The fraudsters first obtain a victim’s bank account number and deliberately enter incorrect passwords multiple times so that security protocols cause the account to be locked. "They then impersonate bank staff, calling the victim and directing them to download fake apps through links they provide," Ngo Minh Hieu, founder of the Anti-Fraud project, explains. This is similar to previous scams involving fake apps, he says.
This method is particularly dangerous because account numbers and phone numbers are often publicly accessible, he points out. Many people also use their phone numbers or email addresses as login credentials, and these are frequently sold on the black market or collected through other means.
Panicked by their locked accounts, users are more likely to fall for the scam, inadvertently disclosing personal information, sharing login credentials or installing malicious software. Once installed, the malware can gain complete access to the device, enabling attackers to steal data, monitor activities remotely and obtain login credentials as well as one-time passwords (OTPs).
"The scenarios may vary, but the ultimate goal is to gain control of the victim’s phone and withdraw funds from their accounts," Hieu says.
A person holding a phone and a bank card. Illustration by Pexels
A cybersecurity expert at a bank admitted the scam could work, but pointed out that it requires users to install software or provide OTPs to criminals. "If users do not comply with these requests, their accounts remain secure."
To unlock locked accounts, some banks require users to visit branches in person and present identification, reducing the risk of such scams. In addition, some banks have incorporated features that detect logins from unfamiliar devices for extra security.
Tests of several banking apps and websites revealed that many allow logins using account numbers or phone numbers. Accounts are locked after five incorrect password attempts. But some platforms require unique usernames or verification through pre-registered devices.
Experts said users could avoid falling victim to such scams by following a few key precautions. If an account issue arises, users should visit bank branches in person or contact official customer service channels. They should never click on unfamiliar links or download files from unverified sources. Sharing OTPs with anyone over the phone is also to be strictly avoided.
Experts called for limiting the public disclosure of phone numbers and account numbers since these could be exploited by criminals.