The Federal Bureau of Investigation (FBI) has issued an alert on a new phishing scheme aimed at tricking victims into making money transfers to accounts controlled by cybercriminals.
As part of these attacks, the cybercriminals target users of digital payment applications with fake text messages pretending to be from legitimate financial institutions, asking customers to verify they has initiated instant money transfers.
“Cybercriminals are targeting victims with a sophisticated phishing and social engineering scam which results in victims unwittingly sending funds to the actors using digital payment apps. The actors take advantage of payment apps connected to bank accounts,” according to the FBI advisory.
If the recipient responds to the automated text message, the criminals – “who typically speak English without a discernable accent,” according to the FBI – call the victim from a number that appears to match the legitimate 1-800 support number for the financial institution.
[ READ: FBI Warns of BEC Scams Abusing Virtual Meeting Platforms ]
Claiming to represent the organization’s fraud department, the cybercriminals seek to establish credibility, after which they walk the victim through a process supposedly meant to “reverse” the fake instant payment transaction, the FBI warned
The threat actors engaging in these attacks appear to have extensive knowledge of the victim’s background information, including past addresses, Social Security numbers, the financial institution they are clients to, and the last four digits of their bank account numbers.
Using this information, customers are tricked into believing they are being walked through a legitimate process for retrieving stolen funds. The victim is asked to remove their email address from their digital payment app and to share it with the cybercriminals, who add it to a bank account controlled by the threat actor.
[READ: FBI Warns of Phishing Attacks Targeting US Election Officials ]
“After the email address has been changed, the actor tells the victim to start another instant payment transaction to themselves that will cancel or reverse the original fraudulent payment attempt. Believing they are sending the transaction to themselves, the victims are in fact sending instant payment transactions from their bank account to the actor-controlled bank account,” the Bureau explained.
The FBI is warning individuals of all types to be wary of unsolicited requests to verify account information, to contact their financial institution when such a request has arrived, to use multi-factor authentication (MFA) for all accounts, and to be skeptical of callers providing personally identifiable information as means of proving their legitimacy.
Related: FBI Warns of Phishing Attacks Targeting US Election Officials
Related: FBI Received 1,600 SIM Swapping Complaints in 2021
Related: Scams Involving Cryptocurrency ATMs and QR Codes on the Rise
