Types of cyberattacks

Not everyone is who they say they are. If you detect something strange, be suspicious

Avoiding becoming a victim of digital fraud is simpler than you might think. Learn how to identify these attacks and protect yourself effectively.

Never share sensitive information such as passwords or your card PINs or access codes, either by email, by messaging applications, or by telephone.
Be wary of requests for personal information by phone, email or suspicious links.
Remember: MoraBanc will never ask you for confidential data such as your PIN or passwords through any communication channel.
To access MoraBanc, preferably use the App, and if you do so via the web, make sure it’s the official page www.morabanc.ad, especially if accessing through Google or Bing.

Discover the most common types of cyberattacks

Phishing

One of the most common attacks. You receive an email that pretends to be a company or authority that asks you to give them personal, professional or financial information, usually to solve a problem that may affect you urgently. The people who do this use the company's image and the message can often send you to a fake website.

Some tips:

Check the sender and be wary of emails that ask for passwords or banking details.
Avoid clicking on links, replying, or downloading attachments if you haven't requested them.

Learn more about how phishing works

Phishing is a digital scam that aims to trick you into sharing private information, such as passwords, identity data or bank details. Here is a simple and detailed explanation with visual examples:

You are sent a suspicious email
Cybercriminals send you an email that looks real. It could appear to come from your bank, an online store, or a government agency.
- How they trick you: The email may say there is an urgent problem, such as:
  - "Your account has been blocked. Click here to fix it."
  - "We've detected a strange charge on your card. Check it now."
- How can you confirm your suspicions?
  - The sender has a strange address: ex. "support@bankxxz-alert.com".
  - There are grammatical or spelling errors.
  - The email is not well written.
  - They make you feel pressured to act quickly.
They take you to a fake web page
The email includes a link that takes you to a page that appears legitimate. The page might copy the design of your bank or a well-known company.
- How can you tell if a website is fake?
  - The website address is not the official one. For example:
    - "https://moraxxxxxxbank.com" instead of "https://www.morabanc.ad".
  - The website does not have a padlock (🔒) next to the address.
  - The page may have visual or text errors.
You are tricked into entering your details
Once on the fake page, they ask you for personal or financial information, such as:
- Your bank's username and password.
- Credit card number or PIN code.
- Verification code (OTP) that you receive on your mobile phone.
What happens next?
- Your data is stored in a system by cybercriminals, who can:
  - Access your bank accounts and steal your money.
  - Use your information to impersonate you.

Example of a complete phishing scenario:

You receive an email that says: "Your card will be blocked if you do not confirm the details within the next 24 hours."
You click on the link, which takes you to a page that looks like your bank's.
You enter your username, your password and your PIN code.
Cybercriminals use this data to access your bank account.

How to avoid falling into the trap:

Never click on suspicious links: If you are unsure, go directly to the official website by typing the address into your web browser.
Always verify the website address: It must start with "https://" and have a padlock next to it (🔒).
Be wary of emergency messages: Trustworthy companies will not ask you for personal information by email.
Never share sensitive data: Your bank will never ask you for your PIN or access credentials.

If you believe you have shared information on a fake website, contact Telebanc immediately at +376 884 884 to block access to the account.

Through BIZUM

The Bizum feature of the MoraBanc app is widely used and practical, but some cybercriminals take advantage of it to make fraud attempts by sending messages requesting money, which some customers may end up accepting without realising it.

Some tips:

Verify the profile of the user you are interacting with, especially if they are requesting payment.
When using Bizum, make sure to review the data for all transactions before validating them.
Pay attention to all the messages you receive from MoraBanc and be suspicious if you do not recognise any of the transactions.

Learn more about how the Bizum attack works

Smishing

Cybercriminals send us a text message (SMS) to obtain our data. They include a web link or a telephone number that can be called to verify, update or prevent us from being unsubscribed from a service.

Some tips:

Don't fall into the trap of urgency and don't click on links, attachments or images without verifying the sender.
Never give your PIN, bank password or other credentials by SMS.

Learn more about how a smishing attack works

Smishing is a form of phishing that uses text messages (SMS) to trick you into giving out personal, financial or other sensitive information. Here is a detailed explanation of the process with visual examples:

You receive a suspicious SMS
Cybercriminals send a text message that appears legitimate, often using the name of a well-known entity, such as your bank, a delivery company, or a government service.
- Examples of messages:
  - "Your bank account will be blocked. Click the link to verify the data at https://xxxxx.com."
  - "You have a package waiting to be picked up. Check here: [fake link]."
  - "We have detected suspicious activity. Contact us immediately at [fake phone number]."
- What should you look for to confirm your suspicions?
  - Unrecognised web links or phone numbers in the messages.
  - Spelling or formatting errors.
  - An urgent or threatening tone.
  - Not feeling identified with what the message is asking for. Ex.: Not being a customer of the supposed bank.
They direct you to a website or action over the phone
The message often includes a link that redirects you to a fake page that pretends to be the official website of the company or service mentioned. In other cases, it urges you to call a number where attackers will try to extract sensitive information from you.
- How can you tell if a website is fake?
  - Suspicious web address: The address does not match the official domain (ex.: "https://security-bank-xxxxx.com").
  - No security certificates: The page does not show a padlock (🔒) next to the URL.
  - Visual or spelling errors: It may have a rudimentary design.
They trick you into providing sensitive information
Once you access the fake website or call the number provided, cybercriminals try to obtain confidential information. They may ask you for:
- Your banking credentials (username and password).
- Your PIN code or OTP verification code (which you receive on your mobile).
- Other personal data, such as credit card number or ID card.
Consequences of a smishing attack
If attackers get your information, they can:
- Access your bank account and conduct fraudulent transactions.
- Use your data to impersonate your identity.
- Sell your information on the black market.

Example of a complete smishing scenario

You receive an SMS that says: "Suspicious activity in your account. Click here to verify: [fake link]".
You access the link and it directs you to a page that pretends to be your bank's website.
You enter your credentials, your PIN code and your OTP code.
Cybercriminals use this data to steal money from your account.

How can you avoid falling into the trap?

Don't click on suspicious SMS links: If you are unsure, go the official website by typing the address manually in the browser.
Always verify the sender: Legitimate messages come from official numbers.
Be wary of urgent or threatening messages: Serious companies do not use this form of communication.
Never give out sensitive information: such as PIN or OTP codes by SMS or over the phone.

If you suspect you have been the victim of a smishing cyberattack, contact Telebanc immediately at +376 884 884 to protect your account.

Vishing

Vishing is a telephone fraud where they call you to try to obtain personal information. Scammers may have basic information about the victim that they have collected on the Internet and that will help them create a prior bond with the victim to gain their trust.

Some tips:

If you receive calls that generate an emergency, be suspicious.
Never give sensitive data or information over the phone.
During the call you may be asked to download files or click on links. Don't do it.

Learn more about how a vishing attack works

Vishing is a phishing technique where cybercriminals call you by phone to trick you into giving them confidential information or money. Through a convincing pitch, they usually take advantage of pressure and urgency to get you to trust them. Here we explain the process with specific examples:

Cybercriminals' preparation
Attackers collect basic information about you before contacting you, often from public sources or social media. This information may include:
- Your full name.
- Details of your company or job title.
- Information about accounts or services to which you are subscribed.
Example: "Hello, I'm Anna from your bank's Customer Service. I've noticed unusual activity on your account."
You receive a suspicious call
The attacker contacts you using a false identity, often posing as:
- Your bank or financial institution.
- A technology services company (such as "technical support").
- A government authority.
Cybercriminals use technologies to spoof the phone number, making it appear that the call is coming from an official number.
They create an emergency situation
During the call, they create a fictitious situation that puts pressure on you to act quickly. This may include:
- Problems with your bank account: "We've detected suspicious charges on your account. We need your PIN to block them."
- Fake technical support: "There is a virus on your computer. We need to access it remotely to fix it."
- A fake investigation: "We are from the tax agency and we have found irregularities in your taxes. If you don't pay now, you will receive a penalty."
Attempt to obtain information or access
Through the conversation, they ask you for sensitive information or guide you to perform specific actions, such as:
- Provide the Digital Banking username and password, the credit card number, PIN or an OTP code for some supposed transaction.
- Download a program to give them remote access to your device.
- Make a bank transfer.
Specific example:
1. The attacker tells you that there is an unauthorised charge on your account and that they need your OTP code to block it.
2. You provide the code, thinking you are solving the problem.
3. The attacker uses this information to access your account and steal your money.
Example of a complete vishing scenario
1. You receive a call from a supposed employee of your bank.
2. They inform you that your account has been compromised and that they need your PIN and OTP code to "protect it".
3. You provide them with the information to make it seem like they are solving the problem.
4. Cybercriminals use this data to make fraudulent transfers.

How can you avoid becoming a victim of vishing?

Be suspicious of unexpected calls: Especially if they ask you for sensitive information or if they create an emergency situation.
Verify the caller's identity: Hang up and contact the entity directly through its official number.
Never share sensitive data over the phone: Your bank or official institutions will never ask you for PINs, passwords or OTP codes.
Don't install software or opening links suggested by unverified calls.
Keep calm: Pressure tactics are a key tool of cybercriminals.

If you suspect you have been the victim of vishing, contact Telebanc immediately on +376 884 884 to take security measures and protect your account.

In online shopping

Most websites have reliable platforms so that we can make purchases, but sometimes we can come across websites that make us fraudulent offers and take advantage of the sales process to keep your payment details and access your money.

Some tips:

Be suspicious of offers that are too good to be true and always check that the online store has "https" and a digital certificate.
Research the store's reputation: look for reviews and make sure the page design is consistent.
Use secure payment gateways like RedSys or services like PayPal to protect your data.

Learn more about how the online shopping attack works

Online shopping attacks take advantage of fake websites, offers that are too good to be true, or unsafe payment processes to trick you and steal your data or money. Here is a detailed explanation of how these scams work and how you can identify them:

Fraudulent websites
Cybercriminals create websites that mimic legitimate online stores. These pages can have a design very similar to that of real companies or even use well-known names and logos.
- What do these websites do?
  - They collect your personal and payment data (credit card and digital banks).
  - They charge for non-existent products or services that never arrive.
  - They jeopardise the security of your device with malware.
Offers too good to be true
Attackers often use irresistible offers to lure you in, such as deep discounts on popular or exclusive products.

Specific example:
- A page offers a high-end mobile phone for just 20% of its regular price.
- When you try to buy it, you enter your payment details, but you never receive the product.
Unsecured payment processes
Some fraudulent e-stores do not use secure payment platforms and may ask you to:
- Enter your card details directly. Normally you will always be redirected to secure payment gateways.
- Make untraceable bank transfers.
- You pay through unreliable methods such as unfamiliar digital wallets.
Data collection through phishing
Some cybercriminals send you emails or messages with offers that include links to fake pages. When you click on it, you are sent to a fake store.

Example of phishing related to online shopping:
- "50% off your favourite brands! Offer valid today only. Click here!"

How can you avoid being a victim of an online shopping attack?

Verify the web address: It must start with "https" and display a padlock (🔒).
Check the digital certificate: Click the lock to check if the certificate is valid and matches the store.
Search for reviews and opinions: Research the reputation of the online store on trusted websites.
Be wary of offers that are too good to be true: If an offer seems unrealistic, it's probably a scam.
Don't enter personal data on suspicious websites: Don't make payments without verifying the security of the site.
Use secure payment methods: Use virtual cards or payment gateways like PayPal that offer fraud protection.

Example of a complete online shopping attack scenario

You receive an advert with an attractive offer for a luxury watch at a greatly reduced price.
You go to the website, which looks professional, but does not include clear details about the company.
You complete the purchase with your credit card.
You never receive the product and, shortly after, you detect unauthorised charges on your account.

If you suspect you have been the victim of vishing, contact Telebanc immediately on +376 884 884 to take security measures and protect your account.

CEO Fraud

Most people react quickly when they receive an email from a senior manager or person in charge of their company. Attackers take advantage of this to send fake emails or make calls that may request sensitive data or request money transfers to the cybercriminal's accounts.

Some tips

Be suspicious of these types of requests, especially if they are unusual.
Carefully examine the sender of the message and grammatical errors.
If in doubt, check with the sender using another communication channel.

Learn more about how the CEO fraud attack works

CEO fraud is an impersonation technique in which cybercriminals pose as a senior manager or executive of a company to manipulate employees and obtain sensitive information or money. They use pressure tactics and deception to make the attack seem like a legitimate and urgent order. Here is a detailed explanation:

Cybercriminals' preparation
Attackers investigate the company and its employees using:
- Professional social networks like LinkedIn to identify positions and hierarchies.
- Public information about the company, such as corporate emails, names of managers or ongoing projects.
Example:
- They discover that the company's CEO is travelling and take advantage of this situation to justify their "urgent communication".
Creating a fake email or call
Once they have enough information, the attackers send an email or make a call, impersonating the CEO or another senior executive. They use techniques such as spoofing to falsify the email address or phone number, making it appear legitimate.

How can you detect fake emails or calls?
- Subtle errors in the email, such as "ceo@company-mgt.com" instead of "ceo@company.com".
- A very formal tone or, conversely, an excessively colloquial one that does not match the manager's usual style.
- Calls from unknown numbers but that present themselves with authority.
They create an emergency situation
Attackers try to pressure the employee into making quick decisions without verifying the information. Messages often include commands like:
- Make an urgent bank transfer to a foreign account.
- Provide confidential information or access credentials.
- Process a fake payment related to a supposed contract or a supposed invoice.
Common examples:
- "I need you to transfer €50,000 to the following account before closing today."
- "I've attached the urgent invoice. Process it immediately."
- "I'm in a meeting, I can't talk. Send me the system access data."
The employee complies with the order
If the employee does not verify the request, they might do the requested action without realising that it is a fraud. This can result in:
- Money transfers to cybercriminals' accounts.
- Exposure of sensitive data that can be used in other attacks.
- Loss of trust within the company and damage to its reputation.

How can you avoid becoming a victim of CEO fraud?

Always verify suspicious requests:
- Contact the sender directly through a different communication channel (for example, a phone call).
Examine the email carefully:
- Check the sender's address and look for grammatical errors or strange details.
Be wary of urgency or pressure:
- Legitimate managers usually give reasonable time for important actions.
Implement internal controls:
- Establish procedures to verify transfers or access to sensitive data.
Train employees:
- Provide regular training on cybersecurity and how to identify these types of fraud.

Example of a complete CEO fraud scenario

An employee receives an email from the supposed CEO while he/she is travelling.
The email indicates that an urgent transfer is needed to close an important contract.
Pressed by the tone of urgency, the employee processes the transfer without verifying it.
Later, the employee discovers that the recipient account belongs to cybercriminals.

And remember:

MoraBanc will never ask you for confidential information by email or via SMS.
Always monitor the personal information you post online. You don't know who might see it or for what purpose.
Always be wary of transactions that you are not used to doing and that come to you with a sense of urgency.
If in doubt, do nothing and confirm the information with MoraBanc using any of the official communication channels.

Manage your day-to-day

Get more

Enjoy today

Live worry-free

We're here to help you

Current Affairs

Solutions for your everyday life

Fuel your growth

International solutions

We're here to help you

Current Affairs

Our model

Get to know the country

Our exclusive investments

Our solutions

Manage your day to day

Current Affairs

Not everyone is who they say they are. If you detect something strange, be suspicious

Discover the most common types of cyberattacks

Phishing

Through BIZUM

Smishing

Vishing

In online shopping

CEO Fraud

And remember:

Download our app