There has been merry hell playing out in the financial community of late in the form of the EU’s PSD2 requirement “Strong Customer Authentication” or SCA.
The deadline for the requirement was 14th September, and many firms sent out emails to let customers know of certain changes. As usual, scammers took advantage in the lead-up to SCA by using it as the basis for a phishing campaign. If scammers do anything well, it is taking advantage of any mass mail-out that warns consumers of a technical or legislative change. The GDPR, for example, resulted in a rush of scam emails.
What is the SCA?
Strong Customer Authentication (SCA) is part of a wider set of legislative changes in the financial sector. Anyone who processes a payment has to abide by these new rules. The SCA, in a nutshell, requires that during the checkout process, extra authentication checks are made. So, for example, when you buy that new pair of trainers you will be asked to enter an additional credential like a passphrase, SMS code, etc.
Phishing Emails That Are Taking Advantage of the SCA Emails
As part of the SCA mandate, lots of emails are going out to customers warning them of the change. According to the consumer group Which?, customers of Santander, HSBC and Royal Bank of Scotland are receiving emails that pretend to be from their bank and use SCA as the subject.
The email scam centres around updating your bank account details because of the new SCA ruling. The sting is that if you don’t update you may lose access to your bank account. You can imagine a concerned person may easily fall for this. The scam plays on the worry of being unable to access funds.
The scam emails all follow the typical phishing format: a link to a malicious website. Click on the link and you may be infected with malware, and any personal details you enter will be stolen.
Good Practices and SCA Emails
Below is an image of an actual email that is introducing the SCA changes.
This is NOT a spoof; it is real. Importantly, this email has several clues to its legitimacy:
- The salutation uses the recipient’s actual name (blacked out in this image for privacy reasons).
- The email was from a real Dropbox domain (as shown in the from field).
- There was no urgency or warning of loss of service unless you click on a link.
- There were two links in the email to legitimate pages – hovering over the links showed they were Dropbox domains – ideally Dropbox should have removed all links in this email, but at least they were optional links.
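The four clues above (personal salutation, sender domain, no urgency, links that really go where they say) can be turned into an automated triage check. The script below is an added example and is not code from the original post or from any of the companies mentioned; the two messages it inspects are constructed for illustration (the domain names in the scam sample are made up), and the trusted-domain list, urgency word list and salutation pattern are assumptions you would tune for your own organisation. It runs the same checks a careful reader does by hand: is the sender domain one we know, is the greeting generic, does the body threaten loss of service, and does the visible link text match the real link target.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of domains we expect SCA notices from (tune for your org).
TRUSTED_DOMAINS = {"dropbox.com", "santander.co.uk"}

# Assumed phrases that signal the "update now or lose access" pressure tactic.
URGENCY_TERMS = ("urgent", "immediately", "suspended", "lose access", "will be closed")

TAG_RE = re.compile(r"<[^>]+>")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Matches anchor text that *looks like* a domain or URL, e.g. "www.bank.example".
DOMAIN_TEXT_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
GENERIC_SALUTATION_RE = re.compile(
    r"\b(dear|hi|hello)\s+(customer|user|client|member|valued)\b", re.IGNORECASE)

# Constructed sample: mirrors the legitimate notice described in the post.
LEGIT_RAW = """From: Dropbox <no-reply@dropbox.com>
To: Jane Example <jane@example.org>
Subject: Changes to how you pay for Dropbox
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Jane,</p>
<p>From 14 September, new Strong Customer Authentication rules apply to card payments.</p>
<p>Read more at <a href="https://help.dropbox.com/payments">help.dropbox.com</a>.</p>
</body></html>
"""

# Constructed sample: a scam of the kind the post describes (all domains invented).
SCAM_RAW = """From: Santander <security@santander-secure-update.example>
To: Customer <jane@example.org>
Subject: Action required before 14 September
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Due to the new SCA ruling you must update your details immediately or your account will be suspended.</p>
<p>Click <a href="http://login-santander.example/verify">www.santander.co.uk</a> to update now.</p>
</body></html>
"""


def _strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def _is_trusted(host, trusted):
    host = _strip_www(host)
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess_email(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings; an empty list means no red flags found."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # Clue 2: the From address should belong to a domain we actually know.
    _, addr = parseaddr(msg["From"] or "")
    sender_host = addr.rpartition("@")[2]
    if not _is_trusted(sender_host, trusted_domains):
        warnings.append(f"sender domain {sender_host!r} is not a known domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = TAG_RE.sub(" ", html).lower()

    # Clue 1: a real notice addresses you by name, not "Dear Customer".
    if GENERIC_SALUTATION_RE.search(text):
        warnings.append("generic salutation instead of recipient's name")

    # Clue 3: legitimate notices do not threaten loss of service.
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        warnings.append("urgency / loss-of-service language: " + ", ".join(hits))

    # Clue 4: hover check, automated: where does each link really go?
    for href, anchor in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        if not _is_trusted(href_host, trusted_domains):
            warnings.append(f"link points to untrusted host {href_host!r}")
        shown = DOMAIN_TEXT_RE.match(TAG_RE.sub("", anchor).strip())
        if shown and shown.group(1).lower() != _strip_www(href_host):
            warnings.append(f"link text shows {shown.group(1)!r} but target is {href_host!r}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("legitimate sample", LEGIT_RAW), ("scam sample", SCAM_RAW)):
        print(label, "->", assess_email(raw) or ["no red flags"])
```

The legitimate sample produces no warnings; the scam sample trips all four checks (unknown sender domain, generic greeting, urgency wording, and a link whose visible text names the real bank while its target is elsewhere). None of these checks is proof on its own, which is why the post's advice still stands: go to the website directly rather than through the email.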
If you receive an email about the changes around Strong Customer Authentication, be extra careful about clicking on links or downloading attachments. Always navigate directly to any website and enter your account details once you are certain it is the real site.
Why not help your colleagues stay safe and send them this little reminder? Feel free to edit or copy/paste the advice below:
The Strong Customer Authentication (SCA) Scam
New EU regulation brought in on the 14th of September is seeing a rush of copycat scam emails. The emails are often spoofed bank communications which threaten to close a bank account unless it is updated.
DO NOT CLICK ANY LINKS IN THESE EMAILS
For more information on what to do if you receive a phishing email check out “What to Do if You Click on a Phishing Link?”
Don’t forget to share this with your colleagues and friends and help them stay safe.