A few weeks ago, Brian Krebs of Krebs on Security reported on a scam that a reader had come across, where an innocent-looking text message led to a voice phishing call. SMS phishing, or “smishing,” is a type of phishing attack that reaches the target in the form of a text message. These text messages usually include a link that takes you to some sort of fake login screen, where the target could be tricked into giving up their credentials. But in this particular attack that Brian reported on, the SMS message didn’t contain a link; instead, it was followed by a phone call from a spoofed number.
In this scam, the target received the text message above asking if they had attempted a $5000.00 Zelle payment. The target obviously hadn’t, so they simply responded with “NO” as the text requested. Seems innocent enough, right? There were no links in the text that the target was being persuaded to click, or any other obvious signs of a phish. However, as soon as the target responded, they received a phone call from a number with a caller ID of “JP Morgan Chase.” When the target answered the call, the person on the phone claimed to be from the fraud department at J.P. Morgan Chase and said that they were going to help the target secure their account. But before they could help, they asked the person they were targeting to “confirm” some account details to make sure they were talking to the actual account owner and not the “scammer.”
At this point, the person being targeted in this scam hung up, looked up the real number for the J.P. Morgan Chase fraud department, and called them. The real employees at the financial institution confirmed that they had not actually called her. The target followed the rule that everyone should follow when they receive a call of this nature: always hang up, look up the number you have on file or the one on the official website, and call back on that number. That way you’ll be able to check whether the call is legitimate before handing over any sensitive information.
How these types of scams usually work:
The week after he posted the original article, Brian Krebs published another article in which he wrote that he had consulted Ken, a senior risk consultant from an insurance company that provides financial services to credit unions. Brian wrote that, according to Ken, the fraudster will usually say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?” An unsuspecting target will give their username, not knowing that the fraudster is actually using the “forgot password” feature, which will usually generate a two-factor authentication passcode that is sent by email or text message to the account owner. In the article, Brian wrote that Ken then went on to say, “[After this,] the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’” When the unsuspecting victim gives the fraudster this “password,” they have actually handed the fraudster control of their account, since the fraudster is now able to reset the password.
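The weak point in the flow above is that the fraudster started the “forgot password” request themselves, so the only thing they lack is the code the bank sends to the real owner, and the phone call is simply a way to collect it. The following model is an added example written for this page; it is not code from the article, from Krebs on Security, or from any bank. It replays the scam against a toy reset service in two configurations: one where the code alone completes the reset (the situation Ken describes), and a hardened one where the reset must be finished from a device the account has signed in from before, so a code read out over the phone is not enough by itself. The usernames, device identifiers, message wording and time limits are all assumptions made for the example.

```python
"""Toy 'forgot password' service showing why a code read back over the phone
can hand over an account, and one hardening that removes that property.
Added example; all names, device ids, wording and limits are assumed."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed lifetime of a reset code
MAX_ATTEMPTS = 3         # assumed guess limit per reset request


@dataclass
class ResetChallenge:
    username: str
    code: str              # six-digit code sent to the account owner's phone
    requester_device: str  # device that started the flow (the caller's, in the scam)
    issued_at: float
    attempts: int = 0


class PasswordResetService:
    def __init__(self, trusted_devices, require_trusted_device):
        # trusted_devices: {username: {device_id, ...}} learned from past successful logins
        self.trusted_devices = trusted_devices
        self.require_trusted_device = require_trusted_device
        self.challenges = {}
        self.outbox = []   # stand-in for the SMS gateway; holds the message text

    def request_reset(self, username, device_id, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[username] = ResetChallenge(username, code, device_id, now)
        new_device = device_id not in self.trusted_devices.get(username, set())
        # The wording is a control in itself: it names the purpose of the code,
        # flags an unfamiliar requesting device, and says staff never ask for it.
        self.outbox.append(
            f"Password reset code: {code} (expires in 5 minutes). "
            + ("This request came from a device you have not used before. " if new_device else "")
            + "Our staff will never ask you for this code. "
            "If you did not request a reset, do not share it and contact us."
        )

    def complete_reset(self, username, code, device_id, now=None):
        now = time.time() if now is None else now
        ch = self.challenges.get(username)
        if ch is None or now - ch.issued_at > CODE_TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1
        if not hmac.compare_digest(ch.code, code):
            return False
        if device_id != ch.requester_device:
            return False   # the reset must be finished by the session that started it
        if self.require_trusted_device and device_id not in self.trusted_devices.get(username, set()):
            return False   # hardened policy: a relayed code from an unknown device is not enough
        del self.challenges[username]
        return True


def simulate_scam(require_trusted_device):
    """Replays the article's flow: the caller starts 'forgot password' with the
    victim's username, the victim reads the SMS aloud, the caller submits the
    digits. Returns True if the caller ends up resetting the password."""
    svc = PasswordResetService({"alice": {"alice-phone"}}, require_trusted_device)
    svc.request_reset("alice", device_id="caller-laptop", now=1000.0)
    relayed_code = svc.outbox[-1].split("code: ")[1][:6]   # digits the victim read out
    return svc.complete_reset("alice", relayed_code, device_id="caller-laptop", now=1010.0)


if __name__ == "__main__":
    print("code-only reset, caller succeeds:", simulate_scam(False))
    print("trusted-device required, caller succeeds:", simulate_scam(True))
```

The trusted-device requirement is one design choice, not the only one; the message wording, the short lifetime and the attempt limit in the block are smaller controls that apply to either policy. None of them replaces the advice in the next section, because a caller who is trusted by the victim can still talk them through steps on their own phone.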
How can you avoid these types of scams?
The best piece of advice to take away from this is that any time you get a phone call, text, or email from someone claiming to be your financial institution, always think twice before clicking any links or giving away any information. Don’t be afraid to be rude on the phone to whomever you might be speaking with. Go by this mantra: hang up, look up, call back.