Fake Banking App Updates Targeting Android and iPhone Users


It seems like a revolving door at this point, but once again we’re hearing about phishing attacks intended to fool smartphone users (Android and iOS) into installing what looks like an update to their banking app.

You might be wondering how exactly this is possible, given all of the protections that Apple has in place, including each app having to be approved to be in the App Store. What is actually happening is that a progressive web app, or PWA, is being installed, which does not need any vetting from the App Store. PWAs are essentially websites that look and act precisely like apps. In fact, PWAs were the only way to use apps on the iPhone way back in 2007 when it first launched. Apple later realized that native iPhone apps would deliver a far better experience, and the App Store launched a year later in 2008. But PWAs are still available on every platform, even desktop operating systems.

Cybersecurity company ESET discovered that PWAs were being used to target both Android and iPhone users, using a variety of methods, including texts, ads on social media and voice calls. Once the user logs into the fake app, it captures their login details and sends them to the hacker, who is then able to log in to the user’s bank account.

The firm warns that iPhone users are at higher risk, since many assume their devices are safe from malware. An animated pop-up instructs them to add the PWA to their home screen, and it looks identical to iOS prompts, making it tough to tell whether it is real or not. It appears that this is mostly targeting Czech and Hungarian users.

How to protect yourself from phishing attempts

First, it’s important to explain the difference between phishing and spam. Spam is the lesser of the two: technically, it is someone sending you anything you don’t want. Phishing, on the other hand, is an attempt to gain information from the user, and it can be far more dangerous.

So how can you protect yourself? Well, first of all, your bank won’t contact you via text, email, or voice call to update your app. There’s also a good amount of info that they will never ask for, like your social security number, password and PIN. Additionally, if you do download something and it looks strange, inspect the URL. A lot of times, hackers will register a URL that is very similar to the bank’s URL. For instance, bankofamerica.com could be changed to bankfamerica.com, in the hope that no one would notice. And at first look, you’d probably miss it.
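The URL inspection described above can be automated. The following is an added example, not code from ESET or from this article: it compares a link's host against an allowlist and flags near-misses such as the dropped letter in bankfamerica.com. The allowlist, the function names, the distance threshold of 2 and the sample hosts under `.example` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: an allowlist the defender maintains. The single entry is the
# domain the article uses as its example.
KNOWN_DOMAINS = ("bankofamerica.com",)


def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap neighbours) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url, known=KNOWN_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain); verdict is trusted/lookalike/unknown."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for domain in known:
        # Exact domain or a true subdomain; the dot rejects "evil" + domain.
        if host == domain or host.endswith("." + domain):
            return "trusted", domain
    for domain in known:
        n = domain.count(".") + 1
        tail = ".".join(labels[-n:])  # same number of labels as the real domain
        if 0 < edit_distance(tail, domain) <= max_distance:
            return "lookalike", domain  # e.g. one dropped or swapped letter
        brand = domain.split(".")[0]
        if any(brand in label for label in labels):
            return "lookalike", domain  # real name reused inside another host
    return "unknown", None
```

An "unknown" verdict only means the host resembles nothing on the allowlist; it is not a statement that the site is safe.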

Finally, if you are accessing your bank account through a browser like Safari or Chrome, the bank will never ask you to update the “app”, because the “app” was updated when you loaded the page. The most banks will do is tell you that your version of your web browser is set to be unsupported at some point in the future.

Of course, any real update to any banking app will be available in the App Store and/or Google Play Store.

2024-08-28 15:10:36