Bank scammers using genuine push notifications to trick their victims

https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/

You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department.

"Yeah, right!" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh.

"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call."

Your phone buzzes. You tap the notification and this pops up on screen:

`In app popup. "Are you on the phone with Chase? We need to check it's you on the phone to us. Let us know it's you and enter your passcode on the next screen. @ Not you? Your details are safe. Just tap 'No, it's not me' and we'll end the call."`

This is obviously a genuine caller! This is a genuine pop-up, from the genuine app, which is protected by your genuine fingerprint. You tap the "Yes" button.

Why wouldn't you? The caller knows your name and bank and they have sent you an in-app notification. Surely that can only be done by the bank. Right?

Right!

This is a genuine notification. It was sent by the bank.

You proceed to do as the fraud department asks. You give them more details. You move your money into a safe account. You're told you'll hear from them in the morning.

Congratulations. You just got played. Scammers have stolen your life savings.

How the scam works

This is reasonably sophisticated, and it is easy to see why people fall for it.

  1. The scammer calls you up. They keep you on the phone while...
  2. The scammer's accomplice calls your bank. They pretend to be you. So...
  3. The bank sends you an in-app alert.
  4. You confirm the alert.
  5. The scammer on the phone to your bank now has control of your account.

Look closer at what that pop is actually asking you to confirm.

We need to check it is you on the phone to us.

It isn't saying "This is us calling you - it is quite the opposite!

This pop-up is a security disaster. It should say something like:

Did you call us? If someone has called you claiming to be from us hang up now [Yes, I am calling Chase] - [No, someone called me]

I dare say most people would fall for this. Oh, not you! You're far too clever and sceptical. You'd hang up and call the number on your card. You'd spend a terrifying 30 minute wait on hold to the fraud department, while hoping fraudsters haven't already drained your account.

But even if you were constantly packet sniffing the Internet connection on your phone, you'd see that this was a genuine pop-up from your genuine app. Would that bypass your defences? I reckon so.

Criminals are getting increasingly good at this. Banks are letting down customers by having vaguely worded security pop-up which they know their customers don't read properly.

And, yes, customers can sometimes be a little gullible. But it is hard to be constantly on the defensive.

Further reading

You can read the original story from the victim on Reddit. See more comments on Mastodon.

{
"by": "edent",
"descendants": 11,
"id": 40246477,
"kids": [
40247561,
40247549,
40248052,
40248132,
40248637
],
"score": 40,
"time": 1714736180,
"title": "Bank scammers using genuine push notifications to trick their victims",
"type": "story",
"url": "https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/"
}
{
"author": "edent",
"date": "2024-05-02T19:35:42.000Z",
"description": "You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they’re calling from your bank’s fraud department. “Yeah, right!” You think. Obvious scam, isn’t it? You tell the caller to do unmentionable things to a goat. They sigh. “I can assure you I’m calling from Chase bank. I understand you’re sceptical. I’ll send a push notification through the app so you can see this is a genuine call.” Your phone buzzes.…",
"image": "https://shkspr.mobi/blog/wp-content/uploads/2024/05/chase-fs8.png",
"logo": "https://logo.clearbit.com/shkspr.mobi",
"publisher": "Shkspr",
"title": "Bank scammers using genuine push notifications to trick their victims",
"url": "https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/"
}
{
"url": "https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/",
"title": "Bank scammers using genuine push notifications to trick their victims",
"description": "You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. \"Yeah, right!\" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh. \"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call.\" Your phone buzzes.…",
"links": [
"https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/",
"https://shkspr.mobi/blog/?p=50470"
],
"image": "https://shkspr.mobi/blog/wp-content/uploads/2024/05/chase-fs8.png",
"content": "<div>\n\t\t\t\t<p>You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department.</p>\n\t\t\t\t<p>\"Yeah, right!\" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh.</p>\n\t\t\t\t<p>\"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call.\"</p>\n\t\t\t\t<p>Your phone buzzes. You tap the notification and this pops up on screen:</p><p><img alt=\"`In app popup. &quot;Are you on the phone with Chase? We need to check it's you on the phone to us. Let us know it's you and enter your passcode on the next screen. @ Not you? Your details are safe. Just tap 'No, it's not me' and we'll end the call.&quot;`\" src=\"https://shkspr.mobi/blog/wp-content/uploads/2024/05/chase-fs8.png\" /></p><p>This is <em>obviously</em> a genuine caller! This is a genuine pop-up, from the genuine app, which is protected by your genuine fingerprint. You tap the \"Yes\" button.</p>\n\t\t\t\t<p>Why wouldn't you? The caller knows your name and bank <em>and</em> they have sent you an in-app notification. Surely that can only be done by the bank. Right?</p>\n\t\t\t\t<p>Right!</p>\n\t\t\t\t<p>This is a genuine notification. It <em>was</em> sent by the bank.</p>\n\t\t\t\t<p>You proceed to do as the fraud department asks. You give them more details. You move your money into a safe account. You're told you'll hear from them in the morning.</p>\n\t\t\t\t<p>Congratulations. You just got played. <a target=\"_blank\" href=\"https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/\">Scammers have stolen your life savings</a>.</p>\n\t\t\t\t<h2 id=\"how-the-scam-works\"><a target=\"_blank\" href=\"https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/#how-the-scam-works\">How the scam works</a></h2>\n\t\t\t\t<p>This is reasonably sophisticated, and it is easy to see why people fall for it.</p>\n\t\t\t\t<ol>\n\t\t\t\t\t<li>The scammer calls you up. They keep you on the phone while...</li>\n\t\t\t\t\t<li>The scammer's accomplice calls your bank. They pretend to be you. So...</li>\n\t\t\t\t\t<li>The bank sends you an in-app alert.</li>\n\t\t\t\t\t<li>You confirm the alert.</li>\n\t\t\t\t\t<li>The scammer on the phone to your bank now has control of your account.</li>\n\t\t\t\t</ol>\n\t\t\t\t<p>Look closer at what that pop is <em>actually</em> asking you to confirm.</p>\n\t\t\t\t<blockquote>\n\t\t\t\t\t<p>We need to check it is <em>you</em> on the phone to <em>us</em>.</p>\n\t\t\t\t</blockquote>\n\t\t\t\t<p>It isn't saying \"This is <em>us</em> calling <em>you</em> - it is quite the opposite!</p>\n\t\t\t\t<p>This pop-up is a security disaster. It should say something like:</p>\n\t\t\t\t<blockquote>\n\t\t\t\t\t<p>Did you call us? If someone has called you claiming to be from us <strong>hang up now</strong> [Yes, I am calling Chase] - [No, someone called me]</p>\n\t\t\t\t</blockquote>\n\t\t\t\t<p>I dare say most people would fall for this. Oh, not you! You're <em>far</em> too clever and sceptical. You'd hang up and call the number on your card. You'd spend a terrifying 30 minute wait on hold to the fraud department, while hoping fraudsters haven't already drained your account.</p>\n\t\t\t\t<p>But even if you were constantly packet sniffing the Internet connection on your phone, you'd see that this was a genuine pop-up from your genuine app. Would that bypass your defences? I reckon so.</p>\n\t\t\t\t<p>Criminals are getting increasingly good at this. Banks are letting down customers by having vaguely worded security pop-up which they know their customers don't read properly.</p>\n\t\t\t\t<p>And, yes, customers can sometimes be a little gullible. But it is hard to be constantly on the defensive.</p>\n\t\t\t\t<h2 id=\"further-reading\"><a target=\"_blank\" href=\"https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/#further-reading\">Further reading</a></h2>\n\t\t\t\t<p>You can <a target=\"_blank\" href=\"https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/\">read the original story from the victim</a> on Reddit. See more <a target=\"_blank\" href=\"https://mastodon.social/@Edent/112372412442888807\">comments on Mastodon</a>.</p>\n\t\t\t</div>",
"author": "https://orcid.org/0000-0002-9265-9069",
"favicon": "https://shkspr.mobi/blog/wp-content/uploads/2023/07/cropped-avatar-192x192.jpeg",
"source": "shkspr.mobi",
"published": "2024-05-02T20:35:42+01:00",
"ttr": 100,
"type": "article"
}