Russian-speaking Israelis have been the target of a new phishing scam reported over the last few weeks, in which the scammer pretends to be an Israel Police officer and tells the target that they are the victim of credit card fraud.
The phishing attacks are all carried out in Russian, and the scammers will phone, pretending to be banking officials, credit card companies or Israel Police officers. During the course of the conversation, they will put pressure on the victim, allegedly telling them that they have detected banking fraud in the victim's account.
They will ask the target of the attack to provide them with a code, which the bank will have sent to them, in order to gain access to their account. And, to provide a degree of authenticity, the scammer will send a forged police ID to the target, thus gaining their trust.
"We live in an era where our information is in the hands of many parties, and it is enough for just one of them to not protect it properly for the information to end up in the wrong hands, which then use it for targeted attacks."
Check Point
"Someone called my mother in Russian and introduced himself as a police officer who was checking that money had not been stolen from her bank account," recounts C., speaking to Walla News on the condition of anonymity.
"It set off warning bells for me because he sent a police ID via Whatsapp. When we checked the number on True Caller, it said 'Nazareth Station, but then when he called from a different number, it said Discount Bank, Netanya."
How does the scam work?
The scam itself is fairly simple, experts explain.
"What we see here is a combination of using the existing capabilities of applications [For example, the scammer registering himself in True Caller however they want and the utilization of prior information that the attacker had about the victim," cybersecurity company Check Point explains.
"Such information can come from databases that were leaked in previous attacks and are offered for sale on the dark web," they continue.
"This combination gives the attacker a kind of credibility in the eyes of the victim, even though there is no reason for police officers to mess with bank accounts and passwords in a phone call."
"We live in an era where our information is in the hands of many parties, and it is enough for just one of them to not protect it properly for the information to end up in the wrong hands, which then use it for targeted attacks," Check Point explains.
"The best solution for managing this as the broader public is awareness of the situation, not to share personal information with any unauthorized party and to be suspicious, and sharing it only after receiving unequivocal proof from a reliable source that the case presented to us is authentic."
This particular phishing scheme is a well-known one from around the world and is not particularly sophisticated, cyber-threat intelligence expert Tom Malka explains to Walla News.
"It mainly targets Russian audiences, particularly the older generations," he added.
"It's important to note that you should always check with your bank and Moked 100 for any suspicions you may have, the attackers will try as much as possible to exert pressure in order to influence your judgment."
According to May Brooks-Kempler, cyber expert and founder of Think Safe Cyber, "spoofing an ID number, as done in this instance, is essentially similar to a familiar attack that includes spoofing the origin of an SMS message, as we've seen in the past with impersonations of Israel Post, various banks, and others."
How can you keep yourself safe from these scams?
- Do not give your bank or credit card username and password to any third party.
- If you did not initiate the call, do not give the caller the verification code sent by your bank or credit card company - this will give them access to your account.
- Pay attention to calls from alleged bank representatives, credit card companies, or the police when the caller only speaks in Russian. Ask them to speak Hebrew, or hang up and call the relevant parties yourself, according to the numbers found on their official websites.
- If they pressure you, and stress that there is a police investigation into supposed fraud, this is a warning sign, even if the caller sends a photo that claims to confirm their identity. Hang up and contact the police.
- Be alert to attempts to get personal details from you - a bank representative would not ask for those details - even if they seem to have called from a legitimate number.
- In case of a concern, hang up and contact your bank or credit card company directly to report the incident.