8 October 2009

Bank clients warned of rise in ‘phishing’ attacks

The South African Banking Risk Information Centre on Thursday warned of a rise in “phishing” attacks.

The South African Banking Risk Information Centre (Sabric) on Thursday warned of a rise in “phishing” attacks.

“We are presently observing an unusual increase in phishing attacks across the industry and would like to warn bank clients to be extra vigilant,” said Sabric chief executive officer Kalyani Pillay.

“The worrying trend about the recent surge in phishing attacks is that the phished information is now being used by criminals quicker than in the past,” she said.

The period between the compromising of banking customers’ information and its use had narrowed.

“We also observe an unusual level of persistence accompanying the latest attacks. There are incidents where people are receiving the same phishing email daily,” Pillay said.

“Phishing” involves criminals deceitfully obtaining bank clients’ personal information such as passwords, identity numbers and credit card details by sending emails that look as if they have been sent by banks.

Typically, phishing emails were sent to millions of bank clients asking them to click on a link to access information purporting to be from the bank or to update their details, Sabric said.

Instead, they were directed to a fake website which appeared almost identical to the legitimate bank’s website and were tricked into disclosing their personal information on bogus online forms on that site.

The criminals used the information to commit fraud.

The recent phishing attacks were made to resemble security alerts from banks’ online or security divisions and required more detailed customer information.

“The current crop of spam requires customers to confirm information such as cellphone numbers and email details,” said Pillay.

“This is done purely for purposes of intercepting customers’ one-time-password [OTP],” she said.

They did this through cellphone SIM swaps or by asking bank customers to confirm their OTPs immediately after accessing the account with the phished information.

“Sabric advises bank clients to ignore any emails that require them to provide personal information, even if the emails look credible or seem to contain very useful information.

“Some of the spoof sites … contain what would appear, to unsuspecting eyes, to be crime awareness information on phishing.”

Pillay said it only took a few successes to make the attacks a worthy and profitable undertaking for cyber criminals.

She said people who suspected they might have already responded to emails requesting their personal information should immediately notify their banking institutions. — Sapa