Cybercriminals do their homework for latest banking scam

A new social engineering scam is making the rounds, and this one is particularly insidious: It tricks users into sending money to what they think is their own account to reverse a fraudulent charge.  The FBI's Internet Crime Complaint Center issued the warning, which it said involves cybercriminals who have definitely done …

  1. Alumoi Silver badge

    the caller asks the victim ...

    Are people really that stupid to fall for that?

    You're the bank, do it yourself, that's the natural response.

    1. Ken Moorhouse Silver badge

      Re: You're the bank, do it yourself, that's the natural response.

      Many years ago I paid in some cheques using the bank's self-service in-branch deposit machine. I naturally assumed that the credits hit my account, until a week later I got a letter through the post asking me to check my account to see if amounts that the bank "deduced" that I'd paid in had in fact been credited.

      Turned out that the branch in question had had a robbery shortly after my visit.

      Now the relevant bit: The bank insisted that I do the legwork in getting all of the cheques stopped and reissued by the companies issuing them. I gave the same line "you're the bank, do it yourself" but to no avail. I jokingly said it was bad enough trying to get cheques issued by customers once, let alone twice. I did extract a compromise from them: they wrote to my customers explaining the circumstances, and that they would reimburse charges made in stopping the original cheques.

      One point I made to the bank was: surely you are insured against bank robberies, in which case the insurance company can pay out the amounts stolen. They maintained that they are not insured.

      It is this type of convoluted procedure for something that sounds very questionable that someone could latch onto and exploit.

      1. Doctor Syntax Silver badge

        Re: You're the bank, do it yourself, that's the natural response.

        I take it that this was your former bank.

      2. Potty Professor
        Holmes

        Re: You're the bank, do it yourself, that's the natural response.

        Soon after we were married, my wife and I bought a small amount of groceries from one of the (then) big supermarket chains. We only spent £10 as we were very short of money. I went to the checkout and wrote them a cheque for that amount. Some days later we received a letter from the supermarket asking me to issue another cheque for £10, because they had had a robbery and my original cheque was among those stolen. I refused to do so, and contacted my bank to stop the original cheque from being cashed. I explained to the supermarket that I would not issue a replacement cheque as I had completed the original transaction in good faith and to their satisfaction, and anything that had happened to the cheque thereafter was their problem, not mine. I posed the question, had I been mugged in the car park and my newly purchased goods stolen, would they have expected me to return to the store for replacement items? Had I known that the theft was going to happen, I would have kited considerably more than just £10.

  2. yetanotheraoc Silver badge

    followup

    What happens if you reply YES ?

    1. Flocke Kroes Silver badge

      Re: followup

      I tried thanking an "Amazon" representative for charging me £79/month and asking what benefits I get with my new payments. It really threw her as she was not prepared for that response. Unfortunately my enthusiasm tipped her off after only a few minutes and she hung up.

      1. Adam Ant
        WTF?

        Re: followup

        I'll quite often start off with "Hello little girl. Do you know what I have in my hand - It is long, black, and very hard... Guess where I'm going to shove it".

        It is a telephone hand set, and it is going back into the cradle, but they have usually hung up by then.

        1. veti Silver badge

          Re: followup

          Yes, I can't imagine that going wrong in any way...

  3. Version 1.0 Silver badge
    Unhappy

    An Internet feature

    The only time I've ever had an issue like this has been when I went into the bank to complain that my paycheck had not appeared in my account ... the bank apologized for entering the wrong account number and fixed it immediately ... Trusting the internet is like covering yourself in steak-sauce and walking through the Lion enclosure at the zoo while posting on Facebook.

  4. heyrick Silver badge

    be wary of anyone providing personally identifiable information as proof of their legitimacy.

    What, you mean like most banks when they call you?

    They're also completely unprepared, and quite stroppy, when you ask them a question they don't anticipate, such as "name three direct debits paid in the last fortnight", and really don't like being told that they failed to verify they were who they said.

    Hello NatWest, looking directly at you.

    With behaviour like that, it's not a great surprise people get scammed.

    These days I keep telling my bank that I refuse to accept any "official" notification sent via text or email (including in their app). If it is important, written on headed paper, signed, and posted. Given that I've had numerous messages (SMS and email) about my unarranged overdraft at the Credit Agricole (who I'm not a client of), I simply cannot accept electronic communications for anything other than providing a code number in response to a known purchase.

    1. IGotOut Silver badge

      Re: be wary of anyone providing personally identifiable information as proof of their legitimacy.

      Standard Life keep calling me (it is them), but I utterly refuse to answer any questions "for security purposes".

      1. Anonymous Coward
        Anonymous Coward

        Re: be wary of anyone providing personally identifiable information as proof of their legitimacy.

        'Standard Life keep calling me (it is them), but I utterly refuse to answer any questions "for security purposes".'

        At least, you think it is Standard Life, but it could equally well be a scammer spoofing the Caller-ID of a known published Standard Life phone number…

        There is no way to verify whether an incoming call is genuine, so, unless it's the number of a friend calling, I just ignore all unknown incoming calls. If it's not someone trying to scam me, it'll be someone trying to sell me something, and I don't want to hear from either of them.

        The only sensible way for a bank to request you to contact them urgently (eg, to check a potentially fraudulent transaction) is for them to text you, and for you to contact them via secure messaging in their website/app or phoning their known trusted contact phone number. (If the text message contains a web link or phone number in it, those must be verified against those published on their website, etc, and never trusted as-is.)

    2. Filippo Silver badge

      Re: be wary of anyone providing personally identifiable information as proof of their legitimacy.

      My current policy is straightforward. If you initiate communication with me using an untraceable means, I will not enter any agreement with you. That includes phone, unencrypted email, and non-tracked mail.

      The actual content of the proposal is entirely irrelevant; I won't even listen to it. The entire purpose of the conversation is to convince me that you might actually be genuine, at which point I will politely hang up and separately contact your institution using a known-safe means (a known-good phone number or address). Then we can discuss your proposal.

      This is separate from spam calls; if you sound like a spam call, I'll just hang up immediately and blacklist the number. I might have some false positives this way. I don't care. Whatever happens can be fixed later.

    3. Doctor Syntax Silver badge

      Re: be wary of anyone providing personally identifiable information as proof of their legitimacy.

      Hello NatWest HSBC, looking directly at you.

  5. TheProf
    Joke

    FBI

    Is this the same FBI that are going to give me $10,000 million dollars that someone found in an aircraft hangar in Dallas?

    I think someone should check their documents very, very carefully.

  6. Anonymous Coward
    Anonymous Coward

    Tell me again...............

    (1) How "on line banking" is "convenient"

    (2) How my sofa is SO much more convenient than an actual bank

    (3) How my laptop is SO much better to deal with than a real person

    (4) How waiting for a text message "security number" for so long that the on line transaction has timed out before the message arrives

    (5) How sorting out glitches (like item #4) on the phone, and waiting for 30 minutes for someone to pick up....how this is "an improved service"

    But of course this is all:

    (a) Just marketing

    (b) Just a cost reduction exercise.....where the data entry work has been moved from banking staff (expensive)........to the customer (much cheaper)

    Ah...another marketing lie......"Customer service is our number one priority"..................NOT!!!!

    1. Doctor Syntax Silver badge

      Re: Tell me again...............

      "(2) How my sofa is SO much more convenient than an actual bank

      (3) How my laptop is SO much better to deal with than a real person"

      The reality these days is that actual bank branches are becoming increasingly remote and when you finally complete the trek to one the staff are disempowered and unable to do anything except tell you to go online or ring. Having dissuaded everyone that it's not worth visiting their "local" branch they can close it due to lack of business.

      Trying to phone, of course, results in getting a recorded announcement that they're experiencing an unusual number of calls (for at least the last decade) and you should go online.

      The fact that this exposes you to fraud is your problem, not theirs.

    2. Anonymous Coward
      Anonymous Coward

      Re: Tell me again...............

      Personally I greatly prefer going online to having to bum a ride or take a bus to the bank.

      Neanderthals may disagree with that viewpoint.

      I also deal with a REPUTABLE bank, not one that keeps making the news with their shoddy security. Unlike some people, I didn't just pick a bank at random because it was "convenient."

      1. tip pc Silver badge

        Re: Tell me again...............

        If they are so good why not name them so the rest of us can enjoy their great service?

        1. Anonymous Coward
          Anonymous Coward

          Re: Tell me again...............

          Hello, Mr. Phisherman. No, you'll have to get your info elsewhere. :P

          1. tip pc Silver badge

            Re: Tell me again...............

            Ok,

            Really not sure why you are paranoid at disclosing the name of the establishment that surely has more than you as a customer, especially as we don’t know who you actually are.

            I’m with Barclays and had an issue a long time ago when my card got cloned and I had to turn detective in order to get them to refund me as.

            I’ve also had accounts at Nationwide, Santander, RBS, Lloyds, TSB, and others I can’t remember.

            They’ve all had their faults, the Barclays app seems very good compared to others I’ve seen and puts it and them above.

            Ability to pay cash and cheques in via the outside machine was (3 local branches now closed) a huge bonus.

            Stirling seems ok, app looks good,

            Many people just use their phone to pay contactless now which is great, my missus has her cards actually locked in the safe.

            AMEX was great at delivering new cards to random places when I used to constantly lose mine.

            I should add that almost all uk accounts have 2 factor authentication meaning it’s very difficult for imposters to impersonate you, but not impossible.

            Certainly difficult to get you across the internet when you need to put your card into a card reader and enter the code generated on your banks site or they text you a code to a known number.

            It’s not impossible but certainly harder to get you today than 10 years ago.

            Even contactless payments will be subjected to extra verification, not sure that applies to payments from phones though as typically they must be unlocked using a PIN or biometric before payment and each transaction is unique.

            1. Cav Bronze badge

              Re: Tell me again...............

              "Really not sure why you are paranoid at disclosing the name of the establishment"

              How many customers said establishment has is irrelevant. The user's bank details are fairly unique to him/her. Never give out any information that can be tied to any account you use, when it is completely unnecessary to do so. Who knows what information is being collected and collated now, or will be in the future.

              Why take an unnecessary risk?

  7. Doctor Syntax Silver badge

    "What's the past of least risk with greatest reward? "

    Path?

  8. JassMan
    Trollface

    I know that Brits often play the baddie in films but...

    The "fraud specialists" contacting users reportedly "speak English without a discernible accent," and once they establish credibility with the victim they move on to "helping" them "reverse" the fake transaction.

    I am pretty sure that that this is an incorrect assertion on the part of the FBI.

    I think it much more likely that they speak Merkin without any discernible accent. We English all have accents and they are mostly discernible by other English speakers. Only a Merkin would think they all sound the same.

    1. Anonymous Coward
      Anonymous Coward

      Re: I know that Brits often play the baddie in films but...

      Yes, especially considering how many accents there are in the US as well.

      Their main point is they couldn't be politically correct and say "they don't sound like the typical Indian scammers."

    2. AndrueC Silver badge

      Re: I know that Brits often play the baddie in films but...

      "I think it much more likely that they speak Merkin without any discernible accent. We English all have accents and they are mostly discernible by other English speakers. Only a Merkin would think they all sound the same."

      Yup, the closer you are to the source of a language the greater the rate of variation. Britain is a relatively small island but you only have to travel fifty miles to hear a different accent.

      1. Giles C Silver badge

        Re: I know that Brits often play the baddie in films but...

        50 - drive along the A47 from Peterborough to Norwich and the accents change every 10 miles, or almost every other village.

        1. Anonymous Coward
          Childcatcher

          Re: I know that Brits often play the baddie in films but...

          The accents change faster than genes

    3. Anonymous Coward
      Anonymous Coward

      Re: I know that Brits often play the baddie in films but...

      Not to mention, we're at the point where speaking clear and understandable English is a red flag. The real bank's phone support will have Indian accents, heavily compressed audio, and tons of background noise from the call center

    4. Paul 33

      Re: I know that Brits often play the baddie in films but...

      Speaking English without any discernible accent is a definite red flag. I know all my Banks have offshored their customer services and despite being called George, or Charles or Angela, all have a very discernible accent.

  9. RobThBay

    Hmmm...

    I had something like this happen last Thursday.

    My wife was transferring some money from our chequing account and the balance dropped below $100. A little while later a text shows up on my phone saying "....Chq Acct ***1234 balance is below threshold amt. Charges may apply. Review and deposit $ if req'd. Std msg rates apply. Txt HELP=help|STOP=stop."

    Clues that it was a fake notice.

    1. The account doesn't have a minimum threshold.

    2. The bank wouldn't use short forms like chq, acct, $, amt, std and msg.

    3. We don't keep very much money in that account, it often drops below $100 and this sort of message has never appeared before.

    I admit the text did catch me off guard for a few seconds and I can see how some people would fall for it.
