The FBI recently put out a warning informing Americans of a new scam in which scammers first bait victims by sending fake “bank fraud” alert messages and then calling them from a number that resembles the financial institution’s legitimate 1-800 support number. “This is a common tactic we see across a number of scams, with hackers using data scraped from the dark web and other data leak sources to legitimize conversations with victims,” Adrien Gendre, Chief Tech & Product Officer at Vade told Lifewire over email. “This is social engineering at its worst and can be very convincing to users who are not educated about these types of scams.”

Believe It or Not

According to the FBI’s advisory, the scammers swindle victims by getting them to transfer money into accounts under the fraudsters’ control, under the pretext of reversing a fake payment. The scam begins with a fake fraud alert asking the target to confirm whether they made a transfer of several thousand dollars. If the target replies to the SMS denying the payment, they receive a follow-up “resolution” call from the scammers, typically from a spoofed number that appears to belong to the financial institution’s fraud department. During the call, the actor first gets the victim to change the email address on their account to one controlled by the scammers. “After the email address has been changed, the actor tells the victim to start another instant payment transaction to themselves that will cancel or reverse the original fraudulent payment attempt,” explained the FBI.

Stephanie Benoit-Kurtz, Lead Faculty for the College of Information Systems and Technology at the University of Phoenix, has seen this kind of scam before. In an email conversation with Lifewire, she shared that Truecaller estimates that over 59 million Americans have lost money to a phone scam in the past 12 months. Benoit-Kurtz points to the Federal Communications Commission (FCC), which has documented several such telephone scams. “The key is to be aware that the call could be spoofed, which means the number looks like it is coming from a financial institution when in reality it is bad actors trying to social engineer you into providing personal information that could lead to an account takeover, or some type of monetization of the activity,” shared Benoit-Kurtz. Gendre added that, just as with email addresses, hackers can spoof both caller names and numbers to make a text appear to come from a legitimate organization.

“In this particular scam, it is unusual that the purported bank is offering up information on the user, such as recent addresses and social security numbers. A financial institution wouldn’t offer this information freely, and so it is a clear sign to the user that something is awry,” Gendre pointed out. Mark Scrano, Information Security Manager at Cobalt, told Lifewire in an email that scammers often run such confidence-building schemes, reciting your own personal information to win your trust.
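Seen from the bank’s side, the sequence the advisory describes (an email change on the account, followed minutes later by an instant payment to a destination the customer has never paid before) is a detectable pattern. The following is an added example of such a fraud-control rule; it is not code from the article, the FBI, or any institution, and the event schema, the 30-minute window and the sample events are constructed assumptions for illustration.

```python
"""Fraud-control rule for the account-takeover sequence described above:
a contact-detail change on the account followed shortly by an outbound
instant payment to a payee the account has never paid before.

Added example, not code from the article or the FBI advisory. The event
schema, the 30-minute window and all sample events below are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str    # "contact_change" or "instant_payment"
    detail: str  # new email address, or destination payee id


# Assumption: how long after a contact change a payment stays suspicious.
WINDOW = timedelta(minutes=30)


def flag_payments_after_contact_change(events, window=WINDOW):
    """Return one alert per instant payment that (a) follows a contact
    change on the same account within `window` and (b) goes to a payee
    the account has not paid before. Either signal alone is common in
    legitimate use; together they match the call script on the page, in
    which the victim changes the email and then "pays themselves" at a
    destination the scammer actually controls."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account, []).append(ev)

    alerts = []
    for account, evs in by_account.items():
        last_change = None
        seen_payees = set()
        for ev in evs:
            if ev.kind == "contact_change":
                last_change = ev
            elif ev.kind == "instant_payment":
                recent_change = (
                    last_change is not None and ev.ts - last_change.ts <= window
                )
                new_payee = ev.detail not in seen_payees
                seen_payees.add(ev.detail)
                if recent_change and new_payee:
                    alerts.append({
                        "account": account,
                        "payment_at": ev.ts,
                        "payee": ev.detail,
                        "contact_changed_at": last_change.ts,
                        "new_contact": last_change.detail,
                        # Assumed response: verify out of band using the
                        # contact details on record *before* the change.
                        "action": "hold payment; call customer on pre-change number of record",
                    })
    return alerts


# Constructed sample: ACCT-1001 matches the scam pattern; ACCT-2002 changed
# its email a day before paying; ACCT-3003 pays a new payee with no change.
T = datetime(2024, 1, 15, 10, 0)
SAMPLE_EVENTS = [
    Event(T + timedelta(minutes=2), "ACCT-1001", "contact_change", "new@mail.example"),
    Event(T + timedelta(minutes=15), "ACCT-1001", "instant_payment", "PAYEE-7731"),
    Event(T - timedelta(days=1), "ACCT-2002", "contact_change", "me@home.example"),
    Event(T + timedelta(minutes=60), "ACCT-2002", "instant_payment", "PAYEE-0042"),
    Event(T, "ACCT-3003", "instant_payment", "PAYEE-9000"),
]

if __name__ == "__main__":
    for alert in flag_payments_after_contact_change(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample, only ACCT-1001 is held: its payment lands 13 minutes after the email change and goes to a first-time payee. The window is the tuning knob; widening it catches slower scripts at the cost of more legitimate holds, so an institution would set it from its own data rather than from this constant.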

Hook, Line, and Sinker

Benoit-Kurtz shared that social engineering scams generally have several characteristics that can help people realize they are being targeted. The first is urgency. “Whatever the request is on the phone or text, the request is that a response for the information is necessary RIGHT NOW. Banks and financial institutions will never demand information in that way,” pointed out Benoit-Kurtz. Then there is the pressure to validate or provide private information, such as Social Security numbers or a mother’s maiden name. Benoit-Kurtz asserted that people should never give out this information to anyone. “This is different when you reach out to the organization for authentication purposes, but when they place a call to you, they should never ask for private information,” shared Benoit-Kurtz.

All our experts believe that such scams bet on victims reacting emotionally to the message and responding immediately, without first going to the original source: their bank. They all also agree that the only defense against such sophisticated social engineering is to pause and take stock of the situation before deciding to engage. “Always call the fraud department yourself using publicly-listed phone numbers should you need to engage with the fraud department at your bank. Never trust phone numbers or links in SMS messages or incoming phone calls,” advised Scrano.
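The indicators the experts list above (urgency, a demand for private information, a prompt to reply, and a callback number or link that is not the bank’s own) can be written down as a triage check for an incoming text. The following is an added example, not code from the article or from any of the people quoted; the published-number list, the keyword patterns and the two sample messages are constructed assumptions. Keyword matching is a weak control on its own, and the procedural advice still governs: do not reply or call back, and phone the bank on a number you looked up yourself.

```python
"""Red-flag triage for an incoming 'fraud alert' text, applying the
indicators listed above: urgency, a request for private information,
a prompt to reply, and any callback number or link not belonging to the bank.

Added example, not code from the article. PUBLISHED_NUMBERS, the regexes
and the sample messages are constructed assumptions (555-01xx numbers are
reserved for fiction, so they are safe placeholders).
"""
import re

# Assumption: the institution's publicly listed support numbers, digits only.
PUBLISHED_NUMBERS = {"18005550100"}

URGENCY = re.compile(
    r"\b(immediately|right now|urgent(ly)?|within \d+ (minutes|hours)|"
    r"suspended|locked|final notice)\b", re.I)
PRIVATE_INFO = re.compile(
    r"\b(ssn|social security|maiden name|pin|password|passcode|one[- ]time code)\b", re.I)
REPLY_PROMPT = re.compile(r"\b(reply|text back)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
LINK = re.compile(r"https?://\S+|\bwww\.\S+", re.I)


def triage_sms(text, published=PUBLISHED_NUMBERS):
    """Return (verdict, reasons). Any reason means: do not use the
    message's own channel; contact the bank through a published number."""
    reasons = []
    if URGENCY.search(text):
        reasons.append("urgency language")
    if PRIVATE_INFO.search(text):
        reasons.append("asks for private information")
    if REPLY_PROMPT.search(text):
        # On the page, replying to the alert is what triggers the spoofed
        # "fraud department" callback.
        reasons.append("asks for a reply")
    for m in PHONE.finditer(text):
        number = "1" + m.group(1) + m.group(2) + m.group(3)
        if number not in published:
            reasons.append(f"callback number {number} is not a published number")
    if LINK.search(text):
        reasons.append("contains a link")
    if reasons:
        verdict = "suspicious: do not reply or call back; phone the bank on a published number"
    else:
        verdict = "no red flags"
    return verdict, reasons


# Constructed sample messages.
SCAM_SMS = ("ALERT: Did you authorize a $3,450 instant transfer? Reply NO if "
            "this was not you. To resolve immediately call 1-800-555-0199.")
BENIGN_SMS = ("Your January statement is ready to view in the mobile app. "
              "Questions? Call us at 1-800-555-0100.")

if __name__ == "__main__":
    for msg in (SCAM_SMS, BENIGN_SMS):
        verdict, reasons = triage_sms(msg)
        print(verdict)
        for r in reasons:
            print("  -", r)
```

The scam sample trips three flags (urgency, a reply prompt, and an unpublished callback number); the benign one cites only the published number and trips none. Note what the check does not do: it cannot tell whether the sender ID itself is spoofed, which is exactly why a number that passes the lookup is still only safe to dial yourself, never to trust when it calls you.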