You’ve heard of the traditional email phishing and computer malware scams that attempt to steal customer bank information, but now there is a new player in town, and this one is convincing. Scammers are using what is called the chat box scam to steal information from online banking customers. Here is how it works.
The victim unknowingly installs a piece of malware on the computer by downloading an infected attachment or clicking a bogus web link. The malware then waits for the victim to visit his or her online banking website. (This scam is so convincing because it happens while you are visiting your actual bank’s website, not a fake website created to look like the bank’s site.) Once the victim is on the site, a message flashes saying that a security check is running. Then the customer receives this or a similar bogus pop-up message.
“The system couldn’t identify your PC You will be contacted by a representative of bank to confirm your personality. Please pass the process of additional verification otherwise your account will be locked. Sorry for any inconvenience, we are carrying about security of our clients.”
The poor grammar in this message should be a red flag to customers, but most people won’t notice it. Instead, they will worry about being locked out of their account and proceed to follow the instructions. This is when a chat box appears stating that someone will be with you shortly, just like the ones customers are accustomed to seeing on retail websites. During the live chat, the victim will be asked to provide personal banking information to verify his or her identity. In reality, the victim is handing that sensitive information to a scammer, who will use it to illegally access the victim’s account.
It is also possible for the malware to simultaneously complete a purchase or an unauthorized transfer to another account as the victim is keying in account information. Also of notable concern is that this type of attack could conceivably be used against businesses and their employees, with the attacker posing as an IT help desk technician.
It is essential that banks inform customers of this scam. Make sure they know that your bank does not have a live chat option on the website and that a legitimate customer service person would never ask for customers’ passwords or account numbers. Also, encourage customers to keep their internet security software up to date. This will help protect them from such malware.