A new social engineering scam is making the rounds, and this one is particularly insidious: It tricks users into sending money to what they think is their own account to reverse a fraudulent charge. 

The FBI’s Internet Crime Complaint Center issued the warning, which it said involves cybercriminals who have definitely done their homework. “In addition to knowing the victim’s financial institution, the actors often had further information such as the victim’s past addresses, social security number, and the last four digits of their bank accounts,” the IC3 said. 

The con starts off as many that target individuals do nowadays: With a text message. In this case it’s not a phishing attempt, it’s an attempt to ascertain whether the person receiving the message is susceptible to further manipulation. Posing as the target’s bank, the message asks whether a large charge ($5,000 in the example the FBI gives) was legitimate and asks for a reply of YES or NO. Replying no leads to a follow-up text: “Our fraud specialist will be contacting you shortly. 

This is where social engineering comes in, and the FBI is painting a picture of a sophisticated operation. 

The “fraud specialists” contacting users reportedly “speak English without a discernible accent,” and once they establish credibility with the victim they move on to “helping” them “reverse” the fake transaction. 

It gets even more insidious here: The charges that are being refuted aren’t bank charges directly: they are payments being made through an instant payment app like Venmo or CashApp. The fraudster never asks for a password or any information that might clue someone in that they’re being strung along.

Instead, the caller asks the victim to use their bank website or app to remove their email address from the digital payment app (thereby unlinking the app and bank account), which the fraudster then asks for. Next, the victim is asked to send the same amount as the fake payment to themselves using their own email address, which has already been added to an account the criminal controls. 

“Victims often only realized they had been scammed after they checked their financial account’s balance,” the FBI said. 

The FBI says that the normal tips for avoiding phishing apply here: Don’t respond to unsolicited requests to verify information, if you receive one contact your financial institution directly, keep MFA enabled on all accounts and be wary of anyone providing personally identifiable information as proof of their legitimacy. Also, the FBI said, “financial institutions will not ask customers to transfer funds between accounts in order to help prevent fraud.”

Social engineering has been a problem on the internet dating back almost to its inception, and it treats digital crime in the same way that crimes in the physical world are planned: What’s the past of least risk with greatest reward? 

Online, it’s less about brute force or technical skill, both of which require knowledge, training and time, and more about con artistry, which is made simpler in the digital world where personal charisma is less essential. 

Those who’ve yet to come in contact with a social engineering attack are a rapidly shrinking pool: According to one statistic, 98 percent of cyber attacks involve social engineering in some capacity. ®