Cyber security experts have raised the alarm over a scam in which fraudsters prey on bank customers on Twitter. Their warning: do not tweet at your bank to raise a complaint or request assistance, because the reply you get may come not from the bank but from a scammer, delivered as a “quote-tweet” designed to lure you in.
The reply reportedly directs you to a “helpline” number controlled by the scammer, a trick that has reportedly taken in many unsuspecting victims.
Making the scam harder to spot is the fact that genuine companies sometimes answer such queries from a dedicated support account that is separate from their main (verified) corporate account, so a reply from an unfamiliar handle is not by itself a giveaway.
In a piece for Bleeping Computer, the journalist Ax Sharma described how he tagged India’s third-largest private bank – Axis Bank – in a tweet to see what would happen.
He received a reply as a ‘quote tweet’ from an account claiming to be Axis Bank.
But when there was no follow-up from the @axis_bank_00 account, alarm bells started ringing.
The response contained no obvious phishing link, as is commonly seen in less subtle scam attempts; instead it used a templated message urging the recipient to call a “helpline” number.
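As an added example (not code from the Bleeping Computer piece, from Axis Bank or from Twitter), the following Python shows how a bank's social-media monitoring team might screen replies to customers' tweets for exactly this pattern: a handle that collides with or closely resembles an official one once underscores and digits are stripped, combined with an unsolicited phone number and a "call us" prompt. The official-handle allowlist, the sample replies and the helpline number are all constructed for illustration; the 0.8 similarity threshold is an assumption to tune against real traffic.

```python
import re
from difflib import SequenceMatcher

# Assumption: the bank maintains an allowlist of the handles it really uses
# for customer contact. These two are illustrative, not an authoritative list.
OFFICIAL_HANDLES = {"AxisBank", "AxisBankSupport"}

# Phone-number-ish strings: optional +, then nine or more digits/spaces/dashes.
PHONE_RE = re.compile(r"\+?\d[\d\s\-]{7,}\d")

# Words that turn a bare phone number into a "call us" lure.
CALL_WORDS = ("call", "helpline", "contact", "customer care", "toll free")


def normalize(handle: str) -> str:
    """Collapse a handle to lowercase letters only, so lookalikes such as
    axis_bank_00 or Axis-Bank-Care compare against the genuine handle."""
    return re.sub(r"[^a-z]", "", handle.lower())


def classify_reply(reply: dict, official=OFFICIAL_HANDLES) -> tuple:
    """Return (verdict, reasons, phone_numbers) for one reply or quote-tweet.

    verdict is 'official', 'suspected impersonation' or 'third party'.
    The account's verified status is deliberately not the deciding signal:
    as the article notes, genuine support accounts are sometimes separate
    from the verified corporate account, so an allowlist of known handles
    is the reliable check.
    """
    handle = reply["handle"].lstrip("@")
    if handle.lower() in {h.lower() for h in official}:
        return "official", [], []

    reasons = []
    norm = normalize(handle)
    official_norms = {normalize(h) for h in official}
    # An exact collision after normalisation, or a near miss, is a lookalike.
    similarity = max(SequenceMatcher(None, norm, o).ratio() for o in official_norms)
    if norm in official_norms or similarity >= 0.8:  # threshold is an assumption
        reasons.append(f"lookalike handle (similarity {similarity:.2f})")

    text = reply["text"]
    phones = PHONE_RE.findall(text)
    if phones and any(w in text.lower() for w in CALL_WORDS):
        reasons.append("unsolicited helpline number")

    verdict = "suspected impersonation" if reasons else "third party"
    return verdict, reasons, phones


# Constructed sample of replies to a customer's complaint tweet (not real tweets).
SAMPLE_REPLIES = [
    {"handle": "@AxisBankSupport",
     "text": "Hi, sorry to hear this. Please DM us your registered mobile number and we will look into it."},
    {"handle": "@axis_bank_00",
     "text": "Dear Customer, we regret the inconvenience. Kindly call our 24x7 helpline 1800-123-4567 for immediate resolution."},
    {"handle": "@some_customer",
     "text": "Same thing happened to me last week and I am still waiting."},
]


def screen(replies=SAMPLE_REPLIES) -> list:
    """Run the classifier over a batch and return rows for a review queue."""
    return [(r["handle"], *classify_reply(r)) for r in replies]


if __name__ == "__main__":
    for handle, verdict, reasons, phones in screen():
        print(f"{handle:18} {verdict:24} {', '.join(reasons) or '-'} {phones or ''}")
```

On the sample data the genuine support handle is passed as official, the lookalike with the helpline number is flagged on both signals, and the unrelated customer is left alone. In practice the flagged rows would go to the team that asks the platform to remove the impersonator and posts a warning from the real account, as Axis Bank did.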
Axis Bank later posted from its genuine account to clarify: “Hi, we have noticed a post made to you by a person claiming to represent Axis Bank.
“The response has NOT been posted by our official representatives. We would request you to immediately stop any interaction with the other profile and do not share any information with them.
“We request you to engage with the official Axis Bank page https://twitter.com/AxisBankSupport/… only. Do note that Axis Bank does not ask for personal security details related to your Internet banking or phone banking passwords, OTP, PIN on the email, phone or otherwise.”
James Graham, vice president of cyber risk management firm RiskLens, explained why these scams can be so dangerous.
He said: “Trust is central to the relationship between financial institutions and their customers.
“Threat actors continually innovate and will use any and all techniques that will allow them to access customers’ personal information.
“This kind of attack can erode that trust which can cause customers to be wary of where they keep their bank accounts. It can present a risk not only to customers and their sensitive personal information.
“It also can present significant financial and operational risks to those banks and calls into question how they safeguard their customers’ accounts.
“This adds increased pressure on the banking industry to understand and manage cyber risk, and even more so when that industry is under intense scrutiny after the recent collapse of several financial institutions.”
Twitter’s guidelines explicitly state that “you may not use Twitter’s services to deceive others into sending you money or personal financial information via scam tactics, phishing, or otherwise fraudulent or deceptive methods”.
They add: “Using scam tactics on Twitter to obtain money or private financial information is prohibited under this policy. You are not allowed to create accounts, post Tweets, or send Direct Messages that solicit engagement in such fraudulent schemes.”