Working as a fraud fighter on the front lines every day, there is not a scam or threat I have not seen. What I do for work makes me skeptical of every text message, phone call or email I receive – much more than your average consumer. So, imagine when I received a call from my bank that seemed so authentic that, for a moment, I did not doubt its legitimacy. That's exactly what happened to me recently when I was contacted by someone impersonating my bank. But I was curious and wanted to explore the fraudster’s methods directly. Instead of hanging up the phone, I played along.  

In the first few moments of interaction, several things happened that genuinely made me believe it was a legitimate call. First, the number that appeared on my caller ID was a legitimate phone number for the bank. I even double-checked the details on the bank’s website as I waited on hold. While phone spoofing is hardly new, it is not very common in Brazil to see this from large corporations.

Second, I was put on hold and kept waiting for a long time. When I answered, the recording informed me of the details of a specific purchase and asked me to press (1) if I recognized the transaction or press (2) if I did not recognize it. Okay, nothing new here, but what caught my attention was that after pressing 2, I was left on hold for over five minutes. This is very different from most scams where an “agent” will come on the phone within seconds.

Finally, when the “agent” got on the phone, she informed me that for security reasons, I didn't need to provide any personal information. At this point, she confirmed my full name and other sensitive details. After confirming the data, she informed me again about the suspicious transaction and assured me everything would be automatically refunded to the account, and she would proceed with cancelling the device that attempted the transaction.

The script was flawless. To maintain trust (and the call), she told me that while I confirmed the information, a PDF report was being generated for me to use legally in case of any financial loss. Additionally, she informed me that if the call failed, I could simply call the official number on the bank's website!

While the fraud fighter in me wanted to believe this was a scam, all the evidence was pointing to this being a legitimate call. I was waiting for the trick – and then it happened. The call suddenly dropped.

Before even thinking about returning the call, I received a WhatsApp call with the bank's logo but from an unusual private number. This is where I discovered the weakness in the process. But curiosity got the best of me, and I was intrigued to learn more about their techniques, so I answered the call.

The “agent” apologized and said that the process would continue via WhatsApp to facilitate communication. Again, she told me that the report was almost finished, only one step remained: eliminating the suspicious device. BINGO!

But how? No surprise to me at all, the “agent” requested I use the screen share feature on WhatsApp (honestly, I was expecting a request to download a screen sharing app). I shared my screen with great reluctance, but I just had to know their script. After making me go through several pages and trying to confuse me, I ended up on a page that requires a password. It is at this point that they steal your password, and it is at this point that I hung up.

There are several common bank impersonation methods used by fraudsters in Brazil. The one described above (stealing credentials and deleting the genuine device) is a well-known scam. Another common method is designed to phish for PIX transfer codes. In this scam, a fraudster sends a code via SMS which, in theory, is a security code to protect the account but is actually a PIX transfer code. The code contains the string “Credit Protection”, although it is still unknown how they do this.

Although this experience explores a very common type of scam, it sheds light on the unsettling sophistication of the fraud techniques and the in-depth knowledge of bank processes and protocols that fraudsters have acquired. The blend of authentic details, prolonged waiting times, a very clear and professional speech, and the unexpected switch to WhatsApp demonstrated a level of cunning that transcends conventional scamming methods.

In retrospect, I started to think of the ways this scam could be detected with BioCatch technology. There were many indicators that would have raised the risk of this transaction significantly. Some of these risk factors include:

1) Active call. BioCatch data shows that less than one percent of Android users are on an active phone call while simultaneously conducting mobile banking activity. This behavior, however, is seen in over 50% of confirmed fraud cases. 
2) Screen broadcast. No bank will ever ask customers to share their screen, so this has red flags all over it.
3) Remote access tool installed. This script called for using the existing screen sharing capability in WhatsApp, a highly common app already installed on most devices in Brazil. However, in other parts of the world where WhatsApp is not so common, fraudsters will attempt to get victims to download a screen sharing tool, such as TeamViewer, as a way to get them to share their screen. A recently installed remote access tool can contribute to a higher scam risk score. 
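
One way to combine the three indicators above into a session risk score, added here as an illustration (it is not BioCatch's model and not part of the original post). The 50x ratio for an active call follows from the article's figures; the other ratios, the prior fraud rate, the 24-hour install window and all names are assumptions.

```python
from dataclasses import dataclass, field

# Likelihood ratio (LR) = P(signal | fraud) / P(signal | legitimate session).
# active_call uses the article's bounds (over 50% of fraud, under 1% of users),
# so 50 is a floor. The other two LRs are assumed placeholders, not measured.
LIKELIHOOD_RATIOS = {
    "active_call": 0.50 / 0.01,
    "screen_broadcast": 20.0,
    "recent_remote_tool": 10.0,
}
REMOTE_TOOLS = {"teamviewer"}        # tool named in the article
RECENT_INSTALL_SECONDS = 24 * 3600   # assumed meaning of "recently installed"

@dataclass
class Session:
    start: int                                   # banking session start (epoch s)
    end: int
    calls: list = field(default_factory=list)          # [(start, end)] intervals
    screen_shares: list = field(default_factory=list)  # [(start, end)] intervals
    installs: dict = field(default_factory=dict)       # {app name: install time}

def overlaps(intervals, start, end):
    """True if any interval intersects the banking session window."""
    return any(s < end and e > start for s, e in intervals)

def signals(sess):
    recent_tool = any(
        app.lower() in REMOTE_TOOLS
        and t <= sess.end and sess.start - t <= RECENT_INSTALL_SECONDS
        for app, t in sess.installs.items())
    return {
        "active_call": overlaps(sess.calls, sess.start, sess.end),
        "screen_broadcast": overlaps(sess.screen_shares, sess.start, sess.end),
        "recent_remote_tool": recent_tool,
    }

def fraud_probability(sess, prior=0.001):
    """Multiply prior odds by the LR of each signal present (naive Bayes).
    Signals are treated as independent; a call that carries the screen share
    is correlated, so a production model would calibrate on labelled data."""
    odds = prior / (1 - prior)               # prior fraud rate is an assumption
    for name, present in signals(sess).items():
        if present:
            odds *= LIKELIHOOD_RATIOS[name]
    return odds / (1 + odds)

# Constructed sessions: the call-plus-screen-share pattern above, and a quiet login.
SCAM_LIKE = Session(1000, 1300, calls=[(900, 1400)], screen_shares=[(1100, 1300)])
QUIET = Session(5000, 5120, calls=[(4000, 4500)], installs={"TeamViewer": 5000 - 90 * 86400})
```

With these assumed values, an active call alone moves a 0.1% prior to roughly 5%, and a call plus screen broadcast moves it to about 50%.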

As a fraud fighter, if I was fooled, even if only for a moment, it goes to show how believable and professional these schemes have become. This encounter serves as a stark reminder that vigilance and education are our greatest defense. While technological safeguards are crucial, the human element remains equally important.
