A new and insidious phishing scheme has recently arisen that tries to trick bank customers into giving out valuable personal data over the phone. In one scenario, a man was shocked to receive a call from his bank saying that a criminal had used his debit card to make withdrawals from his account. The caller asked the man for personal information, including his PIN, saying it was needed to verify his identity. What the man didn’t realize was that the caller was actually the criminal, who was using an elaborate phishing scheme to steal his banking information.
Scammers use phishing emails, texts or phone calls to pose as someone you know or trust — such as a bank representative — and trick you into revealing your personal information. They then use that information to commit financial fraud.
Such bank scams are common — and increasingly sophisticated. Last year, the FTC received more than 535,000 complaints about imposter scams. Nearly $50 million in losses were recorded, according to the FBI’s 2018 Internet Crime Report.
It’s important to know the signs of a phishing attack and the steps to take to prevent yourself from falling victim to one.
How phishing scams work
In most phishing schemes, fraudsters tell a compelling story to pull you in. They might say that your financial information was compromised or that you need to click a link to make a payment and avoid a penalty. They will often pressure you to act quickly.
The man who received the call from his supposed bank is a perfect example. The caller who pretended to be a bank representative said some suspicious withdrawals had been made on his account, so the man was understandably concerned.
Here are the steps the fake bank representative took to get him to reveal his personal information: First, she asked for his bank account number to “verify” his identity; he immediately provided it. Then she used the account number to prompt the man’s bank to send him an actual verification number a few seconds later and asked him to read it back. When he did, she was able to access his bank transactions and read those back to him.
As this scenario shows, the fraudster presented a convincing situation that needed a rapid response. By coaxing bits of information out of the man, she was able to give the impression that she was actually with the bank.
Thankfully, the man had a sense that something was wrong when the caller asked for his PIN. He hung up and called his bank. They told him that they had not contacted him and that nothing was wrong with his account.
How to protect yourself
First, know the types of things your bank may ask you — such as your account number, Social Security number or mailing address — if they contact you about a potential issue. They may also ask if you have used your credit or debit card on specific dates or at specific locations to identify if fraudulent activity occurred.
However, your bank won’t ask for personal information like your debit card PIN, online banking password or one-time passcode (OTP, also known as a two-factor authentication code).
Other possible phishing red flags:
- The caller says you were selected for a prize or special offer, but you have to pay or give information to receive the prize.
- The caller threatens you or demands you pay them with gift cards, cryptocurrency or money wires.
Please note that even if your caller ID shows a bank number you recognize, that doesn’t mean the call is coming from the bank. Scammers can use technology to display a fake number.
The best way to confirm whether a call is legitimate is to contact your bank using a verified number, which you can find on the back of your credit or debit card or on your bank’s official website.
What to do if you’ve been scammed
If you think you may have been compromised by a phishing scam, take immediate action:
- Contact your bank and tell them what happened.
- If you gave out your username, password or account number, change it right away.
- If you’ve had contact from a suspected scammer, file a report with the FTC.
- If you gave out your Social Security number to a scammer, go to gov for remediation steps. The site provides a trove of information for consumers to read after they’ve fallen victim to identity theft.
- If you divulged your Social Security number or other personally identifiable information during a scam, contact the three major credit reporting agencies and have a fraud alert or credit freeze put in place:
  - Equifax: (800) 685-1111 or com/personal/credit-report-services/
  - Experian: (888) 397-3742 or com/help/
  - TransUnion: (888) 909-8872 or com/credit-help
Phishing scams are rampant, and anyone can become a target. Exercising caution when anyone asks for your personal banking information will significantly reduce your risk of becoming a victim.
Learn more with First Republic’s fraud prevention resources, or contact a banker to ensure that your personal or business cybersecurity plan is complete.
