New bank scam - please be careful Post Reply

[Prevent Bank Scam]

Hi
I mentioned this scam to Annabel earlier today and she asked me to post.

Background - I work in tech and I spoke directly to the victim in this scam, I still don't fully understand the details but I watned to share.

1. A colleague received a text asking if she had spent money in Argos in Manchester. She was asked to reply back Y/N

Comment: this is pretty standard we've all had these

2. She replied back with an N. She then received a phone call from a number that came up as her bank. It asked her to check her last three transactions on her banking app. They did NOT ask for any data or PINS etc etc. All they did was ask her to check her last transactions and confirm that she hadn't made some purchases they read out.

Comment: again this is standard and no personal details were shared

3. She THEN had a text from her bank saying £5k had been transferred out of her account. This was a genuine text from her bank

4. She then had another text from her bank, another £5k had been transferred out

5. She then called, using her work mobile, the fraud number for her bank who quickly checked her account, confirmed that this was a scam and then refunded the money to her.

When I first heard this I was sceptical, not that I didn't believe the person I was talking to, but I didn't understand how they accessed her bank account. The bank told her that the original text message had some script in it (script is a technical name for a tiny tiny program) that once she opened up the text allowed that script to run. That script enabled the scammers to have access to her phone.

THEN when she opened up her bank app to check the transactions she was actually opening the app for the scammers as they were already remotely on her phone.

She was told by the bank to immediately put her phone on airplane mode (don't forget she was on her workphone too) and then take it to a phone shop to get wiped. She'll also probably have to change her number. She was on a new iPhone and not Android.

What is scary about this scam is that even as someone who works in tech, I would have done exactly the same.

Moral of the story:

1. from now on, if you receive a text from your bank then should we open it? I'd say no but not sure how realistic that is.
2. if you do open it, and I'm still trying to process what this means if we can't trust texts from banks, then don't open your bank app at same time.

Those of you who work in tech may be sceptical about this, I am, but it was told directly to me by the victim and I was on a group call with a bank app software developer at the same time (this is just a coincidence - but it is my line of work).


Hope this helps.

[Denwand]

Wow! - This is so sophisticated and scary.

It all looks so innocent and unsuspicious we could all fall for it...thanks for the warning.

[Thankyou]

Thank you for the heads up.
If my bank call saying they want to check details of spending etc I always tell them I will hang up and call them back. Use a number that you already know. People can make it look like they are calling / texting from any number and as the op warns, scams are getting more advanced.

[atbattersea]

Firstly, your friend should report this to Apple - if there is a flaw in the OS of the iPhone, then it needs to be fixed.

If you scour the web you will find reports of malware distribution of this type – usually it is connected to national spy agencies, etc. I have never heard of this sort of scam for financial gain.

Having said that, one would think that the phone vendors would be wise to this by now, so I am kind of sceptical.

A bit more likely is that you friend has recently downloaded an app, that is actually the source of the malware.

It is worth remembering that all text and call IDs can be spoofed - most people do not realise this, and think that the "name"/number shown must be genuine. But if you think about it you know that cannot be true, because you have received calls/texts from people that are not in your contacts list but somehow display a "name" (eg "NHS", etc).

My usual course of action is not to respond to texts from businesses, because I have never asked any of them to text me in the first place.

As far as general scam advice goes, don’t give people who phone you any personal information. If I can be bothered I sometimes engage in a bit of scam baiting (when they call me) - I give them a false name and other false details, and tell them I have about ten bank accounts each with several hundred thousand pounds in them.  This, of course, gets them interested, and I keep them on the line until I get bored and eventually tell them where to go (you would think that my number would have been blacklisted by now)!

Some of you may wonder why I do this. The reasons are twofold: it can be enormously amusing for a few minutes, turning the tables on the scammers (and relating this to friends later, when we have great laugh – I can't believe the gullability of these scammers sometimes, I told one the other day I was born in 1904!), the second reason is altruistic: if I am keeping them on the phone for 20 mins or so, deliberately wasting their time, then tat might spare someone who is not so savvy from getting their call.