MURRAY – A clever group of scammers spoofed The Murray Bank’s (TMB) phone number on Saturday as part of a phishing scam aimed at collecting people’s online banking credentials. While the source of the breach is unknown, it is not believed that TMB’s security measures were compromised. Rather, it is thought the breach likely occurred with a national retailer, such as Walmart or Amazon, because not everyone contacted was a TMB customer. In fact, many live in other states.
Eleshia Brandon, TMB senior vice president, compliance and BSA, described Saturday as frantic as the bank was “bombarded” by phone calls from people saying TMB had contacted them about fraudulent charges on their account. The information requested by the scammers varied from call to call – some were asked for usernames and passwords, while others were asked for email information and answers to security questions. One thing was consistent – the supposed $600.08 charge from a Walmart in Davenport, Florida.
“They spoofed our number to make it appear like (TMB) was calling, and then they were phishing for information,” Brandon said. “We were not hacked. What we believe is that a list of phone numbers was purchased or they just randomly were sent out to different phone numbers in a phishing attempt.
“It’s just the people who had Murray Bank accounts believed that it was legit, but the people that had never heard of (TMB) knew that it was a scam. We were getting phone calls from people that did not live here; they were not local; they do not have bank accounts with (TMB); and that’s how we knew that it was not something of ours that had been compromised.”
Brandon said that most legitimate businesses will not text to ask about potentially fraudulent charges. Her advice is to call the bank or business directly if you believe it might be real; however, she noted it is very important to not use any number provided in the text or email. Instead, call the number that you have saved for that bank or business or look it up on a legitimate website. She also said to never trust anyone that calls you and asks for personal information.
“There is nothing that we need your username or password for at the bank,” Brandon advised. “We can go in and disable your account without your username or your password. There are no reasons why we would need your username, your password or (answers to) any of your security questions.
“We have your debit card number on file; we don’t need you to read it to us, the entire thing. Sometimes, we will ask for the last four (digits) just to confirm which card we’re looking at, but we would never ask you for the entire card number.”
Brandon said that the bank contacted its core processor once the influx of calls began, and they were able to advise bank officials on what the scam was likely to be and what steps needed to be taken to protect customers. It is believed that scammers intended to use online banking to initiate peer-to-peer (P2P) transactions, which are cash transfers through intermediaries such as Venmo or Cash App.
“Once we talked to the core and they said what (the scammers) are needing access to is the P2P, we disabled P2P,” she said. “That’s probably some sort of inconvenience to people currently, but we just felt like it was safer to turn that off so that nothing could be accessed fraudulently.”
At the suggestion of the bank’s core processor, Brandon said the “Forgot Password” feature for online banking was disabled “because they are seeing this widespread. It is a trend, that’s what they’re seeing from their perspective. And it all comes from spoofing and phishing. … Tomorrow it may be a different bank but (Saturday) was (TMB).”
The bank closes at noon on Saturdays; however, last Saturday, two employees stayed until 2 p.m. to answer the phone. Brandon noted a sudden, sharp decline in calls, implying that the incident was a one-time blast attack. Out of an abundance of caution, the bank added an option on its after-hours recording that sent potential victims of the scam directly through to Brandon’s cell phone. As of Sunday afternoon, she had not received a call since Saturday.
“We did want to have the ability that if someone still gets one of those that we could turn off their online banking over the long holiday weekend,” she said and added, “That might be another thing that they thought on a Saturday morning that the bank might not be open on a long holiday weekend that they could try to do some damage as opposed to during normal business hours.”
Brandon declined to comment on whether any TMB customers were hacked as a result of giving out online credentials to the scammers; however, comments on Facebook posts from various sources related to the scam suggest that at least some were.
Christopher Robertson, owner of Robertson’s Repairs and More in Hazel, was among those who received phone calls from the scammers. He commented on TMB’s Facebook post about the incident, noting the scammers made him feel “rushed and that everything had to be done with haste.” He suggested that people “take a breath and slow the conversation down for yourself.”
“The reason why I said just slow down the conversation was because they ‘war-dialed’ my phone,” Robertson said in an interview, noting that caller ID identified The Murray Bank as the caller. “‘War-dialing’ is an old internet term; basically, when you dialed up a modem in the ’80s, you would just start dialing a bunch of numbers until you hit another modem. When I say it, I mean they were continually just calling one after the other – like it would hit voicemail, and they would hang up and call right back. That’s what got me in a rush on it – because they kept calling and I was like, ‘Oh, no, something is really bad wrong!’”
When he did answer, the man on the phone said he was with TMB, that there was an issue with Robertson’s account and that he needed information from Robertson.
“They just started asking for information,” Robertson said. “I finally hung up on them when it dawned on me that they wanted my personal banking information to get online with, and it dawned on me that I’ve always seen on (TMB’s) website ‘We will never ask for your password.’ That’s when it sort of clicked. So, I hung up the phone and called (TMB) right back.”
It was not a bad experience for Robertson, even though he gave the scammers enough information about his debit card for them to use it. In spite of him calling the bank immediately after hanging up on the scammers, the bank had already intercepted charges that it traced back to Florida.
“I guess somebody was doing it while they were getting the information out of me, and (the bank) had already stopped some of it,” he said. “They were pretty much on top of it. I’ve got to give it to (TMB).”