‘How phishing emails target banks accounts, e-payment channels’

ACTIVITIES of cybercriminals appear to be on the upward swing, as fraudsters continued to make several attempts at getting unauthorised access to peoples’ bank accounts and other electronic payments platforms.

Checks by The Guardian showed that customers of some top commercial banks in the country, including Zenith Bank, Guaranty Trust Bank (GTB), United Bank for Africa (UBA) and Access Bank, are currently being bombarded with suspecting electronics mails targeted at their daily Internet banking activities, which are purported to have been sent from their respective banks, by so doing making them vulnerable to cyber attacks.

Already, a Nigeria Interbank Settlement System Plc (NIBSS) 2014 report, informed that there were 1, 461 cases of fraud last year involving N7.7 billion-attempted value. But that about N6.2 billion were actually lost to e-fraud.

The fraud is projected to come through several scam mails, technically called phishing, which are being received on a daily basis by customers of some of the banks. Phishing emails try to trick user into revealing some personal information. They look like they are from a legitimate source, such as the bank, Google or Yahoo, but they’re not.

The scam emails are aimed at luring unsuspecting bank customers by asking them to open a link to either update their online banking profile or change their Personal Identification Numbers (PINs).

According to one such scam email purportedly sent by Access Bank, through AccessOnline, the scam mail reads: “Dear Customer, we got a request to reset your AccessOnline password and if you did not make this request, kindly follow the below link (provided in the email) to cancel the password request on your online account.”

Also, the target customers receiving the scam email are also told: “If you made this request, kindly follow the below link to proceed with the password request on your online account.”

There was also another, purported to have been sent by Access Bank, which goes thus: “Dear Customer, This is a confirmation that the password for your AccessOnline account has just been changed, If you didn’t request or make this password change, Kindly follow the secured link https://ibank.accessbankplc.com/RetailBank/ for security purpose.

If you made this password change kindly follow this link to review your account information https://ibank.accessbankplc.com/RetailBank/” The one from Zenith Direct, Zenith Bank’s online platform, customers are told that a beneficiary has been added to their online account and that they should click a link if they have not authorized such a beneficiary.

“Dear customer, the beneficiary with the details below was successfully added to your Internet banking profile: Beneficiary name: Essien Samuel; beneficiary account: 6075971165; beneficiary bank: Keystone Bank. If you did not add the beneficiary, kindly follow our site below to suspend/de-activate unauthorized access on your account.”

The scammers, thus, provide a Universal Resource Locator (URL) link, which the unsuspecting customers are implored to click to go and ‘de-activate the beneficiary.’ It was also gathered at the weekend that a similar phishing emails are being received by UBA customers too, asking them to update their online banking profiles.

A Senior Management staff of Access Bank, who preferred anonymity, told The Guardian that the bank was not the one sending such emails, saying that they were being sent by online scammers, with the intent to defraud their unsuspecting targets.

She said that Access Bank, like other banks too will not advice their customers to change their PIN online or reveal some vital information in the cloud, “we have times without number told our customers that Access Bank will not ask them to change their PIN online or send such mails that would warrant them revealing vital information that can make them vulnerable to attacks from fraudsters. Not even now that access to Internet is high.”

She said banks would need to continually engage in public enlightenment on the need for their customers to always disregard such spurious emails that are usually presented as though the banks were sending them. “Once a customer gets this kind of email, he or she should know that it is not from their banks but from scammers,” said a source at one the banks.

Speaking on the issue, Google West Africa’s Communications and Public Affairs Manager, Taiwo Kola-Ogunlade, said Phishing emails try to trick people into revealing personal information.

Ogunlade said through phishing, the type of information targeted from customers include; demographic; personally identifiable information (Those that can be used to identify, contact, or locate a person or can be used with other sources to uniquely identify a single individual.

Name, address, phone number, social security, birthday, birthplace, credit card information, account numbers); behavioral (purchasing habits, websites visited, credit card transactions), among others.

The Google Chief, explained that customers information are collected atimes, unknowingly when they provide information to a website; cookies; HTTP header; links clicked; server logs; tracking codes; websites; third-parties (advertisers or service providers); shopping carts; location data; ISP data; web activity; information hi-jacked on unencrypted websites.

On what can be done, especially o such scam emails, Ogunlade explained that users must verify the real sender of an email in Gmail; click the drop-down next to the “Reply” button; click show original; make sure the “From” address and the “Reply-to” address match and check that the address on the “Message-id” also matches the “From” address domain.

Speaking on the development in an Interview, Executive Secretary, Electronic Payment Providers Association of Nigeria (E-PPAN), Mrs. Regha Onajite, called for increased awareness of the antics of scammers in the nascent electronic payment region.

Onajite urged banks to also invest in customer enlightenment initiative, saying that banks are also liable in some cases, where the customer’s money deposited with them is taken by scammers, depending on the circumstances.