American users of digital payment apps are being tricked into making instant money transfers in social engineering attacks using text messages with fake bank fraud alerts by cybercriminals.
The Federal Bureau of Investigation published the warning as a public service announcement on Thursday. It says the attackers will call victims who respond to their phishing messages from phone numbers pretending to be the banks’ legitimate support number.
“Under the pretext of reversing the fake money transfer, victims are swindled into sending payment to bank accounts under the control of the cyber actors,” the FBI said.
The fake fraud alerts reference the financial institution’s names and payment amount and ask the targets to confirm if they tried to make instant payments of thousands of dollars.
If the recipients respond to the fraud SMS denying ever making such a payment, they’ll get a second text message saying they will be contacted shortly. As promised, the scammers call back, claiming to represent the recipient’s bank fraud department.
The end goal is to trick victims into reversing the fake instant payment transaction by asking them to remove their email address from the payment app. The threat actors then attach the email address to a bank account under their control. After this is done, the threat actors tell the victim to start another instant payment transaction to themselves that will reverse or cancel the initial fraudulent payment attempt.
The victims then send instant payment transactions from their bank account to the account controlled by the threat actor, believing they are sending the payment transaction to themselves.
The exchanges between the fraudsters and their victims can span several days, showing the scammers’ determination to pull off their social engineering attack.
The FBI also shared a list of precautions that Americans using digital payment apps should be aware of in order not to fall victim to one of these scams:
- Cyber actors can use email addresses and phone numbers that may appear to come from a legitimate financial institution. Be aware of unsolicited requests to verify account information. Do not respond directly to calls or texts regarding possible fraud or unauthorized transfers.
- Contact the financial institution’s fraud department through verified telephone numbers and email addresses on official bank websites, not through those provided in texts or emails, in the case that an unsolicited request to verify account information is received.
- Enable Multi-Factor Authentication (MFA) for all financial accounts, and do not provide MFA codes or passwords to anyone over the phone.
- Understand financial institutions will not ask customers to transfer funds between accounts to help prevent fraud.
- Be skeptical of callers who provide personally identifiable information, such as social security numbers and past addresses, to prove their legitimacy. The proliferation of large-scale data breaches over the last decade has supplied criminals with enormous amounts of personal data, which may be used repeatedly in various scams and frauds.
Found this article interesting? click here to read more exclusive content we post.