Security Brief

Fraud Brief – April 17, 2020

Victims of P2P Transaction Fraud

The FBI’s Detroit Field Office, in collaboration with the Office of Private Sector (OPS), is informing financial institutions about a scheme involving fraudulent peer-to-peer (P2P) financial transactions. Criminal elements have defrauded multiple financial institutions, and their customers, through a targeted telephonic phishing, or voice phishing (vishing) scheme which enables fraudulent P2P transactions.

HOW TO IDENTIFY THREAT:
Bank customers, who have experienced a compromise of their personal identified information, receive spoofed fishing calls from their financial institution. The caller portrays a representative of their bank’s fraud or customer service department and claims to be verifying a possible debit transaction. Some customers receive a text message asking for their online account information, including username, PIN, card number, and other forms of personal identification information (PII).

Multiple banks reported the use of the bank’s “forgot password” feature to access the victim’s account. If additional online security measures were required, the caller would send the customer a two-factor authentication (2FA) code; once the customer confirmed the code, the caller had access to the victim’s account.

Many financial institutions indicated the scammers changed the victim’s contact phone numbers and email addresses on the compromised accounts and then used the bank’s P2P payment system to conduct multiple transfers to various payee debit cards or bank accounts. Majority of the phone numbers and IP addresses associated with the scam resolved to the Miami, Florida area. The scammers appear to be targeting banks that offer P2P transfer services such as uPay, Pay-A-Friend, Zelle, etc.

ADDITIONAL RESOURCES:
If your organization receives reporting from your customers about vishing schemes, direct any requests and questions to your FBI Private Sector Coordinator at your local FBI Field Office.