Risk of phone control from bank account number

The scammer intentionally entered the wrong password, causing the user's account to be locked, then pretended to be a bank employee and tricked them into installing malware on the phone.

Warnings about this method have been circulating on social networks in Vietnam recently. Accordingly, after obtaining the target victim's account number, the scammer can try to log in on the bank's website. According to the protection mechanism, if the wrong entry is made many times, the account will be locked.

"At that time, they will pretend to be a bank representative and call, luring users to click on a link to download a fake application," said Mr. Ngo Minh Hieu, founder of the Anti-Fraud project, adding that this method is similar to luring users to install other fraudulent applications in the past.

However, according to anti-fraud experts, this trick is dangerous because the account number and phone number are often made public by many people, and two numbers or emails can be used to log in. In addition, this information is also sold on the black market for data and there are many ways to collect it.

When their accounts are locked, inexperienced users are likely to panic and believe the scammers. They may provide the scammers with some personal information, login information, or be tricked into installing malware. Once these malware have penetrated the device, they may request deep access to the device, allowing the scammers to take control of the device and perform many actions, such as stealing data, remotely monitoring the device and user, capturing sensitive information such as passwords, OTP codes, and even transferring money using biometric facial recognition on the victim's phone.

Risk of phone control from bank account number Picture 1 Risk of phone control from bank account number Picture 1

A bank's login interface, announcing that the account will be locked if the wrong entry is made 5 times. Photo: Luu Quy

"The scenarios can vary, but generally the goal is to take control of the phone and withdraw money from the account," Mr. Hieu said.

A security expert at a bank confirmed that this scenario is possible. However, the fraudster needs the user to install the software or provide the OTP code. "If they don't do it, the user is still safe," he said.

In addition, to restore a locked account, some banks require you to go to a transaction point and use your identification documents to complete the reopening procedure, which will limit the risk of your account being taken over. Some banks also have protection features if they detect a login from an unfamiliar device.

Testing with some banking applications and websites in Vietnam, many systems allow login by account number or phone number and allow up to 5 incorrect password entries before locking. Others require the use of a unique login name or must go through a verified phone.

According to experts, similar to other scams, users can still avoid them if they follow the instructions correctly, such as when having problems with their bank accounts, they should go to the counter to do it directly or proactively contact the bank's official customer care channel. Users are also advised not to click on strange links or install files of unknown origin on their devices, and not to share OTP with anyone over the phone.

In addition, experts also recommend that information such as phone numbers and account numbers, which are often associated with many online activities, should be limited from being disclosed unless necessary.