The Prevalence of Banking Scams in Malaysia

Authored By: Arthur Ng, Country Manager, Malaysia, Check Point Software Technologies

According to Check Point Research, banks globally were attacked on average 700 times every week during the past year, a 53% year-on-year increase. From phishing scams and Denial-of-Service attacks to sophisticated attacks by nation-state actors, cyber threats targeting banks are continually on the rise.

In Malaysia, all sorts of banking scams have been surfacing and frequently gracing national news; it is hard not to notice. Most recently, scammers have been exploiting victims by manipulating the trust between family and loved ones to coax them into sending money. Banks in Malaysia are also warning their customers of an Android malware that is actively stealing the online banking credentials of unsuspecting victims. These attacks are usually carried out by compromising the victims' mobile phones through malicious websites or application downloads.

Mobile devices can be attacked at different levels. This includes the potential for malicious apps, network-level attacks, and exploitation of vulnerabilities within the devices and the mobile OS. As mobile devices become increasingly important, they have received additional attention from cybercriminals. As a result, cyber threats against these devices have become more diverse. According to the Check Point Threat Intelligence Report, globally in the last 30 days:

  • 1 out of every 6 organisations suffered from a malicious incident
  • 1 out of every 5 entrances to malicious websites is to a phishing website
  • 1 out of every 3 phishing attacks is over Secure Sockets Layer (SSL)
  • 1 out of every 11 organisations suffered from a man-in-the-middle (MitM) malicious activity while connecting to a Wi-Fi network
  • 438 different malicious applications and 16,359 risky applications were found.

What does that mean for the average Malaysian?
It means that if you are not careful, you can fall victim. The mobile platform is an easy target for attackers. The screen is a small form factor, so people tend not to pick up on fake sites. People also tend to trust the platform, especially when the message sent to them appears to come from a trusted sender. However, banking fraud is very real, and despite the banking industry being highly regulated, it is critical to always double-check and be careful when you are asked to click on any links or downloads.

What are some of the common scam tactics Check Point is seeing around the banking scams in Malaysia?
One of the most common scam tactics Check Point observes is tricking victims into clicking on fake sites that look similar to the legitimate sites. The attackers then use the fake site to trick users into installing an application that will install malware on the victim's phone. Once this is done, they use the malware to steal the victim's data and identity, and use this information to scam the user and steal money from the victim's bank account.

According to the Check Point Threat Intelligence Report, an organisation in Malaysia was attacked 1,286 times per week on average over the last 6 months. 87% of the malicious files in Malaysia were delivered via email in the last 30 days, and the most common vulnerability exploit type in Malaysia is Remote Code Execution, impacting 57% of organisations.

As scams and cyber attacks increase both in terms of numbers and level of sophistication, it is imperative that banks implement a prevention-first security approach, not just to block, but to prevent cyber attacks from unknown malware and other attackers.   

In other countries like Singapore, banks affected by scam attacks have fully refunded affected victims. Are we doing this here in Malaysia and what is your opinion on this?
In the recent OCBC banking scam seen in Singapore, almost 800 customers were affected by an SMS phishing scam, with losses totalling S$13.7 million. Out of goodwill, the affected customers were provided a full refund.
Whilst there is no easy answer on this, industry analysts have put forward suggestions for key players in the banking industry to work with government authorities on industry standards covering whether banks should reimburse their affected customers and the amounts to be paid. This would follow actions taken in the United Kingdom, where standards have already been developed for a reimbursement process assessed on a case-by-case basis.

Whilst we can expect growing and evolving sophisticated scams to continue, we strongly suggest a prevention-first security stance for all banks and banking customers, from ensuring a strong password to vigilance on email and mobile banking notices.

If I am a victim, what are the immediate steps I should take?
Contact your bank and notify them of any malicious transactions. Remove any suspicious application from your phone and look to install security software on your device. Another step that victims can take is to restore their phone to factory defaults.

In an ideal world, what do you think needs to be done to achieve optimum security for the banking industry in Malaysia?
In order to curtail the problem, I believe this must span from legislation. The government, telecommunication providers and banks all have an active role to play in protecting consumers. However, it does take a lot of time, planning and resources for these plans to come to fruition. A long-term plan will require a multi-layered calibrated management. The good news is that the banks and government have already started taking steps in the right direction to help with the situation.

What we have seen is a shift to more in-application activities, such as multi-factor authentication for transactions, rather than relying on third-party messaging systems such as SMS. Doing this moves control back into the banks' hands, and will help prevent similar attacks from happening in future. It is also important to implement security products into the application through an Application Programming Interface (API), where the bank can leverage a third-party security application to help secure users' devices and applications further to optimise security.

What are some tips for mobile phone users to protect themselves from falling victim?
Some tips for consumers to protect themselves from becoming victims are:

  • Practice good cyber hygiene. Do not trust any calls or texts, or click on any links sent to you, unless you are absolutely sure of the source and sender. It is also critical not to give out any passwords, One-Time Passwords (OTP), and personal information for no good reason.
  • Enable two-factor authentication wherever available. This is essentially a 2-step verification process to protect your accounts and personal information.
  • As a precaution, it is good to install mobile security software on your devices to protect you from suspicious websites, malware, prevent data theft and keep you safe while you visit sites, download applications and transact online.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
