Logo Banca Ifis
Menu

Protect your online security

In an ever-evolving digital environment, it is becoming increasingly important to learn how to protect our personal data from cyber attacks. The main threats we can run into when using web services or applications include: 

  • Malware: programs used to compromise a computer system; 
  • Phishing, smishing and vishing attacks: situations in which an attacker pretends to be a trusted sender in order to obtain your personal information, such as your login credentials or financial data (e.g. your credit card number).

We want to give you a few simple tips to help you protect your banking data on the web.   

 

Smishing

Smishing is a type of scam that uses text messages and messaging systems (SMS or social media chats). It aims to deceive the victim into providing personal information (e.g. access codes), by means of an apparently innocuous message, often traceable to an entity or interlocutor deemed trustworthy.

Here are some tips on how to protect yourself:

  • Do not open links in SMS messages from unknown numbers.
  • Check the sender of the message via search engines. If you receive a message that appears to come from a trusted source (such as a bank), contact the institution directly via the official phone number.
  • Do not send your personal data by SMS (tax code, ATM PIN, card security code).

Vishing

Also known as “voice phishing”, it is a form of fraud that aims to obtain sensitive information from users through telephone calls. The fraudsters make calls posing as apparently trustworthy financial operators in order to gain the victim’s trust and extort sensitive data from them.

Here are some tips on how to protect yourself:

  • Verify the identity of the sender: make sure you talk to a trustworthy person, asking for their name or information about the company they work for.
  • Always keep track of your transactions: always monitor your spending, it will be easier to detect unauthorised access or unusual transactions.
  • Do not provide personal information: never share sensitive data such as account numbers, PINs, passwords or personal information during an unsolicited call.

Malware

A malware is malicious software whose purpose is to gain access to a device through different techniques (malicious websites, phishing emails, infected files) in order to retrieve a user’s personal credentials so that they can then be resold or make payments against the victim. Malware is difficult to identify, only through good prevention and a trained eye can it be recognised.

Here are some tips on how to protect yourself:

  • Always make backups, keep confidential data and images up-to-date on hard disks or other devices that are not connected to the internet.
  • Apply the Zero Trust model, an approach that relies on the presence of several security steps so that a mini-perimeter can be created to make the ingress of malware more difficult.
  • Always keep abreast of developments, many malware attacks stem from unverified software downloads, these actions can be avoided through awareness-raising courses.

SIM Swapping

It is a service, designed for legitimate purposes, that allows you to transfer your telephone number to a new SIM card. However, it can be used illegally to extort personal information from users.

Here are some tips on how to protect yourself:

  • Configure your social accounts so that your mobile phone number and other sensitive information is not publicly visible.
  • Set a security PIN on your SIM.

Spoofing

Spoofing is a technique used to falsify one’s identity. The fraudster tampers with data and protocols by pretending to be another person in order to appear as the sender of an apparently harmless SMS or email.

Here are some tips on how to protect yourself:

  • Protect your devices, use security systems, such as spam filters, to protect your personal accounts.
  • Examine what you receive, pay attention to messages sent to you, checking the sender and suspicious links.
  • Do not share your data on the internet.

Money Muling

Money Muling is an illegal activity where victims are tricked into transferring and thus laundering money that typically comes from illegal activities. Fraudsters often pretend to offer employment via e-mail, social media or online advertisements. In this way, the victim is often unaware that he or she is committing a crime by transferring third-party money.

Here are some tips on how to protect yourself:

  • Be wary of offers of easy money; scams often hide behind overly tempting proposals.
  • Do not transfer money on behalf of others.
  • Avoid following up on suspicious job offers, always do research on the company or person offering you a job.

Ransomware

Ransomware are malicious computer programmes that have become a real problem for society over the years. The hackers who programme them can encrypt data, block access to files on the victim’s computer, and then demand a ransom to unlock them. Every day, new variants of ransomware are perfected and spread, putting the information security of companies and private individuals at risk.

Here are some tips on how to protect yourself:

  • Make regular backups of your files, copy your files to the cloud or external media and store them safely.
  • Update your software, keep your operating system, software and security applications up-to-date, to correct any vulnerabilities.
  • Antivirus and antimalware, use a good antivirus and antimalware software, updating it frequently. Protect yourself in real time against threats.
  • Control access permissions, limit access permissions to files and folders, especially for users who do not need full access.

Cryptojacking

Cryptojacking is a cyber-attack in which a hacker exploits the capabilities of a computer, server or device without a user’s consent to generate cryptocurrency (so-called mining).In practice, the criminal installs a programme that uses system resources to perform these operations illicitly and without the knowledge of the computer owner.

Here are some tips on how to protect yourself:

  • Disable Javascript (if possible) in your browser or use modes that limit it to reduce the risk of attack by malicious scripts.
  • Monitor system resources, if you notice that your computer suddenly slows down, it could be an attack. Use resource-monitoring tools.
  • Check your browser permissions, some cryptojacking attacks can be performed via compromised pop-ups or banner ads. Disable auto-play or permissions for suspicious content.

DDoS attack

It is an attack in which devices are used to overload a server, network or application making them inaccessible to users. In practice, the attacker creates a “river” of malicious traffic that overwhelms the target system, preventing it from functioning properly or its services from being available.

Here are some tips on how to protect yourself:

  • Use an advanced firewall, set up a network firewall that can detect and block suspicious traffic. Some firewalls are designed to identify traffic patterns typical of DDoS attacks and are thus able to stop them before they reach the server.
  • Monitor traffic, maintain a constant surveillance system of network traffic.
  • Enable app protections, make sure software and apps are up-to-date and configured correctly to best handle possible attacks.

AI attacks

These attacks leverage artificial intelligence models to create malicious, deceptive, or persuasive content with the goal of manipulating a user. Generative AI, such as that used to create text, images, can be used for different types of attacks such as: Advanced phishing, Deepfake, or automatic malware generation.

Here are some tips on how to protect yourself:

  • Verify the authenticity of the content, in case of suspicious videos or images, use verification tools such as software and platforms that allow you to analyse potentially malicious content to detect manipulations.
  • Multi-Factor Authentication (MFA) enables multi-factor authentication across all your online accounts, reducing the risk of AI attacks.
  • Check sources, use fact-checking tools such as Snopes or PolitiFact, to actually confirm the reliability of the information you are viewing

Typosquatting

It is a form of cyber-attack that exploits common typing errors in web domain names. Malicious persons register domains that resemble legitimate ones, but with minor modifications, such as the inversion of letters. They attempt to get users to misleading websites with the intention of stealing sensitive information or to trick them into falling for phishing.

Here are some tips on how to protect yourself:

  • Always check the web address, before entering sensitive data, make sure it is exactly that of the official site. Watch out for typos and minor variations in the domain.
  • Use browser autocomplete, browsers offer some suggestions during the search process, through this feature the possibility of making typing errors is reduced.
  • Check the “https” protocol, make sure that the website you are using has the secure protocol (represented by the final S), not simply http, and that the SSL certificate is correctly configured. This helps protect security and identify the site you are viewing.

Manage your passwords carefully

Creating a password is a very common task in the computing world. Here are some tips on how to increase password security: 

  • Complexity: it is important not to be predictable, so avoid using your name or surname, date of birth, or names of people that are closely related to you, especially if they use social media.  
  • Compound characters: for your password, you should use more than 8 characters, including letters (upper and lower case), and numbers. A password will be stronger if random characters are used.  
  • Diversification: use a different password for each website. In fact, the risk of an attacker finding out your login credentials and gaining access to all your profiles will significantly increase if you use a single password for all your activities. Additionally, make sure you change your passwords frequently. 

Safely stored: make sure you keep your passwords in a safe place and away from prying eyes.

Sito sicuro

Recognise secure websites

Check whether these elements are in website URLs to make sure that communication is secure: 

  • Use of the HTTPS protocol: if a website URL has ‘https://’ in the address line, this certifies that you are browsing a secure website. The presence of the letter ‘S’ (for ‘secure’) indicates that communication between the devices is encrypted and, consequently, protected from prying eyes.  
  • The SSL certificate: another element to take into consideration when checking if communication is secure is whether an SSL certificate is present on the website you are browsing. By clicking on the lock icon in the address bar, you can check for yourself whether the website has an SSL certificate and view certificate information. 
  • Check the URL: check the website’s web address and make sure it doesn’t have any spelling mistakes and any unusual characters (e.g. ‘. xyz’). Any errors might be a hint that the website is not secure or that it is a fake website.
sicurezza email

Check sender and content of emails

E-mails or text messages are the main ways in which hackers can illegally obtain your login credentials and sensitive information. We sometimes receive e-mails from seemingly trustworthy senders in which they ask us to click on a link and enter our data so that we can access a service or log into the reserved area of our home banking service. You should always check the sender e-mail address and remember to never click on unknown links. Never enter your login credentials on websites you do not know. In order to recognise potential cyber attacks, make sure you check the following carefully: 

  • If there are spelling mistakes, translation errors or incorrect formatting in the message, this is a red flag and is best not to bother reading such communications. 
  • If you don’t know the sender or if the message contains very long words or unusual characters, it is best to be wary.  
  • Even if the sender is Banca Ifis, please carefully read the content of the message and what you are being asked to do.

Keep your data secure, also in your everyday activities

The following is a list of good practices to bear in mind in your everyday life to mitigate the risk of cyber attacks: 

  • Try to avoid connecting to public Wi-Fi or unprotected networks without authentication: these networks are not very secure, so there is a greater risk that they will be intercepted by a malicious attacker. 
  • Set up your home Wi-Fi network with a complex password: you should always replace the default password with a new one, as this will make it more difficult for unauthorised users to access your Wi-Fi. 
  • Never leave your devices unattended and avoid leaving your passwords in plain sight. 

Do not write down your PC password anywhere where it can easily be found by others. 

 

Bear in mind that: under no circumstances will Banca Ifis contact you to make transactions on your current account, nor will it request authorisation to access it. It will also never ask you to provide your login password or PIN code via e-mail, text message or phone.

These tips can help you make these online scams less effective, so you should always keep them in mind in order to spot them and be better prepared to avoid them in the future. 

Do you know what social engineering is?

Social engineering is a cyber attack technique based on the study of people’s behaviour with the aim of encouraging the victim to perform risky actions. It is based on human psychology and takes advantage of the emotions and impulses of victims to obtain confidential data (passwords, account information, financial information), extort money or even steal the identity of the person targeted.

Below are some common social engineering practices and some tips on how to avoid them:

Wangiri

The wangiri is also called the telephone ring scam: a person receives a ring on their mobile phone, coming from a foreign number; if they call this number back, to find out who the call is from, an answering machine is activated or nothing is heard on the other end of the call.

However, the call causes a charge against the mobile phone credit, because the international number called is actually a specially charged number, which can cost up to several dozen euros per minute.

There are even more dangerous variants of wangiri that activate subscription services without the knowledge of the defrauded person. In this case, it is only later that the event becomes clear and it is very difficult to find out who the culprit is.

A good method to protect against wangiri is to avoid calling unknown numbers from which you receive calls.

WhatsApp scam

In the WhatsApp scam, the scammer contacts the victim with a message on WhatsApp, pretending to be a relative who has lost his mobile phone and needs money because he is in difficulty. The unfortunate person, believing he is talking to a loved one, sends the money as requested and, of course, loses it.

Here are some tips to combat WhatsApp scams:

  • Check the identity of the sender by means of a call or a separate message;
  • Do not reply to the message; delete the conversation and delete the number from contacts;
  • If you open the message, do not click on any links present.

Fraudulent inducement to pay

The victim voluntarily authorises the transfer of funds, often via online banking or telephone, because it is requested by someone he or she trusts. In actual fact, it is a fraudster who gets the money.

For instance, a fake bank employee may request a payment from a customer, pretending that this is necessary to solve a problem on his account.

Here are some tips to combat this type of scam:

  • Check the requests you receive, keep track of every payment you make, and always watch out for unexpected requests or requests from strangers;
  • Keep your antivirus software up-to-date, working with state-of-the-art computer systems ensures greater security.

Romantic scam

In the romantic scam, the scammer pretends to be a person seeking friendship or relationships and contacts lonely people, mainly via social networks. They start a “digital friendship”, becoming attached to the person who is scamming them. Finally, the impostor will ask them for sums of money using fanciful motives.

Here are some tips on how not to fall for this type of scam:

  • Check a search engine for the name and profile pictures of the person requesting friendship, verifying that there are no reports from other users already;
  • Do not trust those anyone who asks for money insistently;
  • Report what is happening, do not give money to potential strangers.

Investment scam

The scam may begin with contact via social networks by someone claiming to be a financial intermediary, offering membership of an online trading platform and promising major investments and profits. The fraudster will then ask the victim for a small amount of money to invest, which will initially appear to lead to a profit. The requests for money will continue and increasingly larger amounts will be demanded from time to time, suggesting the prospect of “easy money”.

Once the money has been invested, you will never hear from the fake financial intermediary again, thus losing everything you have earned and invested.

Here is how to protect yourself from this type of scam:

  • Be wary of what appears to be “easy money” and unverified lending institutions;
  • Make sure that the financial intermediary offering online trading is authorised by visiting the websites of Consob and the Bank of Italy;
  • Check internet search engines for any reviews or comments on the trading company or website that contacted you.
  • Check for grammatical and/or spelling errors present in the SMS content.