Phishing scams used to steal banking information are on the rise. In the US alone, people lose over USD1 billion every year to relatively simple online scams. And no, it’s not senior citizens who “always fall for these tricks”. On the contrary, people under 30 are more likely to become victims. “Time to smarten up”, warns the #BanksNeverAskThat campaign.
Spike in Banking-Related Scams
Every day, thousands of people fall victim to phishing and other fraud. Young and old alike, digitally literate or not so tech savvy. Likewise, banks of all sizes are suffering significant losses. Moreover, it is not all about money. For banks, their reputation is also at risk. And for individuals, their livelihood as well as their identity is at stake, as phishing is often used for identity theft.
In that respect, it’s bizarre how people would never give their PIN, social security number or other sensitive information to a random person with an official-looking business card knocking at the door. And yet, it is somehow more normal, and certainly far easier, to do so during online interactions (phishing), or when pressured into it on the phone (vishing) or via SMS (smishing).
There has been a sharp increase in scams during the Covid-19 pandemic, especially in banking-related scams, since fraudsters are taking advantage of the coronavirus crisis. They focus on things people care about, or create a sense of urgency, banking, for example, on people’s precarious financial situation at the end of the month or on deadlines for benefits or government loans coming through, and then lure them into revealing sensitive information.
Scams Increasing in Variety and Sophistication
As more and more people become aware of scams, the scammers themselves have needed to improve their skills. The usual warning signs, like spelling and grammar mistakes, blurry copy-pasted logos, or suspicious attachments, might now be altogether absent. So, in some cases, unless individuals are paying close attention, it is easy to be fooled.
One of the more sophisticated scams that circulated this summer, for example, used extremely convincing emails that linked to a fake login screen resembling Bank of America’s login screen. The email was not a bulk email; it was socially engineered, and the lookalike website would pass most visual tests. It also used security challenge questions to add “legitimacy”. This meant the scammers not only gained access to victims’ bank accounts but, from then on, could also use the victims’ security question answers for subsequent scams.
Another example illustrates the scammers’ advanced phone skills, which they use to deceive people. Last year, a businessman named Pieter tweeted about a call he received from an unknown number. The woman on the line said she worked with the bank and told him someone had used his card in Miami. The woman asked if it was him. Pieter, who lives in San Francisco, said “No”. Next, the woman asked for his member number and said she would send a text with a “verification pin”. Shortly after, Pieter did receive a text from his bank’s real number. Not realizing it was a password reset code, he gave the code to the “friendly lady”. Moments later, the fraudster was in his account…
Take the #BanksNeverAskThat test
October is cybersecurity awareness month in the US. A good time for the American Bankers Association (ABA) to launch a new awareness campaign called #BanksNeverAskThat. This humorous and at the same time bold campaign helps customers identify phishing scams and thwart fraud. ABA partnered with approximately 1,500 banks across America in the development of this campaign.
Aside from videos, podcasts, and tips, there’s also a short quiz on the campaign website to make consumers more aware and test how “scam-proof” they actually are. US residents who take the quiz and share their results can also enter a sweepstake offering up to $1,000 cash.
Some typical scams?
- Individuals receive text messages saying their card ending in xxxx is locked, asking them to please “Reply with your pin” to reactivate the card
- Individuals receive emails that include their bank’s logo at the top and seem to come from their bank, urging them to click on a link to retrieve an important document or open the attached document
- A call from “the bank”. First, the “bank” asks if the last four digits of the individual’s credit card are indeed xxxx, suggesting they know them and just want to confirm the individual’s identity. Next, they ask for the individual’s birthday and social security number.
Communicating with the Bank
As a general rule, consumers should remember that banks never proactively call to ask for personal information like PINs, passwords, member numbers, or social security numbers. There are strict rules and protocols about this. Also, someone from a bank would never put pressure on consumers to verify or give up sensitive information.
The best approach when receiving unsolicited emails, phone calls, or text messages is a “zero trust” approach. Hang up, don’t click on a link, don’t text back, but call, email or contact the bank directly, using the number that’s on the back of the bank card, the official banking app already on the phone, or by typing in the bank’s website address directly in the browser.
It is also wise for everyone to familiarize themselves with the risks that come with online banking and the signs that show they are potential targets, and then take the necessary precautions.