If you have an online account of any kind, you’re likely familiar with the term Multi-Factor Authentication (MFA) or Two‑Step Verification. It’s a safeguard put in place to protect your personal information and reduce the risk for cyber-attacks by requiring multiple methods of authentication to gain access to an online account. Unfortunately, scammers are bypassing the tough questions by spamming people with text messages, pretending to be a bank representative.
Our Fraud Team says this isn’t uncommon, but rather a tactic called MFA phishing. In this particular case, our experts say scammers are sending out mass text messages to random cell phone numbers about fraudulent charges on their accounts and asking for a “yes” or “no” response. But no matter the response, the person is prompted to call the scammer, who pretends to be a bank representative.
The scammer will then ask the caller to verify their identity by asking for the username of their online banking account. If the caller hesitates to provide their password, the scammer will then tell the caller they are either emailing or texting a six-digit code to them that must be read back. While this is all going on, the scammer is actually logged in to the caller’s online banking account and going through the password reset process.
Once the scammer has access to your account, they can control your funds and even initiate real-time money transfers. To complete a real-time transfer, the scammer will keep the caller on the phone to respond “yes” to a confirmation text, which the scammer plays off as a refund confirmation.
As a reminder, The Merrimack would never call customers to request they release account information, such as online banking credentials or an MFA verification code. If you’re a Merrimack customer and are concerned your personal or financial information was compromised, please call us directly at 603.225.2793.