According to the Anti-Phishing Working Group, more brands are under attack than ever before. Globally, individual bank brands are each paying tens of thousands of dollars annually to hire international firms tasked with detecting phishing attacks and shutting down the websites that support them. Phishers are increasingly targeting the GCC due to the poor economic conditions elsewhere, the growing use of credit cards and online resources in the region, and an unfortunate lack of awareness of the crime.
Both local banks and local consumers are being damaged by phishing, and Greg Day, principal security analyst EMEA at McAfee, believes that fighting these criminals must become a shared responsibility. Online banking services are more cost effective for the banks, so they are encouraging consumers to use them. Consumers are also being issued with credit cards, which are not only convenient but also profitable for the banks.
“You wouldn’t buy a car that wasn’t equipped with brakes. Yes, the car would take you places but without brakes it would be too dangerous to drive,” said Day. “That’s why there needs to be awareness of and compliance with the security requirements for doing online banking and using credit cards - so convenience is coupled with safety.”
First, consumers need to be aware of the terms and conditions for the use of online banking systems and credit cards. At a minimum, most Saudi banks require that consumers advise the bank of any fraudulent transaction within 20 days of the statement issuance date. Liability can differ considerably depending on the banking product used.
“Around the world, liability for fraudulent transactions on credit cards usually varies,” said Day. “My understanding is that in the USA you can only be liable for the first $50. That regulation was something implemented by the government to increase consumer confidence and spending. In most of mainland Europe, it depends on the terms and conditions of the bank, especially with things such as credit cards. I’ve seen it from 14 days to two or three months for notification of fraud. Consumers have a responsibility to monitor their statements.”
Saudi banks offer not only paper statements but also online account access and even notification of transactions through SMS to mobile phones. Sign up for every form of notification possible to be aware of all transactions on credit cards and bank accounts.
Additionally, don’t do online banking or make online purchases using unsecured Internet connections such as those at an Internet café or by using WiFi at a coffee shop. It’s all right to use a public network to find directions or to check out information on a website, but never enter personal information or passwords. The computers at an Internet café could have key loggers installed and public networks could have compromised security. Day stated that there have been stories of organized criminals in different countries setting up Internet cafés to steal personal and financial information. If you do use your own PC with a public connection, make sure you have up-to-date security software in place before connecting to the network. It would be nasty to take a “bug” back home.
Remember too that online banking and credit card transactions are only done through secure online resources. The web address or URL of any online banking page or site requesting a credit card or a personal identification number (PIN) should begin with https: instead of http:. If it doesn’t, don’t use it! The “s” after http: is an indication of security, but it is not infallible. That is why it is still very important to know the URL of your online banking site and be cautious in using online retailers. Never provide personal or financial details by e-mail or in response to an e-mail.
One other point that Day mentioned was to be wary of “sharing” the personal aspects of your life in a public way through social networking sites, even those that are supposed to be for business use.
“Social networking is something that people don’t necessarily link to their online banking but it’s amazing if you have a password for your online banking how many people either insinuate it or give it away through the information they expose through social networking sites,” he commented. “Mother’s maiden name, pet’s name, favorite football team, etc. are often chosen as a password or answer to a memorable question that can recover a password. Such information is too often posted on social networking sites.”
Day also discussed a more frightening form of phishing attack in which publicly available online information is combined with social engineering to collect credit card or banking information.
“The itineraries of executives in bigger companies can be publicly available,” said Day. “There have been incidents in which someone has called these executives out of the blue, claiming to be from their bank saying, ‘We know you are in this country today. We think there has been a fraudulent transaction already. We need the following information from you.’ And the executives have given up their personal details.”
If phishing attacks stopped netting profits, they would cease. Help in the fight. Forward phishing e-mails to the management of the brand under attack so they can shut down the criminals.
Reveal your password and cry
Publication Date: Wed, 2010-03-24 09:14
© 2024 SAUDI RESEARCH & PUBLISHING COMPANY, All Rights Reserved And subject to Terms of Use Agreement.