2022-07-25

Scam artists are working harder to steal your identity and money.

Phishing attacks, which use phony emails or text messages to fool you into divulging personal information, increased 28% last year, according to research from PhishLabs by HelpSystems. On a large scale, the schemes can be lucrative: Full sets of consumer data, including name, birth date, Social Security number and passwords, sell online for around $5 to $8 per record.

Those credentials can be a golden ticket into user accounts—but not always. Even when scammers have the login for, say, your bank, they still have one final barrier preventing full access: a one-time password sent to your smartphone.

But clever scammers are figuring out workarounds. You need to be one step ahead.

Fraudsters Target Multifactor Authentication

To better protect their account holders online, many businesses are using multifactor authentication. It’s the familiar security measure that requires you to enter a one-time password or code after you try to log in with your username and password.

The code, often a series of numerals, is texted to your phone or is generated by an authentication app. The process generally works well, but it can be defeated.

As senior fellow for threat research at Agari by HelpSystems, I hear about new scams targeting individuals and businesses every day. The following scenarios illustrate two approaches for hijacking one-time passwords through cunning social engineering, that is, tactics that manipulate a person rather than break the technology.

Scenario No. 1: SIM Swapping

This is an effective method that’s been around for a while. A scam artist will call your wireless carrier and convince the rep they are you. Remember, the scammer already has bought or otherwise obtained your full credentials including your Social Security number and date of birth.

The fraudster, posing as you, explains that they have a new smartphone and need to move your number to a new SIM, the card that ties your phone number to a particular device on the carrier's network. Once they convince the rep to make the switch, your number rings on a burner phone they control, and every one-time password your bank texts to "your" phone lands in their hands.

This may sound far-fetched, but it happens. In fact, throughout 2021, scammers used SIM swapping to defraud victims out of $68 million, according to the FBI Internet Crime Complaint Center. However, it takes skill and precise timing on the part of a scammer to convince the phone company to make the change.

Also, because your own phone loses cellular service the moment the SIM is swapped, the maneuver is more likely to occur while you're sleeping. The scammer must act quickly because you'll probably notice the dead phone and figure out something is amiss within a matter of hours.

Scenario No. 2: Texted Authentication Codes

A newer, easier way has emerged for cybercriminals to access one-time passwords without needing your phone. Here’s how it works:

You receive a text you think is from your bank asking if you just paid $20,000 to a resort in the Maldives. You didn’t. And now you’re worried, angry and upset. You want to take immediate action to resolve the problem, so you’re not thinking rationally. That’s part of the ploy.

The text instructs you to reply “1” if the charge is accurate, and says you’ll be sent a code you must text back if you did not authorize the payment. At that moment, the scammer uses your stolen credentials to log into your account—which prompts your real bank to text you a one-time code.

You follow the instructions you were given and text that code to the scammer—providing the con artist with the missing piece needed to access your account and transfer your money to virtually anywhere.

The scammer may even attempt to buy more time by saying you’ll continue to see what looks like fraudulent activity on your account for up to 48 hours as the situation is resolved. That delays you from discovering and reporting the true scope of the incident to the authorities.
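As an added example that is not from the original article: a simplified bank-side policy, in Python, that treats both scenarios above as signals when deciding how to deliver the second factor, and an OTP issuer that keeps codes random, short-lived and single-use. The carrier SIM-change lookup, the phone numbers, the timestamps and the login attempts are all constructed for illustration; that a bank can query a carrier for the date of the last SIM change is an assumption here, not something the article describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Constructed "current time" for the demonstration.
NOW = datetime(2022, 7, 24, 12, 0, tzinfo=timezone.utc)

# Constructed sample of what a carrier SIM-change lookup might return:
# phone number -> when the SIM on that number was last changed.
# Assumption: the bank can query its customers' carriers for this.
SIM_CHANGE_LOOKUP = {
    "+15551230001": NOW - timedelta(hours=9),   # swapped overnight (Scenario 1)
    "+15551230002": NOW - timedelta(days=400),  # unchanged for over a year
}

SIM_SWAP_COOLDOWN = timedelta(hours=72)  # treat any change this recent as suspect
OTP_LIFETIME = timedelta(minutes=5)


@dataclass
class LoginAttempt:
    user_id: str
    phone: str
    known_device: bool           # browser/device fingerprint seen before for this user
    has_authenticator_app: bool  # enrolled in app-based push approval
    at: datetime


def recent_sim_swap(phone, now):
    changed = SIM_CHANGE_LOOKUP.get(phone)
    return changed is not None and now - changed < SIM_SWAP_COOLDOWN


def choose_second_factor(attempt):
    """Pick how the second factor is delivered, and say why."""
    if recent_sim_swap(attempt.phone, attempt.at):
        # Scenario 1: the number may now terminate on an attacker's burner.
        # A texted code would go straight to them, so SMS is refused.
        if attempt.has_authenticator_app:
            return "app_push", "recent SIM change on number; SMS refused"
        return "deny_and_review", "recent SIM change and no app enrolled"
    if not attempt.known_device:
        # Scenario 2: the relay attacker signs in from a device the bank has
        # never seen. An in-app approval screen that names the device and
        # location cannot be read out to a scammer the way six digits can.
        if attempt.has_authenticator_app:
            return "app_push", "new device; approval must be given in app"
        return "sms_otp", "new device; SMS fallback, message states the purpose"
    return "sms_otp", "known device"


@dataclass
class IssuedOtp:
    code: str
    user_id: str
    expires: datetime
    used: bool = False


def new_otp(digits=6):
    # secrets, not random: a guessable code defeats the whole factor
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def issue_otp(user_id, now):
    return IssuedOtp(new_otp(), user_id, now + OTP_LIFETIME)


def verify_otp(record, submitted, now):
    """Single use and short-lived, which shrinks the window a relayed code is good for."""
    if record.used or now >= record.expires:
        return False
    if not secrets.compare_digest(record.code, submitted):  # constant-time compare
        return False
    record.used = True
    return True


def sms_text(code, device_desc):
    # Name the action and the requesting device so a victim reading the text
    # can notice it was not their own login, and say plainly that the bank
    # will never ask for the code.
    return (f"{code} is your code to sign in from {device_desc}. "
            "We will never ask for this code by call or text. "
            "If this was not you, call the number on the back of your card.")


def demo():
    attempts = [
        LoginAttempt("alice", "+15551230001", True, False, NOW),  # SIM just swapped
        LoginAttempt("bob", "+15551230002", False, True, NOW),    # relay from a new device
        LoginAttempt("bob", "+15551230002", True, False, NOW),    # ordinary login
    ]
    return [choose_second_factor(a) for a in attempts]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the policy is that the bank, not the customer, is the party that can see the two tells the article describes: a phone number whose SIM changed hours ago, and a login from a device it has never seen. Neither check stops a victim from reading a code to a scammer, which is why the message text itself names the device and says the bank will never ask for the code.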

What Now? 3 Tips to Protect Yourself

Yes, it is scary and frustrating to learn about the ingenious swindles cybercriminals devise. Here are a few ways to stay sharp.

Tip No. 1: Verify, using a separate channel.

In a previous article on common scams, I discussed the importance of using a second avenue of verification when you get an unexpected alert telling you to take any type of action. If you receive a text message about bank fraud, pull out your bank card and call the number listed on the back. Don't call the number in the text or click on a link, because you're likely to be led to a spoofed website or phony call center. Likewise, if you get an unsolicited call, hang up and call the number on your card. If you are indeed conned but can act quickly, the bank may be able to reverse any fraudulent transaction.

Tip No. 2: Keep using multifactor authentication and one-time passwords.

After hearing about these scams, you may think using multifactor authentication is a bad idea. But it's still effective and important, particularly when you're using sites or apps where sensitive financial or health care information is stored. Where a site offers a choice, prefer an authenticator app or a hardware security key over texted codes: neither depends on your phone number, so a SIM swap cannot redirect them. Whatever form the factor takes, never give a one-time password to anyone, including someone who says they work for your bank.

Tip No. 3: Stay abreast of industry threats.

Scammers are always innovating. Reading up on their new tactics will help protect you, your identity and your assets from the internet's bad actors.

