Attacks That Target Online Bank Accounts
Several types of electronic fraud specifically target online banking. Some of the more popular types are described below:
Phishing attacks use fake email messages from someone pretending to be your bank or other service. These emails ask you to provide sensitive information (name, password, account number, etc.) and provide links to a counterfeit web site. If you follow the link and provide the requested information, intruders can access your personal account information and finances. In some cases, pop-up windows can appear in front of a copy of a genuine bank web site. The real web site address is displayed; however, any information you type directly into the pop-up will go to unauthorized users. (In a similar scheme, called “Vishing,” a person calls you and pretends to be a bank representative seeking to verify account information.)
Malware is the term for maliciously crafted software code. Special computer programs now exist that enable intruders to fool you into believing that traditional security is protecting you during online banking transactions. Attacks involving malware are a factor in online financial crime. In fact, it is possible for this type of malicious software to perform the following operations:
- Account information theft: Malware can capture the keystrokes for your login information. Malware can also monitor and capture other data you use to authenticate your identity (for example, special images that you selected or “magic words” you chose).
- Fake web site substitution: Malware can generate web pages that appear to be legitimate but are not. They replace your bank’s legitimate web site with a page that can look identical, except that the web address will vary in some way. Such a “man-in-the-middle attack” site enables an attacker to intercept your user information. The attacker adds additional fields to the copy of the web page opened in your browser. When you submit the information, it is sent to both the bank and the malicious attacker without your knowledge.
- Account hijacking: Malware can hijack your browser and transfer funds without your knowledge. When you attempt to log in at a bank web site, the software launches a hidden browser window on your computer, logs in to your bank, reads your account balance, and creates a secret fund transfer to the intruder-owned account.
Pharming attacks involve the installation of malicious code on your computer; however, they can take place without any conscious action on your part. In one type of pharming attack, you open an email, or an email attachment, that installs malicious code on your computer. Later, you go to a fake web site that closely resembles your bank or financial institution. Any information you provide during a visit to the fake site is made available to malicious users.
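The counterfeit sites described above give themselves away in the web address, so a link that claims to lead to the bank can be checked before anyone follows it. The following is an added example, not part of the original article; the bank domain `examplebank.com`, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = "examplebank.com"  # hypothetical bank domain (assumption for this example)


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED):
    """Return (verdict, reason) for a link that claims to lead to the bank."""
    parts = urlsplit(url)
    # .hostname is lower-cased and excludes any "user@" prefix and port,
    # so it is the machine the browser would really contact.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "suspicious", "no host in URL"
    if host == trusted or host.endswith("." + trusted):
        if parts.scheme != "https":
            return "suspicious", "bank host but not HTTPS"
        return "trusted", "host is the bank's domain"
    if trusted in (parts.username or ""):
        return "suspicious", "bank name before '@', real host is " + host
    if trusted.split(".")[0] in host:
        return "suspicious", "bank name embedded in another domain"
    # Simplification: treat the last two labels as the registered domain.
    registered = ".".join(host.split(".")[-2:])
    if edit_distance(registered, trusted) <= 2:
        return "suspicious", "near-miss spelling of the bank's domain"
    return "unrelated", "host does not resemble the bank"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in ("https://www.examplebank.com/login",
                 "https://examplebank.com.account-verify.test/login",
                 "https://examp1ebank.com/login"):
        print(link, "->", check_link(link))
```

Only an exact match on the bank's own domain over HTTPS is accepted; everything else that merely resembles it is flagged for review.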
All the attack types listed above share one characteristic; they are created using technology but, in order to succeed, they need you to provide information:
- In phishing attacks, you must provide the information or visit links.
- With malware, you must be tricked into performing actions you would not normally do.
- You would have to install the malware on your computer either by running a program, such as an email attachment, or by visiting a web site through an email or instant message link. Then, you would have to submit your bank login information. Your financial information would be at risk only after you performed all these steps.
- With pharming attacks, you must open an email, or email attachment, to become vulnerable. You then visit a fake website and, without your knowledge, provide information that compromises your financial identity.