Rabo Scanner launch
A while back, Rabo (a big Dutch bank) introduced the Rabo Scanner to replace the Rabo Random Reader. Seeing an opening, crooks quickly started sending out fake e-mails linked to the launch. The slick-looking e-mails came complete with digital signatures and were sent from a domain name very like the one used by Rabo. Lots of people therefore fell for the request to go through an activation procedure in readiness for the Scanner going live. The 'activation process' was, of course, a trick for getting hold of sensitive information. Notably, the fake messages were signed 'Frank Smeerlinker': the same name used for an earlier scam aimed at Rabo customers when internationally standardised IBAN account numbers came in. "Rabobank recently announced that it's working on a successor to the Rabo Scanner," says Pim Pastoors, SIDN's DBS Product Manager. "That alone was enough to trigger a spike in fraudulent activity."
The rise of on-line payment apps
More recently, on-line payment apps such as Tikkie started to take off. Payment apps do away with the hassle of managing account numbers and waiting to get paid. Unfortunately, they're also attractive to crooks, who prey on ordinary people selling things in on-line marketplaces. A crook will use, say, WhatsApp to ask a private seller to make a payment of a single cent. It's an innocent-sounding request, because lots of reputable firms (including streaming services, insurers and energy firms) use low-value transactions for customer identification. What the crook does, however, is send the request with a link to a phishing site mocked up to look like a real bank website, with the amount and account number pre-filled. The one-cent payment will seemingly go through as normal, giving no cause for concern. But, because the user was actually on a phishing site, the information provided enables the crook to set up a much larger payment into an account they control.
Another cautionary tale concerns the General Data Protection Regulation, a new European privacy law introduced in May. Countless businesses revised their privacy policies, then sent out mailshots informing their customers. For weeks on end, mailboxes across the continent were full of the associated messages. Most of the messages were genuine, but some came from scammers who spotted an opening.
How to avoid getting scammed
- Watch out for scams when new tools and services are introduced.
- Use your browser to visit the official website of a company that seems to have mailed you. Is there information about the product or service there?
- If necessary, give them a call to see whether they really did send the mail.
- Last but not least, check the sender's address. Is the domain name right? Does the mail come from a genuine address?
- Check the Fraudehelpdesk website for details of phishing and other scams doing the rounds.
What businesses can do to protect customers
"First, make sure that there's clear information on your website," advises Pastoors. "Launching a new app or service? Put a message on your homepage explaining the details. It's also a good idea to look out for scammers trying to cash in on your reputation. For example, you can use the Domain Name Surveillance Service to keep abreast of domain registrations that resemble your brand or include the name of your new product or service. So you can respond quickly to anything malicious."