Scammers are mimicking new security measures designed to keep you safe online by sending fake emails that attempt to steal your banking credentials and personal data. Banks, card providers and retailers across the EU are asking customers to provide up-to-date contact information as part of new checks for online card payments known as strong customer authentication (SCA), Which? reported.
Over recent years, hackers have evolved phishing attacks to mimic genuine brands or reputable websites to evade detection and, unfortunately, they are proving successful. Ultimately, these attacks are aimed at an individual user, so appropriate training and awareness are vital to remind users to remain vigilant about unsolicited or unexpected emails which ask for credentials, payment, or any other action that seems out of the ordinary.
"Your bank will never ask for your personal data or password" is the standard anti-fraud advice. It is sad to see an industry resorting to this very thing in the belief that it would prevent scammers. This will likely end up on most lists of the worst security ideas of the year.
As long as banks send legitimate emails as a means of communicating with customers, scammers will attempt the same with fake emails. Email as implemented today is a terrible system for conducting business. While attempts have been made to improve the technology, none of them have taken hold.
We can’t simultaneously tell consumers not to click on links in email, yet continue to send them emails full of links we want them to click on. I guarantee that somewhere this very story about fraudulent emails will get shared as a link in an email.
Cyber criminals are quick to jump on any event to launch phishing campaigns, whether this be off the back of a major event like a natural disaster, or something like this, where banks are asking for details and customers are expecting the communication.
There are often telltale signs when it comes to phishing emails. Users should look at the address the mail has actually come from, hover over links to see where they really lead, and look out for spelling, grammar, and the tone of the email.
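As an added illustration of the two checks just described (the real sender address and the true destination of each link), the following Python is not from the article; it applies them to a constructed message that imitates the SCA "update your details" lure. The bank name, the domains and the message text are all made up.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable(host):
    """Crude registrable-domain guess: last two DNS labels, no public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw, trusted_domain):
    """Compare the sender domain and every link target with the bank's real domain."""
    msg = message_from_string(raw)
    warnings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if registrable(sender_domain) != trusted_domain:
        warnings.append(f"sender domain {sender_domain!r} is not {trusted_domain}")
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = registrable(urlparse(href).hostname or "")
        if target != trusted_domain:
            warnings.append(f"link {text!r} actually points to {target!r}")
    return warnings

# Constructed sample imitating the SCA "update your contact details" lure.
SAMPLE = """From: "Example Bank" <security@examp1e-bank.example.net>
Subject: Confirm your details for Strong Customer Authentication
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://sca-update.example.net/confirm">update your details
at example-bank.com</a> to keep your card working.</p>
"""
```

Calling `phishing_indicators(SAMPLE, "example-bank.com")` yields two warnings: the look-alike sender domain and a link whose visible text names the bank but whose target does not.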
However, for requesting sensitive data, email is not a good medium and should not be used. Banks should remind customers repeatedly to not follow links in emails and not to provide any sensitive information via email. Rather, this information could be collected via post, in a branch, or online once a user has logged onto their online banking platform.
If banks ask for sensitive information via email, or ask customers to click on links in emails, it sets a bad precedent and primes users to be more likely to fall victim to phishing scams.
This attempt to capitalise on users following security best practices – such as resetting their password or creating stronger credentials for their online payments – is a common tactic used by fraudsters, and demonstrates that caution alone is never enough when it comes to email security.
While thankfully banks are heavily invested in protecting their customers, it is also important that they make their communications with customers as difficult to replicate as possible. Banks – but, more broadly, every organisation that holds sensitive data – should avoid asking customers to complete any action as a result of an email, even if that is changing a password or downloading an app.
Meanwhile, users should protect themselves by taking the time to check the legitimacy of the messages they receive, conscious that taking a little longer to complete an action is always preferable to having one's financial and personal information compromised.