Bank phishing based on real bank's fraud prevention approaches

I thought I would share this just for the record. It relates to a really professional phishing approach that I encountered yesterday using social engineering around the bank's own fraud prevention systems.

The attack is based just on knowing someone's phone number and their date of birth - the bank could just be a guess, but the scammers mimic the bank's actual procedures very well.

In summary, the scammers send a text that looks identical to a bank's normal fraud prevention SMS alert. This is followed shortly after by an SMS that appears to come from the bank's genuine fraud prevention system identifying the fake, fraudulent transaction. This is then followed up about 15 minutes later by an automated phone call mimicking the bank's actual fraud prevention phone contact, before finally routing the target person through to a human operator in the scammer's network.

There were a few things that made this stand out for me but I'm a paranoid IT specialist with some experience on security matters, and this phishing attempt was impressively compelling. I've put the details below but I'd just reiterate - any incoming phone call about finance that you did not initiate is NOT trustworthy. End of story. It doesn't matter whether something else indicates the call was expected or planned for. Do not volunteer ANY information no matter how appropriate it feels.

Here's why the whole thing looked so convincing. In my case, the identified bank was Barclays but that could have been for any bank and Barclays could just have been a good guess by the phishing group.

  1. The SMS text sequence is very similar to the actual Barclays Bank texts and other bank fraud notification texts - mine appeared to be from 'BARCLAYS' but this would work for any bank I think.
  2. The first text sets expectation that the second will come from a specific number 60291 - yes, this number is Barclays source for transaction fraud notifications - as well as warning about scams and phishing
  3. The second text appears to come from 60291, so seems a valid source if you look it up - it asks whether you recognize a dodgy transaction (mine was '1000.00 GBP, Friends of the Earth, Netherlands')
  4. Whether you respond to this text indicating you thought it was dodgy or not seems irrelevant - I didn't, but 15 minutes later you get a phone call
  5. The phone call mimics the normal bank fraud prevention callouts (mine appeared to be from London)
  6. The phone call is run by a robocaller - polished female English accent familiar on many such systems using good English saying that they have identified fraud on your account exactly as many banks
  7. The robocaller warns about scams and phishing and says it will not request confidential information but it needs to confirm your identity by asking you to confirm your date of birth - same as many such systems, it then reads out three month/year combinations and asks you to select the one that applies. Yes, option number one was my actual month/year of birth - they have that information along with my phone number!
  8. The robocaller then reads the same content as was in the second text i.e. the fraudulent transaction information - the two match exactly.
  9. Whether or not the response here makes any difference, next you get routed through to a human operator
  10. The operator may or may not be aware of how you got there and they may not even know which bank your phishing messages referenced. Regardless they will advise that they need to take you through security.
  11. At this point I probed for info from the operator but got nowhere and hung up.
Some noteworthy points:
  1. The texts are completely in line with Barclays guidance at https://www.barclays.co.uk/help/security-fraud/confirm-transaction-text/
  2. The texts are extremely polished English with no grammatical errors
  3. The texts and the robocaller warn about avoiding scams - they are on your side!
  4. 60291 is a genuine short code associated with Barclays - if you search it looks legit e.g. https://www.three.co.uk/content/dam/threedigital/terms-and-conditions/shortcodes/short-codes-feb-2024.pdf
  5. The second text doesn't actually come from '60291' but from '60<space>291'. The Apple iPhone and I guess Android, standardize the number display so the space is missing when looking just at the text. Unless you drill into the contact details you will never see the space in the name.
  6. The robocaller is amazingly good - you will not be able to 'hear' that it is a scammer system, and the script is extremely polished
  7. Repeating the same transaction warning you've already seen in the second text is a nice touch
  8. Embedding a tiny bit of personal information in the robocaller so you feel comfortable - my month/year of birth for example.
There were one or two tells in the texts (not much use of the definite article for example) and in the conversation especially with the human operator, but those can and probably will be cleaned up. When those small gaps disappear, fall back on the only safe approach.

These phishing teams are very good at what they do, and it will only get better.

Do not respond to any unsolicited text or phone call no matter how convincing or certain you may be about where an external contact is coming from. Hang everything up and then contact your bank through their published legitimate means (not through a link or number provided for reference). I spoke to Barclays to double check the fraud was no deeper than phishing, and to advise them of a great phishing attempt. Your bank will be able to confirm if there are any fraud flags, whether any contact attempts were made.
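The '60 291' versus '60291' trick described in point 5 above can be checked mechanically rather than by eye. The following is an added example, not code from the original post: it folds a raw SMS sender ID the way a handset's display effectively does (Unicode compatibility forms, spaces, zero-width characters) and reports whether the raw ID only matches a published short code after that folding. The KNOWN_CODES set and the sample inbox are constructed for the example; 60291 is the code the post names. It generalises beyond the space case to fullwidth digits and invisible characters.

```python
import unicodedata

# Short codes the bank publishes as its genuine fraud-alert senders.
# Constructed list for this example; 60291 is the code mentioned in the post.
# A match is a necessary check, not proof of origin: treat it as "format OK".
KNOWN_CODES = {"60291"}


def canonical_sender(sender: str) -> str:
    """Fold a raw sender ID into what a phone's contact view would show.

    NFKC folds fullwidth/compatibility digits to ASCII; then whitespace and
    Unicode format characters (category Cf, e.g. zero-width space) are dropped.
    """
    folded = unicodedata.normalize("NFKC", sender)
    return "".join(
        ch for ch in folded
        if not ch.isspace() and unicodedata.category(ch) != "Cf"
    ).upper()


def classify_sender(sender: str) -> str:
    """'matches_code' only when the raw ID equals a known short code exactly,
    'lookalike' when it equals one only after display-style folding,
    'unknown' otherwise."""
    if sender in KNOWN_CODES:
        return "matches_code"
    if canonical_sender(sender) in KNOWN_CODES:
        return "lookalike"
    return "unknown"


def triage(inbox):
    """Label each (sender, body) pair; bodies are kept for the analyst's view."""
    return [(sender, classify_sender(sender), body) for sender, body in inbox]


# Constructed sample messages modelled on the sequence described in the post.
SAMPLE_INBOX = [
    ("60291", "Did you make this transaction? Reply Y or N."),
    ("60 291", "Do you recognise 1000.00 GBP Friends of the Earth, Netherlands?"),
    ("\uff16\uff10\uff12\uff19\uff11", "Confirm this payment: reply Y or N."),
    ("6O291", "Your account has been flagged."),
]

if __name__ == "__main__":
    for sender, label, _ in triage(SAMPLE_INBOX):
        print(f"{sender!r:>12} -> {label}")
```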

Comments

  • We were caught out yesterday through a Barclays bank fraudulent encounter. These people opened two loans on our account totalling £96000 and then proceeded to withdraw that money and some of our own funds. We have lost £30000 and they have taken most of these "loans" out as well. I realised something was wrong, and contacted Barclays straight away but it was too late. Barclays did shut down the accounts, Barclays and Action Fraud are now aware but we feel very upset and violated - they were so convincing. It looks as if they accessed our accounts through an old iPhone that we had wiped and returned 3 months ago. Obviously wiping the phones is not definitive and so they were able to see all our accounts and our details. Barclays can't even reassure us we will get our money back, they said we may end up having to pay the loans back too. It is extremely stressful and we feel so stupid, but they were so convincing. Any advice would be very much appreciated.
  • wmb194
    eeg1 said:
    We were caught out yesterday through a Barclays bank fraudulent encounter. 

    These people opened two loans on our account totalling £96000 and then proceeded to withdraw that money and some of our own funds. We have lost £30000 and they have taken most of these "loans" out as well. I realised something was wrong, and contacted Barclays straight away but it was too late. 

    Barclays did shut down the accounts, Barclays and Action Fraud are now aware but we feel very upset and violated - they were so convincing. 

    It looks as if they accessed our accounts through an old iPhone that we had wiped and returned 3 months ago. Obviously wiping the phones is not definitive and so they were able to see all our accounts and our details. 
    Barclays can't even reassure us we will get our money back, they said we may end up having to pay the loans back too. It is extremely stressful and we feel so stupid, but they were so convincing. Any advice would be very much appreciated.
    How were they so convincing? They contacted you? How did they access your account on the old phone? Did you provide the access PIN? It feels like you've skipped half the story.
  • danco
    When you get any such message, it's best to phone your bank's fraud department.

    But there's a catch.

    If you just do that immediately, apparently there is a way in which the fraudsters can stay connected so that the call you think is going to the fraud department is still going to them.

    Best way, if you can (if you have a partner, or both a landline and a mobile, say) is to phone your bank's fraud department from a different phone
  • Eco_Miser
    danco said:

    Best way, if you can (if you have a partner, or both a landline and a mobile, say) is to phone your bank's fraud department from a different phone
    And if you can't use a different phone, ring a friend, so the scammer can't effectively impersonate them, and say something like "I've just received a weird phone call, and I'm making sure my line is clear." Then wait a while and ring your bank's fraud department.

    Eco Miser
    Saving money for well over half a century
  • M25
    I ALWAYS assume any banking communication is a scam. It's the only way to be.

    You can log into your account and check or phone your bank to look for potential fraud.

    If it really is fraud your bank will soon freeze your account and you'll notice quickly.

    Having a backup current account/card is also sensible.
  • born_again
    danco said:
    When you get any such message, it's best to phone your bank's fraud department.

    But there's a catch.

    If you just do that immediately, apparently there is a way in which the fraudsters can stay connected so that the call you think is going to the fraud department is still going to them.

    Best way, if you can (if you have a partner, or both a landline and a mobile, say) is to phone your bank's fraud department from a different phone

    Does not work on mobiles, can only work on landlines.
    Life in the slow lane
  • born_again
    eeg1 said:
    We were caught out yesterday through a Barclays bank fraudulent encounter. These people opened two loans on our account totalling £96000 and then proceeded to withdraw that money and some of our own funds. We have lost £30000 and they have taken most of these "loans" out as well. I realised something was wrong, and contacted Barclays straight away but it was too late. Barclays did shut down the accounts, Barclays and Action Fraud are now aware but we feel very upset and violated - they were so convincing. It looks as if they accessed our accounts through an old iPhone that we had wiped and returned 3 months ago. Obviously wiping the phones is not definitive and so they were able to see all our accounts and our details. Barclays can't even reassure us we will get our money back, they said we may end up having to pay the loans back too. It is extremely stressful and we feel so stupid, but they were so convincing. Any advice would be very much appreciated.
    How would they see your logon details? Unless they were stored on phone in a separate file.
    No biometrics set up to access account?
    Life in the slow lane
  • Barkin
    danco said:
    When you get any such message, it's best to phone your bank's fraud department.

    But there's a catch.

    If you just do that immediately, apparently there is a way in which the fraudsters can stay connected so that the call you think is going to the fraud department is still going to them.

    Best way, if you can (if you have a partner, or both a landline and a mobile, say) is to phone your bank's fraud department from a different phone

    Does not work on mobiles, can only work on landlines.
    Simple solution, on BT lines at least, is to hang up and wait a couple of minutes. 

    https://www.ispreview.co.uk/index.php/2015/11/bt-tweaks-uk-phone-call-clearing-procedure-again-to-stop-fraudster.html

  • LightFlare
    edited 14 September 2024 at 8:47AM
    NEVER trust the number shown on caller display.

    It is exceedingly easy to spoof the display to show any number you want.

    Always get the genuine number off the back of a card or paper statement (if you have one)

    Always phone from a different phone/line than the incoming call

    These scams work so well as they use “shock and awe” to make victims think there is a sense of urgency. I always advise people to wait and think for 24hrs before responding to anything like this that is out of the blue.

    It’s amazing how many times after a bit of time and thought that the realisation of “how did they actually get my number” dawns. For example - I never give my mobile number to banks or retailers etc and only use for friends and families