security in your finances

  • discover how to protect your personal and financial data
  • learn how to protect yourself from online threats
  • watch for telltale signs
  • be careful
Internet scams, fraud and hacking have been on the rise recently, so it’s important to be vigilant when banking online. At K&H Group, we do our best to protect you from online fraud and help you find your way in the digital space.

what to do if you fall victim to fraud?

1. report any incident straight away

if you suspect that someone has gained access to

  • your personal or bank account details,
  • your internet or mobile banking account,
  • your bank card or CVC codes,

take immediate action!

  • report the incident promptly to the Bank at K&H TeleCenter (+36 1/20/30/70 335 3355), which you can do round-the-clock
  • report the case to the local police station
  • don’t hesitate even if you are not absolutely sure about a fraud having taken place.
2. block the bank card and/or the bank account

if you notice that a transaction you don’t recognise has been initiated from your bank account, or that unauthorised persons have accessed your bank card or bank account details, promptly report the case to TeleCenter so that they can block your bank cards, as well as access to your bank account (including access via your phone number), in order to minimise losses and prevent further fraud. At the same time, you can apply for a replacement card.

If you wish to block your bank card for any other reason, you have the following options:

  • notify the bank of your request to block your card via K&H TeleCenter (+36 1/20/30/70 335 3355)
  • log in to K&H e-bank, where you will find the option to block your card under cards/accounts
  • under Products/Cards in K&H mobile bank, select the card you wish to block, then select Block Card under Card Safety
  • in person in any of our branches
3. run checks

use lawful software on all your devices

  • check that you do not have any remote access programs on your computer or phone that allow fraudsters to gain access. If you find any, uninstall them and change the passwords of all applications you have used from that device.
  • if you find an unknown piece of software on your device, immediately delete it and change all the passwords you have used on that device, such as the passwords of e-mail and social media accounts.
4. reactivate your accounts and cards

please visit your nearest branch and reactivate your accounts and cards with the help of our advisors.

5. monitor bank transactions

  • regularly monitor transactions and money movements on your bank account to detect suspicious activity.
  • do not allow unauthorised transactions to go unnoticed; report them to the Bank promptly.

what is phishing?

phishing is a subset of fraud, one of the biggest online threats today, and one that almost everyone is exposed to. As its name suggests, phishing is an attack aimed at obtaining your data. Quite a few attacks can be prevented by technical means; however, without your involvement, technical means are worth very little. We, at K&H, do our best to protect your money and your data, but one of the key components of that protection is YOU.

why would it be good for the attacker to get my data?

  • they can easily get your money, take out a loan or make a purchase on your behalf using your bank card, bank account or authorisation details. With your passwords, they can access your mail, your social media profiles and the applications you use, or even create a fake online persona, post in your name, and, in the worst case, sell your data on the dark web... and that’s just the tip of the iceberg.

why is phishing so widespread?

  • data phishing does not require deep technical knowledge.

how does phishing work?

  • when phishing, hackers use psychological manipulation to get your data. You may receive a tempting, attention-grabbing offer or one that promises high profits, or, to the contrary, an intimidating or threatening message, aimed at getting as much of your data as possible.

via what channels can they contact me?

  • you may receive phishing messages through virtually any online channel or by phone. In Hungary, phishing e-mails are the most common form; however, phone and SMS phishing attacks are also becoming more usual. There are also phishing attempts via chat applications or even social media sites. Any channel where the attacker does not need to be present in person is suitable for phishing.

phishing by phone

one of the most common phishing techniques is for unauthorised persons to try and obtain the bank card details and certain identification data of customers from a phone number that appears to be real, often pretending to be representatives of another bank. It can also happen that they call ‘on behalf’ of another bank and then, once they identify the person as a K&H customer, they ‘transfer’ the call to a K&H ‘staff member’ or immediately redial the customer again, posing as a staff member of K&H.

phone spoofing

caller ID spoofing is a special technique that allows fraudsters to modify the caller ID that is displayed on the phone’s screen (for example, to a K&H phone number), hiding the identity of the real caller. In other words, when you receive such a call, the display will not show the real caller’s phone number, but another number that often looks familiar, such as the bank’s phone number. This increases the credibility of the fraudsters and helps them deceive victims. A familiar phone number may appear less suspicious, making it more likely that they can trick victims into providing the information they want.

how to protect yourself from phone fraudsters

  • pick up unexpected phone calls with caution and suspicion
  • urgency is unusual and suspicious: think carefully about what the callers are asking from you
  • never share your personal or financial information, the bank will not ask for such information over the phone
  • do not believe that the phone number displayed is the Bank’s real customer service number, look up the real phone number on the Bank’s official website
  • don’t trust everyone: fraudsters can easily get your basic information from social media profiles - don’t believe the caller just because they know some of your personal details
  • never install a software that someone asks you to install over the phone, this is often how scammers take control of your device
  • do not transfer money when requested by phone, the bank will never request a financial transaction over the phone
  • if you become suspicious during a phone call, end the call immediately, call K&H TeleCenter using one of the central contact numbers, and report your suspicion
  • just as a bank administrator verifies your identity, you can also ask the caller to prove that he or she is a K&H Bank employee

phishing by e-mail

Phishing e-mails typically take the form of letters written in incorrect Hungarian, with typing and spelling mistakes, which

  • make an offer that’s impossible to refuse (e.g. a top category smartphone for free),
  • are attention-grabbing (e.g. you inherited USD 5 million)
  • sometimes threaten you with some negative consequences or sanctions (e.g. if you do not log in, your account will be blocked)

The text of the link in the letter is not related to the content of the letter (e.g. the link in the letter sent on behalf of K&H does not point to kh.hu, but to a completely different page).

what to do in order to avoid becoming a victim of phishing

  • handle unsolicited e-mails with care and caution
  • the more urgent the tone of the letter, the more suspicious it should be
  • be especially careful if a ‘banking’ e-mail asks for confidential information, such as your online banking password, as real banks never ask for such information by e-mail
  • do not click on links in the e-mail or open attachments
  • always check the link! The easiest way to do this is to hover your mouse cursor over the link. DO NOT click on it, just look at the link in the window or in the bottom left corner of your browser.
  • look out for oddities, spelling mistakes, an urgent tone or unusual formatting, as such errors can be telltale signs of fake e-mails
  • look for differences between the real and fake e-mail addresses, look carefully at the e-mail address because even a small difference can indicate fraud
  • phishing e-mails are harder to spot on mobile devices, so simply do not reply to suspicious e-mails
  • if you receive a phishing letter written on behalf of K&H, please forward it as explained in the section ‘what to do if you suspect a phishing attempt’, otherwise delete it promptly

phishing through text (SMS) messages

Scammers' text messages can be seen through by their very nature: they typically contain a short, attention-grabbing narrative message and a link (e.g. your package no. 111111111 has been sent). Text messages, like telephone calls, can also come from a phone number that appears to be real. In any case, be suspicious if you receive a text message with content you were not expecting (e.g. if you have not ordered anything and you are still informed about the arrival of a package). To check the link, hold your finger on the link for some time, and you will see the address to which the message actually points. If the text of the link is not related to the content of the message (e.g. the text message is sent on behalf of K&H, and the link does not point to kh.hu but to a completely different page), you are almost certainly the target of a phishing attack.

how to protect yourself from fake bank text (SMS) messages

  • do not click on unknown SMS links, attachments or images without verifying the identity of the sender
  • always look up the number online or check the bank’s website to see if the number matches
  • do not let urgent messages influence your decisions
  • never reply to SMS messages asking for your PIN code, online banking password or other security IDs
  • delete the text message, and if the attack is performed under the name of K&H, please notify us

information to keep in mind at all times

  • K&H Bank will never ask its customers to log in to K&H e-bank by clicking on a link from an e-mail or text (SMS) message.
  • We will never ask for confidential information (e.g. customer ID, ePIN, mPIN, password, 3DSecure text (SMS) message confirmation code) or phone number via e-mail or text message.
  • The address of the official K&H Group website always starts exactly as follows: https://www.kh.hu
  • To ascertain that the e-banking site is genuine, check the padlock at the beginning of the address bar and check that the site address starts with https://www.kh.hu/ebank or, if you are logging in using a mobile token or text (SMS) message, https://ebank.sso.kh.hu/
  • K&H Bank will never, in any form, request remote access to your devices or ask you to install any applications. Please note that if you allow anyone remote access to your computer or mobile device (e.g. by installing the AnyDesk application), they may have access to the confidential data you store on the device (about yourself or your business) and see everything you do, including your activities on the electronic banking platform.
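The two checks the sections above ask of readers (is the address really the bank's, and does a link's visible text match where it actually points) are easy to get wrong by eye. As an added example, not code from the bank's page, this Python snippet does both the way a browser does: it parses the URL and compares the host exactly, so addresses that merely start with the genuine text (a longer lookalike domain, or the genuine address placed before an @ sign) are rejected. The legitimate hosts are the two named in the text above; the sample e-mail HTML and the example.net domain are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two genuine addresses named on this page; nothing else is trusted.
LEGITIMATE_HOSTS = {"www.kh.hu", "ebank.sso.kh.hu"}

# A visible link text only counts as "naming a host" if it looks like a
# domain (letters, digits, hyphens, at least one dot), not ordinary words.
_DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def is_legitimate_bank_url(url: str) -> bool:
    """True only for an https URL whose parsed host is exactly a known host.

    Comparing the parsed host (not a string prefix) rejects lookalikes such as
    'https://www.kh.hu.example.net/' and 'https://www.kh.hu@evil.example/',
    both of which *start with* the genuine address.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in LEGITIMATE_HOSTS


def host_of(text: str) -> str:
    """Host named by a URL or bare domain; '' if the text is not one."""
    candidate = text.strip() if "://" in text else "https://" + text.strip()
    try:
        host = (urlsplit(candidate).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""
    return host if _DOMAIN_RE.fullmatch(host) else ""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """(visible text, real target) pairs where the shown host and the actual
    destination host differ, the mismatch the page says to look for when
    hovering over (or long-pressing) a link."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown, target = host_of(text), host_of(href)
        if shown and target and shown != target:
            flagged.append((text, href))
    return flagged


# Constructed sample of a phishing e-mail body: the first link shows the
# bank's address but points elsewhere; the second is consistent; the third
# has no domain in its text, so there is nothing to compare.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, log in now or your account will be blocked:</p>
<a href="https://kh-hu-login.example.net/ebank">https://www.kh.hu/ebank</a>
<a href="https://www.kh.hu/">www.kh.hu</a>
<a href="https://kh-hu-login.example.net/x">Click here</a>
"""

if __name__ == "__main__":
    for url in ("https://www.kh.hu/ebank", "https://www.kh.hu.example.net/",
                "https://www.kh.hu@evil.example/", "http://www.kh.hu/"):
        print(url, "->", "genuine" if is_legitimate_bank_url(url) else "NOT genuine")
    for text, href in suspicious_links(SAMPLE_EMAIL_HTML):
        print("link text says", text, "but points to", href)
```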

what to do if you suspect a phishing attempt

  • immediately contact our colleagues through K&H TeleCenter (+36 1/20/30/70 335 3355) in case you find any unusual or questionable setting in your e-bank, under “settings / device management”, or in connection with your registered device or transaction history
  • if you receive a message in your mailbox that instructs you to log into the K&H e-bank or mobile bank, contact our colleagues through the e-mail address informationsecurity@kh.hu so that we can investigate the issue. Please send us the suspicious message as an attachment. In one of the most popular e-mail clients, you can do this as follows: after opening the message, click the three vertically aligned dots on the right side, download the message, and then click the paper clip icon to attach the downloaded file (which has an .eml extension) to the message to be sent to us.

inheritance fraud

Inheritance fraud means that fraudsters offer a significant inherited amount, i.e. a major financial gain, to those who are receptive to it. In the typical scenario, a message is sent in the name of a foreign lawyer or authority, in which a very high inherited amount is promised in exchange for participating. Citing various costs, the fraudsters request the transfer of a low advance payment.

how to protect yourself from such scams

  • never disclose confidential information or banking, identification or authentication data in response to a request received in e-mail or otherwise
  • do not initiate payment based on an e-mailed request 
  • if you receive unsolicited e-mail (spam), pay attention to its language, e.g. sloppy formulation or grammatical or stylistic errors, even if they seem to corroborate the story because a message written in broken Hungarian may be perceived as a foreigner’s attempt at communicating in Hungarian. If you receive such a mail, be suspicious and careful!
  • be suspicious if strangers offer you wealth that is easy to gain
  • do not be gullible - if a story sounds too good to be true, it is probably a scam

“Nigerian-type” fraud

our universal advisors often report a type of fraud that is difficult to prevent because our client intentionally wants to transfer money to the fraudster. In the latest case, our client was contacted by a lady (?) who claimed to be a Hungarian living in Africa. Her family name was the same as our client’s, and the fraudster claimed to be a distant relative. Over several weeks of daily online conversation involving photos generated with artificial intelligence, our client grew to trust the “lady” she had only heard from in messages. So when the fraudster mentioned that her small child was seriously ill and needed an expensive operation that was performed in Western Europe only, our client wanted to transfer a large amount in order to help.

Fortunately, this story ended well because our universal advisor managed to convince our client that this was a fraudulent attempt at obtaining her savings. As the police confirmed this conclusion, our client suffered no damage.

The “Nigerian-type” or “419” fraud is a specific method employed in social media or on online dating portals, when the victims willingly transfer money to the fraudsters. The perpetrator builds up a romantic relationship with the victim, and then comes up with a touching story to ask for money. The deceptive story is supported with a fake social media profile that nevertheless looks authentic.

How to protect yourself from such fraud?

  • never disclose confidential information or banking, identification or authentication data in response to a request received in e-mail or otherwise
  • do not initiate payment based on an e-mailed request
  • if you receive unsolicited e-mail (spam), pay attention to its language such as sloppy formulation or grammatical or stylistic errors, even if such errors seem to corroborate the story because a message written in broken Hungarian may be perceived as a foreigner’s attempt at communicating in Hungarian. If you receive such a mail, be suspicious and careful!
  • do not believe romantic stories sent to you by e-mail
  • do not be gullible – if a story sounds too good to be true, it is probably a scam

phone callback fraud (wangiri)

A client of ours received an unusually high phone bill from his service provider. Upon checking his call list, he found a long call to a foreign (African) number. He remembered a missed call from a number abroad. Unsuspectingly, he had called the number back. The phone on the other side rang for a long time but was not picked up; then the connection was broken. The phone company told our client that he had fallen victim to call-back fraud. The phone connection had actually been made; the ringing sounds had been recorded and played back by the fraudsters.

Call-back fraud is rather frequent. The perpetrators make many phone calls from unknown numbers, often from abroad, in order to gain money from their victims. The calls are short and immediately interrupted because the fraudsters want to be called back, so that they can gain income from the high (often premium) rates of international calls. The fraud attempt is successful even if the phone is not picked up despite a long series of rings, if the call is interrupted, or if the line is busy.

how to protect yourself from callback fraud

  • be careful with unexpected calls, especially if the number is unknown or the call is made from abroad
  • do not pick up calls from unknown foreign numbers: these can be risky, especially if they are made from a country where you have no acquaintance or you do not expect calls from
  • if the caller’s number is hidden, you do not have to answer the call
  • if you receive a suspicious call, check the phone number on the internet; a fraud attempt is likely if others have reported suspicious activities for the phone number
  • you can block foreign calls with unknown international codes, either individually or collectively
  • such calls can be blocked individually under your phone’s call settings; if you want to block them collectively, contact the client service of your provider

false investment opportunities

Investment fraud is very common. The fraudsters advertise a seemingly attractive opportunity to invest in shares, bonds or cryptocurrencies, often using images of and recommendations by celebrities such as models or athletes. The perpetrators attempt to gain their victims’ money through the promise of getting rich fast.

how to recognise a false investment opportunity

  • always be suspicious if an offer sounds too good to be true, or if you receive unsolicited mail about an investment opportunity
  • be cautious about investments that are claimed to return fast, or if the opportunity will supposedly expire in a short time
  • always seek an independent financial consultant’s advice before paying out or investing money; in that way, you can make safer investment decisions
  • be suspicious of popup windows claiming that you have unexpectedly won something, as such messages are often malicious
  • if you fall victim to investment fraud, the fraudsters may contact you again, or may sell your data to other criminals

false online offers

Consumers and businesses buy and sell more and more goods on the internet. Online offers are often favourable indeed, but beware of fraudsters!

how to avoid fraud

  • before buying, search for information on the seller, and read product reviews
  • use secure payment methods only; be suspicious if you are asked to use a service for sending money
  • use a virtual card dedicated to online purchases, and top up its balance with the required amount on a one-off basis. That way, you cannot lose more than the balance of this secondary card in the worst-case scenario
  • do not allow any application other than your bank’s or card company’s app to save your card data
  • in each case, assess the risks of payment in advance, as well as the cost of payment on delivery. It is advisable to choose the latter option, especially in case of high-value purchases
  • do not use a free or public wi-fi network when making a payment
  • be wary of unrealistically favourable offers, as well as products that offer miraculous effects
  • a popup window that notifies you of an unexpected prize is very likely a malicious program
  • set a daily limit, a transaction limit, as well as an online purchase limit for your account and card

ripping off sellers on online marketplaces

In one of the most frequent schemes, a buyer calls the seller to claim that he has paid for the product, and asks the seller to install a program on his computer or phone in order to “ensure that the payment is received”. The software usually grants remote access to the device. The unsuspecting seller may disclose to the fraudsters the code received in a text message; as a result, the criminals lock him out of his own banking profile, and empty his bank account.

In another type of online marketplace fraud, the seller is informed in a text message that the product has been paid for but he must “accept the amount” by opening a link in the message. Alternatively, the “buyer” recommends a courier service by abusing the name of a well-known and legitimate delivery service (e.g. Foxpost, DHL, DPD, MPL), and sends a text message or e-mail containing a phishing link referring to that provider. The link leads to a false website compiled by the fraudsters, where the seller is requested to enter his bank card data. Then the criminals can abuse the card, e.g. by making purchases. In other cases, the seller is invited to select his account managing bank and then enter his sensitive login data. This false website forwards the data to seller’s bank, and the careless client (seller) gets a legitimate one-time login code (e.g. in a text message) which he also enters on the false site. In that way, the fraudsters gain control of the client’s bank profile, and can immediately steal (transfer) the account balance.

how to avoid this scam

  • never transfer money if you are the seller
  • be aware that you, as the seller, should only receive but not send money
  • you do not need any software program to receive money on your bank account, and you do not need to log into your netbank or mobile bank. It is enough to send your name and bank account number; never disclose any further bank or user account data, or any password, in response to a request received by phone, e-mail or text message
  • never click or tap on a hyperlink received in an e-mail or text message, and do not open any attachment; for logging in, type the website address manually
  • never download unknown software or applications to your computer or mobile phone
  • notify your bank immediately if you have fallen victim to fraud, and report the case to the police

abuse of a non-banking service provider’s name

In these scams, the criminals send a text or e-mail message in the name of a non-banking service provider, asking you to confirm your data, pay an overdue amount, receive a parcel or a transferred sum, or suspend the service. Under that pretext, they request bank account or card data, personal data, or a money transfer. These messages often include links that seem to lead to the legitimate provider’s website but actually take you to a malicious site, or install malicious software on your device.

how to avoid such scams

  • be careful with unsolicited messages (spam)
  • be especially wary if sensitive information is requested, such as personal or banking data or IDs, or if you are instructed to pay immediately
  • do not transfer money based on a service provider’s message
  • do not install software by opening a link received in a message, or based on instructions in a message
  • download only authentic software from your service provider’s official website, or from official application stores (google play, app store)

fraudulent administrative procedures with service providers in social media (angler phishing)

Cybercriminals know that service providers increasingly use social media to keep in touch with their clients, even for the purposes of complaint handling or problem solving.

The perpetrators monitor complaints made to service providers in social media, and then pose as a representative of a company by copying a real representative’s profile or creating a similar one. They contact complaining customers and ask for sensitive information such as personal, banking or login data, ostensibly in order to resolve the issue. With that sensitive information, they can access the client’s bank account or various online accounts.

how to avoid this scam

  • check the name of the social media profile (e.g. by visiting the service provider’s known site), and check for any spelling differences in the profile name
  • do not open a contact link received in a social media message
  • report suspected fraudulent profiles to the social media platform operators, and block those profiles
  • always check the sender of the message
  • do not disclose your personal data to anyone in social media
  • do not disclose your user name, password or other identification or authentication data to anyone, under any circumstances; service providers never ask for that information  

theft of personal data in social media

Fraudsters employ various methods to make you disclose your personal data; for example, they may offer you a job. Then they use the data for unauthorised purchases, or they open a bank account, buy a telephone subscription, borrow money, execute illegal business transactions, or sell your data to other fraudsters.

how to avoid this fraud:

  • regularly review the data protection and security settings of your social media accounts
  • consider how much information and what photos you share in social media; these can be used by criminals to create false identities, or to defraud you
  • report suspected fraudulent profiles to the social media platform operators, and block those profiles
  • recognise unusual or suspicious messages or posts from acquaintances, and report these to the social media operators
  • regularly check your bank account statements; if you see a debit for something that you have not ordered, contact your bank and your card company
  • set a daily limit, a transaction limit, as well as an online purchase limit for your account and card

keep away hackers from your computer with these important security measures

  • install software updates as soon as they are available or set up automatic update downloads.
  • take care of the security of your wireless (Wi-Fi) network. Avoid public Wi-Fi networks when using e-bank or mobile bank.
  • do not install illegal or unknown software.
  • lock your computer when you are not using it so that no-one can easily access your personal data or applications.
  • use a password at least 12 characters long to log in to your computer. Your password should not be a dictionary word or anything connected to you, and should contain upper- and lower-case letters, digits, and special characters. Consider using a trustworthy password manager.
  • do not install software that can be used to remotely control your computer.
  • do not grant anyone remote access to your device that you use for banking.
  • encrypt your data stored on the device.
  • regularly back up your data and check whether the back-up is complete and can be used to restore your important data.
  • use a browser that can block pop-up windows as such usually display websites that ask you to enter sensitive data.

approval with mobile token

  • scan QR codes only from the Bank’s website and always check the URL of the page you are at.
  • never scan QR codes you received in an e-mail or message; visit the kh.hu website instead.

make your smartphone or tablet more secure

  • lock your smartphone or tablet when you are not using it so that no-one can easily access your personal data or applications.
  • only install apps from the official application stores (iOS: App Store, Android: Play Store).
  • use a PIN at least 5 digits long or an even more secure solution to unlock your lock screen.
  • do not use a jailbroken or rooted mobile device because a modified operating system may lack several built-in security features.
  • always use the latest version of our mobile application and the operating system of your mobile device.
  • disallow the installation of third-party applications on your smart device.
  • install software updates as soon as they are available or set up automatic update downloads.
  • take care of the security of your wireless (Wi-Fi) network. Avoid public Wi-Fi networks when using e-bank or mobile bank.
  • do not install illegal or unknown software.
  • do not install software that can be used to remotely control your smart device.
  • do not grant anyone remote access to your device that you use for banking.
  • encrypt your data stored on the device.
  • regularly back up your data and check whether the back-up is complete and can be used to restore your important data.

approval requests for fraudulent transactions

K&H Bank uses two-factor authorisation for online login and transaction approval. When authentication is done via text message, users are required to enter not only their password but also a code received in the text message. This second-factor request appears on your phone’s screen even if it was someone else who tried to log in or make a transaction.

if you get an approval request and suspect foul play, follow the steps below:

  • Check the request for identity verification: make sure it is really you who has initiated the login or transaction.
  • Never approve requests that you do not recognise.
  • Check all the data in the text message with the approval request: the transaction, the amount, the recipient, etc.
  • Never leave your authentication devices unattended: always keep them in a secure place and never share them with others.
  • Use screen lock: a lockscreen on your mobile phone protects it from unauthorised access.
  • Only register your own biometrics (fingerprint ID, face ID) on your device.
  • Check your settings: set up your phone to only show push and text messages after the lock screen has been unlocked. This protects sensitive data from unauthorised access.

WiFi scams

Phoney WiFi networks can be so sophisticated that a general user would hardly spot them. In such a scam the attackers set up a fraudulent WiFi hotspot bearing the name of a well-known and legitimate one. Then they invite potential victims to connect. They tap into the communication and collect sensitive information such as usernames and passwords, while the users often do not even detect the attack.

how to protect yourself against WiFi scams – here are a few useful tips:

  • avoid “unsecured” connections: when looking for available networks, skip those that your device marks as “unsecured”.
  • do not use public WiFi networks if you do not have to: using public WiFi networks poses a heightened risk of attack. Opt for an alternative such as your own mobile data or a safe home network when available.
  • do not allow “automatic connection to WiFi networks”: with automatic connection your device can easily connect to unknown networks, which is risky.
  • be cautious with websites requesting sensitive login data: when using a public WiFi network do not log in to websites that require the entering of a username and password.
  • set up multiple-factor authentication: if available, set up multiple-factor authentication on websites that give you access to important data. This will give you more security in the online space.
  • use a trustworthy VPN (virtual private network) service.

installation of malicious code

Scammers use phishing e-mails or text messages to install malicious code on your device that may allow them to look for and collect information such as login data. Such pieces of code are usually installed without the user’s knowledge when the user clicks on a link in a phishing message posing as a legitimate notification, or installs an application that contains malicious code. As the user is not aware of being spied upon, they may disclose sensitive information such as login data and financial information.

how to protect yourself against malicious code attacks - here are a few useful tips:

  • keep your software, including your browser, antivirus and operating system, up to date, because the latest patches close known security holes. Turn on automatic updates if possible.
  • restart your mobile device regularly.
  • do not click on links or open attachments in messages you were not expecting; if in doubt, reach the service by typing its address into your browser yourself.
  • always examine your e-mails thoroughly, looking for inconsistencies such as odd language, spelling errors or a pressing tone.
  • exercise caution when using mobile devices; never allow automatic connection to networks.
  • if you receive a suspicious e-mail, report it to the Bank; such information helps in preventing attacks of this type.
  • before installing any software, consider whether you really need that application. Remove the applications you do not use.
  • only install applications from the official application stores (Google Play, App Store), and never root or jailbreak your device.
  • always check what permissions an application requests. If they seem unnecessary, look for another app instead (e.g. a map application has no need to access your contacts).

Large companies, as well as small and medium-sized enterprises, are paying increasing attention to protection against cyber-attacks, as these can compromise not only their own data but also those of their customers and partners. Cyber-attacks cause not only financial damage but also reputational harm, and by eroding customer confidence they undermine the competitiveness of the affected company.

You & your business / protecting yourself

Ideally, businesses invest more in information security than private individuals do, but attackers also stand to gain significantly more from them, so businesses need to be aware that they are typically more exposed than private individuals.

In the majority of cases, the attacks target employees in order to obtain data, taking advantage of the fact that individuals are often less security-conscious. By training their employees to recognise and avoid attacks, companies therefore protect their employees as private individuals and, through them, the company's assets. Attacks targeting private individuals, how to recognise them and how to defend against them are described at www.kh.hu/web/eng/security-in-your-finances. Below you can read about attacks specifically targeting businesses.

appropriate privileges & protection in Electra

The spread of digitalisation is creating new opportunities for fraudsters, who are using a wide variety of methods to defraud companies and extort money from them using false information.

One of the most common types of abuse that companies face today is the so-called “fake management instruction”: an employee authorised to make payments is tricked into paying a false invoice or initiating an unauthorised transfer. Such attacks rely on employees' eagerness to act quickly on instructions that appear to come directly from senior management.

Appropriate controls can prevent, or at least greatly reduce the likelihood of, falling victim to such fraud.

The most common source of trouble is the possession of conflicting privileges

Having conflicting privileges means that a single individual holds a combination of privileges that lets them carry out a transaction end to end without being subject to proper controls, which creates an opening for fraudsters.

& what can you do?

  • grant well-defined privileges to job positions (role-based access: e.g. query/view privileges, input privileges, signing privileges);
  • do not let the same person hold overlapping privileges or privileges that sit above one another in the approval chain (e.g. if transactions are both input and approved by the same person, abuse or error can go unnoticed);
  • review privileges regularly, in particular when staff change roles or leave; and
  • ensure that strict identification procedures and four-eye controls are in place.

Four-eye controls are procedures whereby two independent individuals are required to perform a transaction or operation, thereby:

  • preventing errors and fraud; and
  • increasing process transparency.

& K&H Electra privileges

The bank strongly recommends that business clients set user and signature limit points in K&H Electra so that, where possible, more than one user is required to initiate a payment order, or more than one user is required to sign it, at least for higher value orders.

The K&H Electra system uses signature points to control the initiation of payment orders. This points matrix can be customised according to two criteria:

  • User signature score for a given account: typically, a user authorised to sign payment orders has 5 or 10 points, but this can be set anywhere in the range 1-99; and
  • Value-dependent signature limits for each account: by default Electra requires 10 signature points to release a payment order, but this can be altered per account and per amount range.

User and signature scores can be queried with the Self-administration Privilege and modified with the Company Privilege.

Query                        | Web Electra                                | Installed Electra (Client module)
User’s signature score       | Settings -> Users -> Account privileges    | Administrative instructions -> New order -> Modify user -> Account privileges
Account-level limit setting  | Settings -> Signature limits               | Administrative instructions -> New order -> Signature limits

social engineering

Social engineering is a collective term for attacks that exploit certain human characteristics and people’s current states of mind. In many cases, the characteristics in question are very useful for a particular job, but it is important to be aware that they carry a certain risk. For example, in the case of customer service staff, helpfulness is very commendable, but in an attack it can be easily exploited by a fraudster: all they need to do is simply ask for help, advice or information. Employees particularly at risk of social engineering attacks include staff in human resources, IT, customer service and finance, as well as senior management assistants, PR and marketing professionals.

Some social engineering attacks are physical: an attacker may impersonate someone else (external IT professional, auditor, cleaner, guest, journalist, student writing their thesis, etc.) to gain access to the premises. Once inside, they exploit the staff’s lack of security awareness to collect data, documents or even equipment (e.g. a laptop, phone or access card left in the office during lunchtime), go through bins, copy data from unlocked devices or leave infected media where staff will easily find them. How widespread social engineering is can be seen from the fact that each of the above-mentioned types of attack has its own specific name.

& how to protect yourself

Remember that you are the key: your organisation's defences are only as strong as its weakest link, and that link is usually its people.

Teach your colleagues to treat strangers and unusual requests with healthy suspicion, not just online but in the physical world too. For larger companies we recommend training security staff in this and establishing a visitor access procedure; even in small and medium-sized businesses where the staff know each other, escorting guests is both a polite gesture and a control. Make sure every employee understands that they personally could be a target and could be used as a way to attack the business itself.

CEO fraud/Whaling

CEO fraud and whaling are closely related attacks aimed at an organisation's leadership: whaling targets senior managers (and their assistants) directly, while CEO fraud impersonates a senior manager in order to pressure their staff.

Typically, such attempts are preceded by lengthy research to make sure that the senior manager or assistant under attack takes the bait. CEO fraud e-mails are written in flawless language and contain information that seems important, so they will almost certainly be opened. They often refer to, or steal the identity of, an existing contact, so the sender does not look suspicious. Many contain an attachment or a link; if you examine the link (for example by hovering over it) you will find that the displayed text conceals the actual URL to which the link points. Besides direct financial gain, these attacks frequently aim to gather as much information as possible (e.g. about the organisation's operations) in preparation for a later, larger-scale attack.
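The hidden-destination trick described above can be checked mechanically: the visible text of each link is compared with the host the link really points to. The following is an added example in Python, not code from this page or from K&H; the sample e-mail body is constructed, with a TEST-NET address (203.0.113.7) and an .example domain standing in for the attacker's hosts, and kh.hu is used only as the trusted domain the page itself refers to.

```python
"""Flag e-mail links whose visible text points somewhere other than the real
destination.  Added example, not code from this page or from K&H; the sample
message below is constructed, using a TEST-NET address (203.0.113.7) and an
.example domain as the attacker's hosts."""

import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample message: two deceptive links, two honest ones.
SAMPLE_EMAIL_HTML = """
<p>Dear colleague, the CEO asked me to forward this urgent invoice. Please log in and approve it today:</p>
<p><a href="http://203.0.113.7/login">https://ebank.kh.hu/</a></p>
<p><a href="https://kh-hu-secure.example/reset">kh.hu password reset</a></p>
<p><a href="https://www.kh.hu/">K&amp;H homepage</a></p>
<p><a href="https://www.kh.hu/web/eng/security-in-your-finances">www.kh.hu/web/eng/security-in-your-finances</a></p>
"""

# Something that looks like a host name inside the visible link text, e.g. "ebank.kh.hu".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-case host of a URL; a scheme-less string is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, trusted_domains=()) -> List[Tuple[str, str, str]]:
    """Return (href, text, reason) for each link that misrepresents where it goes.

    Three checks, in order: the real target is a bare IP address; the text
    shows a host name that differs from the real host; the text mentions one
    of `trusted_domains` while the real host is not under that domain."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        if IPV4.match(target):
            findings.append((href, text, "link points to a bare IP address"))
            continue
        shown = HOST_IN_TEXT.search(text)
        if shown:
            shown_host = shown.group(1).lower()
            if not (_same_site(target, shown_host) or _same_site(shown_host, target)):
                findings.append((href, text, f"text shows {shown_host} but link goes to {target}"))
                continue
        for domain in trusted_domains:
            if domain.lower() in text.lower() and not _same_site(target, domain.lower()):
                findings.append((href, text, f"text mentions {domain} but link goes to {target}"))
                break
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML, trusted_domains=("kh.hu",)):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

Run on the sample, the check flags the first two links (a bank address shown over a bare IP address, and a "kh.hu" reset link that really goes to another domain) and leaves the two genuine kh.hu links alone. The same comparison is what a careful reader performs by hand when hovering over a link; putting it in a mail gateway or a helpdesk tool simply makes it consistent.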

With the rise of artificial intelligence and deep fakes, it is increasingly easier to carry out attacks where the attacker impersonates a senior executive, using their voice and image, and requests information or the transfer of sizeable funds in a video conversation.

& How to protect yourself?

One of the basic rules of defence is to ensure that as little is known about you as possible. Carefully separate your work and private life! As a senior manager, it is particularly important to pay attention to visibility settings on social networking sites. Find the right need-to-know balance: post only what is relevant to your business, never share more than you absolutely have to, and try to keep your voice and face in public forums to a minimum.

In particular, as a manager, make sure that you follow all the security rules you expect from your colleagues: in your case, even stricter controls may be justified, as a successful attack on you could cause serious damage.

Always check or double-check enquiries. It pays to be careful: call back the person claiming to be an existing contact or the colleague in question using a phone number you know. It only takes one phone call for you to check that you have indeed been contacted by the person who was supposed to have sent the email or called you, and you can save yourself from a major loss.

ransomware

A ransomware attack is a cyber-attack in which an attacker installs malicious software on a target's computer or network that encrypts data. The attacker then demands a ransom to recover the data. Ransomware attacks are often made via phishing emails containing malicious attachments or links and are perhaps the most blatant example of why it is important to keep your staff’s security awareness up to date. It only takes one careless colleague to cause serious damage to a business that may lose data as a result of the attack, and paying a ransom is no guarantee that the attackers will reinstate the data.

& how to protect yourself?

Anti-virus software is an effective defence against known ransomware, but a solid, practical understanding of phishing signs is what protects against new ransomware that only emerges later. Phishing signs are discussed at www.kh.hu/web/eng/security-in-your-finances. Keep in mind that there is no 100% protection; in the event of a ransomware attack, data can be recovered from backups, provided they are created and tested regularly and kept separate from the network so that they cannot be encrypted along with the live data.

false incoming invoices

Attackers issue an invoice in the name of a business’ partner, sometimes even drawing attention to the fact that the account number has changed.

& how to protect yourself?

Such attacks are relatively easy to thwart if your finance staff know that in such cases they must check that the invoice is genuine. The easiest way is to confirm that there is indeed an agreement or contract with the company issuing the invoice, and to verify the bank account number, for example by phoning a contact you already know rather than a number printed on the invoice itself. For existing partners the rule is even simpler: if the bank account number on an invoice changes, verify it with the partner through a known channel before paying.

distributed denial of service (DDoS) attacks

A DDoS (distributed denial-of-service) attack is a cyber-attack in which an attacker uses multiple computers or devices to generate large amounts of traffic to a website or server to overload it and prevent it from functioning normally. DDoS attacks are often aimed at crippling companies' websites or online services, which can result in loss of customers, revenue and reputation, but it should also be borne in mind that DDoS attacks are sometimes used by hackers to “mask” other attacks.

& how to protect yourself?

The “captchas” already used on many websites can reduce automated requests from bots at the application level, but they do not stop floods of raw traffic. For applications likely to receive high traffic, technical solutions such as load balancing and rate limiting should be considered, together with the DDoS protection your hosting or network provider can offer.

basic rules of defence

It is impossible to completely eliminate cyber-attacks, but businesses can take steps to reduce their risk and mitigate their impact. The cornerstone of protection is that the business has an information security strategy that clearly defines the protection objectives to be achieved.

The suggestions listed below provide practical help for day-to-day protection against attacks:

  • Regularly update the software, anti-virus and firewalls used by your business to protect it from the latest threats.
  • Enforce strong passwords and multi-factor authentication.
  • Regularly back up your data and verify that it can be recovered in the event of a ransomware attack.
  • Implement good encryption and privilege management practices to make it harder for attackers to access your data.
  • Educate your employees: prepare them to recognise and avoid cyber-attacks, especially phishing. Employees need to know how to check sender addresses, website URLs, attachments and content so that they are not taken in by fake messages, and they must never give personal or company information to sources that cannot be trusted.
  • In the event of a cyber-attack, act quickly: have a contingency plan in place that identifies responsible individuals, the actions to be taken and the communication channels. Notify the authorities, partners and customers of the attack.

when will K&H Bank notify you?

E-bank or mobile bank activation: when an e-channel is being activated, we will send you a message whenever an authentication device is registered:

  • about ViCA registrations in the case of Electra
  • about mobile token and username & password creation in the case of e-bank

First login to e-bank or mobile bank: we will send you a notification on the first login to your e-channel:

  • Electra users: first use of VICA, USB token
  • E-bank users: mobile token, username & password on first use

If you did not perform this login, please call K&H Corporate Customer Service immediately on +36 1 468 7777 or +36 1 468 7755 to keep your account safe.

CyberShield transaction monitoring notification: as the debit card holder of a business with fewer than 10 employees and an annual turnover below EUR 2 million, you will receive a free notification whenever we detect a debit transaction of at least HUF 15,000 initiated with one of your business debit cards. The message does not contain the details of the transaction; its purpose is to make you aware immediately of a transaction you did not initiate, so that you can take action to secure your account and bank card. For detailed information on CyberShield transaction monitoring notifications, please visit https://www.kh.hu/biztonsag-a-penzugyekben/kiberpajzsertesitesek.

new limit management option in K&H Electra

In K&H Electra, a new limit management option has been available since 23 September 2024, which represents another step towards safer banking.

The new feature allows you to determine, per account, how many signature points you require from users to approve payment orders within given (from/to) amount ranges, i.e. you use scores to control how many signers are needed to release an order. The default setting is a total of 10 points, which can come from one signer acting alone or from several signers together.

For example, let us say that to approve payment orders of HUF 0-1,000,000, 5 signature points are required, while orders from HUF 1,000,001 require 10 signature points. In this case, order (A) for HUF 500,000 can be approved by a single user who has 5 signature points, but they cannot sign order (B) for HUF 2,000,000 alone. Thus order (B) typically requires either two users with 5 signature points each or a single user with 10 signature points.
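The points arithmetic described here and in the signature-points section above is easy to get subtly wrong (band boundaries, a user signing twice, a score outside 1-99), so the following added example models it end to end. It is a hypothetical illustration in Python, not Electra's own code or data: the class and function names, the in-memory data structures and the sample users with their scores are assumptions; the amount bands mirror the page's own example (5 points up to HUF 1,000,000, 10 points above), and the optional four-eye rule implements the input/approval separation recommended under conflicting privileges.

```python
"""Value-dependent signature-limit check modelled on the K&H Electra rules
described above.  Added, hypothetical illustration: the class and function
names, the in-memory data structures and the sample users are assumptions,
not Electra's own code or data."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Page: unless an account-specific limit says otherwise, an order needs 10 points.
DEFAULT_REQUIRED_POINTS = 10


@dataclass(frozen=True)
class LimitBand:
    """One from/to amount range (HUF, both ends inclusive) and the points it
    requires.  upper=None means the band is open-ended."""
    lower: int
    upper: Optional[int]
    required_points: int


def required_points(bands: List[LimitBand], amount: int) -> int:
    """Points an order of `amount` HUF needs on an account with these bands.
    An amount that falls in no configured band gets the Electra default."""
    if amount <= 0:
        raise ValueError("order amount must be positive")
    for band in bands:
        if band.lower <= amount and (band.upper is None or amount <= band.upper):
            return band.required_points
    return DEFAULT_REQUIRED_POINTS


def evaluate_order(bands: List[LimitBand], amount: int, signers: List[str],
                   user_points: Dict[str, int], initiator: Optional[str] = None,
                   four_eyes: bool = False) -> Tuple[bool, str]:
    """Decide whether the listed signers may release a payment order.

    bands       -- LimitBand list for the account
    amount      -- order value in HUF
    signers     -- names of the users who have signed
    user_points -- {user: signature score on this account}; page: scores are 1..99
    initiator   -- user who keyed in the order, if known
    four_eyes   -- if True, the initiator may never be the only signer
    Returns (approved, reason)."""
    needed = required_points(bands, amount)
    unique = list(dict.fromkeys(signers))       # keeps order, drops repeats
    if len(unique) != len(signers):
        return False, "the same user may not sign an order twice"
    if not unique:
        return False, "no signatures collected"
    collected = 0
    for user in unique:
        score = user_points.get(user)
        if score is None:
            return False, f"{user} has no signing privilege on this account"
        if not 1 <= score <= 99:
            return False, f"{user} has an out-of-range signature score ({score})"
        collected += score
    if four_eyes and initiator is not None and unique == [initiator]:
        return False, "four-eye control: the person who input the order cannot approve it alone"
    if collected < needed:
        return False, f"{collected} of {needed} signature points collected"
    return True, f"{collected} of {needed} signature points collected"


# Constructed sample mirroring the page's example: up to HUF 1,000,000 needs 5 points,
# anything above needs 10.  The users and their scores are invented for illustration.
SAMPLE_BANDS = [LimitBand(0, 1_000_000, 5), LimitBand(1_000_001, None, 10)]
SAMPLE_POINTS = {"anna": 5, "bela": 5, "csaba": 10}

if __name__ == "__main__":
    for amount, signers in [(500_000, ["anna"]), (2_000_000, ["anna"]),
                            (2_000_000, ["anna", "bela"]), (2_000_000, ["csaba"])]:
        ok, why = evaluate_order(SAMPLE_BANDS, amount, signers, SAMPLE_POINTS)
        print(f"HUF {amount:>9,} signed by {', '.join(signers):<12} -> "
              f"{'approved' if ok else 'rejected'}: {why}")
```

With the sample data, order (A) for HUF 500,000 is released by anna alone, order (B) for HUF 2,000,000 is rejected for anna alone but released by anna and bela together or by csaba alone, exactly as the paragraph above describes. Two details worth noting when you configure real limits: an amount that falls into no configured band falls back to the default of 10 points rather than being waved through, and turning on the four-eye rule means that even a user with 10 points cannot both key in and release an order on their own.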

Please consider your company's operations in terms of the value of your payment orders and your approval structure, and take advantage of the protection offered by the setting of limits accordingly. We recommend restricting limits to match your payment habits, and at the same time prevent the execution of unusual payment transactions. Security is best ensured by signature limits that suit your own operations, so please consider your company's planned activity per account and set limits accordingly, regularly maintaining and reviewing them and changing them as necessary.

The new function is accessible on the client-side administration interface (under Settings/Privilege Management/Signature Limits). To set or change limits, you are required to have 'Company privilege'. If you wish to apply a more complex structure than 4 amount ranges per account, you must still contact K&H Corporate Customer Service staff, as such a complex limit structure cannot be modified via the interface.

To ensure that your assets are managed more securely, we also recommend that you regularly review your users’ privileges and signature points, which you can still do in Settings/Privilege Management.

correct contact data

Make sure your contact data is correct! Instead of central contact information, provide the bank with the most up-to-date contact details specific to each user wherever possible. This will ensure that any alerts or registration or information messages are always sent to the right person. Pay particular attention to the phone numbers for mobile banking and electronic banking applications (e.g. ViCA)!

Dear Customers,

We would like to inform you that in cases of fraud involving non-cash payment instruments (e.g. credit/debit cards, online banking, mobile banking application), liability will be investigated. We are not liable for damages if the investigation concludes that gross negligence on the customer's part contributed to the damage. A final judgement on the question of gross negligence can only be made by a court of law.

further reading

why use a password manager?

29 August 2023 - one above all. Tips so that you never have to click on password reminders again.

what is ransomware?

4 September 2023 - it can happen at the worst moment. It is very annoying, but you need to keep calm!

personal data still kept under the pillow

30 August 2023 - & You, do you know how to protect your data and stay safe from cybercriminals' attacks?

it’s convenient, but…

18 November 2023 - … it can be dangerous. Take care when you are wireless.