Banking Trojans, malicious programs, phishing and other forms of internet-borne malice are ever-evolving risks that keep escalating in numbers and sophistication.

With that, most threats still need user interaction to help usher them into a PC or mobile endpoint. This is where anyone can apply some extra precautions to safeguard against the latest cybercrime schemes.

 

Mitigating Malware for PC Users

Most cases of PC malware infections begin with spam email that tricks victims into navigating to a spoofed URL or opening a malicious attachment. If you are not expecting a document, such as an invoice, package tracking link or fax, your best bet is to immediately delete the unsolicited message and alert your IT department as well as your bank or other service provider.

Those who frequently conduct online banking away from home should never access personal accounts from public computers. Online banking should be carried out from trusted or secured Wi-Fi networks, over a secured VPN connection and through devices protected by security solutions.

Email Awareness

Stay away from unsolicited email. Seriously. No matter how tempting a subject, if you did not solicit it, did not make a purchase and were not expecting an invoice or package, report it as spam to your IT department. Then send it to the abuse mailbox of the applicable service provider and delete it from both your inbox and the trash folder.

Be especially wary of attachments and examine them for their true extension type. Most malware is actually an executable, like an .exe file; a container file, like .zip or .rar; or an Office spreadsheet or document with macros that, in some cases, run automatically. Don’t let that happen.

Email is not a bulletproof communication method. In fact, it’s the favored method by which phishers, spammers and other cybercriminals spread their malicious schemes. These bad actors are determined to come up with a way to make you open and click, so don’t take the bait.

More Computing Hygiene Tips

Some additional computing hygiene tips can go a long way toward helping users protect themselves from run-of-the-mill malware:

  • Don’t unsubscribe from spam. Instead, mark it as spam or junk and keep your email address private. Spam botnet operators look for unsubscribers to reply so they can verify that the address is active.
  • Always update your operating system as soon as new updates and patches are available. Set your endpoint to update automatically.
  • Delete software you no longer use. Duly update all programs you do use.
  • Disable online ads on the PC you use for banking and payments. Unfortunately, cybercriminals often compromise and repurpose ads for the covert delivery of malware. Known as malvertising, this is one of the most popular methods for malware looking to leverage exploit kits and infect new victims.
  • Ignore free offers. There are no free meals on the internet. Whether it’s a free game, free software or free adult content, you’re likely giving out something without knowing it. Free stuff in the digital realm can easily contain a backdoor to your endpoint, make you part of a botnet, and push adware, spyware, ransomware and banking Trojans to your endpoint.
  • If you are using personal email at work, never open attachments on your work endpoint. Refrain from sending sensitive work data to and from that personal email box.

Mitigating Malware for Mobile and Smartphone Users

The average person looks at his or her phone 46 times every day, according to Time. As for banking with our phones, Payment Week reported that 38 percent of consumers interact with a bank primarily via a mobile device, and 63 percent use phones to carry out standard banking tasks. That means mobile banking is being used more than ever before.

With users migrating their everyday banking to mobile devices, cybercriminals are taking advantage of the increased opportunities to dupe them into opening malicious messages and emails, clicking on evil links or downloading innocuous-looking apps from dubious sources. Users can foil most of these attacks by keeping in mind some familiar tips for mitigating malware:

  • Email spam and unsolicited messages pose the same threat to mobile device users as PC users. Mobile devices are especially vulnerable to phishing attacks and identity theft schemes.
  • Treat unsolicited SMS messages and emails as spam and never open them. Never follow links, open attachments or heed instructions contained in these messages.
  • Criminals like using stressful ploys, such as sending text messages to users claiming their bank or credit card account has been disabled. Don’t take the bait. Call the number provided in the SMS, the number on the back of your credit card or dial the bank directly using a number you know to be genuine.
  • Update your phone’s operating system as soon as a new update is available.
  • Delete apps you no longer use and always update those you do.
  • Enable a screen-lock password for your device.
  • Don’t enable sideloading on your device.
  • Don’t root or jailbreak your device.
  • Don’t download apps from unofficial app stores.
  • Get links to banking and payment apps directly from the service provider’s website.
  • Don’t grant applications admin permissions. If an app requires that sort of control, it is likely something you do not want on your device.
  • Malicious apps often ask for your location and access to SMS, calls and services that cost money. If you downloaded a legitimate app that needs all the above, make sure it actually uses this access for the services it offers.
  • Be vigilant for any odd behavior the device may exhibit. A mobile malware app can lock the device for a ransom or to keep users out while it conducts fraudulent activity. If your device is suddenly inaccessible, check for ransomware and then check your bank account.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today