My bank sent me an email recently warning of an increase in phishing attacks. Today I heard a director of the bank talk about the attacks on the radio, stating that the fake website targeting their users asks not only for account number, PIN, password etc., but also for the user’s email credentials – and reportedly, users are falling for this!
These credentials are requested because the internet banking system sends out a one time password (OTP) via SMS or email when certain transactions are conducted – so if the attacker can own your inbox as well as your login, they can transfer all your money to an account of their choosing.
However, I disagree with the bank’s advice. The email stated:
Remember, it is safer to type Standard Bank’s web address (www.standardbank.co.za) into your browser instead of clicking on a link in an email.
For sure, don’t click on a link in an email to get to your internet banking – but typo-squatters are just waiting for you to mistype such an important URL, and if you got it wrong, would you notice if the site looked just the way you expected it to?
My advice, for all important websites: The first time you go there, type the address – and make very sure you are on the right site. Then bookmark it, and only use the bookmark to get there. This will avoid the risk of spelling it wrong when you are a bit more relaxed and ending up at a fraudulent site.
Even better: Use the petname plugin for Firefox. This will clearly show you if you are visiting the same site (with the same SSL certificate) as you visited before.
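To make the petname idea concrete, here is a small added example (written for this post, not the code of the Firefox plugin or of the bank): a store that, on the first carefully checked visit, ties a user-chosen nickname to the site’s hostname and the SHA-256 fingerprint of its certificate, and on every later visit reports whether this is the same site and certificate as before. The class, function names, the JSON layout and the certificate bytes are all assumptions; the certificate bytes and the lookalike hostname are constructed for the demonstration.

```python
import hashlib
import json
from typing import Dict, Optional, Tuple

# Hypothetical petname store (assumption, not the plugin's format): maps a
# user-chosen nickname to the site identity recorded on the first, hand-verified
# visit, i.e. the hostname plus the SHA-256 fingerprint of its DER certificate.


def fingerprint_of_der(der_cert: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate. This is the value a
    browser shows as the certificate's SHA-256 fingerprint, without colons."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_host(hostname: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.Example.com.' and
    'www.example.com' compare equal; nothing else is tolerated, so a
    one-letter typo is a different host."""
    return hostname.strip().lower().rstrip(".")


class PetnameStore:
    def __init__(self) -> None:
        self._by_petname: Dict[str, Tuple[str, str]] = {}  # petname -> (host, fp)
        self._by_host: Dict[str, str] = {}                  # host -> petname

    def remember(self, petname: str, hostname: str, fingerprint: str) -> None:
        """First visit: the user has typed the address, checked the site by
        hand and gives it a name. Only then is the identity recorded."""
        host = normalize_host(hostname)
        self._by_petname[petname] = (host, fingerprint)
        self._by_host[host] = petname

    def check(self, hostname: str, fingerprint: str) -> Tuple[str, Optional[str]]:
        """Later visit. Returns (status, petname) where status is one of:
        'known'               same host and same certificate as before
        'certificate_changed' host is named, but the certificate differs
        'unknown_site'        host was never named (e.g. a typo-squat)"""
        host = normalize_host(hostname)
        petname = self._by_host.get(host)
        if petname is None:
            return ("unknown_site", None)
        _, stored_fp = self._by_petname[petname]
        if stored_fp != fingerprint:
            return ("certificate_changed", petname)
        return ("known", petname)

    def to_json(self) -> str:
        """Serialise the store so it survives between browser sessions."""
        return json.dumps(self._by_petname)

    @classmethod
    def from_json(cls, data: str) -> "PetnameStore":
        store = cls()
        for petname, (host, fp) in json.loads(data).items():
            store.remember(petname, host, fp)
        return store


if __name__ == "__main__":
    # Constructed sample certificate bytes, standing in for real DER data.
    bank_cert = fingerprint_of_der(b"constructed DER certificate A")
    store = PetnameStore()
    store.remember("My bank", "www.standardbank.co.za", bank_cert)
    print(store.check("WWW.StandardBank.co.za.", bank_cert))
    # Constructed lookalike hostname: never named, so it is flagged.
    print(store.check("www.standardbank-login.example", bank_cert))
```

Two points worth noting from the design: the hostname comparison is exact after normalization, so a lookalike domain can never inherit the nickname no matter how closely it resembles the real one, and a `certificate_changed` result is a prompt to re-verify rather than proof of fraud, because banks do renew certificates legitimately.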