Date: 2023-11-02

As of: October 30, 2023, 9:59 a.m.

Online banking has become an integral part of our everyday lives. Fraudsters take advantage of this: they use phishing emails or SMS to gain access to other people’s accounts – and thus steal the money.

Nine out of ten Internet users in Germany now do their banking online, according to a survey commissioned by the digital association Bitkom. But the quick and convenient way of carrying out financial transactions and managing accounts from home or on the go also has its pitfalls.

Phishing: Fraud via email or SMS

Although banks’ security procedures have become ever more secure over the years (two-factor authentication, special TAN apps, security algorithms), increasingly well-organized perpetrators are managing to gain access to bank accounts using sophisticated fraud schemes. The most common form of this fraud is so-called phishing – a term derived from the English word “fishing”. A scammer drops a bait – often in the form of an email or text message purporting to be from a bank – and waits for a victim to “bite.”

Fraudsters steal your account number and password

“The perpetrators’ focus is primarily on banks that citizens use for their checking accounts. Volksbanks, Sparkassen, Postbank, Commerzbank. The perpetrators specialize in this. With a phishing site you potentially have many, many victims,” says Henning Dibbern from the Cybercrime Investigations Department of the Kiel Police Department.

For years, the chief detective has been working on gaps in online banking systems that criminals use to obtain sensitive data such as account numbers, passwords or even TANs (transaction numbers).

Phishing is the most common form of fraud in online banking

“The number of phishing attacks in online banking in Germany is higher than ever before,” says Henning Dibbern.

It usually goes like this:

A scammer sends an email or a text message. The sender: supposedly a bank that asks the customer to log in using their own access data via an attached link. The reason is often security updates, unauthorized account access or technical problems. The message: “If you don’t act quickly, you’ll have problems!” The emails and websites often look deceptively real, so they suggest: This message comes from your bank and is trustworthy. However, the link leads to a fake website where the perpetrators can “read” the data entered. They use this to steal the user name and password for online banking. What the perpetrators are now missing is the TAN, i.e. the individual transaction number, which is only made available to the account holder via a separate procedure. To get this, they may create another input portal or call the victims personally. If the perpetrators have all the necessary information, they can make a transfer in the victim’s name and, in the worst case, empty the account.

Fraudsters primarily use real-time transfers

These frauds are facilitated by so-called real-time transfers – i.e. transactions in which the money leaves your own account and reaches the recipient’s account within seconds. “Then it’s gone. You have no chance of stopping it,” explains Christoph Wolf, security expert at GLS Bank. Unless an internal bank algorithm notices an irregularity and prevents the transfer. According to Wolf, this artificial intelligence can notice that, for example, more real-time transfers are being made than usual or transfers are being made to unusual countries.

Recognize phishing warning signs

It’s not just artificial intelligence that can intervene. Customers can also recognize the often very well-made scams, because there are clear warning signs:

The email or the SMS: Banks never ask customers to take security-related actions via their private email inbox. Communication takes place exclusively via the mailbox in the online banking app – or by post.

The time and the message: Fraudsters often contact you in the evening or on weekends, when the bank can no longer be reached. In addition, pressure is built up so that the customer acts quickly and without thinking.

The link: Customers should look very carefully at the URL they click on and compare it with the actual bank’s Internet address. Often scam links are cryptic or do not have a .de, but a .com, .net or .org address.

The website: Even if it seems authentic at first glance, many of the links there often lead nowhere, or the imprint is incorrect or incomplete.

The call and the TAN: Bank employees never ask their customers to pass on a TAN. The TAN is only requested directly in the banking app and always refers to an action previously entered by the customer, for example a transfer.

Behavior after a phishing incident

Once the fraud is noticed, customers should do the following:

Immediately call your own bank’s emergency hotline and report the fraud. With a bit of luck, the transfer can still be stopped, but if not, the bank can contact the recipient bank and ask them for a return transfer or to block the account.

Note the recipient’s account data. At least the IBAN must be real and gives the investigators the opportunity to take action against the fraudster.

Immediately file a report with the police and pass on the recipient’s account details. Only through a report will an official procedure be initiated, which authorizes the banks to stop transfers or block accounts.

Immediately contact the recipient bank and inform it that an account registered there was used for fraud. Banks are service providers and are only allowed to withhold transfers for a longer period of time if there is proven suspicion of criminal offenses. Even if the money was automatically frozen by an algorithm, it could be released again if no injured party comes forward.

Basically, the most effective weapon in the fight against cybercriminals and online phishing is the customer themselves: careful handling of confidential data, a critical examination of every email or SMS and a healthy skepticism when passing on information on the Internet are important. Because: It is often the case that customers are not even aware that they have clicked somewhere, says Henning Dibbern. “Experience shows that in nine out of ten cases the error was the customer’s.”

