Smishing is a form of phishing where fraudsters use SMS (text messages) to trick individuals into revealing sensitive information, such as personal, financial, or login credentials. These scams often appear legitimate, mimicking trusted institution or individuals.

1. 1. 1. How Fraudsters Operate in Smishing?
         
         • Impersonating Trusted Entities:
           • Fraudsters send messages pretending to be from a bank, government agency, retailer, or other trusted organization.
           • Common examples: "Your account has been locked," or "You've won a prize, click the link to claim."
         • Creating Urgency or Fear:
           • Messages often include threats (e.g., account suspension) or create a sense of urgency (e.g., fraudulent transactions detected) to compel immediate action without careful thinking.
         • Including Malicious Links:
           • The SMS includes a link to a fake website that looks like the legitimate site of the bank. Users are prompted to enter personal details, passwords, or payment information, which the scammers then steal.
         • Requesting Direct Replies or Downloads:
           • Some smishing messages might ask you to reply with personal information or to download malicious software (malware) disguised as a legitimate app.
         • Spoofed Sender IDs:
           • Attackers can make the SMS appear as if it’s coming from a legitimate Bank Dhofar, often showing up as part of an ongoing thread of legitimate messages you may have previously received from the real entity.
      2. How to Protect Against Smishing?
         
         • Do Not Click on Links in Unsolicited Messages:
           • Avoid clicking links from unknown senders. Always verify by contacting the bank through official channels.
         • Be Skeptical of Urgent Requests:
           • Bank Dhofar will not ask for sensitive information via text message. If a message is creating panic or urging immediate action, it's likely a scam.
         • Verify Contact Information:
           • If you receive an unexpected message, don’t respond directly. Instead, use a trusted source, like the official website or phone number, to verify.
         • Do Not Provide Personal Information:
           • Never send passwords, account numbers, or other sensitive information through SMS.
         • Install Security Software:
           • Use mobile security apps that can detect and block smishing attempts and malware.
      3. How to report a Smishing?
         • Report the incident to Bank Dhofar customer care via email at Care@bankdhofar.com.
         • Call the 24X7 Call Centre at +968 24791111.

Be vigilant, do not disclose your personal information over the phone to anyone.

'Vishing' (Short for voice-based-phishing) is a criminal mechanism where people are lured to share their personal identity data and financial account credentials over the telephone, either to an Interactive voice response (IVR) machine or a person. These calls always try to convince bank customers that there's an issue with their banking account or debit/credit card or that they won a big amount in a lottery/draw, which lure them to share personal details with them over the call.
Please stay alert to suspicious calls claiming to be from Bank Dhofar. Please do not share any personal information or bank details via phone or online, and do not click on any suspicious links sent by e-mail/SMS/WhatsApp or via Social Media platforms

1. 1. 1. How the Fraudsters Operate?
         
         • Impersonating Bank Representatives:
           
           • The fraudster calls the customer and claims to be calling from the Bank
           • They ask for personal details such as user id, login and transaction password, OTP (One-time password), Card PIN, Grid card values, CVV or any personal parameters such as date of birth, mother's maiden name.
      2. Tips to Protect Yourself from Vishing;
         
         • Be Suspicious of Uninformed Callers:
           • Your bank would have knowledge of some of your personal details. Be suspicious of any caller who appears to be unaware of basic personal details like first and last name (although it is unsafe to rely on this alone as a sign that the call is legitimate). If you receive such a call, report it to your bank.
         • Do Not Leave Personal Details on Unverified Systems:
           • Do not call and leave any personal or account details on any telephone system that you are directed to by a telephone message or from a telephone number provided in a phone message, an e-mail or an SMS especially if it is regarding possible security issues with your credit card or bank account.
         • Verify Telephone Numbers:
           • When a telephone number is given, you should first call the phone number on the back of your credit card or on your bank statement to verify whether the given number belongs to the bank.
         • Do Not Provide Personal Information
           • If you get an SMS or call asking for personal or credit/debit card information, please do not provide this information.

Pretexting is a form of social engineering attack where a fraudster fabricates a scenario or a "pretext" to trick someone into revealing sensitive information. The attacker often impersonates a trusted individual, authority figure, or bank representative to build trust and manipulate the target into divulging data, such as passwords, financial details, or personal information

1. 1. 1. How Pretexting Works?
         
         • Research: Fraudsters often research their target to gather basic information, such as names, job roles, and organizational details. This helps make their pretext more convincing.
         • Building Trust: The fraudster creates a believable story and assumes a false identity (e.g., posing as IT support, law enforcement, or a bank representative) to gain the target’s trust.
         • Creating Urgency: Attackers frequently create a sense of urgency or authority. For example, they may claim that there’s a security issue that needs immediate attention, encouraging the target to act without thinking.
         • Request for Sensitive Information: Once trust is established, the fraudster requests sensitive information, such as login credentials, account details, or access to restricted systems. They may also manipulate the target into performing actions, like transferring funds or clicking malicious links.
      2. How Fraudsters Operate in Pretexting?
         
         • Impersonation: The fraudster assumes the identity of someone the target trusts, such as a colleague, customer service agent, or government official.
         • Tailored Scenarios: The pretext is customized to the target, often using information gathered from social media, company websites, or public databases.
         • Persistence: Fraudsters are often patient, sometimes initiating multiple interactions to build trust gradually before attempting to extract sensitive data.
      3. Protecting Against Pretexting:
         • Verification: Always verify the identity of anyone requesting sensitive information, even if they appear legitimate. Use official contact channels.
         • Awareness Training: always keep yourself updated on social engineering tactics, including pretexting, so you can recognize red flags.
         • Limit Information Sharing: Be cautious about sharing personal or company details online, as fraudsters may use these to craft convincing pretexts.

Baiting is a social engineering tactic that involves enticing individuals into engaging with seemingly innocent objects or content that turn out to be malicious. The goal is to trick people into exposing themselves or their organizations to security risks, such as malware, data breaches, or unauthorized access. Baiting often takes the form of physical media (like a USB stick) or digital lures (like fake websites, emails, or downloads).

1. 1. 1. Examples of Baiting:
         
         • Physical Baiting: Attackers leave USB drives in public places (e.g., parking lots, cafes, banks) labeled as something intriguing like "Company Payroll" or "Confidential Info." Curious victims plug the drive into their computers, unknowingly introducing malware.
         • Online Baiting: Fraudsters create fake websites or ads offering free downloads, software, or media (like movies or music). Once the user downloads the file, malware infects their system.
         • Email Baiting: Fraudulent emails may offer free items, deals, or promotions that encourage users to click a link or download a file, which installs malware or leads to phishing sites.
      2. How Fraudsters Operate with Baiting?
         
         • Target Selection: Fraudsters often select targets based on their curiosity or vulnerability. They might choose employees of large organizations or individuals who frequent specific locations or websites.
         • Creating the Bait: Fraudsters design the bait to be tempting or urgent, such as naming the USB stick something confidential or offering a deal that seems too good to pass up.
         • Delivery Method:
           • Physical: Leaving USB drives, CDs, or other media in accessible areas where victims may find and use them.
           • Digital: Using fake websites, malicious links, or email attachments to lure victims into clicking or downloading harmful content.
         • Exploitation:
           • Physical Media: When the victim plugs the device into their computer, the malware automatically runs, giving the fraudster remote access to the system.
           • Online: Clicking on a malicious link could lead to credential harvesting (phishing) or download malware, like ransomware, onto the victim's machine.
         • Gaining Access: Once the victim engages with the bait, fraudsters can:
           • Steal sensitive data (e.g., login credentials, personal information).
           • Encrypt files and demand a ransom (ransomware attacks).
           • Install spyware to monitor the victim’s activity.
           • Use the compromised device as a backdoor into a corporate network.
      3. Preventive Measures:
         • Education: Regular security awareness training that emphasizes the dangers of curiosity-driven actions, like plugging in found USB drives or clicking suspicious links.
         • Technical Safeguards: Using endpoint protection, anti-malware software, and disabling auto-run for external devices to prevent unauthorized executions.
         • Testing: Simulated phishing or baiting attacks to train you to recognize suspicious items or online offers.

SIM swap fraud is a type of identity theft where attackers trick a mobile carrier into transferring control of a victim's phone number to a SIM card in the fraudster’s possession. This allows the attacker to intercept calls, texts, and any two-factor authentication (2FA) messages sent to the victim’s phone number, giving them access to sensitive accounts such as email, bank accounts, and social media profiles.

1. 1. 1. How Fraudsters Operate in SIM Swap Attacks
         • Gather Personal Information:  Fraudsters first gather personal details about the victim. This could include the victim’s full name, address, date of birth, or other identifiable information. They often obtain this information through data breaches, phishing attacks, social engineering, or even purchasing it on the dark web. 
         • Contact the Mobile Carrier:   Using the victim's personal information, the attacker contacts the victim’s mobile service provider. They pose as the victim, claiming to have lost their phone or SIM card and request that the phone number be transferred to a new SIM card (which they control). 
         • Authenticate Using Stolen Information:   If the attacker has gathered enough personal information, they can answer security questions or provide required verification data to convince the mobile carrier that they are the victim. 
         • Take Control of the Number:   Once the carrier transfers the phone number to the fraudster’s SIM card, the victim's phone loses service, and all calls, texts, and 2FA codes are routed to the attacker’s device. 
         • Access Sensitive Accounts:   Armed with control over the phone number, the fraudster can reset passwords for online accounts (such as email, banking, or social media) by intercepting the text-based verification codes sent by these platforms. This gives them full access to the victim's accounts. 
         • Drain Financial Accounts:   In many cases, the attacker’s primary target is the victim's financial accounts. They can transfer funds, make unauthorized purchases, or even engage in other types of identity fraud using the victim’s financial data.
      2. Tips to Prevent SIM Swap Fraud:
         • Enable Two-Factor Authentication (2FA) Using an App: Instead of relying solely on SMS-based 2FA, use an authenticator app (like Google Authenticator or Microsoft authenticator) for generating time-based codes that are not linked to your phone number. 
         • Use Strong Security Questions: Avoid using easy-to-find or guessable answers for security questions (e.g., mother’s maiden name or favorite pet’s name). Instead, create random or complex answers that aren’t publicly available.
         • Contact Your Mobile Carrier for Extra Security: Request additional protections from your carrier, such as a PIN or password that must be provided before any account changes can be made. Some carriers may offer specific SIM protection features. 
         • Monitor Your Phone's Service:  If your phone suddenly loses service or you receive unexpected alerts about your SIM card or number, contact your mobile carrier immediately.
         • Be Wary of Phishing Attempts:  Always be cautious of unsolicited messages or emails requesting personal information. Fraudsters often use phishing to collect the data they need to perform a SIM swap. 
         • Monitor Your Accounts Regularly:  Regularly check your financial and personal accounts for any unauthorized activity or suspicious login attempts.

If you have any doubt about the authenticity of the ATM or the POS machine, do not use it.

Card skimming is the act of using a skimmer to illegally collect data from the magnetic stripe of a credit, debit or ATM card. These skimmers are installed in ATM or POS machines. This information, copied onto another blank card's magnetic stripe, is then used by an identity thief to make purchases or withdraw cash in the name of the actual account holder. Check the ATM or the POS machine for any abnormalities and look for any unusual or strange additions to the machine.

1. 1. 1. How the Fraudsters Operate?
         • At ATM machines: Fraudsters insert a skimming device to the ATM's card slot. This device scans the card and stores its associated information. While a customer keys in his PIN, the wireless skimming device transfers the data to the fraudsters. This information is then used by the fraudsters for online shopping or to make counterfeit credit cards. 
         • At Shopping Malls or Restaurants: At restaurants and shopping malls, the credit card is swiped twice, once for the regular transaction and the other in the skimmer that captures the personal information, which is retrieved later by the fraudsters.
      2. Tips to Protect Yourself from Card Skimming
         • Protect your PIN: Stand close to the ATM and shielding or cover the key pad with your other hand when entering your PIN. 
         • Be Observant: If you see anything unusual, strange, suspicious, something that does not look right with the ATM or if the keypad does not feel securely attached, stop your transaction and inform the bank. 
         • Avoid Suspicious Devices: If the ATM appears to have anything stuck onto the card slot or key pad, do not use it. Cancel the transaction and walk away. Never try to remove suspicious devices. 
         • Be Cautious of Strangers: Be cautious if strangers offer to help you at an ATM, even if your card is stuck or you are having difficulties. Do not allow anyone to distract you. 
         • Keep Your PIN Secret: Never reveal it to anyone, even to someone who claims to be calling from your bank or a police officer. 
         • Maintain distance: Ensure that other people in the queue are at a reasonable distance away from you. 
         • Monitor your accounts: Regularly check your account balance and bank statements, and report any discrepancies to your bank immediately.

Be cautious from unsecure link and always verify whether the URL is safe before clicking

Website spoofing is the act of creating a website, as a hoax, with the intention of performing fraud. To make spoof sites seem legitimate, phishers use the names, logos, graphics and even code of the actual website. They can even fake the URL that appears in the address field at the top of your browser window and the padlock icon that appears at the bottom right corner.

1. 1. 1. How the Fraudsters Operate?
         • Fraudsters send e-mails with a link to a spoofed website asking you to update or confirm account related information. This is done with the intention of obtaining sensitive account related information like your Internet Banking User ID, Password, PIN, credit card / debit card / bank account number, card verification value (CVV) number, etc.
      2. Tips to Protect Yourself from Spoofed Websites
         • Bank Dhofar will never send e-mails that ask for confidential information. If you receive an e-mail requesting your Internet Banking security details like PIN, password or account number, you should not respond.
         • Check the webpage's URL. When browsing the web, the URLs (web page addresses) begin with the letter’s "http". However, over a secure connection, the address displayed should begin with "https" note the "s" at the end.  For example, if you visit a website such as the following address “http://www.xyz.com”. Here the URL begins with "http" meaning this page is not secure. Click the tab under "Login". The URL now begins with "https", meaning the user’s name and password typed in will be encrypted before being sent to our server.

You always have to protect your information  be it over the internet or during your normal banking activities by simply following these tips:

• • • Do not use passwords that are easy to guess, e.g. your name, your date of birth, your telephone number(s), etc.
    • Use a combination of upper- and lower-case letters as well as numbers.
    • Do not share your password with anyone and do not use the same password for other websites.
    • Change your password frequently and never write it down.
    • Always log into Internet Banking via our sites at the following addresses: BankDhofar online Banking (https://online.bankdhofar.com/) and not through other links.
    • Avoid logging into Internet Banking from Internet Cafes, Libraries or public sites.
    • Always close the window once you have logged out of your Internet Banking session.
    • Be wary of opening email messages from untrustworthy sources, especially if they contain attachments.
    • Do not reply to emails that request your personal information. They may appear to come from a trusted friend or business, but they are designed to trick you in disclosing sensitive personal information.
    • Use personal firewalls and anti-virus software.
    • Avoid downloading software such as screen savers, desktop themes, games, and other executable type programs from obscure or unidentifiable websites. These programs may contain Trojan viruses that would enable hackers to monitor or take over your PC.
    • Disable all unnecessary services running on your computer.
    • Always verify that the site is the genuine Bank Dhofar site.
    • Before you start your internet banking session, ensure that all other internet sessions are closed. If your internet banking session is open, we recommend that you do not open other internet browsers at the same time.
    • Please contact our Customer Service Helpdesk on +968 24791111 in case you receive fraudulent emails or require any assistance using our Internet Banking service

Bank Dhofar will never ask for sensitive information, such as passwords, PINs or OTPs, via email or other channels. Be cautious of suspicious or urgent action which requesting for personal details. If you ever doubt the legitimacy of this activity, please contact our official Customer Care at care@bankdhofar.com or 24X7 Call Centre on +968 24791111.

• • • Avoid Sharing Sensitive Information: Never share personal information like passwords, PINs, account numbers, or OTPs through SMS, even if the message appears to be from the bank.
    • Beware of Phishing SMS (Smishing): Be cautious of suspicious or unsolicited SMS messages asking for your personal or banking details. Banks will never ask for such information via SMS.
    • Verify Sender Information: Ensure that SMS messages are from the official bank number. Fraudsters often use spoofed numbers to mimic official bank communications.
    • Don’t Click on Unknown Links: Avoid clicking on links in SMS messages from unknown or unverified sources. These could lead to phishing websites or install malware on your device.
    • Report Suspicious Activity: If you receive any suspicious or fraudulent SMS, report it immediately to your bank and block the sender.
    • Use Strong Phone Security: Enable a screen lock or biometric lock (fingerprint/face ID) on your phone to prevent unauthorized access to your SMS banking details.
    • Regularly Monitor Transactions: Keep an eye on your SMS alerts for any unusual banking activity or unauthorized transactions.

• • • Use Official Bank Accounts Only: Ensure you are interacting with the official WhatsApp number of your bank, which is typically verified with a green tick mark.
    • Enable Two-Factor Authentication (2FA): For WhatsApp, enable two-factor authentication to add an extra layer of security to your account.
    • Never Share Sensitive Data: Do not share account numbers, PINs, OTPs, or any other sensitive information through WhatsApp.
    • Be Wary of Unsolicited Messages: Fraudsters may send messages posing as the bank, asking for personal information. Always verify the sender’s identity before responding.
    • Don’t Click on Suspicious Links: Avoid clicking on any links or downloading attachments sent through WhatsApp, unless you are sure of their authenticity.
    • Regularly Update the App: Ensure that your WhatsApp is up-to-date with the latest version to avoid vulnerabilities that could compromise your account security.
    • Limit Personal Information: Avoid sharing excessive personal information via WhatsApp, as fraudsters could use this to impersonate you or hack into your accounts.
    • Report Fraudulent Activity: If you suspect fraudulent activity or receive suspicious messages, report them to your bank and block the sender on WhatsApp.

Here are some ways to protect yourself every time you use your ATM/CDM. Always be aware of security when using an ATM/CDM and follow these general tips to ensure your personal information is kept safe:

• • • Never disclose your Personal Identification Number (PIN) to anyone.
    • Never write your PIN or password on your ATM card or credit card. Memories your PIN or password.
    • Never use an ATM/CDM with a blank screen.
    • Do not force your card into the card slot.
    • Stand close to the ATM/CDM and use your body and hand as a shield to make sure nobody sees you keying in your PIN.
    • Keep your hand over the card slot to make sure nobody can swap or take your card.
    • Follow the instructions on the ATM/CDM screen carefully.
    • Do not insert your card until asked to do so by the display screen.
    • Only put in your PIN when the ATM/CDM tells you to do so.
    • Avoid drawing cash late at night or when you are alone.
    • Leave the ATM/CDM immediately if you don't feel safe or you are suspicious of individuals loitering around. Come back later or use another ATM/CDM.
    • Never hurry when using an ATM/CDM. Make sure you are not distracted, intimidated or rushed into your transaction.
    • Never accept help from strangers when using an ATM/CDM. Always be wary of strangers asking for help. While one distracts you the other steals your card and money.
    • Do not count your cash in front of the ATM/CDM.
    • Avoid using ATMs in secluded areas after dark.
    • If the ATM/CDM retains your card, cancel it immediately.
    • Always check that it is your card you get back from the ATM/CDM.
    • Be aware of the daily withdrawal limits on each of your cards and decrease them if necessary.
    • When using your cards at ATM/CDM be alert that there are no additional devices affixed on the card reader slot or keypad, and ensure that no one can see you punch the PIN number on the ATM/CDM keypad.
    • Report lost or stolen cheques, ATM/CDM cards, or Credit Cards as soon as you discover they are missing.

3D Secure (3DS) is a security protocol designed to reduce fraud and add an extra layer of authentication for online card transactions. Here are some essential security tips for using 3D Secure:

• • • Use Strong Authentication Methods: When setting up 3D Secure with Bank Dhofar, ensure that you use strong passwords or passphrases. Enable two-factor authentication (2FA) whenever possible, using SMS codes, biometrics (fingerprint or facial recognition), or a secure app.
    • Protect Personal Information: Never share your 3D Secure password or one-time passwords (OTPs) with anyone. Be cautious when receiving unsolicited calls, emails, or SMS messages asking for sensitive information. Use unique passwords for your banking apps or online transactions that are not easily guessable.
    • Monitor Account Activity: Regularly check your transaction history and bank statements for any suspicious or unauthorized activities. Set up real-time alerts for transactions to quickly detect any unauthorized charges.
    • Update Contact Information: Ensure that your mobile number and email address are up-to-date with your bank so that you can receive OTPs and alerts. If you lose your phone or change your contact details, inform the bank immediately.
    • Beware of Phishing Attacks: Be wary of fake websites, emails, or text messages pretending to be from your bank. Only enter your 3D Secure credentials on secure, verified payment portals, and always check the website URL for legitimacy. Avoid clicking on links in emails or SMS messages that ask for your payment details or personal information.
    • Use Secure Devices: Always use trusted devices for online payments. Avoid making transactions on public or shared computers. Ensure your device has up-to-date security software to protect against malware, spyware, and other cyber threats. Avoid using public Wi-Fi for sensitive transactions, as these networks are less secure and may be targeted by hackers.
    • Recognize Legitimate 3D Secure Prompts: Familiarize yourself with Bank Dhofar’s 3D Secure process so that you can identify legitimate prompts during transactions. If you notice something unusual, such as a fake-looking OTP page or suspicious delays, cancel the transaction and report it to the bank.
    • Secure Mobile Banking Apps: Lock your phone with a PIN, fingerprint, or facial recognition to protect mobile banking apps. Keep your banking app updated to ensure you have the latest security features. Use app-based OTP generators (instead of SMS OTPs) when available for enhanced security.

• • • Install Comprehensive Security Software: Use reputable antivirus or antimalware solutions that offer real-time protection and regularly scan your system for threats.
    • Update Everything: Keep your operating system, applications, and security software updated to patch vulnerabilities that malware might exploit.
    • Be Cautious with Emails and Attachments: Do not open attachments or click links from unknown or unexpected emails. Phishing schemes are a common way malware spread.
    • Use a firewall: Block unauthorized access to your computer. It helps filter incoming and outgoing traffic to prevent malware attacks.
    • Backup Your Data Regularly: Save your data case of ransomware or a destructive malware attack. Use both cloud-based and offline backups.
    • Use Strong Passwords and MFA: Secure your accounts with strong, unique passwords, and enable multi-factor authentication where possible to reduce the risk of credential-stealing malware.
    • Awareness and Training: Regularly awareness about phishing, malware, and safe internet practices.

• • • Avoid Easily Guessable Numbers: Do not use sequences like "1234," "0000," or your birth year. Aim for a random sequence.
    • Use Different PINs for Different Accounts: Especially between your bank and other accounts.
    • Never Share Your PIN: Even service providers will never need your PIN to assist you.
    • Cover the Keypad: When entering your PIN at ATMs or on point-of-sale terminals, cover the keypad to prevent others from seeing your input.
    • Memorize your PINs: instead of writing them down. If you must record them, store them in a secure, encrypted place.

• • • Never Share Your OTP: OTPs are meant to be used only once and only by you. Sharing your OTP with anyone else defeats the purpose of this security layer.
    • Beware of Scammers: Scammers often try to get OTPs by pretending to be from legitimate organizations. Legitimate companies or banks will never ask for your OTP.
    • Use the OTP Promptly: Use the OTP as soon as you receive it and ensure that it matches the correct request before submitting it.
    • Alert for Unsolicited OTPs: If you receive an OTP but haven’t initiated a login or transaction, it could mean someone is trying to access your account. In such cases, immediately change your password and alert the service provider.
    • Use Secure Methods for OTPs: Whenever possible, receive OTPs over secure methods like an authenticator app instead of SMS, which can be more vulnerable to interception.