Cybercriminals use increasingly sophisticated tricks to deceive people and obtain personal and confidential information, such as bank passwords or credit card details. To phishing, the most common internet scam, which consists of sending fraudulent emails, other sophisticated techniques have been added to make the user fall into the trap. One of them is so-called smishing, an attack by text message (SMS) sent to the mobile phone by someone pretending to be a bank and asking the recipient to click on a link.
Messages such as “We invite you to quickly confirm your information to avoid an account restriction or suspension. Click here” (an http link appears below), or warnings that, from a certain date, “you cannot use your account” or “you cannot use your card” and “you have to activate the new web security system”, also followed by a web link, are used as bait.
In recent weeks, clients of Santander, CaixaBank, the former Liberbank and ING have received alerts of this type. The entities insist that they never send messages of this kind or ask for passwords or personal data by SMS or e-mail. All of them offer advice to clients on avoiding this type of fraud.
When the user clicks on the link, they are directed to a fraudulent web page that pretends to be the access portal of the entity itself. This is where sensitive data begins to be requested, such as the username, password or even the PIN. Once the information is provided, the cybercriminal uses this data on the bank’s real page, which allows him to request legitimate confirmation messages that are sent to the user’s mobile. The user, still thinking that they are dealing with their bank, enters the codes received on the fake page. And the scam is complete. The attacker can now perform any operation, since he has been able to validate both authentication factors (password and verification code sent to the mobile).
Banco Santander confirms that these false messages are sent at random and are received by both clients and non-clients. “As soon as it is reported, the bank manages it quickly and cancels those links so that they do not work,” says the entity, which urges clients to report cases as soon as possible so that it can act. In addition, it gives security recommendations at https://www.bancosantander.es/particulares/banca-digital/seguridad-online.
ING has detected that several clients have received these SMS as a result of third-party databases, in which they appear, having been compromised. “Our main work is prevention and awareness so that our clients can identify this type of fraud and know how to act.” That is why the entity has created a complete guide on digital security on its website. In addition, it has “detection and anticipation tools to manage the closure of these threat portals with third parties,” as well as professionals who analyze incidents in real time.
For their part, the clients of Liberbank (now Unicaja Banco after the merger of both entities) periodically receive information with advice to prevent phishing and new forms of online fraud, such as checking the origin of links received by electronic means before clicking on them, being wary of language with spelling errors, and keeping the antivirus updated. “Unicaja Banco maintains constant monitoring of possible cases of cyber fraud that may affect its clients and also performs mitigation work so that the negative impact is minimal,” say sources from the entity, who stress that banks already have all of their customers’ data and have no reason to ask for information they already know.
CaixaBank maintains that the cases are “managed and controlled” and recommends that customers, in the event of any suspicious request, immediately contact the entity’s Customer Service number. It also informs its clients through different channels: it periodically sends them newsletters about the most frequent frauds and the measures they must take to avoid being victims of this type of deception, and it publishes news on its website. It has also developed a campaign with online sessions and conferences.
Bankinter states that it has registered no smishing attacks, but that its digital security department carries out “constant surveillance” to prevent this type of fraud attempt.
MS was a victim of phishing a couple of years ago and found that a large sum of money had been swindled from him. “You never think that you are going to fall into the trap, until you do. I thought it was an email from my bank and I did everything you are not supposed to do. In hindsight, you realize the serious mistake, but in the moment it is not so easy to detect it.” He adds that “long ago the linked pages were very poorly made, but now they have improved and it seems that they are the real ones. In addition, they technically use secure connections (https) and have registered domains.”
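The banks’ advice to check the origin of a link before clicking, together with the observation that fake pages now use https and registered domains, comes down to comparing the link’s host with the bank’s own domain instead of trusting the padlock. The following sketch is an added example, not code from any of the entities mentioned; the allowlist, the sample messages and the `.example` hosts are constructed, and it goes slightly beyond the text by also flagging a `user@` prefix in the URL.

```python
import re
from urllib.parse import urlsplit

# Assumption: allowlist of the bank's own domains. bancosantander.es is the
# domain of the security page cited in the article; extend per institution.
OFFICIAL_DOMAINS = {"bancosantander.es"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample SMS bodies (hosts under .example are reserved, not real).
SAMPLES = [
    "We invite you to quickly confirm your information. Click here "
    "https://bancosantander.es.seguridad-web.example/login",
    "You have to activate the new web security system: "
    "http://bancosantander-es.example/activar",
    "Security recommendations: "
    "https://www.bancosantander.es/particulares/banca-digital/seguridad-online",
]


def is_official_host(host):
    """True only if host is an official domain or a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_link(url):
    """Return the reasons a link should not be trusted (empty list = passes)."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # hostname drops any user@ prefix and the port
    reasons = []
    if not is_official_host(host):
        reasons.append(f"host '{host}' is not an official bank domain")
        if any(d.split(".")[0] in host for d in OFFICIAL_DOMAINS):
            reasons.append("bank name embedded in an unrelated domain")
    if parts.scheme.lower() != "https":
        reasons.append("link is not HTTPS")
    if parts.username is not None:
        reasons.append("URL contains a user@ part that hides the real host")
    return reasons


def triage_sms(text):
    """Map every link found in an SMS body to its list of warning reasons."""
    links = (u.rstrip(".,)") for u in URL_RE.findall(text))
    return {u: check_link(u) for u in links}


if __name__ == "__main__":
    for sms in SAMPLES:
        for url, reasons in triage_sms(sms).items():
            print(url, "->", reasons or "host matches the allowlist")
```

The first sample is served over HTTPS and still fails, because the host ends in a domain the bank does not own even though it begins with the bank’s name.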
It is difficult to get the bank to refund the scammed money, since the loss is considered negligence on the part of the client, who has not properly guarded his secret data (such as keys or passwords). Normally, claims are made to the Customer Service department of the same entity in the first instance and, if the resolution is negative, that is when you can go to the Bank of Spain. However, sometimes it is possible to recover the capital, although it is up to the goodwill of the entity.
Likewise, many people suffer ‘vishing’, a scam carried out through a phone call in which the user is informed that they have won a contest or have been given discount coupons. The cybercriminals then ask the user to confirm their bank account.
The Internet User Security Office (OSI) of INCIBE points out that we must be wary of messages that speak of jobs that do not exist, prizes won without having played or packages received without having been ordered. It advises not providing bank or similar details and regularly monitoring consumption.