudsters are banking on. The message usually contains a link that leads to a website that looks confusingly similar to the online offering of a real bank.
Here, the fraud victims log in with their access data (which falls into the hands of the fraudsters) and cancel the alleged transaction with a transaction authorization number (which also falls into the hands of the fraudsters). The fraudsters then use the captured information to transfer money from their victim’s account (usually automatically within seconds).
Of course, this only works if the recipients of the emails actually have an account with the bank named as the sender. However, as the criminals send their emails to hundreds of thousands of recipients, they often end up with people to whom this applies.
How to protect yourself: This scam works because emotions, such as the fear of financial loss, trigger a strong impulse to act. The fraudsters give this impulse to act a direction with a message such as “You can check the transaction via the link below and cancel it if necessary.” Simply knowing this mechanism of action can help you not to give in to the impulse.
If you are unsure whether it is an authentic message from your bank, access your online banking in the usual way. In other words, use the banking app on your smartphone or type the address directly into your browser. If you are still not completely reassured, call your bank.
Important: Never use the link or contact details sent to you in the dodgy message.
2. Bank employee calls
A scam that uses similar mechanisms to the one mentioned above works via the telephone.
Sometimes the callers pretend to be employees of the victim’s bank if they have managed to spy on them beforehand. More often, however, they claim to be from a police authority, a cyber security company, or Microsoft.
They then tell the potential fraud victim that they have noticed “unusual activity,” such as atypical account access, strange data streams from and to the IP address of the person called, or that sensitive information about the person has appeared on the darknet. Nothing has happened yet, but they now need the person’s support to prevent financial damage.
In the conversation that follows, the callers ask for all kinds of personal data, allegedly always to “cross-check” it.
From access to online banking to credit card security codes or life insurance policy numbers, skillful fraudsters have already obtained all kinds of personal data in this way. On the one hand, to drain their victims’ accounts, and on the other, to use their identity for further scams.
How to protect yourself: This scam is based on the influence factor “authority” and often also on the fact that the callers can already give their victims some of their personal information. In preparation for such a scam, the scammers often search their victims’ social media profiles.
If you receive such a call, do not engage in a conversation. Ask for the caller’s telephone number and promise to call them back. If the caller refuses, end the call. If they give you a telephone number, do a reverse search to find out who is behind it. You will then have something more to report to the police.
3. IBAN trap
IBAN stands for “international bank account number.” A typical promise made by fraudsters using the IBAN trap is: “4.5 percent on overnight money!” This is not a spectacular amount, but it is one or two percentage points more than most banks offer.
Victims usually come across such offers in a roundabout way, for example via ominous “financial comparisons.” The offers of numerous reputable banks are compared, but the first place is regularly taken by a bank with a rather unknown name (which one varies) and a registered office outside the country.
Via a link on the price comparison page, the prospective victim of fraud can then set up an account with this bank, receive his IBAN minutes later, and can then transfer his savings there.
The trick: The bank really exists, but the IBAN belongs to an existing account that the fraudster has access to. Theoretically, the recipient bank could notice that the name of the recipient on the transfer does not match the name of the account holder.
In practice, banks are not obliged to pay attention to this. Once the money has arrived there, the fraudster clears the account. Instead of receiving high interest rates, the customer loses their money. Unlike direct debits, transfers cannot be cancelled once the money has arrived in the other account. And it can take months before the fraudster realizes the damage.
How to protect yourself: “Greed eats brains” is a stock market adage. If an offer is unusually good, check whether this offer is even known elsewhere — for example on some of the better-known, reputable comparison platforms. If there is only this one source where the high-interest account is advertised: Hands off!
4. Banking in open WLANs
IDG
They are commonplace at airports, hotels, and cafes: Free WLAN access points. The official airport or hotel Wi-Fi networks would generally be trustworthy if criminals hadn’t come up with the idea of setting up “evil twins” of these networks:
“Evil Twins” or “Rogue Access Points” look like legitimate WLANs from airports, hotels, or other public places. If users connect to these fake access points, in the worst case scenario, the fraudsters can intercept all data traffic and steal sensitive information such as passwords, credit card details, or other personal data.
How to protect yourself: The bad news is that evil twins are virtually indistinguishable from their trustworthy siblings. If you need to access your banking services while travelling and have to use open WLANs, a VPN service (such as Cyberghost, NordVPN or ExpressVPN) is a sensible investment.
The VPN ensures that all your data traffic to and from your device is encrypted. This means that any intercepted data loses its value for criminals.
5. Fake SMS from the bank
Smishing works on the same principle as phishing by email, except that here the criminals communicate by text message. Bank customers in particular who use two-factor authentication via SMS or confirm their transactions via SMS-TAN do not initially suspect anything if they receive a notification from their bank in this way.
How to protect yourself: If you are unsure whether the message actually comes from your bank, access your online banking via the bank’s official website. Never click on the link you received by text message. No trustworthy bank sends SMS messages containing links.
6. Man-in-the-middle browser attacks
Man-in-the-middle browser attacks are one of the most insidious dangers in online banking. Cyber criminals inoculate their victims’ browsers with malware.
To do this, they exploit unpatched security vulnerabilities or offer seemingly useful software for download that infects the browser on the side. If a user wants to initiate a bank transfer, the malware can intercept and manipulate the transactions.
For example, it can change transfer data — in particular the amount and the recipient. The user is still shown the correct information, while the bank receives manipulated data.
How to protect yourself: Always use the latest version of your browser and operating system and do not put off installing updates. An antivirus program is a matter of course.
7. Session hijacking
With session hijacking, cyber criminals also exploit technical security gaps in their victims’ browsers and/or operating systems — and have to wait until they start an online banking session.
They then obtain the user’s session ID, which is used to authenticate the session, either by monitoring network traffic, injecting code, or exploiting vulnerabilities during generation.
With this session ID, cyber criminals can then take over the user’s session and do everything that the user could do when banking online.
How to protect yourself: As with the trap above, you are safest with an up-to-date browser in its latest version and a patched, up-to-date operating system. You can create additional security by logging out as soon as you no longer need the banking application and closing the browser window.
8. Missing limits
With a high transaction limit, cyber criminals with access to your online banking only need a single stolen TAN (transaction authorization number) to drain the account of the entire balance plus the overdraft facility granted.
How to protect yourself: Set a transaction limit that is not significantly higher than the transfers you make in everyday life. If a transfer is made that exceeds your set limit, increase the limit temporarily and then reset it again immediately. The slightly higher effort is well worth the added security.
9. Outdated operating systems
Microsoft does not publish any information on security vulnerabilities in old operating systems and does not provide any updates against them. However, cyber criminals are still targeting Windows XP and 7: They track down previously undiscovered security gaps and often exploit them for attacks without being noticed.
How to protect yourself: A license for Windows 10 or 11 doesn’t cost the earth. Invest in your security. Another option is to carry out your banking transactions via smartphone. There is significantly less malware for Android and iOS than for Windows.