In the new scam, a thief will pretend to be using the same number as their victim's bank, in order to convince the victim they're a legitimate bank employee. Chainarong Prasertthai/Getty
A new phishing scam is hitting banking customers—and this time, the scammers make it seem like their messages are coming from the real customer service line or fraud prevention hotline.
The scam was revealed by wrestling announcer Lenny Leonard, who says that when he’s not calling body slams and sleeper holds, he’s a “mid-level executive with a very large financial institution.” In a Twitter thread, he details the new scam and how not to fall for it.
FRAUD SCAM ALERT: a thread As some of you know my day job is as a mid-level executive with a very large financial institution Wanted to send a heads up about a scam that we are not only seeing at my bank but was attempted on me as well with one of my accounts at another bank — Lenny Leonard (@WWNLennyLeonard) April 21, 2022
Leonard warned on Thursday that he had been called by a scammer who had spoofed the legitimate phone number to his bank. The scammer then sent a fraud alert using this number, asking if he recognized a certain charge.
“When you reply no, they IMMEDIATELY call you from the number that appears to be your banks legit phone number but they are masking their true number,” Leonard wrote. “They will ask to verify personal & account information in an attempt to access your funds & once they gain access you’re f***ed.”
In Leonard’s case, he says that when he told the scammer that he’d have to call them back, the scammer told him to look at the back of his debit card to confirm that they were calling from the same number. After telling off the scammer, Leonard says he called his bank and, sure enough, no legitimate alert had been sent, nor had any unusual activity been seen on his account.
Leonard told his followers how to not fall for the scam.
“If you EVER have someone CALL YOU and say they are your bank, do NOT provide any information like that over the phone on an INBOUND CALL,” he wrote. “Tell them you need to call them back & make sure you are dialing the number on the back of your card NOT a # they give you”.
Leonard told Newsweek that though he didn’t have too much more to add beyond what he already wrote, he did urge people to share the warning with friends and family.
“I would just urge everyone to make sure they are sharing this with their less tech savvy friends and family because the text I got looked EXACTLY like a prior text I had gotten from the bank my account is with,” Leonard told Newsweek.A representative from Chase also confirmed that the company was familiar with the scam.
“Unfortunately, scammers target consumers from many banks. We urge all consumers to never share their banking passwords or send money to someone who tells them that doing so will prevent fraud on their account. Bank employees won’t call, text or email consumers asking for this information, but scammers will,” Amy Bonitatibus, Chase’s chief communications officer, told Newsweek.
While spoofing a phone number is common with scammers, often it’s a fake number as well, though Western Bank warns their customers that fake calls can come from a number they recognize.
The bank also lists a variation on the scam Leonard warns of. In the version Western Bank describes, a scammer spoofs the legitimate customer service number of the bank, like before. But this time, anticipating a response like Leonard’s, the scammer will ask the victim to call them back using the same number that’s on the back of the debit card—which is the same as the one they’re spoofing.
In this variation, though, they’ll leave the phone connection active, fooling the victim with a fake dial tone. Once the victim dials, the scammer “answers,” in hopes that the victim will be fooled into thinking the scammer is indeed a legitimate employee.
One way to thwart this is to remember that a real bank employee will already have your information. Never offer up important information like a bank account number. Instead, ask the bank employee if you can confirm their information by asking them to read off what they have.
In addition, banks will never ask for a PIN, a full Social Security number or a customer’s online banking username and password. Banks already have access to customers’ accounts, and when it comes to Social Security numbers, a legit bank employee will only ask for the last four digits to confirm.
Source: Scammers Have a New Way to Phish for Bank Account Information, Banker Says
Woman With Missing Dog Gets Scam Texts Threats To Expose Affair to Her Wife Accused Leader of GoFundMe Scam With Homeless Vet Sentenced to 27 Months How ‘The Tinder Swindler’ Made This Woman Realize She Was Being Scammed
Phishing for phishing awareness”. Behaviour & Information Technology. 32 (6): 584–593. doi:10.1080/0144929X.2011.632650. ISSN 0144-929X. S2CID 5472217.Phishing attacks and countermeasures”. In Stamp, Mark; Stavroulakis, Peter (eds.). Handbook of Information and Communication Security. Springer. ISBN 978-3-642-04117-4.
Internet Crime Report 2020″ (PDF). FBI Internet Crime Complaint Centre. U.S. Federal Bureau of Investigation. Retrieved 21 March 2021.The Phishing Guide: Understanding and Preventing Phishing Attacks”. Technical Info. Archived from the original on 2011-01-31. Retrieved 2006-07-10.
The Big Phish: Cyberattacks Against U.S. Healthcare Systems”. Journal of General Internal Medicine. 31 (10): 1115–8. 2005). “A Leet Primer”. TechNewsWorld.Security Usability Principles for Vulnerability Analysis and Risk Assessment”. Proceedings of the Annual Computer Security Applications Conference 2007 (ACSAC’07). Archived from the original on 2021-03-21. Retrieved 2020-11-11.
Susceptibility to Spear-Phishing Emails: Effects of Internet User Demographics and Email Content”. ACM Transactions on Computer-Human Interaction. 26 (5): 32. Data Breach Investigations Report” (PDF). PhishingBox. Verizon Communications. Retrieved 21 March 2021.
Fifteen years of phishing: can technology save us?”. Computer Fraud & Security. 2019 (7): 11–16. doi:10.1016/S1361-3723(19)30074-0. S2CID 199578115. Retrieved 21 March 2021.The Black Market for Netflix Accounts”. The Atlantic. Retrieved 21 March 2021.
Spear Phishing: Who’s Getting Caught?”. Firmex. Archived from the original on 2014-08-11. Retrieved July 27, 2014.Hacking Gets Personal: Belgian Cryptographer Targeted”. Info Security magazine. 3 February 2018. Retrieved 10 September 2018.
RSA explains how attackers breached its systems”. The Register. Retrieved 10 September 2018.Epsilon breach used four-month-old attack”. itnews.com.au. Retrieved 10 September 2018.
What Phishing E-mails Reveal: An Exploratory Analysis of Phishing Attempts Using Text Analyzes”. SSRN Electronic Journal. doi:10.2139/ssrn.3427436. ISSN 1556-5068. S2CID 239250225. Archived from the original on 2021-03-21. Retrieved 2020-11-02.
Threat Group-4127 Targets Google Accounts”. secureworks.com. Archived from the original on 2019-08-11. Retrieved 2017-10-12.How the Russians hacked the DNC and passed its emails to WikiLeaks”