
My experience with scammers: Social Engineering in Banking


Tonik's Chief Growth Hacker Mila Bedrenets shares her first-hand experience with scammers.

Tue, 10/24/2023

We've all heard about the Tinder Swindler and the Netflix series about Anna Delvey, just a couple of the popular true social engineering stories that shook not only social media but also international banking systems. If there's one lesson these stories have hammered into our heads, it's that anyone can fall victim to scams because scammers find ways to game us.

 

You may be one of the few, like me, who remain unscathed by these scammers, but that doesn’t mean you’ll be safe for long. As you read this, a scammer from Jamaica could be planning his troll farm’s most devious global scam yet, and this information should be alarming enough to get you worried.

 


 

This is precisely how social engineering works. By definition, social engineering is the art of exploiting human psychology to gain access to buildings, systems, or data. It involves altering human behavior through indirect means, typically focusing on behaviors that individuals are usually hesitant to change on their own.

 

Social engineering attacks can take various forms, but they all generally follow the same pattern: establishing false trust, exploiting human error, and using persuasion to access sensitive or confidential information.

 

In other words, social engineering is a sophisticated term for when someone manipulates you into doing something you wouldn't typically do. Scammers employ social engineering to obtain access to your personal information, finances, or even your computer. Some scamming examples include phishing attacks, manipulation, and impersonation techniques.

 

Scammers exist in all countries, even in the most developed ones. During my time in Singapore, I received a phone call from a person who identified themselves as my bank's customer care manager. They claimed to be calling to confirm a $5,000 SGD transaction on my newly issued credit card, providing me with a credit card number that should have been mine. Initially, I assumed it was legitimate.

 

I explained that I had not requested any credit card issuance and pointed out that the bank had to verify my passport and pass card before issuing any bank card. I suggested that they investigate internal fraud at the branch level. The caller then connected me to her "supervisor," and we rehashed the issue.

 

At this point, I still believed that this was legit.

 


 

I only started doubting the legitimacy of the call when they casually responded to my concerns about internal fraud. I expected a more serious reaction, given the severity of internal fraud at a bank. Instead, they recommended that I report the issue to the police immediately and connected me with "Inspector Lee," who began by lecturing me on cybersecurity and the importance of not sharing personal documents online. Following the lecture, he requested that I send him scans of my papers via Line messenger. At this stage, I was already enjoying the conversation and insisted on visiting him in person at the police station until he gave up.

 

Reflecting on this experience, I couldn't help but wonder how easy it could be for a non-banking individual to fall into such a trap.

 

Beware of Common Bank Scams

Banks are often prime targets for scammers, who employ various tactics to exploit individuals and their financial institutions. Let's explore some scamming examples commonly encountered by bank customers:

 

1. Phishing Attacks

 

The Phony Email: Scammers send deceptive emails, posing as the victim's bank. These emails often request urgent action, such as updating account information or confirming transactions. Unsuspecting customers may click on fraudulent links and unknowingly provide sensitive data.

 

2. Impersonation Techniques

 

CEO Fraud: Scammers impersonate high-ranking executives within a bank and send emails to employees, instructing them to transfer funds or share confidential information.

 

Tech Support Impersonation: Fraudsters pretend to be bank tech support, calling customers and claiming their accounts are compromised. They request remote access or payments for 'security' services.

 

3. Manipulation Strategies

 

Social Engineering Pretexting: Scammers fabricate elaborate stories to gain trust, posing as contractors, delivery personnel, or bank colleagues. They aim to access secure areas or information.

 

Blackmail: Criminals threaten to expose compromising information, forcing victims to pay to prevent the release of sensitive data.

 

It's vital to remain vigilant and be aware of these scamming examples to protect yourself and your bank from falling victim to these tactics. Always verify the authenticity of any bank-related communication, especially when it involves sensitive information or financial transactions.

 

My lesson here: Scammers are becoming more sophisticated, and their scenarios are well-prepared. They employ multiple individuals to impersonate actual bank employees. They are familiar with standard bank procedures and even use the same jingle as the actual bank's hotline. They also knew my name. I'm certain they guessed the bank because it's the second-largest retail bank in Singapore. But everything else was impressive. I can't help but wonder what they could have done with my documents. The only thing that comes to mind is using them to apply for a small loan from a lending app. Legitimate banks won't issue a loan without thorough customer verification, but smaller lenders often will.

 

This case has made me even more convinced that it's the responsibility of financial institutions to protect customers' money and identity, not just to educate them. No matter how much you educate customers about fraud and protection, there's a group of malicious individuals whose full-time job is to outsmart them, and they will eventually succeed. Especially in the digital world, banking solutions should be foolproof. This is what we strongly believe in at Tonik, from day one of our bank's ideation and our very first whiteboard sketch.

 


 

You might be wondering: What could I have done if my Tonik Account was the one that got scammed? Here’s my answer:

 

  1. I would immediately search to see if the phone number belonged to Tonik. (You can find our legitimate Tonik hotline numbers here).

  2. I would log in to the app and check if the "new credit card" is there. If it's present, I can lock it with a simple toggle, preventing any transactions. If it's not there, it means there is no card. Without it being displayed in the application, there's no way to issue or use the card.

  3. I would chat with a Tonik app customer care agent and address the "new card" issue directly.

  4. Tonik card issuance can only be initiated from the app. I'm absolutely sure that no one can gain access to my Tonik App. We have a one-device policy, meaning that even if someone knows my password and tries to install the Tonik app on another phone and log in, they would still need to verify their face, matching the one used during the Tonik onboarding process. If it's not the same person, they have no way to access my funds.

 

If this were another bank in the Philippines, I would ask the operator to block the card. If the bank is legitimate, this would immediately raise a flag that triggers a sequence of actions, buying some time to reach the branch and speak to a bank representative.

 

But, in the Philippines, we are particularly concerned about individuals impersonating Tonik to gain access to other financial apps belonging to customers. We recently had a case where an impersonator pretended to be a Tonik representative, offering to help people get a cash loan from Tonik. To do so, they requested a screenshot of their GCash account with all the details.

 

Protecting Yourself Online: Must-Do Tips for Staying Safe

As the digital world keeps changing, so do the dangers. Here are some important tips to keep you and your personal info safe online, luv:

I. Online Identity Protection

A. Strong Passwords & Extra Security

 

Your online safety starts with having strong, tricky passwords. Use a mix of capital letters, small letters, numbers, and special characters. Think of it as building a strong lock for your digital stuff.

 

Turn on Two-Factor Authentication (2FA) whenever you can. It's like having an extra lock on your online vault.

 

B. Spotting Tricky Emails and Texts – Don't Click on Sketchy Links

 

Be watchful of your inbox. If you get an email or text that seems strange or is from someone you don't know, be careful.

 

Don't click on any links or download stuff from messages that look fishy. First, make sure the sender is real before you do anything.

II. Smart Moves on Social Media

A. Privacy Settings & What You Share

Your social media profile is like your online home. You can decide who's allowed in by adjusting your privacy settings.

 

When it comes to personal info, like your address, phone number, or birthday, think twice before sharing it with everyone. Just like you lock your front door, keep your digital space secure.

 

B. How to Tell Real from Fake Profiles

Not everyone online is who they say they are. Be careful when you get friend requests from people you don't know in real life.

 

Watch out for signs like strange details, vague info, or too-good-to-be-true photos. Check if the people you connect with are for real, just like you would in person.

 

C. Think Before You Share

Everything you put online is like a piece of your life story. Be careful about what you share, just like you'd be careful with your personal stuff.

 

Don't share sensitive info, secret stuff, or personal pictures with everyone. Guard your online identity as you would in the real world.

III. Choosing the Right Apps and Places for Money Stuff

A. Do Some Research

Before you trust any app or place with your money, check out how safe and reliable they are. Make sure they have good security to keep your money and personal info safe.

 

B. What to Look for in Money Apps

Money apps that have extra safety features are great. Think of it like adding more locks to your money box. Look for features like using your fingerprint and checking your transactions.

 

C. Hear What Others Say

Before you make money choices, see what other people say in reviews. It's like getting advice from folks who've been there. Learn from their stories and make smart choices when it comes to your money. Your financial future is important, so keep it safe, luv!

 

 

My recommendation here would be to keep your mobile wallet logins strictly biometric. And of course, never share the phone numbers or account numbers of the mobile wallets. But I guess this is obvious.

 

Let me end this with a reminder: There is no entity or individual within the country authorized to facilitate Tonik loans. If you come across any information suggesting otherwise, please inform us immediately, and we will take swift action. Your vigilance is crucial in maintaining the security and integrity of our services.

 

Learn more about Mila Bedrenets, Tonik Chief Growth Hacker.

 
