Numerous fraudsters are trying to deceive US-based users of digital payment apps into making quick cash transfers in social engineering attacks using SMS messages with phoney bank fraud alerts.
The FBI warned the public about the circulating scam. In the public service announcement, the agency stated that the threat actors would contact the victims who responded to their phishing SMS from phone numbers that impersonated the banks’ legal 1-800 support number.
They added that fraudsters trick the victims into sending payments to bank accounts controlled by their adversaries. Moreover, the fake fraud alerts then cite the payment amount and banking institution names and inquire to the targets to confirm if they attempted to execute instant payments of large sums.
Suppose the social engineered message’s receiver reacts to it and denies the mentioned activities; the victims will receive another text message stating that they will be contacted by the bank again “shortly.”
The fraudsters will call the target as promised in the previous message. The caller will speak English fluently and convincingly, which will claim that they represent the anti-bank fraud department.
The fraudsters will instruct the victims to reverse the attempted fake payments via social engineering tactics.
The campaign aims to deceive the victims into reversing the non-existent quick cash transaction by instructing them to remove their email addresses from the payment application.
The FBI explained that the threat actors ask for the victim’s email address that they will add to a bank account controlled by them. Suppose the fraudsters have changed the email address; they will then tell the victim to initiate another instant cash transfer to themselves that will reverse or cancel the previous fraudulent payment attempt.
However, the victims will send an instant payment transaction to the actor-controlled bank account instead of canceling or sending back the cash to their bank account.
The exchanges between the victims and the threat actors can stretch up to several days, implying that the fraudsters are determined to successfully execute their social engineering campaigns.
