Fraudsters obtained the account balance in advance so that they could later use this data to impersonate a bank employee.
The Central Bank has revealed a new fraud scheme in which attackers obtained customer data through the interactive voice menu (IVR) of a Russian bank and then used it for social engineering, RBC reports.
By spoofing the caller ID to match the phone number the client had registered with the bank, the attackers called the interactive voice menu system, entered the last four digits of the bank card number and received the client's account balance.
The attackers then used this information to gain the customer's trust over the phone. They called customers and obtained the data they needed to steal money from the account. Because they quoted the exact account balance, people believed they were speaking with a bank employee.
However, to carry out this scheme, scammers need the last four digits of a bank card and a phone number. According to the Central Bank, the attackers could have obtained the phone numbers and the last four digits of the card numbers from the Joom marketplace database, which was made public at the end of August.
As a representative of the Central Bank explained to RBC, the fraud became possible because one of the banks, whose name is not disclosed, did not follow the recommendations issued in 2019 on combating mobile fraud and protecting customers from unauthorized access to their confidential information through IVR (interactive voice menu) systems.