• A method of defrauding by targeting customers of financial institutions.
• Occurs when fraudsters impersonate contractors, suppliers, creditors or even senior management to ask a company to change their payment.
• Subsequent legitimate payments are then redirected to the fraudster’s account.

• Attacks occur across financial institutions and are not restricted to any one country or region.
• Fraudsters are well prepared before the attack by engaging in some form of reconnaissance (social engineering) to ensure details and names are correctly targeted.
• E-mail addresses used to request changes on the payee account are identical or very similar to the original suppliers or vendors e-mail which makes it difficult to detect the fraud.
• Fraudsters have been known to hack a creditor’s email account in order to send the beneficiary change request and thus appears to be a legitimate request.
• Traditional mail services are used to send forged letters which appear to be from the creditor.
• Exploits a human behavior/response which cannot be prevented by technology.

Examples:

• E-mails from new or existing vendors who claim that account numbers have changed and request payments now be sent to a new location and account.
• Vendors claiming payments must now be directed to a parent company in a different country.
• Employees receive an email from their CEO/CFO asking them to make payments but it will later turn out that the CEO/CFO's email has been compromised.
• E-mail may come from a domain that looks similar to a legitimate source.

• Vishing is the term used to describe tactics used by fraudsters to “fish” for personal information (such as online banking security credentials) over the phone.
• Fraudsters may contact customers pretending to be from DSBC. They may direct you to perform actions which may enable unauthorised payments to be sent to the criminal. This could include providing security codes generated or your eTAC Code in transactions.

DSBC will never request information over the phone that could be used to make a payment, such as asking you to provide security device codes or requiring you to divulge any of your security details.

• Smishing is a variation of Phishing that uses SMS messages instead of e-mail
• Fraudsters may contact customers using SMS pretending to be from DSBC. They may direct you to perform actions which may enable unauthorized payments to be sent to the criminal.
• This could include providing security codes generated from your token.

DSBC will never request information over the phone that could be used to make a payment, such as asking you to provide security device codes or requiring you to divulge any of your security details.

• Be suspicious of requests to change beneficiary information – question all changes and validate any change request using additional channels (i.e. call back and not reply directly to the email).
• Establish internal control procedures for change requests to beneficiary details.
• If unusual screens pop up and/or the computer’s response is unusually slow, log out from DSBCnet completely and scan the computer with the most updated version of virus protection software. If in doubt, contact your IT team and/or DSBC Customer Service Manager or team.
• Engage staff in fraud awareness and education.

• Never disclose security details over the phone when receiving unsolicited calls (ie username, token information, payment details)
• Whenever you receive an unsolicited call from DSBC, request contact details from the caller and validate the information with your DSBC Customer Service Manager or DSBC Help Desk.
• Do not amend payment information unless you are certain it is legitimate.
• Report attempted fraud to your bank and review email settings (i.e. change password).

• Never press the yellow button on the security device unless you are signing a transaction you have created – DSBC never asks for a yellow button response at logon.
• Use Dual Control - for transactions and entitlements (i.e. a minimum of two individuals are required for all activities).
• Set signature limits.
• Block all logon not coming from an approved list of IP addresses.
• Update software no longer supported by vendors.
• Only access DSBCnet via the website address at the address bar of your browser.
• Never access through hyperlinks embedded in emails and do not rely solely on the look and feel of a website when using DSBCnet.