How do bank phishing scams actually work?

A friend of mine recently got scammed by a bank phishing link sent to her phone. She made the mistake of clicking on the link (it was a fake message saying someone had made a transaction and to click the link if it wasn’t her) and next thing she knew, $5k was taken from her bank account. She didn’t enter any details at any point, she just clicked it.

She was luckily able to call her bank and get the money back, but it got me thinking – how are scammers able to take money from you just because you click on something through your text messages?

I think it depends if she has connected any electronic fund transfer systems to it, e.g. Apple Pay, PayPal and Cash App.

I’ve seen many that will create a fake “login” page, and use any information entered in an attempt to gain control of the victim’s account long enough to issue a bill payment to a recipient they control.

Two ways that I can think of off the top of my head:

– Like someone else already mentioned, the link could have led to a website that LOOKED like that of the bank but in reality was a different one that was controlled by the attacker (ex: vs From there she would have ‘logged in’ to the attacker’s website, but in reality that wouldn’t have done anything. The attackers would have stolen the credentials that she used to ‘log in’ and then used them to transfer money to an account they owned/controlled.

– If the bank that your friend is with had what’s called a Cross Site Request Forgery (CSRF) vulnerability AND she was logged in to the bank on one of the tabs, then the attackers could have transferred money to their account simply by her clicking the link in the text message.
This vulnerability works like this: In normal circumstances, when you send money from account A to account B, that’s done through a request from you to the bank that says “Send $100 from me to B”. The request is valid because YOU are logged in on your banking app, so the bank knows that it is actually you (since you had to go through the login process) that is transferring the money. The link your friend clicked could have generated a request that said “Send $100 from me to Z”. IF your friend was already logged in to her bank (assuming the bank was vulnerable to this type of attack), the request would be accepted as valid since technically it was sent from your friend’s device, on which she would have already been logged in. Again, for this scenario the bank would have needed to be vulnerable to this AND your friend would have needed to be already logged in to the bank on a different tab.
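To make the CSRF scenario in the comment above concrete, here is an added example (not from the thread or any real bank) of a toy transfer endpoint in two versions: one that authorizes on the session cookie alone, so a request a malicious page causes the browser to send is indistinguishable from the account holder’s own, and a hardened one that also requires an Origin check and a session-bound synchronizer token that the foreign page cannot read. All names, the session id and the origins are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed state for the illustration (hypothetical session id and users).
BANK_ORIGIN = "https://bank.example"
SESSIONS = {"sess-abc123": "friend"}      # session cookie value -> logged-in user
SECRET = secrets.token_bytes(32)          # server-side key for minting CSRF tokens


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(SECRET, session_id).
    The bank embeds it in its own transfer form; a cross-site page cannot read it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(balances: dict, cookies: dict, form: dict) -> bool:
    """CSRF-vulnerable design: the session cookie is the only proof of intent.
    The browser attaches that cookie to a forged cross-site POST too, so a request
    triggered by a malicious page is accepted exactly like the user's own."""
    user = SESSIONS.get(cookies.get("session"))
    to = form.get("to")
    if user is None or to not in balances or to == user:
        return False
    amount = int(form.get("amount", 0))
    if amount <= 0 or balances[user] < amount:
        return False
    balances[user] -= amount
    balances[to] += amount
    return True


def transfer_hardened(balances: dict, cookies: dict, form: dict, origin: str) -> bool:
    """Same transfer, with two independent CSRF defenses in front of it."""
    session_id = cookies.get("session")
    if SESSIONS.get(session_id) is None:
        return False
    # Defense 1: browsers set the Origin header on cross-site POSTs; reject any
    # state-changing request that did not originate from the bank's own pages.
    if origin != BANK_ORIGIN:
        return False
    # Defense 2: the form must carry the token minted for this session. Compare in
    # constant time so the check itself does not leak token bytes via timing.
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return False
    # (Marking the session cookie SameSite=Lax or Strict adds a third layer:
    # the browser then omits it from cross-site POSTs in the first place.)
    return transfer_vulnerable(balances, cookies, form)
```

The request built from the text-message link carries the victim’s cookie but neither the bank origin nor the token, so the hardened endpoint refuses it while the legitimate form submission still goes through.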

It is also possible that the fake site she visited installed malware on her device and exfiltrated stored data or logged her keystrokes.

Perhaps the text message was real. Someone had stolen or cloned her card and it was a genuine link from the bank after the transaction had taken place?

On a phone, malware via a link is very rare.