Credit card firms warn vs phishing, acct takeover

MANILA, Philippines - The Credit Card Association of the Philippines (CCAP) is warning the public against unscrupulous individuals and emails that inquire about sensitive information regarding the cardholder, otherwise known as phishing.

Wikipedia describes phishing as the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or information technology (IT) administrators are commonly used to lure the unsuspecting public.

Phishing emails may contain links to websites that are infected with malware.

CCAP executive director and spokesperson Alex Ilagan said banks never ask for sensitive information such as complete credit card number through emails, phone calls or text message, unless the cardholder is the one contacting the bank.

Account takeover fraud is most common in financial institutions, but there are reported cases in accounts used to purchase goods and services, or store and access classified data.

“Account takeover fraud is when a fraudster obtains an individual’s personal information. Using this information, the fraudster will pose as the cardholder and make transactions,” Ilagan said.

To obtain sensitive information of the cardholder, the fraudster may call and pretend to be a bank employee and offer you a card upgrade, lifetime annual fee waiver or credit limit increase in exchange for your active card.

Once the unsuspecting cardholder agrees, the fraudsters will send a messenger to pick up the card from the former’s address – then use the card afterwards.

Syndicates may also use spoof websites and email addresses that appear to be from trustworthy sources.

Once a cardholder inputs his details into hoax websites, the sensitive information would then be used.

The fraudster would try to trick the public into providing personal information such as passwords, home/business address, and credit card information.

Commonly spoofed companies include well-known international financial institutions.

Phishing usually have spelling and grammatical errors, sensationalized subjects as well as web links spelled out, and not as a hyperlink.

Phishing emails also routinely contain supposed threats that the cardholder’s account will be cancelled or closed if they do not respond with the confidential information being asked for, and at times have attachments ending in “.exe.”

Spoofed websites, on the other hand, are unsecure website addresses that do not have a lock logo in the browser’s status bar – which indicates whether or not the site’s identity has been verified. At times the bank’s URL is also incorrect or slightly different from the official website.

“Be careful of emails and websites asking for confidential information such as passwords even if it is threatening to disable your account should you not provide certain information. Be sure to call your bank to confirm the authenticity of the request,” Ilagan said.

Cardholders should be aware of the bank’s website privacy policy and never submit confidential information through forms embedded in email messages.

“It would be best to open a new browser window and type the URL directly. Be sure to check the address bar to make sure you are on the right website. For additional security, cardholders may download anti-phishing software from established anti-virus providers to block fake websites,” Ilagan said.

Should any cardholder receive calls or emails regarding the above stated matter, CCAP urges the public to verify first with their banks and check the authenticity of the offer.