Affiliate Disclosure: By buying the products we recommend, you help keep the lights on at MakeUseOf. Read more.
If there’s one account you don’t want hacked, it’s your bank account. But you shouldn’t worry so much about hacks, because scams are the bigger threat.
In general, while far from perfect, banks are pretty good about security. Hacks and breaches are fairly rare in the grand scheme of things. When a bank account is drained, it’s often because the owner was careless and unwittingly gave away access (e.g. compromised ATM skimmers and wire transfer con scams).
Two-factor authentication (2FA) is supposed to protect your bank account, but scammers have found a way around it—by tricking you with a new phishing tactic. In this article, we explain how the scam works and how you can evade it.
How 2FA Protects Your Bank Account
Before we explain how the scam works, it’s important to understand how most bank 2FA protocols work.
2FA is simple: in order to access your account, you start by entering your password, which is your first factor, and then you confirm that your identity using a second factor, such as a security question or a verification code sent in a text message. Learn more about the pros and cons of different 2FA methods.
Text messages are the most common form of 2FA used today. The idea is that you can only log in to your bank account if you have the account password AND the phone with the right SIM to which the text message is sent.
2FA also comes into play when you want to change account details and settings, usually requiring you to log out and log back in after making a major change. Generally speaking, 2FA is awesome—it’s a lot harder to intercept SMS text codes than it is to brute force a weak password, so 2FA keeps you safer most of the time.
Despite the risks involved in using 2FA, it’s always better than not using it at all.
How the 2FA Bank Phishing Scam Works
It starts with a phone call. You may or may not recognize the number, but it doesn’t matter because phone numbers can be spoofed (which happens often with robocalls).
When you pick up, the caller will say they’re from your bank, they’ve noticed a fraudulent charge on your account, and they want to help resolve the issue but first need to confirm your identity.
To do this, they’ll offer to send a confirmation code by text message and ask you to read the code back to them over the phone. They may do this two or three times, stating that the first one didn’t go through for some reason.
At this point, you might be suspicious, but because the call started with a suggestion of fraudulent charges on your account, you’ll feel compelled to stay on the line. After all, the fraudulent charges could be real, and if they are, better to take care of them ASAP.
The scammer reads off a handful of your most recent bank charges, then ends with a final non-existent charge.
You don’t recognize it, so you think it must be fraudulent. You let the scammer know. They reassure you that it’s okay, promise to reverse the charge, then send over one last confirmation code by text message. You read it back. That’s it, done!
Except the next time you log in to your bank account, you see that thousands have been drained from your account and now you need to contact fraud services.
Here’s What Actually Happened
Every time you received a confirmation code, it was actually the scammer trying to access your bank account. When you read the code back to them, they typed it in and successfully bypassed your account’s 2FA security.
Once in, they can do things like change your username, change your password, change your phone number for 2FA, or even send money from your account to their account.
In order to pull this off, the scammer needs to know quite a bit:
- Your username
- Your password
- Your phone number
- Your recent charges
Unfortunately, these details aren’t difficult to obtain.
Most people use the exact same usernames and passwords for all of their web accounts, so if one account gets breached, every other account becomes vulnerable. This is why we recommend using unique passwords.
Gaining access to one of your accounts can also give the scammer more information to play with. For example, if they manage to log in to your Amazon account, they might look at your saved credit cards and see the last four digits of each.
If you aren’t sure if your account details have ever been breached or leaked, head over to HaveIBeenPwned? and check right away. This is the only account checker you should use—it’s safe, reliable, and trusted.
Phone numbers are easy to dig up online. This is why you should never share your personal details online, especially in social media profiles.
As for your recent charges? The scammer could’ve gotten his hands on a bank statement that you didn’t think twice about tossing in the trash. You may not think it’s necessary, but home paper shredders are crucial for fringe cases like this.
What should you do to avoid this scam?
If anyone ever calls YOU and then asks you to confirm your identify over the phone, politely say you aren’t comfortable doing that on an incoming call. Hang up and call them back using their official customer service line, which you can find online.
Staying Safe in the Face of Scams
This 2FA phishing scam isn’t the only one you need to be wary of.
Clever criminals will always be coming up with new ways to con innocent people out of their hard-earned money. Stay on top by reading our articles on the newest internet scams to avoid, not getting tricked by phone scams, and identifying fake IRS scams.