Cyber Talk: Spot, avoid, report screen-sharing frauds
Screen-sharing fraud is a type of social engineering (phishing) fraud where hackers impersonate an employee of a bank or payment app and ask people to download a screen-sharing app to gain remote access. They then deceive people by making them believe that screen sharing provides them with easy access to the bank or payment app-related […]
Published Date - 8 August 2022, 10:47 PM
Screen-sharing fraud is a type of social engineering (phishing) fraud where hackers impersonate an employee of a bank or payment app and ask people to download a screen-sharing app to gain remote access.
They then deceive people by making them believe that screen sharing provides them with easy access to the bank or payment app-related information for quickly resolving their issues, as there is a complex process of multiple clicks and confirmations to be made by the victim. They prompt customers to let them access it via screen-sharing applications.
There are many screen-sharing applications. The most popular are (a) www.anydesk.com (b) www.teamviewer.com and a few apps like (c) www.freeconferencecall.com (d) www.join.me (e) Windows Remote Desktop Connection (f) www.screenleap.com (g) www.mikogo.com and (h) www.splashtop.com
Modus operandi
• A problem with a payment app transaction, an e-commerce transaction, or a bank transaction occurs
• The victim searches the internet for customer service and does not find it on official websites. (Most numbers found on internet searches are fake customer care numbers)
• Unaware of the fake customer care number, the victim calls the number and enters into a conversation.
Usually, the victim doesn’t find an issue as fraudsters mimic the entire process of official customer care.
• The fraudster continues the conversation and asks them to download the screen-sharing app and share a passcode. By providing the passcode, the fraudsters now have access to the victim’s phone or computer
• Once the scammer has remote access, he uses the UPI payment app already installed on the victim’s phone to transfer money to his own account
• The fraudster needs the one-time password (OTP) or scan the QR Code to finish the transaction, which the victim provides them. Under the impression that the fraudster may be a customer care representative, helping the victims to clear the stuck payments or helping the victims to get the credit bonus or complete the KYC, etc., victims provide all information
• The trick here is that fraudsters keep victims in continued conversations, not allowing them to see notifications received from the bank. The victim assumes that money is getting credited, but instead, the money gets debited. As the victim is on the phone, the fraudster continues to use his payment apps to transfer victims’ money to their accounts
Detecting the fraudster:
• If someone you don’t know is asking for access to your devices to download specific software, you will become a victim of social engineering fraud
• No bank or company will ask you over the phone to download a screen share or any other software
• If someone remotely connected to your device is asking you to log in to your bank account asks for personal passwords, or asks you to unlock your payment apps, they are fraudsters
• If you feel you are getting scammed, immediately stop the conversation and end all remote sessions by turning off your device.
How to stay safe:
Social engineering tactics of cybercriminals are unthinkable and foreseeable these days, and the best way to address them is through self-awareness and common sense alone. So be vigilant with financial transactions online.
• Never install apps while on call
• Never do transactions while on call
• All apps installed on smartphones should be password protected
• Don’t entertain suspicious calls or messages requesting to download apps or to update apps/accounts
• Never share OTP or scan QR codes with anyone. Sharing OTP and scanning QR codes means money is getting debited from your account
• Don’t click on short links and messages without verifying
• If just in case you’ve inadvertently fallen victim, call the bank or wallet service provider on numbers taken from official websites only
• Download apps only from App Store or Play Store
• Enable two-factor authentication and assign secondary email and phone numbers to all your social, banking and payment apps
• Never trust free offers, reward points or lottery offers on email, SMS, WhatsApp or social media platforms
What to try to do when scammed:
• Report the fraud to service providers (bankers, payment apps, or e-commerce platforms)
• Immediately change all passwords of accounts that were compromised
• Report the scam to your local Cybercrime authorities or register a complaint on www.cybercrime.gov.in or dial toll-free number 1930 immediately