Payment app users targeted by social engineering attacks

Cybercriminals are trying to trick US users of digital payment apps into making instant money transfers in social engineering attacks using text messages with fake bank fraud alerts.

The warning, released Thursday by the Federal Bureau of Investigation as a public service announcement, says attackers will call victims who respond to their phishing messages from phone numbers spoofing the 1- 800 legitimate banks.

“Under the guise of canceling the fake money transfer, victims are scammed into sending payments to bank accounts under the control of cyber actors,” the FBI said.

Fake fraud alerts refer to the payment amount and names of financial institutions and ask targets to confirm if they tried to make instant payments of thousands of dollars.

If recipients respond to the phishing text message and deny having made such a payment, they will receive a second text message stating that they will be contacted “soon”.

The scammers call as promised, usually speak English without an accent, and claim to represent the target’s bank fraud service.

The victims demanded to cancel the false payments

The end goal is to trick victims into “cancelling” the fake instant payment transaction by asking them to remove their email address from the payment app and attach it to the one under the attackers’ control.

“The actor, after requesting the victim’s email address, adds it to a bank account controlled by the actor. Once the email address is changed, the actor tells the victim to start another instant payment transaction for itself that will void or reverse the original fraudulent payment attempt,” the FBI explained.

“Believing that they are sending the transaction to themselves, the victims actually send instant payment transactions from their bank account to the bank account controlled by the actor.”

The exchanges between fraudsters and their victims can last several days, showing the determination of the scammers to succeed in their social engineering attack.

The FBI also shared a list of precautions Americans using digital payment apps should know to avoid falling victim to one of these scams:

  • Beware of unsolicited requests to verify account information. Cyber ​​actors can use email addresses and phone numbers that may then appear to be from a legitimate financial institution. If a call or text is received regarding possible fraud or unauthorized transfers, do not respond directly.
  • If an unsolicited request to verify account information is received, contact the financial institution’s fraud department through verified phone numbers and email addresses on the bank’s official websites or documentation, not via those provided in text messages or emails.
  • Enable multi-factor authentication (MFA) for all financial accounts and do not provide MFA codes or passwords to anyone over the phone.
  • Understand that financial institutions will not ask customers to transfer funds between accounts to help prevent fraud.
  • Beware of callers who provide personally identifiable information, such as social security numbers and past addresses, as proof of their legitimacy. The proliferation of large-scale data breaches over the past decade has provided criminals with massive amounts of personal data, which can be used repeatedly in a variety of scams and frauds.


Source link

Elaine R. Knight