Scammers mimic SCA security check in an attempt to steal users’ bank credentials and personal data
- Phishers are imitating the messages meant for SCA and asking users to provide their updated details.
- Each of these scam emails includes links to sites that are meant to capture personal details of users.
Banks, card providers, and retailers across Europe have implemented a new online security check to strengthen their online card payment process. As part of the new check, known as Strong Customer Authentication (SCA), customers have been urged to provide updated contact information. However, this has opened a new avenue for scammers who aim to steal users’ bank account details and other personal information.
How do the scammers operate?
Phishers are imitating the messages meant for SCA and asking users to provide their updated details. To make it convincing, these messages are sent through emails that appear to come from legitimate banks such as Santander, Royal Bank of Scotland (RBS), and HSBC.
Each of these scam emails includes links to sites that are meant to capture personal details of users. These stolen details can later be used by scammers to hack into victims’ bank accounts.
What is SCA?
SCA, or Strong Customer Authentication, is a new European regulatory requirement to reduce fraud in online payments. The security check is required if the payment is over €30. Authentication is based on at least two of the following three criteria:
- Something the customer has, such as a phone or hardware token;
- Something the customer knows, such as a password or PIN;
- Something the customer is, such as a fingerprint, voice pattern or facial recognition.
How to spot a phishing email?
Users can follow these basic steps to check whether an email is spoofed:
- Look for the real sender address. Scammers often use the legitimate brand name in the sender field to make the email look real, so recipients should verify the actual email address before proceeding;
- Hover the mouse over any link in the email to see whether it is fake. If an email seems important but you’re concerned it could be fake, contact the company in question yourself using a trusted method.