Fraud Masquerades as Anti-Fraud
Many of us have received a phone call or other notification from a credit card company telling us that they’ve detected suspicious activity on our card. Was it us? Did we just spend $500 at that big box store up the road? No? Thank you; there’ll be no charge. Or, if that was you, then you need take no further action.
Grifters have begun impersonating that sort of notification, and in a case reported by ABC7 News San Francisco, they induced victims to send them payments through the Zelle quick-pay app. The scam began with a text message asking a potential victim if she’d just charged “$432 at a Walmart in Texas.” She texted “no,” in reply, at which point her phone rang. The voice on the other end said, “Hi, this is the Bank of America fraud department,” and said that someone was using Zelle to withdraw money from her paycard account. The scam continued, offering further bogus details. “‘Now I see Zelle for $2,000 taken out of your account. Did you just do that?’ ‘No.’ ‘I also see one for $1,500. Did you Zelle anyone for $1,500?’ ‘No, I did not.’”
At this point the grifter set the hook. The victim could protect herself and prevent losses by sending the money back to herself through Zelle. This transfer, unlike the ones described in the scam call, unfortunately was real, but the funds were destined for the grifters’ account, not the victim’s. She was now out $5500. The tip-off should have been the recommendation to transfer funds, but the preparatory conversation was enough to dull the victim’s alertness.
The fraudster took pains to inoculate the scam against interference from the real Bank of America. “You’re gonna get a text saying that we’ve detected suspicious transfer activity, that it could be possible fraud or scam,” he said. “Don’t worry about that. We’re taking care of that right now in this phone call.” Sure enough, the victim disregarded the real warnings that quickly showed up.
Bank of America told ABC7 News:
“Bank of America will never ask a client to send money to themselves or anyone, ever. Spoofing and fraud communications often have urgency, typos, asking clients to send money etc. They use more and more sophisticated methods to appear to be authentic from the bank. Bank of America prioritizes client protection and works with clients to mitigate risks. When sending money using Zelle, clients receive several messages alerting them to red-flags that indicate a scam. Clients with questions should call the customer service number on their debit or credit card or bank statement to confirm any questionable or fraudulent inquiries.”
This particular incident was retail-level fraud, going after an individual consumer, but similar scams can easily be mounted against businesses. Going with your gut is an unreliable security check. Not every scam call sounds like it’s coming from a sleazy boiler room. “The guy was very friendly, calm, kind, clearly educated… it was very creepy in retrospect,” the victim in this case said. But new-school security awareness training can help your employees recognize social engineering they might otherwise fall for.
ABC7 News (KGO-TV, San Francisco) has the story.