Payment fraud: the importance of two-factor authentication

Scammers are increasingly trying to hack accounts on social networks and messengers to steal personal data or manipulate friends and acquaintances of victims. They send strange messages to friends on behalf of the page owner, and also ask for a loan from contacts.

It happens that scammers take photos of loved ones and write that one of them got into a traffic accident and urgently needs money. To make it look believable, they may add fake medical documents with stamps.

These actions can have serious consequences, including financial losses and privacy violations.

Modern fraud technologies

With the development of technology, including artificial intelligence, scammers have become even more inventive. They can fake your photos, videos, and even your voice, which makes their schemes more believable. Your friends can really believe that they are helping you, for example, by receiving voice messages cloned using AI tools. To create such messages, scammers use audio and video recordings that the user has previously shared in chats.

How to protect your accounts from hacking?

One of the most effective security measures is two-factor authentication. It is a security feature that helps to further protect your account (for example, on the social network «Facebook», in the «Telegram» messenger, in the«Internet banking application, etc.). When setting up this function to log in to your account, in addition to your username and password, you need to specify an electronic key or confirmation code that should be sent to your smartphone, email, or the appropriate application.

This is an additional layer of protection for your accounts, because even if someone finds out your password, they will not be able to log in without an additional confirmation code.

You only need to enter the confirmation code when logging in to your page from a new device or an unknown browser. If you are logging in from a trusted device, two-step verification will not be necessary. In the security settings menu, you can manage trusted devices by adding or removing them.

There are several ways to set it up — it is important to choose the most reliable one.

Ways to set up two-factor authentication

The first way to receive a confirmation code — via SMS or instant messaging. This method is less secure, as attackers can intercept such messages. There is also the option to set up receiving the code by email, but this method can also be risky.

The second way (more secure) — is to use special applications such as «Google Authenticator», «Microsoft Authenticator» or «Authy». These applications generate one-time codes that change every 30 seconds, ensuring a high level of security. One-time codes cannot be easily intercepted, unlike SMS.

Action in case of suspected fraud

If you suspect that attackers may have accessed your account, check your active sessions in your settings. Log out of any sessions that don't belong to you. Or check your device list in your settings. If you find an unknown device, remove it, and also change your password and set up two-factor authentication if this feature is not installed.

To protect yourself from fraud on social networks and instant messengers:

• protect your accounts by taking care of:

1) strong password — use complex and different passwords for each account, avoid simple combinations;

2) two-factor authentication — set up this feature wherever it is possible;

• If you received a message with urgent request from a friend, for example, to borrow money, sign a petition, or vote in a competition, first check if this is really your friend. Contact him by phone or another messenger or ask something that only you two know. This will help you quickly expose the scammer. And don't even trust voice messages—it's better to check the facts!

Read more information on the website#CybersecurityFinance of the National Bank of Ukraine and the State Special Communications

This publication was prepared by the National Bank of Ukraine. Its distribution was carried out with the support of the USAID «Investments for Business Sustainability» Project. The views presented in this publication do not necessarily reflect the views of USAID or the U.S. Government.

The publication was prepared within the framework of the all-Ukrainian information and educational campaign #CybersecurityFinance. The goal of the campaign is to disseminate knowledge about payment security rules and form financial services consumers with the skills to protect financial data in virtual space.