Phishing text/email errors

Phishing, smishing, vishing and spoofing are terms that have been with us for a very long time. Criminals use these various forms of attack most often to trick us into handing over login details for electronic banking. They have one thing in common, however: when we read about them, about the details and scenarios of how they were carried out, we wonder how something like this could have happened at all.

Under today’s article on Niebezpiecznik.pl warning against one such attack, there is an interesting comment that gives food for thought.

Speaking of language errors in the message, I once came across an article that suggested that those who would catch these errors and pay attention to them would catch the ruse at a later stage anyway. Criminals do not pay to correct the spelling because it also acts as a filter: it sifts out the people on whom the criminals would otherwise waste their time. Only those who believe everything remain.

Indeed, as far as I remember, all such attacks were usually accompanied by numerous language errors, which should alert the potential victim already at the stage of reading the message. That is why banks and other institutions, in their information and educational campaigns, keep urging customers to pay attention to the content of messages and to the links they open from them.

But what if these mistakes are made intentionally? What if those language errors are a weapon, not a sign of criminal ineptitude? I do not want to believe that in at least a decade the criminals never came up with the idea of constructing these attacks in flawless Polish. Google Translate or DeepL would certainly be able to handle it. Besides, it is not a given that these attacks come only from criminals abroad. Criminals fluent in Polish can also make such mistakes on purpose, precisely for the reason the Niebezpiecznik reader points out.

Today, the UOKiK website published information about charges against four more banks in Poland which, following such attacks, did not return the stolen funds to the victims on the next business day. The President of UOKiK explains these charges as follows:

The law defines the obligations of payment service providers, e.g. banks, when a consumer reports to them that a transaction has taken place to which they did not consent. In such a situation, the bank should return the money to the customer on the next business day, unless it has a reasonable suspicion that the consumer has committed fraud and reports it to law enforcement authorities, or if more than 13 months have passed since the transaction.

Where does this rule come from? The President of UOKiK further explains:

For many years, this construction of regulations has been aimed at mobilizing the sector to continuously improve the level of security of funds in bank accounts.

So I wonder what else banks would have to do to protect people like this, who do not even pay attention to the content, the links and the numerous errors in phishing emails?

Logging in to online banking, adding a trusted recipient, making a transfer to an unknown account or other significant changes to the account: all of this requires additional authorization, either with SMS codes or with mobile authorization on a smartphone in the bank’s mobile application.

However, these safeguards are useless, because such victims hand them over to the criminals anyway. Let us look at the attack scenarios provided by UOKiK, as a result of which banks rejected the complaints:

Consumer 1, a nurse, was abroad on her way to the airport when she received a call from a scammer who introduced himself as an employee of her bank’s technical department and informed her about hacked transfers detected in her account. The number of the bank branch was displayed on her phone. The scammer demanded that she send the “essential” text messages to cancel the transfers.

There is no information here about the content of these text messages, but since all the money was taken from her account and her details were used to take out credit, I presume that she provided the login details for her electronic banking; given the consequences, I do not see any other possibility.

Consumer 2 put items up for sale on a website. He received an e-mail saying that the money from the sale was ready for collection. He clicked on the “receive funds” icon and was redirected to the bank’s website, which, as it later turned out, was fake. He received an SMS with a code that he was supposed to enter in online banking. When he learned from another SMS that he was adding a virtual card in online banking, he realized that something was wrong with his account.

A typical e-mail phishing attack: the victim clicks the link in the message, lands on a fake copy of the bank’s website and enters the login and password; the criminal enters the same on the real bank’s website. As usual, an SMS with an authorization code arrives from the bank on the victim’s phone; the victim types it into the fake site and the criminal types it into the real one. The code is genuine and the bank sees a correct session, because the whole exchange is relayed in real time.
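The relay just described, written out as a small simulation. This is illustrative code added to this translation, not code from AntyWeb, UOKiK or any bank; the origins, user name, password and keys are all constructed. It goes one step beyond the paragraph, and also speaks to the later question of what other safeguards a bank could add: alongside the session-tied SMS code it models an origin-bound second factor in the style of WebAuthn (simplified here to an HMAC over the challenge and the origin instead of a public-key signature), to show which property the SMS code lacks.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the simulation; neither is a real bank domain.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.net"   # look-alike the victim is actually on


def sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for an authenticator signature: a MAC over the challenge AND
    the origin the browser reports, so the origin cannot be swapped afterwards
    without invalidating the response (simplified WebAuthn, assumption)."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class Bank:
    """Real bank backend with two second factors: an SMS code that is only
    tied to a session, and an origin-bound challenge/response."""

    def __init__(self):
        self.passwords = {"alice": "correct horse battery"}   # constructed user
        self.auth_keys = {"alice": secrets.token_bytes(32)}    # registered authenticator
        self.sms_codes = {}    # session -> 6-digit code texted to the customer's phone
        self.challenges = {}   # session -> random challenge for the bound factor

    def login(self, user, password):
        if not hmac.compare_digest(password, self.passwords.get(user, "")):
            return None
        session = secrets.token_hex(8)
        self.sms_codes[session] = f"{secrets.randbelow(10**6):06d}"
        self.challenges[session] = secrets.token_bytes(32)
        return session

    def verify_sms(self, session, code):
        # Proves only that whoever runs this session can read the customer's
        # phone; it says nothing about which website the customer typed it into.
        return hmac.compare_digest(self.sms_codes[session], code)

    def verify_assertion(self, session, user, origin, mac):
        if origin != BANK_ORIGIN:          # browser reported a different site
            return False
        expected = sign(self.auth_keys[user], self.challenges[session], origin)
        return hmac.compare_digest(expected, mac)


class Authenticator:
    """Victim-side device. It never sees the attacker; it simply binds every
    response to the origin the browser tells it the page is on."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge, browser_origin):
        return browser_origin, sign(self.key, challenge, browser_origin)


def legitimate_login(bank, user, password, authenticator):
    session = bank.login(user, password)
    origin, mac = authenticator.respond(bank.challenges[session], BANK_ORIGIN)
    return bank.verify_assertion(session, user, origin, mac)


def relay_attack_sms(bank, user, password):
    """The scenario from the text: the victim types into the fake page and the
    criminal retypes into the real one, in real time."""
    session = bank.login(user, password)          # criminal's session at the real bank
    code_on_victims_phone = bank.sms_codes[session]   # bank texts the real customer
    # Fake page: "enter the code you just received". Victim obliges, criminal relays.
    return bank.verify_sms(session, code_on_victims_phone)


def relay_attack_origin_bound(bank, user, password, authenticator):
    """Same relay against the origin-bound factor. The victim's browser is on
    PHISH_ORIGIN, so that is what gets bound into the response."""
    session = bank.login(user, password)
    challenge = bank.challenges[session]          # criminal forwards it to the fake page
    origin, mac = authenticator.respond(challenge, PHISH_ORIGIN)
    forwarded = bank.verify_assertion(session, user, origin, mac)        # origin mismatch
    relabelled = bank.verify_assertion(session, user, BANK_ORIGIN, mac)  # MAC covers origin
    return forwarded, relabelled


if __name__ == "__main__":
    bank = Bank()
    auth = Authenticator(bank.auth_keys["alice"])
    print("legitimate login:", legitimate_login(bank, "alice", "correct horse battery", auth))
    print("SMS code relayed:", relay_attack_sms(bank, "alice", "correct horse battery"))
    print("origin-bound relayed (as-is, relabelled):",
          relay_attack_origin_bound(bank, "alice", "correct horse battery", auth))
```

The SMS relay succeeds because nothing in the code records where the customer typed it; the bound factor fails both when forwarded unchanged (wrong origin) and when the criminal rewrites the origin (the MAC no longer verifies). A production implementation would additionally make each challenge single-use and, as the later scenarios show, still has to cope with a customer who reads the operation described in the authorization message only after confirming it.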

Consumer 3, in a very difficult financial situation and just starting paid extramural studies, decided to sell a coat on one of the portals. During this transaction she was deceived by a criminal who swindled her login details out of her (she was convinced they were necessary to complete the transaction) and got into her online banking.

The victim provided all her login details, believing they were necessary to complete the transaction. Again I wonder: how is the bank supposed to protect such a victim from the effects of such an attack? What other safeguards should it implement?

I am afraid that over time banks, faced with the obligation to return funds and with the penalties imposed, will be forced to go back to offering their services in the model known from before the smartphone era. We will have to arrange everything at bank branches, or before each online transfer the bank will call us to make sure we really want to make the transaction. We can forget about online loans, opening accounts or transferring them without visiting a branch.

Of course, behavioral biometrics is also on the horizon, i.e. identifying customers by the way they use the keyboard or mouse. However, mBank has been working on it since 2018 and nothing has been heard about a final rollout yet.

Moreover, when recently introducing behavioral biometrics for card payments, mBank stipulated that customers who do not consent to the collection of biometric data will have to switch from SMS codes to mobile authorization. So this is something of a change and a return to the starting point, i.e. the only proven method (at least for most customers): mobile transaction authorization.

Collecting biometric data and obtaining consent to it is one thing, but it is also a potential problem: changing the computer, keyboard or mouse changes the way one types, which the algorithms have to learn anew, blocking a real customer’s account along the way. In addition, we spend most of our time on a smartphone, where behavioral biometrics has not yet been introduced. I have seen tests of it, and they were effective, but only for a desktop computer with a physical keyboard and mouse and online banking in the browser.

To sum up, I do not see a sensible solution to this situation today. The police can do little: they accept reports, but warn that stolen funds will be difficult to recover. Even if it was an organized crime group and they manage to break it up, its members end up in prison and the customers still do not get their stolen money back. That is why UOKiK is trying to recover it from the banks with its own interpretation of EU regulations (more about that here), which as a result may affect all of us, unfortunately in terms of convenience and the introduction of modern payment solutions, which not all customers are able to use safely.

Source: UOKiK.


Source: AntyWeb by antyweb.pl.
