Receive a contact, supposedly from your bank, requesting personal information? The Bank of Portugal (BdP) has issued a statement explaining what you should do.
“You receive an email, message, or phone call allegedly from your bank, warning you that your account may be compromised or blocked and asking you to log in to recover access or share a code sent via SMS to your mobile. Be alert! You are likely facing a common form of phishing, an attack designed to capture your personal data“, warns the banking supervisor.
What is at stake?
#1 Contact from a supposed reliable entity
“The hacker contacts you by email, phone, or via social networks, posing as, for instance, a bank or another payment service provider, a public entity, or a service provider.
Sometimes, hackers use spoofing, which means copying phone numbers or emails and the appearance of official entities to be more convincing.”
#2 Creation of a credible scenario
“The hacker creates a seemingly legitimate reason to convince you to provide your personal data, such as home banking credentials, credit card information, or a code sent via SMS to your mobile (directly or by providing you a link to a fake, yet seemingly legitimate, page).
The reason may be related, for example, to the need to update personal data in home banking, to unlock your account due to detected suspicious activity, or to confirm your data to receive a certain transfer/refund.”
#3 Personalization and knowledge of the victim
“To gain your trust, the hacker, during the conversation, may show they know some personal details about you, such as name or address. These details may have been obtained illicitly or through your social networks, for instance.”
#4 Tone of urgency and intimidation
“Fraudulent contacts are typically made with a sense of urgency to quickly disclose personal data, without having time to think about the best way to act. Sometimes, negative consequences are mentioned if you do not comply, such as the blocking of your bank account.”
How can you protect yourself?
According to the BdP, you should follow these steps:
- Evaluate information requests carefully – “Evaluate all information requests carefully, regardless of the channel used for contact. Phishing attempts can occur via email, but also through text messages (smishing), phone calls (vishing), or via social networks.
Be cautious even if the contacting number or email address appears legitimate.
Check the sender’s address (and not just the name), the language, the type and tone of the language used, and the graphic presentation of the received message. Fraudulent messages often adopt a less formal presentation or language, with spelling or semantic errors, and are written to convey a sense of urgency to the reader.
Do not open and immediately delete suspicious emails.” - Protect your data – “Never disclose personal information or access credentials to your digital channels or authentication codes for transactions. A bank or another payment service provider would never request that kind of information via email, SMS, or phone.
Do not share personal or confidential information in unsolicited phone calls.
Do not enter confidential data and other personal information on sites whose authenticity is not assured.
Always type the website address of the entity you intend to access (for example, to access your online bank), rather than using an existing link in an email message, addresses saved in “Favorites” or in the “History”, or search engine results. Thus, you avoid accessing programs that allow the appropriation of confidential information or that redirect you to an internet page with the same appearance as the financial institution’s page, but false (“mirror page”).” - Consider before clicking – “Do not click on links, open QR codes, or download attachments included in messages without being sure that the source is secure. Some of these links may redirect you to fake pages or install malware on your device and compromise the security of your data.”
- Contact the entity in question using official contacts – “Even if you believe it is a legitimate contact, do not immediately disclose information and contact the entity in question using official contacts (and never using the contacts provided in emails, SMS, or received phone calls). In case of suspected fraud, immediately report the situation to your bank or another payment service provider through the usual channels and to the police authorities.”
The BdP also provides the following tips:
- If in doubt, do not share personal data;
- Contact your bank or another payment service provider immediately if you detect unauthorized movements in your account;
- If you are a victim of fraud, report the situation to the nearest criminal police authority (PSP, GNR, or PJ) or the Public Prosecutor’s Office.
