Monday, 18 March 2024 02:29

How can your bank passwords be stolen?

Written by Karla Gutiérrez

Banking credentials are among the most valuable assets people have: for cybercriminals, obtaining them means holding the key that opens a virtual safe and having their victims' money at their disposal.

To do so, they employ various techniques that, if they find unprotected, unsuspecting, or careless users, usually pay off. ESET, a leading company in proactive threat detection, reviews the 5 main techniques and how to protect yourself from the theft of sensitive and critical information.

ESET shares the five main strategies used by cybercrime to steal banking passwords, and how to protect yourself from these attacks:

1. Fake sites: Fraudsters use a URL that includes the bank's name and even looks like the official one.

The name of the site is often almost identical to the name used by the bank on its Twitter and Instagram accounts, with a minimal difference (it can sometimes be a single letter). In fact, a Google search can lead to these fraudulent sites that manage to appear among the first search results, often in the form of ads.

Once on the fake site, the aesthetics and design are identical to those of the official site.

To access the supposed home banking, the site includes fields in which victims must enter their login credentials, which end up in the hands of the cybercriminals.

Once the person enters their username and password, the site usually pretends to verify the data provided, while the cybercriminals log in with the stolen credentials on the bank's legitimate site.

Recently, two fake sites were identified that pretended to be the official website of Banco Itaú (a well-known entity with presence in several Latin American countries), with the aim of stealing the banking credentials of customers in Argentina and also in Brazil.

In cases like this, it is necessary to clarify that the bank is also a victim since its name is used to deceive its customers. In fact, on the official website the entity shares various tips to prevent people from falling into different types of fraud in its name.

Previously compromised sites: Another route used by cybercriminals is to first compromise sites in order to obtain users' banking credentials from there.

Cybercriminals can exploit a vulnerability in scripts or plugins that have not been updated, or security flaws that have not been discovered.

Thus, they can add a redirect from the victim site to the attacker's site, from which they can obtain the credentials.

Attackers often create a fake page within the official website, impersonating an entity. Once the victims are inside these fake pages, it is very likely that they will be asked to enter their banking data.

2. Malware: Malware has evolved by leaps and bounds, with different types of malicious code being marketed. Banking Trojans, with a strong presence throughout the region, have caused damage amounting to 110 million euros. Mekotio, Casbaneiro, Amavaldo or Grandoreiro are just some of the families capable of performing different malicious actions, but which stand out for impersonating banks through fake pop-up windows and thus stealing sensitive information from victims.

There are different ways in which cybercriminals can place this type of malware on their victims' computers: through phishing emails or text messages, through malicious advertisements, or through the compromise of a website that receives many visits (certain malicious code is automatically downloaded and installed on the computer as soon as the user visits the site). It can even be hidden in malicious mobile applications that pretend to be legitimate.

3. Phone calls: Since fraudsters are professionals in their field and often tell very convincing stories, they use social engineering to trick and steal sensitive information, such as bank passwords.

Attackers can reach the victim through mass phone calls, with the sole objective of achieving a more personal communication than through an email: this way the manipulation is easier to carry out. As an excuse for the call, they may cite a specific problem with the bank account or a fraudulent transaction associated with the victim. To supposedly resolve it, they will request personal information and the account passwords.

Another excuse used for this type of deception was the payment of a bonus by the Ministry of Social Development in Argentina (which involved asking for bank access details in order to deliver it), but there are also deceptions that include impersonating the customer service of a bank or recognized entity.

In fact, several banks warn about this threat on their websites and provide very useful prevention information for their users.

4. Fake profiles on social networks: Another common and very efficient tactic is to set up fake profiles on social networks (such as Facebook, Instagram, or Twitter), and from there carry out the scam that ends in obtaining banking access credentials from unsuspecting or uninformed victims.

There are multiple examples on Twitter and Instagram that show how fraudsters monitor the comments made by users with certain keywords or when they tag a verified profile. They take advantage of the urgency that these messages usually carry (they are usually complaints or some kind of inconvenience to be solved) and through these fake profiles (without verification mark) they send direct messages pretending to be the official account of the bank.

So much so that they use the same logo and a variation of the official name, and even offer the customer service contact or ask for a contact number. Finally, victims are contacted by fake customer service representatives who will try to extract information such as passwords, tokens, or other data to access and empty their accounts.

5. Scraping: Scraping, or "scratching", works as follows: once a person begins to follow the official account of a bank on social networks to make a query, cyber attackers immediately contact them privately, pretending to be the bank in question. If the victim responds to the message without verifying whether it is a real or fake account, the supposed advisor will ask for a phone number to continue with the query through that channel.

There they will use all the information available on social networks and the internet in general to make the victim believe that they are really a collaborator of the bank and that they are there to provide support. Once the victim trusts them, the supposed advisor will ask for the bank information, which will be used to empty the account.

ESET shares good practices that can significantly reduce the risk of becoming a victim of scams:

  • Verify the web address visited and confirm that it is the correct one.
  • Check that the website has a valid security certificate, signed by the company it claims to be.
  • Do not provide personal or financial information if you are not sure that the website is legitimate.
  • Do not divulge any details over the phone, even if the person on the other end sounds convincing. Ask where they are calling from and then call that organization back to verify. It is key not to use contact numbers provided by that person.
  • Do not click on links or download files from suspicious emails, social media messages, instant messaging (WhatsApp, Telegram), or text messages, or from unknown senders.
  • Always use security software to protect your computer against malware and other threats, and keep it updated.
  • Download applications from official stores, such as the App Store or Google Play.
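
The first practice above, verifying the web address, can be automated for the two cases described under fake sites: a name that differs from the official one by a letter or two, and the bank's name placed inside someone else's domain. The following Python is an added example, not code from ESET or the article; the domain `bancoejemplo.example`, the brand token and the distance threshold are constructed assumptions to be replaced with the domains your bank actually publishes.

```python
from urllib.parse import urlsplit

# Assumption: constructed values. Use the domains your bank actually publishes.
OFFICIAL_DOMAINS = {"bancoejemplo.example"}
BRAND_TOKENS = {"bancoejemplo"}
MAX_DISTANCE = 2  # tolerated typos before a name stops counting as a lookalike

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'official', 'lookalike', 'brand-in-url', 'unrelated' or 'invalid'."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less input
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    labels = host.split(".")
    for official in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain of the official domain.
        if host == official or host.endswith("." + official):
            return "official"
    for official in OFFICIAL_DOMAINS:
        # Compare the same number of trailing labels, so "login.<typo>" is caught.
        tail = ".".join(labels[-official.count(".") - 1:])
        if 0 < edit_distance(tail, official) <= MAX_DISTANCE:
            return "lookalike"
    # The bank's name embedded in somebody else's domain.
    flat = host.replace("-", "")
    if any(token in flat for token in BRAND_TOKENS):
        return "brand-in-url"
    return "unrelated"

if __name__ == "__main__":
    for u in ("https://www.bancoejemplo.example/login", "https://bancoejemp1o.example/",
              "https://bancoejemplo-seguro.example.net/", "news.example.org"):
        print(f"{classify(u):13} {u}")
```

Anything other than `official` deserves a second look before credentials are typed in; `unrelated` only means the host does not resemble the bank, not that it is safe.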

 

Translated by: A.M