
Here is the scam that drains postal accounts: how to defend yourself from the latest phishing

by admin

The text message that arrives shows Poste Italiane as the sender. The smartphone files it in the same thread as genuine messages from Poste, such as the confirmation of an appointment received months before.
But this last message is a scam, possibly the most dangerous one in circulation right now. It has been draining thousands of euros from postal current accounts in recent weeks.
We received it too. The hook criminals now use to lure us is very refined: it plays on urgency. In our case: “Dear customer, an expense of 284 euros has been requested, if it is not you, follow the link”. The figure can change.

How the scam works

The link leads to a page that looks like the Poste one. It asks for login credentials and a mobile phone number. In short, the scammers ask us to enter them in order to block the alleged transfer, which in reality never happened. The real transfer is the one they will make, to our detriment and to their advantage, if we fall for the deception. They will call us right away to get the one-time password, which we receive via text message, and with that they will have everything they need to make a bank transfer. In this phone call they will be as alarming as possible, insisting on the urgency of giving them the password immediately in order to block the fake bank transfer. It has happened to many people, as reported by a post office in Taranto. Damages range from 5 to 15 thousand euros, which customers can lose forever.

But does the bank pay back?

“These are frequent cases and there is no clear jurisprudence on reimbursements. Sometimes the bank does it, sometimes it gives 50 percent, sometimes it denies it”, explains Paolo Dal Checco, one of the best-known computer forensic engineers. “Sometimes when in doubt they pay back at first and then take it all back. And the judicial disputes between the user and the bank last a long time”, he adds. In fact, the decisions of the Court of Cassation and the Financial Banking Arbitrator are fluctuating. According to the regulations, the bank can deny the refund only if two conditions are met: it demonstrates that it has implemented the appropriate security measures, and there is malice, fraud or gross negligence on the part of the user. “In the case of phishing, there is gross negligence if the customer is directly involved in providing the temporary password,” explains Dario Fadda, an IT security expert who works for a large bank. SIM swapping, which occurred mostly in the past, is a different case: there the temporary password was in fact intercepted by the criminals.


How to defend yourself

The first line of defense is prevention. In a note, Poste itself states that it never asks, by any means (email, text message, social network chat, call center operators, post office and fraud prevention) and for any purpose, for: “your login credentials for the website www.poste.it and Poste Italiane Apps (username and password, posteid code)”; “your card data (the PIN, the card number with the expiration date and the CVV)”; “the secret codes to authorize the operations (posteid code, the account code, the OTP - One Time Passwords received by sms)”. “You will never be asked to arrange transactions of any kind by raising fears of false security problems on your account or your card, let alone prompting you to go to the Post Office or ATM to carry them out”. “So don’t give them to anyone”, the note concludes.

We should therefore delete emails and text messages that ask us for these things. Criminals can alter the Sender ID to any name. It is a trick against which the Communications Authority began work a few days ago on a “New Alias Register”, which will be ready in the coming months, to block these falsified identifiers. Another useful tip: “type the Internet address www.poste.it directly in the address bar of the web browser to visit the Poste Italiane website”.

And if we have already fallen for the scam, all is not lost. We should dispute the charges through the bank’s official channels and, if necessary, open a dispute. As we have seen, neither the refund nor its refusal by the bank can be taken for granted.
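The two points above (a Sender ID that can be forged, and www.poste.it as the only address to trust) translate into a simple filter check: ignore the sender name and look at the real host of every link in the message. The following is an added example, not part of the original article or of any Poste Italiane tool; the sample messages and `.example` hosts are constructed, and treating `poste.it` as the only official domain is an assumption based on the address the note quotes.

```python
import re
from urllib.parse import urlsplit

# Assumption: poste.it (the address quoted in the note) is the only official domain.
OFFICIAL_DOMAIN = "poste.it"
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>]+", re.IGNORECASE)

def host_is_official(url):
    """True only if the URL's real host is poste.it or one of its subdomains."""
    if not re.match(r"https?://", url, re.IGNORECASE):
        url = "http://" + url            # give bare "www." links a scheme for parsing
    try:
        host = urlsplit(url).hostname    # drops userinfo ("poste.it@...") and port
    except ValueError:
        return False                     # unparseable link: treat as not official
    if not host:
        return False
    host = host.rstrip(".").lower()
    # Match on a label boundary, so "notposte.it" and "poste.it.evil.example" fail.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def suspicious_links(sms_text):
    """Return every link in the message whose host is not under poste.it.
    The sender name is deliberately not an input: it can be set to anything."""
    links = [u.rstrip(".,;:!?)") for u in URL_RE.findall(sms_text)]
    return [u for u in links if not host_is_official(u)]

# Constructed sample messages (not real captures).
SAMPLE_SMS = [
    "Dear customer, an expense of 284 euros has been requested, if it is not "
    "you, follow the link https://poste.it.secure-login.example/blocca",
    "Poste: verify your account at https://www.poste.it@login.example/verify now",
    "Your appointment is confirmed. Details: https://www.poste.it/prenota",
    "Account locked, visit www.notposte.it/sblocca",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(suspicious_links(sms) or "no suspicious link", "<-", sms[:40])
```

A message with no flagged link is not thereby proven genuine; the check only catches links that point somewhere other than the official domain.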
