Bank impersonation scams rely on social engineering, where criminals manipulate their victims into trusting them. By pretending to be a trusted financial institution, fraudsters convince targets to share sensitive information, approve transfers, and unknowingly empty their bank accounts.

Closely linked to authorised push payment (APP) fraud, bank impersonation scams happen when a fraudster persuades a victim to authorise transactions under false pretence. APP fraud plays on human vulnerabilities within payment processes, making it dangerous and effective.

In this blog, Tony Sales, CIO at We Fight Fraud, author and former fraudster, shares an anonymised victim story based on true events to illustrate how bank impersonation fraud works.

Tony’s unique perspective as a reformed career criminal offers insights into the tactics used to deceive victims, helping the industry adopt a more proactive approach.

Bank impersonation scam example

Bank impersonation fraud is often part of a larger scheme, usually following another scam—such as a marketplace or romance scam—where the victim has already shared personal information. To understand marketplace scams in more detail, check out this blog.

Once criminals have secured a victim, they enter the next phase: posing as the victim’s bank and guiding them through ‘security’ steps to authorise further transactions. This manipulation can feel incredibly convincing to victims, who believe they’re talking to a legitimate bank representative working to protect their money.

The following scam is taken from our e-book Inside the Scam: How APP Fraud Fits into the Fraudsters playbook.

Step 1: A text from the bank

Dear customer, Your payment of €2400 to account ending 2688 has been flagged as suspicious.

If you did not mean to make this payment, please reply with NO.

After the victim replies NO, criminals posing as the victim’s bank call. Using all the information gained in the prior scam, it’s easy to convince victims that they are speaking to someone who can help.

Step 2: A call from the bank

“Hello and welcome to Nunster Bank. Please hold while we connect you with our Fraud Prevention and Customer Welfare Department. A representative will be with you shortly.”

Everything about the call sounds normal, lulling victims into a false sense of security. They hope a quick explanation will get their money back so they can get on with their day. The victim has no reason to distrust the caller. The victim is asked security questions, such as the name of their primary school and their mother’s maiden name. It’s no different from when the victim usually speaks to their bank.

“And for your third and final verification question, can I take the password on the account, please?”

Step 3: Coercing the victim into transferring more funds

With mandatory security ‘passed’, the criminal, posing as a Fraud Prevention Agent, tells the victim that it’s common practice to run through a series of ‘test’ transactions to check everything is working correctly, so the bank can get their stolen money back.

“I’m going to send you some test transactions. The first is for €90. Can you please press approve when you see the transaction come through?”

Each time the victim approves a test transaction, money leaves their account and enters the control of criminals. There are three transactions of increasing amounts — the final for €1,000.

“Even if they authorised three payments for €1 or less, it wouldn’t matter. The criminals have been impersonating the victim’s bank to get everything they need to completely empty his account.” —Tony Sales.

This example is taken from our e-book Inside the Scam: How APP Fraud Fits into the Fraudsters playbook.

Step 4: Preparing for account takeover

Throughout the interactions with the victim, the ‘agent’ continues to effectively impersonate the bank, reassuring them that everything will be restored shortly while gaining more personal information.

After the three test transactions, the victim starts to feel uneasy. The agent reassures him that everything is okay and all will be returned to him shortly. There’s just one more piece of information the criminals need to take over the account to empty it.

“So at the end of this call, your account will be restored and you’ll have the €2400 back in your account. One moment… Okay, so I’ve just sent you a code. Can you tell me the six digits, please?”

“I’m not sure about this. You’re not supposed to give these codes out, are you?”

“Yes, that is usually the case but unless you give me the code, I’ll have to send it to you by post. And unfortunately, you won’t be able to use your account for seven days. Will you need your account over the next week?”

Step 5: Account takeover

The six-digit code the victim shared was an OTP. The criminals can now use this to log in to online banking and see the balance of the victim’s current account and everyday saver.

“Let me just check that for you, sir. Yeah, that’s all fine. That’s all good. Your account will be up and running in the next 20 minutes. Finally, if you could delete the app for me then reinstall it in 20 minutes. Once that’s rebooted, you’re good to go and you will see all the money from the test transactions back in your account.”

The victim confirms they’ve deleted the app. This is the signal the criminals need to begin transferring the contents of this bank account to a money mule account. Without a banking app, the victim can’t receive balance update notifications as the account is emptied. Everything is in place to extract the balance of their bank account.

“Before you go, is there anything else I can help you with today?”

The call is then wrapped up using the same script the victim’s bank uses. The criminals have taken just over €14,000 from the victim. The second part of the scam has been executed successfully.
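The sequence in Steps 3 to 5 has a recognisable shape on the bank’s side: a short run of approvals to a never-seen payee with rising amounts, a one-time code issued and then a login from a new device, the banking app unregistered, and a large share of the balance leaving within the hour. The following Python sketch is an added example, not code from this blog, the e-book, or any Salv product; it encodes those four behavioural indicators as rules over a constructed event stream for one customer. Event names, time windows, thresholds, amounts and the recommended action are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical event record for one customer's account (names are assumptions).
@dataclass
class Event:
    ts: datetime
    kind: str                    # 'approve', 'otp_sent', 'login', 'app_removed', 'transfer_out'
    amount: float = 0.0
    payee: Optional[str] = None
    known_payee: bool = True     # has the customer paid this payee before?
    new_device: bool = False     # login from a device never seen on this account


def _within(start: datetime, later: datetime, minutes: int) -> bool:
    """True when `later` falls within `minutes` after `start`."""
    return timedelta(0) <= (later - start) <= timedelta(minutes=minutes)


def escalating_approvals(events, window_min: int = 30, min_count: int = 3) -> bool:
    """'Test transaction' pattern: >= min_count approvals to an unknown payee,
    each larger than the previous one, all inside a window_min-minute window."""
    approvals = sorted((e for e in events if e.kind == "approve" and not e.known_payee),
                       key=lambda e: e.ts)
    for i in range(len(approvals)):
        run = [approvals[i]]
        for e in approvals[i + 1:]:
            if _within(run[0].ts, e.ts, window_min) and e.amount > run[-1].amount:
                run.append(e)
        if len(run) >= min_count:
            return True
    return False


def otp_then_new_device_login(events, minutes: int = 15) -> bool:
    """A one-time code was issued and a never-seen device logged in shortly after:
    consistent with the code having been read out to a caller."""
    otps = [e.ts for e in events if e.kind == "otp_sent"]
    logins = [e.ts for e in events if e.kind == "login" and e.new_device]
    return any(_within(o, l, minutes) for o in otps for l in logins)


def app_removed_then_outflow(events, minutes: int = 60) -> bool:
    """The customer's app was unregistered and money left soon after: the
    customer can no longer see balance notifications while the account drains."""
    removals = [e.ts for e in events if e.kind == "app_removed"]
    outs = [e.ts for e in events if e.kind == "transfer_out"]
    return any(_within(r, t, minutes) for r in removals for t in outs)


def outflow_ratio(events, balance: float) -> float:
    """Share of the opening balance sent out in this event stream."""
    total = sum(e.amount for e in events if e.kind == "transfer_out")
    return total / balance if balance else 0.0


def assess(events, balance: float) -> dict:
    """Combine the indicators; two or more together warrant holding the
    outbound payments and calling the customer back on the registered number."""
    indicators = []
    if escalating_approvals(events):
        indicators.append("escalating_test_approvals")
    if otp_then_new_device_login(events):
        indicators.append("otp_then_new_device_login")
    if app_removed_then_outflow(events):
        indicators.append("app_removed_then_outflow")
    if outflow_ratio(events, balance) >= 0.5:
        indicators.append("large_share_of_balance_out")
    action = "hold_and_callback_on_registered_number" if len(indicators) >= 2 else "allow"
    return {"indicators": indicators, "action": action}


# Constructed event stream modelled on the story above (times and balance are assumptions).
T = lambda h, m: datetime(2024, 1, 1, h, m)
SUSPECT_EVENTS = [
    Event(T(10, 5), "approve", 90.0, "ACC-2688", known_payee=False),
    Event(T(10, 12), "approve", 300.0, "ACC-2688", known_payee=False),
    Event(T(10, 20), "approve", 1000.0, "ACC-2688", known_payee=False),
    Event(T(10, 25), "otp_sent"),
    Event(T(10, 29), "login", new_device=True),
    Event(T(10, 35), "app_removed"),
    Event(T(10, 40), "transfer_out", 5000.0, "MULE-1", known_payee=False),
    Event(T(10, 42), "transfer_out", 5000.0, "MULE-1", known_payee=False),
    Event(T(10, 45), "transfer_out", 4100.0, "MULE-1", known_payee=False),
]
# Ordinary activity for contrast: a small payment to a known payee, usual device.
BENIGN_EVENTS = [
    Event(T(9, 0), "approve", 50.0, "GROCER", known_payee=True),
    Event(T(9, 3), "login", new_device=False),
]

if __name__ == "__main__":
    print(assess(SUSPECT_EVENTS, balance=15500.0))
    print(assess(BENIGN_EVENTS, balance=15500.0))
```

The rules are deliberately simple and stateless so the shape of the pattern is visible; a production system would read payee history and device registrations from the core banking platform, tune the windows to observed customer behaviour, and treat the callback itself as the control, since the fraudster already holds the victim’s inbound line.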

To see what happens in the next step of the criminal playbook, based on real victim accounts, read our e-book Inside the Scam: How APP Fraud Fits into the Fraudsters playbook.
