Technologies change, but cybercriminals will always dream up new ways to fool you into handing over your bank details – whether via phishing emails, SMS or by phone.
Hesperbot – a new Trojan detected by ESET – uses hi-tech methods to bypass bank security systems, and clever social engineering to ensure victims play along.
These days cybercriminals will use phone calls, SMS messages, emails – and even couriers – in an effort to get your money. Many of these attacks can seem very convincing – at least at first.
The key to staying safe is to recognize behavior that isn’t quite “right”. Here are ten things a bank will never do – but a fraudster, phisher, or thief will.
Text you asking for details to “confirm” it’s you
Your bank may well text you – for instance to confirm a transaction on PC – but bank texts will not, ever, ask you to confirm details, or for passwords in a text. Banks also won’t update their apps in this way. If you’re suspicous, don’t click links, don’t call any numbers in the text. Instead, call your bank on its “normal” number – Google it if you don’t know – and check whether the text is from them. More advice on avoiding SMS phishing scams can be found here.
Give you a deadline of 24 hours before your bank account erases itself
Many legitimate messages from your bank will be marked “urgent” – particularly those related to suspected fraud – but any message with a deadline should be treated with extreme suspicion. Cybercriminals have to work fast – their websites may be flagged, blocked or closed down rapidly – and need you to click without thinking. Banks just want you to get in touch – they won’t usually set a deadline.
Send you a link with a “new version” of your banking app
The new banking Trojan Hesperbot, discovered by ESET and reported here uses a malicious webpage to instruct users to enter their cellphone number and make, and attempts to install a malicious app that bypasses security systems. Your bank will not distribute apps in this way – instead, download from official app stores, and ensure yours is up to date. Advanced malware such as Hesperbot can compromise both PCs and smartphones, making it difficult for victims to tell if they are being scammed. “ESET products like ESET Smart Security and ESET Mobile Security protect against this malware,” says Robert Lipovsky, ESET malware researcher who leads the team analyzing this threat.
Use shortened URLs in an email
Cybercriminals use a variety of tricks to make a malicious web page appear more “real” in an email that’s supposedly from your bank – one of the most basic is URL-shortening services. Don’t ever click a shortened link, whether in an SMS or an email from your bank. Go to the bank’s website instead (the usual URL you use),, or call them on an official number (ie not the one in the email). A detailed ESET guide to phishing scams can be found here.
Send a courier to pick up your “faulty” bank card
The courier scam is a new one – your phone rings, it’s your bank, and they need to replace a faulty bank card. One of the new services they offer is courier replacement – and the bank tells you that a courier will arrive shortly to collect the faulty card. A courier turns up, asks for your PIN as “confirmation” – and your money magically vanishes. This scam has targeted thousands of people in some countries, especially the UK. If your card is faulty, a real bank will instruct you to destroy it, and send you a replacement by post.
Call your landline and “prove” it’s the bank by asking you to call back
A common new scam is a phone call from either “the police” or “your bank”, saying that fraudulent transactions have been detected on your card. The criminals will then “prove” their identity by “hanging up” and asking you to dial the real bank number – but they’ve actually just played a dial tone, and when you dial in, you’re talking to the same gang, who will then ask for credit card details and passwords.
Email you at a new address without warning
If your bank suddenly contacts you on your work address (or any other address than the one they usually use), this is not usually because they’ve thought, “Oh, it’s the working day, this is probably the best email to get him on.” Banks will not add new email addresses off their own bat. If you want to be ultra-secure, create a special email address just for your bank, don’t publish it anywhere, or use it for anything else – that way, emails that appear to be from your bank probably ARE from your bank. As ever, stay cautious.
Use an unsecured web page
If you’re on a “real” online banking page, it should display a symbol in your browser’s address bar to show it’s secure, such as a locked padlock or unbroken key symbol. If that symbol’s missing, be very, very wary. This is one reason why it’s best to browse an online banking page from your PC – on a smartphone browser, it can be more difficult to see which pages are secure.
Address you as “Dear customer” or dear “email@example.com”
Banks will usually address you with your name and title – ie Mr Smith, and often add another layer of security such as quoting the last four digits of your account number, to reassure you it’s a real email, and not phish. Any emails addressed to “Dear customer” or “Dear [email address]” are instantly suspicious – often automated spam sent out in vast quantities to snare the unwary.
Send a personal message with a blank address field
If you receive a personal message from your bank, it should be addressed to you – not just in the message, but in the email header. Check that it’s addressed to your email address – if it’s blank, or addressed to “Customer List” or similar, be suspicious.
Email you asking for your mother’s maiden name
When banks get in touch – for instance in a case of suspected fraud – they may ask for a password, or a secret number. What they won’t do is ask for a whole lot more information “to be on the safe side”. If you see a form asking for a large amount of information, close the link and phone your bank.
Author Rob Waugh, We Live Security