Spotting & Stopping Banking/Fintech Frauds

In the world of banking and fintech, scams have become an unfortunate reality.

As technology continues to advance, so do the tactics used by scammers.

The range of techniques used, from phishing emails to SIM swap scams, can be overwhelming.

This article will explore some of the most common scams in banking and fintech, how they work, and what you can do to protect yourself.

Smishing

What is it?

Smishing is a type of scam that uses text messages (SMS) to deceive people into revealing their personal information or performing a specific action, such as clicking on a link or downloading an attachment. The name "smishing" comes from the combination of "SMS" and "phishing", which is a similar type of scam that uses email.

How it’s done

Here's an example of how a smishing scam might work:

  • You receive a text message that appears to be from your bank.
  • The message tells you that there has been suspicious activity in your account and asks you to confirm your account information by clicking on a link provided in the text.
  • The link takes you to a website that looks like your bank's website, complete with the bank's logo and branding.
  • The site asks you to enter your username and password to log in, which you do.
  • In reality, the text message and the website are both fake, created by scammers to steal your personal information.
  • Once they have your login credentials and other sensitive data, they can use them to access your bank account, steal your identity, or commit other types of fraud.

Example

Source: Google. Representative Example

How to avoid it

  • Always be skeptical of unsolicited text messages.
  • Never click on links or download attachments unless you are absolutely certain they are legitimate.
  • Verify the authenticity of any text messages or emails you receive by contacting the bank directly using a phone number or email address you know to be genuine.

Phishing

What is it?

Phishing is a type of scam that involves the use of fraudulent emails or websites to trick people into revealing their personal information, such as passwords and credit card numbers. The goal of a phishing scam is usually to steal the victim's identity or money.

How it’s done

Here's an example of how a phishing scam might work:

  • You receive an email from a famous online retailer (e.g. Amazon).
  • The email advises you that your account has a problem and that you must change your payment details by clicking on a link.
  • The link takes you to a website that looks like Amazon's website, complete with the company's logo and branding.
  • The site asks you to enter your login credentials, as well as your credit card number and expiration date.
  • In reality, the email and the website are both fake, created by scammers to steal your personal information.
  • Once they have your login credentials and credit card information, they can use them to make fraudulent purchases, access your other accounts, or commit other types of identity theft.

Example

Source: Google. Representative Example

How to avoid it

  • Always be skeptical of unsolicited emails and never click on links or download attachments unless you are absolutely certain that they are legitimate.
  • Look for signs that an email or website is a phishing scam, such as poor grammar and spelling, a sense of urgency, or a request for personal information.

Vishing

What is it?

Vishing is a type of scam that involves the use of phone calls or voice messages to trick people into revealing their personal information or performing a certain action, such as transferring money or providing access to a computer or network. The name "vishing" comes from the combination of "voice" and "phishing".

How it’s done

Here's an example of how a vishing scam might work:

  • You get a call from someone who claims to be from your bank.
  • The caller claims your account has had unusual activity and requests your account information and other personal information to verify it.
  • The caller might also create a sense of urgency or fear.
  • In reality, the caller is a scammer who is tricking you into revealing your personal information.
  • Once they have your information, they can use it to commit identity theft or other types of fraud.

Example

Source: Google. Representative Example

How to avoid it

  • Always be skeptical of unsolicited phone calls and never provide personal information unless you are absolutely certain that the caller is legitimate.
  • It's also a good idea to verify the caller's authenticity by contacting the company directly using a phone number you know to be genuine.
  • Look for signs that a phone call is a vishing scam, such as a sense of urgency, a request for personal information, or a threat of consequences if you don't comply.

Man-in-the-middle (MitM)

What is it?

A Man-in-the-middle (MitM) scam is a type of attack in which a third party intercepts and alters the communication between two parties who believe they are communicating directly with each other. In this type of scam, the attacker can eavesdrop on the communication, steal sensitive information, or inject malicious content into the conversation.

How it’s done

Here's an example of how a MitM scam might work:

  • You are using public Wi-Fi at a coffee shop to connect to your bank's website to transfer some funds.
  • Unknown to you, an attacker sitting nearby has set up a fake Wi-Fi hotspot with a name similar to the coffee shop's legitimate network.
  • You accidentally connect to the attacker's fake Wi-Fi instead of the real one.
  • When you try to log in to your bank's website, the attacker intercepts your communication and steals your login credentials.
  • In some cases, the attacker might even redirect you to a fake bank website.

Example

Source: Google. Representative Example

How to avoid it

  • Be cautious when using public Wi-Fi and avoid accessing sensitive information, such as bank accounts, on unsecured networks.
  • Verify that the website is legitimate by checking for the padlock icon and HTTPS in the address bar, which indicates that the connection is encrypted and secure.
  • Use a virtual private network (VPN) or other encryption tools to protect your communication from interception and alteration by third parties.

SIM swap

What is it?

A SIM swap scam is a type of fraud in which a scammer convinces a mobile carrier to transfer a victim's phone number to a new SIM card that the scammer controls. Once they control the number, they can gain access to the victim's accounts that use two-factor authentication via text message.

How it’s done

Here's an example of how a SIM swap scam might work:

  • You receive a text message from your mobile carrier saying there's a problem with your account and you need to contact a certain number to fix it.
  • When you call the number, the scammer asks you to verify your identity.
  • The scammer then convinces you to provide personal information.
  • Using this information, the scammer contacts your mobile carrier and requests a SIM swap, claiming that the phone has been lost or stolen.
  • Once the mobile carrier transfers your phone number to the scammer's SIM card, the scammer can use your phone number to receive text messages with two-factor authentication codes for your accounts, such as your email or bank account.

Example

Source: Google. Representative Example

How to avoid it

  • Be cautious when receiving unsolicited text messages or phone calls from people claiming to be from your mobile carrier.
  • If you receive such a message or call, do not provide personal information or click on any links. Instead, call your mobile carrier directly using a phone number you know to be genuine.
  • You can set up a PIN or password with your mobile carrier to add an extra layer of security to your account.

Business Email Compromise (BEC)

What is it?

Business Email Compromise (BEC) is a type of scam that involves the compromise of a legitimate business email account. In this type of scam, the attacker gains access to an email account and uses it to send emails that appear to be from a trusted source, such as a CEO, to trick people into performing fraudulent actions.

How it’s done

Here's an example of how a BEC scam might work:

  • A scammer gains access to the email account of a company executive, such as the CEO, CFO, or someone in the finance department.
  • The scammer then sends an email to the company's finance department, requesting an urgent wire transfer to a vendor or supplier for a large amount of money.
  • The email appears to be from the executive and includes the executive's signature and other identifying information, such as the executive's title and contact information.
  • The email might also include a sense of urgency, such as a tight deadline or a threat of negative consequences if the transfer is not made.
  • Believing the email to be legitimate, the finance department initiates the wire transfer. However, the money is actually sent to an account controlled by the scammer.

Example

Source: Google. Representative Example

How to avoid it

  • Be cautious when receiving emails that request the transfer of money or sensitive information.
  • Verify the authenticity of the email by checking the sender's email address, looking for any suspicious signs, such as spelling errors or a different writing style, and confirming the request with the sender using a different communication channel, such as a phone call or a face-to-face meeting.

Bonus Tip

UPI (Unified Payments Interface) scams are becoming increasingly common as digital payments become more popular. Here are some ways to avoid UPI scams:

  • Never share your UPI PIN or any other sensitive information with anyone.
  • Verify the details of the recipient and the payment amount before making a payment.
  • Use trusted payment apps and verify the authenticity of the app before downloading.
  • Enable two-factor authentication and set up transaction limits.
  • Be cautious of unsolicited requests for payments or personal information, and verify the identity of the person making the request.
  • Avoid clicking on links in messages or emails that claim to be from your bank or payment app.
  • Keep your device and payment app up-to-date with the latest security patches.
  • If you suspect fraudulent activity, immediately report it to your bank or payment app.

Compiled by Abilash Jeno | Fraud Investigation | Risk Team | Freo

Rupesh V

MBA Graduate with Proven Expertise in Finance & Retail Management | Entrepreneurial Spirit and Results-Driven Approach

1 yr

Brilliant Abilash Jeno

Sandeep Banu

Head HR @Freo (MoneyTap) I Ex Flipster I Ex Mindtree Mind I Avid Soccer Lover & A World Cinema Fan

1 yr

Good one Abilash Jeno!! Thank you Ankita Barthwal & Mahima Gurnani for crafting this.
