They took tens of thousands of zlotys from her account. The bank rejected the complaint. “I was manipulated”


– I thought I was aware of all the threats, educated and experienced. And I let myself be manipulated. But I don’t understand why my bank failed me. After all, a person sometimes has worse moments. That is when artificial intelligence and bank security systems should help – says a woman from whose account cybercriminals stole tens of thousands of zlotys, in an interview with Gazeta.pl. They used two dangerous methods.

Online banking has become part of our everyday life. No wonder – with just a few clicks you can transfer funds, pay bills and manage your finances from anywhere in the world. However, this convenience leaves us vulnerable to cybercriminals who are constantly finding new ways to gain access to our accounts.

Criminals often pose very convincingly as a technician or as an employee of a company or a bank, all to trick victims into granting them access to their computer. This can be done through simple telephone calls and e-mails that seem convincing enough.

Tricked by spoofing and remote desktop. It sounds harmless, but whoever falls for it loses everything

A reader of Gazeta.pl, who described her story to us, found this out for herself. It all started with a simple phone call. The woman was convinced that the bank was calling, because the number was that of the bank where she actually had an account. She lost tens of thousands of zlotys in the attack. The thief emptied her accounts and her credit card.

Around 9am I got a call from a man claiming to be a bank employee. The conversation started like any other with this bank. After conducting a security survey, he asked if I had made a transfer of PLN 500 in the last 15 minutes. I denied it. The man asked if anyone else had access to the account. I explained that my husband could transfer the money, but he didn’t either

– reports the Gazeta.pl reader.

– The man stated that my account had been hacked and that it was necessary to secure it. I didn’t believe him. I made it clear that I wasn’t sure who I was talking to – the woman said. She also said that she would call the bank.

But before she dialed the number, the phone rang again. – The voice on the phone told me to check the phone number on the bank’s website. That number was right. – However, this was not enough for the victim to believe that she was definitely talking to a bank employee; she asked a few more questions to verify whether she was really talking to a trusted person. After receiving all the expected answers, she was convinced that she was talking to the bank.

The woman’s voice reassured her. It assured her that she was making the right decision, because there are many break-ins. – He had a lot of information about me. He also said that he could see in the system that I have accounts in other banks. I was a bit surprised and wondered where he got such data, but nowadays so much information about customers is collected that I treated it as another credible sign that I was talking to the right person – says the victim.

The next step of the attack was to get the victim to install an application used to control the phone remotely: completely legal and popular, but often used by criminals. Now she knows that under no circumstances should she do that. Any request of this type is a sure sign that we are talking to a criminal. However, Gazeta.pl’s interviewee understood this too late.

I was giving details and this man was taking money out of my account. I didn’t receive any text messages from the bank – the woman complains. Only after the conversation ended did I log into my account. I saw a transfer for the amount of 26 thousand zlotys, for the purchase of a car. I immediately called the bank and tried to stop the transfer, but it was a quick transfer. I failed

– she admits.

After despair came anger. The woman could not understand why the bank had not enabled her to defend herself against the criminals. They struck again. Shortly after the funds were withdrawn from one bank, someone called claiming to be an employee of the other. In the second case, the bank reacted and automatically blocked the account.

Today I understand what “to be manipulated” means. I was just 100% sure it was someone from the bank – he knew my finances, he knew my details, he did the background check. I was vigilant, and I was manipulated anyway. However, I don’t understand why my bank failed me. After all, people have bad moments. Then artificial intelligence and bank security systems should help

– she complains.

The bank’s devastating response. “Transfer authorization correct”

There was also anger when the bank responded to the complaint. “The transfers were made in accordance with the security rules. They were authenticated” – we read in the letter sent to the victim. The bank emphasizes that there was no hacking; rather, the correct login details (username and password) were provided, and the transfers were properly authorized via the push message displayed on the woman’s device.

The bank also clearly states that the victim may still appeal, but she will have to fight for a refund in court.

Spoofing, i.e. impersonating a telephone number. For criminals, it’s child’s play

But how is it possible that victims believe they are talking to a bank? Criminals use a fairly simple trick. They call the victims themselves, and the victims see on the smartphone screen that the bank is calling, because the phone number is correct. If it’s saved in the phone book as “My Bank”, that’s how it will show up. How is that possible? Criminals use a technique called spoofing.

This technique changes the phone number displayed in the recipient’s caller ID. This can be done through specialized software or services that allow users to enter any phone number as the caller ID. Criminals can also use the services of an intermediary or operator registered in a country where the market is not regulated well enough to effectively prosecute this type of irregularity. Fraudsters also use VoIP (Voice over Internet Protocol) and so-called telephone gateways. Thanks to these solutions, they impersonate, for example, the official hotline of a bank, a cable TV provider, or a gas or electricity supplier.

What about loans taken “by a hacker”

There are two important issues when it comes to losing money as a result of this type of cybercrime. Whether the bank will accept the complaint and return the funds that were in the account is one thing. There is also the issue of loans or credit that criminals with access to a bank account sometimes take out. One such case was described by Niebezpiecznik.pl. As in the case of our heroine, it involved a remote desktop scam. The criminals managed to take out a loan of nearly PLN 100,000 on behalf of the victim. The amount to be repaid was even greater: approx. PLN 170,000.

The case went to court: the victim of the attack wanted the loan agreement cancelled. The court released the woman from having to pay back such a huge debt. It found that “the funds that were credited to the plaintiff’s account came from an invalid contract.”

“The perpetrators of the fraud acted with a predetermined intention to conclude a loan and then withdraw the funds from it to a foreign account or to make a transaction using a card. Thus, they did not so much deplete the funds brought by the plaintiff to the bank account as used her account as a “technical” account to carry out a criminal act of extorting money from the bank.”

In the case of money that we already had in the account, the situation is different. The court must decide whether authorization actually took place and the bank is therefore not liable for anything. One such case was described by the website praw.pl. In this case, the victim was tricked into installing software. Afterwards she logged into what seemed to be the official website of the bank. Criminals ordered several transfers, and about 200,000 zlotys disappeared from the account. The victim claimed that she did not authorize the transactions, but the bank refused to refund the money.

The case went to court. It found no “gross negligence” on the part of the plaintiff. It stated that since the victim did not authorize the payment, the bank had to return the money. It is worth emphasizing, however, that each case is considered individually and “gross negligence” is quite a broad term.

Criminals claim on the phone to be bank employees, and more. Be careful with remote desktop

Spoofing is not the only danger. One frequently used method relies on remote desktop applications – completely legal tools that allow cybercriminals to take control of a computer or phone and do something much worse than steal confidential information. Through manipulation, a criminal can take over our life savings.

How is this possible? Remote desktop management applications are tools that allow users to access and control a computer from another location. They are commonly used by IT professionals to provide technical support or troubleshoot remote devices. They are also used by ordinary companies, so that a computer does not have to be sent back to the IT department every time. These applications work by establishing a connection between two computers – the one to be controlled (client) and the one to control (server). Once connected, the user can access files, run programs, and perform other functions as if they were sitting in front of the remote computer. They have full control over it. And this – as evidenced by hundreds of reports – can lead to the loss of money.

Criminals claim that it is necessary, for example, to log into a special investment account or open a special account. Then, in front of the victim and using the data the victim provides, they log into the bank. Before the victim realizes it, they transfer the funds to their own account, not an investment account. A much less common method is to gain unauthorized access to the victim’s computer or network by exploiting a vulnerability in the remote desktop software. More often they use phishing attacks, i.e. getting the victim to provide the login and password for remote management of the machine. Criminals can then install malware that enables them to monitor keystrokes, steal sensitive information such as bank account details, and even transfer money from victims’ accounts without their knowledge.

How to defend yourself?

Protection against spoofing basically comes down to one thing: common sense. No technology will protect us from believing that someone from the bank is actually calling. Common sense is also your best guide when it comes to computer hijacking. No investment firm works this way. To protect yourself from the capture of login data, for example the credentials used to manage a computer remotely, you need what cybersecurity experts have always recommended: a strong and unique password for each of your online accounts, including bank accounts. This means that you should avoid passwords that are easy to guess or frequently used.

Another effective way to protect yourself is to enable two-factor authentication on your accounts. This adds an extra layer of security. This additional barrier will either give us a moment to come to our senses or even discourage the attacker. It is also important that all programs on your computer and smartphone are kept up to date. Patches are mostly about security, not functionality.

For the same reasons, be careful when opening emails or clicking on links from unknown sources. Phishing scams are often designed to trick the user into providing sensitive information such as login details, and at first glance look innocent. By taking these simple steps, you can greatly reduce your risk. The human being will always be the weakest link.

Source: Gazeta
