One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great many phishing schemes that precede these bank account takeovers begin with a spoofed text message from the target’s bank warning about a suspicious Zelle transfer. What follows is a deep dive into how this increasingly clever Zelle fraud scam typically works, and what victims can do about it.

Last week’s story warned that scammers are blasting out text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text. Here’s what one of those scam messages looks like:

Anyone who responds “yes,” “no” or at all will very soon after receive a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster initiates a transaction - such as the “forgot password” feature on the financial institution’s site - which is what generates the authentication passcode delivered to the member.

Ken Otsuka is a senior risk consultant at CUNA Mutual Group, an insurance company that provides financial services to credit unions. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person.”

“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’”