One of the most prevalent methods for hackers to gain access to bank accounts is to drain the victim's assets via Zelle, a "peer-to-peer" (P2P) payment service utilised by many banking institutions that allows users to send money to friends and family instantly. Naturally, many of the phishing scams that lead up to these bank account takeovers start with a counterfeit SMS from the target's bank alerting them to a suspected Zelle transfer.
The text message states that someone has attempted to withdraw a substantial sum from the recipient's bank account and send it through Zelle. It asks the recipient to reply "Yes" or "No," or "1" to decline. Whichever option is chosen, the recipient is promptly called by someone posing as a bank official. The incoming phone number is frequently spoofed so that the call appears to come from the person's bank.
The scammer asks for the customer's online banking username and then instructs them to read back a passcode delivered by text or email to "verify their identity." In reality, the fraudster has started a process on the financial institution's website, such as the "forgot password" option, that causes the bank to send the customer a one-time authentication passcode; reading it back hands the fraudster the code needed to finish the reset.
Ken Otsuka is a senior risk consultant at CUNA Mutual Group, an insurance company that offers financial services to credit unions. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?”
“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’”
Once the scammer has control of the bank account, they move money out in a series of transfers to other accounts until the customer's funds are drained. When the victim realises what has happened, they typically contact their bank right away. Unfortunately, most consumers who fall victim to this type of direct-contact phishing fraud quickly discover that many banks say they are unable to help recover the stolen funds. The banks argue that the transaction was initiated by the customer and therefore does not fall under Regulation E's "unauthorised transaction" protection.
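The takeover sequence described above (a password reset triggered by the fraudster, the passcode read back by the victim, then a new P2P recipient and outbound transfers) leaves a recognisable trail in a bank's own event logs. The following is an added example of fraud-scoring logic over that trail; it is not code from the article, from Zelle, or from any bank, and the event fields, device fingerprints, timestamps and threshold are all constructed assumptions.

```python
"""Score the reset-then-drain pattern in authentication and payment events.

Added example. `device` is a hypothetical device fingerprint; the events
below are constructed sample data, not real bank logs.
"""
from datetime import datetime, timedelta

# Constructed event log for one customer. "dev-known" is the only device
# the customer has previously enrolled.
EVENTS = [
    {"t": "2023-03-01T14:02:10", "type": "reset_requested", "device": "dev-unknown-7f"},
    {"t": "2023-03-01T14:03:05", "type": "otp_verified", "device": "dev-unknown-7f"},
    {"t": "2023-03-01T14:05:40", "type": "p2p_recipient_added", "device": "dev-unknown-7f"},
    {"t": "2023-03-01T14:06:12", "type": "p2p_transfer", "device": "dev-unknown-7f", "amount": 2400},
]
KNOWN_DEVICES = {"dev-known"}


def _ts(event):
    return datetime.fromisoformat(event["t"])


def score_session(events, known_devices, window=timedelta(minutes=30)):
    """Return (score, reasons) for one customer's events.

    Each step of the pattern adds one point: a reset from an unrecognised
    device, the reset completed via OTP, a new P2P recipient, and a P2P
    transfer, all inside `window` of the reset request. A legitimate
    reset from a known device with no payment activity scores at most 1.
    """
    events = sorted(events, key=_ts)
    score, reasons = 0, []
    for reset in (e for e in events if e["type"] == "reset_requested"):
        start, end = _ts(reset), _ts(reset) + window
        later = [e for e in events if start <= _ts(e) <= end]
        types = {e["type"] for e in later}
        if reset["device"] not in known_devices:
            score += 1
            reasons.append("password reset requested from unrecognised device")
        if "otp_verified" in types:
            score += 1
            reasons.append("password reset completed with one-time passcode")
        if "p2p_recipient_added" in types:
            score += 1
            reasons.append("new P2P recipient added shortly after reset")
        if "p2p_transfer" in types:
            score += 1
            reasons.append("P2P transfer shortly after reset")
    return score, reasons


def should_hold_transfer(events, known_devices, threshold=3):
    """Assumed policy: hold the transfer for a callback when score >= threshold."""
    return score_session(events, known_devices)[0] >= threshold
```

Applied to the constructed events, the session scores 4 and the transfer is held; the same reset from an enrolled device with no payment activity scores 1 and passes.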