How fraudsters use social engineering to empty bank accounts


Social engineering scams, particularly those involving bank impersonation, pose a significant threat to financial security.

According to Salv, by masquerading as trusted financial institutions, fraudsters manipulate victims into divulging sensitive information, approving unauthorized transfers, and ultimately draining their bank accounts. This deceitful practice is closely linked to authorised push payment (APP) fraud, which exploits human vulnerabilities within payment processes.

Bank impersonation scams typically follow a precursor scam, such as a marketplace or romance deception, where the victim has already been tricked into sharing personal data. In an example given by Tony Sales at We Fight Fraud, the fraudsters then initiate the next phase by posing as the victim’s bank, persuasively guiding them through fabricated security procedures to sanction additional transactions. Victims, convinced they are interacting with genuine bank representatives aiming to safeguard their funds, find themselves deeply entangled in the scam.

The scam begins with a seemingly innocuous text alerting the victim to a suspicious payment request, prompting them to respond if they did not authorize the transaction. When the victim replies, this triggers a phone call from the criminals, further solidifying their deceptive façade as helpful bank staff.

During the call, victims are subjected to standard security questions—such as the name of their primary school or their mother’s maiden name—mirroring legitimate bank security checks. Once trust is established, the fraudster, posing as a fraud prevention agent, convinces the victim to approve a series of ‘test’ transactions under the guise of verifying the security of their account.

Each approved transaction results in money being siphoned directly to the criminals. Unbeknownst to the victim, these are not tests but actual transfers draining their account. The final phase of the scam involves the criminal requesting a six-digit code, supposedly to finalize the security checks. However, this code grants the scammer full access to the victim’s online banking, setting the stage for a complete account takeover.

By convincing the victim to delete their banking app under the pretext of technical troubleshooting, the criminals ensure that no balance update notifications disrupt their activities. As the victim waits for their system to ‘reboot,’ the criminals transfer the remaining funds to their controlled accounts, effectively clearing out the victim’s bank account.

This insidious manipulation not only leads to significant financial loss but also leaves lasting psychological impacts on the victims, who believed they were diligently protecting their assets. The sophistication and convincing nature of these scams underscore the critical need for increased awareness and prevention strategies to combat APP fraud effectively.

Copyright © 2024 RegTech Analyst
