Fraudsters hijack an account using phishing and steal 80,000 francs. Postfinance leaves customer out in the cold.
EF won't forget this day anytime soon. The 36-year-old just wants to make a quick payment on the Postfinance app. But she can't log in. The application reports “Password is incorrect”.
Suspecting something bad had happened, she rushed to the nearest Postomat and realized: her account was empty. “More than 80,000 francs have disappeared. All my savings!”
Criminals are the buyers
It all started with an ad on Anibis and Facebook Marketplace, where EF was offering furniture. Shortly afterwards, a woman contacted her via WhatsApp and expressed interest in the advertised bed.
She asks whether the bed can be delivered, claiming that the post office offers a transport service for this purpose.
A screenshot of the supposed postal service is sent along with the offer. To the seller, the URL and logo look legitimate. The only problem: no such postal service exists. The 36-year-old suspects nothing and accepts the proposal.
A cleverly manipulated fake website
The buyer then sends her a link to an (alleged) post office website to arrange transport and payment. “I have a Postfinance account and I thought: Postfinance payments are normal. It didn't seem suspicious to me.”
On the website she enters her name, address and International Bank Account Number (IBAN). Shortly afterwards, she receives an SMS verification code, which really does come from Postfinance. Believing she is on the official post office website, she enters the code on the fake page.
What happened next: the fraudsters took over the account and ordered electronics worth more than 80,000 francs from large online retailers. How the perpetrators were able to hijack her account is a mystery to EF.
She realized she had fallen for a phishing scam. But: “I never gave out my login password. It's saved on my phone and it's so complex that I don't know it by heart.”
Mystery: how did the criminals get the login password?
“Kassensturz” asks Postfinance: How did the perpetrators manage to get into a customer's e-finance account without a password? The bank counters: “Without the e-finance number, the password and a third security element, it is not possible to log in to e-finance. In this case, the fraudsters gained access to this highly confidential data by exploiting the customer's trust.”
How to protect yourself from phishing
According to the Federal Office for Cybersecurity, the following preventive measures help protect you from phishing attempts:
- Enable two-factor authentication wherever possible.
- Do not trust emails from banks or credit card companies asking you to change your password or verify your credit card.
- Do not enter passwords or credit card details on a website you reached via a link in an email or text message.
- Be suspicious of emails that demand action and threaten consequences if you do not comply (loss of money, a police report, etc.).
Postfinance's position is that by passing on the security code, the customer breached her duty of care and is therefore liable for the damage. Postfinance provides no evidence that the perpetrators obtained the password.
Postfinance's security system works – then it doesn't
EF also criticizes Postfinance's security system, for the following reason: it blocked the criminals' first four attempts to transfer a total of 34,000 francs, but not the subsequent ones. “How can the system recognize the first transfers as suspicious, but not the rest?” Postfinance does not want to answer this question: “For security reasons, we cannot give an answer.”
Regardless of how the perpetrators went about it, the case once again shows that you should never accept unusual proposals and payment methods when doing business online. Had EF insisted on a cash payment or a Twint transfer, the perpetrators would have had no chance.