Cybercriminals are trying to trick American users of digital payment apps into transferring funds instantly in social engineering attacks using text messages with fake bank fraud alerts.
A public service announcement issued by the Federal Bureau of Investigation on Thursday said the attackers call victims who respond to the phishing messages, using phone numbers that spoof the legitimate 1-800 number of the bank's support service.
“Under the pretext of canceling the fake money transfer, victims are fraudulently forced to send payments to bank accounts controlled by cybercriminals,” the FBI said.
The fake fraud alerts cite a payment amount and the name of a financial institution, and ask victims to verify whether they are trying to make an instant payment of thousands of dollars. If victims respond to the phishing SMS and say they are not making such a payment, they receive a second text message saying that they will be contacted “soon”.
The scammers, who often speak English without an accent, call as promised and claim to represent the bank's fraud department. The ultimate goal is to trick victims into “canceling” a fake instant payment transaction by asking them to remove their email address from the payment app so that it can be put under the attacker’s control.
“The actor asks for the victim’s email address and adds it to a bank account controlled by the player’s first fraudulent payment attempt,” the FBI said. “Victims are sending instant payment transactions from their bank account to an actor-controlled bank account, thinking they are sending the transaction to them.”
Correspondence between scammers and their victims can take several days, demonstrating the scammers’ determination to launch an attack using social engineering.
The FBI also shared a list of precautions that Americans using digital payment applications should take to avoid falling victim to one of these scams:
- Be wary of unsolicited requests to verify your account information. Cybercriminals can use email addresses and phone numbers that appear to belong to a legitimate financial institution. If you receive a call or report about possible fraud or an unauthorized transfer, do not respond directly.
- If you receive a request for verification of your account information, contact the financial institution's anti-fraud department at the verified phone numbers and email addresses found on official websites or bank documents, rather than those specified in texts or emails.
- Enable Multi-Factor Authentication (MFA) for all financial accounts and do not share MFA codes or passwords with anyone over the phone.
- Understand that financial institutions will not ask their customers to transfer funds between accounts to prevent fraud.
- Be skeptical of callers who provide personal information such as social security numbers and past addresses as proof of their legitimacy. The increase in large-scale data leaks over the past decade has provided criminals with massive amounts of personal data that can be used over and over again in various scams.