Mr Ho had been using internet banking as an easy and convenient channel to conduct his online banking transactions. A few months ago, he received an email purportedly from his bank asking him to log on to its website to update his personal account information. He followed the email instructions asking him to click on the link to access the bank's website. Having accessed what looked like the bank's website, he entered his UserID, PIN, One Time Password (OTP) generated by his security token and other confidential details into the website.
Since he had never received such an email before, he decided to check with his bank to see if there was indeed such an exercise being carried out by the bank. He found out from the bank that the website he had accessed was a fake website designed to look like the bank's real website. The fake website had the bank's logo and similar design to mislead customers into believing that it belonged to the bank.
The bank immediately worked with the relevant authorities to shut down the fraudulent website and locked Mr Ho's account to protect it from unauthorized access. As a result of the quick actions by Mr Ho and the bank, Mr Ho did not suffer any financial loss. A new PIN was promptly issued to Mr Ho to enable him to regain access to his Internet Banking account. He was also advised by his bank to read and follow the security guidelines and procedures set out in its website.
What is phishing?
Phishing (pronounced "fishing") is a technique used by fraudsters to obtain sensitive personal information such as your account details, PIN, OTP, credit card number, user ID or password through the Internet. Once such sensitive information is obtained from you, the fraudsters will have access to your account to perform unauthorised transactions.
What are the tell-tale signs?
Many tricks are involved in phishing scams. The most common method is sending you a spoofed email purporting to be from your bank, credit card company or service provider. The email will usually use one of the following tactics to trick you into acting on their instructions:
- "Your account is currently being updated as we are introducing a new security system. Follow the instructions below to reactivate your account."
- "Your credit card is the subject of a police investigation for fraud. Please follow the instructions below."
- "Our records indicate that payment for your Internet account is due. We are also currently introducing a new e-payment service. Please follow the instructions below."
- "You are the lucky winner of our lucky draw. Please submit your credit card details so
that we can verify your identity."
The following are examples of the instructions you may be asked to follow:
- "Please provide a return email with your account details, PIN, OTP or credit card number. We will reactivate your account as soon as we receive your email."
- "Please click on the hyperlink below to update your personal details."
- "Please click on the attachment below. This will automatically generate an alert on our side. We will update your account and inform you."
The motive of these instructions is to make you disclose your personal details such as your PIN, OTP or credit card number, which the fraudsters can use to access your account. If you follow the links or attachments in the email, you may be directed to a fake website that looks almost identical to the website of your bank or credit card company. These fake websites are created to trick you into divulging your login credentials and personal information. There are also some emails with attachments containing viruses, worms, spyware or trojans which may infect your PC and allow fraudsters to monitor your every keystroke and capture your personal information.
Tips to protect yourself
- Your bank will never send you emails asking you to divulge any confidential or personal information. You should report such emails to your bank and then discard them.
- You should never reveal your PIN or OTP to anyone. No bank should ever ask you for your PIN or OTP for whatever reasons.
- Do not click on any link to log on to bank websites or open attachments in emails purportedly sent to you by your bank, credit card company or service provider.
- Always enter the full URL or domain name of your bank or credit card company into your browser address bar. If you are unsure of their web address, contact them for the information.
- Always check your credit card and bank account statements for any suspicious or unauthorized transactions. If you detect anything unusual, contact your bank immediately.
- Do check your bank's website for more information on Internet security. In the event that you think you have become a victim of phishing scam, contact your bank immediately.
- Install firewall, anti-virus and anti-spyware in your computer and update them regularly.
- Avoid performing online banking using computers in public areas such as cybercafes.
- Remember to log off each time you finished your online banking activities.
- Select passwords that are difficult to guess and change your passwords regularly.
You can protect yourself from phishing scams if you take the necessary precautions to safeguard your personal information.