Scammers Have a New Way to Phish for Bank Account Information, Banker Says

A new phishing scam is hitting banking customers—and this time, the scammers make it seem like their messages are coming from the real customer service line or fraud prevention hotline.

The scam was revealed by wrestling announcer Lenny Leonard, who says that when he's not calling body slams and sleeper holds, he's a "mid-level executive with a very large financial institution." In a Twitter thread, he details the new scam and how not to fall for it.

Leonard warned on Thursday that he had been called by a scammer who had spoofed the legitimate phone number to his bank. The scammer then sent a fraud alert using this number, asking if he recognized a certain charge.

"When you reply no, they IMMEDIATELY call you from the number that appears to be your banks legit phone number but they are masking their true number," Leonard wrote. "They will ask to verify personal & account information in an attempt to access your funds & once they gain access you're f***ed."

In Leonard's case, he says that when he told the scammer that he'd have to call them back, the scammer told him to look at the back of his debit card to confirm that they were calling from the same number. After telling off the scammer, Leonard says he called his bank and, sure enough, no legitimate alert had been sent, nor had any unusual activity been seen on his account.

Leonard told his followers how to not fall for the scam.

"If you EVER have someone CALL YOU and say they are your bank, do NOT provide any information like that over the phone on an INBOUND CALL," he wrote. "Tell them you need to call them back & make sure you are dialing the number on the back of your card NOT a # they give you".

Leonard told Newsweek that though he didn't have too much more to add beyond what he already wrote, he did urge people to share the warning with friends and family.

"I would just urge everyone to make sure they are sharing this with their less tech savvy friends and family because the text I got looked EXACTLY like a prior text I had gotten from the bank my account is with," Leonard told Newsweek.

A representative from Chase also confirmed that the company was familiar with the scam.

"Unfortunately, scammers target consumers from many banks. We urge all consumers to never share their banking passwords or send money to someone who tells them that doing so will prevent fraud on their account. Bank employees won't call, text or email consumers asking for this information, but scammers will," Amy Bonitatibus, Chase's chief communications officer, told Newsweek.

Newsweek reached out to Wells Fargo and Bank of America for comment.

phishing spoofing scam bank robbery cybercrime theft
In the new scam, a thief will pretend to be using the same number as their victim's bank, in order to convince the victim they're a legitimate bank employee. Chainarong Prasertthai/Getty

While spoofing a phone number is common with scammers, often it's a fake number as well, though Western Bank warns their customers that fake calls can come from a number they recognize.

The bank also lists a variation on the scam Leonard warns of. In the version Western Bank describes, a scammer spoofs the legitimate customer service number of the bank, like before. But this time, anticipating a response like Leonard's, the scammer will ask the victim to call them back using the same number that's on the back of the debit card—which is the same as the one they're spoofing.

In this variation, though, they'll leave the phone connection active, fooling the victim with a fake dial tone. Once the victim dials, the scammer "answers," in hopes that the victim will be fooled into thinking the scammer is indeed a legitimate employee.

One way to thwart this is to remember that a real bank employee will already have your information. Never offer up important information like a bank account number. Instead, ask the bank employee if you can confirm their information by asking them to read off what they have.

In addition, banks will never ask for a PIN, a full Social Security number or a customer's online banking username and password. Banks already have access to customers' accounts, and when it comes to Social Security numbers, a legit bank employee will only ask for the last four digits to confirm.

Update 4/23/2022, 4:45 p.m.: This article has been updated to include comment from Lenny Leonard.

Update 4/26/2022, 9:30 p.m.: This article has been updated to include comment from Chase.