Cybercriminals target victims by sending text messages with what appear to be bank fraud alerts asking if the customer has initiated an instant money transfer using digital payment apps.
“Once the victim responds to the alert, the cybercriminal calls from a number that appears to match the financial institution’s legitimate 1-800 assistance number. Under the guise of canceling the fake money transfer, victims are scammed into sending payments to bank accounts under the control of cyber actors,” according to the statement.
The sophisticated phishing and social engineering scam results in victims unwittingly using payment apps connected to their bank accounts to send funds to fraudsters. The apps facilitate the quick transfer of funds between registered users. An instant payment transaction can be initiated with only the recipient’s email or mobile number.
In addition to knowing the victim’s bank and related data, criminals often had access to additional information such as past addresses, the person’s Social Security number, and the last four digits of their bank accounts. This information was used to convince customers that the steps they were being asked to take were the financial institution’s legitimate process to recover the stolen funds, according to the IC3 statement.
The scam often tricks people into believing that they are sending the transaction to themselves, when in fact the victims are sending instant payment transactions from their bank account to another account controlled by the thief. Often fraudsters interact with people for several days, with victims only realizing they have been scammed after checking their bank statements.
IC3 warns that the proliferation of major data breaches over the past 10 years has given cybercriminals a wealth of personal data that can be repeatedly used in a variety of scams and frauds.