A new social engineering scam is doing the rounds, and this one is particularly insidious: tricking users into sending money to what they think is their own account to reverse a fraudulent charge.
The FBI’s Internet Crime Complaint Center (IC3) issued the warning, which it says involves cybercriminals who have clearly done their homework. “In addition to knowing the victim’s financial institution, the actors often had additional information such as the victim’s past addresses, social security number, and last four digits of their bank accounts,” the IC3 report said.
The scam begins the way many targeted attacks do these days: with a text message. In this case, it’s not a phishing attempt; it’s a way to check whether the person receiving the message is susceptible to further manipulation. Impersonating the target’s bank, the message asks if a large charge ($5,000 in the example given by the FBI) was legitimate and asks for a YES or NO response. Either response leads to a follow-up SMS: “Our fraud specialist will contact you shortly.”
This is where social engineering comes in, and the FBI paints a picture of a sophisticated operation.
“Fraud specialists” contacting users “speak English with no discernible accent”, and once they have established their credibility with the victim, they move on to “help” them “reverse” the bogus transaction.
It gets even more insidious here: the charges being disputed aren’t direct bank charges; they’re payments made through an instant payment app like Venmo or Cash App. The scammer never asks for a password or any other information that might tip the victim off that something is wrong.
Instead, the caller instructs the victim to use their bank’s website or app to remove their email address from the digital payment app (thus unlinking the app from the bank account), and the fraudster then adds that email address to an account they control. Next, the victim is told to send the same amount as the fake payment to themselves using their own email address, which is now linked to the criminal-controlled account.
“Victims often only realize they’ve been scammed after checking their financial account balance,” the FBI said.
The FBI says the usual advice for avoiding phishing applies here: do not respond to unsolicited requests to verify information; if you receive one, contact your financial institution directly; keep MFA enabled on all accounts; and be wary of anyone offering your own personally identifiable information as proof of their legitimacy. Additionally, the FBI said “financial institutions will not ask customers to transfer funds between accounts to help prevent fraud.”
Social engineering is a problem on the internet that dates back almost to its inception, and it treats digital crime the same way crimes in the physical world are planned: what is the path of least risk with the greatest reward?
Online, it’s less about brute force or technical skill, both of which require knowledge, training and time, and more about scamming, which is easier in the digital world, where personal charisma is less essential.
Those who have not yet come into contact with a social engineering attack are a rapidly shrinking group: according to one statistic, 98% of cyberattacks involve social engineering to some degree.