Dr. Security gives tips and answers questions related to cyber security. This time it’s about social engineering attacks and “fake support” calls, which are becoming increasingly common among bank customers.
Dear Dr. Security,
Something strange happened to my sister a few days ago. She received a call from a support employee of a bank. Apparently there was an issue on my sister’s computer, probably related to a virus. According to my sister, the caller was very concerned and extremely friendly and could solve the problem within minutes. I am a bit worried about the damage that the virus has done. Do you have any idea of the magnitude? Are also people affected by the virus that are connected with my sister through her contacts? How can we avoid such issues in the future?
I have some good news and some bad news for your sister. On a positive note, your sister was probably not affected by any virus. Unfortunately, with high likelihood, she has fallen for a “fake support” attack. The situation you describe, in which bank customers are directly contacted by support employees, are more and more frequent in Switzerland but also elsewhere in the world. Support staff of banks should never call you in such a way. These are a form of so-called “social engineering attacks”, or “fake support” attacks, in which fraudsters pretend to be support staff of your house bank or of large technology companies. They are extremely clever, well trained, and typically speak the local language. As you describe, they act in a very friendly and customer-oriented manner, up to the point that some users end up trusting them more than real bank support employees!
In most cases, these calls proceed as follows:
- The attacker, calling themselves “bank support personnel” calls your mobile phone and raises concern that with a high chance your computer is affected by a virus that can also get access to your bank account. You are asked to install a program on the PC, such that the support agent is in a better position to assist you “cleaning” the device. Through the installation of the program (such as TeamViewer, or AnyDesk), the support agent can remotely observe everything that is happening on your computer and they can even take over control.
- You are then asked to log in to your e-banking portal. The caller then pretends to run various system checks in the background, which (surprise, surprise) are successful and detects that you have a “virus”. The whole process only takes a few minutes.
- In order to “successfully conclude the case”, a short test must be carried out to see whether payments can be processed again without any problems. To do this, you are requested to release a payment of a symbolic amount to a specific “test” account. You also have to confirm the transaction through the regular security step that your bank asks you to perform.
- This “test” is also successful and you will be finally allowed to return to your private activities or enjoy a coffee while the caller is still taking a “final test”. But what happens has little to do with solving the problem (which did not exist in the first place) but is actually malicious fraud. The hacker now executes a number of transactions with large amounts to the same account number that has been whitelisted (in the bank fraud detection module) with the first “test transaction” that you previously approved. This results in tens of thousands of Swiss francs sent from your account to that of the fraudster. The bank customer, if at all, will only notice this the next time they use their e-banking or when looking at their next bank statement.
But the next big surprise is yet to come. In most cases, the bank is not liable for such fraud, as the client is at fault “falling” for such fraudsters.
What I would suggest your sister do is the following:
- Immediately report to the bank that she was contacted by a support personnel and describe exactly what they asked her to do
- Check in the e-banking if she notices any suspicious transaction in the last few days
- Contact the police and press charges against unknown
- Change the access data to the e-banking (such as the password or PIN)
For future cases, never trust such calls, no matter how friendly they appear: the bank will never call you in such cases. Also, never install any programs on your PC, when asked to by someone on the phone, or via email.
More broadly, the issue of help-desk authentication is two-fold: when calling the support desk, they want to authenticate you (that is why they ask you questions such as your birthday, or the last transaction, or the account balance); but there should also be a way for you to authenticate the support desk personnel. If your bank is working with Futurae to authenticate your logins (to e-banking and mobile banking) and transactions, then you should soon be able to achieve that. By sending you a push notification to your secure application through the Futurae service, the bank can easily verify that you are authorized to talk to them, and implicitly you know that you are talking to a real support employee from the bank: only they have the power of sending you authenticated push notifications!
We have two recommendations for the concerned banks: the Futurae Authentication Suite can be used to achieve mutual authentication between helpdesk and clients, and also includes a fraud detection module which helps in detecting abnormal user behaviours induced by the installation of remote support software. For more information, follow this link, and don’t hesitate to get in touch with us.
And finally, a reading tip: together with the Public Prosecutor, Daniele Galliano, I recently wrote an article on “Le phénomène des money mules en Suisse” in the largest Swiss legal magazine “Aktuelle Juristische Praxis” (AJP/PJA). Anyone interested to have a look at the legal implications of money mules and fraudulent transactions can read it!
Best, your Doc
I am happy to answer your questions, so do not hesitate to write to the Doctor at: email@example.com.