A third of phishing websites are impersonating banks. What can we do?

The recent focus on banking-related phishing scams has somehow reminded me of “Mission Impossible” movies. In the films’ climax, Ethan Hunt, the protagonist played by Tom Cruise, would always rip off his mask to reveal that he has been in disguise all along to trick the villain into giving out crucial information.

The difference between the movie and the phishing scams is that the villains are the ones doing the impersonating, and they are pretending to be banks, so they can trick unsuspecting users into giving out login credentials and one-time passwords (OTP).

Recently, ESET researchers have found that almost one out of three phishing websites out there is impersonating a financial organisation. There are also hundreds of unique phishing websites impersonating local Singapore banks, most of them fake login pages designed to steal usernames, passwords and OTPs.

The modus operandi used by the cybercriminals in the recent spate of phishing scams targeting bank users in Singapore involved SMS phishing. The victims would receive an SMS from a “bank”, and be urged to click a link directing them to a fake login page.

I laud the efforts by the Monetary Authority of Singapore and the Association of Banks in Singapore to bolster digital security and fight internet fraud, which include the removal of clickable links in emails or text messages sent to retail customers. While this is effective in stopping SMS phishing, we have seen instances where cybercriminals are upping the ante by using increasingly sophisticated methods that do not involve SMS or email phishing to steal bank credentials.

In April, ESET researchers warned bank customers in Malaysia about malicious mobile applications that are able to exfiltrate the credentials of customers of eight Malaysian banks. These malicious applications impersonate legitimate consumer services and shops, and when the time comes to pay, the victims are required to key in their financial credentials to complete the payment. These applications are also able to extract the OTPs that the victims receive from their banks via SMS.

What we should be wary of is that cybercriminals can also adapt such malicious mobile applications to target victims in another country by impersonating the banks and payment systems used there.

Everyone has a role to play in combating phishing scams

Truth be told, cyberthreats such as phishing scams have inevitably become part and parcel of the digital world we live in today. There is no silver bullet for these scams; multiple approaches that complement each other are required to ensure we stay safe online. These approaches can include public education and cooperative efforts between the private and public sectors.

Education plays a key role at the individual level, as consumers need a better understanding of how online scams work to avoid falling victim. Consumers should keep themselves updated on the latest scam methods reported in the media; understand how to spot a fake website; and always remain vigilant when asked to reveal personal information or click links. It is always a good idea to call the bank directly or type the bank's URL yourself instead of clicking links found in text messages or emails.

Besides education, technology can also be used to stop phishing scams. For instance, consumers should consider installing reliable security or antivirus applications with an anti-phishing feature on their personal devices. Telcos and internet service providers (ISPs) can also play a role by offering network-level or DNS (Domain Name System)-level protection to consumers. With such protection in place, when a bank customer clicks a link to a fake bank website, the domain is blocked at the DNS resolver before the page ever loads, so the customer never reaches the phishing site.
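To make the DNS-level protection concrete, here is an added example (not from the article, ESET or any ISP product) of the decision logic a filtering resolver could run before answering a query: known-bad hostnames are sinkholed, and so are names that mimic a protected bank domain. The bank domains, blocklist entries and queries are all constructed for illustration, and the lookalike check is deliberately simple (no public-suffix list, no cross-script homoglyph folding).

```python
# Added example: minimal DNS-level phishing filter as an ISP/telco resolver might apply it.
# All domains below are constructed placeholders, not real bank or phishing sites.
import unicodedata

# Constructed: the legitimate domains an operator wants to protect.
PROTECTED = {"examplebank.sg", "secure.examplebank.sg"}
# Constructed: known-bad hostnames as they would arrive from abuse reports / threat intel.
BLOCKLIST = {"examplebank-login.top", "otp-verify.example"}


def normalize(label: str) -> str:
    """Fold common visual tricks: compatibility forms (NFKC), case, 'rn'->'m', '0'->'o', '1'->'l', '-'."""
    n = unicodedata.normalize("NFKC", label).lower().rstrip(".")
    return n.replace("rn", "m").replace("0", "o").replace("1", "l").replace("-", "")


def registrable_stem(name: str) -> str:
    """First label of the last two labels, a rough stand-in for the registrable domain."""
    return name.split(".")[-2:][0]


def looks_like_bank(name: str) -> bool:
    """True if the queried name mimics a protected domain but is not one of them."""
    if name in PROTECTED or any(name.endswith("." + p) for p in PROTECTED):
        return False  # the real site or one of its subdomains
    stem = normalize(registrable_stem(name))
    for p in PROTECTED:
        pstem = normalize(registrable_stem(p))
        # exact stem after folding (exarnplebank, examp1ebank) or bank name embedded in the host
        if stem == pstem or pstem in normalize(name):
            return True
    return False


def policy(qname: str) -> tuple[str, str]:
    """Return (action, reason): 'resolve' passes the query upstream, 'sinkhole' answers it locally."""
    name = qname.lower().rstrip(".")
    if name in BLOCKLIST or any(name.endswith("." + b) for b in BLOCKLIST):
        return ("sinkhole", "blocklist")
    if looks_like_bank(name):
        return ("sinkhole", "lookalike")
    return ("resolve", "allow")


if __name__ == "__main__":
    # Constructed queries: a listed phish, a typosquat, the real site, an unrelated site.
    for q in ["examplebank-login.top", "exarnplebank.com", "secure.examplebank.sg.", "news.example.org"]:
        print(f"{q:28} -> {policy(q)}")
```

A production resolver would back the blocklist with a feed that is refreshed continuously and would log every sinkholed answer, since those logs are the earliest signal that a new impersonation campaign is under way.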

In essence, we must continuously explore innovative ways to combat online scams beyond the measures currently in place. Tackling online scams requires concerted effort across a range of stakeholders to pave the way for a safer online environment and build a cyber-resilient nation.