Have you ever received e-mails purporting to be sent from your bank which urged you, on the pretext of an urgent system upgrade, to click on an embedded hyperlink to access the bank’s Internet banking website and provide your sensitive personal and account information? These are what we call “phishing” e-mails. The term comes from “fishing”: fraudulent e-mails and websites act as “bait” in the hope of acquiring sensitive information such as logon IDs and passwords from potential victims. Phishing is typically carried out by fraudsters sending e-mails purporting to come from a legitimate institution such as a bank. Usually the e-mail recipient is prompted to click on an embedded hyperlink, which takes the recipient to a fraudulent website that looks very similar to the authentic one, thus tricking the recipient into disclosing sensitive information to the fraudsters.
Phishing e-mails and fraudulent websites are reported both locally and overseas. The number of phishing e-mail/fraudulent bank website reports received by the Hong Kong Monetary Authority (HKMA) reached a peak of 34 in 2004 and then declined after two-factor authentication was implemented in Hong Kong in 2005. Nevertheless, the HKMA still receives reports on phishing e-mails/fraudulent bank websites from time to time. For example, in 2010, we received 17 reports and in the first seven months of 2011, we received 14 reports.
It might not have been too difficult to spot some dubious signs in phishing e-mails of earlier generations, e.g. typing errors in the e-mails, or website addresses obviously different from the official ones. As fraudsters’ techniques have evolved, phishing e-mails have become more carefully crafted and the associated fraudulent websites can look almost indistinguishable from the official ones. In a recently reported case, it was also found that multiple channels were used by a fraudster to obtain sensitive information from a victim. An Internet banking customer first fell victim to a phishing e-mail and disclosed his sensitive information (including logon ID and password, contact details, etc.). He later received an SMS one-time password (OTP) sent from the bank to his mobile phone and also a telephone call from a person who purported to be a member of bank staff. Unfortunately, the victim disclosed the OTP to the caller and later found that funds in his bank account had been transferred to the fraudster’s accounts. It is believed that, with the information obtained from the phishing e-mail, the fraudster was able to log into the victim’s account and then initiate a fraudulent Internet banking transaction which required two-factor authentication. The victim was then tricked into disclosing the OTP sent to his mobile phone to the caller (the fraudster), who in turn completed the fraudulent transaction using the OTP, causing financial loss to the victim.
Bank customers should be reminded that banks in Hong Kong will NOT send e-mails to their customers with embedded links to the transactional websites and will NEVER ask customers for sensitive information such as logon passwords or one-time passwords, by e-mail, over the phone or in person. If customers receive requests purporting to be from bank staff for such sensitive information, they should refuse the requests and notify their bank immediately. This is the most straightforward approach for protecting oneself from fraudsters.
Internet banking customers should also continue to observe the normal security precaution of never accessing bank websites through hyperlinks embedded in e-mails, Internet search engine results or suspicious pop-up windows. This measure is also effective in safeguarding against cross-site scripting (XSS) attacks, which were the subject of a recent report in a local magazine. An XSS attack is typically carried out by fraudsters delivering an innocent-looking website address (i.e. a genuine address of a trusted website with some carefully crafted malicious code appended) to a victim through e-mail, or by posting it as a hyperlink on a dubious website. Upon clicking on the hyperlink, the malicious code may be executed in the victim’s web browser. As XSS attacks target the end user’s browser (without compromising the trusted website), the malicious code may be crafted, for example, to display an authentic-looking fraudulent website in the victim’s browser to trick the victim into disclosing sensitive information to it, or to steal sensitive information (e.g. cookies) from the victim’s computer. To avoid falling into the trap of an XSS attack, Internet banking users should NEVER click on hyperlinks to access their Internet banking account. Instead, they should connect to a bank website by typing the authentic website address into the address bar of the browser, or by bookmarking the genuine website and using that bookmark for subsequent access.
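To make the mechanism above concrete, here is an added example in JavaScript (not from this article, and not any bank’s code) showing why a “genuine address with malicious code appended” works against a page that copies part of the address into its output, and what the website operator must do about it. The page path, the `user` parameter name and the sample address are constructed for illustration.

```javascript
// Added example, not from the HKMA article: reflected cross-site scripting
// (XSS) and the standard server-side fix, output encoding.
// The path, the "user" parameter and the sample address are constructed.

// Encode the five characters that carry meaning inside HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable page: a query-string parameter is copied verbatim into the HTML.
// A link to this page really is "a genuine address of a trusted website", yet
// whatever follows "?user=" becomes part of the page the victim's browser runs.
function renderWelcomeUnsafe(requestUrl) {
  const user = new URL(requestUrl).searchParams.get("user") || "customer";
  return `<p>Welcome back, ${user}</p>`;
}

// Fixed page: the same parameter is encoded before it is placed into HTML,
// so the browser displays the crafted text instead of executing it.
function renderWelcomeSafe(requestUrl) {
  const user = new URL(requestUrl).searchParams.get("user") || "customer";
  return `<p>Welcome back, ${escapeHtml(user)}</p>`;
}

// Constructed sample: the host is the genuine one; only the query string is hostile.
const SAMPLE_LINK =
  "https://ebanking.example-bank.test/welcome?user=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

// Textbook canary for a review or a test suite: did raw markup reach the page?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderWelcomeUnsafe(SAMPLE_LINK));
  console.log("safe:  ", renderWelcomeSafe(SAMPLE_LINK));
}
```

The customer-side advice in the article (type the address or use a bookmark) works because the hostile part lives in the query string the fraudster supplies, not in the genuine host; the operator-side fix is to encode every value taken from the request before it is written into the page. Note that `escapeHtml` is correct only for text placed in an element body or a quoted attribute; values written into script code, URLs or CSS need the encoding appropriate to that context.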
Internet banking customers should also install a personal firewall and anti-virus software on their computers and keep such software up to date. They should avoid visiting, or downloading software from, dubious websites, and be very careful when handling suspicious e-mails with attachments from unknown senders. There are some useful tips on Internet banking security on our website.
Bank customers are also strongly advised to make the best use of the two-factor authentication provided by banks for Internet banking services. In particular, one of the important security measures is that banks are required to notify their customers immediately via an effective means (e.g. SMS message), with the transaction details, after completing an online high-risk transaction (e.g. transferring funds to an unregistered third-party account). Bank customers should verify the transaction details and notify their bank immediately if they discover any suspected unauthorised transactions. If their banks use SMS OTPs for two-factor authentication in Internet banking, customers should also verify the transaction details shown together with the SMS OTP and notify their bank immediately if any suspected attempt at an unauthorised transaction is detected.
As the technological landscape relating to the provision of Internet services is ever changing and fraudsters may become smarter over time, the HKMA will continue to monitor developments and trends in Internet banking services and to review and, if necessary, strengthen the relevant controls where appropriate.
Nelson Man
Executive Director (Banking Supervision)
23 August 2011