Phishing is defined as a form of social engineering which attempts to acquire sensitive information or data (such as usernames, passwords, email addresses, account numbers, and One-Time Passwords, etc.) through fraudulent means. The pandemic pushed us to bank online to make transactions more convenient throughout prolonged lockdowns. Since then, phishers have become more creative, and continue to find innovative ways to trick people into clicking links or buttons and divulging confidential information.
Before presenting the steps that phishers take to maliciously acquire data, one fact needs to be underscored: contrary to the stereotype that movies often romanticize, phishers are not necessarily socially awkward hackers that spend their entire day in front of a computer. Moreover, they do not use complicated programs or devices to manipulate bank records. Phishers are all about efficiency, thus, their preferred method is to trick their victims into unwittingly giving them the information they need.
That said, phishers use psychology to make us give up our personal and financial information that will allow them access to our accounts. Metrobank, one of the country’s top financial institutions, gave us a peek on how phishers think.
Choosing a Pond
Phishers randomly collect as many email addresses and phone numbers as they can. This is usually done by snooping around in social media, looking for profiles that have their email addresses and/or phone numbers in full display. Other sources that have email addresses and mobile numbers are those that may have been exposed to the public, mobile apps that were compromised/hacked, etc. Once they have a suitable number of potential victims, it’s time to cast the net.
It is best to use an alternate email address or mobile number for non-financial transactions to avoid compromising the email addresses and mobile numbers we use for banking purposes.
Setting the Bait
Phishers will now attempt to contact potential victims via phone call, text, or email. They do this to get more personal information that may be used in security verification procedures. In truth, phishers don’t really know for sure if a potential victim does indeed have an account with a specific bank, but they play the odds and hope that there are matches.
There are many ways to do this, but the most common way is to send alarming messages about how our accounts have supposedly been compromised, or that we need to verify our accounts in light of “new security measures”. These emails and messages are designed to elicit an emotional response--to fool us into thinking that it is an urgent message that came from the bank. These messages will usually have “spoofed” or faked email addresses or phone IDs to make it look official. It will then include a link or buttons to what seems to be the bank’s log-in page.
One thing we all must remember is disregard the message and NEVER click any links or buttons coming from these kinds of emails. As a rule, banks will never give you a shortcut link via email or SMS that will lead you to their online platforms, and in case these logins are needed, customers are encouraged to manually log-in via a web browser or through their official apps.
The pages that are linked from these scam emails are fake. If we enter our username and password, phishers can take over our accounts and will have all the information they need for their next step.
Less than a decade ago, usernames and passwords were enough to get into our accounts. Passwords became easy to crack, hence banks added an extra layer of security by using technology like two-factor authentication to verify your identity or transaction.
Two-factor authentication uses either a One-Time Password (OTP) that is sent to our registered mobile phones, or randomized codes generated via an official app to verify logins and transactions.
To completely access our accounts, the phishers will once again attempt to contact us via phone and text, usually pretending to be personnel from our bank. They will then try to convince us to give OTP that was sent to our phone. By this time, they have already collected various personal information, and will therefore sound quite legitimate.
As always reiterated by bank advisories, we should NEVER give our OTPs or generated codes to anyone, even if they seem like they have all the other information that only our banks would have. Once we are fooled into giving our OTP, that is the final key that they need to open our accounts and have their way with it.
Hook, Line, and Sinker
In case we are victimized by phishers through the methods outlined above, there is little that we, or our banks, can do. We can file a complaint with the bank, and they will investigate what really happened, but likely it will be determined that our accounts were accessed solely through the standard log-in process, because correct login information and OTPs were shared and that’s how we are fooled by phishers.
It must be emphasized that security is a shared responsibility. Phishers do not attack banks -- they attack us: the customers. We should be aware of our responsibility in securing our account. We must keep our log-in information and OTPs from falling into the hands of phishers. We must be careful not to give them to anyone else.
That is why banks are also doing their best to inform us about these modus operandi. Currently, Metrobank is leading an industry-wide information campaign called Scamproof.PH. Scamproof is a website that has information on the latest scams and reminders on how to spot and avoid them. Visitors of the site can also submit scams that they have encountered. Submitted scams are then investigated then added into the database so more people would know about them.
We need to be educated on how we can spot a scam and prevent ourselves from getting victimized by phishers. Visit https://www.scamproof.ph/ or https://metrobank.com.ph/fight-fraud/ for more fraud tips and advisories. In case we do encounter scams, it would also be prudent to report them by contacting our respective banks.