Your bank's got a new log-in system? Watch out for scams!

One of the main tricks used by internet scammers is to cash in on the introduction of new tools and services by trusted organisations. Banks, travel companies and other service providers are constantly launching handy new authentication and payment apps, booking tools and the like. Crooks know that and are taking advantage. After all, it takes a little while to get used to a new tool or service. You aren't immediately sure how it works or what you should expect. As a result, you may not see at first that you're dealing with a fake. Here are a few recent examples.

Rabo Scanner launch

A while back, Rabo (a big Dutch bank) introduced the Rabo Scanner to replace the Rabo Random Reader. Seeing an opening, crooks quickly started sending out fake e-mails linked to the launch. The slick-looking e-mails came complete with digital signatures and were sent from a domain name very like the one used by Rabo. Lots of people therefore fell for the request to go through an activation procedure in readiness for the Scanner going live. The 'activation process' was, of course, a trick for getting hold of sensitive information. Notably, the fake messages were signed 'Frank Smeerlinker': the same name used for an earlier scam aimed at Rabo customers when internationally standardised IBAN account numbers came in. "Rabobank recently announced that it's working on a successor to the Rabo Scanner," says Pim Pastoors, SIDN's DBS Product Manager. "That alone was enough to trigger a spike in fraudulent activity."

The rise of on-line payment apps

More recently, on-line payment apps such as Tikkie started to take off. Payment apps do away with the hassle of managing account numbers and waiting to get paid. Unfortunately, they're also attractive to crooks, who prey on ordinary people selling things in on-line marketplaces. A crook will use, say, WhatsApp to ask a private seller to make a payment of a single cent. It's an innocent-sounding request, because lots of reputable firms (including streaming services, insurers and energy firms) use low-value transactions for customer identification. What the crook does, however, is send the request with a link to a phishing site mocked up to look like a real bank website, with the amount and account number pre-filled. The one-cent payment will seemingly go through as normal, giving no cause for concern. But, because the user was actually on a phishing site, the information provided enables the crook to set up a much larger payment into an account they control.

GDPR Introduction

Another cautionary tale concerns the General Data Protection Regulation, a new European privacy law introduced in May. Countless businesses revised their privacy policies, then sent out mailshots informing their customers. For weeks on end, mailboxes across the continent were full of the associated messages. Most of the messages were genuine, but some came from scammers who spotted an opening.

The Dutch Consumers' Association warned the public about a phishing mail written in Dutch, claiming to be from ABN AMRO Bank, and one in English, supposedly from Airbnb. Both mails asked recipients to confirm acceptance of a new privacy policy in order to go on receiving the sender's services. And the true purpose of both was to harvest users' log-in details. "It's easy to see why people fell for it," says Pastoors. "When something new comes in, if you haven't been warned, an unfamiliar-looking mail asking you to do something different doesn't seem suspicious. Crooks can be very skilful in taking advantage of that."

How to avoid getting scammed

  • Watch out for scams when new tools and services are introduced.

  • Use your browser to visit the official website of a company that seems to have mailed you. Is there information about the product or service there?

  • If necessary, give them a call to see whether they really did send the mail.

  • Last but not least, check the sender's address. Is the domain name right? Does the mail come from a genuine address?

  • Check the Fraudehelpdesk website for details of phishing and other scams doing the rounds.

What businesses can do to protect customers

"First, make sure that there's clear information on your website," advises Pastoors. "Launching a new app or service? Put a message on your homepage explaining the details. It's also a good idea to look out for scammers trying to cash in on your reputation. For example, you can use the Domain Name Surveillance Service to keep abreast of domain registrations that resemble your brand or include the name of your new product or service. So you can respond quickly to anything malicious."

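One way a brand owner could screen a feed of newly registered domain names for lookalikes, as an added example (this is not SIDN's Domain Name Surveillance Service and not code from this article). The brand terms and domain names are constructed, and the input is assumed to be registrable domain names already decoded to Unicode.

```python
import unicodedata

# Constructed sample data: a hypothetical brand and hypothetical new registrations.
BRAND_TERMS = ["examplebank", "examplescanner"]
NEW_REGISTRATIONS = [
    "examplebank-activatie.nl",  # brand embedded in a longer label
    "examp1ebank.nl",            # digit standing in for a letter
    "exarnplebank.com",          # "rn" imitating "m"
    "ex\u00e1mplebank.nl",       # accented "a" in place of the plain letter
    "exampelbank.nl",            # transposition typo
    "bakery-example.nl",         # unrelated name
]
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def skeleton(label):
    """Comparison form: lower-case, strip accents, fold common lookalike characters."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.translate(LOOKALIKES).replace("rn", "m").replace("vv", "w")
    return "".join(c for c in text if c.isalnum())

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands=BRAND_TERMS, max_distance=2):
    """Return (reason, brand) when the leftmost label resembles a brand term, else None."""
    label = domain.lower().rstrip(".").split(".")[0]
    skel = skeleton(label)
    for brand in brands:
        target = skeleton(brand)
        if skel == target:
            return ("exact" if label == brand else "lookalike", brand)
        if target in skel:
            return ("contains", brand)
        # Short brand terms get a tighter threshold to limit false positives.
        if edit_distance(skel, target) <= min(max_distance, len(target) // 5):
            return ("typo", brand)
    return None

def scan(domains):
    """Keep only the domains worth a human look, with the reason they matched."""
    return [(d, *hit) for d in domains if (hit := classify(d))]
```

Calling `scan(NEW_REGISTRATIONS)` returns every sample except the unrelated bakery name, each with the reason it matched; a hit is a prompt for manual review, not proof of abuse.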
