personal data. In the wake of a court decision that forced one bank to compensate a client harmed in such an attack, the issue is drawing increased attention.
In most cases phishing takes the form of a fake email masquerading as an official communication from a client’s bank. In this email the fraudster politely asks for verification of the client’s personal data. Phishing can occur via mobile applications or malware installed on a client’s personal computer, which can alter or damage the user’s data or send it to other people, according to warnings issued by Slovenská Sporiteľňa (SLSP).
“Recently, VÚB faced another wave of phishing attempts,” VÚB Bank spokesperson Alena Walterová told the Trend weekly. “Fortunately, our clients are sufficiently information literate to distinguish fake emails.”
Several clients contacted the VÚB call centre after receiving emails asking for online banking details in the name of VÚB in late October, Walterová said. The emails contained a link to a fraudulent VÚB inquiry where clients were directed to fill in their personal data, including their name, account number, date of birth, account name and password.
Criminals also need notification via SMS or GRID card numbers, a security tool containing an authentication code generated by means of an electronic personal key. Therefore, the fake email also asked clients for their phone number and email address.
It is impossible to determine the exact number of attacks since criminals send numerous fake emails to bank clients and banks are only alerted if clients report them, Walterová said, adding that such attacks are increasing in frequency.
SLSP also noticed an increasing number of attacks; moreover, some of them were not focused on the bank's clients but the bank itself, Štefan Frimmer, a spokesperson for SLSP, told The Slovak Spectator.
The police cannot confirm that phishing attacks are on the rise since they do not keep such statistics, police spokesperson Michal Slivka told The Slovak Spectator. Internet-based banks such as Zuno and mBank say they have not noticed any fraud attempts this year.
Fraudsters usually lure authorisation data from clients’ cards and data to gain access to their internet banking. They send fabricated payment orders which need to be paid, Frimmer said.
People should not respond to these e-mails, Mária Kecsoová, a spokesperson for Zuno bank, told The Slovak Spectator. Do not send personal data related to bank accounts, she emphasized.
“The Internet is a place where people should not neglect the basic principles of safety, especially when handling their own money,” mBank spokesperson Matej Kubinec told The Slovak Spectator. “The basic principle is to care about the security of computers, meaning the use of legal and regularly updated software together with updated anti-virus software.”
Who is responsible?
In one high-profile fraud case involving VÚB Bank in 2010, a bank client unwittingly gave his internet banking security codes to fraudsters who used a computer virus that redirected the client to a fake version of the bank’s website. The bank refused to return the money to its client, arguing his computer was not secured sufficiently and that the bank’s internet banking site contains a warning about working securely with the service, the TASR newswire reported.
A court later ordered the bank to return the missing money, including interest, based on the law on payment services and the regional court in Trenčín upheld the ruling. VÚB was ordered to compensate the client, who had lost €3,000 in the phishing attack. VÚB paid the sum.
“An ordinary client with common knowledge about working with a computer may not have enough expertise to distinguish whether or not he or she is working with a fictitious internet banking webpage created by a virus, or to know in detail the working procedures of the bank,” Judge Emília Zimová wrote in the regional court’s ruling, Trend reported on October 31.
“We, however, don’t agree with the ruling and the argumentation for the decision and we consider it wrong,” Walterová of VÚB said.
The bank maintains that the client behaved negligently with his internet banking authorisation data and does not believe that the client fulfilled his legal duty to perform all that was necessary to secure protection of personalised security data, TASR reported.
Walterová said the court’s ruling contradicts reality because the client did not secure the configuration of his computer, which the bank believes would have prevented the infiltration of the malicious code, adding that it is not the bank’s obligation to ensure that clients have properly secured their computers and that they do not give their personalised authorisation data to unknown persons.