ING Remote Access Scammer Alert - Lost $2000 to Scammer

WARNING: Scammer is able to mask their text messages as coming from an ING phone number.

This morning I was on my usual day of work. Received a text message saying "someone logged into your account. If this is not you, visit link."

ACTUAL MESSAGE:

You just logged in on a NEW device. If you did NOT login, go to: login.au-my-acc.net to cancel.

I use an iPhone, so the messages come in a conversation. The above message is in the same thread as the one that ING uses to send me update messages. Unsuspecting anything, I clicked on the link in a frenzy, in fear of someone taking my money, without realising it was a dodgy link.

Entered my client and access number. Shortly after, $2k was transferred out. They were even able to register their phone for mobile banking (ING sent me a verify message) and were somehow able to bypass this 2FA.

Significant security issues I found with ING are:

  • NO 2FA once you log in with client number and access code. That's it. They have full control. Even for a new payee (PayID or account number), there is no PayCode or 2FA verification like Commbank has. Straight to the scammer's account via Osko. Edit: 2FA is only enabled for new payee/edit payee if you are on a desktop/laptop. No 2FA if the scammer successfully bypassed the 2FA for the first mobile banking registration.

  • Scammer was somehow able to mask their sender end as ING's number or conversation.

  • Scammer was able to bypass the new-phone mobile registration 2FA (text sent to my phone; I did not give anyone the code).

Edit: The link that I posted is now shown as under Google review and flagged as "suspicious". When I first clicked on it, it took me straight to an ING-looking webpage.

Any ING account holders beware. The scam team is saying a lot of people are falling for it.

TLDR: ING account scam going on, do not click on any suspicious links. ING never asks you to put in client number and pass code via SMS.

I have learned my lesson, so please don't victim blame. I am setting this thread up as a support thread for (I suspect) many more victims to come. ING themselves have acknowledged their scam team is very very busy today.

Update 29/10/22:
- Orange Everyday Terms and Conditions states:
"You are liable for the loss if: the security of one or more Codes has been breached and if the breach of the Codes are more than 50% responsible for the loss"
Called their scam team today and basically told "you deliberately gave away the Client Number and Access Code. That's on you." So ING will absolutely not reimburse me if the recall fails.
- I am going to now finally let go. Not helpful for my mental health ruminating on this other than learning my lesson to never click any links.
- Hope no OzB members fell for this like I did.

Update 21/11/22:
- VicPol actually contacted me and filed a report. Detective said she is looking at multiple similar cases, said ING is very slow with responses, so anything that I can supply will be very helpful. Another reason to never bank with them.
- Contacted by ING's complaints team today. Hoping for good news.

Update 22/11/22:
- Goodwill payment of the total amount credited to my account.
- Said they are reviewing the security breaches that I raised but maintained that 'the four-digit access codes are secure and you can change it anytime according to our clause X of blah blah blah'
- Key point is that I have evidence that ING does send genuine text messages with a link asking their customers to log in via the link provided to open the account. Initially they claimed that ING never sends text messages with links.


Comments

  • +53

    Do not click on any links in text messages, generally speaking. Your bank will never send you an SMS with a link that takes you to a login page.

    • +6

      I learned my lesson. I was at work and because of the text coming from the same thread that the legit ING sent to me, I fell into their scam. Normally they come from unknown numbers and I am pretty good at picking it up.

      Just setting this up as a support thread as I suspect some of us will also start reporting this… especially with the new 4.05% interest there was lots of interest.

      • +1

        Regardless, the fact that the scammer is able to bypass 2FA for new payee and new mobile phone registration is beyond me. Commbank (the bank I normally use) would have sent me messages to verify those transactions first.
        I am going to move my money to the Big4s now.

        • +4

          please update us on what ING says about how "bypass 2FA for new payee and new mobile phone registration" can happen. cheers

          • +2

            @CyberMurning: the rep said she has escalated to their scam team. I got a 2FA message on my phone "This is the code for mobile banking device registration" at 09:58am. I was actually seeing a patient at that time. I never sent anyone or clicked any link for the 2FA to work. And at 10:02am an email came "Thanks, your iPhone is now successfully registered for mobile banking." LOL!?

            • +2

              @mariahwerk: oh so the system works, you get the code when adding a new device… but you weren't the one who requested it, and you didn't act on it, so the code should expire and the device will not get added…..

              geez that is TERRIBLE.. hmmm wait, that means yes someone cloned your phone, they are able to see the code! omg quick, format your phone, it probably got a trojan inside

        • +2

          Amazing. All the banks I have accounts with require a passcode to be entered for any new account transfer.

          Stopped using ING as they became a non-friendly bank in the past 2 years.

      • +1

        there was lots of interest.

        4.05% interest to be exact :)

  • +6

    That's rough, mate.

    2FA via text has always been known to be pretty poor, easy to by-pass (I don't know how though). I hope they reimburse you promptly.

    • It's interesting, banks have insurance for this sort of thing for their customers, right?
      But given OP opened the link and functionally provided their account credentials to the other party, I wonder if that would void the coverage for it?

  • +6

    Sorry this happened to you; it really sucks when you become the victim of a scam, it's an awful feeling. Unfortunately I believe these types of things in Australia are only going to get worse over the next 6-12 months with all the data that has been accessed in the last few months..

  • +3

    This is a common scam unfortunately. There was an ABC news article on it a while back - similar thing happened to a woman with a CBA account I think. I remember being surprised that they could make it look like the text was coming from your bank, it makes it so hard to realise it's a scam.

    ID Care has some good guidance on what to do to prevent further damage. https://www.idcare.org/fact-sheets/sms-scams

    • +3

      not victim blaming but it is never a good idea to try and secure your system with fundamentally insecure communication methods (SMS/phone)

      it wasn't until maybe 5 years ago that VoIP providers stopped letting you spoof numbers in the SMS sender field

      banks should shoulder some of the blame as SMS 2FA is no more than just another hurdle to jump rather than a real wall/door

  • +6

    ING doesn't have outbound fast payments for above $1k so you may still be able to have it and any other transfers held.

    • Thanks for the info, I was wondering what their osko limit was.

      • It seems to be $1k per day, the same as Virgin Money. If it is over, standard transfer mode applies.

    • -1

      The scammer did a number of transactions under $500 to bypass this.

      • +3

        No, the 3rd lot of $500 probably won't be an Osko transfer.

        • The other ones the scammer did by changing my address book (my real estate agent trust account) to their account and the transfer was instant.

          • +5

            @mariahwerk: The point you seem to be missing is that the total OSKO outbound limit is $1K per day per ING account. This is not changeable even if you ask ING.

            Any amount over this threshold will be a slow (non-OSKO) transfer. So, your loss from OSKO should be limited to $1K if you can get onto ING fast enough to stop the remaining transfers.

            • +1

              @DoctorCalculon: The first two were Osko under 1k. The last two were actually transferred to an account with an ING bsb. I called half an hour after the transfers (only looked at my phone then) and even that they said they can’t do anything about it “it’s more complicated than just stopping it” and it’ll take 45 calendar days for an outcome.
              I took all my money away from ING after this response.

              • @mariahwerk:

                I took all my money away from ING after this response.

                I'm surprised they didn't block that transaction to ensure its validity.

  • +6

    I don't know how fake but genuine looking correspondence can be dealt with but I think ING should reimburse you for their poor security regarding 2FA.

    • +2

      regarding 2FA

      I don't think there is any 2FA from ING.

      I tried it now. Completely new browser + VPN from USA. All you need is account number and access code, and you are logged in.

      • 2FA is required for new phone registration. They used the phone app instead of internet banking because I received a mobile registration request.

        • For either channel, 2FA is broken. Otherwise, the scammers would have been stopped in their tracks.

  • +8

    Unsuspecting anything, I clicked on the link in a frenzy, in fear of someone taking my money, without realising it was a dodgy link.

    This is on you.

    • +8

      Yep. Banks make it very clear. Never log in via a provided link. Always type in the bank URL or use the app already installed on your mobile device.

  • +6

    Sorry to hear that, man.

    I'm not going to victim blame, but next time just go directly to their website. If there's a legit breach, it would likely be in the account messages.

    One time I had a suspicious email from ebay asking me to verify my identity and update my details. It came with a link. I didn't click the link, but went directly to the ebay app. I had the same message on there from ebay. And on the web browser. I was still suss about it and refused to obey the email. Then they kept sending the email. Then they locked me out of my account. Turned out the email was legit. I obeyed it (through the ebay website) and my account was reinstated.

    Still can't believe they would actually ask for these things in a provided link. Most businesses will make you go directly to the website.

  • +3

    Can you share a screenshot that shows the scam message with the other legit ING messages? Of course hide any personal info and the scam link. I want to show my parents how some elaborate scams work.

    • Don't know how to upload an image to OzB.

      The message says "You just logged in on a NEW device. If you did NOT login, go to: login.au-my-acc.net to cancel."

      The message above this scam message is an authentic ING message telling me my legit client number when I signed up 4 weeks ago. However if you click on ING as a contact, no number shows up. That's when I knew I (profanity) up.

      I know, how stupid; in that heated moment I didn't even bother to check the link address.

      • Always delete legit text messages from banks to avoid scam text messages coming through in one chain. Save your client number elsewhere.

      • OzBargain file upload

        It's very easy for them to spoof phone numbers as you've seen, but yeh the dodgy links usually give it away if the bad English doesn't.

        I admit I've almost been caught out once when they got lucky with their timing and I received a message right in the middle of doing something with that bank that seemed somewhat related. They tried a bit harder with the URL in that case too and it almost looked legit.

    • +2

      The scam text message looks similar to this. Adelaide man enlists help from former South Australian senator Nick Xenophon after losing $36,000 to scammers. Never click on links sent in text messages.

      Types of Scams

      • +3

        Thanks! That's what I was looking for. These scammers are getting good. I'm tech savvy and I nearly got caught once. I can't imagine how many people are getting scammed and don't even realise it.

    • https://files.ozbargain.com.au/upload/42072/99397/screenshot…

      I got same message as Op, though mine went straight to spam box. I've never had an account with ING.

  • +1

    Thank you for sharing Op. Sometimes I wonder how people fall for scams though not my thoughts on this one.

  • +6

    Just so people are more aware, you absolutely cannot trust the "From" number on text messages. You also can't trust the "Caller" number on phone calls, or the "From" address on emails.

    To understand why, you need to think of those paper letters people used to send. The sender can put anything under "sender's address"; no one along the path can verify whether it's correct or not.

    So unless you initiated an action, you should never click on links in SMS or Emails. And if you receive strange requests make sure you pick up the phone and check with the person directly. It's far too common for scammers to email receptions "from" the CEO, asking for an emergency payment.
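
The letter analogy above, and the replies further down pointing out that login.au-my-acc.net and acc-ref.com are plainly not ING addresses, come down to one mechanical check a phone or a mail gateway could make: does the owner-controlled part of the link's hostname belong to the bank? The script below is an added example written for this page, not ING's or OzBargain's code; the allowlist (ing.com.au), the brand label and the small suffix table are assumptions for illustration, and a real deployment would use the bank's published domains and the Public Suffix List.

```python
"""Flag SMS links that point outside a bank's own domains.

Added illustration for this thread, not ING's or OzBargain's code. The
allowlist, brand label and two-label suffix table are assumptions made
for the example.
"""
import re
from urllib.parse import urlparse

BANK_DOMAINS = {"ing.com.au"}   # assumed allowlist for the example
BRAND = "ing"                   # brand label to look for in lookalike hosts

# Suffixes that take two labels; a stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk", "co.nz"}

# Matches full URLs, bare hostnames like login.au-my-acc.net (how the scam
# text in the thread presented its link) and the user@host trick.
URL_RE = re.compile(
    r"(?:https?://)?(?:[^\s/@]+@)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?",
    re.IGNORECASE,
)

# Constructed samples: the first is the scam wording quoted in the thread,
# the second is a constructed legitimate-style message for contrast.
SAMPLE_MESSAGES = [
    "You just logged in on a NEW device. If you did NOT login, "
    "go to: login.au-my-acc.net to cancel.",
    "Your ING client number is 12345678. Log in at https://www.ing.com.au/ "
    "to get started.",
]


def registrable_domain(host: str) -> str:
    """Approximate the part of a hostname that a registrant controls."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(candidate: str) -> dict:
    """Classify one link: is its owner-controlled domain one the bank owns?"""
    candidate = candidate.rstrip(".,;:!?)")  # drop trailing sentence punctuation
    parsed = urlparse(candidate if "://" in candidate else "http://" + candidate)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []
    if reg not in BANK_DOMAINS:
        reasons.append(f"registrable domain {reg!r} is not a known bank domain")
        labels = host.split(".")
        if any(lab == BRAND or lab.startswith(BRAND + "-") for lab in labels):
            reasons.append("bank brand used as a label outside the bank's domain")
    if parsed.username:
        reasons.append("text before '@' is userinfo, not the host")
    return {"link": candidate, "host": host, "registrable_domain": reg,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_sms(text: str) -> dict:
    """Check every link in one SMS and give an overall verdict."""
    links = [check_link(m.group(0)) for m in URL_RE.finditer(text)]
    return {"links": links, "suspicious": any(l["suspicious"] for l in links)}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = scan_sms(msg)
        print("SUSPICIOUS" if result["suspicious"] else "ok", "|", msg)
        for link in result["links"]:
            for reason in link["reasons"]:
                print("   -", link["host"], ":", reason)
```

The check deliberately ignores how the message looks (sender number, thread placement, wording), because, as the comment above explains, none of that is verifiable; only the domain the link actually resolves to is.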

  • +2

    login.au-my-acc.net

    That's not an ING site though.

    • +4

      They are using other similar addresses too. I reported acc-ref.com a few days ago for running this scam and the registrar took that site down.

      • +4

        I suppose my point was that it's glaringly obvious that it isn't from ING.

  • +1

    I recently received 2FA codes from ING. I also bank with them. I had not requested the codes. I tried to call ING but couldn't get through. I ended up sending a message on internet banking. It took a week of back-and-forth before somebody called me and said "yes, we have records of somebody with an Indian IP trying to make transfers and use your card."

    Needless to say, I was annoyed at the time it took for them to deal with it - notwithstanding the fact that I couldn't get through on the phone. But more so, in the first exchange in messages they said "totally normal, you requested them".

    • +3

      This is what should’ve happened. The fraud should’ve stopped at 2FA because I had it activated and I have the phone with me. Instead somehow they bypassed it and set up their phone with my account without the code.
      ING has some serious banking security breaches going on here.

      • +2

        ING has some serious banking security breaches going on here.

        I would say more security holes than any other bank that I have dealt with.

        Here is a glaring one. When they send out your debit card in the mail, your client ID is clearly listed in the letter along with a whole bunch of other identifying details.

  • +4

    Wow, sorry to hear OP.
    I got exact same message on Tuesday. I was actually freaking out that someone had gotten into my account and was xfering funds out!
    Luckily, I was at work, and logged onto my work PC and everything looked fine. No new payee in address book, no message in the inbox, and then it pinged that it was a scam.
    I consider myself a veteran at picking scams, and this one looked pretty damn good - what got me was this point : Scammer somehow able to mask their sender end into ING's number or conversation.

    Also, they prob got your SMS 2FA message when you entered it into their website

    • logged onto my work PC and everything looked fine

      Or check your phone app to check if there is movement of funds.

      Also have the bank phone number in your contact list and call them (not taking calls from that number)

    • +1

      The phishing link also asked for my client number and access code, no 2FA request.

      • Oh wow…hmm
        Did ING say how they managed to xfer the funds ?
        Whenever I add a new contact I am asked for a phone code…well at least I am sure I do

        • +2

          Apparently 2FA only applies for new payee when you are on the webpage, not for the banking app. I tried it myself, and once you have registered your phone, you can Pay Anyone or Edit Address Book without 2FA. Big loophole and when I told them they don't seem to care!

  • Thanks for letting everyone know. This has me thinking about moving away from ING. I'll need to look into a bank with better 2FA and a good interest rate

  • -3

    This is an old basic scam that still works. If you had looked closely at the email address before you clicked it then you could have picked it up.
    Hope you get your money back.
    Think before you click 🙏🏿

    • +8

      Maybe you need to look closely as well as it wasn’t an e-mail.

  • +1

    The spoof won't just be with ING, I had the same with ANZ, I just ignore it

    • I received a similar phishing attempt on the official AUSPOST SMS ID.

      Even though it was right underneath a legitimate package delivery message, it was very easy to spot due to:

      a) their terrible English
      b) I wasn't expecting any parcels. Nice try, scammers!

      • +2

        Haha I like to spot how many grammatical and spelling errors are in the scam SMS and emails. Even punctuation gives it away. I've actually never seen a perfectly written scam SMS/email so far

        • Agreed. If the "Click Here" link doesn't give it away, it is always their rubbish English.

      • +1

        Same thing happened to me recently but there were no grammatical errors, and I was expecting a parcel… so I was wondering if the delivery company is sharing details with scammers…

        • I like to click the links and add hundreds of fake ID/password combos just to keep the scammers on their toes ;)

          Scammers get paranoid with fake attempts as the banks log and investigate too many of them!

  • My husband clicked on a link once because he was curious to see what the site looks like. Luckily he doesn't have any banking apps on his phone. But do you actually need to 'login' the fake links to get scammed or is clicking the link itself bad enough for spyware or something to be installed?

    • Well the scammer could install something and they could listen to your husband's private conversations that may involve financial matters. Good luck.

    • Clicking the scam link can be enough to trick you into installing malware apps. Read this article about the flubot scam.

    • +2

      Simply clicking on a link won't cause a problem, contrary to what mainstream media says/implies. Just don't then start entering personal/account/login details on whatever site that link leads you to.

    • I often click on these dodgy links, just for a look, and sometimes I put in a false username/password to waste their time. I never do it from a Windows PC (it's higher risk than a phone or tablet) and I've never had a problem, but there is a very low risk a dodgy website might have an exploit for your device, but it really is low nowadays. Country security services are another matter …

  • +1

    it's not just ING, mum got scammed by a Commbank-looking one too.

    Luckily we got the money back (3k)

    • Did she login through the fake link? My mum was telling me how she knew someone who lost $33k just from clicking a link. I'm like… Yeh… Nah she totally logged in. But obviously she's not going to admit that since that's saying bye bye to the money

    • Can you share how she got her money back?

      • Call your bank ASAP and report the scam; the bank will try to freeze the bank account it was transferred to, to recover the funds.

        • ING said they’re osko transfers so they could only recall it, but up to the other end to accept the recall. Kept saying because I gave them the details it’s harder. Kept avoiding talking about the 2FA fail.

          • +3

            @mariahwerk:

            ING said they’re osko transfers

            Interesting you mentioned $2000 was transferred.

            My ING account only allows $1000 via "instant" Osko. Anything above that amount is delayed ~12 hours.

            Is this your case? Is your account somehow different?

            • @LFO: 4 lots of under $1000 payments transferred to 2 different accounts (one ANZ, one ING). They were "instant" according to ING records. The scammer clearly knows >$1000 will take longer.

              • +1

                @mariahwerk: The $2000 daily limit was reached (for my rent payment) therefore the scammer could not withdraw further luckily.

  • +2

    Everyone’s talking about 2FA but when I searched the ING site, I could find no way to add 2FA to my accounts. You can add it to a NEW account when applying but, as far as I can see, existing customers aren’t catered to. Did I miss something?

    • I'm an ING customer from 2017 and also don't have 2FA

  • +4

    I don't even trust legit SMSes from Auspost!

    Never click on links in SMS messages.

  • +1

    Sorry to hear that, it is very easy to be taken in. Similar thing happened to me – I received a text from Amazon from the same number that I had previously received Amazon verification texts. This was clear from my phone records. I rang the number and the person was able to give details of my past several Amazon purchases (Kindle books I had bought). She said there was a suspicious transaction and I needed to reset my password.
    I almost provided them with the code they then texted to me, but simultaneously I decided to ring the bank to find the transaction. Fortunately the bank security immediately said DO NOT provide this code, you are a few seconds away from losing $15,000. This happened about a year ago, I didn’t know text/phone number masking existed – but it definitely does. Be very, very careful. NEVER, EVER SHARE a code that is sent to you by text message.

  • +2

    This is why I regularly clean out my SMS/Messages of corporate texts especially since they appear in a threaded/conversation style on the phone.

  • +1

    I recently had the same issue with a message coming in as ‘AusPost’ into my same conversation thread as legitimate auspost texts, coincidentally on the day I was expecting a package. Was definitely a scam as the link wasn’t right.

    Phone companies should verify numbers from financial institutions with like a blue tick like Instagram lol.

    • I also had an AusPost one sent, but it was separate from the legitimate one I usually get and I was also expecting a package from eBay.

  • Received the same masked messages from Citylink/Linkt yesterday. Same number I had previously received legitimate SMS from.

    The fact some banks still have SMS MFA is insane.

  • +1

    simple rule: never trust an SMS, and that goes double for a link in one. Phone numbers are easy to fake and phone SIMs can be duplicated or potentially churned. If your bank only relies on SMS you should find yourself a new bank.

  • ING have 2fa though?
    You didn't have it activated?

    • +1

      ING has weak 2FA. Using a physical security key to login is the best or using single-use codes generated by mobile apps. ING has neither.

    • ING have 2fa though

      LOL!

      ING 2FA is horribly broken. I have reported this security issue to them a long time ago, and it is still not fixed.

      I also asked them to allow me to change to a 9-digit PIN for my access key. They said it cannot be done.

  • +1

    I always go to the websites by myself, never click through anything. I have had ANZ messages before and called them up asking why they keep sending me messages and it wasn't them.

    ALWAYS go to the websites by yourself.

  • +3

    Thanks op for alerting us.

  • +1

    I suggest changing to a bank that does 2FA via authentication app and not just SMS, jesus.

  • +1

    I'm curious what can be done to help educate people not to click links in sms or emails. I thought it was common knowledge by now. I still get "spam" emails from my banks often to not click on links and they won't send links.

    • +1

      It's a slip of mind when emotions took over "God people are in my account! Gotta act fast" Fight or Flight response. I usually never click any links on SMS.

      • which is exactly the behaviour scammers have targeted for years. No offense but I highly recommend going and reading a little bit about scams and researching secure MFA (which SMS does not fall under). Find a bank with a secure form of MFA and have a read through https://www.scamwatch.gov.au/

        • What is it about SMS that makes it less secure than an authenticator app?

          • +1

            @kiitos: The source phone number can be faked, many phones show the SMS on the front screen so it is subject to shoulder surfing, the phone SIM can be duplicated meaning the scammer can receive the SMS, your phone number can be churned meaning again the scammer can potentially receive the SMS. SMS was never meant as a security mechanism and is inherently unsafe to use as one; it is better than nothing at all but if you are going to the effort of a 2nd factor then use one that isn't so fundamentally broken security-wise. An authenticator app isn't subject to these attacks (that doesn't mean they are all perfect either, but they are a significant step up).

  • Get onto Up Bank.
    All app based, everything is authenticated on your phone with biometrics and password, instant notifications for every transaction in and out and any changes to the accounts.

    • +1

      But you've failed to mention their 2FA method.

  • login.au-my-acc.net

    There is no way this URL is ING 🤔

  • +1

    get rid of ING, that is a huge security risk; go with Macquarie or some other better bank with app-based 2FA
    even without scam messages, anything that doesn't provide 2FA is a no-go zone these days

  • I have a 4 digit access code but I thought I had seen somewhere that you can have a 6 or 8 digit access code. Apparently not, and I asked them about 2FA at the same time for their website.

    From ING

    We don't have the option to extend your access code, I apologise.

    Having said that, we do have two-factor authentication available on the website. You log in initially using your confidential access code. If you are making any changes to personal details or higher risk transactions (e.g. external transactions, BPAY's, etc.), you are generally required to receive and confirm a SMS security code to proceed.

    I do apologise for any inconvenience caused, I will lodge feedback on your behalf.

    • not good enough, get rid of them seriously, SMS based can be intercepted or the phone can get ported out etc…

  • +3

    Raised a complaint to ING demanding to implement app-based 2FA ASAP due to recent cyber attacks in Australia and the increasing number of scams targeting ING clients. My complaint won't change anything, but what if we get the ING complaint team "Ozbargained" if you guys know what I mean?

    • If anyone here is an ING customer, PLEASE file a complaint and send them a link to this post!

      • +1

        Done. A complaint filed with ING.
