Cybercriminals Are Doing Their Homework in Latest Banking Scam (theregister.com)
A new social engineering scam is making the rounds, and this one is particularly insidious: It tricks users into sending money to what they think is their own account to reverse a fraudulent charge. From a report: The FBI's Internet Crime Complaint Center issued the warning, which it said involves cybercriminals who have definitely done their homework. "In addition to knowing the victim's financial institution, the actors often had further information such as the victim's past addresses, social security number, and the last four digits of their bank accounts," the IC3 said.
The con starts off as many that target individuals do nowadays: With a text message. In this case it's not a phishing attempt, it's an attempt to ascertain whether the person receiving the message is susceptible to further manipulation. Posing as the target's bank, the message asks whether a large charge ($5,000 in the example the FBI gives) was legitimate and asks for a reply of YES or NO. Replying no leads to a follow-up text: "Our fraud specialist will be contacting you shortly." This is where social engineering comes in, and the FBI is painting a picture of a sophisticated operation. The "fraud specialists" contacting users reportedly "speak English without a discernible accent," and once they establish credibility with the victim they move on to "helping" them "reverse" the fake transaction.
It gets even more insidious here: The charges being disputed aren't bank charges directly: they are payments made through an instant payment app like Venmo or CashApp. The fraudster never asks for a password or any information that might clue someone in that they're being strung along. Instead, the caller asks the victim to use their bank website or app to remove their email address from the digital payment app (thereby unlinking the app and bank account), which the fraudster then asks for. Next, the victim is asked to send the same amount as the fake payment to themselves using their own email address, which has already been added to an account the criminal controls.
Many scams like this, just trust no contacts (Score:5, Informative)
It's quite simple. If somebody contacts you (phone, email, text, or other) claiming to be part of your bank/financial/whatever, and asks you to respond. DO NOT RESPOND.
Instead, call your bank directly and verify that way.
Re: (Score:2)
Yes, this is the golden rule. It's sometimes a pain, but you should use it for managing your internet and phone service as well. Ask for the name and extension (not the phone number!) of the person that called you, then call the company back using a trusted phone number and get reconnected to that employee. Do this before you give them any information. It's not rude--just to say "To verify your identity I need to call you back. How may I reach you by calling XXX's public phone number? No, I don't want the p
Re: (Score:2)
It's quite simple. If somebody contacts you (phone, email, text, or other) claiming to be part of your bank/financial/whatever, and asks you to respond. DO NOT RESPOND.
Instead, call your bank directly and verify that way.
This.
The two times in the last 10 years where something has gone wrong with my account, the message has always been simply "please call us".
Banking rules (Score:4, Informative)
Rule #2: Never, ever do anything. Your bank can do the needful themselves.
Re:Banking rules (Score:5, Insightful)
Rule #2: Never, ever do anything. Your bank can do the needful themselves.
There are often legitimate reasons you may need to reach out to your bank. In my line of work, we handle "Card not present" transactions all the time. Often times, a bank will block the charge for being suspicious (ours is a high dollar, high fraud industry) and request the customer contact the bank. Until they do, there's nothing we can do unless the customer wants to use a different card.
I've spoken with customers who have your mentality and then get pissed off with me for telling them they need to confirm it with their bank.
Re: (Score:2)
What aitikin said is true, but he's attacking PsychoSlashDot's mentality when he is actually in agreement with PsychoSlashDot.
In the context of BOTH Rule #1 and Rule #2, I think PsychoSlashDot is saying "do not try to fix it yourself by doing things like transferring your money using your app from one place to another; call the bank (rule #1) and let the bank fix it (rule #2)" .
I also agree, and my reasoning is that if the "bank person" cannot freeze or fix it, then you're not talking to the actual bank.
Re: (Score:2)
What aitikin said is true, but he's attacking PsychoSlashDot's mentality when he is actually in agreement with PsychoSlashDot.
In the context of BOTH Rule #1 and Rule #2, I think PsychoSlashDot is saying "do not try to fix it yourself by doing things like transferring your money using your app from one place to another; call the bank (rule #1) and let the bank fix it (rule #2)" .
I also agree, and my reasoning is that if the "bank person" cannot freeze or fix it, then you're not talking to the actual bank.
You got it. If someone is telling you that you need to transfer funds in/out of your account in order to "fix" some "wrong" transaction, it's just not real. The bank can - and should - do that themselves.
Also, aitikin is - as you see - talking from the perspective of a not-bank, which isn't... a bank. I was talking about a bank. If a vendor tells you that you need to go do something with your bank, by all means, contact your bank and investigate and do (if the bank agrees). But if your bank is telling
Re: (Score:2)
Rule #2: Never, ever do anything. Your bank can do the needful themselves.
There are often legitimate reasons you may need to reach out to your bank. In my line of work, we handle "Card not present" transactions all the time. Often times, a bank will block the charge for being suspicious (ours is a high dollar, high fraud industry) and request the customer contact the bank. Until they do, there's nothing we can do unless the customer wants to use a different card.
I've spoken with customers who have your mentality and then get pissed off with me for telling them they need to confirm it with their bank.
Ask the customer which they prefer, their payment got blocked and their money stayed in the bank, or their money got siphoned off by fraudsters?
The current failsafe design is good, late payment very often cost the customer very little, compared to losing the whole payment to fraudsters. Not doing anything is the correct approach for the customer.
Re: (Score:2)
Ask the customer which they prefer, their payment got blocked and their money stayed in the bank, or their money got siphoned off by fraudsters?
The current failsafe design is good, late payment very often cost the customer very little, compared to losing the whole payment to fraudsters. Not doing anything is the correct approach for the customer.
Done that a few times. You'd be surprised how often their response is something akin to, "I don't care, if it's fraud, I'm not responsible for the money out!" People are so damned unpredictable.
Re: (Score:1)
The people who fall for this kind of scam probably aren't in the Slashdot demographic.
Only scam I've ever fallen for involved a phone that I had sold to a Craigslist buyer, and the buyer had paid using a hacked PayPal account. About a day after the transaction, I received an email from PayPal that the transaction was fraudulent (and at the time, seller protection didn't cover items sold for local pick-up). It ultimately wasn't a very smart move on the part of the scammer, since I had their contact informa
Re: (Score:3)
Rule 2 is good but Rule 1 goes against common practices by banks who actually *do* call customers in case of fraudulent transactions. Though you could go and ask for a case number and then call the bank back, but that's just likely to confuse their customer service people.
Re: (Score:3)
Rule 2 is good but Rule 1 goes against common practices by banks who actually *do* call customers in case of fraudulent transactions. Though you could go and ask for a case number and then call the bank back, but that's just likely to confuse their customer service people.
Nope.
I have 5 banks that I use and they all say they might contact you if they spot a suspicious transaction. And they all say if you want to avoid fraud, don't give any information to anyone who calls you. Hang up and call the bank back at their published number - don't trust the number the caller gives you. That's what the bank says.
I've done this several times. Usually it was a cloned credit card, and all they did was ask "Is this a legitimate charge, yes or no". They didn't ask for any identification pro
Re: (Score:2)
Rule 2 is good but Rule 1 goes against common practices by banks who actually *do* call customers in case of fraudulent transactions. Though you could go and ask for a case number and then call the bank back, but that's just likely to confuse their customer service people.
Oh well. This is money. Confuse them if you have to. Educate them if you have to.
And yes, if your bank calls/texts/e-mails/mails you, call them. But - again - call the numbers you already have available, not the number they give you. Ever.
Tangential... I once had my bank call me to talk about a suspicious (legitimate) transaction. But before they would speak to me, they wanted me to answer my security questions. I explained "no, you don't need to do that. You know I'm me. You called me. But I
Duh (Score:1)
Repeat - the low hanging fruit has long been picked. Millions of people's entire lives and history and health data are in the hands of the bad guys.
But remember folks - make certain you have a 50 character randomly selected password on your computer, changed weekly, and never use the same one twice or for more than one site. Somehow this has to be the individ
Re: (Score:1)
Exactly what do y'all people think that the years of retailers hospitals and other places of giving all of your information was going to lead to.
Implying that criminals only hack retailers and not government databases?
By the way, how do you propose you get treatment at a hospital without handing over personal details? Do you live in some fantasy world where you can go to a magic no-questions-asked hospital that stitches up the wounds of the criminal underworld?
Re: (Score:3)
Do you live in some fantasy world where you can go to a magic no-questions-asked hospital that stitches up the wounds of the criminal underworld?
A-yup, but now I'm missing a kidney.
Re: (Score:1)
Exactly what do y'all people think that the years of retailers hospitals and other places of giving all of your information was going to lead to.
Implying that criminals only hack retailers and not government databases?
You are missing the bigger point. If you want, I'll add guvmints as well.
I'll be very specific - Since the bad guys can easily get millions of people's email addresses, credit card numbers, credit ratings, criminal records, all of their data, and compile databases of millions at a time. Can you give me the rationale that makes a hacker go after individuals?
The individual who is violated is the product, not the source.
By the way how do you propose you get treatment at a hospital without handing over personal details?
It is fascinating that after what I wrote that I somehow do not want hospitals col
Funny! mobile app scam? Maybe (Score:2)
Dead giveaway (Score:5, Funny)
'The "fraud specialists" contacting users reportedly "speak English without a discernible accent," '
I've had enough experience with various industries' "help" personnel that I'd find this extremely suspicious right off the bat.
Re:Dead giveaway (Score:4, Insightful)
I've had enough experience with various industries' "help" personnel that I'd find this extremely suspicious right off the bat.
Seriously. If you don't experience long hold times, random disconnects, and a representative that you can barely understand between the heavy accent and VoIP glitches, you're not dealing with genuine customer support.
Also, customer service issues with fraudulent/disputed charges are never resolved immediately. That's a red flag right there. It always has to be submitted as a ticket to someone higher up the chain, and the results of the dispute are usually sent via snail mail.
Re: (Score:3)
You left off removing the building from the satellite maps, but are fundamentally correct.
https://dilbert.com/strip/2022... [dilbert.com]
Re: (Score:2)
My bank called a few years ago with a mortgage offer. The offer would not work for property held in trust title. I explained this to the agent. The conversation extended to hows and whys, with good questions and insight from her side. She was sited in Jamaica. I rate this as the most honest and forthright conversation that I have ever had with a phone agent.
Accents work both ways. At my age 18, sleeping daytime after working graveyard shift, I sleep-bought Time-Life books from someone with a charmin
What if I say yes? (Score:1)
So if I say yes, they leave me alone? Why not followup either way? If I say no, I'm obviously clueless (for answering at all). If I say 'yes' I'm an even better target because my response indicates I'm one or more of the followin