Scammers spoofing banks & retailers in emails to steal PII of citizens
4 September 2019
Online scammers have adopted a new strategy to obtain citizens' Personally Identifiable Information (PII) and payment card details, including CVV numbers: spoofing major banks and retailers, and mimicking the genuine emails those firms send asking customers to complete additional security checks.
The Payment Services Regulations 2017, which implement the EU's revised Payment Services Directive (PSD2) in the UK, require providers of online banking and online shopping services, such as banks, retailers and e-commerce firms, to strengthen customer identification through additional security checks (known as Strong Customer Authentication) so that scammers cannot use stolen payment card details to make fraudulent purchases.
In order to comply with the regulation, a number of banks and e-commerce firms have started emailing their customers, asking them to verify their email addresses, home addresses and phone numbers, biometric details such as a fingerprint, voice pattern or face, and payment card information including card numbers, cardholder names, expiry dates and CVV codes.
This new approach will help banks, financial institutions and e-commerce firms identify genuine customers accurately and block attempts by scammers to commit identity fraud or access information about existing customers.
Scammers exploiting additional security checks to steal PII
However, because these institutions communicate with their customers by email, scammers are seizing the opportunity to spoof genuine firms in fraudulent emails that lure unsuspecting recipients into handing over their personal information and payment card details.
According to Which?, scammers have already started impersonating well-known banks such as Santander, Royal Bank of Scotland and HSBC, sending emails that ask people to immediately verify their personal and financial information by clicking on links in the email.
The consumer group noted that some of these scams could prove successful during the next eighteen months (the period over which the additional security checks are being phased in), because many banks and e-commerce firms use multiple web domains to authenticate customers, making it hard for customers to tell genuine domains from fraudulent ones.
Besides creating urgency by asking people to verify their personal information immediately, scammers are also putting the names of legitimate brands in the From display name, the name shown beside (or, on many mobile clients, instead of) the sender's address, so that recipients believe the email comes from the brand itself. Because the display name is free text, it passes unchanged through SPF, DKIM and DMARC, which validate the sending domain and not the name shown next to it.
“To find the real destination of a link, hover your mouse (without clicking) to preview the website it’s pointing to. If an email seems important but you’re concerned it could be fake, contact the company in question yourself using a trusted method,” Which? suggests.
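The two checks described above, the From display name against the real sending domain and the visible link text against the real href target, can be automated in a mail gateway or a triage script. The following is an added example and is not code from the original article or from Which?; the brand-to-domain allowlist it uses is an assumption made for the example, and the sample message is constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlist, brand keyword -> domains that brand genuinely sends from.
# These pairings are an assumption made for this example; maintain your own list.
BRAND_DOMAINS = {"santander": {"santander.co.uk"}, "hsbc": {"hsbc.co.uk"}, "rbs": {"rbs.co.uk"}}


def registrable(host: str) -> str:
    # Crude eTLD+1: last two labels, or three for forms such as .co.uk.
    # A production check should consult the Public Suffix List instead.
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "org", "gov", "ac", "net"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hostname(url: str) -> str:
    # urlparse raises on some malformed netlocs (e.g. a stray '['); treat those as no host.
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def check_display_name(from_header: str):
    # Display-name spoofing: the From name claims a brand, but the address domain
    # is not one that brand sends from. Returns (brand, domain) or None.
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name.lower()) and registrable(domain) not in allowed:
            return brand, domain
    return None


class AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str):
    # The "hover to preview" check, automated. Flags (1) anchors whose visible text
    # names a different registrable domain than the real href, and (2) hrefs whose
    # host contains a brand keyword but is not an allowlisted domain (lookalikes).
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = hostname(href)
        shown = hostname(text if "://" in text else "http://" + text)
        if "." in shown and registrable(shown) != registrable(real):
            findings.append(("text-mismatch", text, href))
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in real and registrable(real) not in allowed:
                findings.append(("lookalike-domain", brand, href))
    return findings


def analyse(raw_message: str) -> dict:
    # Run both checks over a raw RFC 5322 message.
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"display_name": check_display_name(str(msg["From"])), "links": check_links(html)}


# Constructed sample lure of the kind described above; not a real message.
SAMPLE_EMAIL = """\
From: Santander Secure <alerts@santander-secure-verify.com>
To: customer@example.com
Subject: Action required: verify your details under the new security checks
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, the new security checks mean you must verify your card today.</p>
<p><a href="http://santander-secure-verify.com/verify">https://www.santander.co.uk/verify</a></p>
<p><a href="https://www.santander.co.uk/help">Help and support</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

Run as a script, it reports the spoofed display name and both problems with the first link, while the genuine help link passes. None of this replaces SPF, DKIM and DMARC; a lookalike domain the attacker registers will pass all three, which is exactly why the display-name and link-text checks are worth running on top of them.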
“Over recent years, hackers have evolved phishing attacks to mimic original brands or reputable websites to evade detection and, unfortunately, they are proving successful,” says Bindu Sundaresan, director at AT&T Cybersecurity.
“Ultimately, they are targeted at an individual user so appropriate training and awareness is vital to remind users to remain vigilant to unsolicited or unexpected emails which ask for credentials, payment, or any other action that seems out of the ordinary,” she adds.
“As long as banks send legitimate emails as a means of communicating with customers, scammers will attempt the same with fake emails. Email as implemented today is a terrible system for conducting business. While attempts have been made to improve the technology, none of them have taken hold,” says Tim Erlin, VP at Tripwire.
“We can’t simultaneously tell consumers not to click on links in email, yet continue to send them emails full of links we want them to click on. I guarantee that somewhere this very story about fraudulent emails will get shared as a link in an email,” he adds.
Domain spoofing continues to threaten user privacy on a large scale
Domain spoofing is not a new phenomenon; online scammers have used it for years with varying degrees of success. That it remains among the greatest threats to online privacy shows the technique is both inexpensive and highly rewarding: stolen credentials and financial details can be used for identity fraud, or sold on the dark web at handsome returns.
Earlier this year, a report from Proofpoint revealed that ahead of the tax-filing deadline, cyber criminals created hundreds of thousands of fake websites mimicking the domains of official government tax authorities, in the hope that taxpayers would enter their financial information on the fake sites.
Proofpoint found that the criminals were also using these fake websites as watering holes, seeding them with malware and credential-stealing trojans. One such malware family was NetWire, a multiplatform remote access trojan (RAT) typically delivered via spammed email attachments: Microsoft Office files with embedded executables, including .jar files.
To lure taxpayers into downloading these malware-laden Office files, the fraudsters also used email subject lines that invoked urgency or an air of legitimacy, such as "Notice of Outstanding Income Tax Demand", "IRS Update for 1099 Employees", or "Your IRAS 2018 Tax Report".
According to Proofpoint researchers, to keep the phishing attempts from being noticed, the fraudsters redirected victims to the official tax authority's website after stealing their credentials. As a result, many victims were likely unaware that they had just disclosed their tax information to scammers.