Consumers beware: amid the current economic uncertainty, scammers are finding unique and innovative ways to take advantage of others.
One of the latest examples is the rising concern over fraudsters tricking unsuspecting people into providing their login credentials through social engineering scams. Many of those impacted are members of credit unions that offer person-to-person payment (P2P) services like Zelle and Payzur.
Criminals know that credit unions use 2-step authentication to further verify a member's identity by sending a one-time pass code to the member's mobile device. These fraudsters have developed a social engineering attack that talks the member into reading that pass code back to them, and they then use it to log in to the member's account. Once they have access, the fraudsters change the contact information and password on the account so the real member is locked out and no longer receives alerts. Note that the pass code itself is genuine; it proves that whoever enters it can read the member's texts, not that the member intended the transaction.
Here are more details on how the scam works:
- A criminal may call you, spoofing the credit union's phone number so the call appears to come from the credit union. The person on the phone falsely claims to be from the credit union's fraud department and to be calling to verify suspicious transactions.
- To "verify the member's identity," the fraudster explains that a pass code will be sent by text message and that the member must read the pass code back over the phone.
- The fraudster then performs an action on the member's account that triggers a real 2-step authentication pass code, such as using the "forgot password" feature or initiating a P2P transaction. The credit union sends the pass code by text or email to the member, who, in turn, provides it to the fraudster.
- The fraudster uses the pass code to log in to the member's account and uses the P2P feature to transfer funds out.
Although this new scam is very disturbing, there are ways to combat and fight back against these criminals. Below are ways that Signal Financial and other credit unions are fighting against social engineering scams:
- Implementing waiting periods, such as 2 days, before newly enrolled members may use P2P.
- Implementing lower daily limits for new users for the first few P2P transactions to reduce the risk exposure.
- Delaying transfers following a password change. Password changes are a common indicator of an account takeover.
- Blocking P2P tokens that are found to be fraudulent. A P2P token refers to the email or mobile number of the intended recipient of the transfer.
- Using a real-time fraud monitoring solution that can flag a password change from an unrecognized device, enrollment in P2P immediately after that change, and the addition of a new recipient token, and hold the transfer for review when these signals occur together.
- Including a statement in texts and emails containing the pass code, such as, “If you did not request this pass code call the credit union immediately. Don’t share this pass code with anyone. Credit union employees will never ask for this pass code.”
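To show how the controls in the list above fit together as transfer-time policy, here is an added example in Python. It is not Signal Financial's code nor any P2P vendor's; the 2-day waiting period comes from the list, while every other threshold (first-transfer count, limits, the 24-hour hold after a password change, the 1-hour "immediate enrollment" window, the number of signals that triggers a hold) is an assumed value, and the member, transfer and blocklist data are constructed. It evaluates a legitimate transfer and the account-takeover pattern described above (password reset from the fraudster's device, immediate P2P enrollment, new recipient token).

```python
"""Illustrative P2P transfer risk policy. Added example, not credit-union or vendor code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

ENROLLMENT_WAIT = timedelta(days=2)         # from the list: 2-day wait for newly enrolled members
NEW_USER_TXN_COUNT = 3                      # assumed: first 3 transfers get the lower limit
NEW_USER_LIMIT = 500.00                     # assumed
STANDARD_LIMIT = 2500.00                    # assumed
PASSWORD_CHANGE_HOLD = timedelta(hours=24)  # assumed: delay transfers after a password change
ENROLL_AFTER_RESET = timedelta(hours=1)     # assumed: what counts as "immediate" enrollment
REVIEW_SIGNALS = 2                          # assumed: monitoring signals needed to hold for review


@dataclass
class Member:
    member_id: str
    p2p_enrolled_at: datetime
    completed_p2p_count: int
    known_tokens: FrozenSet[str]                 # recipient emails/phones used successfully before
    password_changed_at: Optional[datetime] = None
    password_change_device_known: bool = True    # False = change came from an unrecognized device


@dataclass
class Transfer:
    member_id: str
    amount: float
    recipient_token: str        # email or mobile number of the intended recipient
    requested_at: datetime


@dataclass
class Decision:
    action: str                 # "allow", "hold" or "block"
    reasons: List[str] = field(default_factory=list)


def evaluate_transfer(member: Member, transfer: Transfer, blocked_tokens: FrozenSet[str]) -> Decision:
    token = transfer.recipient_token.strip().lower()
    blocks, holds, signals = [], [], []

    # Blocking P2P tokens found to be fraudulent.
    if token in blocked_tokens:
        blocks.append("recipient token on fraud blocklist")

    # Lower limit for the first few transfers of a new user.
    limit = NEW_USER_LIMIT if member.completed_p2p_count < NEW_USER_TXN_COUNT else STANDARD_LIMIT
    if transfer.amount > limit:
        blocks.append(f"amount {transfer.amount:.2f} exceeds limit {limit:.2f}")

    # Waiting period after P2P enrollment.
    if transfer.requested_at - member.p2p_enrolled_at < ENROLLMENT_WAIT:
        holds.append("inside P2P enrollment waiting period")

    # Delay transfers following a password change, plus the real-time monitoring
    # signals: unrecognized device, enrollment right after the change, new token.
    if member.password_changed_at is not None:
        if transfer.requested_at - member.password_changed_at < PASSWORD_CHANGE_HOLD:
            holds.append("transfer within hold window after password change")
        if not member.password_change_device_known:
            signals.append("password changed from unrecognized device")
        enroll_delay = member.p2p_enrolled_at - member.password_changed_at
        if timedelta(0) <= enroll_delay <= ENROLL_AFTER_RESET:
            signals.append("P2P enrolled immediately after password change")
    if token not in member.known_tokens:
        signals.append("new recipient token")

    if blocks:
        return Decision("block", blocks)
    if holds or len(signals) >= REVIEW_SIGNALS:
        return Decision("hold", holds + signals)
    return Decision("allow", signals)


# Constructed sample data.
NOW = datetime(2020, 6, 1, 12, 0)
BLOCKED_TOKENS = frozenset({"mule@example.com"})   # would come from confirmed fraud cases

LEGIT = Member("M1", NOW - timedelta(days=30), 12, frozenset({"friend@example.com"}),
               NOW - timedelta(days=90), True)
# The scam pattern: "forgot password" from the fraudster's device, P2P enrolled minutes
# later, then a transfer to a token the member has never used.
TAKEOVER = Member("M2", NOW - timedelta(minutes=10), 0, frozenset(),
                  NOW - timedelta(minutes=15), False)


def run_samples() -> dict:
    return {
        "legit": evaluate_transfer(LEGIT, Transfer("M1", 150.00, "friend@example.com", NOW), BLOCKED_TOKENS),
        "takeover": evaluate_transfer(TAKEOVER, Transfer("M2", 450.00, "cashout@example.com", NOW), BLOCKED_TOKENS),
        "over_limit": evaluate_transfer(TAKEOVER, Transfer("M2", 900.00, "cashout@example.com", NOW), BLOCKED_TOKENS),
        "blocked_token": evaluate_transfer(LEGIT, Transfer("M1", 50.00, "Mule@example.com", NOW), BLOCKED_TOKENS),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:14s} -> {decision.action:5s} {decision.reasons}")
```

The takeover transfer is held on two independent grounds (enrollment waiting period and post-password-change delay) before the monitoring signals are even counted, which is the point of layering: the fraudster holds a valid pass code and a valid session, so the only remaining defense is friction and time applied to the actions an account takeover needs, not to the login itself.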