I recently received an SMS notification from my bank about possible fraudulent activity on my credit card account. While waiting for an agent to take my call, I browsed Facebook to look for their support page. Unfortunately, I found two pages that looked almost exactly alike. The only differences were the verified badge on the legitimate page and the About info, as shown below.
Figure 1 Legitimate bank page on the left, fraudulent page on the right
Surprisingly, the fraudulent page even has a chatbot to greet clients before starting a conversation, which makes you believe that you are conversing with the bank’s legitimate social media page.
Figure 2 Fraudulent page chat bot
When clicking on either of the two chatbot options, you receive an automatic response, followed by a question from the other side, as shown below:
Figure 3 Fraudulent page chat initiation
After a little back-and-forth about the “fraudulent transaction”, as shown below, the person on the other end eventually asks whether I am enrolled in the bank’s online banking service, which is presumably the main target of this scheme.
There are, however, two directions the conversation can take:
- If you have an online banking account, the fraudster asks for your User ID and the last 4 digits of your account.
- If you don’t have an online banking account, the fraudster asks you to send a picture of your credit card.
At this point, I stopped the conversation, since I hadn’t prepared enough tools to continue the investigation, and opted to report the page/account to Facebook so they could block the account and prevent other people from being scammed.
Best practices and recommendations
It is very convenient for banks to serve clients through social media. However, this convenience also comes with the possibility of people being deceived by threat actors, whose only aim is to steal your hard-earned money.
How to avoid becoming a victim of fraudulent pages
We have come up with the following checklist to help people avoid becoming victims of these schemes.
- Look for the Facebook verification badge on the profile/page, which can also be seen on the message chat head.
Figure 4 Verified Badge on the Profile Name
- You may also check the number of Likes the profile/page has; a low count usually indicates that the page was created recently.
- Do not provide any account information online, especially account numbers and personal information that fraudsters can use to log in to your account. Customer service agents of banks will often make a service call once you make contact through social media channels. Never give your phone number in chats; they should be able to contact you if you provide them with a valid transaction ID.
- Make it a habit to call your bank directly through their customer service hotline; this helps ensure that you are talking to the right person, who can help you with your account concerns.
- Report fraudulent pages to the social media platform’s support page to help prevent other people from falling victim to such schemes.
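The first two checklist items (verification badge and Like count), combined with a name that resembles the legitimate page, are also the heuristics a brand-protection team would apply when triaging reported pages in bulk. The script below is an added example and is not code from the original post: it scores constructed page records against a known legitimate page. The field names, thresholds, and the sample handles (`examplebank`, `examplebankonline`) are assumptions; nothing here calls the Facebook API.

```python
"""Brand-impersonation triage for social media pages.

Added example, not code from the original post. Applies the checklist
heuristics (name resembles the legitimate page, no verified badge, very few
Likes) to constructed page records. Field names, thresholds and sample
handles are assumptions; nothing here talks to Facebook.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlparse
import re


@dataclass(frozen=True)
class PageRecord:
    handle: str          # path segment after facebook.com/
    display_name: str
    verified: bool       # platform verification badge present
    likes: int


def handle_from_url(url: str) -> str:
    """Extract the page handle from a (possibly defanged hxxp/hxxps) page URL."""
    refanged = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    path = urlparse(refanged).path
    return path.strip("/").split("/")[0].lower()


def normalize(text: str) -> str:
    """Lowercase and drop non-alphanumerics so 'Example-Bank_Online' ~ 'examplebankonline'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def name_similarity(a: str, b: str) -> float:
    """Similarity in 0..1 between two names after normalisation."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def lookalike_score(candidate: PageRecord, legit: PageRecord,
                    name_threshold: float = 0.6, low_likes: int = 5000):
    """Return (score 0..100 that `candidate` impersonates `legit`, reasons).

    Only pages whose handle or display name resembles the legitimate page are
    scored; an unrelated small, unverified page gets 0 rather than noise.
    """
    if candidate.verified and candidate.handle == legit.handle:
        return 0, ["matches the known verified page"]
    sim = max(name_similarity(candidate.handle, legit.handle),
              name_similarity(candidate.display_name, legit.display_name))
    if sim < name_threshold:
        return 0, ["name does not resemble the monitored page"]
    score, reasons = 50, [f"name similarity {sim:.2f} to '{legit.handle}'"]
    if not candidate.verified:
        score += 30
        reasons.append("no verification badge")
    if candidate.likes < low_likes:
        score += 20
        reasons.append(f"only {candidate.likes} Likes (likely recently created)")
    return score, reasons


def triage(candidates, legit):
    """Return the suspicious candidates ordered from most to least suspicious."""
    scored = [(lookalike_score(c, legit)[0], c) for c in candidates]
    return [c for s, c in sorted(scored, key=lambda t: t[0], reverse=True) if s > 0]


# Constructed sample data (handles and counts are invented, not real pages).
LEGIT = PageRecord("examplebank", "Example Bank", True, 1_250_000)
CANDIDATES = [
    PageRecord(handle_from_url("hxxps://www.facebook.com/examplebankonline/"),
               "Example Bank", False, 180),
    PageRecord("janescookingpage", "Jane's Cooking", False, 90),
    LEGIT,
]

if __name__ == "__main__":
    for page in triage(CANDIDATES, LEGIT):
        score, reasons = lookalike_score(page, LEGIT)
        print(f"{score:3d}  {page.handle:<22} {'; '.join(reasons)}")
```

The similarity gate comes first on purpose: being small and unverified is normal for most pages, so those signals only matter once a page's handle or display name resembles a brand you monitor. Tune `name_threshold` and `low_likes` to your own data before relying on the ordering.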
Indicators of Compromise
hxxps://www.facebook.com/bdounibankonline/