On spoofing: "those fake bank advisers who want to do you good".
Have you been scammed by a bogus bank adviser? Here's how to defend yourself.
1. What are the signs of a scam?
The term "spoofing" comes from the word "spoof". This is precisely what the fraudster is doing: spoofing, pretending to be a bank adviser to get you to open your banking application and use your payment methods.
The technique used by spoofing scammers is tried and tested. They have learned how to get past your vigilance.
How can you spot a fake bank adviser?
He makes suspicious requests. A legitimate bank adviser will never ask for sensitive information (password, PIN, etc.) by telephone or e-mail. If you receive such a request, be extremely vigilant.
He creates a sense of urgency. False advisers often insist on an immediate response, creating a sense of panic in the victim. It is essential to remain calm and verify the information.
He makes tempting offers. Some fraudsters offer loans on "exceptional" terms or supposedly safe investments. Don't fall into the trap of promises of quick profits.
Always check the contact details. If you are contacted by a bank adviser, take the time to check their identity by calling your bank directly on an official number.
Illustration of telephone spoofing
R. receives a call from someone claiming to be the financial adviser at his branch. R. has no reason to be suspicious, as the bank's name appears on his telephone screen (thanks to a formidable technical process that allows a telephone number to be displayed under a different name).
The fake advisor first shows himself to be vigilant. He claims to have spotted an account takeover or hack. The customer is warned that an attempt at fraud has been made. To stop it, he has to re-register the details of certain recipients of transfers.
The fake advisor then turns reassuring. The alert has been given. All the user has to do is go to his personal space and validate one or more modification operations. Validation is carried out by entering the security code. The fraudster knows that he needs the full confidence of the person he is dealing with. He plays the benevolent adviser. This is, he says, a perfectly secure operation. He could almost add that he will remain on the line for the duration of the modification. The fraudster asks for the confidential code. R. receives a message and passes on the information it contains. The manoeuvre is successful. The new bank details are saved.
R. hangs up, relieved to have avoided being swindled, only to discover a few days later that the fraud had actually taken place without his knowledge. Several transfers had been made. His accounts were empty. R. immediately contacted the bank, but its response was definitive. R. had used his personal security details. This was a breach of the rules of the current account agreement and the personal digital space. He will not be reimbursed, whether the fraud amounts to 3,000 or 50,000 euros.
2. What techniques do fraudsters use?
The example of R. is the most common, but it does not explain how the fake advisor managed to pass himself off as the bank's technical support. It's easy to imagine that he may have undergone training, enabling him to master the banking vocabulary. But the manoeuvre cannot succeed without the telephone number of the victim's bank. It is in fact the display of the bank's identity during the telephone call that allows the user to be fooled.
Telephone spoofing and bank spoofing are not the only methods used by fraudsters, far from it. Here's a quick overview of the methods used.
Email spoofing and alias impersonation
What these two techniques have in common is the use of email to contact victims.
Email spoofing is one of the most common forms. The fraudster imitates a legitimate e-mail address. They change a letter or symbol in the original address.
Victims do not notice these small changes. They think they are communicating with someone they trust. This makes scams easier. The fraudster can extort data or money.
With alias impersonation, the fraudster does not change the e-mail address. They only change the name displayed in the inbox.
It targets a specific audience that receives a significant number of e-mails and does not have the time to look into the identity of the sender. Law firms are particularly affected.
At Solent Avocats, we receive around ten messages every month under the following aliases: "Gestion locative"; "Loyer impayé"; "Location-Habitat".
The subject line begins as if it were a reply: "RE: REMINDER TO PAY JANUARY 2025". The fraudster claims to be reminding us about the rent payment. Friendly, he wishes us a happy new year and informs us that his bank details have been updated. He says no more and invites us to regularise the situation, confirming the payment date. A quick glance at the email address is enough to identify the author of the email. His email address usually has nothing to do with the business he claims to be in.
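The two email techniques above, as an added example that is not part of the original article: a Python check that flags a sender domain one or two characters away from a trusted one (email spoofing) and a familiar display name arriving from an unrelated address (alias impersonation). The domains, the alias table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains the recipient really corresponds with (constructed values).
TRUSTED_DOMAINS = {"examplebank.fr", "agence-habitat.example"}
# Assumption: display names this mailbox expects, mapped to the domain that owns them.
KNOWN_ALIASES = {"gestion locative": "agence-habitat.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch a single changed letter or symbol."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from(header: str) -> list[str]:
    """Return the spoofing indicators found in one From: header value."""
    name, addr = parseaddr(header)
    if "@" not in addr:
        return ["unparseable-address"]
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Email spoofing: an address one or two characters off a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            findings.append(f"lookalike-domain:{trusted}")
    # Alias impersonation: a familiar display name on an unrelated address.
    expected = KNOWN_ALIASES.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(f"alias-mismatch:{expected}")
    return findings


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    '"Gestion locative" <contact@agence-habitat.example>',
    '"Gestion locative" <k.martin@mailbox-free.example>',
    '"Service client" <alerte@examp1ebank.fr>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", check_from(h) or "ok")
```

The display name is compared against the domain because the name is the only part the alias technique changes; the address itself is left untouched and gives the sender away.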
IP spoofing and ARP spoofing
IP spoofing consists of concealing an attacker's IP address. He uses another address to mask his real identity.
This technique is often used for DDoS attacks. Hackers can overload a website or access sensitive data.
ARP spoofing focuses on internal networks. The hacker intercepts a company's data flows without being detected.
This enables them to obtain confidential information. Companies need to be particularly vigilant in the face of this type of attack.
Crypto spoofing and Pokémon Go spoofing
Crypto spoofing concerns cryptocurrency exchange platforms.
Hackers try to recover your identifiers. Their aim is to empty your digital wallets. This practice has become widespread with the popularity of cryptocurrencies.
Pokémon Go spoofing is a different technique. It targets a younger audience: your children. It is not based on data theft, nor does it pursue that objective.
It involves modifying GPS data to gain access to specific areas of the game. Although not malicious, this form of spoofing is prohibited by the game rules.
3. What to do after a fake adviser scam
Faced with this situation, it is essential to be aware of the remedies available to react effectively and recover the sums lost.
Identify the scam and act quickly
The first step for victims is to react as soon as they suspect fraud. They should follow the steps below:
Stop payment on your bank card. If fraudulent payments or transfers have been made, contact your bank immediately to stop the card. Remember to systematically refuse when you are asked to validate transactions intended to resolve the scam.
Contact your bank. Under the Monetary and Financial Code, banks are obliged to reimburse unauthorised transactions under certain conditions. File a claim as soon as possible. Keep a copy of the claim and send it by recorded delivery.
Keep proof of the scam. Keep any e-mails, text messages or screenshots relating to the scam. This information will be essential if your bank refuses your request for a refund.
How do I obtain a refund after fraud?
The first two remedies do not necessarily lead to repayment of the sums fraudulently extorted. However, they are necessary and complementary to legal action.
1. Contact the Banque de France. Is your bank refusing to pay? Contact the banking ombudsman.
It is not certain that you will be vindicated, as our experience shows that response times are fairly long and that consumers rarely win their cases.
But this prior recourse has the merit of demonstrating that you have attempted conciliation.
2. Filing a complaint. File a complaint with the police or gendarmerie. Then report the scam on Pharos.
This won't bring back the lost funds, but it may help to catch the hackers and warn other users of new scripts used by the crooks.
3. Legal action. In the event of an ongoing dispute with your bank, you must take your case to the appropriate court.
Under the terms of articles L. 133-16 and L. 133-17 of the French Monetary and Financial Code, it is the responsibility of the Payment Service User to take all reasonable steps to maintain the security of his personalised security devices and to inform his Payment Service Provider without delay of any unauthorised use of the payment instrument or the data linked to it.
There are two things to remember about these two texts:
- The speed of the claim. Report the fraud within the time limit set out in your banking contract.
- Absence of negligence. Make sure you provide evidence that you have taken all reasonable precautions.
The Court of Cassation considers that banks have a reinforced security obligation to protect their customers.
In a judgment handed down on 18 January 2017, the Commercial Chamber ruled that it is incumbent on them "to ensure that the company's assets are not used for purposes other than those for which they are intended", by application of articles L. 133-19, IV, and L. 133-23 of the same code, to prove that the user, who denies having authorised a payment transaction, acted fraudulently or did not fulfil his obligations intentionally or by gross negligence; that this proof cannot be deduced from the mere fact that the payment instrument or the personal data linked to it were actually used.
Just recently, the Commercial Chamber handed down a major judgment, reported in the Bulletin:
"After stating that it is incumbent on the payment service provider to prove gross negligence on the part of its customer, the judgment noted that the call number appearing on Mr [J]'s mobile phone was displayed as being that of Mrs [Y], his BNP advisor, and held that he believed he was in contact with an employee of the bank when he re-registered and re-validated the beneficiaries of transfers to his account that he knew, and that he believed he was validating the disputed transaction on his application, which the bank assured him was a secure transaction. It added that the spoofing method had given Mr [J] confidence and reduced his vigilance, which, in the face of a telephone call allegedly from his bank informing him that his account had been hacked, was less than that of someone receiving an e-mail, who would have had more time to notice any anomalies revealing its fraudulent origin.
6. From these observations and assessments, the Court of Appeal was able to deduce that Mr [J] had not acted with gross negligence."
We intend to use this case law, which is favourable to victims, in our various appeals.
4. How can you protect yourself against bogus advisers?
The consequences of bogus adviser fraud can be dramatic.
We have seen that fraudsters use phishing strategies to deceive victims and obtain confidential information.
This manipulation could result in colossal financial losses for our customers.
What's more, scammers are able to usurp your identity and open new bank accounts or order credit cards in your name.
Economic players have been urged to take part in the fight against bogus advisers. Since 1 October 2024, telephone operators have been obliged to interrupt malicious calls. They must make calls secure by implementing strong authentication of calling numbers.
But at the time of writing, only landlines are affected. In other words, crooks still have a vast territory ahead of them! So it's important to stay informed and protect yourself.
5 ways to protect yourself effectively
1. Protect your bank details. We can't stress this enough. A bank will never ask for your personal details over the phone, by e-mail or on unsecured websites.
2. Use official numbers. If you have the slightest doubt about the identity of the person on the line, hang up. Then contact your bank directly using the numbers shown on their official documents.
3. Install protection for your accounts. Activate SMS or e-mail alerts to be notified of any suspicious activity on your bank accounts.
4. Be vigilant about e-mails and text messages. Do not click on links or attachments in suspicious messages. Always check the sender's address to make sure it is your bank.
5. Report any attempted fraud. If you have been contacted by a bogus bank adviser, it is important to report the incident to your bank and the relevant authorities to avoid other people falling victim to the same trap.
#### FAQ
1. What should I do if I receive a suspicious call from my bank?
Never give out sensitive information. Make a note of the details of the call and contact your bank directly via an official number.
2. How do I know if an e-mail is really from my bank?
Check the sender's address. Banks use official domains and never ask for your login details by e-mail.
3. What should I do if I've shared my details by mistake?
Contact your bank immediately to block your accounts and report the fraud to the authorities.
4. How do I report fraud to my bank advisor?
To report fraud, victims must alert their bank, report it online and lodge a complaint with the gendarmerie or the criminal court, in accordance with the Criminal Code.
5. Can I be reimbursed in the event of fraud?
This depends on the terms and conditions of your bank and insurance. Act quickly to increase your chances.
6. What are the signs of a false advisor?
Urgent requests, tempting promises or threatening language are warning signs.