Image by Gerd Altmann from Pixabay
The latest heartbreaking story I heard preyed upon a person's fear. Remember how your credit card provider calls you when it detects an unauthorized transaction? That was the scammer's entry point. The scammer called the unsuspecting victim and told her that they had detected unauthorized transactions amounting to an obscene sum and that they needed to cancel the transactions immediately, one by one. The victim said that the caller sounded legitimate: English-proficient, and there was even office background noise. The caller then told the victim that they would trigger OTPs to her account and that all she needed to do was read out each OTP, one after another, so that each transaction would be cancelled. And she did. At the end of the call, she was told not to use her credit card anymore as they would cancel it and send her a new card within 7 days. Right after the call, the victim thought of calling the bank's hotline, and that's when she found out that an obscene amount had been charged to her credit card. 😱 Though the victim explained to the bank that she had been scammed into those transactions (which were apparently even overseas transactions), she is still liable to pay for them, since she technically gave authorization by sharing her OTPs. 😭
Now let's take a step back and analyze the tell-tale signs that it was a scam.
When a bank calls you because it has detected unauthorized transactions, it will only ask you to confirm whether they are indeed unauthorized. If you say they are, the bank will block the transaction(s), tell you that your card will be cancelled because it has been compromised, and tell you that a new card will be sent within xx days. That's it. The scammer did all of this to mimic a legitimate bank call, except that he added elements a bank would never use.
A legitimate bank call (or any other communication initiated by the bank) will never ask you for any kind of personal or private information. The only time you are asked for personal information is when you are the one calling the bank's official hotline and need to prove that you are really the account holder. In the scam scenario above, the red flag was the request for OTPs, because an OTP is meant for the user alone. A One-Time Password (OTP) is a secondary security layer: if your password has been compromised, a third party still won't be able to access your account, because you are the only one who receives the OTP on your mobile phone.
But how is a scammer able to trigger OTPs to the account holder's phone? It means the scammer was either (1) able to log into the person's online account, usually with login credentials obtained through an earlier email or SMS phishing attempt (the phishing could have happened on a different day from the call), or (2) in the case of credit cards, already in possession of the 16-digit card number plus the 3-digit security code on the back of the card (to complete an online transaction, some banks require an OTP as a final confirmation step).
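To make the point above concrete, here is a small model of the server side of an SMS OTP step. It is an added example written for this post, not any bank's code; the account id, the five-minute validity window and the "three OTPs in ten minutes" threshold are all constructed assumptions. It shows two things: the verification step can only check that the code is the current, unexpired, unused one, so a code the account holder reads out to a caller is accepted exactly as if the holder had typed it; and, on the bank's side, a burst of OTP requests to one account in a short window (what the "cancel each transaction with an OTP" call produces) is a signal worth alerting on.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300        # assumption: an SMS OTP stays valid for five minutes
BURST_WINDOW_SECONDS = 600   # assumption: look back ten minutes for repeated OTP requests
BURST_THRESHOLD = 3          # assumption: three OTPs in that window is suspicious


@dataclass
class OtpRecord:
    code_hash: bytes   # keyed hash of the code; the plain code is never stored
    issued_at: float
    used: bool = False


class OtpService:
    """Constructed model of the server side of an SMS OTP step (not any bank's code)."""

    def __init__(self, now=time.time):
        self._now = now                          # injectable clock so the demo is deterministic
        self._pending = {}                       # account -> OtpRecord for the latest OTP
        self._issue_log = {}                     # account -> timestamps of every OTP issued
        self._pepper = secrets.token_bytes(32)   # server-side secret for hashing codes

    def _hash(self, code):
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, account):
        """Generate a fresh 6-digit OTP; in reality this is what the SMS delivers."""
        code = f"{secrets.randbelow(10**6):06d}"
        now = self._now()
        self._pending[account] = OtpRecord(self._hash(code), now)
        self._issue_log.setdefault(account, []).append(now)
        return code

    def verify(self, account, code):
        """Accept the code if it is the current one, unexpired and unused.
        Nothing here can tell whether the submitter is the account holder or
        someone the holder read the code out to over the phone."""
        rec = self._pending.get(account)
        if rec is None or rec.used:
            return False
        if self._now() - rec.issued_at > OTP_TTL_SECONDS:
            return False
        if not hmac.compare_digest(rec.code_hash, self._hash(code)):
            return False
        rec.used = True          # one-time: submitting the same code again fails
        return True

    def burst_alert(self, account):
        """Defender-side signal: many OTPs issued to one account in a short window."""
        now = self._now()
        recent = [t for t in self._issue_log.get(account, [])
                  if now - t <= BURST_WINDOW_SECONDS]
        return len(recent) >= BURST_THRESHOLD


class FakeClock:
    """Controllable clock for the walkthrough."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def walkthrough():
    """Replays the pattern from the story above and returns what the server sees."""
    clock = FakeClock()
    svc = OtpService(now=clock)
    account = "cardholder-1234"                # constructed account id

    code = svc.issue(account)                  # OTP lands on the holder's phone
    relayed_ok = svc.verify(account, code)     # caller types the code the holder read out
    replay_ok = svc.verify(account, code)      # same code submitted a second time

    stale = svc.issue(account)
    clock.advance(OTP_TTL_SECONDS + 1)
    stale_ok = svc.verify(account, stale)      # expired before anyone used it

    svc.issue(account)                         # third OTP within the window
    return {
        "relayed_code_accepted": relayed_ok,
        "replay_accepted": replay_ok,
        "expired_accepted": stale_ok,
        "burst_alert": svc.burst_alert(account),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough returns `relayed_code_accepted` as true: the server has no way to distinguish the holder from the caller she read the code to, which is exactly why the bank treats a shared OTP as authorization. The one-time and expiry checks protect against reuse and old codes, not against the holder handing the code over; the burst check is the kind of server-side signal that could catch the "one OTP per cancelled transaction" pattern.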
As scammers' tactics become more believable and prey on our emotions (so that even the smartest people can't think clearly while it is happening), we really need to learn how to protect ourselves.
Here are some ways to protect yourself:
Ways to protect your personal and private info:
- Never share your log-in credentials.
- Always secure your phone (as OTPs are sent on your mobile phone).
- OTPs are for your own use only - they are your secondary layer of security next to passwords.
- Always secure your wallet or where you keep your ATM and credit cards.
- For credit and debit cards, cover the 3 digits on the back of your card with a small strip of sticker, or tape a piece of paper over them (make sure, though, that the sticker or tape doesn't overlap the magnetic stripe). Just memorize the 3 digits or note them somewhere safe. As you know, anyone who has the 16 digits + 3 digits of your card can already use it to transact (as not all banks have OTPs in place).
- Avoid using public wifi hotspots when making online payments or accessing your bank accounts.
- Only use your credit cards and debit cards with reputable online sites and as an additional protection, don't save your card credentials in the site.
- If you want to check your bank account or make changes in your account, always log in via your mobile app or by directly going to your bank's website (never through a link sent via email, SMS or any kind of communication).
- Ignore all bank-related emails and SMS. Phishing attempts mimic the same email template your bank uses to look legitimate, so it's hard to tell at first glance whether an email is real unless you check the sender's email address and other tell-tale signs. For SMS, senders can mask the sender's name so it appears as your bank's name, so it's also difficult to tell. Not everyone is tech-savvy enough to detect phishing attempts, so my general advice is to just ignore all bank-related emails and text messages. Ignore them even if the email says your account is about to be deactivated, that there have been unusual log-in attempts, that they detected unauthorized transactions, that you need to change your password, that you are entitled to some rewards, etc. The primary objective of all these emails is to get you to click a link (which leads to a landing page that looks exactly like your bank's website but is a fake). If you're worried that what the email says may be true, call your bank's hotline or log in to your account via the mobile app or by going directly to the official website (but never, ever by clicking a link from an email, SMS or any other means of communication).
- Never, ever click a link or open an attachment from a bank's email or SMS. File attachments may contain malware which, once opened, can infect your device and steal personal info or gain access to your accounts. Even for emails where the bank sends you your statement of account (SOA), instead of opening the attachment, just log into your mobile app or the website to access your SOA. For interesting deals you see in emails or SMS, likewise go to the website to find out more.
- As a general rule, always remember banks would never lead you to a landing page where you are asked to log in to your account or any landing page that asks you for any kind of personal information or account-related information.
- If you get a call from someone who claims to be from your bank, just find out what the issue is about and immediately end the call. At most, you can confirm whether the transactions in question are authorized or not, but that's about it. If the caller asks for any other info, end the call. Don't give any kind of personal info or account-related info. Some scam callers may also send you a link by email or SMS while you're on the call, asking you to log in and/or input your OTP. Ignore all of those and end the call. Instead, right after the call, call your bank's hotline to verify whether there is an issue with your account. Make sure to save all your bank's official hotlines on your mobile phone so it's easy to call them even when you're in panic mode. Never trust a hotline number featured in an email, as that could also be fake.
- As a general rule, banks would never collect any of your personal information in a phone call initiated by the bank.