Fraudsters are now deploying sophisticated, two-step social engineering attacks against members starting with a SMiShing (SMS text phishing) campaign. Followed by a vishing (phishing via phone calls) attack against Credit Union members who provided the requested information from the SMiShing campaign. The typical sequence of events is:
- Member receives a text message alert appearing to come from the credit union warning them of suspicious transactions on their account. The member is conned into providing online banking login credentials, debit card numbers, PINs, expiration dates and CVV/CVC codes.
- The fraudster calls the member from a spoofed phone number appearing to originate from the credit union. The fraudster cons the member into triggering an OTP event for online banking which is sent to the member via text message and the member provides the OTP to the fraudster.
- With the info in-hand, the fraudster successfully logs into the member’s account using the login credentials and OTP. The fraudster then uses P2P to transfer funds out of the member account. A variation of this scam involves fraudsters calling the credit union and impersonating members to change the member’s mobile phone number used to transmit OTPs. This allows the fraudsters to intercept the OTPs.
Scams cheat older Americans out of almost $3 billion a year.
It hit one of our own recently and thankfully everyone did the right thing. Listen to our latest Podcast to hear the true-life story of a Senior that was approached by a phone scammer. How they got her grandsons name and the one thing she did that saved her from becoming a victim. Watch the video above to view the interview.
