If there’s one account you don’t want hacked, it’s your bank account. But you shouldn’t worry so much about hacks, because scams are the bigger threat.
In general, while far from perfect, banks are pretty good about security. Hacks and breaches are fairly rare in the grand scheme of things. When a bank account is drained, it’s often because the owner was careless and unwittingly gave away access (e.g. through ATM skimmers and wire-transfer con scams).
Two-factor authentication (2FA) using a one-time password (OTP) is supposed to protect your bank account, but scammers have found a way around it—by tricking you with a new phishing tactic. In this article, I explain how the scam works and how you can evade it.
How 2FA or OTP Protects Your Bank Account
2FA is simple: in order to access your account, you start by entering your password, which is your first factor, and then you confirm your identity using a second factor, such as a security question or a verification code (OTP) sent in a text message.
Text messages are the most common form of 2FA used today. The idea is that you can only log in to your bank account if you have the account password AND the phone with the right SIM to which the text message is sent.
2FA also comes into play when you want to change account details and settings, usually requiring you to log out and log back in after making a major change. Generally speaking, 2FA is awesome—it’s a lot harder to intercept SMS text codes than it is to brute force a weak password, so 2FA keeps you safer most of the time.
How The Scammers Operate
It starts with a phone call. You may or may not recognize the number, but it doesn’t matter because phone numbers can be spoofed.
When you pick up, the caller will say they’re from your bank, they’ve noticed a fraudulent charge on your account, and they want to help resolve the issue but first need to confirm your identity.
To do this, they’ll offer to send a confirmation code by text message and ask you to read the code back to them over the phone. They may do this two or three times, stating that the first one didn’t go through for some reason.
At this point, you might be suspicious, but because the call started with a suggestion of fraudulent charges on your account, you’ll feel compelled to stay on the line. After all, they are the ones being charged for the call.
The scammer reads off a handful of your most recent bank charges, then ends with a final non-existent charge.
You don’t recognize it, so you think it must be fraudulent. You let the scammer know. They reassure you that it’s okay, promise to reverse the charge, then send over one last confirmation code by text message. You read it back. That’s it, done!
Except the next time you log in to your bank account, you see that thousands have been drained from it (provided there was money in the account to begin with 😂) and now you need to contact fraud services.
See What Actually Happened
Every time you received a confirmation code, it was actually the scammer trying to access your bank account. When you read the code back to them, they typed it in and successfully passed your account’s 2FA/OTP check.
Once in, they can do things like change your username, change your password, change your phone number for 2FA, or even send money from your account to their account.
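The bank’s server can’t tell who typed a code, so the defenses on its side are to bind each code to the session and purpose that requested it, make it single-use and short-lived, put the purpose in the text message itself, and flag a burst of code requests like the one in the call above. The following is an added example written for this article, not the code of any real bank; the service, clock, account and session identifiers are all hypothetical, and the five-minute lifetime and three-codes-per-ten-minutes threshold are assumed policy values.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable

OTP_TTL_SECONDS = 300        # assumed policy: a code lives five minutes
MAX_ISSUES_PER_WINDOW = 3    # assumed policy: more than this per window is flagged
ISSUE_WINDOW_SECONDS = 600


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


@dataclass
class PendingOtp:
    code: str
    purpose: str      # what the code authorizes, e.g. "log in" or "approve a transfer"
    session_id: str   # only the session that requested the code may redeem it
    issued_at: float
    used: bool = False


@dataclass
class OtpService:
    """Hypothetical server-side OTP service (constructed for this example)."""
    clock: Callable[[], float] = FakeClock()
    pending: dict = field(default_factory=dict)    # (account, session_id) -> PendingOtp
    issue_log: dict = field(default_factory=dict)  # account -> timestamps of recent issues
    flagged: set = field(default_factory=set)      # accounts with a burst of code requests

    def issue(self, account, session_id, purpose):
        """Create a code for one session and purpose; return it with the SMS text."""
        now = self.clock()
        recent = [t for t in self.issue_log.get(account, []) if now - t < ISSUE_WINDOW_SECONDS]
        recent.append(now)
        self.issue_log[account] = recent
        if len(recent) > MAX_ISSUES_PER_WINDOW:
            self.flagged.add(account)   # the "send it two or three times" pattern
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(account, session_id)] = PendingOtp(code, purpose, session_id, now)
        sms = (f"Your code to {purpose} is {code}. It expires in 5 minutes. "
               "Our staff will never ask you for this code.")
        return code, sms

    def verify(self, account, session_id, purpose, submitted):
        """Accept a code only from the session and for the purpose it was issued for."""
        entry = self.pending.get((account, session_id))
        if entry is None or entry.used:
            return False
        if self.clock() - entry.issued_at > OTP_TTL_SECONDS:
            return False
        if entry.purpose != purpose:
            return False
        if not secrets.compare_digest(entry.code, submitted):
            return False
        entry.used = True                # single use
        return True


def check_bindings():
    """Exercise each check in verify(): session binding, purpose, single use, expiry."""
    clock = FakeClock()
    svc = OtpService(clock=clock)
    acct, sess = "acct-1", "sess-1"     # constructed identifiers
    code, _ = svc.issue(acct, sess, "log in")
    results = {
        "other_session": svc.verify(acct, "sess-2", "log in", code),
        "wrong_purpose": svc.verify(acct, sess, "approve a transfer", code),
        "correct": svc.verify(acct, sess, "log in", code),
        "replay": svc.verify(acct, sess, "log in", code),
    }
    code, _ = svc.issue(acct, sess, "log in")
    clock.advance(OTP_TTL_SECONDS + 1)
    results["expired"] = svc.verify(acct, sess, "log in", code)
    return results


def simulate_scam_call():
    """Replay the call from the article and report what the bank's side observes."""
    clock = FakeClock()
    svc = OtpService(clock=clock)
    account, scammer_session = "victim-acct", "sess-caller"   # constructed identifiers
    accepted = []
    for _ in range(3):   # "the first one didn't go through": three login codes
        code, _ = svc.issue(account, scammer_session, "log in from a new device")
        accepted.append(svc.verify(account, scammer_session, "log in from a new device", code))
        clock.advance(60)
    # the "reverse the charge" pretext is really a code for a transfer
    code, sms = svc.issue(account, scammer_session, "approve a transfer")
    accepted.append(svc.verify(account, scammer_session, "approve a transfer", code))
    return {"codes_accepted": accepted, "account_flagged": account in svc.flagged, "last_sms": sms}


if __name__ == "__main__":
    print(check_bindings())
    print(simulate_scam_call())
```

Run stand-alone, `simulate_scam_call()` shows the limit of the server-side checks: every code the victim reads aloud is accepted, because the scammer’s own session requested it. What the bank does gain is the burst flag on the fourth request and an SMS that says "approve a transfer" when the caller claimed to be reversing one, which is the cue for the customer to hang up.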
In order to pull this off, the scammer needs to know quite a bit:
- Your username
- Your password
- Your phone number
- Your recent charges
Unfortunately, these details aren’t difficult to obtain.
Now that you know these things, take heed lest you fall.