FBI: Payment app users targeted in social engineering attacks

The warning, published by the Federal Bureau of Investigation as a public service announcement on Thursday, says the attackers will call victims who respond to their phishing messages from phone numbers spoofing the banks' legitimate 1-800 support number.

"Under the pretext of reversing the fake money transfer, victims are swindled into sending payment to bank accounts under the control of the cyber actors," the FBI said.

The fake fraud alerts reference the payment amount and financial institution names and ask the targets to confirm if they tried to make instant payments of thousands of dollars.

If the recipients respond to the phishing SMS and deny ever making such a payment, they'll get a second text message saying they'll be contacted "shortly."

The scammers do call as promised, typically speaking English without an accent and claiming to represent the target's bank fraud department.

Victims asked to reverse fake payments

The end goal is to trick the victims into "reversing" the fake instant payment transaction by asking them to remove their email address from the payment app and attaching it to one under the attackers' control.

"The actor, after asking for the victim's email address, adds it to a bank account controlled by the actor. After the email address has been changed, the actor tells the victim to start another instant payment transaction to themselves that will cancel or reverse the original fraudulent payment attempt," the FBI explained.

"Believing they are sending the transaction to themselves, the victims are in fact sending instant payment transactions from their bank account to the actor-controlled bank account."

The exchanges between the fraudsters and their victims can span several days, showing the scammers' determination to pull off their social engineering attack.

The FBI also shared a list of precautions Americans using digital payment apps should be aware of to avoid falling victims to one of these scams:

• Be wary of unsolicited requests to verify account information. Cyber actors can use email addresses and phone numbers which may then appear to come from a legitimate financial institution. If a call or text is received regarding possible fraud or unauthorized transfers, do not respond directly.
• If an unsolicited request to verify account information is received, contact the financial institution's fraud department through verified telephone numbers and email addresses on official bank websites or documentation, not through those provided in texts or emails.
• Enable Multi Factor Authentication (MFA) for all financial accounts, and do not provide MFA codes or passwords to anyone over the phone.
• Understand financial institutions will not ask customers to transfer funds between accounts in order to help prevent fraud.
• Be skeptical of callers that provide personally identifiable information, such as social security numbers and past addresses, as proof of their legitimacy. The proliferation of large-scale data breaches over the last decade has supplied criminals with enormous amounts of personal data, which may be used repeatedly in a variety of scams and frauds.