FRAUD SQUAD
Monday, March 18th, 2024
New and innovative applications are touted as a fun way to make prank calls, but they aren’t just being used by teenagers to pull a fast one on a friend. Fraudsters are using these apps to mimic legitimate business numbers and send text messages or calls that appear to be from the victim’s trusted financial institution (FI) in a scam called bank spoofing. Scammers on the other end of the call attempt to acquire sensitive information such as bank account numbers, passwords, personal identification numbers (PINs), and authentication codes that allow money transfers or access to the account.
The Scam: Remember the days when there was no caller ID, and you could pick up the phone and pretend to be someone else just for a laugh? With the rise of innovative applications, there is a fun way to put a spin on an old trick, but these applications, created for entertainment, are now being used by threat actors to commit fraud. Apps now accessible to anyone let people make a call or text appear to come from whatever name and number they choose. While these apps are touted as a fun way to make prank calls, they aren’t just being used by teenagers to pull a fast one on a friend. Fraudsters are using these apps to mimic legitimate business numbers and send text messages or calls that appear to be from the victim’s trusted financial institution (FI). Scammers on the other end of the call attempt to acquire sensitive information such as bank account numbers, passwords, personal identification numbers (PINs), and authentication codes that allow money transfers or access to the account.
The Scheme: In February 2024, Avalon Grimes, a nurse based in New York, received a call that appeared to come from her bank, Chase. Since the caller ID displayed the same number as the one on the back of her Chase bank card, the call didn’t raise any suspicions. The scammer, posing as a bank employee, informed Grimes that her account had been breached and advised her to transfer the money in the compromised account to a new, secure account in order to protect it from fraud. The call continued with the “bank employee” attempting to help Grimes transfer the money, and that’s when the scammer asked Grimes to share the security code sent to her phone. Grimes later discovered that her hard-earned savings, amounting to $24,000, had been wired out of her account to another financial institution (FI). Chase is currently investigating and attempting to work with the FI that received the money, but if the scammer immediately withdrew the funds, then the money is not recoverable. In that case, Grimes would never get her money returned.
In a similar case, Angel Pineda of Texas, who is also a Chase account holder and nurse, was scammed out of $49,000. Pineda often has to communicate with Chase to confirm large transactions like car or rent payments, so when a call came in that appeared to be from the FI, it didn’t raise any red flags. In mid-December 2023, Pineda received a call identified by caller ID as Chase. The “bank employee” used the same tactic that was used with Grimes in the previous story and informed Pineda that his account was flagged for fraudulent activity. He was asked to share personal information so the “bank employee” could open a secure account and transfer the funds in order to protect his money. Pineda authorized a $49,000 wire transfer to the new account. A week later, Pineda called Chase to get assistance in accessing the new account, but he found out that there was no account with Chase, and his money was gone – he was scammed.
Fraud Geek Explains
Bank spoofing is a common and destructive scam in which fraudsters impersonate banks to steal money and data. While savvy criminals may use their own methods or technology to spoof legitimate phone numbers, it has become easier and easier with the help of entertainment apps. Currently, there are a variety of apps available, many for free, to spoof numbers and make prank calls. The con is simple – the fraudster chooses a number or name for display on caller ID and then makes the call to you. Because banks now use fraud detection and protection methods that alert customers to suspicious activity, consumers will often fall for the fake call: it appears to be their own FI calling to alert them of fraudulent activity on their account. Both Grimes and Pineda fell victim to bank spoofing simply because they trusted the caller ID, and the scam spiraled when they didn’t recognize the red flags. As information about these tactics continues to spread through information sharing, hopefully, consumers will better understand how to navigate these kinds of calls to avoid losing their private data or assets.
With the rise of scammers using technology to conceal their identity and target consumers, the government has made attempts to tighten regulations. The Truth in Caller ID Act of 2009 was enacted “to prohibit anyone from causing a caller ID service to knowingly spoof with the intent to defraud, cause harm or wrongly obtain anything of value.” In 2018, the Ray Baum Act was passed to extend these prohibitions to text messages and to international calls that originate outside the US and target those who reside in the US. And in 2019, the Federal Communications Commission (FCC) adopted new rules that allow the legal pursuit of scammers sending spoofed calls and texts, including international fraudsters who make spoofed calls to Americans.
Phone companies have also been called into action to help stop the threat of spoofing, with some creating and implementing spam blockers and caller ID authorization, but spoofing still poses a significant threat.
Fraud Geek’s Advice
While regulations have been getting increasingly stringent to prevent these scams and protect consumers, financial institutions are not under any obligation to refund money if a customer authorizes a transfer of funds as a result of bank spoofing. Some FIs have taken these rising threats into account and work with their customers to investigate and recover funds when such scams occur, but the best course of action is to prevent the fraud from ever happening.
Consumers can protect themselves by remembering the following:
Individuals should always be skeptical of any unsolicited text or call from their bank, even if the caller ID identifies the financial institution as the sender/caller – especially if it claims to need an immediate response or attention. Remember:
Financial Institutions: Keep Your Customers Protected
The DefenseStorm Difference:
DefenseStorm approaches fraud differently by looking at both monetary and non-monetary transactions to catch fraud before funds leave the bank. Our GRID Active Fraud Prevention product identifies unusual patterns, such as exceptionally large withdrawals within a short period of time not consistent with normal activity. Our ability to monitor, detect, and alert on suspicious activity across all departments – including Originations, Online and Mobile banking, and Internal Fraud with Employee Activity Monitoring – allows the FI to stop fraudsters before funds leave the account.