How Hackers Can Break Into Your Bank Account

Vawter Financial

By Simon Batt. Updated May 25, 2021.

1. Mobile Banking Trojans

These days, you can manage all of your finances from your smartphone. Usually, a bank will supply an official app from which you can log in and check your account. While convenient, this has become a key attack vector for malware authors.

 

Tricking Users with Fake Banking Apps

The simpler means of attack is spoofing an existing banking app. A malware author creates a perfect replica of a bank's app and uploads it to third-party websites. Once you've downloaded the app, you enter your username and password into it, and they are then sent to the hacker.

 

Replacing a Real Banking App with a Fake One

The sneakier version is the mobile banking Trojan. These aren't disguised as a bank's official app; they're usually a completely unrelated app with a Trojan installed within. When you install this app, the Trojan begins to scan your phone for banking apps.

When it detects the user launching a banking app, the malware quickly puts up a window that looks identical to the app you just booted up. If this is done smoothly enough, the user won't notice the swap and will enter their details into the fake login page. These details are then uploaded to the malware author.

Typically, these Trojans also need an SMS verification code to access your account. To get it, they'll often ask for SMS reading privileges during the install, so they can steal the codes as they come in.

 

How to Defend Yourself from Mobile Banking Trojans

When downloading an app from the app store, keep an eye on the number of downloads it has. If it has a very low number of downloads and little to no reviews, it's too early to call whether it has malware or not.

This goes double if you see an "official app" for a very popular bank with a small download count—it's likely an imposter! Official apps should have a lot of downloads, given how popular the bank is.

Likewise, be careful with what permissions you give apps. If a mobile game asks you for permissions with no explanation as to why it wants them, stay safe and don't allow the app to install. Even "innocent" services like Android Accessibility Services can be used for evil in the wrong hands.
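For readers who vet apps before allowing them onto managed phones, the permission advice above can be checked mechanically. The following is an added example, not part of the original article: it assumes the app's AndroidManifest.xml has already been decoded to text, treats the "draw over other apps" permission as the one behind the fake login window (an assumption of this example), and uses hypothetical function names and constructed sample manifests.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Android permissions behind the behaviours described above (mapping is this example's assumption).
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"  # draw a window over other apps
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(manifest_xml):
    """Return sorted risk flags for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID + "name") for el in root.iter()
                 if el.tag in ("uses-permission", "uses-permission-sdk-23")}
    flags = set()
    if requested & SMS:
        flags.add("sms-read")
    if OVERLAY in requested:
        flags.add("overlay")
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID + "permission") == ACCESSIBILITY for s in root.iter("service")):
        flags.add("accessibility-service")
    return sorted(flags)

def verdict(flags):
    """'high' when SMS reading is combined with a way to cover or drive other apps."""
    if "sms-read" in flags and {"overlay", "accessibility-service"} & set(flags):
        return "high"
    return "review" if flags else "ok"

# Constructed sample manifests (not taken from any real app).
FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
NOTES = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("flashlight", FLASHLIGHT), ("notes", NOTES)):
        flags = audit_manifest(xml)
        print(name, verdict(flags), flags)
```

A "high" verdict is a prompt for manual review, not proof of malware: legitimate SMS and accessibility apps request the same permissions for good reasons.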

 

2. Phishing

As the public becomes savvy toward phishing tactics, hackers have escalated their efforts to trick people into clicking their links. One of their nastiest tricks is hacking the email accounts of solicitors and sending phishing emails from a previously trusted address.

What makes this hack so devastating is how hard it would be to spot the scam. The email address would be legitimate, and the hacker could even talk to you on a first-name basis. This is exactly how an unfortunate home buyer lost £67,000, despite replying to an email address that was previously legitimate.

 

How to Defend Yourself from Phishing

Obviously, if an email address looks suspicious, treat its contents with a healthy dose of skepticism. If the address looks legitimate but something seems strange, see if you can validate the email with the person sending it. Preferably not over email, though, in case the hackers have compromised the account!

Hackers can also use phishing, among other methods, to steal your identity on social media.

 

3. Keyloggers

This method of attack is one of the quieter ways a hacker can gain access to your bank account. Keyloggers are a type of malware that records what you're typing and sends the information back to the hacker.

That might sound innocuous at first. But imagine what would happen if you typed in your bank's web address, followed by your username and password. The hacker would have all the information they need to break into your account!

 

How to Defend Yourself from Keyloggers

Install a stellar antivirus and make sure it checks your system every so often. A good antivirus will sniff out a keylogger and erase it before it can do damage.

If your bank supports two-factor authentication, be sure to enable this. This makes a keylogger far less effective, as the hacker won't be able to replicate the authentication code even if they get your login details.
