In this attack, fraudsters are borrowing a tactic from an old tech support scam that eventually allows them to gain access to their victims' devices and bank accounts. They are calling their targets and claiming to be bank security officials who are just trying to help them by stopping some fraudulent or unauthorized activity that has been detected. The fact that these scammers are informing their victims of a possible crime and claiming that they are trying to prevent it from happening again tends to put the victims at ease and makes them more likely to cooperate. When they follow the criminals' instructions, they end up providing access to their bank accounts as well as any other sensitive data that may be stored on the devices they use for online banking.
How it works
Unlike some other social engineering scams designed to gain access to victims' bank accounts, this one requires very little information about the victim in order to succeed. A scammer calls the potential victim and claims to be a bank security official who has detected and stopped unauthorized or potentially fraudulent transactions before they could drain the victim's account. He presents himself as one of the good guys who has already saved the target from losing money. All he needs now is a little help from the victim to make sure it doesn't happen again.
In the old tech support scam, criminals convinced their targets to download remote access software to give the scammers access to their devices. Threat actors have realized that, because so many people are now doing their banking online, borrowing this tried and true tactic is a great idea. If they can convince their targets to download a remote access app, they may not even need to ask for their bank account information. They will instead be able to remotely use the victim's device to access the account and extract funds.
The criminal tells the victim that, in order to prevent unauthorized transactions in the future, an app needs to be installed on the device the victim uses for online banking. The fact that the scammer never asks for account credentials makes it even more likely that the target will cooperate. The remote access app used in the attacks reported thus far is AnyDesk, a legitimate remote support tool that runs on iPhone and Android devices as well as Windows PCs and Macs. It is available from official sources, including the App Store and Play Store, so nothing about the download itself looks suspicious; the victim installs a genuine, signed application and then hands the attacker the connection code it displays.
Once the app is installed and the connection is accepted, the attacker can see the screen and, on platforms that allow it, operate the device. That is enough to log in to the victim's banking app or site, authorize transfers and drain the accounts. One-time codes delivered to the same device by SMS or an authenticator app offer no protection here, because the attacker watches them arrive on screen. With this level of access, the criminal may also collect enough sensitive personal data to mount other attacks, up to and including identity theft, and can read the contact list to find new targets to call while posing as the device owner.
How to recognize this and other banking scams
Knowing how the vast majority of financial institutions handle instances of banking fraud will help you to avoid becoming a victim of this and other scams.
Typically, a bank will freeze an account and/or debit card when potential fraud is detected. This may be followed by an automated phone call or text message informing you of the action taken. A legitimate notice will tell you to call the bank's fraud line using the number on the back of your card or on the bank's official website; it will not ask you to install anything. If a message that appears to be from your bank includes a phone number or link to use, treat it as a possible scam. Call your bank on a number you already know to be valid or one taken from the bank's official site and describe the message. If it was genuine, they'll confirm it; if not, they'll want to know.
If you receive an email that appears to be from your bank warning you about suspicious account activity, be wary. Banks do not normally send information like this by email. Never reply to such a message, click a link in it, or open an attachment, which may carry a malicious payload. Instead, call your bank on a number you know to be valid, not one taken from the email.
Your bank will never ask you to provide your account password, nor a one-time code sent to your device as part of the multi-factor login process, and it will never ask you to install a remote access app so that staff can "secure" your device. If it really is your bank calling, they already have access to your account details and need none of these things. If someone on the phone asks for any of them, hang up and call the bank back on a number you trust; if you have already installed an app at a caller's request, disconnect the session, remove the app and contact your bank immediately.
Hopefully, armed with these details, you'll be able to protect yourself and your accounts from fraudsters.