#toptip campaign: Digital financial fraud: would you fall for it too?
You receive an email or message from your bank, or other payment service provider or from an entity you have contracted a service with. They tell you that your account may be compromised or blocked and ask you to log in to regain access. Do you click on the link and enter your credentials or provide them over the phone without giving it a second thought?
This is likely to be a common form of phishing, i.e. an attack designed to steal your personal details. And there are other fraudulent techniques, seemingly harmless but just as effective, that are used by people all over the world to get hold of your data. Hackers often use information they find on social media and use psychological manipulation to gain the trust of the victim and thus obtain confidential information.
Know the risks
A hacker contacts you by e-mail, by phone or by posting on social media, pretending to be, for example, a bank or other payment service provider, a public entity or a service provider. Sometimes, hackers use spoofing, by copying the phone numbers or emails and masquerading as an official entity to be more convincing. In these contacts, apparently for a legitimate reason, they try to convince you to provide your personal data (either directly or by providing you with a link to a fake page, even if seemingly legitimate). This type of attack is called phishing (also known as vishing or smishing, if the contact is made via a call or SMS respectively).
By downloading an apparently harmless file, you could be installing a computer virus on your device. When you access a correct address, this virus redirects you to a false internet page, through which your personal data is wrongfully obtained. This type of attack is called pharming.
Other people can get hold of your data by installing malicious programs that collect your information. This type of attack is called spyware.
Another way third parties can get hold of your data is by directly observing information you are typing on your mobile phone, tablet or computer in crowded places, such as public transport or shopping centres. This type of attack is called shoulder surfing.
What can you do to protect your data?
#1 Carefully assess the requests for information you receive.
- Never disclose personal information or access credentials to your digital channels or transaction authentication codes to third parties. A bank or other payment service provider would never ask you for this kind of information by email, SMS or phone.
- Don’t disclose personal or confidential information via a phone call that you have not requested. Be suspicious of messages that indicate that a certain service has been blocked and needs to be activated or that request payment for an order you have not placed. Contacts with fraudulent intentions are usually made in an urgent tone, so that you quickly disclose personal data, without having time to think about the best way to act.
- If you receive a call, don’t automatically assume that it is genuine just because the caller has your basic personal details. This information can be found online (for example, through social media).
- Don’t open and immediately delete suspicious emails. Check the sender's address (not just the name), the language, the type and tone of the language used and the graphic presentation of the message received. Fraudulent messages often adopt less formal language, with spelling mistakes or semantic errors and are written to convey a sense of urgency to the reader.
- Don’t click on links, don’t perform the actions requested (don’t run suggested programs) and don’t open attachments from unknown sources.
- Don’t enter confidential data and other personal information on sites whose authenticity is not guaranteed.
#2 Contact the entity concerned through the official contacts.
- Even if you think it is a legitimate contact, don’t immediately disclose information and contact the entity concerned through the official contacts (and never using the contact details provided in the emails, SMS or phone calls received).
- If you suspect fraud, report it immediately to your bank or other payment service provider, through the usual channels, and to law enforcement agencies.
#3 Avoid sharing personal data when it is not essential to the service being provided.
- Many platforms and apps ask for access to personal information, such as your geographical location, contacts, microphone, camera and photo album, which is not relevant for the provision of the services concerned. This information can then be shared with others without your knowledge.
#4 Check your privacy and security settings.
- Before you start using a new app or when you create a new internet user account, check your privacy and security settings and set them to a level of information sharing you are comfortable with.
- Every device, app or browser you use has different features to limit how and with whom you share information: explore the options and, if in doubt, find out more.
#5 Don’t put off updates and always delete accounts and apps you no longer use.
- Updates to programs and apps allow you to correct security problems detected in the meantime. An app on your phone that you don’t use and don’t update may be a “doorway” to possible cyber-attacks.
#6 Remain vigilant.
- Check your account movements regularly and contact your bank or other payment service provider immediately if you notice movements that you have not authorised.