FRAUD SQUAD

Hi, It’s Your Financial Institution…or is it?

Monday, March 18th, 2024


New and innovative applications are touted as a fun way to make prank calls, but they aren’t just being used by teenagers to pull a fast one on a friend. Fraudsters are using these apps to mimic legitimate business numbers and send text messages or calls that appear to be from the victim’s trusted financial institution (FI) in a scam called bank spoofing. Scammers on the other end of the call attempt to acquire sensitive information such as bank account numbers, passwords, personal identification numbers (PINs), and authentication codes that allow money transfers or access to the account.

The Scam: Remember the days when there was no caller ID, and you could pick up the phone and pretend to be someone else just for a laugh? Innovative applications have put a new spin on that old trick, but apps that were created for entertainment are now being used by threat actors to commit fraud. Apps now accessible to anyone let a caller make a call or text appear to come from whatever name and number they choose. While these apps are touted as a fun way to make prank calls, they aren’t just being used by teenagers to pull a fast one on a friend. Fraudsters are using these apps to mimic legitimate business numbers and send text messages or calls that appear to be from the victim’s trusted financial institution (FI). Scammers on the other end of the call attempt to acquire sensitive information such as bank account numbers, passwords, personal identification numbers (PINs), and authentication codes that allow money transfers or access to the account.

The Scheme: In February 2024, Avalon Grimes, a nurse based in New York, received a call from her bank, Chase. Since the caller ID displayed the same number as the one on the back of her Chase bank card, the call didn’t raise any suspicions. The scammer, posing as a bank employee, informed Grimes that her account had been breached and advised her to transfer the money in the compromised account to a new, secure account in order to protect it from fraud. The call continued with the “bank employee” attempting to help Grimes transfer the money, and that’s when the scammer asked Grimes to share the security code sent to her phone. Grimes discovered that her hard-earned savings, amounting to $24,000, had been wired out of her account to another financial institution (FI). Chase is currently investigating and attempting to work with the FI that received the money, but if the scammer immediately withdrew the funds, then the money is not recoverable. In that case, Grimes would never get her money returned.

In a similar case, Angel Pineda of Texas, who is also a Chase account holder and nurse, was scammed out of $49,000. Pineda often has to communicate with Chase to confirm large transactions like car or rent payments, so when a call came in from the FI, it didn’t raise any red flags. In mid-December 2023, Pineda received a call identified by caller ID as Chase. The “bank employee” used the same tactic that was used with Grimes in the previous story and informed Pineda that his account was flagged for fraudulent activity. He was asked to share personal information so the “bank employee” could open a secure account and transfer the funds in order to protect his money. Pineda authorized a $49,000 wire transfer to the new account. A week later, Pineda called Chase to get assistance in accessing the new account, but what he found out was that there was no account with Chase, and his money was gone – he was scammed.

Fraud Geek Explains

Bank spoofing is a common and destructive scam in which fraudsters impersonate banks to steal money and data. While savvy criminals may use their own methods or technology to spoof legitimate phone numbers, entertainment apps have made it easier and easier. Currently, a variety of apps, many of them free, are available to spoof numbers and make prank calls. The con is simple – the fraudster chooses a number or name for display on caller ID and then makes the call to you. Because banks’ current fraud detection and protection methods include contacting customers, consumers will often fall for the fake call: it appears to be their own FI calling to alert them of fraudulent activity on their account. Both Grimes and Pineda fell victim to this bank spoofing simply because they trusted the caller ID, and the scam spiraled when they didn’t recognize the red flags. As information about these tactics continues to spread through information sharing, hopefully, consumers will better understand how to navigate these kinds of calls to avoid losing their private data or assets.

With the rise of scammers using technology to conceal their identity and target consumers, the government has made attempts to tighten regulations. The Truth in Caller ID Act of 2009 was enacted “to prohibit anyone from causing a caller ID service to knowingly spoof with the intent to defraud, cause harm or wrongly obtain anything of value.” In 2018, the Ray Baum Act was passed to extend these prohibitions to text messages and to calls originating from outside the US that target those who reside in the US. And in 2019, the Federal Communications Commission (FCC) adopted new rules that will allow the legal pursuit of scammers sending spoofed calls and texts, including international fraudsters who make spoofed calls to Americans.

Phone companies have also been called into action to help stop the threat of spoofing, with some creating and implementing spam blockers and caller ID authorization, but spoofing still poses a significant threat.

Fraud Geek’s Advice

While regulations have been getting increasingly stringent to prevent these scams and protect consumers, financial institutions are not under any obligation to refund money if a customer authorizes a transfer of funds as a result of bank spoofing. Some FIs have taken into account these rising threats and work with their customers to investigate and recover funds if they occur, but the best course of action is to prevent the fraud from ever happening.

Consumers can protect themselves by remembering the following:

Individuals should always be skeptical of any unsolicited text or call from their bank, even if the caller ID identifies the financial institution as the sender/caller – especially if it claims to need an immediate response or attention. Remember:

  • Your financial institution will never ask you to share personal information or your password.
  • Never share a verification code that was sent to your phone or email.
  • Do not share any information with a caller who may ask to verify information.
  • Set up two-factor authentication with your financial institution.
  • If you do answer a call from your financial institution, do not engage in conversation with the unknown caller – even if they claim to be a bank employee. Instead, hang up and call the customer service number on the back of your card – do not follow a link or call a number given on the call or text.
  • Educate yourself: Contact your financial institution to understand how fraud is flagged and verified. Great questions to ask: (1) How will I be notified about fraudulent activity on my account? (2) What do I do if I think I’m the victim of fraud?
  • Remember: It is not just banks that are spoofed—many scammers will also spoof credit card companies, credit monitoring businesses, and government agencies like local law enforcement, the Federal Bureau of Investigation, and the Internal Revenue Service.

Financial Institutions: Keep Your Customers Protected

  • Educate customers on common fraud schemes, including bank spoofs [texts, emails, and calls], and how to avoid them.
  • Consider a security awareness campaign with emails and banners reminding customers of red flags for fraud.
  • Monitor customer accounts for unusual activity, such as large or frequent wire transfers, and contact the customer to verify the transactions.
  • Use fraud detection software to identify suspicious patterns and behavior.
  • Train employees to recognize and report potential fraud, including tech support scams.
  • Partner with law enforcement agencies to share information and coordinate efforts to combat fraud.
  • Conduct regular audits of security protocols and procedures to ensure they are up-to-date and effective.
  • Implement strict verification procedures for wire transfers and other high-risk transactions.
  • Use encryption and other security measures to protect customer data from unauthorized access.
  • Stay up-to-date on the latest fraud trends and tactics and adjust security protocols accordingly.
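The monitoring and verification items above can be combined into a single hold rule for outgoing wires. The following is an added illustration, not code from DefenseStorm or any financial institution: the `Wire` record, the thresholds, the signal names and all sample data are constructed assumptions, with the suspect wire shaped like the cases described earlier.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Wire:
    customer: str
    payee: str
    amount: float
    when: datetime

def review_reasons(wire, history, balance, code_sent_at=None, size_multiple=5.0,
                   drain_fraction=0.8, code_window=timedelta(minutes=30)):
    """Return the signals that argue for holding this wire until the customer
    is reached on a number already on file (thresholds are illustrative)."""
    past = [w for w in history if w.customer == wire.customer]
    reasons = []
    if wire.payee not in {w.payee for w in past}:
        reasons.append("new_payee")            # destination never paid before
    # No history means no baseline, so any amount counts as unusual.
    typical = median(w.amount for w in past) if past else 0.0
    if wire.amount > size_multiple * typical:
        reasons.append("amount_vs_baseline")   # far above normal payments
    if balance > 0 and wire.amount / balance >= drain_fraction:
        reasons.append("drains_balance")       # most of the savings leave at once
    if code_sent_at is not None and timedelta(0) <= wire.when - code_sent_at <= code_window:
        reasons.append("recent_code")          # security code issued just before
    return reasons

def should_hold(reasons, min_signals=2):
    """Hold for out-of-band verification when enough signals coincide."""
    return len(reasons) >= min_signals

# Constructed sample data: routine payments, then a wire shaped like the cases above.
HISTORY = [
    Wire("C-1001", "LANDLORD LLC", 1800.0, datetime(2024, 1, 1, 9, 0)),
    Wire("C-1001", "AUTO LOAN CO", 450.0, datetime(2024, 1, 15, 9, 0)),
    Wire("C-1001", "LANDLORD LLC", 1800.0, datetime(2024, 2, 1, 9, 0)),
]
ROUTINE = Wire("C-1001", "LANDLORD LLC", 1800.0, datetime(2024, 3, 1, 9, 0))
SUSPECT = Wire("C-1001", "UNKNOWN PAYEE 01", 24000.0, datetime(2024, 3, 4, 14, 12))
CODE_SENT = datetime(2024, 3, 4, 14, 6)

if __name__ == "__main__":
    for wire, code in ((ROUTINE, None), (SUSPECT, CODE_SENT)):
        reasons = review_reasons(wire, HISTORY, balance=25000.0, code_sent_at=code)
        print(wire.payee, reasons, "HOLD" if should_hold(reasons) else "release")
```

Requiring at least two coinciding signals keeps a customer's ordinary first payment to a new payee from being held on its own, while a large, balance-draining wire to an unknown account minutes after a security code was issued is stopped for a callback.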

The DefenseStorm Difference:

DefenseStorm approaches fraud differently by looking at both monetary and non-monetary transactions to catch fraud before funds leave the bank. Our GRID Active Fraud Prevention product identifies unusual patterns, such as exceptionally large withdrawals within a short period of time not consistent with normal activity. Our ability to monitor, detect, and alert on suspicious activity across all departments – including Originations, Online and Mobile banking, and Internal Fraud with Employee Activity Monitoring – allows the FI to stop fraudsters before funds leave the account.

JPMorgan Chase Customer’s Life Savings Swiped in Sophisticated Scam – Why Apple Is Abruptly Deleting Apps in Response https[:]//dailyhodl[.]com/2024/02/10/jpmorgan-chase-customers-life-savings-washed-away-by-scammer-why-apple-is-abruptly-deleting-apps-in-response/

CBS New York Investigates Spoofing Scams after Nurse loses $24,000 https[:]//www[.]youtube[.]com/watch?v=5fCDxqYR3BM

East Texas nurse loses $49,000 in banking scam https[:]//www[.]cbs19[.]tv/article/news/local/traveling-nurse-loses-49000-in-banking-scam/501-8a4770f8-bb0a-4b55-94a7-d344cb398b73

Federal Communications Commission (FCC) – Spoofing https://www.fcc.gov/spoofing

Federal Communications Commission (FCC) – PDFs https://docs.fcc.gov/public/attachments/DOC-358841A1.pdf and https://www.fcc.gov/sites/default/files/caller_id_spoofing.pdf

DefenseStorm

DefenseStorm experts collaborate to share valuable insights, tips, trends, and resources about cyber risk management. Information sharing is a critical component of cyber risk readiness and considered a best practice to improve cyber risk awareness. As a leader in the industry, we strive to build a community of trust by providing the most current and important information that affects your financial institution.