CBS This Morning recently reported about a growing bank scam that is targeting customers with realistic “call from” numbers. Today’s technology allows scammers to impersonate incoming call telephone numbers, and they are using it very effectively. For instance, scammers can make it seem like the incoming call is from the IRS, your bank, or a well-known company. In short, the “call from” telephone number you see on your phone may not be real. Always be on your guard!
How the scam works
- You get a call with a caller ID from your bank, so you answer it.
- The caller identifies themselves as a bank representative, asking if you performed a certain transaction recently. Which, of course, you didn’t.
- The caller will then say that “he is going to send you a one-time code to your cell phone. When received, please read it back.”
- You get the code and read it back.
- The caller will try to keep you on the phone and ask for more identifying information.
- At some point, the call will end.
What just happened?
You were scammed and unknowingly let a criminal into your bank account. Here’s how.
When the hacker “sent you a one-time code and asked that you read it back,” he had already logged into your account with your credentials, but because you had two-factor authentication, he needed you to tell him the code that your bank’s system texted to your cell phone. Once you gave him the security code, he was in, cleaning out your account.
Why is this scam so effective?
As readers of our blog have heard me say time and again, the most feared hacker is a Social Engineer with technical skills. A social engineer knows how to talk to people and convince them to do things that they would normally never do. For instance, most people know to never give their security code to anyone over the phone; yet many do when convinced by a social engineer. They’re very good at their job!
In this scam, the phone call appeared to come from the target’s bank. Today’s technology allows scammers to spoof any number they choose. Because of this, the target was convinced that the call was legitimate.
The second reason it seemed legitimate was that since the caller already had the target’s login credentials, he didn’t need to ask for it, making the call less suspicious. The hacker probably got the victim’s login credentials from the Dark Web.
How to protect yourself from the phone Bank scam
- Never trust Caller ID, technology has rendered it suspect. Always be skeptical.
- Understand that a legitimate caller from your bank would NEVER send and ask you to repeat codes. They don’t need them because legit bank personnel already have all the access they need to perform transactions on your account.
- Legitimate bank personnel would not need to ask for your account number, social security number, any security codes, name, address, etc. They already have that information on file.
- Always ask, “if the bank is calling me, then why is this person asking me to identify myself?”
- Anytime you get such a call, hang up, then immediately call your bank using their official contact information and report the incident.
- Immediately change your password since it has already been compromised.
- Review your bank transactions often; daily, if possible, and question any transaction you don’t recognize.
- Put automated alerts on your accounts, so you are aware of transactions as soon as they happen.
Putting two-factor authentication (2FA) on all accounts that give you that option is a great way to increase fraud protection. However, if you give the security code to anyone, then you defeat the purpose of 2FA.
If you are ever asked to give “one-time codes” to anyone, don’t do it, you’re being scammed.
XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions whose systems protect 460+ Petabytes of data with over 1400+ employees and 9 offices around the globe. Call (845) 362-9675 and let us introduce you to the ultimate defense against data loss—whatever the cause. Backup & Disaster Recovery | Business Continuity | Data Risk Assessment