We are used to advising everyone to ignore incoming calls posing as people from the bank. Most of the time they are scams, criminals who pretend to be bank employees and who, taking advantage of the fact that they have some of our personal data obtained on the Internet, want us to pass passwords over the phone.
Many people are already used to the subject. You receive SMS messages, calls from unknown telephone numbers, emails… we already know that we have to ignore the subject, but… what if the call received is from the bank’s telephone number?
Many times we have the bank contact stored in our mobile, so that if the management calls us to deal with anything (mortgages, loans or whatever), we already recognize the number. That is why this new scam draws attention, because the scam call is made with the bank number that we have in our contacts.
This is how several people who have suffered this attack are explaining it. They have received a call from the Banco Sabadell phone, with information on their name and ID, asking for passwords for access.
It’s the vishing method
The scam method that is described in the audios that circulate on the network is known as vishing. In this video they explain it from INCIBE:
Phone spoofing is called Caller ID spoofing in English, and consists of the caller ID displaying a different phone number than the phone from which the call was made.
To achieve this, they use VoIP (Voice over Internet Protocol), programs from which it is possible to define the phone that appears as the caller.
Currently, when we make a voice call from Skype, for example, “unknown phone” appears, but in this type of program it is possible to create a virtual phone and define it as the one that appears during the communication.
Here are two cases that are already circulating on the networks.
First case of attempted scam
I want to share with you some valuable information, because yesterday they tried to scam me and of all the times they have tried it, it is certainly the most elaborate, because these people go further and further and not even at the bank have they been able to tell me how they do it .
Today I receive a call at 19:30 in the afternoon. The phone number was exactly the same as my bank’s security service. In the bank they don’t know how they do it. This call tells me that they have accessed my online banking and are making payments. And that I have to give them a four-digit number from a code card and that a message will have arrived. Evidently I had received an SMS message in the same thread as the one from the bank, because of course, they were trying to access it, and I had to give them the password corresponding to the box that came to me in the message to verify my identity.
Of course it had to be fast, because they were withholding payments, because they thought it was suspicious that it was an unusual terminal and that we had to do it quickly because otherwise they couldn’t block those payments.
I told them that I would call them in a moment, and they replied: No, no, but you have to give it to me now.
I hang up, I go into my digital banking and I see that there is absolutely no movement or any payment.
I call the phone number of my bank Banco Sabadell, and they tell me that they have not called before. They have told me at the bank to share it with as many people as possible to see if it can be prevented from getting itchy, because it is very rare for them to call and the phone number of your bank appears on the screen.
The issue is that they have my phone number, they have my ID, they have my name because they called me by my name and they were trying to get in and they were trying to make bizums. Sure, we blocked the accounts and we already blocked online banking and they couldn’t do anything. Then he called me back, I told him a thousand barbarities and he hung up on me.
Obviously, what I mean, that you be very careful because the text message came to me in the same thread as the messages from the bank. Not even the bank knows how they did it. They were calling me and the same bank number appeared on the screen.
Second case of attempted scam
Hello, I have to tell you that they have done that to me. Exactly the same thing that boy said. I have the Banco de Santander telephone number in contact and suddenly the Banco de Santander calls me. I pick it up and it tells me it’s the security service.
Of course, they had my name, they gave me my DNI and identified themselves as belonging to the bank’s security service and that they have withheld a payment of €800 from an El Corte Inglés card that they want to confirm with me if I have indeed made me or not.
I don’t know what happened or I sensed something, and I told them “don’t worry, I’ll call the bank right now” and no, no, it’s not that they rush you, they overwhelm you, but well, I hung up and called the bank too, but of course, I was attacked because it was the same phone number from which they had called me and well, in the end it seems to be, as they explained to me at Banco de Santander, that there is an application that allows you to do that, even if you are calling from another number.
What they do is that you can tell the number that you call to appear the number that you want to appear. So they are effectively calling from another number, but with that application on the phone they call, the number they want appears, which is the bank’s.
Anyway, I actually had to block everything and make new cards.
Recommendation
What is clear is that you should never give passwords over the phone or by email. If someone insists, we do as in the two cases shown, we hang up and call the bank in case of doubt.
Technology advances, and we have to be prepared for when it is used for these purposes.
