The FBI has published an alert on a new phishing scheme that is aimed at tricking victims into undertaking money transfers to cybercriminal-controlled accounts.
According to Security Week, as a part of these attacks, the cybercriminals target users of digital payment applications with fake text messages pretending to be from legitimate financial institutions and ask customers to verify they have initiated instant money transfers.
The FBI advisory said, “Cybercriminals are targeting victims with a sophisticated phishing and social engineering scam which results in victims unwittingly sending funds to the actors using digital payment apps. The actors take advantage of payment apps connected to bank accounts.”
If a recipient responds to the automated text message, the criminals then call the victim from a number that appears to be the same as the legitimate 1-800 support number for the financial institution. Then claiming to represent the fraud department of the organisation, the criminals walk the victim through a process meant to reverse the fake instant payment transaction.
The threat actors that engage in these attacks appear to have extensive knowledge of the background information of the victim, such as past addresses, social security numbers and the financial institution they are clients to, as well as the last four digits of their bank account numbers. The victim is also asked to remove their email address from their digital payment app and to share it with criminals – who then add it to a bank account they control.
The FBI said, “After the email address has been changed, the actor tells the victim to start another instant payment transaction to themselves that will cancel or reverse the original fraudulent payment attempt. Believing they are sending the transaction to themselves, the victims are in fact sending instant payment transactions from their bank account to the actor-controlled bank account.”
Copyright © 2022 FinTech Global