Consumers are being warned of a new telephone scam in which fraudsters impersonate major companies to take over computers and steal money from online bank accounts.
Criminals are using technology to take control of victims’ computers from remote locations, after telephoning them and offering to help with a slow computer or internet connection, Financial Fraud Action UK (FFA UK) is warning. FFA UK, the membership body of banks, credit, debit and charge card issuers, and card payment acquirers, speaks of a recent increase in reports of this type of scam.
To carry out this fraud, scammers are impersonating internet service providers, computer companies, banks, software firms and law enforcement. They are also claiming to be calling as a result of recent high-profile data breaches.
The scammers claim there is a problem with the victim’s computer or internet service which is causing it to run slowly. They say they can fix it but need access to the victim’s computer to do so. Victims are then asked either to visit a website or enter a command prompt on their computer, which gives scammers control of the machine remotely. The fraudster will take some time to ‘fix’ the problem, in some cases as long as 30 or 40 minutes.
During the call, the scammer will tell the victim they are entitled to compensation, or pretend to put them through to a supervisor, who will make the offer. The scammer will say they are sending the money and will ask the victim to log into their bank account to check it has arrived. But the scammers will still have access to the computer and will put up a fake screen which makes it appear the money has arrived. Working in the background, they will take money from the victim’s bank account. Or, the scammers may transfer money between accounts to make it look like payment has been made.
The fraudster may also ask for a bank passcode sent by text message or generated by a card reader, claiming that this is required to process the refund. But this code will actually enable them to set up a new payee and take funds from the victim’s account.
In an alternative version of this scam, fraudsters may say the money has been sent but they have accidentally sent thousands of pounds, rather than hundreds, an error which will cost them their job. They will transfer money between the victim’s bank accounts to make it seem as if they have sent too much. In this case, the fraudster will ask for the difference to be refunded via wire transfer.
Kevin Epstein, of Proofpoint, said: “Proving that the weakest links in security remain all of us, this scam which was previously confined to tricking Senior Citizens uses a phone call to leverage the same social engineering tactics that have been so successful persuading users to click email links and open attachments. As Proofpoint’s Human Factor report establishes (proofpoint.com/humanfactor), this is an ongoing security challenge. Regardless of the source, the result is the same – users volunteering access to their systems – and this ongoing challenge reemphasizes the need for modern targeted attack protection and threat response systems. Security professionals need to protect users not only against attackers but against their own human tendencies.”