security in your finances

phishing is a subset of fraud, one of the biggest online threats today, and one that almost everyone is exposed to. As its name suggests, phishing is an attack aimed at obtaining our data. Quite a few attacks can be prevented by technical means, however, without your involvement, technical means are worth very little. We, at K&H, do our best to protect your money and your data, but one of the key components of that protection is YOU.

& why would it be good for the attacker to get my data?

• they can easily get your money, take out a loan or make a purchase on your behalf using your bank card, bank account or authorisation details. With your passwords, they can access your mail, your social media profiles and the applications you use, or even create a fake online persona, post in your name, and, in the worst case, sell your data on darkweb... and that’s just the tip of the iceberg.

& why is phishing so widespread?

• data phishing does not require deep technical knowledge.

& how does phishing work?

• when phishing, hackers use psychological manipulation to get your data. You may receive a tempting, attention-grabbing offer or one that promises high profits, or, to the contrary, an intimidating or threatening message, aimed at getting as much of your data as possible.

& via what channels can they contact me?

• you may receive phishing messages through virtually any online channel or by phone. In Hungary, phishing e-mails are the most common forms; however, phone and SMS phishing attacks are also becoming more usual. There are also phishing attempts via chat applications or even social media sites. Any channel where the attacker does not need to be present in person is suitable for phishing.

one of the most common phishing techniques is for unauthorised persons to try and obtain the bank card details and certain identification data of customers from a phone number that appears to be real, often pretending to be representatives of another bank. It can also happen that they call ‘on behalf’ of another bank and then, once they identify the person as a K&H customer, they ‘transfer’ the call to a K&H ‘staff member’ or immediately redial the customer again, posing as a staff member of K&H.

phone spoofing

caller ID spoofing is a special technique that allows fraudsters to modify the caller ID that is displayed on the phone’s screen (for example, to a K&H phone number), hiding the identity of the real caller. In other words, when you receive such a call, the display will not show the real caller’s phone number, but another number that often looks familiar, such as the bank’s phone number. This increases the credibility of the fraudsters and helps them deceive victims. A familiar phone number may appear less suspicious, making it more likely that they can trick victims into providing the information they want.

how to protect yourself from phone fraudsters

• pick up unexpected phone calls with caution and suspicion
• urgency is unusual and suspicious: think carefully about what the callers are asking from you
• never share your personal or financial information, the bank will not ask for such information over the phone
• do not believe that the phone number displayed is the Bank’s real customer service number, look up the real phone number on the Bank’s official website
• don’t trust everyone: fraudsters can easily get your basic information from social media profiles - don’t believe the caller just because they know some of your personal details
• never install a software that someone asks you to install over the phone, this is often how scammers take control of your device
• do not transfer money when requested by phone, the bank will never request a financial transaction over the phone
• if you become suspicious during a phone call, end the call immediately, call K&H TeleCenter using one of the central contact numbers, and report your suspicion
• similarly to a bank administrator, you can also ask the caller to prove that he or she is a K&H Bank employee

They typically take the form of letters written in incorrect Hungarian, with typing and spelling mistakes, which

• make an offer that’s impossible to refuse (e.g. a top category smartphone for free),
• are attention-grabbing (e.g. you inherited USD 5 million)
• sometimes threaten you with some negative consequences or sanctions (e.g. if you do not log in, your account will be blocked)

The text of the link in the letter is not related to the content of the letter (e.g. the link in the letter sent on behalf of K&H does not point to kh.hu, but to a completely different page).

what to do in order to avoid becoming a victim of phishing

• handle unsolicited e-mails with care and caution
• the more urgent the tone of the letter, the more suspicious it should be
• be especially careful if a ‘banking’ e-mail asks for confidential information, such as your online banking password, as real banks never ask for such information by e-mail
• do not click on links in the e-mail or open attachments
• always check the link! The easiest way to do this is to hover your mouse cursor over the link. DO NOT click on it, just look at the link in the window or in the bottom left corner of your browser.
• look out for oddities, spelling mistakes, an urgent tone or unusual formatting, as such errors can be telltale signs of fake e-mails
• look for differences between the real and fake e-mail addresses, look carefully at the e-mail address because even a small difference can indicate fraud
• phishing e-mails are harder to spot on mobile devices, so simply do not reply to suspicious e-mails
• if you receive a phishing letter written on behalf of K&H, please forward it as explained in the section ‘what to do if you suspect a phishing attempt’, otherwise delete it promptly

due to their nature, these messages typically contain a short, attention-grabbing narrative message and a link (e.g. your package no. 111111111 has been sent). Text messages, like telephone calls, can also come from a phone number that appears to be real. In any case, be suspicious if you receive a text message with content you were not expecting (e.g. if you have not ordered anything and you are still informed about the arrival of a package). To check the link, hold your finger on the link for some time, and you will see the link to which the message actually points. If the text of the link is not related to the content of the message (e.g. the link in the text message is sent on behalf of K&H, and it does not point to kh.hu but to a completely different page), you are almost certainly the target of a phishing attack.

how to protect yourself from fake bank text (SMS) messages

• do not click on unknown SMS links, attachments or images without verifying the identity of the sender
• always look up the number online or check the bank’s website to see if the number matches
• do not let urgent messages influence your decisions
• never reply to SMS messages asking for your PIN code, online banking password or other security IDs
• delete the text message, and if the attack is performed under the name of K&H, please notify us

• K&H Bank will never ask its customers to log in to K&H e-bank by clicking on a link from an e-mail or text (SMS) message.
• We will never ask for confidential information (e.g. customer ID, ePIN, mPIN, password, 3DSecure text (SMS) message confirmation code) or phone number via e-mail or text message.
• The address of the official K&H Group website always starts exactly as follows: https://www.kh.hu
• To ascertain that the e-banking site is genuine, check the green padlock at the beginning of the search bar and check that the site address starts with https://www.kh.hu/ebank, or,
  if you are logging in using a mobile token or text (SMS) message, https://ebank.sso.kh.hu/
• K&H Bank will never, in any form, request remote access to your devices or ask you to install any applications. Please, note that if you allow remote access to anyone (e.g. by installing the AnyDesk application) to your computer or mobile device, they may have access to the confidential data you store on the device (about yourself or your business) and see everything you do, including your activities on the electronic banking platform.

• immediately contact our colleagues through K&H TeleCenter (+36 1/20/30/70 335 3355) in case you find any unusual or questionable setting in your e-bank, under “settings / device management”, or in connection with your registered device or transaction history
• if you receive a message in your mailbox that instructs you to log into the K&H e-bank or mobile bank, contact our colleagues through the email address informationsecurity@kh.hu so that we can investigate the issue. Please send us the suspicious message as an attachment. In one of the most popular email software, you can do this as follows: after opening the message, click the three vertically aligned dots on the right side, download the message, and then click the paper clip icon to attach the downloaded file (which has an .eml extension) to the message to be sent to us.

Inheritance fraud means that fraudsters offer a significant inherited amount, i.e. major financial gain, to those who are receptive to that. In the typical scenario, a message is sent in the name of a foreign lawyer or authority, in which a very high inherited amount is promised in exchange for a participation. Claiming various costs, the fraudsters request the transfer of a low advance payment.

how to protect yourself from such scams

• never disclose confidential information or banking, identification or authentication data in response to a request received in e-mail or otherwise
• do not initiate payment based on an e-mailed request 
• if you receive unsolicited e-mail (spam), pay attention to its language, e.g. sloppy formulation or grammatical or stylistic errors, even if they seem to corroborate the story because a message written in broken Hungarian may be perceived as a foreigner’s attempt at communicating in Hungarian. If you receive such a mail, be suspicious and careful!
• be suspicious if strangers offer you wealth that is easy to gain
• do not be gullible - if a story sounds too good to be true, it is probably a scam

our universal advisors often report a type of fraud that is difficult to prevent because our client intentionally wants to transfer money to the fraudster. In the latest case, our client was contacted by a lady (?) who claimed to be a Hungarian living in Africa. Her family name was the same as our client’s, and the fraudster claimed to be a distant relative. Over several weeks of daily online conversation involving photos generated with artificial intelligence, our client grew to trust the “lady” that she had only heard from in messages. So when the fraudster mentioned that her small child was seriously ill and needed an expensive operation that was performed in West Europe only, our client wanted to transfer a large amount in order to help.

Fortunately, this story ended well because our universal advisor managed to convince our client that this was a fraudulent attempt at obtaining her savings. As the police confirmed this conclusion, our client suffered no damage.

The “Nigerian-type” or “419” fraud is a specific method employed in social media or on online dating portals, when the victims willingly transfer money to the fraudsters. The perpetrator builds up a romantic relationship with the victim, and then comes up with a touching story to ask for money. The deceptive story is supported with a fake social media profile that nevertheless looks authentic.

How to protect yourself from such fraud?

• never disclose confidential information or banking, identification or authentication data in response to a request received in e-mail or otherwise
• do not initiate payment based on an e-mailed request
• if you receive unsolicited e-mail (spam), pay attention to its language such as sloppy formulation or grammatical or stylistic errors, even if such errors seem to corroborate the story because a message written in broken Hungarian may be perceived as a foreigner’s attempt at communicating in Hungarian. If you receive such a mail, be suspicious and careful!
• do not believe romantic stories sent to you by e-mail
• do not be gullible – if a story sounds too good to be true, it is probably a scam

A client of ours received an unusually high phone bill from his service provider. Upon checking his call list, he found a long call to a foreign (African) number. He remembered a missed call from a number abroad. Unsuspectingly, he had called the number back. The phone on the other side rang for a long time but was not picked up; then the connection was broken. The phone company told our client that he had fallen victim to call-back fraud. The phone connection had actually been made; the call sounds had been recorded and played back by the fraudsters.

Call-back fraud is rather frequent. The perpetrators make many phone calls from unknown numbers, often from abroad, in order to gain money from their victims. The calls are short and immediately interrupted because the fraudsters want to be called back, so that they can gain income from the high (often premium) rates of international calls. The fraud attempt is successful even if the phone is not picked up despite a long series of rings, if the call is interrupted, or if the line is busy.

how to protect yourself from callback fraud

• be careful with unexpected calls, especially if the number is unknown or the call is made from abroad
• do not pick up calls from unknown foreign numbers: these can be risky, especially if they are made from a country where you have no acquaintance or you do not expect calls from
• if the caller’s number is hidden, you do not have to answer the call
• if you receive a suspicious call, check the phone number on the internet; a fraud attempt is likely if others have reported suspicious activities for the phone number
• you can block foreign calls with unknown international codes, either individually or collectively
• az egyedi hívószámok letiltását a telefonod beállításaiban teheted meg, míg az előhívószámok
• such calls can be blocked individually under your phone’s call settings; if you want to block them collectively, contact the client service of your provider

Investment fraud is very common. The fraudsters advertise a seemingly attractive opportunity to invest in shares, bonds or cryptocurrencies, often using images of and recommendations by celebrities such as models or athletes. The perpetrators attempt to gain their victims’ money through the promise of getting rich fast.

how to recognise a false investment opportunity

• always be suspicious if an offer sounds too good to be true, or if you receive unsolicited mail about an investment opportunity
• be cautious about investments that are claimed to return fast, or if the opportunity will supposedly expire in a short time
• always seek an independent financial consultant’s advice before paying out or investing money; in that way, you can make safer investment decisions
• be suspicious of popup windows claiming that you have unexpectedly won something, as such messages are often malicious
• if you fall victim to investment fraud, the fraudsters may contact you again, or may sell your data to other criminals

Consumers and businesses buy and sell more and more goods on the internet. Online offers are often favourable indeed, but beware of fraudsters!

how to avoid fraud

• before buying, search for information on the seller, and read product reviews
• use secure payment methods only; be suspicious if you are asked to use a service for sending money
• use a virtual card dedicated to online purchases, and top up its balance with the required amount on a one-off basis. That way, you cannot lose more than the balance of this secondary card in the worst-case scenario
• do not allow any application other than your bank’s or card company’s app to save your card data
• in each case, assess the risks of payment in advance, as well as the cost of payment on delivery. It is advisable to choose the latter option, especially in case of high-value purchases
• do not use a free or public wi-fi network when making a payment
• be wary of unrealistically favourable offers, as well as products that offer miraculous effects
• a popup window that notifies you of an unexpected prize is very likely a malicious program
• set a daily limit, a transaction limit, as well as an online purchase limit for your account and card

In one of the most frequent schemes, a buyer calls the seller to claim that he has paid for the product, and asks the seller to install a program on his computer or phone in order to “ensure that the payment is received”. The software usually grants remote access to the device. The unsuspecting seller may disclose to the fraudsters the code received in a text message; as a result, the criminals lock him out of his own banking profile, and empty his bank account.

In another type of online marketplace fraud, the seller is informed in a text message that the product has been paid for but he must “accept the amount” by opening a link in the message. Alternatively, the “buyer” recommends a courier service by abusing the name of a well-known and legitimate delivery service (e.g. Foxpost, DHL, DPD, MPL), and sends a text message or e-mail containing a phishing link referring to that provider. The link leads to a false website compiled by the fraudsters, where the seller is requested to enter his bank card data. Then the criminals can abuse the card, e.g. by making purchases. In other cases, the seller is invited to select his account managing bank and then enter his sensitive login data. This false website forwards the data to seller’s bank, and the careless client (seller) gets a legitimate one-time login code (e.g. in a text message) which he also enters on the false site. In that way, the fraudsters gain control of the client’s bank profile, and can immediately steal (transfer) the account balance.

how to avoid this scam

• never transfer money if you are the seller
• be aware that you, as the seller, should only receive but not send money
• you do not need any software program to receive money on your bank account, and you do not need to log into your netbank or mobile bank. It is enough to send your name and bank account number; never disclose any further bank or user account data, or any password, in response to a request received by phone, e-mail or text message
• never click or tap on a hyperlink received in an e-mail or text message, and do not open any attachment; for logging in, type the website address manually
• never download unknown software or applications to your computer or mobile phone
• notify your bank immediately if you have fallen victim to fraud, and report the case to the police

In these scams, the criminals send a text or e-mail message in the name of a non-banking service provider, asking you to confirm your data, pay an overdue amount, receive a parcel or a transferred sum, or suspend the service. Under that pretext, they request bank account or card data, personal data, or a money transfer. These messages often include links that seem to lead to the legitimate provider’s website but actually take you to a malicious site, or install malicious software on your device.

how to avoid such scams;

• be careful with unsolicited messages (spam)
• be especially wary if sensitive information is requested, such as personal or banking data or IDs, or if you are instructed to pay immediately
• do not transfer money based on a service provider’s message
• do not install software by opening a link received in a message, or based on instructions in a message
• download only authentic software from your service provider’s official website, or from official application stores (google play, app store)

Cybercriminals know that service providers increasingly use social media to keep in touch with their clients, even for the purposes of complaint handling or problem solving.

The perpetrators monitor complaints made to service providers in social media, and then pose as a representative of a company by copying a real representative’s profile or creating a similar one. They contact complaining customers and ask for sensitive information such as personal, banking or login data, ostensibly in order to resolve the issue. With that sensitive information, they can access the client’s bank account or various online accounts.

how to avoid this scam

• check the name of the social media profile (e.g. by visiting the service provider’s known site), and check for any spelling differences in the profile name
• do not open a contact link received in a social media message
• report suspected fraudulent profiles to the social media platform operators, and block those profiles
• always check the sender of the message
• do not disclose your personal data to anyone in social media
• do not disclose your user name, password or other identification or authentication data to anyone, under any circumstances; service providers never ask for that information  

Fraudsters employ various methods to make you disclose your personal data; for example, they may offer you a job. Then they use the data for unauthorized purchases, or they open a bank account, buy telephone subscription, borrow money, execute illegal business transactions, or sell your data to other fraudsters.

how to avoid this fraud:

• regularly review the data protection and security settings of your social media accounts
• consider how much information and what photos you share in social media; these can be used by criminals to create false identities, or to defraud you
• report suspected fraudulent profiles to the social media platform operators, and block those profiles
• recognise unusual or suspicious messages or posts from acquaintances, and report these to the social media operators
• regularly check your bank account statements; if you see a debit for something that you have not ordered, contact your bank and your card company
• set a daily limit, a transaction limit, as well as an online purchase limit for your account and card

• install software updates as soon as they are available or set up automatic update downloads.
• take care of the security of your wireless (Wi-Fi) network. Avoid public Wi-Fi networks when using e-bank or mobile bank.
• do not install illegal or unknown software.
• lock your computer when you are not using it so that no-one can easily access your personal data or applications.
• use a password at least 12 characters long to log in to your computer. Your password shall not be a dictionary word, or anything connected to you and shall contain upper- and lower-case letters, digits, and special characters. Consider using a trustworthy password manager.
• do not install software that can be used to remotely control your computer.
• do not grant anyone remote access to your device that you use for banking.
• encrypt your data stored on the device.
• regularly back up your data and check whether the back-up is complete and can be used to restore your important data.
• use a browser that can block pop-up windows as such usually display websites that ask you to enter sensitive data.

approval with mobile token

• scan QR codes only from the Bank’s website and always check the URL of the page you are at.
• never scan QR codes you received in an e-mail or message; visit the kh.hu website instead.

• lock your smartphone or tablet when you are not using it so that no-one can easily access your personal data or applications.
• only install apps from the official application stores (iOS: App Store, Android: Play Store).
• use a PIN at least 5 digits long or an even more secure solution to unlock you lockscreen.
• do not use a jailbroken or rooted mobile device because a modified operating system may lack several built-in security features.
• always use the latest version of our mobile application and the operating system of your mobile device.
• disallow the installation of third-party applications on your smart device.
• install software updates as soon as they are available or set up automatic update downloads.
• take care of the security of your wireless (Wi-Fi) network. Avoid public Wi-Fi networks when using e-bank or mobile bank.
• do not install illegal or unknown software.
• do not install software that can be used to remotely control your smart device.
• do not grant anyone remote access to your device that you use for banking.
• encrypt your data stored on the device.
• regularly back up your data and check whether the back-up is complete and can be used to restore your important data.

K&H Bank uses two-factor authorisation for online login and transaction approval. During an identification in text message, users are required to enter not only their password but also a code received in the text message. This secondary authentication request appears on your phone’s screen even if someone else has been trying to make a transaction.

if you get an approval request and suspect foul play, follow the steps below:

• Check the request for identity verification: make sure it is really you who has initiated the login or transaction.
• Never approve requests that you do not recognise.
• Check all the data in the text message with the approval request: the transaction, the amount, the recipient, etc.
• Never leave your authentication devices unattended: always keep them in a secure place and never share them with others.
• Use screen lock: a lockscreen on your mobile phone protects it from unauthorised access.
• Only register your own biometrics (fingerprint ID, face ID) on your device.
• Check your settings: set up your phone to only show push and text messages after the lock screen has been unlocked. This protects sensitive data from unauthorised access.

Phoney WiFi networks can be so sophisticated that a general user would hardly spot them. In such a scam the attackers set up a fraudulent WiFi hotspot bearing the name of a well-known and legitimate one. Then they invite potential victims to connect. They tap into the communication and collect sensitive information such as usernames and passwords while the users often do not even detect the attack.

how to protect yourself against WiFi scams – here are a few useful tips:

• avoid “unsecured” connections: when looking for available networks, skip those that your device marks as “unsecured”.
• do not use public WiFi networks if you do not have to: using public WiFi networks poses a heightened risk of attack. Opt for an alternative such as your own mobile data or a safe home network when available.
• do not allow “automatic connection to WiFi networks”: with automatic connection your device can easily connect to unknown networks, which is risky.
• be cautious with websites requesting sensitive login data: when using a public WiFi network do not log in to websites that require the entering of a username and password.
• set up multiple-factor authentication: if available, set up multiple-factor authentication on websites that give you access to important data. This will give you more security in the online space.
• use a trustworthy VPN (virtual private network) service.

Scammers use phishing e-mails or text messages to install malicious code on your device, that may allow them to look for and collect information such as login data. Such pieces of code are usually installed without the user’s knowledge when the user clicks on a link in a phishing message posing as a legitimate notification or installs an application that contains malicious code. As the user is not aware of being spied upon, they may disclose sensitive information such as login data and financial information.

how to protect yourself against malicious code attacks - here are a few useful tips:

• keep your software, including your browser, antivirus, and operating system, updated because the latest patches tend to improve security. Set up automatic updates if possible.
• restart your mobile device regularly.
• never click on links in messages or open attachments.
• always examine your e-mails thoroughly, looking for inconsistencies such as odd language, spelling errors, or a pressing tone.
• exercise caution when using mobile devices; never allow automatic connection to networks.
• if you receive a suspicious e-mail, report it to the Bank; such information can help in preventing attacks of this type.
• before installing some software always consider whether you really need that application. Remove the applications you do not use.
• only install applications from the official application stores (Google Play, App Store), and never root or jailbreak your operating system or apps.
• always check what kinds of permission an application requests. If they seem unnecessary, look for another app instead (e.g. it is unnecessary for a map application to access your contacts).

• in the instant payment system, money is transferred to the recipient’s account in a matter of seconds 24 hours a day, 365 days a year. Another feature that was launched together with the instant payment system is secondary account identifiers. If a person registers their e-mail address, mobile number, tax number, or tax ID with their bank, then such can be used instead of their account number to identify them as the recipient of money transfers. With a view to preventing fraud, bank clients, too, need to be more cautious when making transfer instructions.
• it is important that would-be recipients of payments are very meticulous when sharing their secondary account identifier. If you make a mistake in that, you will not receive your counterparty’s payment, or - worse still - the payment might go to someone else. Therefore, you should double - or even triple - check whether you have given people your secondary identifier correctly.
• it is also important to notify your counterparts and your bank if you change your e-mail address or telephone number used as a secondary account identifier.
• before you make an instruction for payment using a secondary account identifier you have not paid to for some time, maybe one that is included in your K&H e-bank or mobile bank partner list, check with the counterparty if they are still using that same identifier.
• if you come to suspect that someone is using your e-mail address or mobile number as their secondary account identifier, or you receive a registration confirmation code when you have not started a registration at all, contact K&H TeleCenter immediately at +36 1/20/30/70 335 3355.

securely - without cash

• managing your finances is becoming easier, and more readily available device-wise, by the day. In order to make such transacting secure, the international, and Hungarian, regulators have put detailed requirements in place and the banks are doing their utmost to protect you. All this comes to nothing, however, without prudence on your side.
• mobile phones have been coming to the forefront of online transacting and so deserve special attention when it comes to their security.
• K&H e-bank and mobile bank offer you the opportunity to instantly change your card limits or even to suspend your card in the event it has got lost or stolen or you suspect fraudulent activity.