Phishing


What is phishing?

Phishing (pronounced "fishing") is a way of obtaining sensitive personal information such as your account details, PIN, One Time Password, credit card number, user ID or password through the Internet. Anyone who obtains this information can access your account and perform unauthorised transactions.

What must you watch out for?

The most common phishing method is to send you a spoofed email purporting to be from your bank, credit card issuer or service provider. The email will usually use one of the following tactics to get you to release your personal information:

  • "Your account is currently being updated as we are introducing a new security system. Follow the instructions below to reactivate your account."
  • "Your credit card is the subject of a police investigation for fraud. Please follow the instructions below."
  • "Our records indicate that payment for your Internet account is due. We are also currently introducing a new e-payment service. Please follow the instructions below."
  • "You are the lucky winner of our lucky draw. Please submit your credit card details so that we can verify your identity."

Here are examples of instructions you may be given:

  • "Please provide a return email with your account details, PIN, One Time Password or credit card number. We will reactivate your account as soon as we receive your email."
  • "Please click on the hyperlink below to update your personal details."
  • "Please click on the attachment below. This will automatically generate an alert on our side. We will update your account and inform you."

These instructions are designed to get you to disclose personal details such as your PIN, One Time Password or credit card number, which can then be used to access your account. If you follow the links or open the attachments in the email, you may be directed to a fake website that looks almost identical to the website of your bank or credit card issuer. These websites are created to get you to reveal your login credentials and personal information. Some emails also carry attachments containing viruses, worms, spyware or trojans, which may infect your PC and allow others to monitor your every keystroke and capture your personal information.
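For readers who screen reported emails, the checks described above can be automated. The following is an added example, not part of the original advisory: it flags links that leave the bank's real domain, links whose visible text names the bank while pointing elsewhere, and requests for credentials. The domain names, the sample message and the function names are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Credential terms taken from the advisory text above.
CREDENTIAL_RE = re.compile(r"\b(pin|otp|one time password|credit card number)\b")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip().lower()))
            self._href = None

def is_trusted(host, trusted_domains):
    """Exact match or true subdomain; 'bank.example.evil.test' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

def audit_email(html, trusted_domains):
    """Return a sorted list of findings for one HTML email body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = set()
    for href, label in parser.links:
        url = urlsplit(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        if not is_trusted(url.hostname, trusted_domains):
            findings.add("untrusted-link:" + url.hostname)
            if any(d in label for d in trusted_domains):  # text names the bank
                findings.add("label-mismatch:" + url.hostname)
    body = " ".join(" ".join(parser.text).lower().split())
    findings.update("credential-request:" + t for t in CREDENTIAL_RE.findall(body))
    return sorted(findings)

# Constructed sample message; both domains are made up (reserved TLDs).
SAMPLE = """<p>Your account is being updated. Please confirm your PIN
and One Time Password.</p>
<a href="https://www.bank.example.secure-login.test/update">www.bank.example</a>
<a href="https://www.bank.example/help">Help</a>"""
```

Calling audit_email(SAMPLE, ["bank.example"]) reports the lookalike link and the credential request, while the link to the genuine domain is not flagged.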

Case study:
Mr Ho uses internet banking to conduct his online banking transactions. Recently, he received an email purportedly from his bank asking him to log on to its website to update his personal account information. He followed the email instructions asking him to click on the link to access the bank's website. On accessing what looked like the bank's website, he entered his user ID, PIN, One Time Password (OTP) generated by his security token and other confidential details into the website.

Having never received such an email before, he decided to check with his bank to see if there was indeed such an exercise being carried out by the bank. The bank told him that the website he had accessed was a fake website designed to look like the bank's real website. The fake website carried the bank's logo and a similar design, intended to mislead customers into believing that it belonged to the bank.

The bank immediately worked with the relevant authorities to shut down the fraudulent website and locked Mr Ho's account to protect it from unauthorised access. As a result of quick action, Mr Ho did not suffer any financial loss. A new PIN was promptly issued to Mr Ho to enable him to regain access to his internet banking account. He was also advised by his bank to read and follow the security guidelines and procedures set out in its website.

Tips to protect you against phishing scams:

  • Your bank will never send you emails asking you to divulge any confidential or personal information. You should report such emails to your bank and then discard them.
  • You should never reveal your PIN or One Time Password to anyone. No bank should ever ask you for your PIN or One Time Password for any reason.
  • Do not click on any link to log on to bank websites or open attachments in emails purportedly sent to you by your bank, credit card issuer or service provider.
  • Always enter the full URL or domain name of your bank or credit card issuer into your browser address bar. If you are unsure of the web address, contact them for the information.
  • Always check your credit card and bank account statements for any suspicious or unauthorised transactions. If you detect anything unusual, contact your bank immediately.
  • Do check your bank's website for more information on Internet security. If you think you have become a victim of phishing, contact your bank immediately.
  • Install firewall, anti-virus and anti-spyware software on your computer and update them regularly.
  • Avoid performing online banking using computers in public areas such as cyber-cafes.
  • Remember to log off each time you finish your online banking activities.
  • Select passwords that are difficult to guess and change your passwords regularly.

What is vishing? What must you watch out for?

Vishing is similar to phishing but involves a phone call made to trick victims into disclosing their account details. The caller may ask a consumer to provide confidential information to verify, update or reactivate his or her bank account. As with phishing, scammers want to get hold of your login PIN, OTP and user ID to access your bank account.

Bank employees will never ask consumers to reveal their login details. However, banks usually verify the consumer’s identity by asking questions which relate to personal details that the bank already has.

Tips to protect you against vishing scams:

  • Never disclose your login details to anyone (not even bank employees).
  • Verify with the bank if you are uncertain of the caller’s identity. You may wish to hang up and place a call directly to the bank.

 

The above information is prepared in collaboration with the Association of Banks in Singapore and Consumers Association of Singapore.