I almost fell for an unrelated scam just a couple months ago. Basically, I was on vacation visiting family, had just gotten a new phone (w/ GrapheneOS, so it didn't have Google's network of spam detection), and was out and about at the time. Here's how it went down:
received text earlier that day saying that my CC was used for an unauthorized purchase (happens a couple times/year)
got a call from someone claiming to be my bank (not one of the popular chains like Chase or whatever)
caller asked me to verify myself through text code, and I didn't read the text message carefully and provided it (later inspection showed that it was a password reset code)
after going through some (fake) recent transactions, I told them they all sounded fraudulent (they were on the other side of the country)
they asked me to confirm myself again through another code to finalize, at which point I told them they don't need a second code since I already proved my identity, and they hung up
I immediately went to go reset my password and found I was locked out, so I called my bank. They confirmed that my account had been automatically locked for suspicion of fraud (good job!!) and confirmed what I suspected, the scammer had reset my password (first code) and was attempting to add an external account (second code). Had I given them that second code, they likely would have been able to submit the transfer and it would've been a giant headache to try to get that money back.
I didn't lose anything and I immediately improved the security on my account, but I felt like an idiot for letting them get that far. I had also recently consolidated my other accounts to this one, so this would've been a big blow. They changed my account numbers, I changed my username and password, and they held my account for a week or so to ensure everything was good. This bank is one of the few that actually cares about security, so I set up voice recognition (they said they track it anyway, this just turns on an extra feature) and Symantec VIP (I prefer my regular TOTP app, but they don't support that).
I don't think it'll happen to me again, but I was still surprised that I got so far through the process before recognizing that it's a scam. And I consider myself pretty security conscious (e.g. I use TOTP everywhere, password manager, keep credit bureaus frozen, etc). I guess they got my info from a breach somewhere because they knew my name, my username (to be fair, I used it everywhere), and the bank I use (could've gotten lucky). I have since changed most of my usernames to be random, so hopefully I'll be more safe going forward.
I'm talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.
It sounds like in the above case the codes were real 2fa codes from his bank as the scammers were resetting their login credentials then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother
I almost fell for an unrelated scam just a couple months ago. Basically, I was on vacation visiting family, had just gotten a new phone (w/ GrapheneOS, so it didn't have Google's network of spam detection), and was out and about at the time. Here's how it went down:
I immediately went to go reset my password and found I was locked out, so I called my bank. They confirmed that my account had been automatically locked for suspicion of fraud (good job!!) and confirmed what I suspected, the scammer had reset my password (first code) and was attempting to add an external account (second code). Had I given them that second code, they likely would have been able to submit the transfer and it would've been a giant headache to try to get that money back.
I didn't lose anything and I immediately improved the security on my account, but I felt like an idiot for letting them get that far. I had also recently consolidated my other accounts to this one, so this would've been a big blow. They changed my account numbers, I changed my username and password, and they held my account for a week or so to ensure everything was good. This bank is one of the few that actually cares about security, so I set up voice recognition (they said they track it anyway, this just turns on an extra feature) and Symantec VIP (I prefer my regular TOTP app, but they don't support that).
I don't think it'll happen to me again, but I was still surprised that I got so far through the process before recognizing that it's a scam. And I consider myself pretty security conscious (e.g. I use TOTP everywhere, password manager, keep credit bureaus frozen, etc). I guess they got my info from a breach somewhere because they knew my name, my username (to be fair, I used it everywhere), and the bank I use (could've gotten lucky). I have since changed most of my usernames to be random, so hopefully I'll be more safe going forward.
Anyway, stay on your guard, it can happen to you.
The fact that many banks still don't have at least app-based 2FA should be criminal.
How would that help in this case? "Sir, please accept the pop up from our app"
I'm talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.
It sounds like in the above case the codes were real 2fa codes from his bank as the scammers were resetting their login credentials then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother