Screen-sharing fraud is a type of social engineering (phishing) fraud in which fraudsters impersonate an employee of a bank or payment app and ask people to download a screen-sharing app, which gives the fraudsters remote access. The fraudsters deceive people into believing that screen sharing gives easy access to the bank or payment app information and resolves their issue quickly, because the victim would otherwise have to go through a complex process of multiple clicks and confirmations. They then prompt customers to grant them access through the screen-sharing application.
There are many screen-sharing applications. The most popularly used are (a) https://www.anydesk.com and (b) https://www.teamviewer.com. There are quite a few other apps like these too, such as (c) https://www.freeconferencecall.com, (d) https://www.join.me, (e) Windows Remote Desktop Connection, (f) https://www.screenleap.com, (g) https://www.mikogo.com, and (h) https://www.splashtop.com.
- Step 1 – A problem with a payment app transaction, an e-commerce transaction, or a bank transaction occurs.
- Step 2 – The victim searches the internet for a customer service number and does not find it on the respective official websites. (Most of the numbers found on internet searches are fake customer care numbers.)
- Step 3 – Unaware that the customer care number is fake, the victim calls it and enters into a conversation. Usually, the victim doesn’t notice anything wrong, as the fraudsters mimic the entire process of official customer care.
- Step 4 – The fraudster continues the conversation with the victim and asks them to download the screen-sharing app and share a passcode. Once the victim provides the passcode, the fraudsters have access to the victim’s phone or computer.
- Step 5 – Once the scammer has remote access, the scammer uses the UPI payment app already installed on the victim’s phone to transfer money to his/her own account.
- Step 6 – The fraudster needs the one-time password (OTP), or needs the victim to scan a QR code, to finish the transaction, and the victim provides it. Believing that the fraudster is a customer care representative who is helping to clear stuck payments, claim a credit bonus, complete the KYC, etc., victims provide all the requested information.
- Step 7 – The trick here is that the fraudsters keep the victims in continued conversation, not allowing them to see the notifications received from the bank. The victim assumes that money is getting credited, but instead the money gets debited. While the victim stays on the phone, the fraudster continues to use the victim’s payment apps to transfer the victim’s money to the fraudster’s own accounts.
Detecting the Fraudster:
- If someone you don’t know asks for access to any of your devices and wants you to download specific software, you are about to become a victim of social engineering fraud.
- No bank or company will ask you over the phone to download a screen-sharing app or any other software.
- If someone who is remotely connected to your device asks you to log in to your bank account, asks for personal passwords, or asks you to unlock your payment apps, then they are fraudsters.
- If you feel you are getting scammed, immediately stop the telephone conversation and end all the remote sessions by turning off your device.
How to avoid screen sharing fraud:
The social engineering tactics of cyber criminals are unthinkable and unforeseeable these days, and the best way to address them is through self-awareness and common sense alone, so be vigilant while dealing with financial transactions online.
- Never install apps while on call.
- Never do transactions while on call.
- All apps installed on the smartphone should be password protected.
- Don’t entertain any suspicious calls or messages that request you to download apps or to update apps / accounts.
- Never, ever share the OTP or scan the QR code with anyone. Sharing an OTP or scanning a QR code means money is getting debited from your account. Don’t click on short links and messages without verifying them.
- If you have inadvertently fallen victim, call the bank or wallet service provider using only numbers taken from their official websites.
- Download apps only from the App Store or Play Store.
- Enable two-factor authentication and assign secondary email and phone numbers to all your social, banking, and payment apps.
- Never trust free offers, reward points, and lottery offers that appear on email, SMS, WhatsApp, and social media platforms.
What to do when you are scammed:
- Report the fraud to the respective service providers (bankers, payment apps, or e-commerce platforms).
- Immediately change all the passwords of the accounts that were compromised.
- Report the scam to your local Cyber Crime Police authorities, register a complaint on https://www.cybercrime.gov.in, or alternatively dial the toll-free number 1930 immediately.