This phantom attack is back in the news—be careful.
Republished on January 18 with a new warning that banks are unlikely to refund money lost in this attack, with advice on what you need to do to secure your account.
It starts with a simple call, a message, a popup — but it ends with a potentially life-changing loss. It is a dangerous enough threat that Google has updated Android to protect its users. While there are many warnings about apps you shouldn’t install on your phone or laptop, this is much simpler. You should never install these apps.
The FBI has dubbed this threat “the Phantom Hacker,” and it has made the news again this week, with the bureau warning that “it’s growing rapidly,” that “scammers do not discriminate against anyone — they want money from anyone.”
The concept is simple, the FBI explains: “Scammers impersonate bank reps to convince victims that hackers have infiltrated their financial account. Victims are urged to move their money fast to protect their assets. In reality, there was never a hacker, and the money that was wired is now fully controlled by the scammer.”
There are variations on this theme, such as attacks from scammers claiming to be technical support reps. But the most effective attack is the banking rep. You will end up speaking to a convincing (albeit fake) bank rep who helps you move your cash from the “hacked” account to a safe new account, to stop your money being stolen. You are told this is urgent and is happening now, giving you no time to think. In reality, you are moving your money to an account controlled by the scammer.
While these attacks might just require you to approve a transaction within your banking app, many of the calls “direct the victim to download a software program allowing the scammer remote access to the victim’s computer.”
You’re told this is to stop the imaginary hacker. “The scammer requests the victim open their financial accounts to determine whether there have been any unauthorized charges – a tactic to allow the scammer to determine which financial account is most lucrative for targeting. The scammer informs the victim they will receive a call from that financial institution’s fraud department with further instructions.”
The rules to stay safe are stupidly simple.
- Never install an app when a supposed technical support or banking individual who has reached out to you sends a link or points you to a website.
- Your bank or credit card company will never call and ask for security credentials. If one does, you always have the right to call them back via the usual channels to ensure they work for the institution they claim.
- Never ever move money anywhere on the say-so of someone who has reached out to you by phone. This is never going to be a real solution. If they work for the bank as they say, they can stop the transaction—think it through.
The fact your bank or credit card company will not call you and ask you to transfer money or change your account is critical. The fault in falling for such a scam will likely fall to you. And that’s what happened in the latest Phantom Hacker warning from Chicago, when “one woman who lost $20,000 in the scheme… She was hoping to open her own business this year. That all changed when she received a phone call from a man who claimed to be with Bank of America.”
But as has now been reported, “Bank of America says a customer is out of luck after a phantom hacker’ drained $20,000 from her account… In cases like these, Bank of America says it tries to claw back funds but is not responsible for the theft. The bank says it will never call customers and ask them to send money or a wire transfer.”
Bank of America warns that “every year, people who consider themselves too smart to fall for a scam do just that. In 2023 alone, cybercrime complaints in the U.S. shot up 20% and losses topped $12.5 billion. As cybercriminals adopt better tools, tactics and tricks designed to deceive us, keeping safe means staying informed.”
The bank says that “if you authorize a transfer or send money to a scammer, there’s often little we can do to help get your money back. Just as you might do for your physical wellbeing, it’s a best practice to regularly check in on your cyber health, including updating your passwords. A one-and-done approach isn’t enough when threats keep evolving, and what worked two years ago may not offer you the best protection today or tomorrow. Remember that Bank of America will never contact you to request that you move money to protect yourself from fraud.”
The bank also warns that scams are getting ever more compelling and convincing. “Gone are the days when spelling and grammar errors could reliably tip you off to phishing emails or smishing texts. With today’s technology, including artificial intelligence, cybercriminals can avoid the mistake-riddled messages that once gave them away and use advanced tactics that play on our human emotions and reactions even more effectively. They have also become more persistent.”
Google has added scam call protection to its latest Android OS to protect you in multiple ways. It can deploy on-device AI to listen in to calls and flag when it suspects a scam — such as a supposed banking rep asking you to make a transaction. And as Android Authority explains, it will also “prevent users from disabling Google Play Protect during voice calls to prevent malefactors from tricking users into installing malicious apps on their devices.”
Regardless, you must never, ever install an app on your phone or laptop if you’ve been asked to do so by a tech support or banking rep on a call. The only exception is when you have reached out directly using normal channels. For example, you might use an app to send photos or run a live video link or diagnose a system fault. But you do not do this when it’s any kind of incoming call or message.
Bank of America warns that “sophisticated scams can start with a legitimate-looking but malicious text, followed by a phone call that spoofs a number you recognize, and a voice on the line warning you to take quick action. Tactics have evolved, but the best response remains the same. If you think there’s really a problem, disconnect or hang up, take a breath and use a trusted number or email address to contact that person, utility, bank or government agency yourself.”
The FBI’s full advice to keep Phantom Hackers at bay is below; if you think you have been a victim of any such crime you can report this to the FBI’s Internet Crime Complaint Center (IC3) which you can find at www.ic3.gov.
- Do not download software at the request of an unknown individual who contacted you.
- Do not click on unsolicited pop-ups, links sent via text messages, email links, or attachments.
- Do not contact the telephone number provided in a pop-up, text, or email.
- Do not allow an unknown individual who contacted you to have control of your computer.
Bank of America also provides a checklist which aligns with the advice from law enforcement — given this is coming from the kind of bank likely to be targeted if you’re hit by this kind of attack, it’s worth noting their advice:
- “Secure your online connection and devices with trustworthy and regularly updated antivirus software and keep operating systems current. Screen lock your devices, using a PIN and/or biometrics. Avoid public Wi-Fi and use your own charging equipment whenever possible.
- Freeze your credit. This is a free service offered by all credit bureaus to prevent anyone from opening new lines of credit or bank accounts using your social security number.
- Help protect your credentials. Create complex, unique and secret logins and passwords—and avoid using them on multiple accounts. Enable Multifactor Authentication (MFA) and biometrics when available.
- Be careful what you share online, in person, through email, text or over the phone. In the wrong hands, the information you share can potentially expose you to cybercrime. Avoid accepting friend requests from strangers, don’t give personal information to people who call you (hang up and call using a verified phone number), and be wary of messages from people you don’t know.
- Think before you click. Malicious emails or pop-up messages may contain attachments that when opened can infect your devices, or links that lead to look-alike web pages designed to steal your login credentials. Deals that sound too good to be true, often are. Be suspicious of unsolicited, bargain-priced or free offers. If your computer is frozen on a screen claiming you must call a number to unlock, bring your computer to a trusted retailer to scan for viruses. Do not call the number on the screen.”
Meanwhile, the FBI is not immune from attacks on its own calls, although these tend to be more complex and have more far-reaching implications. A few weeks ago, the FBI warned smartphone users to stop sending texts, and to use end-to-end encrypted messaging instead. This followed the widespread hacking of U.S. networks by China’s Salt Typhoon hacking group. But per Bloomberg on Thursday, the bureau has now reportedly warned agents that some of its own call logs stolen from AT&T during the attacks may be able to identify sources and perhaps even informants.
It also seems that if you have fallen victim to an actual call scam, you’re also in good company. It really could happen to anybody. As CNN reported on Thursday, “even world leaders receive scam calls; just ask Thailand’s prime minister.”
The party leader “revealed she got a call from an AI system, demanding money in the voice of another famous head of government. Paetongtarn Shinawatra did not reveal who the computer was mimicking, but said she received a message in a voice identical to a well-known leader. ‘The voice was very clear, and I recognized it immediately. They first sent a voice clip, saying something like, ‘How are you? I want to work together,’ and so on,’ Paetongtarn said, adding that whoever sent the message ‘probably used AI to take the voice’ of the unnamed world leader.”
This is on a different level to the bank rep scam, and relies on the use of AI to mimic voices well enough to lure a victim. Coming full circle, the FBI also warned users to beware this frightening new threat in a special advisory last month.
“Generative AI,” it warned, “takes what it has learned from examples input by a user and synthesizes something entirely new based on that information… Criminals can use AI-generated audio to impersonate well-known, public figures or personal relations to elicit payments.” Something else to watch out for.
