Protect Yourself from Fraud: Understanding Sophisticated Attacks
Fraudsters are now deploying sophisticated, two-step social engineering attacks against members starting with a SMiShing (SMS text phishing) campaign. Followed by a vishing (phishing via phone calls) attack against Credit Union members who provided the requested information from the SMiShing campaign. The typical sequence of events is:
Protect Yourself from Fraud: Recognize the Sequence of Events
- SMiShing Attack: The member receives a text message alert appearing to come from the credit union warning them of suspicious transactions on their account. The member is conned into providing online banking login credentials, debit card numbers, PINs, expiration dates, and CVV/CVC codes.
- Vishing Attack: The fraudster calls the member from a spoofed phone number appearing to originate from the credit union. The fraudster cons the member into triggering an OTP (One Time Password) event for online banking, which is sent to the member via text message. The member provides the OTP to the fraudster.
- Account Breach: With the info in-hand, the fraudster successfully logs into the member’s account using the login credentials and OTP. The fraudster then uses P2P to transfer funds out of the member account. A variation of this scam involves fraudsters calling the credit union and impersonating members to change the member’s mobile phone number used to transmit OTPs. This allows the fraudsters to intercept the OTPs.
Protect Yourself from Fraud: The Impact and a Real-Life Example
Scams cheat older Americans out of almost $3 billion a year. It hit one of our own recently and thankfully everyone did the right thing. Listen to our latest Podcast to hear the true-life story of a Senior that was approached by a phone scammer. How they got her grandsons name and the one thing she did that saved her from becoming a victim. Watch the video above to view the interview.
Additional Resources
For more information on how to protect your personal and financial data online, visit our Fraud Alerts page.