How safe is online banking?

Online banking is safe with the proper precautions. The following sections detail types of fraudulent attacks you may encounter, safety steps for online banking as well as ways your personal and business information may become compromised.

Phishing Email: Many attackers get into a bank account by tricking a user into thinking they are logging into their bank account when in fact they are not. This technique, known as phishing, is often done by e-mail. Phishing emails are sent by fraudsters who pose as genuine companies such as a bank, PayPal or HMRC. The email informs you that you need to change your online information, verify a purchase, or something else that requires you to log into your bank account via a link in the e-mail. Clicking on the link takes you to a fake website that records your account information. Here, fraudsters steal your financial or personal details to use for their own gain.

Phishing Malware: Untrusted links in an email can install malicious software (‘malware’) on your computer as another way to capture your personal and business details. Criminals can steal your password by tricking you into installing a program on your computer that records what you type in. For example, a warning sign that states Your computer is compromised. Click on this link to fix it. The next time you log into your online bank account, the malware program secretly records your password details. It then sends them to a fraudster over the internet who can then access your bank account.

Vishing / SMiShing (Telephone Fraud / SMS text fraud): Fraudsters call and pretend to represent the police, debt collection agencies, late payment notifications, a bank’s fraud department etc. They may warn that your account has been compromised to trick you into moving your money somewhere safe. Some tell you to call a genuine number for your bank to ‘verify’ the call, play a dial tone while they stay on the line, and then pose as your bank. This way they obtain your sensitive personal and business information and can access your funds. Alternatively, they may use spamming software to spam text numbers with urgent messages, and collect responses that confirm the user’s identity which are then used for fraud.

Phishing: can be avoided by NEVER clicking on a link to visit your online bank. Instead, if you need to log into your bank, always visit it through a bookmark created in your browser or by typing your bank’s URL directly into the address bar. Make sure the page is secure when entering data. Look for a web page that encrypts data; it has a small padlock icon (Internet browser security ‘lock’) either in the bottom corner of the window or next to the address bar. The URL will start with https:// instead of http://. If you can’t see this, your data is not secure; anything you enter into the page could be captured and read by a criminal. When you visit your online bank login page, make sure you see this ‘lock’ before you enter your username and password. If you do not see this ‘lock’, do not log into the website.

Vishing: can be avoided when you are aware of your bank’s practices and challenge the caller with sceptical questions. A common sense approach is the best protection against such calls. If a caller pressures you to give your bank account details or to move money using fear-based messages (for example, Your account has been compromised you must challenge them. If prompted for personal information, ask for the name of the company conducting the call (not who the call is being conducted for) and request the contact information of its fraud department. If you are not satisfied simply hang up. If you want to double check the caller is genuine, hang up and ring your bank/card company directly using the numbers given to you when you originally opened your account or obtained your bank card(s), cheque or paying in books.

SMiShing: operates in a similar way to vishing, except the fraudster spam texts a large number of phone numbers with fear-based messages (for example, Call your bank on 123-456-7890 about a recent unauthorised transaction on your account). Do not respond to such texts from unrecognised numbers: even a brief message from you confirms your telephone number. This number can then be used as a means of identification. A criminal could then pretend to be you and conduct a fraudulent attack against you and your bank account(s). If your phone has the ability to block or report such texts as spam, use this functionality to help reduce SMiShing attacks.

Business Networks
For most business users BFC Bank suggests to only log into your personal online portal while at home on your own trusted Wi-Fi network. Your place of work can install keyloggers or use other methods of monitoring you while online. Someone who has access to this information could access these logs that can contain all keystrokes including usernames and passwords.

Wireless network
When on a wireless network it is important to understand that all information sent to and from your computer to the wireless router can be intercepted and read by someone nearby. Ensure your home network is secure and password protected from any intruders. If you need to log into your online portal while on a wireless network, make sure the network you are connected to is secure using WPA (Wi-Fi Protected Access). This is particularly true of public access wireless networks (for example, in a coffee shop or library) where you should be even more vigilant.

The password you use to log into your online bank account should be strong and difficult to guess. This means is that it should not be something easy for someone else to know such as your mother’s name, your street name, or your birthday. Your banking password should have a mixture of numbers, special characters, and upper/lower case. Never write your password anywhere.

Make sure your computer is protected and follow good practices

Finally, it is always a good idea to keep your computer protected. Trustworthy security software will protect your computer against the installation of malware. You will also be protected against the installation of malware if you do not open any unexpected email attachments and avoid downloading files from websites that you do not trust. When an attacker attacks or infects a computer they could install a key-logger that logs each keystroke you enter. These can capture your username, password, and other confidential data. Ensure you have effective and updated antivirus/antispyware software and firewall running before you log in to your bank account.

Be aware of ‘shoulder surfers’ viewing your screen.

Never send usernames, passwords, etc. through e-mail. No bank will ever request you to send personal information over e-mail. Never send or share your username, password, PIN, account information, credit card, etc. over e-mail or on the phone. E-mail is unencrypted and if intercepted by a third-party could be read. It is also often stored on a server; if that server was to become compromised the attacker could read that e-mail with your personal information. Remember your bank would never ask for your full PIN or passwords.

Also visit:
The Global Anti-phishing Working Group

Identity Theft website