Hackers targeting money is nothing new; what changes as technology improves is how they do it. To alert users to a fraudulent transaction from a stolen credit card, banks used to send a message alert asking the victims to confirm whether they had initiated the transaction. Threat actors are now spoofing these message alerts to make illegal money transfers.
According to a recent FBI Public Service Announcement, hackers have been sending spoofed message alerts asking whether the user initiated a transaction with a digital payment app. If the victim responds to the alert, the victim gets a call from a number that appears to be a legitimate 1-800 number. Pretending to reverse the fake transaction, the hackers trick users into transferring money to bank accounts owned by the threat actors.
Message and Method
Hackers use a combination of phishing and social engineering for this attack, and both techniques have a high success rate. Threat actors send these messages to the customers of financial institutions. The method is sophisticated enough that victims find it hard to tell a fake alert from a legitimate one.
“Free Msg- (Insert financial institution name here) Bank Fraud Alert- Did You Attempt an Instant Payment in the amount of $5,000.00? REPLY YES or NO or 1 To STOP ALERTS”
The financial institution name varies according to the victim’s bank account information. If the victim replies “NO” to this message, they receive the following message:
“Our fraud specialist will be contacting you shortly”
When the threat actors make the call, they speak fluent English, just as a customer support specialist would. They gain credibility with the victim by naming the victim’s financial institution and saying that they are from its fraud department. Once they have earned that credibility, they guide the user through several steps for reversing the payment.
The hackers involved in these activities appear to have researched their targets well, including their past addresses, social security numbers, and the last four digits of their credit cards. Above all, they make the call from the financial institution’s 1-800 number, which leaves the victim with no reason to be suspicious.
After confirming the victim’s personal information with them, they work through the legitimate bank website or application and instruct the victim to remove their email address from their digital payments app. The attackers then ask for the victim’s email address, which they add to a bank account they control.
Next, they tell the victim that initiating a self-transfer in the digital payments app will cancel or reverse the fraudulent transaction. The victims believe they are initiating a self-transfer, but in reality the transfer is sent to the hacker-controlled bank account. Sometimes the hackers even engage with the victims for several days. Victims realize what has happened only after they check their bank accounts.
To protect yourself from these hackers:
- Do not reply directly to an unsolicited email or message, even if it appears to come legitimately from the financial institution
- If a text is received, contact the financial institution through a verified number and do not use the number mentioned in the text
- Enable MFA on your accounts at all financial institutions, and do not share codes or passwords over the phone
- Banks never ask customers to make a self-transfer for fraudulent transactions
- Even if the caller confirms your personal details, understand that recent data breaches have leaked a lot of customer data, which threat actors use for scams like this.