BML ‘phishing’ website targets mobile banking customers

The Bank of Maldives (BML) yesterday issued a statement warning that fraudsters had created a false BML website to deceive the company’s mobile banking service customers, obtaining their bank account number, credit card number and its security code through the fraudulent website.

The fraudsters were inviting BML customers to their fraudulent website under the domain by sending text messages from 00455, claiming it was a registration website for the BML mobile banking service.

The fraud, known as ‘phishing’, is relatively common in the Western world and many banks instruct their customers to never access their website by clicking a link in an email. Technology analyst group Gartner estimate that 3.6 million adults fell victim to such scams in the 12 months ending August 2007, losing US$3.2 billion in the process.

Since then phishing attacks have become markedly more targeted and refined, with the emergence of ‘spear-phishing’, with individual and high-value targets such as corporate account executives being targeted.

BML warned that if any of its customers filled this registration form displayed in the fraud website, the fraudsters will be able to take advantage of them and misuse the information.

The statement said that the mobile banking was a service provided by BML “with high security and confidentiality.”

However, it is the responsibility of the customers to keep confidential information such as their card number, expiration date, pin number and security code, account number, internet banking user ID and its security and password, said the statement.

The BML said the most common method fraudsters used was to obtain information to misuse credit cards and debit cards after obtaining the data by sending emails from sources trusted by the victim, linked to fraudulent sources.

The fraudulent website is designed to appear just like the legitimate website.

BML warned customers to never use a link to access the bank’s website, and recommended its address be typed directly into the browser.