Spoofing Legit Bank Service Numbers - Article

  • +3
    B-Edwards
    Some good info about the increasingly common spoofing of legit bank customer service numbers - B. Edwards

    Scammers are spoofing bank phone numbers to rob victims
    Posted: October 28, 2020 by Pieter Arntz

    It can be a very convincing trick…
    “You can check the number in your display online sir. You’ll see I’m really calling from your bank.”

    That is, of course, if you are unaware that phone numbers can be spoofed. Then again, they wouldn’t be successful scammers if they weren’t convincing. If you suggest calling them back, they’ll tell you it’s impossible to call their extension directly and you would have to go through the operator in the head office. Which could take a while and because of the urgency that is not really an option now, is it?

    What is spoofing?
    The definition of spoofing is: to display characteristics that do not belong to you, in order to assume a false identity. We’ve talked about email spoofing in the past, but in this case we’re talking about caller ID spoofing. Caller ID spoofing is when someone calling your phone deliberately falsifies the information transmitted to your caller ID display to disguise their identity.

    How does this scam pan out?
    The scammer calls the victim while spoofing a phone number that belongs to the bank. And the scammer comes prepared with enough knowledge about the victim’s bank account to take away the last shreds of doubt. They tell the victim that they have noticed unusual activity on the victim’s bank account and urgently advise them to put their money in a different account.

    If the victim indicates that they only have the one account, the scammer offers them a so-called “vault account” of the bank. The scammer explains that such an account is a safe place for their funds. Their money may be unavailable in such an account for a few days, but that is better than getting robbed blind, isn’t it? If the victim starts asking a lot of questions, the scammer will say that there is no time to waste because of the danger of losing everything to an unknown entity. Of course, the “vault account” belongs to the scammer and the whole theatrics are designed to get the victim to transfer their belongings into that account.

    Extra information from phishing
    What makes this extra successful is that the scammers really come to the call prepared. They can tell you how much you have in your account and who received your latest payments. There are a few theories about how the scammers can obtain that information. Some even go as far as to claim that they must have someone on the inside. This would explain a lot, but some victims admitted having received a phishing mail not too far before the call.
    If the victims have clicked the link in that mail and have logged in to the phisher’s fake bank website, this not only explains how the scammers obtained the information, it also adds credibility to the story of the scammer on the phone. After all, the phishing attempt could have resulted in unauthorized access. What gives the “insider” scenario some extra credibility is the fact that some victims had recently raised their transaction limits because they needed to make some large payments.

    Phishing sites mirror the bank site, and the phisher can follow the input of the victim into the real bank site. This allows them to have a look at the account details after getting logged in and equips them with the information they can use during the phone call.

    Banking security measures
    If the information the scammer has about the victim’s account stems from a phishing attempt and the bank uses a 2FA login method, then the login information will grow stale rather quickly. A successful phish allows the scammer to log in, but usually only once. They can look around and gather intel to prepare their call. Any subsequent action like making a payment or changing the 2FA settings would have to be authorized separately, and such a request would likely make the victim suspicious.
    What investigators from a Dutch consumer television show found out is that some banks are more likely than others to be targeted. The investigators suspect that customers of banks that use a card reader to scan QR codes to authorize logins and payments are less vulnerable than those that send text messages. This could be because it is more difficult to mimic the QR codes on the bank phishing site than it is to create an input field for the verification code.
    Another fail-safe that the scammer will try to circumvent, if necessary, are the transaction limits that are in place by default for some banks. These are often limited to rather small amounts and customers will have to raise the limit if they want to make larger payments. When the bank asks you to raise this limit instead of the other way around that should be a red flag. Remember that they can do it for you in case of a real emergency.

    The aftermath of a spoofing attack
    The scammers will try and make sure that the victim will not immediately realize that they have been had, so the scammers can make the money disappear from the target account in order to stop the payments being reversed.
    With some banks you will have insurance against banking fraud, but other banks will say the victim transferred the funds themselves and will accept no responsibility for the loss. In most countries you are protected by law against fraudulent payments under certain conditions. One of these conditions can generally be described as “the customer should not be careless”, and a customer could be seen as careless if they gave away their login credentials. Whether entering those credentials on a bank phishing site that looks exactly like the one that belongs to the bank is a careless act is up for debate it seems.
    So, in a worst-case scenario you would not only feel embarrassed because you fell for the scam, you could also be labelled careless and lose the money in your account.

    The future of caller ID spoofing
    Caller ID spoofing has been causing problems since 2004 when a service was opened to allow spoofed calls to be placed from a web interface. In 2018, we mentioned one method of caller ID spoofing called “neighbor spoofing”. Neighbor spoofing was a popular method among cold callers using the same area code and telephone prefix of the person being called. Caller ID spoofing is generally legal in the United States unless done “with the intent to defraud, cause harm, or wrongfully obtain anything of value”. In 2019 the TRACED Act, the first federal law designed to curb unwanted robocalls was signed...
    ...The Federal Communications Commission (FCC) is leading the push for industry adoption of these standards to help consumers as quickly as possible.

    --
    https://blog.malwarebytes.com/social-engineer ... -to-rob-victims
  • +1
    OfficeFlunky
    This is good info indeed given the increasing frequency of this type of call and the spoofed numbers being used. So far this year, the office phone has received several calls from the Member/Cardmember Services robocaller where those calls spoofed the numbers of legitimate financial institutions. One of the worst things about these calls in general is how the operators, if and when spoken to, never disclose which card they are supposedly calling about in an attempt to get the intended victim to disclose their card details without giving a second thought.

    While it's true that hanging up on the calling operator and calling back requires people to go through the phone tree again and that they likely won't get the same operator from before, the truth is a legitimate call about their credit card can be handled by any operator that can retrieve the information after confirming the caller's identity.

    Years ago, a generically-labeled toll-free number called me and claimed to be my bank calling about suspicious activity on my card. I told the operator that as much as I wanted to believe the call was legitimate, I was going to hang up and immediately call the customer service number on the back of my card for my own safety. Although it turned out the call was legitimate and my card had been compromised, I wasn't going to take any chances and neither should anyone else in a similar scenario. A legitimate bank operator will understand. A scammer will likely pressure people to stay on the line, which should raise a red flag.
  • 0
    Dave
    I recently received multiple calls, a text message and two emails with regards to unauthorized transactions on my debit card. In my situation the calls and other forms of communication were legitimate. The sad fact is that scammers are becoming smarter and more aggressive. I appreciate posts like these and hope everyone will use common sense especially this time of year.
  • 0
    CatawbaMom
    About 1 month ago, my elderly mom got a call from her "bank" and they knew her name, age, D.O.B., SS#, account # and the debts she owes. Told her that for a small fee, they can pay her bills. She told them that they would have to call back and talk to me; they never called back. She went to the bank the next day, and they told her it was a scam. She then added me to her account, and I have been monitoring it daily. The banker said that he had already seen 4 people with the same scenario, but they fell for it and lost everything in their accounts!!