Scammers Are Using This Low-Tech Tactic to Access People's Bank Accounts
Digital scams reported by banks rose tenfold during the first three quarters of 2024 compared to the same time frame last year. And while scammers are getting more clever, they’re not exploiting new technology so much as they are taking advantage of low-tech human error.
That's according to a recent report from cybersecurity firm BioCatch, which studied data from 170 banking institutions in the U.S. and Canada.
The report, released last month, distinguishes between fraud and scams. Although both are types of cybercrime designed to part you from your dollars, fraud is characterized by an unauthorized user getting control of your account and conducting activity (like buying stuff) without your permission or knowledge. Scams take place when criminals trick people into paying them under false pretenses (say, by impersonating a friend claiming an emergency and in need of money immediately).
So-called social engineering scams, in which a fraudster tricks the victim into sending them money, now represent 23% of all digital banking fraud. This category of digital crime includes phishing, vishing (using voice messages rather than email to lure victims) and smishing (using SMS or text messages for the same goals).
Banking institutions have strengthened their cybersecurity infrastructures to such an extent that crooks now find it easier to manipulate a person than a chunk of computer code, BioCatch's director of global fraud intelligence, Tom Peacock, told CNBC.
“Fraudsters have realized that the humans are the weakest link,” he said.
The report says that impersonation scams and purchase scams are two particularly common ways to hoodwink victims. It says peer-to-peer network Zelle, whose corporate parent is owned by a consortium of big banks, is popular with crooks. (FTC data shows that PayPal and Cash App are two other popular targets for scammers, so it pays to be vigilant regardless of which service you use.)
Despite banks' investments in technology to thwart bad actors, some regulators think they could be doing more to protect their customers from scammers. The Consumer Financial Protection Bureau (CFPB) is looking at how well banking giants JPMorgan Chase, Bank of America and Wells Fargo protect customers who use Zelle. A Senate report from July found that, while customers of these banks lost a combined $166 million to scammers over Zelle last year, the banks reimbursed just $64 million of the fraudulent transactions. That's 38% of their losses.
How to protect yourself now
While lawmakers consider requirements for banks to improve customer protections, there are ways you can help keep yourself safe from digital criminals in the meantime.
The Cybersecurity and Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security, recommends that people engage in due diligence before responding to unusual or unsolicited emails. You should also...
- Verify that the sender's address is legit. Phishers often use similar but slightly different email addresses to official ones. Small differences in spelling or company names with letters omitted might, at first glance, appear to come from genuine business accounts.
- Avoid clicking on suspicious links. If you hover over a URL in the body of an email and notice that the address that appears doesn't match what's printed in the body of the email, clicking could take you to a false company website where you're tricked into giving up personal information.
- Be skeptical of messages with generic greetings and signatures, or with poor grammar and spelling.
- Not download attachments sent in unsolicited messages. The agency says cybercriminals often use attachments to plant malware on victims' computers.
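The first two checks in the list above (a sender address that is almost, but not quite, the genuine one, and link text that names one site while the link itself points to another) can also be run automatically. The following Python is an added example, not code from the article, BioCatch or the agency; `KNOWN_DOMAINS`, the 0.85 similarity threshold and the sample message are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

KNOWN_DOMAINS = {"examplebank.com"}  # assumption: domains you really deal with
# Constructed sample, not a real message; the .example host is a placeholder.
SAMPLE_FROM = '"Example Bank" <alerts@examp1ebank.com>'
SAMPLE_HTML = '<a href="https://account-check.example/">https://www.examplebank.com/</a>'

def host_of(text):
    """Hostname if text looks like a URL or bare domain, else None."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    url = urlsplit(text if "://" in text else "//" + text)
    return (url.hostname or "").removeprefix("www.") or None

class LinkCollector(HTMLParser):  # gathers [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def lookalike(domain):
    """Known domain that this one resembles without matching, or None."""
    near = (k for k in KNOWN_DOMAINS if domain != k and not domain.endswith("." + k)
            and SequenceMatcher(None, domain, k).ratio() >= 0.85)
    return next(near, None)

def audit(from_header, html):  # returns a list of findings for one message
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    twin = lookalike(sender)
    findings = [f"sender {sender} resembles {twin}"] if twin else []
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append(f"link shows {shown} but goes to {actual}")
    return findings
```

Links whose visible text is ordinary wording rather than an address are skipped, so a clean result from these two checks does not by itself mean a message is genuine.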
The agency also suggests that any request for money or financial information be verified with the purported sender using a different means of communication; say, looking up a company's billing department phone number on the internet rather than calling the number provided in an email.
One final word of warning: Don’t trust your phone to keep you safe.
BioCatch found that almost a quarter of unauthorized-use fraud in North America is carried out on “trusted” devices, meaning devices that you use frequently (you'll typically be asked to check a box saying "remember me on this computer" or similar language to verify the device's status). When it comes to scams, the figure is markedly higher, with nearly three-quarters being perpetrated on trusted devices.