How does phishing work?
Phishing is usually done over email or instant messaging, and involves sending the user a link to a site where fraudsters can obtain the user’s data or infect their device with malware, which is software specifically developed to damage or gain unauthorized access to a computing system.
There is no one-size-fits-all defense against phishing campaigns as a malicious attack can come in all shapes and forms in the fast-evolving digital economy. Criminals can launch targeted phishing campaigns directed at employees, organizations, their customers or the general public. It’s a bit like a criminal marketing campaign.
In the same way that marketing is becoming more innovative and intrusive, phishing has become more targeted and effective.
All banks around the world are heavily targeted by fraudsters whose phishing practices have evolved to better compromise banking and financial information. One out of four phishing targets involves bank information and these attacks are becoming more and more frequent.
What are State Of Cards’ responsibilities to prevent phishing?
While it’s impossible to completely eliminate cyber crime at the hands of fraudsters, there are certain measures State Of Cards takes to fight off attacks and better protect your money and identity.
State Of Cards customer support agents will never ask customers by phone or in writing for the following details:
- Credit card number
- Card expiration date
- Transfer PIN
- Card PIN
State Of Cards meets both national and international regulatory requirements under the Swedish Money Laundering Regulations to ensure we are taking steps towards diminishing financial crime not only on our platform, but in the wider digital economy.
How do you protect yourself from phishing?
A phishing attack normally works by creating a false feeling of security. Most phishing emails or websites look just like real ones. The whole point is to fool you into giving away your access information.
Here are some important tips to protect yourself from phishing attempts:
- Do not share your bank login with anyone, even if the person claims to be a North Star employee.
- Choose an email provider that offers two-factor authentication as well as spam, malware and phishing filters and will display an alert if something looks suspicious.
- Copy and paste URLs from emails and check them before visiting.
- In particular, don’t click on a link in an email that asks you to perform an action that you didn’t initiate (reset password, validate your account…).
- Always check a link before clicking on it. Hover over it to preview the URL, and look carefully for misspelling or other irregularities.
Bank and finance company websites always use HTTPS. If you cannot see the green lock icon in the browser or the “https” prefix before the site’s URL, it’s likely that the site isn’t secure. Here is how State Of Cards should appear in different browsers.
Here are some clues indicating a phishing attack that is after your bank information:
- Messages with misspellings and typos, multiple fonts or oddly-placed accents.
- Messages that claim to have your password attached. A bank or finance company should never send you your password as an attachment.
- Mismatched links. Hover over a link and make sure the link actually goes to the place shown in the email.
- Messages asking for your personal information. If you’re a State Of Cards customer, we will never ask you for:
  - Your account password
  - Your social security number or tax identification number
  - Your full credit card number or PIN
How does smishing work?
In smishing, cybercriminals take advantage of the fact that people are sometimes more trusting of messages they receive on their phone than messages that reach them over email. But smishing attacks can be just as dangerous as email-based ones.
Smishing messages usually use something called social engineering to get you to reply or click on a link. Social engineering is a type of psychological manipulation that taps into feelings like fear, guilt, or greed, to convince people to engage with a message. The scammer will often create a sense of urgency, prompting victims to act without thinking in order to avoid perceived risks.
Common smishing scams
A smishing attack will most often look like a message from an organization you trust. This might be your bank, the government or tax authority, the police, or an insurance company. Scammers pretend to be from these organizations since they know people are more likely to trust them.
Here are three common smishing scams to watch out for:
- Bank smishing—This scam tries to get you to act by saying your bank account has been hacked, when in reality, this is the hacking attempt itself. It usually starts with a text message claiming to be from your bank. This message is designed to alarm you, perhaps telling you that your security has been breached, that there’s been an abnormally large transfer, or a new payment recipient has been added to your account. It will then encourage you to click on a link, call a phone number, or reply with your PIN or login details. Under no circumstances should you follow any of these instructions or prompts. Instead, ignore the message and contact your bank to verify your account status.
- Malware smishing—While not as common as bank smishing, malware smishing can be just as damaging. You may receive a text message encouraging you to download something onto your phone, like an app. This app may look like it’s from a trusted source, but it could be used to harvest sensitive data from your phone, like credit card details stored in other apps. These scams are commonplace over email, but have now been adapted for phones, too. Never download anything unless you are sure it’s from a trusted source.
- Money smishing—In this case, fraudsters will try to persuade you to send someone money. It might look like a plea for money from someone you know, like a friend, colleague, or family member. It could also look like a text from an important organization, like a tax collector, insurance broker, church, or the police. For these scams, social engineering plays a huge role. They’ll try to make you feel panicked or guilty, so you’ll be tempted to send money quickly before you can identify it as a fraudulent request. By the time you’ve realized the truth, the scammer may have already accessed your accounts. Be on alert for messages with these types of panic-inducing content, and know that this is usually a big indicator of suspicious activity.
How to spot a smishing scam
It’s important to take smishing scams seriously, but there’s no need to panic. There are ways to protect yourself and minimize risks. The first thing to look out for when trying to identify a smishing attack is a text from a number you don’t recognize. This text will most likely be asking you to:
- Send money to someone
- Click on a link
- Download an app or software
- Reply with your personal details, like your PIN, passwords, or email address
- Call another unknown number
Because smishing scams use social engineering techniques, if this text message makes you feel frightened or guilty, you should be on your guard. But fear isn’t the only motivator in social engineering—if someone messages you with an offer that sounds too good to be true, it probably is. If you get a message saying you’ve won a prize or contest you don’t remember entering, don’t share any information with the sender.
How to protect yourself from smishing
We receive so many messages that avoiding smishing scams might seem tricky, but there are ways to make it easier. Keep the following steps in mind to avoid falling prey to SMS fraud:
- Don’t reply or interact with a text from a number you don’t recognize. If it looks suspicious, delete it straightaway. Don’t even reply with ‘STOP’ or a similar message.
- If a text message has a link or phone number, don’t click on it. Instead, look it up separately with an internet search to see if it’s legitimate.
- Never share your PIN, passwords, or email address by text. Your bank will never ask for these details in this way, and neither would any other credible institution.
- Protect your phone number online. Try to avoid sharing your number on social media or public websites to prevent it from falling into the wrong hands.