A notorious group of hackers has been found targeting customers of banks with phony fraud alerts and stealing thousands of dollars from their bank accounts. The scam first came to light in August; a dozen cases were reported across the U.S. 

What’s the story?

This time, potential victims are the customers of Bank of America and JPMorgan Chase; both have invested in Zelle mobile banking app.
  • In the latest scam, fraudsters are reportedly creating a false sense of security while convincing victims to act immediately against a pending payment via Zelle. 
  • Upon being defrauded, victims have claimed little or no help from the banks. According to Zelle, it's up to the individual banks to handle claims of fraudulent transactions.

How does the scam work?

Scammers send a fake request to withdraw or transfer a large amount of sum from their bank account into their Zelle account.
  • Irrespective of how people respond (Yes or No), they will receive a spoofed call from scammers pretending to be from the financial institution’s fraud department.
  • Under the pretense of verifying identity, scammers make them spill their personal banking details, which is often followed by forgot password feature.
  • In this ongoing fraud, several victims have lost thousands of dollars to scammers.

Recent events concerning the banking sector

Banks naturally make a lucrative target for cybercriminals. According to Nokia, there has been an 80% year-on-year rise in the number of new banking trojans in H1 2021 with the criminals’ key focus on Android phones. 
  • BrazKing Android banking Trojan, which is an ongoing development and developed by local actors, is targeting Brazilian banking customers via phishing.
  • A new Android banking trojan, dubbed SharkBot, was discovered by Cleafy and ThreatFabric. Active at least since October, the malware has targeted users of 27 banking and cryptocurrency apps in the U.K, the U.S., and Italy to exfiltrate funds.
  • Unpatched vulnerability is another threat hounding banking sectors. India’s one of the top banks allegedly risked the critical financial and personal data of about 180 million customers owing to an unpatched flaw.

Govt wants to help with a new rule

U.S. federal banking regulators have recently approved a new rule mandating banks to notify the federal regulators of major cybersecurity incidents within 36 hours. The new rule is designed to raise awareness of emerging threats targeting banking firms and the broader U.S. financial system. It will help the federal bank regulatory agencies to understand, analyze, and prepare a robust strategy to counter these increasing and accumulating threats before they become systemic.

Stay safe

For now, here are some safety tips to prevent yourself from falling into on-call frauds:
  • Do not give out your authentication and security codes to strangers.
  • Set a unique password for each service; use a password manager (highly recommended).
  • Whenever a bank or any other financial institution approaches you asking for validation, hang up and call back your bank.

Cyware Publisher