This is how hackers cash out your bank accounts using a new ATM scam variant: FBI

In its latest security alert, the Federal Bureau of Investigation (FBI) recommends users stay on top of a fraudulent scheme affecting cryptocurrency ATMs and payment QR codes. Cybercriminals seem to have targeted these targets because of the difficulty involved in trying to track or reverse a transaction involving some variety of cryptocurrency.

As some users will know, it is possible to use QR codes at cryptocurrency ATMs to make transfers. This fraudulent scheme is based on the abuse of this feature by deploying phishing and social engineering campaigns.

Whatever the deception used by the hackers, the attack requires sending the target user a QR code associated with a cryptocurrency address under the attackers’ control. The victim is tricked into going to a cryptocurrency ATM, depositing cash to buy virtual assets, and sending them to hackers. Cybercriminals typically pose as collection companies, law enforcement agencies, and even tax institutions, giving the deception a legitimate appearance.

This is a more complex fraudulent campaign than usual, as threat actors must be in constant communication with the target user for the cryptocurrency transaction to be completed correctly.

As mentioned above, threat actors take advantage of the inherent characteristics of cryptocurrency for this fraud: “The decentralized nature of cryptocurrencies creates challenges that make it difficult to recover stolen assets… Once the victim makes the payment, the recipient owns the cryptocurrency and can be found anywhere in the world, creating ultimate financial losses for the victims,” the alert states.

The campaign is still active and can be truly effective, so the FBI concluded by issuing some safety recommendations to avoid falling into this trap, including:

  • Never send electronic payments to someone you’ve only talked to on the phone or online
  • Don’t follow instructions from anyone you don’t know, especially if they ask you to send a transfer or go buy cryptocurrency
  • Ignore calls from people claiming to be representatives of companies, bank employees or police officers
  • If you doubt the veracity of any call apparently coming from the bank, hang up the phone immediately and call the phone numbers on your card
  • Ignore any cryptocurrency submission requests, even if it is someone you know

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.