Standard Chartered Bank - Online Banking - Security Tips - The reality of online threats
Online Banking

Security Tips

The reality of online threats

Suspicious email

Vishing

Phishing

Trojan Horses

Mule Operations

Types of emails that should be suspicious
Such emails include advance fee fraud and variants including lottery scams, employment scams and fund transfers. An advance fee fraud is a trick in which the target is persuaded to advance relatively small sums of money in the hope of realising a much larger gain. Typically, such scams begin with a letter-form email sent to many target recipients making an offer that will purportedly result in a large payoff for the intended victim. The stories behind the offers vary, but the standard plot is that a person or government entity is in possession of a large amount of money or gold. This person (who are fictional or characters impersonated by the scammer), for various reasons, is either unable to access the wealth directly or is no longer in need of it. The target recipients are promised a large share of the money or gold if they will assist the scammer in retrieving the money from holding and/or dispensing of it.

The lottery scam involves fake notices of lottery wins. The winner will usually be asked to send sensitive information to a free email account. The scammer will then notify the victim that in order to release the funds, some small fee (insurance, registration, shipping etc.) is required. Once the fee has been sent, the scammer will invent another fee and attempt to collect it.

The employment scam usually involves emails offering employment opportunities with extremely attractive terms and conditions. Generally, after the applicants have been "accepted", they will be asked to pay a fee either to process a visa or as a deposit on accommodation. (Source: Wikipedia) In general, caution should be exercised when the email asks for your confidential information or login details, or directs you to a webpage that asks for such information.

Top

How to spot a suspicious email
Typically, a suspicious email does not address the recipient personally. There may be spelling / grammatical errors in the email. As set out above, such email usually request for personal information. Further, the email address of the author of the email and return email addresses provided in the text of the email (e.g. xxx@standardchabnk.com) and the use of webmail are additional indicators that an email may be suspicious.

Top

What to do in the event you receive a suspicious email
If you do receive suspicious emails, do not respond or provide any information. In addition, do not click on any link contained in the email or provide any Internet or telephone banking login details. Please contact Standard Chartered by forwarding the suspicious email (with full email headers) and all attachments to group.webmaster@standardchartered.com.

As email programmes often display abbreviated headers (e.g. "Mr. X" instead of the actual email address, xxx@yahoo.com), please obtain the full email headers which sets out the specific route the message took. For more information on how to obtain the full email headers, you may wish to visit http://www.haltabuse.org/help/headers/index.shtml.

Top

What is Vishing?
Vishing is the term given to the practice of leveraging Voice over Internet Protoco (VoIP) technology to trick people into providing personal and financial details over the phone for financial reward, by pretending to represent real companies such as banks, which the fraudster then uses to achieve some financial gain. The term is a combination of "voice" and phishing. A "visher" is a person who perpetrates a Vishing attack.

Vishing exploits the public's trust of landline telephone services. Traditional land line services end in a physical location which is known to the telephone company, and is associated with a bill payer. With the advent of VoIP, telephone services may now terminate in computers, which make illegal acts easier to achieve than with traditional "dumb" telephony endpoints.( Source: Wikipedia )

A typical Vishing attack could follow a sequence such as described below:

  • The fraudster sets up an automatic dialler which uses a modem to call all the phone numbers in a given region.
  • When the phone is answered, an automated recording is played to alert the customer that his/her credit card has had illegal activity and the customer should call the recorded phone number immediately. The phone number could be a toll free number often with a caller identifier that makes it appear that they are calling from the financial company they are pretending to represent. Net phone technology makes it easy to fake the number someone is calling from.
  • When the customer calls the number, it is answered by a computer generated voice that tells the customer they have reached 'account verification' and instructs the consumer to enter their 16-digit credit card number on the key pad.
  • Once the customer enters their credit card number, the "visher" has all of the information necessary to place fraudulent charges on the consumer's card. Those responding are also asked for the security number found on the rear of the card.
  • The call can then be used to obtain additional details such as security PIN, expiry date, date of birth, bank account number, etc.
Top

How to avoid becoming a victim of Vishing
Take steps to protect your personal information and bank account. If you are called by a so-called "Bank" or an organisation purporting to be a "Bank", be aware of the following:

  • Legitimate banks would have knowledge of some of your personal details. Be suspicious of any call that appears to be ignorant of basic personal details like first and last name (although it is unsafe to rely on this alone as a sign that the call is legitimate). If you receive such a call, report it to your bank.
  • Do not call and leave any personal or account details on any telephone system that you are directed to by a telephone message or from a telephone number provided in a phone message, an email or an SMS especially if it is regarding possible security issues with your credit card or bank account. When a telephone number is given, you should first call the phone number on the back of your credit card or on your bank statement to verify if the number given is actually an office number of the bank.
  • Make sure you call your bank or the company that is the subject of the call to check that the call is legitimate before disclosing any personal information.
Top

Who are the intended victims?
Vishing calls are indiscriminate and randomly target people. The fraudsters are cunning and they may not know your real name nor any other real information about you but they will try to convince you to provide your account details. Because it is unlikely they know your name they tend to address their victims in vague terms, like "sir" or "madam".

Top

What to do in the event you receive a Vishing call:
If you do receive a suspicious call/email/phone message, please contact Standard Chartered Bank by using the contact number on your statement or on the back of your bank card.

You can also report the incident directly to your regional organisation who are set up to combat electronic incidents including fraudster acts such as vishing.

Top

Important points to remember

  • Standard Chartered Bank will never randomly call you requesting that you provide personal details including your PIN over the phone.
  • If you receive a suspicious call, report it by contacting Standard Chartered Bank on the number provided on your statement or on the back of your bank card.
  • If you have disclosed information verbally or via your phone key pad, immediately contact Standard Chartered Bank as above and the police
Top

What is Phishing?
Phishing is the term given to the criminal practice of sending random emails purporting to come from genuine companies such as banks and ecommerce organisations. The emails try to convince customers of those companies to disclose personal information on fake websites operated by criminals. The emails often contain emotive messages and claim that it is necessary to "validate" or "update" customer account information. The emails contain instructions to click on a link within the email which takes the recipient of the email to the fake website. Here all information entered is collected by the criminals. Information captured through Phishing may be used to perpetrate different criminal acts. Your funds may be stolen and used to finance other criminal activities such as human trafficking, drugs and prostitution and your identity may be cloned and other criminal acts undertaken in your name.

Top

How to avoid becoming a victim of Phishing?
It is important to remain vigilant and be suspicious of all unsolicited or unexpected emails you receive, even if they appear to originate from a trusted source such as Standard Chartered Bank. It is important to remember that Standard Chartered Bank will never ask you to reconfirm any personal information by clicking on a link in an email and visiting a website.

Top

The structure of a Phishing email - Who is the email from?
The structure of the Internet makes it relatively simple for criminals to create fake entries in the "From:" box of an email. This means that Phishing emails often look like they come from a real bank email address. Phishing e-mails often look like they come from a real bank e-mail adress.

Phishing e-mails often look like they come from a real bank e-mail adress.

It is important to remember that the email address you see in the "From" field may not be from the person or organisation that it claims. The message is also likely to contain odd "spe11ings" or cApitALs in the "Subject:" box - this is designed to bypass spam filter software and increase their chances of delivery to a potential victim.

Top

The structure of a Phishing email - Who are the intended victims?
Phishing emails are sent out randomly using bulk email lists. The criminals are cunning and whilst they may not know your real name or indeed anything else about you they will try to convince you to provide your account details. Because it is unlikely they know your name they tend to address their victims in vague terms such as "Dear Customer". The email may well include grammatical and spelling errors as it is likely that English is not their first language.

The email may well included grammatical and spelling errors as it is likely that english is not their first language.

Some emails may also contain a login form directly in the body of the email to add authenticity to the scam.

Top

Fake hyperlinks
As with forging email addresses in the 'From' box, it is also very simple to hide a hyperlink's true destination. This means that the link displayed in an email and anything which shows up in the status bar at the bottom of your email programme can be faked.

Links displayed in an e-mail and anything which shows up in the status bar at the bottom of your e-mail program can be faked.
Top

The Structure of a Phishing website - The URL
The criminals are clever and use a number of techniques to hide the true location of a fake website in the address bar. The website address may begin with the genuine site's domain name (eg: online-banking.standardchartered.com.hk), but unfortunately that is no guarantee that it points to the real site. Other techniques may include using addresses made up of numbers (IP addresses), registering a similar domain name, or even inserting an image of the real address into the browser window. To add credibility to their fake sites, many criminals create direct links from their pages to the genuine website.

Criminal use a number and techniques to hide the true location of a fake website in the address bar, such as using addresses made up of numbers (IP addresses).
Top

The Structure of a Phishing website - Pop-up windows
Another technique involves loading a genuine website into your web browser and then creating a fake 'pop-up' window over the top of it. Again this technique is employed by criminals to add credibility to the scam. When used you can see the real website in the background, however any information you type into the pop-up window will be captured by the criminals and used for their criminal purposes.

It is important to remember that you should always access your online banking account, by typing the address into a new window.

Top

What to do in the event you receive a Phishing email:
If you do receive a suspicious email, please contact Standard Chartered Bank by forwarding the suspect email to group.webmaster@standardchartered.com .

You can also report the incident directly to your regional organisation who designed to combat electronic incidents including criminal acts such as Phishing.

Top

Important points to remember

  • Standard Chartered Bank will never send you an email requesting for you to "verify" or "update" your password or any personal information by clicking on hyperlink and visiting a website.
  • Be cautious about all unsolicited emails and never click on hyperlinks from these emails and provide personal information.
  • To connect to Internet banking, open your web browser and type the address in yourself (http://online-banking.standardcharted.com.hk).
  • If you are in any doubt about the validity of an email, or if you believe that you may have disclosed information on a fake website, contact Standard Chartered Bank by sending an email to group.webmaster@standardchartered.com .
Top

What is a Trojan horse?
Trojans are a type of computer virus and their name is derived from the term 'Trojan Horse' from Greek mythology. They can be downloaded and installed on a computer without the computer owner's knowledge. Trojans are capable of performing sophisticated tasks; some variants can install a "keystroke logger", which will capture all keystrokes entered into a computer by a keyboard, others are designed to capture specific information entered at specific websites such as banks or ecommerce stores, either by keystroke logging or taking screen shots. As with Phishing, the information is then sent to the criminals over the Internet, however this time directly by your computer.

Criminals typically send out random emails containing emotive or intriguing messages in an attempt to lure people to click on a hyperlink contained in the email and visit a malicious website. These websites may contain Latent vulnerabilities various web browsers are exploited to download and install the specific Trojan.

It is important to remember to be cautious if you receive unsolicited emails from unknown sources and never click on hyperlinks in emails to visit unknown websites.

Top

How can I prevent installing a Trojan?
At present Trojans take advantage of vulnerabilities in web browsers. It is strongly advisable that you ensure your operating system and web browser remain patched with the latest version or security updates as issued by the vendor. Many of the patches are designed to prevent criminals from exploiting vulnerabilities in current software versions. It may also be worth reviewing your current choice of browser to one less popular as many of the Trojans are created to exploit vulnerabilities in the most popular browsers.

Using simple PC security routines such as ensuring you use up to date Antivirus software, installing a personal firewall (software or hardware based) and taking advantage of the latest security updates for your browser and operating system software will help to prevent infection by Trojans.

Top

Important points to remember

  • Be cautious about all unsolicited email (especially those from unknown senders) and never click on hyperlinks from these emails to visit unknown websites.
  • Install and keep updated Anti-virus software and run regular scans (once a week as a minimum).
  • Install and use a personal firewall (hardware or software based).
  • Install the latest security updates, for your browser and operating system.
  • Some criminals use emails to trigger the download and installation of Trojans when your email programme uses HTML (Hypertext Markup Language) to display the message - HTML settings allow you to view images in your emails. It is always safer to open all your emails in 'plain text' format.
Top

Suspicious emails
In addition to targeted emails requesting bank account details, the criminals behind Trojan emails often use emotive or intriguing subjects such as ('Typhoon Warning' or 'Your ISP account is expiring) to lure people into clicking a hyperlink from the email to visit an unknown website. By employing a good anti-spam filter you should be able to significantly lessen the chances of receiving Trojan related emails.

Top

Malicious Websites
These websites try to harm your computer by installing malicious programmes (malware) such as viruses, Trojans or Spyware. The websites themselves can appear to be completely benign as they install the malware in the background although you might notice your computer running slower than normal or you might notice your Internet connection is very busy.

Top

What are mules?
As the criminals behind these frauds are mainly located overseas they attempt to recruit "mules" or "money transfer agents" to launder the funds obtained as a result of phishing and Trojan crimes. Following recruitment the criminals transfer money from the stolen accounts to the mules and they in turn withdraw the money and make overseas payments normally using wire transfer services minus commission as payment.

The criminals recruit mules through a variety of methods including spam emails, by placing adverts on genuine recruitment sites and in newspapers. They have also been known to have approached people directly who have placed their CV's online.

Typically the criminals create fake companies or charities which they use to recruit for positions such as "shipping manager", "financial manager" or "donations manager". The offers give people the chance to earn money easily for a few hours work each week. The only requirements are usually that you have a bank account (often from a specific list) and a private Internet connection.

Top

How to avoid becoming involved in a scam
As with Phishing and Trojans, be wary of any unsolicited job offers or too good to be true offers. You should be particularly cautious of offers from companies or individuals located overseas, as it is harder to verify who they really are. You should make all reasonable effort to verify any company which makes you a job offer. This should include checking with the appropriate chamber of commerce or government office for corporate registrations or charity registrations. A simple search on Google with the company name or email address may also reveal whether the company is known to be a criminal front.

It is important to remember that by simply allowing someone to use your bank account to launder the proceeds of Phishing or Trojan activity you will be committing a criminal act. Mules are also the easiest part of the criminal organisation to identify.

Top

Mule recruitment campaigns
The adverts and offers may take a number of different forms. Criminals may copy a genuine company's or charities website and register a similar domain names to increase its legitimacy. There are common threads to the adverts; most will claim to be overseas companies or charities seeking representatives or agents to act on their behalf. You may find that the advert is written in poor English with simple grammatical and spelling errors.

In mule recruitement campaigns, criminals usually will claim to be overseas companies or charity seeking representatives or agents to act on their behalf. Criminals use internet addresses made up of numbers (IP adresses) to hide the true location of a fake website.
Top

How to report a mule scam
If you believe you may have disclosed your bank account details or received funds into your account as part of what you now believe may be mule activity, you should contact us at group.webmaster@standardchartered.com .

Top

Important Points to remember

  • Exercise caution if you receive unsolicited offers or opportunities for work, especially if the company is based overseas.
  • Attempt to verify the details of any organisation you are actively considering dealing with (including searching on the Internet for their name and reputation).
  • Never give your bank account details to someone you don't know or trust.
  • Contact at your local enforcement authority if you believe you may have become involved in or are a victim of mule activity.
Top