Payment App Users Targeted in Phishing and Social Engineering Campaigns, FBI Warns
How to Avoid Falling Victim to Scammers.
The FBI is warning that malicious actors are targeting people in the US who use digital payment apps, using text messages that contain bogus bank fraud alerts to socially engineer victims into making instant money transfers to accounts the attackers control.
How Does the Scam Work?
According to the warning, issued yesterday by the Federal Bureau of Investigation, once a target replies to the message, the attackers call back from a number that appears to match the financial institution’s genuine 1-800 support number.
Under the pretext of reversing the fake money transfer, victims are swindled into sending payment to bank accounts under the control of the cyber actors.
The phony fraud alerts cite a payment amount and a bank name and instruct the recipient to confirm whether they attempted a large instant payment.
According to the FBI, the payment amount and financial institution name vary from victim to victim. If customers reply to the phishing message with “No,” a follow-up message is sent:
Our fraud specialist will be contacting you shortly.
The attackers, who typically speak English without a discernible accent, then call the victim from a number that appears (through caller-ID spoofing) to be the bank’s authentic 1-800 support number, claiming to be from the fraud department.
The attackers’ ultimate goal is to fool the victim into “reversing” the fake instant money transfer by having them remove their email address from the payment app, so that the attackers can link that same email address to a bank account they control.
The actor, after asking for the victim’s email address, adds it to a bank account controlled by the actor. After the email address has been changed, the actor tells the victim to start another instant payment transaction to themselves that will cancel or reverse the original fraudulent payment attempt.
Believing they are sending the transaction to themselves, the victims are in fact sending instant payment transactions from their bank account to the actor-controlled bank account.
In many instances, the attackers communicated with victims over a period of several days. Victims frequently discover they have been duped only after checking the balance of their financial account. To avoid falling victim, the FBI recommends the following:
- Be wary of unsolicited requests to verify account information. Cyber actors can spoof email addresses and phone numbers so that their messages and calls appear to come from a legitimate financial institution. If a call or text is received regarding possible fraud or unauthorized transfers, do not respond to it directly.
- If an unsolicited request to verify account information is received, contact the financial institution’s fraud department through verified telephone numbers and email addresses on official bank websites or documentation, not through those provided in texts or emails.
- Enable Multi-Factor Authentication (MFA) for all financial accounts, and do not provide MFA codes or passwords to anyone over the phone.
- Understand that financial institutions will never ask customers to transfer funds between accounts in order to prevent or reverse fraud.
- Be skeptical of callers that provide personally identifiable information, such as social security numbers and past addresses, as proof of their legitimacy. The proliferation of large-scale data breaches over the last decade has supplied criminals with enormous amounts of personal data, which may be used repeatedly in a variety of scams and frauds.