Do not take any of these calls.
Anadolu Agency via Getty Images
Updated on Nov. 29 with new warnings about the surge in dangerous calls being made to citizens and additional advice on what to look out for.
You have been warned. The FBI has just issued a stark new warning as cyber criminals gain access to customer bank accounts, The bureau says these attackers have already stolen $262 million this year, with the threat likely to get worse over the holidays.
Some of these attacks come at you by text or email, tricking you into sharing one-time passcodes or even your actual password. “The cyber criminal then uses login credentials to log into the legitimate financial institution website and initiate a password reset, ultimately gaining full control of the accounts.”
But the new advisory flags phone calls as the most serious risk. “Be suspicious of unknown ‘banking’ or ‘company’ employees who call you,” the FBI warns. “Don’t trust caller ID. Hang up, verify the correct number, and call it yourself. Companies generally do not contact you to ask for your username, password, or OTP.”
There are a range of other ways in which one of these attacks may target you — including manipulating search engine results to have a fake login page appear ahead of real pages in the results. That way, even if you hang up a call and search for a legitimate website, you could be fooled into accessing the wrong one.
The lures being users for attacks can vary, but they’re likely to include a sense of urgency to force you into acting before you have time to think. Fraudulent transactions, hijacked accounts or stolen passwords are always good entry points for an attack.
“Once the impersonators have access and control of the accounts,” the bureau says, “the cyber criminals quickly wire funds to other criminal-controlled accounts, many of which are linked to cryptocurrency wallets.” An attacker might also “change the online account password, locking the owner out of their own financial account(s).”
If you have fallen victim to any such attack, or if you have shared information or logged into an account using a website you now think may have been fake, contact your bank and explain the situation. And change your online passwords.
“Contact your financial institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity,” the FBI says.
“Requesting a recall and obtaining a Hold Harmless Letter/indemnification documents as quickly as possible may reduce or eliminate your financial losses.” Citizens are also urged to “immediately report fraudulent wire transfers to both to your financial institution and to the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov.”
Whilst this FBI warning focuses on financial institutions, we’re also seeing new attacks pretending to be technical support — impersonating Apple or Google or others. The same rules apply. Do not engage. Hang up. Contact the company using their usual means, or ideally log into your account via an app and check for any messages.
In response to the FBI’s account takeover warning, Bitdefender has published findings from surveying users in multiple countries, including the U.S. “1 in 7 consumers (~14 %) reported falling victim to a scam in the past year,” it says. “The most common scams encountered are delivery, shipping and mail fraud (21%) followed by credential phishing and account takeover (19%) – the type the FBI highlights.”
Bitdefender says that while “social media has overtaken email as the primary vector,” it has found that “25% of scams now happen over the phone.”
While the FBI’s latest alert focuses on cyber criminals mimicking financial organizations to trick their customers into giving away account details, there’s another dangerous impersonation scam the bureau has flagged that’s now surging again.
Several local police forces in the U.S. are again warning (1,2,3) that citizens are being called by individuals pretending to be officers. Many of these calls even spoof real police numbers to make the lures even more convincing. These scams are not confined to state and local police. Federal agencies — including the FBI — have also been spoofed.
The FTC explains “the call comes from someone claiming they’re a sheriff or deputy at your local police department.” They say “you’ll be arrested unless you pay a fine. To avoid being arrested, they might tell you to send cash, deposit money at a Bitcoin ATM, buy gift cards and give them the numbers, or send money.”
“There are many versions of the impersonation scam,” the FBI says, and they all exploit intimidation tactics. Typically, scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring.”
The FTC advice on this is clear — again, do not take the calls, hang up, call back using a publicly available number that’s verifiable.
“Even if the caller uses the name of a real officer, has a real number show up on caller ID, or has information about you (like your address), that’s not a real officer calling. It’s a scammer trying to steal your money. Here’s what to know:
- Real law enforcement officers won’t call to say you’re going to be arrested (or threaten to arrest you if you hang up).
- Real law enforcement officers won’t call to insist that you pay fines by cash, gift card, cryptocurrency, payment app, or a wire transfer service — and never as a way to buy your way out of a ‘crime’.”
