ISLAMABAD: A global cybersecurity company has strongly recommended Pakistani online users to avoid opening links of suspicious email messages, as banks and financial institutions never call to obtain login credentials to verify the identity of their clients.
According to a report of the cybersecurity company, Kaspersky has uncovered a sophisticated evolution of phishing techniques used by cybercriminals to bypass two-factor authentication (2FA), a crucial security measure designed to protect online accounts.
The security experts of the company explained that two-factor authentication (2FA) is a security feature that requires users to verify their identity using a second form of authentication, usually a one-time password (OTP) sent via text message, email, or an authentication app. This extra layer of security is intended to protect users’ accounts even if their passwords are compromised. However, scammers have developed ways to trick users into revealing these OTPs, allowing them to bypass 2FA protections.
An OTP bot is a tool used by scammers to intercept OTPs through social engineering techniques. Attackers usually attempt to obtain the victim’s login credentials through phishing or data leaks, then log in to the victim’s account, triggering an OTP to be sent to the victim’s phone. After that, the OTP bot calls the victim, pretending to be a representative from a trusted organization, and uses a pre-scripted dialogue to persuade the victim to share the OTP. Finally, the attacker receives the OTP through the bot and uses it to gain access to the victim’s account.
Scammers often use phishing websites that look like legitimate login pages for banks, email services, or other online accounts. When the victim enters their username and password, the cybercriminals capture this information in real-time.
Kaspersky’s research shows the significant impact of these phishing and OTP bot attacks. From March, 1 to May 31, 2024, the Kaspersky’s products prevented 653,088 attempts at visiting sites generated by the phishing kits targeting the banking sector, the data from which is often used in attacks with OTP bots. During the same period, Kaspersky’s technology detected 4,721 phishing pages generated by the kits that are aimed at bypassing two-factor authentication in real time.
While 2FA is an important security measure, it’s not foolproof. To protect yourself from these sophisticated scams, Kaspersky recommended avoid opening links you receive in suspicious email messages. If you need to sign in to your account with the organization, type in the address manually or use a bookmark.
Do not pronounce or punch in the one-time code while you’re on the phone, no matter how convincing the caller sounds. Real banks and other companies never use this method to verify the identity of their clients, security experts added.
Copyright Business Recorder, 2024