How scammers do it. Tools of Deception.

Tomcat

Social engineering has taken first place among the methods of stealing money from the accounts and cards of individuals. Using psychological techniques, scammers mislead clients for profit. The classic scheme of such fraud is a call to the victim from supposed bank security officers.

However, the arsenal is not limited to persuasion. We have collected five popular fraudulent tools that were used to steal money from your colleagues and acquaintances in 2019. No theory - only real cases.
All major banks have anti-fraud systems in place that analyze transactions and look for anomalies and fraudulent patterns.

The evolution of attackers' tools and of the systems that counter them resembles the evolution of armor and projectiles: it is an endless process. For obvious reasons, this article will not describe what exactly banks can detect and how, but it is important to understand that fraud, like fire, is best prevented.

In “Tinkoff Stories” in the mobile application, we regularly talk about how not to fall for the tricks of inventive attackers, and also launch several thematic projects at once, including an animated series.

Basic scheme

Fraudsters introduce themselves as the bank's security service and report an attempt to debit funds from the client's account. To cancel the unauthorized transaction, you are asked to provide the full card number and the confirmation codes from SMS. In fact, at this moment they are either logging into your personal banking account or making transactions on the Internet, in which case they will additionally ask for the expiration date and the three-digit code on the back of the card.

If previously there were typical portraits of such victims, the most common of which were elderly people, now the lines are blurred. Neither gender nor age now affects the ability to withstand a variety of subterfuge schemes.

IVR

The obvious disadvantage of the standard scenario for scammers is the inevitable struggle with clients’ fears and the questions that often arise. For example, the SMS itself says that the code must not be shared with anyone.

However, technology comes to the aid of not only decent citizens. The scammer himself says that the confirmation code must not be shared with anyone - this matches the text of the SMS and inspires the victim's trust.

The scammer asks you to enter the code in tone mode and switches you to an IVR (interactive voice menu), where a standard announcer voice says that the code must be entered in tone mode after the signal.

Remote access

A scammer's call usually takes the client by surprise. The caller introduces himself as a bank employee and reports that malicious software has been detected on the client’s device. To fix this, the caller says, access to the device must be provided. The victim is told to download a remote access program to his smartphone - TeamViewer, AnyDesk or another.

After installation, the fake bank employee asks the client to name the code displayed in the application. The fraudster enters this code into the program on his device. After the victim grants all permissions (if necessary, downloads an add-on for full control), the attacker receives, depending on the OS and manufacturer of the victim’s smartphone:
  • Android (for example, Samsung) - full remote access to the client’s device. The fraudster makes payments from the client device, since transaction confirmation codes are sent to it.
  • iOS and some Android devices (for example, Nexus) - viewing access. The fraudster directs the client’s actions (“Click here, and now click here”). As a result, the client himself transfers funds to the fraudster.

Spoofing the scammer's number

Some attackers call from ordinary SIM cards bought by the handful at the metro. In this case, the victim receives the call from the fake bank employees from a number with typical prefixes 926, 916 and others.

Other scammers, seeking to convert more calls into stolen money, turn to telecommunications services that substitute the caller's phone number.

Technically, number spoofing is possible because of a weakness in telephony protocols such as SIP and ISDN PRI, which provide no mechanism for verifying the authenticity of the sender of a message.

A nice-looking number like 8 (495) xxx-xxx-xx displayed on the smartphone screen dulls the victim’s vigilance.
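In base SIP the caller's number travels in a From header that the sending side fills in itself. The sketch below is an added example, not part of the original article: it shows what a receiving gateway can check, assuming the carrier network adds a P-Asserted-Identity header (RFC 3325) and may carry a signed Identity header (RFC 8224). The INVITE, numbers and host names are constructed.

```python
import re

def parse_headers(message):
    """Map lower-cased header names to value lists (no folding, no compact forms)."""
    headers = {}
    for line in message.split("\r\n")[1:]:      # skip the request line
        if not line:                            # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def uri_user(value):
    """Extract the user part (the number) from a sip:, sips: or tel: URI."""
    m = re.search(r"\b(?:sips?|tel):([^@;>\s]+)", value)
    return m.group(1) if m else None

def assess_caller_id(message):
    """Return (claimed_number, findings) for one INVITE."""
    h = parse_headers(message)
    claimed = uri_user(h.get("from", [""])[0])  # what the phone will display
    asserted = [u for u in map(uri_user, h.get("p-asserted-identity", [])) if u]
    findings = []
    if "identity" not in h:
        findings.append("From is unsigned (no Identity header)")
    if not asserted:
        findings.append("no network-asserted identity to compare with")
    elif claimed not in asserted:
        findings.append("From differs from P-Asserted-Identity " + ", ".join(asserted))
    return claimed, findings

# Constructed INVITE: the displayed number and the network-asserted one differ.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+70000000001@gw.example.net SIP/2.0",
    "Via: SIP/2.0/UDP pbx.example.org;branch=z9hG4bKconstructed",
    'From: "Bank Security" <sip:+74950000000@pbx.example.org>;tag=1',
    "To: <sip:+70000000001@gw.example.net>",
    "Call-ID: constructed-1@pbx.example.org",
    "CSeq: 1 INVITE",
    "P-Asserted-Identity: <sip:+79160000000@carrier.example.net>",
    "", "",
])

if __name__ == "__main__":
    print(assess_caller_id(SAMPLE_INVITE))
```

P-Asserted-Identity is only meaningful when it was inserted by a network the gateway trusts; a copy arriving from outside that trust domain has to be stripped before this comparison.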

Cash-in to a secure account

A bank client receives a call allegedly from the bank's security service. During the conversation, it turns out that the client’s account is in danger and funds could be withdrawn from it at any minute.
In order to "help" the client, the scammers ask for the card number and a confirmation code for logging into the client's personal account. Having gained access to a huge amount of information (data about transactions, accounts, balances), the scammers easily gain trust, removing any last doubts (“Fraudsters can’t know so much about me,” the client thinks).

The prepared victim is told that the only way to save the money is to withdraw it to a secure account. Next, there are two possible scenarios for the development of events.

Transfer. The client is asked to transfer the funds to a secure account himself. Fraudsters use psychological pressure to convince him to make a transfer to a drop's account. A drop is a person who, for a small fee, signs up for a regular debit card and then gives it to scammers, who use it to cash out stolen money.

ATM. Fraudsters can use ATMs with a cash-in function for their own purposes.
The client is informed that he urgently needs to go to the nearest ATM and withdraw all the money. For particularly lucrative victims (and at this point the scammers can see how much money is in the accounts), they may even call a taxi.

After withdrawing the money, the victim is asked to deposit the cash into the scammers' account. The victim is intimidated with fines and penalties on the one hand, and lured with promises of monetary compensation for the inconvenience on the other. Eventually the scammers gain the upper hand, and the customer funds their account with the freshly withdrawn cash.

Forwarding to the victim's number

Banks do not sleep and, having identified a suspicious transaction, rush to contact the client.
Typically, fake security officers rely on their powers of persuasion: they turn the client against the real bank employees and convince him of the need to confirm the transactions. It may look surreal, but these are the realities.

But some scammers rely more on technological solutions. Instead of elaborate persuasion, the client is asked to dial a sequence of characters on the phone, which is actually a USSD command that enables forwarding of the victim’s incoming calls to the scammers’ number. In addition, they ask for identification data, which they will use to impersonate the client when calling the real security service.
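A dialer, banking app or help-desk script can recognise such a sequence before it is sent. The following is an added example, not part of the original article: it classifies a dictated string against the call-forwarding service codes of the GSM MMI scheme (3GPP TS 22.030); the function name and the sample numbers are constructed for illustration.

```python
import re

# Call-forwarding service codes of the GSM MMI scheme (3GPP TS 22.030).
FORWARDING_SERVICES = {
    "21": "unconditional",
    "67": "when busy",
    "61": "when not answered",
    "62": "when unreachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}
# Prefixes that switch a service on; "#", "##" and "*#" disable, erase or query.
ENABLING_PREFIXES = {"*": "activate", "**": "register"}

MMI_CODE = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[+\d]*)*)#$")


def classify_dial_string(raw):
    """Report whether a string the caller dictates would enable call forwarding."""
    dialed = re.sub(r"[\s()\-]", "", raw)       # drop spacing used when dictating
    match = MMI_CODE.match(dialed)
    if not match:
        return {"forwarding": False, "reason": "not a service code"}
    prefix, code, params = match.groups()
    service = FORWARDING_SERVICES.get(code)
    action = ENABLING_PREFIXES.get(prefix)
    if service is None or action is None:
        return {"forwarding": False, "reason": "does not enable forwarding"}
    fields = params.split("*")                  # "*<number>*..." -> ["", number, ...]
    target = fields[1] if len(fields) > 1 and fields[1] else None
    return {"forwarding": True, "service": service,
            "action": action, "target": target}


# Constructed samples; the phone numbers are placeholders.
SAMPLES = ["**21*+70000000000#", "* 67 * 8 (000) 000-00-00 #", "*100#", "##002#"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_dial_string(sample))
```

A result with `forwarding` set and a `target` that is not the client's own number is the case to block or warn about; a code without a number re-activates whatever forwarding was registered earlier, so it is flagged as well.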

Conclusion

Fraudsters can use several tools from this list at once. Therefore, it is important to be on guard when receiving any call from the bank and not to rush to trust the caller. He may threaten fines from the bank and tempt with bonuses for fulfilling his demands.

Therefore, you need to remember that real bank employees will never ask you to:
  1. Tell them the transaction confirmation code.
  2. Install programs on your smartphone, especially with remote access functionality.
  3. Execute USSD commands on your phone.
  4. Transfer or deposit your money through an ATM to third party accounts.

The next article will tell you even more about how to resist scammers who lie in wait for you literally at every turn: on social networks, in investments, on message boards and dating sites.