Bank Windhoek has noticed that fraudsters have increased their criminal activities by targeting senior banking citizens by persuading them into providing their login credentials, including their banking Personal Identity Numbers (PINs). These fraudsters usually contact senior citizens during the evenings when they are at their most vulnerable.
This is a social engineering cybercrime tactic. Social engineering is defined as using manipulation or deception techniques to persuade individuals into providing their confidential or personal information to be use for fraudulent purposes. Fraudsters fool the victims of their intended cybercrime by impersonating someone in a position of trust, like a bank official, or a position of authority like a police official. Regardless of who they are impersonating, a fraudster's motivation is always the same – to extract money, data or personal information from their victim.
Social engineering is mainly used because it is easier to trick someone into divulging confidential personal information than it is to get through protective layers of technological controls and firewalls. Attackers have been known to name-drop important and well-known personalities to intimidate the individual and to create a sense of urgency for an immediate response to the request. The following are tips on how to avoid being a victim of social engineering through phishing:
Phishing is fraudulently trying to obtain sensitive information such as user accounts, passwords and credit card information from an unsuspecting victim by pretending to be a trusted entity in an electronic communication such as an email. A person receives a fraudulent email that claims to be from their bank. The email appears legitimate and contains a link to a website asking for an online banking identity and password. The email could also request that an individual reply with their login details which is then collected by the fraudsters.
Vishing: A customer receives a phone call from a caller who claims to be from their bank and suggests a problem with their computer or user account. They may even ask for a customer's username and password claiming to be able to rectify the urgent problem while on the phone with the victim, during which time the customer's account is compromised.
Characteristics of phishing
Customers should always check for misspellings and grammatical errors. The message often claims to be from a bank, technical support, social media or other legitimate business and has an urgent tone, prompting an immediate response. The site linked to the message asks for identification and password, and the message asks customers to update certain personal information. The message has an unusual "from" address, and the listed Uniform Resource Locators (URL) does not match the official URL of the organisation. In this case, a customer can hover the cursor over - but not click on - an email address or URL in the text of the mail, will show the actual address or URL. Fraudsters are known to mask these URLs to make them look authentic or include attachments to the email that, once clicked on, gives fraudsters access to the information on the victim's computer or mobile device.
What to do and what not to do
To be vigilant, customers should always be sceptical and ask questions about unsolicited phone calls, emails, SMS and WhatsApp messages. They should also use common sense when answering messages. They can report this suspicious message to their bank or financial institution.
Customers should always verify the identity of anyone before providing any information to them. If in doubt about an email or phone call, they should contact the organisation directly by using the phone number provided on the official website or telephone directory, not the number in the suspicious message. Customers should never respond to unsolicited emails or give their password to anyone. As a general rule when buying goods from unknown persons on social media, never part with money before the goods were received because the transaction may be the result of social engineering.
Bank Windhoek will always raise awareness to alert and discourage customers from sharing their login credentials with anyone, because the Bank will never request such information from its customers. Such information must be kept confidential. If customers suspect someone is attempting to access their bank account, they should contact the Bank's Customer Contact Centre at +264 61 299 1200 for immediate assistance.