The tone is alarmist. A post shared more than 107,000 times on Facebook since October 3 warns of a scam targeting Crédit Agricole account holders. The procedure is explained as follows: the victim is contacted by telephone by a person who introduces herself as the victim's bank advisor. The caller assures the victim that “she won’t ask for any number”.
She says she is calling to update a “securicode”. As proof of her good faith, she provides information such as “the account number, the exact balance of my three accounts”, the post specifies. A new security code is then sent via SMS. “I tell myself it sucks,” comments the Internet user. “If you enter this code, it adds a new payee and clears your accounts!” “Warning,” the post warns, “the trick is really very well done”.
A banking expert contacted by 20 Minutes confirms the scheme, which “focuses on Crédit Agricole” in this post but is in fact “a classic phishing scenario affecting customers of all banks”. The scammer has collected a certain amount of information beforehand to gain the victim's trust and lend credibility to his pitch, he explains.
While the widespread adoption of strong authentication has brought down the fraud rate on Internet payments (-20%), the threats are evolving, notes the latest report of the Observatory for the Security of Means of Payment. Fraud techniques based on customer “manipulation” and identity theft campaigns have developed in parallel and are increasingly sophisticated.
An increase in the number of reports
The number of reports of fraud involving identity theft, of the fake bank advisor type, has therefore “grown very sharply in recent months”, confirms the Prudential Control and Resolution Authority (ACPR). Other scenarios exist: the fraudster may claim that he needs to urgently block or cancel a bank card or transfer a fraudulent account, points out the website of the insurance, banking and savings information service, a joint platform set up by the ACPR, the Banque de France and the Autorité des marchés financiers (AMF).
These calls are actually meant to bypass new payment security features. The site also specifies that scammers frequently use technologies that let them display the telephone number of the impersonated bank while hiding their real number.
Information retrieved from phishing or malware
First, the information is usually collected via phishing, i.e. an email asking the recipient to “update” or “confirm [their] information following a technical incident”, in particular bank details, or by “stealer” type malware, software that steals user data stored in the browser.
Once this information is obtained, the fraudster calls the customer with the aim of getting transactions protected by strong authentication measures validated. “In the case presented, this is obviously the addition of an external account number, which assumes that the fraudster already has access to the customer’s online bank,” the banking expert points out.
Never communicate your details by email or telephone
The scammer asks the victim to add an account, an action which triggers the sending of a temporary security code via SMS. He then tries to obtain this code in order to finalize the addition of external accounts and make transfers in his favor.
Crédit Agricole indicates that it mobilizes human and financial resources to fight cybercrime and reminds customers that it never asks them to communicate data by email or telephone. The bank’s website also lists examples of attempted fraud and explains best practices. The Observatory for the Security of Means of Payment also lists precautionary advice in case of suspicious activity.