Three-Prong Ghost Hacker Scam Targets Seniors, Others
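The Phantom Hacker scam tricks victims into transferring funds by impersonating tech support, financial institution and government personnel. The scam has three phases: gaining remote access, inducing the victim to check their financial accounts and transfer funds, and using official-looking letters to boost credibility. It mainly targets seniors and other groups, and has already caused more than $1 billion in losses. With the application of AI, such scams may become more deceptive and scalable. 2025-9-11 07:57:9 Author: securityboulevard.com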

It’s heartbreaking to think that people can save money all their lives for retirement just to see it disappear in a flash at the hands of clever scammers. But that’s a story that continues to be told as scammers get wilier and more elaborate, like they have in the Phantom Hacker scam that recently made its way into an FBI alert. 

Seems that this time around, the hackers are using a three-part scam to convince their marks to transfer funds…to them. And while half of the victims have been seniors, others across age groups have fallen for the scam, too. As tempting as it is to question how victims can continue to be lured into these traps, it’s important to note that the FBI says the Phantom Hacker scammers have gone to great lengths to make their ploy seem real. 

“One of the greatest heartaches is not being able to help our elders when they’re taken advantage of, especially after they’ve worked so hard to build and preserve their life savings,” says Randolph Barr, CISO at Cequence Security.  


Calling the scheme “an evolution of more general tech support scams,” the alert said it layers “imposter tech support, financial institution and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target.” 

In the first phase of the scam, someone posing as a tech support or customer support rep from a legit company calls, texts or emails the targets — or in some cases contacts them through a pop-up on their computer. The mark is told to contact a number provided for assistance. Once the victim does so, the scammer gains remote access to their computer, then asks them to access their financial accounts to check for unauthorized charges, and then notes they’ll receive a call from a financial institution. Lo and behold, when the “representative” calls, the victim is told to “move their money to a ‘safe’ third-party account, such as an account with the Federal Reserve or another U.S. government agency,” the FBI warned.

Not surprisingly, once the victim is instructed to send funds through a wire transfer, cryptocurrency and cash, they are also cautioned not to tell anyone why they are moving money. As part of phase three, the mark may get contacted by an “employee at the Federal Reserve or another U.S. Government agency,” and if that raises suspicions, “the scammer may send an email or a letter on what appears to be official U.S. Government letterhead to legitimize the scam,” says the FBI. 

Elaborate, yes, but it’s well worth the effort for the scammers — in the last year or so, they’ve managed to steal more than $1 billion.  

“The simplicity of this scam is what makes it particularly convincing,” says Aditi Gupta, senior manager, professional services consulting at Black Duck.  

“Attackers exploit the trust associated with phone calls, making it easier to deceive vulnerable individuals,” she says. “The straightforward, step-by-step instructions to install an app or perform other actions add to the scam’s credibility.” 

And things are only going to get worse with AI in the mix. “It’s bad enough that these scams already target seniors, but AI will make them far more convincing and scalable,” says Barr. “Attackers will soon impersonate not just law enforcement or banks, but even family members, making it easier for seniors to fall victim.” 

The potential to scale is even more concerning. “AI removes the need for one-to-one social engineering,” says Barr, so that attackers can “execute many simultaneous, highly convincing scams at once.” 

To counter this, Barr says, “there needs to be a shift in responsibility, with stronger controls implemented at the vendor, partner and service provider level to detect and stop these attacks before they ever reach our most vulnerable.” 

Barr suggests precautions to prevent such scams, such as restricted installs, preventing devices from installing apps without a second factor approval; the use of non-admin accounts so that users don’t have admin rights; transaction alerts and dual authorization; spending and accounting segmentation; communication filters; and routine reviews of accounts and devices. Whether those things are implemented depends entirely on the willingness of the accountholders — the potential victims — to impose and live by them. 

Gupta offers a simple, straightforward tactic. “If you receive suspicious requests or messages, verify the authenticity by contacting the source directly,” like visiting the bank in person or calling the bank’s official phone line, she says. “Lastly, avoid taking any immediate action related to installing applications or transferring money until you’ve verified the request.”

Just don’t do it. 



Source: https://securityboulevard.com/2025/09/three-prong-ghost-hacker-scam-targets-seniors-others/?utm_source=rss&utm_medium=rss&utm_campaign=three-prong-ghost-hacker-scam-targets-seniors-others