The former is known as “spam”, the latter “phishing”, and most people immediately reach for the delete button. But last week it emerged seven Bank of Ireland (BoI) customers had been conned out of a total of almost €115,000 after being duped into giving their bank details to online fraudsters, who cleared out their accounts.
The days when masked bank robbers stormed the counter yelling “stick ’em up” at terrified tellers have largely given way in developed economies to more sophisticated, technological approaches that net thieves millions of euros every year courtesy of customer naivety. Allegations of fraud and misconduct regarding online purchases made to Dublin’s European Consumer Centre quadrupled last year.
The message from banks remains clear: never disclose account details in reply to an unsolicited request whether it is online, via e-mail or over the phone. If such a request is received, it is almost certainly a hoax.
With card skimming seemingly under control — it was down 60% in the first quarter of 2006 against the final quarter of last year, according to the Irish Payment Services Organisation (Ipso), which runs the clearing system for Irish banks — AIB says phishing is now the main threat.
“Phishing is still the mass-market financial fraud,” said Sean Jevens, the head of e-channel development at AIB. “Our point of view is pretty simple. We never, ever, ever send our customers an e-mail asking them to click on a link and fill in their details. Do not follow the instructions in these e-mails. Just ring or e-mail us and let us know.”
Advertisement
According to Ipso, reliable statistics regarding the actual level of phishing here are hard to come by.
“It’s not that clear, as banks have to rely on customers informing them when they have received a phishing e-mail. But it is generally accepted that something like 2m e-mails are sent daily and up to 9% of people respond to them in the United States. But in practice, banks in Ireland anecdotally refer to a handful of cases where customers have actually been defrauded,” said Una Dillon of Ipso.
Customers need to be aware that if they get caught out from now on they may find themselves out of pocket. BoI appears to be taking a harder line with the latest cases, with the victims claiming the bank has refused to compensate them on the basis that they gave out their details themselves, through no fault of the bank.
“With all the information and warnings banks are sending out to their customers on this one, they need to ensure that the customers were genuinely unaware of the threat,” said Dillon.
In an effort to combat phishing, AIB has introduced a unique “code card” for every customer that contains a matrix of random digits.
Advertisement
“We asked ourselves how could we limit fraud even if people continued to click on phishing links. So now, for higher-risk actions when using online banking, such as transferring money, you need a random code from the card,” said Jevens. “It is a low-tech solution to a high-tech problem. There have been no AIB phishing incidents since it was launched.”
RaboDirect has given its Irish customers a device that generates a unique password every few seconds. This way, they have to input a different code every time they access their accounts.
Customers can also reduce the risk of fraud by keeping their online security software up to date in order to stave off keylogger viruses, which record a customer’s keystrokes while they are logged onto their bank’s website.
Phishing scams are not restricted to the customers of banks. Some people have reported receiving bogus e-mails that appeared to have come from PayPal, eBay’s online payment service, seeking their account details. Customers of the online auction site have also complained of receiving e-mails offering to sell them goods that they had previously unsuccessfully bid for, and requesting payment via Western Union money transfers abroad. eBay advises customers never to send money this way.
When purchasing goods online, customers are advised to ensure that they are in a secure website, which will be indicated by the presence of the prefix “https” to the site’s address, as opposed to the usual “http”.
Advertisement
Scam-savvy customers who sidestep phishing attempts are now also being targeted with a new type of deception, called “vishing”.
With this swindle, internet telephony VoIP (voice over internet protocol) customers receive voice messages claiming to be from banks, asking the customer to ring what appears to be a local number. When the number is dialled, an automated message from a bogus bank employee asks for the customer’s details, usually with the justification that their account security has been breached.
AIB customers should check out its new fraud alert centre at www.aib.ie/securitycentre for details on the latest phishing alerts and online scams. Ipso’s www.safecard.ie also keeps track of internet fraud news.