The United States Federal Bureau of Investigation (FBI) issued an advisory concerning so-called “reverse” instant payment phishing schemes. Users of online payment applications or services are being targeted with a scam text message that asks them to confirm an instant money transfer. An example of one of these scam text messages is below.
“Free Msg- (Insert financial institution name here) Bank Fraud Alert- Did You Attempt an Instant Payment in the amount of $5,000.00? REPLY YES or NO or 1 To STOP ALERTS”
Attempting to deny the transfer by responding to the text initiates a call that spoofs the legitimate 800 support number for the financial institution.
“Our fraud specialist will be contacting you shortly”
The threat actors, who “speak English without discernible accent,” then seek to establish credibility with the user and often appear to have extensive knowledge of the targeted user’s background information, including the last four digits of bank accounts, social security number (SSN), and prior addresses. These criminals then lead the user to initiate a payment transaction to themselves that will “cancel” or “reverse” the original purported fraudulent payment. This transaction enables the threat group to send funds from the targeted user to a bank account controlled by the threat group.
Due to widespread data breaches committed over the last few years and the continued evolution of underground criminal data markets, organizations and individuals should assume that a threat group targeting them has an enormous amount of personal information prepared. As such, contact with a trusted financial institution should always be initiated by the individual, via the institution’s original website or other verified documentation, such as a service number on a physical card or prior account statement. In addition, enabling multi-factor authentication (MFA) for all financial accounts will diminish the ability of threat actors to initiate unauthorized payments. Moreover, consumers should be educated never to initiate new transfers in the case of financial transfer errors or criminal activity.