Don’t click on attachments or website links contained in emails leading to Maybank2u.com or any other online banking system. It could be a scam.
However, as online banking becomes more popular, Maybank M2U increasingly becomes a target of criminals. Unlike robbing a physical bank, these cyber criminals directly target you, the consumer, in attacks known as phishing schemes.
The Maybank M2U team sat down with the Head of Cyber Security at Maybank to find out what phishing is and how the consumer can avoid it.
Phishing: What It Is And How To Avoid It.
What is phishing?
The term ‘phishing’ describes a scam, or fraud, designed to obtain private information like passwords and credit card numbers. Usually, criminals carry out phishing attacks by pretending to be a trusted party like Maybank and tricking you into revealing your online banking username, password and Transaction Authorization Code (TAC) to them.

The most common form of attack involves sending phishing emails with links to a fake M2U phishing website that is actually controlled by the criminals. Phishing emails are designed to appear to have been sent from Maybank and contain official-sounding messages that prompt users to update their account information.
Unsuspecting users who follow these instructions are brought to a site they think is M2U, but is actually a fake site controlled by the criminals. When the user updates his/her account information, their username, password and TAC are revealed to the criminals.
The criminal can then log in to the user’s account on the real M2U. Once inside, the criminal can transfer funds from the victim’s account.
What steps does M2U take to prevent phishing scams?
M2U employs encryption technology to ensure the safety and confidentiality of your transactions. However, because phishing scams are forms of social engineering that trick the user, precautions at the system level are not enough to prevent phishing scams.
The first defense that M2U deploys against phishing is TAC, or Transaction Authorization Code, to add a second layer of authentication to the login process. The TAC is sent directly to the user’s mobile phone to verify the transaction request and user’s identity for certain transactions in M2U.
Maybank M2U also has dedicated staff who monitor all user account activity. If any unusual activity is detected, they will alert Customer Service to verify the transaction in question.
Lastly, M2U plays an active role in helping the Malaysian Commission for Multimedia and Communications (MCMC) and the Malaysian Computer Emergency Response Team (MyCERT) to identify and shut down phishing sites that M2U users have reported or that the team has discovered.
What steps does M2U take when a phishing scam is reported?
Once M2U is notified of phishing emails or websites, M2U conducts internal investigations to locate the sender of the phishing emails and the web hosts of the phishing websites. M2U then passes this information on to MCMC and MyCERT.
Report Phishing
If you suspect that you have been tricked into giving your ID and password at a fake website, change your password immediately by logging in directly through http://www.maybank2u.com.my. Report phishing websites or e-mails immediately.
Maybank M2U has identified several email scams. Please DO NOT click on these or any other URLs to link to Maybank2u.com or to your personal information.
Security update: 26 February 2009:
Sample of FAKE e-mail being circulated
Security Alert
Please continue to be alert against any emails requesting you to update your particulars or log in to Maybank2u via any email link. The Maybank M2U URL is http://www.maybank2u.com.my and you should be suspicious of any e-mail that informs you otherwise.
Maybank does not send out any e-mail or SMS requesting customers to provide personal banking ID or PIN or credit card information. Please do not log in through website links contained in emails supposedly from Maybank or other institutions. Be alert or you may fall victim to a financial scam.
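The advice above comes down to one rule: a link belongs to M2U only if its host is exactly www.maybank2u.com.my. The Python sketch below is an added example, not Maybank's code, that applies this rule to a link copied from an email and names the usual disguises; the brand tokens and the sample links are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "www.maybank2u.com.my"  # the only M2U address the page gives
BRAND_TOKENS = ("maybank", "m2u")       # assumption: brand strings worth flagging

def is_ip_literal(host):
    """True for dotted/IPv6 addresses and for single-integer hosts (hex or
    decimal), which browsers also resolve as IPv4 addresses."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return re.fullmatch(r"0x[0-9a-f]{1,8}|[0-9]{1,10}", host) is not None

def check_link(url):
    """Return reasons to distrust url; an empty list means the host is official."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    if host == OFFICIAL_HOST:
        return []
    reasons = ["host is not " + OFFICIAL_HOST]
    if is_ip_literal(host):
        reasons.append("host is a raw IP address")
    elif any(token in host for token in BRAND_TOKENS):
        reasons.append("brand name inside an unofficial domain")
    # The real address pasted into the path or query does not change the host.
    if OFFICIAL_HOST in (parts.path + "?" + parts.query).lower():
        reasons.append("official address appears only after the host")
    return reasons

# Constructed sample links (documentation-reserved hosts, not real sites).
SAMPLES = [
    "http://www.maybank2u.com.my/",
    "http://192.0.2.10/portal.htm?https://www.maybank2u.com.my/mbb",
    "http://0xC0000201/login.htm",
    "http://maybank2u-login.example/index.htm",
    "http://mail.example.net/www.maybank2u.com.my/index.html",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = check_link(link)
        print(link, "->", "OK" if not verdict else "; ".join(verdict))
```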
DM: Readers, don’t fall prey to this type of scam.