Fake bank advisor fraud: understanding this type of vishing attack
In an increasingly connected world, cybercriminals are constantly coming up with new ways to target their victims, whether they are individuals, businesses, government agencies, or organizations.
While phishing remains the primary method of cyberattack, telephone scams such as vishing are rising at an alarming rate.
Among these, fraud involving fake bank advisors is growing in France, affecting thousands of victims each year.
According to the latest survey by Cybermalveillance.gouv.fr, cases of fraud involving fake bank advisors have indeed risen by 78%, illustrating the scale of the problem.
The increasing exposure of personal data, particularly through recent data breaches, is contributing to the rise of this scam.
In this article, we’ll take a closer look at this threat, explore how it works, analyze its consequences, and, most importantly, discover the best practices for effectively protecting yourself against it.
What is the "fake bank advisor" scam?
Definition
The "fake bank advisor" scam is a type of fraud in which cybercriminals pose as bank employees to obtain sensitive information or steal funds.
This scam falls under a broader category known as vishing, a term derived from the combination of “voice” and “phishing.” Vishing can be translated into French as “hameçonnage vocal.”
Vishing involves the use of fraudulent phone calls to psychologically manipulate victims and trick them into disclosing confidential information.
This method draws on the principles of social engineering, a set of techniques designed to influence behavior by appealing to emotional factors such as fear, urgency, trust, and empathy.
Methods Used in Fake Bank Advisor Scams
As we have seen, the "fake bank advisor" scam relies on vishing attacks, which can take various forms and vary in complexity:
1. Direct phone calls: The scammer contacts the victim directly by phone. The call may be made over the traditional telephone network or over VoIP (Voice over IP, a technology that allows voice calls to be made over the Internet) using apps like WhatsApp.
In both cases, the caller identifies himself as a bank advisor and claims to want to resolve an issue related to the victim’s account.
2. Hybrid attack using phishing emails and/or text messages: In this scenario, the victim first receives a text message or email informing them of a problem with their bank account or an impending fraudulent payment.
The message then asks the victim to urgently call a phone number to be connected with a supposed bank representative. These messages mimic official communications from banks.
3. Handing a credit card to a delivery person: Among the most sophisticated scams, some fraudsters manage to physically steal their victim’s credit card.
After establishing a relationship of trust, they claim there is a security issue with the account and insist that the victim provide their PIN under the pretext of verification.
They then ask the victim to hand over their card to a courier, claiming that the bank needs to retrieve the card to secure it or destroy it. Once they have the card and the PIN, the scammers immediately use it to withdraw cash or make purchases.
4. Use of infostealer malware: These malicious programs are designed to steal sensitive information stored on an infected device. Once installed (for example, via a phishing link leading to a fake app store), they monitor the user’s activity and collect data (usernames, passwords, etc.).
Some apps can go to great lengths to take control of the victim’s phone, as revealed by Korean researchers in a study:
- Removing any anti-phishing apps that may be on the device.
- Sending photos, videos, voice recordings, etc.
- Forwarding calls (to block all calls to legitimate phone numbers and redirect them to a fraudulent number).
- Displaying an overlay (fake screen) to hide unauthorized calls.
- Blocking legitimate external calls.
- Manipulating the call log (so that the legitimate number appears instead of the fraudulent one).
How does the fake bank advisor scam work?
Step 1: Initial Access
The first step in a fake bank advisor scam is to contact the victim. The cybercriminal’s goal is to manipulate the victim’s emotions.
To do so, they play on fear, a sense of urgency, trust, and respect for authority, using a reassuring and professional tone to inform the victim of alleged suspicious activity on their account.
Step 2: Manipulation
Once the conversation is underway and a relationship of trust has been established, the scammer can continue to manipulate their victim. To bolster their credibility, the scammer may provide details about the victim that they obtained from hacked databases or social media.
They may then ask for sensitive information (such as a verification code received via text message) or prompt the victim to perform certain actions directly.
Step 3: The fraudulent transfer
The goal of a fake bank advisor scam is to steal money. Once the scammer has obtained the necessary information, they can carry out their plan by asking the victim:
- For their credit card numbers, in order to make online purchases.
- For the login credentials to their online banking account, so that the scammer can transfer funds himself.
- To make fraudulent transfers under a false pretext (such as claiming that the money needs to be transferred to a new checking account to protect it from hacking).
Signs of a scam involving a fake bank advisor
Suspicious behavior to watch out for
Despite the increasing professionalism of hackers, certain signs may indicate an attempt at fraud involving a fake bank advisor:
- Unusual communication channels: Some vishing calls go through the traditional telephone network, while others use VoIP software—a communication method that a bank would not use.
- An email or text message asking you to call a number: It is rare, if not impossible, for a bank to alert a customer via text message or email about a problem with their account.
- Calls at unusual times: Scammers often contact their victims early in the morning, late at night, or on holidays. This is another red flag that a scam is likely underway.
- Urgent or threatening tone: The scammer urges the victim to act quickly, under the pretext of resolving a problem or disputing a payment. Urgency is key to these attacks. The goal is to push you into acting impulsively instead of taking a step back. Be on the lookout for these signs.
- Requests for confidential information: The supposed bank representative asks for usernames, passwords, or verification codes sent via text message or email. A real bank representative would never do this.
Checks to be performed
If you suspect that you are dealing with a fraudulent "bank advisor," follow these guidelines:
- Check the caller’s number: Even if the displayed number appears legitimate (a number already saved in your contacts or showing the name of a well-known company), it could be a case of number spoofing. The best course of action is to end the call and call the legitimate number back. Ideally, you should make the return call from a different device, in case your phone is infected with spyware.
- Ask the caller questions: A scammer may know a lot about you (last name, first name, phone number, address, credit card numbers, account numbers, etc.). Even so, don’t hesitate to ask questions and press them on the matter. They will likely end up giving themselves away.
- Say as little as possible and do nothing: A bank will never ask you for login credentials or other sensitive information over the phone. Similarly, it will never ask you to transfer funds between your accounts or to an external account. If a caller asks you to do so, you are dealing with a scam involving a fake bank representative.
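The warning signs and checks above can also be applied automatically to inbound text messages and emails. The following is an added example, not part of the original article or any bank's tooling: it extracts French-format phone numbers, normalises them, and flags a message that pushes the reader to call a number absent from the bank's published list. The allow-list, keyword list and sample messages are constructed assumptions.

```python
import re

# Constructed allow-list: numbers the (hypothetical) bank publishes on its
# website and on the back of its cards, stored in E.164 form.
OFFICIAL_NUMBERS = {"+33199001234"}

# Assumed pressure vocabulary for illustration; tune it to your users' language.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|within \d+ ?(h|hours|minutes)|"
                     r"suspended|blocked|fraudulent)\b", re.I)
CALL_VERB = re.compile(r"\b(call|phone|contact|ring)\b", re.I)
# French number: +33, 0033 or trunk 0, then 9 digits with optional separators.
PHONE = re.compile(r"(?<!\d)(?:\+33|0033|0)[\s.\-]?[1-9](?:[\s.\-]?\d{2}){4}(?!\d)")


def to_e164(raw: str) -> str:
    """Normalise '06 39 98 00 11', '0033639980011' or '+33 6 39...' to +33..."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0033"):
        digits = digits[4:]
    elif raw.lstrip().startswith("+"):
        digits = digits[2:]      # drop the country code 33
    else:
        digits = digits[1:]      # drop the national trunk prefix 0
    return "+33" + digits


def triage(message: str) -> dict:
    """Return the red flags found in one inbound SMS or email body."""
    numbers = {to_e164(m.group(0)) for m in PHONE.finditer(message)}
    unknown = sorted(numbers - OFFICIAL_NUMBERS)
    flags = []
    if unknown and CALL_VERB.search(message):
        flags.append("asks for a call to a number the bank does not publish")
    if URGENCY.search(message):
        flags.append("urgent or threatening wording")
    verdict = "suspicious" if unknown and flags else "no callback lure found"
    return {"verdict": verdict, "flags": flags, "unknown_numbers": unknown}


# Constructed sample messages (not real traffic).
SAMPLES = [
    "ALERT: a fraudulent payment of 1,290 EUR is pending. Call your advisor "
    "urgently on 06 39 98 00 11 to cancel it.",
    "Your statement is available. For questions, call us on +33 1 99 00 12 34.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text))
```

A message that passes this check is not proven legitimate; the rule of calling back on a number obtained independently still applies.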
What should you do if you encounter a fake bank advisor?
The key steps
If you have been the victim of a scam involving a fake bank advisor, it is crucial to act immediately to protect your finances and prevent others from being targeted. Here are the first steps you should take:
- Contact your bank immediately to report the scam and secure your bank accounts and payment methods.
- File a complaint with the police, the gendarmerie, or the public prosecutor.
- If you are a victim of credit card fraud, report it on the Ministry of the Interior’s Perceval platform, which was designed to combat this type of scam.
- Visit the 17Cyber website for assistance with your procedures and cybersecurity advice.
Enhance your security and let your friends and family know
In addition to taking official steps, informing your loved ones is a key step. Scammers often target older adults, but young adults are also vulnerable—even if this may seem counterintuitive—as a recent study shows. Letting your loved ones know helps prevent them from becoming the next victims.
In a professional setting, immediately notify your IT security department and your colleagues to prevent the attack from spreading.
Finally, to prevent any future intrusion attempts:
- Change all your passwords to secure your digital accounts.
- Reset your cell phone to remove any potential spyware.
How can you protect yourself from scams involving fake bank advisors?
Keep a low profile on social media
A cybercriminal cannot carry out a social engineering attack without having information about you. It is therefore important to limit your digital footprint—that is, your attack surface.
Don’t post anything personal on social media, including professional social media platforms, which are often a goldmine for malicious individuals.
As early as 2012, researcher Michal Kosinski and his colleagues at the universities of Cambridge and Stanford demonstrated that a machine learning algorithm can accurately determine an individual’s personality traits by analyzing their reactions on Facebook.
So what about a resume with all your contact details and personal information available to the public on LinkedIn?
If you want to post on social media, it’s best to limit your audience to people you trust.
Also, only keep people you actually know in your contacts, and be cautious when a stranger tries to join your network.
Protect yourself as much as possible from data breaches
Users are not responsible for the security of the companies to which they entrust their information. Nevertheless, it is everyone’s duty to be vigilant.
This means signing up only on trustworthy websites that process data in accordance with the law, particularly the GDPR.
This also means not providing more information than is necessary—for example, by leaving optional fields blank.
For example, when signing up for a newsletter, you shouldn't be asked for your date of birth or mailing address.
Conclusion
Fraud involving fake bank advisors is a growing threat, exacerbated by the proliferation of data breaches on the dark web, where sensitive information such as IBANs and other personal user data circulates.
While technical solutions exist to filter out fraudulent calls and text messages, they are not foolproof. Cybercriminals sometimes manage to circumvent them by using advanced techniques, such as installing spyware on targeted devices.
In the face of this threat, the best defense is still people. Developing a critical mindset when dealing with suspicious communications and learning to identify warning signs are essential skills for minimizing risks.
Raising awareness is therefore a key strategy, both within the family—where it is crucial to discuss these fraudulent practices with loved ones—and in the workplace, where it is essential to assess how well teams can withstand vishing attempts.
With this in mind, vishing simulations, such as those offered by Hucency, allow organizations to test employees’ ability to detect an attack under real-world conditions.
These simulations are followed by a detailed report that provides tailored recommendations for strengthening internal procedures and optimizing the defense strategy against these sophisticated fraud schemes.