Cybercriminals targeting banks and financial institutions for social engineering
The Department of Justice Federal Bureau of Investigation sent out a notice that cybercriminals target victims to transfer funds into their accounts. This kind of scam has always existed in one form or another. Today, almost all of us have banking or financial apps on our phones or computer. Hackers utilise it by sending in mass scam payloads and trying to lure victims.
Issue warned by FBI's Internet Crime Complaint Center brought out the devastating insights on hackers tricking users into spending money. Victims think they are using the money in their account when lured into the trap, but the case is different.
A public service announcement report said, "cybercriminals are targeting victims by sending text messages with what appear to be bank fraud alerts asking if the customer initiated an initiated money transfer using digital payment applications (apps)." The actual game begins once the victim takes the notification as a legitimate one and responds to the alert. A call comes into the victims' device, which seems next to the official number of financial institutions. 1-800 support number is used.
Under the pretext, a fake money transfer request is sent where victims input their payment or bank account details. Cyber attackers take control of the victim's financial account once enough details are gathered. Additionally, with victims' financial information, attackers launch their exploit further and collect "past victim's address, social security number (SSN) and last four digits of their bank accounts." IC3 took the time to reveal almost every kind of information related to the attack, but it will take time for the message to go to every individual.
Messages sent by threat actors are pretty interesting. They will not ask for critical information in the first message. They will check if the victim can be lured into the trap before wasting time on them. Firstly, they take in a Yes or No transmission and once the victim responds, follow up text comes. It can say things like, "Our fraud specialist will contact you shortly."
FBI tried to put together a sophisticated picture as simple as possible for non-techy people to understand easily. They said if "fraud specialists" contact comes to people, they should be careful. An easy way to learn about them is the discernible accent. The fraudulent actor never asks for a password, instead asks for a transaction in CashApp or Venmo. Which instantly transfers funds, and there is no way to get the money back.
We've seen call centre IT people who would try to take control of the computer, especially people of old age who have very little IT knowledge. Screen sharing app such as TeamViewer or Anydesk is used to take mouse and keyboard control.
The dangerous thing is to imitate instant transactions through third-party payment apps; only email and mobile numbers are required. Here's a snippet the FBI provided:
Free Msg- (Insert financial institution name here) Bank Fraud Alert- Did You Attempt an Instant Payment of $5,000.00? REPLY YES or NO or 1 To STOP ALERTS.
The recommendation is pretty straightforward too. FBI asked citizens to be wary of unsolicited requests to verify account information. The verification process can give complete control to threat actors. Contacting the financial institution is the best way to go, as they can immediately check account status and turn off the transaction process if needed. Because once the funds are sent, it only takes a few seconds for attackers to make sure they can never be taken back again.
Multi-factor authentication (MFA) and two-factor authentication (2FA) should be there and never provided these codes to anyone. Even the financial institution would not ask for passwords and login codes. Those unaware of the latest scams and social engineering tactics should be careful who is contacting them if their fund remains on the digital platform.