Banking Trojan Distribution via Fake Support Calls
How vishing calls impersonating banks or tech support trick victims into installing banking trojan software under the guise of resolving a fraudulent transaction.
Part of: Banking Trojan and Infostealer Malware Scams
Last reviewed: 9 June 2026
Banking trojan delivery by phone differs fundamentally from email-based distribution. A phone caller who poses as a bank fraud department and walks the victim through an installation process in real time — providing live verbal reassurance at each step — achieves a level of compliance that a malicious email attachment rarely does. The caller controls the pace of the installation, answers questions that might otherwise cause the victim to stop, and provides a false sense of institutional authority.
Phone-delivered trojans are particularly dangerous because the victim believes they are receiving help rather than being attacked. They may stay on the call for thirty to sixty minutes, during which the installed software establishes full remote access to their device, and the caller — now watching the screen — can access banking apps, harvest stored passwords, and initiate transfers.
How this scam works on phone calls
The call opens with a claim that the bank's fraud monitoring has detected suspicious transactions on the victim's account. To secure the account, the caller instructs the victim to download a 'bank security tool' or remote access application such as AnyDesk or TeamViewer. Once installed, the caller asks for the device PIN or remote access code to 'verify identity' and gains full screen control.
Once in control, the caller navigates the banking app directly or instructs the victim to approve transactions under the pretext of moving money to a 'safe account.' Alternatively, a properly packaged banking trojan is installed during the session, providing persistent backdoor access after the call ends.
Common red flags
- Bank representative calls asking you to download software to your phone or computer
- Caller instructs you to install a remote desktop or screen-sharing application
- Request to read out or enter a code from the downloaded app to 'verify' the connection
- Caller asks you to approve an in-app transaction to 'test' the fraud protection
- Call originated from a number that looks like your bank but you did not initiate contact
- Caller has knowledge of your name, partial account number, or recent transactions — which may come from a data breach
How to protect yourself
- Know that legitimate banks never ask customers to install software during a phone call
- Hang up and call your bank's official number from the back of your card
- Never share screen access, PIN numbers, or in-app authentication codes over the phone
- If you installed any software during a suspicious call, disconnect from the internet and contact your bank immediately
- Tell your bank what happened so they can place a fraud alert on your account
How to report it
- Contact your bank's fraud team immediately using the number on the back of your card
- Report to Action Fraud (UK) or IC3 (US)
- Report the phone number to Ofcom (UK) or the FTC (US)
Frequently asked questions
Why did the caller know my account details if they were a scammer?
Partial account details can be purchased from data brokers, obtained in data breaches, or guessed using information from your social media profiles. This knowledge is used to build credibility — it does not prove the caller is your real bank.
If I gave remote access, what should I do now?
Disconnect the internet connection on the device immediately. Do not use the device for banking or any sensitive activity. Contact your bank by phone using the number on your card, explain what happened, and have them freeze your accounts. Take the device to a professional to have it cleaned.