In its December 2020 publication In the Wake of Covid-19, the Association of Certified Fraud Examiners found that 79 percent of respondents had seen rising fraud levels in the final months of 2020. Some 90 percent expected a further increase during 2021. The most serious areas of concern were cyber-fraud, including business email compromise, where 85 percent of respondents reported an increase, and payment frauds, where 72 percent saw an increase.
What is Banking Fraud?
Banking fraud is constantly evolving as conditions change, creating new vulnerabilities for banks and opportunities for fraudsters. Staying abreast of this moving target is essential if banks are to find solutions that can spot and prevent such scams, especially given the effects of the pandemic on the banking fraud landscape. Below are the common methods criminals use to defraud banks and their customers, something everyone should know about going forward. We classify the different types of fraud according to whether the payment is initiated by unauthorized or authorized parties. In our view this is the most relevant classification system to use, since this distinction directly affects the level of liability that banks face.
How do Bank Scams Work?
Scammers can never access your bank account without your help. Therefore, a bank scam starts the moment the link is established between you and the scammer. Here are some of the common ways a bank scammer will target you:
- Send you fake checks that legally bind you to some action.
- Send a spam email or fake text message that asks you to respond with a log-in code or that carries a link to download malware.
- Get you to share your credit card number or bank account information on a phishing website.
- Pretend to be a bank representative and ask for your account number over the phone.
- Try to gain remote access to your online banking platform through malware or viruses.
- Buy your banking information on the Dark Web.
The good news is that in most cases, you’re in control of what bank scammers can steal. The more you understand how they try to pull off bank scams, the more secure your account information and money will be.
Top Types of Bank Scams
1. Bank insider frauds
Insiders can be bank employees or staff employed by IT vendors working with the bank. Because these people have detailed knowledge of the bank’s internal systems, this fraud can be difficult to detect and can continue for long periods unless a robust fraud-monitoring system is in place.
Insiders exploit user privileges to access victims’ accounts directly, or to transfer funds from the bank’s internal payment accounts into accounts belonging to customers. The ACFE survey mentioned in the Introduction revealed that 48 percent of banks and financial service providers had seen an increase in internal fraud. Shockingly, 71 percent expected to see it increase further in 2021 – nearly a quarter expected a “significant” increase.
2. Phishing scams
Millions of fake official emails or text messages from banks, companies, delivery agents, tax authorities, health services, and many other sources are sent every day. The emails contain links that, once clicked by an unwary victim, automatically download and install a piece of malware on their device which gathers personal information needed for an account takeover.
Phishing attacks surged after Covid-19 lockdowns began in March and April 2020. More than 8,000 involved criminals impersonating the police or a bank, a jump of 94 percent. The scams included fraudsters sending emails or text messages pretending to be from government departments and offering grants related to Covid-19.
3. Man in the middle/pharming scams
A hacker obtains sensitive information transmitted between two other parties online. This can happen when the victim is intercepted trying to log in to their online or mobile banking service, allowing their log-in information to be harvested.
4. Online Lending Scams
If you’re in a fix and can’t get a loan from your bank, you may be tempted to try an online lender. But many of these services are really just trying to scam you online. Bank scammers will set up fake websites designed to commit loan fraud or email you with a “special offer”. When you apply, they’ll ask for sensitive information like bank details or Social Security numbers. Once they have access to this information, they can open real loans in your name or provide you with a false loan and request payment right away. Only after you pay do you realize the loan was fraudulent.
5. Technical support scam
Fake technical support staff call the victim, who is told that there is a problem with their software. The victim is duped into giving the caller control of their computer remotely, sometimes with the help of personal information about them gathered via social engineering. The fraudster is then able to gain access to their computer and steal confidential information. Action Fraud in the UK said it received almost 15,000 reports of tech support fraud in the 12 months to November 2020, with a total of £16 million defrauded from victims who were duped into installing remote-access software.
6. Government Impostor Scams
Americans fend off over 3 billion spam phone calls a month. And a large number of them are scammers pretending to be from a government or law enforcement agency like Medicare, the FBI, or the IRS. During these calls (or emails or texts), the imposter will threaten you with jail time for outstanding debts that require you to pay with a gift card. Or, they might claim you’ve won a prize that requires payment of taxes or fees before they can process it. Either way, the scammers either get money or your personal information they can use for other types of financial fraud. For examples of other government imposter scams, check out usa.gov. Remember, the government and your bank will never ask for personal information in an email or text. If you’re unsure, hang up and call back on the official agency phone number.
7. Mobile SIM-swap frauds
Stealing mobile numbers via SIM swap is a key fraud vector in the developing world, because the primary way most people access mobile banking is via their mobile phone number. Their mobile number is connected to their bank account and is used to verify their identity – most banks also use this phone number as the primary 2FA implementation mechanism.
The victim receives a call from a fraudster pretending to represent a telco to check account details. Using the personal information obtained, the fraudster poses as the victim and contacts their mobile service provider to have their number transferred to a new SIM in a device the gang controls. This gives access to the victim’s mobile wallet and can even allow the fraudster to attempt to reset the victim’s mobile banking security data and access their account.
8. Account takeover resulting from social engineering and telephone scams
Even well-known, unsophisticated techniques such as telephone frauds, which date back decades, continue to be extremely effective, especially when combined with basic social engineering using information about the victim that is easily found online. This type of scam can involve callers pretending to be agents working for a wide variety of organizations, such as the victim’s bank or the tax authorities. Victims are persuaded to disclose their banking credentials, allowing the criminals to take control of their account.
Must-Learn Tips to Avoid Bank Scams (Free but Useful)
1. Secure your devices with RealCall app
If you get a cold call trying to sell you something, ignore it. Robocalls are usually illegal. If you get an unwanted call, use the RealCall app, which also avoids offers that come through text or an unexpected email, based on a strong number database and continuous iteration of blocking rules.
2. Carefully assess any messages claiming to be your bank
You can better recognize phishing emails once you understand how banks communicate with customers. There are certain things legitimate banks never do. If you get a message like that, assume it’s fraudulent. Some other tips include:
- Calling: Banks or other financial institutions don’t call for your PIN or checking account number. Never provide this over the phone. Call your bank directly using the phone number on your credit card or bank statement if you want to confirm.
- Email: Your bank has no reason to email you for account information it already has. If you receive an email asking you to click a link or provide account information, assume it’s fraudulent. Don’t click any links and mark the email as spam.
- Text messages: If a message appears to be from your bank asking you to sign in or enter your PIN, it’s a scam. Banks never ask customers for this information by text.
- Urgent action: A common theme in phishing emails is the urgent call to action. Cybercriminals want to scare you into acting immediately without thinking. The email says there was suspicious activity on your account, and you should log in immediately to avoid having it frozen or closed. No legitimate business would close a customer’s account without giving reasonable notice. Contact your bank through your normal channels to check your balance and account activity if you aren’t sure.
- Typos: Misspelled words and grammatical errors are another red flag. Major corporations have professional editors to make sure the content is correct.
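The checks in the list above can be applied mechanically to a saved message. The following is an added example, not part of the original article: it flags an urgent call to action, a request for account secrets, and links that do not lead to the bank's official site. The domain examplebank.test, the keyword lists and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: the bank's real domain, as printed on a card or statement.
OFFICIAL_DOMAIN = "examplebank.test"

# Assumed keyword lists covering the red flags named in the tips above.
URGENT = re.compile(r"\b(immediately|urgent|within 24 hours|frozen|closed|suspended)\b", re.I)
ASKS_SECRET = re.compile(r"\b(pin|password|account number|log-?in code|one-time code)\b", re.I)
LINK = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message, not a real phishing email.
SAMPLE = """\
From: Example Bank <alerts@examplebank-secure.test>
To: customer@mail.test
Subject: Suspicious activity on your account

We detected suspicious activity. Log in immediately to avoid having your
account frozen: http://examplebank.test.verify-login.test/signin
Reply with your PIN to confirm your identity.
"""

def is_official(host):
    """True only for the official domain or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def red_flags(raw):
    """Return the list of red flags found in a raw single-part text email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    if URGENT.search(text):
        flags.append("urgent call to action")
    if ASKS_SECRET.search(text):
        flags.append("asks for account secrets")
    for url in LINK.findall(body):
        host = urlparse(url).hostname
        # A bank name at the start of the host proves nothing; the suffix decides.
        if not is_official(host):
            flags.append(f"link leaves official site: {host}")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("-", flag)
```

The link in the sample begins with the bank's name, yet it belongs to a different site, which is why the check compares the end of the host name rather than searching for the bank's name anywhere in the address.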
3. Create strong passwords and update them regularly
At some point, almost everyone has used the same password for different websites. But this is one of the simplest ways for hackers to get into your accounts. If they figure out the password for one, they can sometimes access your other accounts.
The most common passwords are:
Use unique passwords for each website. They should be 12 characters long and include numbers, lowercase letters, uppercase letters, and symbols. McAfee Total Protection includes a password manager to help generate and store your passwords in a single location.
4. Always make sure you’re on the bank’s official website/app
If you get an email about an issue with your bank account, you can always go directly to your bank’s website. Don’t click any links in a text or email — just go directly to your bank’s website to check your account. Similarly, if you get a phone call, dial your bank directly using the official telephone number. Use two-factor authentication when logging into websites for your financial institutions. You’ll get a one-time code by text or email to use each time you log into your account.
5. Check your bank statements regularly
Review your bank statements carefully each month to ensure there are no unauthorized transactions. Contact your bank immediately if you see any payments or withdrawals that you don’t recognize.
What should be done to Minimize Your Loss if you’ve Already Suffered from a Bank Scam?
1. Don’t pay any more money
This may sound obvious, but some schemes use the promise of large returns to persuade victims to send one fee after another, even when the victims suspect something is wrong. These fee frauds have increased significantly online in recent months. Typically, legitimate brokers will deduct fees and commissions from your account, and not demand more money to release your earnings or principal. U.S. brokers will never withhold or collect taxes.
Also, be on the lookout for recovery frauds. These frauds target recent victims and claim to be able to get the stolen money back if the victims first pay an upfront fee, “donation,” retainer, or back taxes. The perpetrators of these advance-fee frauds often pose as government officials, attorneys, or recovery companies. Learn more about the warning signs of recovery frauds.
2. Collect all the pertinent information and documents
While the events are still fresh in your memory, develop a timeline and collect documents and information that could help when it comes time to report or investigate the fraud. Write down conversations you had with the fraudsters with the approximate dates and times they took place. Documents and information to collect and keep include:
- Names, titles, or positions used by the fraudsters.
- Social media profiles, group posts, chats, or other online interactions.
- Website addresses and screen shots.
- Emails and email addresses. Save these electronically, or print them out with the full header information. (Your email provider or a web search can describe how to capture header information.)
- Phone numbers you used to contact them.
- Account information, statements, trade confirmations, disclosures, and sales materials.
- If credit cards were used, include the receipts or statements.
- Exchanges of digital currencies, such as bitcoin.
- Records of other forms of payment including cancelled checks or receipts for wire transfers, money orders, or prepaid cards.
- Any correspondence received, including envelopes.
3. Protect your identity and accounts
If you provided payment information to the fraudsters, take the steps necessary to block access to your accounts and protect against identity theft.
Credit cards. If you used credit card information in the fraudulent transaction, contact your card issuers immediately to make a fraud report. As part of the process, you may be required to get a new account number.
You may also want to contact one of the three national credit reporting companies (below) and ask that it place a fraud alert on your credit file. The credit reporting company you contact will automatically report the fraud alert to the other credit reporting companies. A fraud alert will notify potential creditors to verify your identity before extending additional credit in your name. Placing a fraud alert is free and typically lasts up to one year or until you ask for it to be removed.
You can also request a free security freeze. A security freeze restricts access to your credit file, making it harder for identity thieves to open accounts in your name. You will have to contact each credit reporting company to place a freeze. A security freeze will not be lifted unless you request it.
4. Report the fraud to authorities
Tell us if you believe you were victimized by a fraud that involved commodity futures, options on futures, swaps, commodity pools, binary options, foreign exchange, digital assets, or other derivatives. If you have experienced other types of fraud and don’t know where to send your complaint, the Department of Justice has a directory that can help. Also, federal agencies work closely together and will forward your complaint to the appropriate agency.
If the fraud occurred in your local community, you could also report the matter to the police and your district attorney. You may need to file a police report if you plan to file an insurance claim for fraud losses. Also contact your state financial regulator or attorney general. State authorities may choose to bring actions in state court.