OGDEN — While the pandemic is wreaking havoc with the health of millions around the world, cybercriminals are also trying to take advantage of beleaguered consumers by targeting their bank accounts.
The American Bankers Association this month is launching an industrywide effort to combat online fraud aimed at individual consumers and their banking activities. The “Banks Never Ask That” campaign was developed to inform consumers about the ongoing risk of phishing scams perpetrated by criminals worldwide.
The Federal Trade Commission estimates phishing schemes cost consumers almost $1.9 billion last year, with the global pandemic only adding to the threat.
“We’ve had customers that have been targeted with phishing campaigns related to the pandemic and the election, also with regards to government programs tied to the pandemic like (Paycheck Protection Program) loans,” said Brian Stevens, senior vice president of information technology at Bank of Utah.
“Basically, anytime there’s something that’s notable going on and people might be interested in or that impacts their lives, fraudsters are going to use that as an opportunity to try to instill some urgency in their victims and try to get them to do something (immediately).”
The goal of this campaign is to help people see the pattern of phishing, specifically that banks are never going to try to create a situation where a consumer is triggered to give out their account username and password, he said. The campaign uses videos and animated GIFs, along with consumer tips on social media and in local bank branches to help consumers spot bogus bank communications that ask for sensitive information.
Because cybersecurity education and fraud awareness can frequently be glossed over by consumers, the campaign uses humor to try to be more memorable, a news release states. Campaign advertising asks questions that banks would never ask such as, “Do you believe in aliens?” alongside sample phishing questions that banks would never ask, such as, “We’ve spotted some unusual activity on your account, can you please verify your username and password?”
“Everyday we see new phishing scams targeting business owners and consumers that can catch people unaware and lure them into sharing personal information and ultimately paying money to a fraudster,” Stevens said. “If a person’s computer does get compromised through phishing, we often see hackers picking up on an existing transaction between the hacked person and his or her bank, or between a hacked business and a vendor.”
He said in either case, hackers sends emails impersonating the victim asking the bank to transfer money or asking a vendor to make a payment for services to a fake account.
“Most of the time when we get involved our customer has been tricked into giving their bank username and password to someone,” he said.
One example was a local business owner who was nearly scammed out of thousands of dollars in a real estate transaction.
“They had all the information that we needed to verify them,” said Chase Phillips, co-owner of Utah-based American Secure Title. ”They had hacked into the client’s email and had been watching the email exchange between the client and their loan officer, the client and the bank, and the client and us. So they had all of the background on the transaction.”
He said the crooks also knew the client’s Social Security number and birthday. “They basically posed as the clients,” he said.
After finalizing the sale and preparing to initiate the funds transfer, the scammer called the office again to request some changes.
“After they closed and signed on the transaction, they called us back and said, ‘I gave you the wrong account information to close. I would actually like you to send the proceeds from the sale of my home to this different bank and here’s the new account.’”
The fraudster emailed new instructions and the company initiated the transfer. Fortunately, the bank making the transfer held up the transaction because it noticed the account the money was going to had only been established recently at a different bank, which was not standard business practice.
“We got lucky because the bank that was receiving that money happened to notice that the way the account was set up (and) their system red-flagged it as a fraudulent account, meaning it was set up at the last minute and then received a very large amount of money from an outside source being wired in,” Phillips explained. “So they held the money and called our bank to question it. Our bank called us and that’s when we realized it had gone to the wrong place.”
He said the criminals were so thorough and clever that it was nearly impossible to recognize anything was amiss. The company has since enhanced its transaction procedures to prevent future incidents.
But even after reporting the incident to the FBI, he said authorities were unable to pursue the case because such fraud is so rampant that they only investigate cases in which large amounts of money are lost.
Meanwhile, Stevens warns individual or business consumers to never share their bank username, password or Social Security number by email or phone with anyone, and if you receive a request for payment from a vendor that seems unusual, call someone you know and trust at that organization to verify the legitimacy of the request.
“We can’t stop people from clicking on fraudulent email links, so we’re trying to educate people as much as we can to realize the pattern,” he added.
Stevens noted that scammers have learned how to entice potential victims of all ages, thereby widening their pool of potential targets.
“We do see a lot of young people being victims as well. Usually that’s more related to schemes that are ‘get rich quick,’ where they’ve found ads for work from home by surfing internet,” he said. “(It’s) where someone is tricking them into becoming a money mule, which is someone who is unknowingly running money through the bank to launder it for someone who’s stolen it from somewhere else.”
Typically the younger generation who are more comfortable with technology are targeted with big money schemes, but they don’t realize they’re helping someone commit fraud. However, with people who are less comfortable with technology, they are usually targeted with more email fraud scams, he added.
Stevens also noted that cybercriminals are very smart and spend all of their time trying to come up with clever ways to trick consumers into taking the virtual bait.
“It’s not a part-time job for these guys, this is their job. They’re doing this all day every day and they’re gonna adapt just like everyone adapts every day at their job to what presents itself,” Stevens said. “These are really smart individuals that are using a lot of automated tools and they just spend their time being creative and figuring out what’s going to trigger the right behavior.”
“They don’t need to be right all the time. They can send thousands and thousands of emails, they just need to get one person who is either anxious about the contents of the email or not giving enough attention to what they’re reading or looking at,” he said. “They just need to catch them in a weak moment.”