New Phishing Scam Tricks Victims Into Transferring Funds With Text Message

The Federal Bureau of Investigation has released a public service announcement to alert the public to a new scam gaining significant traction in recent months. The phishing scam involves cybercriminals sending text messages to victims that appear to be bank fraud alerts asking if the customer has recently initiated a money transfer using their bank app. Once the victim responds to the text, the cybercriminals call the victim from what appears to be their banking institution’s legitimate 1-800 support number. By convincing the victim they need to do a reverse money transfer, the bad actors are able to swindle the bank account information and instead deliver the funds to the cybercriminal’s account. These scams have been so effective because these bad actors are very polished in their scam.  They create a false sense of urgency and get you to react quickly, trying to keep you on the phone and not let you call the bank to verify the caller.

The FBI recommends the following precautions to prevent being a victim of this scam:

• Be wary of unsolicited requests to verify account information. Cyber actors can use email addresses and phone numbers that may appear to come from a legitimate financial institution. Do not respond directly if a call or text regarding possible fraud or unauthorized transfers is received.
• If an unsolicited request to verify account information is received, contact the financial institution's fraud department through verified telephone numbers and email addresses on official bank websites or documentation, not through those provided in texts or emails.
• Enable Multi-Factor Authentication (MFA) for all financial accounts, and do not provide MFA codes or passwords to anyone over the phone.
• Understand financial institutions will not ask customers to transfer funds between accounts to help prevent fraud.
• Be skeptical of callers who provide personally identifiable information, such as social security numbers and past addresses, as proof of their legitimacy. Over the last decade, large-scale data breaches have supplied criminals with enormous amounts of personal data, which may be used repeatedly in various scams and frauds.

If you would like to learn more about different phishing scams and how you can protect yourself, you can read about the American Banking Association’s campaign Banks Never Ask here, which includes what you should do if you ever receive a scam email or text:

• Take a deep breath. In most cases, opening a scam email or text is perfectly safe. Modern mail apps, like Gmail, detect and block any code or malware from running when you open an email. The key is not to click suspicious links or download attachments.
• Do not download any attachments in the message. Attachments may contain malware such as viruses, worms, or spyware.
• Do not click suspicious links that appear in the message. Links in phishing messages direct you to fraudulent websites.
• Do not reply to the sender. Ignore any requests from the sender and do not call any phone numbers provided in the message.
• Report it. Help fight scammers by reporting them. Forward suspected phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org. If you got a phishing text message, forward it to SPAM (7726). Then, report the phishing attack to the FTC at ftc.gov/complaint.

And if you think you may be a victim of a phishing scam:

1. Contact your bank, financial institutions, and creditors
   • Speak with the fraud department and explain that someone has stolen your identity.
   • Request to close or freeze any accounts that may have been tampered with or fraudulently established.
   • Make sure to change your online login credentials, passwords, and PINs.
2. Secure your email and other communication accounts
   • Many people reuse passwords, and your email or cell phone account may also be compromised.
   • Immediately change your accounts’ passwords and implement multi-factor authentication — a setting that prevents cybercriminals from accessing your accounts, even if they know your password — if you haven’t already done so.
3. Check your credit reports and place a fraud alert on them
   • Get a free copy of your credit report from annualcreditreport.com or call 877.322.8228.
   • Review your credit report to ensure unauthorized accounts are not opened in your name.
   • Report any fraudulent accounts to the appropriate financial institutions.
   • Contact one of the three credit bureaus to place a fraud alert on your credit. That company must tell the other two.
     • Experian: 888.397.3742 or experian.com
     • TransUnion: 800.680.7289 or transunion.com
     • Equifax: 888.766.0008 or equifax.com
4. Contact ChexSystems at 888.478.6536 to place a security alert on the compromised checking and savings accounts when a deposit account has been impacted.
5. Contact the Federal Trade Commission to report an ID theft incident: visit ftc.gov/idtheft or call 877.438.4338.
6. File a report with your local law enforcement.
   • Get a copy of the report to submit to creditors and others who may require proof of the crime.

NASB recently conducted a webinar called Financial Fitness and Avoiding Exploitation, which you can watch here. The webinar also discusses popular scams and how to avoid them.