Phishing attackers remarkably successful at Bunq: ‘Security not an issue’


This article was last updated on May 27, 2024


Phishing scammers are targeting customers of online bank Bunq, often managing to steal tens of thousands of euros per victim. This is evident from research by NOS and NRC.

According to experts, the attackers’ method is unlikely to be successful at other banks, and the amount of money stolen is also surprising. Security measures that other banks have are lacking, and customers are generally not compensated.

NOS and NRC verified the stories of 28 victims who were scammed in the past seven months. Together they lost more than 1.6 million euros, an average of almost 60,000 euros per case.

In five cases the amounts involved were 100,000 euros or more. “It all happened very quickly, in 45 minutes all my savings were gone,” says Geraldine. She also lost more than 100,000 euros.

“Security has the highest priority at Bunq,” the bank said in a written response. “That is why we use advanced technologies such as AI, biometric security and secure communication. The only way to become a victim is to provide your personal and login details yourself.”

The bank also states that “the average fraud amount among victims of phishing at Bunq is lower” than at other banks, but declined to substantiate this when asked.

Phishing

With phishing, criminals trick you into providing login details. They do this with a fake website that looks exactly like the real site of, for example, a bank. Links to it are distributed via SMS or email, with calls to action like: “Confirm your account!”

The login details entered can be misused to plunder accounts. At Bunq, customers also have to confirm the login, which is why criminals usually also call the victim to encourage them to perform a facial scan, for example.

Legal expenses insurers are also seeing an increase in the number of cases. According to judicial sources, the number of ready-made Bunq phishing sites offered on the black market, which criminals can set up without much work, is increasing.

Bunq has been offering bank accounts since 2015 and likes to present itself as a contemporary alternative to traditional banks. It has no physical branches and has also been described as primarily a tech company. Last year it gained many savings customers due to relatively high interest rates.

Unnoticed

The bank is to blame for the fact that attackers can steal so much money, experts say. “The banks I know can stop this,” says fraud expert Pepijn Sklapdel of DataExpert, who represents several banks.

Shairesh Algoe, responsible for combating fraud at ABN Amro for many years: “This is not a new type of attack. You cannot prevent fraud 100%, but I think that banks generally detect this.”

“We cannot imagine that an expert familiar with the facts would draw such a conclusion,” Bunq responds.

The attackers mainly use two methods. In at least eight cases verified by the NOS, they manage to hijack the login details and the required facial recognition scan of customers; they can then break into the account and transfer large sums of money. “That is really suspicious behavior, that should be a red flag,” says Sklapdel.

With the other method, which the NOS recognized in at least nine cases, the attackers manage to convince victims to install software on their device, with which they can take control. “That is a little more difficult to recognize, but there are ways to do that too,” says Sklapdel.


In recent years, all major banks have introduced a cooling-off period in the fight against phishing. If a customer wants to transfer more than his daily limit, he must increase it and then wait four hours.

Bunq never took that measure, but it did take something similar: if customers gave access to a new device, they had to wait 24 hours before they could transfer money again.

This was soon shortened to an hour and then abolished; according to Bunq, this was in response to customer complaints and because it made no difference in practice.
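The two waiting rules described above, sketched as a transfer-authorization check. This is an added example, not Bunq's or any other bank's code: the account fields, limit amounts and timestamps are constructed, and only the 4-hour and 24-hour waits come from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Waiting periods as stated in the article; every name below is hypothetical.
LIMIT_INCREASE_HOLD = timedelta(hours=4)   # cooling-off after raising the daily limit
NEW_DEVICE_HOLD = timedelta(hours=24)      # wait after a new device is given access

@dataclass
class Account:
    daily_limit: int                       # limit the customer has set (euros)
    previous_limit: int                    # limit before the latest increase
    limit_raised_at: Optional[datetime] = None
    device_added_at: Optional[datetime] = None
    spent_today: int = 0

def effective_limit(acct: Account, now: datetime) -> int:
    """A raised limit only counts once its cooling-off period has passed."""
    if acct.limit_raised_at and now - acct.limit_raised_at < LIMIT_INCREASE_HOLD:
        return acct.previous_limit
    return acct.daily_limit

def decide(acct: Account, amount: int, now: datetime) -> tuple:
    """Return (decision, reason) for an outgoing transfer request."""
    if acct.device_added_at and now - acct.device_added_at < NEW_DEVICE_HOLD:
        release = acct.device_added_at + NEW_DEVICE_HOLD
        return "hold", f"new device; transfers resume {release:%Y-%m-%d %H:%M}"
    limit = effective_limit(acct, now)
    if acct.spent_today + amount > limit:
        if limit < acct.daily_limit:
            release = acct.limit_raised_at + LIMIT_INCREASE_HOLD
            return "hold", f"limit increase pending until {release:%Y-%m-%d %H:%M}"
        return "reject", "exceeds daily limit"
    return "allow", "within limit"

if __name__ == "__main__":
    # Constructed timeline: limit raised at 10:00, large transfer tried 45 minutes later.
    t0 = datetime(2024, 5, 1, 10, 0)
    acct = Account(daily_limit=100_000, previous_limit=2_500, limit_raised_at=t0)
    for minutes in (45, 239, 240):
        print(minutes, decide(acct, 60_000, t0 + timedelta(minutes=minutes)))
```

With the four-hour rule in force, the large transfer requested 45 minutes after the limit increase is held while ordinary payments under the old limit still go through.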

The victims are collateral damage, a former Bunq employee told NOS and NRC. “Safety is not a topic that really drives Ali,” he says about Bunq CEO Ali Niknam. “He just wants to offer the best possible product to customers. That doesn’t mean you have to wait hours if you want to increase a limit.”

NOS and NRC continue to investigate Bunq and are happy to speak to employees and former employees. Would you like to contact us? This can be done by email (ellen.kamphorst@nos.nl) or via Signal/Whatsapp: 06 84 61 39 16

Three other former employees also say that the bank subordinates security to user-friendliness, but Bunq states that this is “demonstrably incorrect”.

Settlement

The 28 affected customers are generally angrier with the bank than with the scammers. None of them were able to contact an employee; everything was done via the chat in the app.

That is the policy at the bank, which only wants to communicate digitally. The group of 28 victims received an invitation from Bunq for an interview on Thursday afternoon.

‘Gone is gone’

Victims also complain about Bunq’s SOS option for fraud cases, which is said to work poorly. They say that using it has not made any difference.

One customer, Floor Hendriks, felt that she received such poor service at Bunq that she called the fraud desk of her other bank. “I have my current account at Rabobank; they helped me file a tax return there in the middle of the night.” She didn’t hear anything from Bunq until ten hours later.

Bunq disputes that the option is useless. “This may be the perception of the victims, but it is demonstrably incorrect.”

The way cases are handled also differs. Other banks give scam victims in similar cases their money back if they meet certain conditions.

As a rule, victims do not receive anything back from Bunq. “Gone is gone” is the mantra of Bunq founder Niknam. “It’s like giving someone your car keys outside on the street. Then your car is gone,” Niknam said in conversation with a victim.

Accountability

For this article, NOS collaborated with NRC journalist Stijn Bronzwaer. We shared our source material, such as reports of conversations and underlying documents, and jointly submitted a series of 21 questions to Bunq for response. Bunq did not respond to these substantively, but did respond to passages in this article and provided a general response.

We also attended a meeting in Durgerdam where victims of fraud at Bunq gathered. We checked the stories of 28 victims and spoke to most of them, in person or by telephone. We verified the reports of 27 victims. In addition, the victims provided us with screenshots of chat conversations with Bunq and other evidence.

For this story, further discussions were held with former Bunq employees, trade organizations, security experts, lawyers and legal expenses insurance representatives.

To find out exactly how the scammers worked, NRC and NOS jointly purchased a so-called Bunq phishing toolkit, illegal software with which criminals can defraud Bunq customers. 275 euros was paid for the software.

In addition, NOS and NRC, together with security researcher Matthijs Koot, analyzed phishing links and the websites behind them, and we had a phishing scammer call us.

In the podcast De Dag, victims describe how the theft happened. They are not only furious with the criminals, but also with Bunq. They received no help or aftercare from the bank, no compensation, and they never got an employee on the phone.
