It pays to be careful where cold calls from someone claiming to work for your bank are concerned. Scam callers are impersonating bank staff, with suggestions of dubious payments made to your account. One unfortunate individual has already lost around $1,000 to this slice of telephone-banking based fraud. With a little press intervention they were lucky enough to get it back. Sadly most people don't get that far.
What's happening, and how can you avoid it?
An unauthorised payment: A scammer's steps to success
This attack has several steps. Here's how it plays out:
- The scam begins with a call from a supposed fraud team. This is a common confidence trick, it sounds convincing and it has a sense of urgency built in. The call also spoofs the caller ID of the bank, another easy-to-pull-off tactic which makes the call look more plausible.
- Setting the recipient of the call off-balance is the aim of the game. And what better way to have them second guess themselves than by referring to technology they may not have used before? In this case, the scammer claims the victim's bank account has made a fraudulent Zelle transfer of $1,000 to somebody in Texas. Zelle is a US based digital payments network. To the recipient of such a call, it may well just sound like a big scary thing has happened to their money which they don't fully understand.
- Adding some time-based pressure is the final blow. "Hurry up and follow my dubious instructions or you lose all of your money" is a very successful tactic. Victims are dissuaded from calling their bank directly because they would just be "redirected back to the fraud team". In this case, the victim was told to reverse the transaction by punching in a code given to them by the fraudster. After the first $1,000 vanished, the scammer risked it all on another claim of $5,000 in fraudulent transfers. Thankfully, the victim was having none of it and more losses were averted.
Am I protected?
It's trickier than ever to deal with a case of banking fraud. Banks and payment systems increasingly put the onus on the individual to not get caught out by deception. If you bank online and send people money, you'll likely have gone through a fraud check flow.
This is where the site asks you to confirm who you're sending money to and why. If you select "romance" (for example), you'll be warned about romance scams and eventually you'll tick a box to confirm that you recognise the risks. If something goes wrong, on your own head be it.
This is almost note for note what happened to the person in the news story above. The bank said that because the victim "authorised" the payment, no protection was in place. This is clearly not an accurate reading of what happened, and the money request was clearly fraudulent. Even so, this is what you may have to contend with should you wander into a fraud situation.
Watch out for red flags
There's several aspects of this attack common to many others which may indicate a fraud attempt.
- They don't want you to call the bank back. If you do this, the fraud falls to pieces. A genuine member of staff would have no issue with you calling them yourself.
- Pressure tactics. If a bank calls you out of the blue and claims that they're powerless to stop something without your assistance, be very cautious. Is your bank really unable to perform a basic banking action?
- Knowing your date of birth, address, and other information doesn't mean the caller is genuine. They may have obtained the data from a phish, or a security breach.
- Referencing third party payment apps may be another red flag, especially if they talk about technology you've not used before.