April 23, 2020

Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Today’s lesson in how not to get scammed comes from “Mitch,” the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he’s understandably embarrassed that he got taken in by this confidence scheme.

On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.

But Mitch knew enough about scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn’t ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they’d be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up.

The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.

“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.

Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he’d be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity.

That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank.

Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer.

It appears the initial call on Friday was meant to make him think his bank was aware of and responding to active fraud against his account, when in fact the bank had not yet detected anything. The Friday call also set up the bigger heist the following day.

Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he’d used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.

To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch’s name. Mitch said he didn’t open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank’s perspective Mitch was merely wiring money to another one of his accounts. Now, he’s facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank.

Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida.

Mitch replied that no, he didn’t have any family members living there. But when he spoke with the bank’s fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony “travel notice” to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn’t see anything strange about their California customer suddenly using his card in Florida.

Also, when the fake customer support rep called him, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address.

“I told her, ‘You tell me,’ and she read me the address of the house I grew up in,” Mitch recalled. “So she was going through some public records she’d found, apparently, because they knew my previous employers and addresses. And she said, ‘Sir, I’m in a call center and there’s cameras over my head. I’m just doing my job.’ I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'”

Mitch’s bank managed to reverse the unauthorized wire transfer before it could complete, and they’ve since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.

What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance.

If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled).

As Mitch’s experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online.

“What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online,” Mitch said. “I absolutely should have hung up and initiated the call myself. And as a security professional, that’s part of the shame that I will bear for a long time.”

Further reading:

Voice Phishing Scams are Getting More Clever
Why Phone Numbers Stink as Identity Proof
Apple Phone Phishing Scams Getting Better
SMS Phishing + Cardless ATM = Profit


144 thoughts on “When in Doubt: Hang Up, Look Up, & Call Back”

  1. Dennis

    Yes, absolutely. Hang up. What I also do is this. I reply, “Thank you for the warning. I will come over to talk to you in person.” I then drive to the bank and resolve it that way. (Provided the bank is not an online one, that are prevalent these days.)

    Unfortunately though, in this BS virus lockdown, it makes it much easier for scammers to use phones for their game. And for instance, I won’t be able to go to my bank now because their lobby is closed. Sigh.

    1. Jon Marcus

      “…Drive to the bank and resolve it that way…” only works for a very small set of bank customers who use a small bank within easy driving distance. Obviously it doesn’t work for online-only banking, nor do I think it’d work if you tried strolling into a little branch of BoA/Chase/megabank of your choice.

      As someone who just got done fighting with a small local bank to make them reverse thousands of dollars in unauthorized ACH payouts, I can tell you they’re no panacea!

      1. Evan

        One time, I went to my bank in person to try to resolve something, and the person I spoke to literally just dialed their call center and handed me the phone. (Pretty sure I was using Chase at the time, but might have been Wells Fargo.)

      1. Bubba

        Drive through? Now extinct/deprecated/obsolete/etc.

      2. Orv

        Where I live many towns have banned drive-throughs (other than ones that are grandfathered in) due to air pollution and pedestrian safety issues.

    2. Hugh

      BS virus lockdown? You don’t think the lockdown is necessary?

      1. JTT

        At some point the cure is worse than the disease. People are just now starting to realize this. At this point (a lot of my family and friends are medical) they say we are just delaying herd immunity. We’ve lost 26 million jobs in the US in 2 months. Undoing all the gains since the 2008 recession. And it was self-inflicted, there were no outstanding economic issues. My wife was furloughed, so this is personal, and she’s in medical research. Remember that the great depression impacted 15 million jobs at its height. Newer studies on the virus are also showing it hit earlier and far more people have had it than originally thought. Do I agree we should still keep at risk people protected and sheltered, yes. Let the rest of us go back to work before we make the great depression look tame!

        1. JTT

          “there were no outstanding economic issues.”

          Non-stop money printing since 2008 and 0% interest rates, but “there were no outstanding economic issues.”

          Ok, Boomer!

          Sharp analysis there, LMFAO.

          1. David

            Ummm, if you’re looking at printing money, go back to 2000. GWB cut taxes and then started two very costly wars which are still going on.

        2. Jon

          I also have friends and family who are doctors and nurses, and from their experience, people who “recover” are not guaranteed to become immune, and some get re-infected.
          In the meantime they go about their lives and might spread virus.
          Now it’s the time for the “trickle down” economics to be put in practice, and the money actually trickle down from billionaires to the workers.

            1. Jon

              Weather is great! The air smells of free healthcare!

              1. Bubba

                Stand in line for that free health care. If you can wait that long.

                1. Jon

                  Don’t worry. It will still be free.

                  And by the way, I’m from Europe, so I don’t really have to wait 🙂

        3. Mark Obvious

          Saying that the only thing social distancing is doing is slowing down progress towards herd immunity is like saying the only thing a funnel does when pouring liquid into a bottle is slow down progress towards filling the bottle.

          Look at the graphs the epidemiologists— people who have literally spent their entire professional lives studying how diseases spread— have put together. If we open things up too quickly, the hospitals will be totally overwhelmed. At that point, it won’t just be COVID-19 deaths you’re counting, every single car accident, elderly slip-and-fall, construction accident, stroke, heart attack, diabetic attack, concussion, etc. etc. etc. becomes significantly more dangerous because you probably won’t have even been triaged in the time you normally would have been able to wrap up your treatment.

          That the treatment is worse than the cure is a talking point put out by a PAC backed by a lot of very wealthy people who are losing a lot of money having people out of work, and very little to lose if a huge number of those people die because they want to start their money machines back up again. If the government has the political will, it can help individuals through this. That’s exactly what it should do. Don’t fall for the corporatist BS line being touted, here.

        4. Pat

          Tell me about how the cure is worse than the disease when it has killed tens to hundreds of thousands of people in a month. Letting the entire population get sick at once will be sentencing many times that number to certain death. That anyone could place so little value in human life as to willingly sacrifice lives for the sake of the economy is beyond disgusting. And the idea that such a stupid sacrifice wouldn’t be similarly damaging to your precious economy is beyond shortsighted. I am embarrassed to share this planet with the likes of you.

        5. wcoenen

          > Remember that the great depression impacted 15 million jobs at its height

          Also remember that the US population was only 120 million at that time. 15M out of 120M back then, would be like 40M out of 320M now.

        6. Ryan

          According to preliminary studies, the lockdown has so far saved $5.2 trillion in the United States, compared to letting it run rampant. Turns out a lot of people dying suddenly is really bad for the economy, and taking extreme measures to save those lives is actually a good thing.

          The lockdown is really painful for a huge number of people right now, that’s absolutely true. And the pre-existing economic issues are being massively exacerbated by the lack of retail sales, and may lead to a full-scale depression within the next quarter. But a lot of people who are being laid off or furloughed right now would also have been at high risk of contracting and dying from this disease had nothing been done, and it’s been painfully obvious that we were sliding into an economic crisis for the last year or two, with some sectors of the economy already having slid into recession territory. This didn’t break what was whole, it merely pulled back the curtains on what was broken.

          Here’s the source for my claim regarding the costs of the lockdown:
          https://arstechnica.com/science/2020/04/the-value-of-lives-saved-by-social-distancing-outweighs-the-costs/

        7. RJFerret

          We’re going to have a depression that is going to take years to resolve regardless, meanwhile there’s little benefit to afflicting much of the populace with ARDS, neurological deficits, and potential death for no appreciable benefit.

          Depression? Already got it. Please don’t be fooled by the astroturfing from marketing agencies and/or foreign governments who don’t have our best interests at heart.

          We don’t want to cut off our noses to spite our faces and also shoot ourselves in the foot! Yes, we’re going to have a depression, but that’s already the condition. There’s no benefit to adding an epidemic and overwhelming our medical resources on top of that too.

          Then when we come out of it, we want to not have neurological issues or ARDS impact our ability to work.

      2. Dennis

        Lockdown necessary? Perhaps at the beginning. The beginning is past and the lockdown should be rescinded.

      3. Tim

        I think the lockdown is BS! Healthy people — i.e., people with no symptoms/signs of COVID-19 — should NOT be quarantined. Sick people, yes; healthy people, no. Sick people include obese, immunocompromised, over aged 60. Healthy people include 0-59 age.

        1. Jim

          Yup, that’s why kids are dying, herd immunity only works if it’s someone else’s kid dying. What if it’s your kid? Don’t buy that bull. This will be around for years, because of virus mutation. All viruses mutate. Just as we are mutating. We are saying one virus, reputable sources of Chinese papers say thirty viruses, so thirty vaccines are needed. How many years to produce one vaccine?
          Good job on the story. Shows how anybody can be suckered in. And how banks can help.

    3. Lindy

      Dennis, so sorry you feel we are in a “BS lockdown.” Besides the fact that it is flattening the curve, and keeping many of us safer…you are inconvenienced and mad about it. You want people to die so you have the freedom to go where ever you want? I call that “BS Selfish.”

      1. Dennis

        I am personally benefiting from the lockdown. No one has to die. If you are in a high-risk category take precautions. If not, go do what free people do. If I stay home, Lindy, and use Amazon and order in you couldn’t infect me if you wanted to. Stop being a bully and telling me what I can or cannot do.

    4. Tony Austin

      This is what I do. I never use a debit card for anything but personal banking inside the bank. I use a credit card for everything I can and pay it off at the end of the month. I have no banking or brokerage apps on my phone. I prefer to do inside the bank or from brokerage stuff on a desktop at home.

      I avoid writing checks to the best of my ability. Last time I wrote a check was six months ago at a dealership to buy a car.

      I am now going to add my personal security setup: When in Doubt: Hang Up, Look Up, & Call Back

  2. Ian

    I’m really glad he shared his story as it is a great learning experience but he should definitely be embarrassed. It sounds like the scammers were good at their craft but there were still a lot of red flags.

    The primary point I can’t get over is that he actually called the bank himself (as he should have) but then only used that to “verify” that he was talking to a legit bank employee on the other line??? Why not just stay on the line that you initiated the call from???

    Poor guy. He’s going to be kicking himself for a while over this one.

  3. Sam

    Thanks to “Mitch” for sharing this. I am also in IT and would probably be too embarrassed to tell you about it – even though you don’t know me from Adam!

  4. Greybeard

    It’s even worse than this. My sister almost fell for one of these complex scams. She knew enough to hang up and call back–but she was on a landline: as we later reconstructed, when she called back *the scammers had never hung up*. Remember that if I call you on a landline, you can hang up, but until I hang up, the line usually stays open.

    My sister couldn’t remember whether she’d heard a dialtone before calling back (with cellphones so common, we’re less used to checking for that), but they could have faked that, too. Fortunately something alerted her, perhaps the fact that the scammers claimed to be able to see both her Visa and her MasterCard, which are from different issuers.

    The lesson: if you get such a call on a landline, call back *on a different line*, or else place another call in between to be sure the line is cleared.

    I’ve since seen this scam described elsewhere; as my sister is very non-technical and wasn’t 100% sure of some of the details, it took me a few days to figure out how it might have worked enough to even search for it. Pretty clever. And nasty.

    1. Johnny

      Holy crap! I never realized landlines work like that.
      I recently encountered this behavior at my grandparents’ house and I just assumed the wiring of the phone must be bad or something like that.
      I didn’t investigate further.

      1. Aaron

        Only some particularly old, and relatively uncommon phone systems work that way, however there is a trick where a scammer might play the same tones that call waiting makes, including a fake caller ID to trigger user.

    2. Bubba

      You or your sister could verify that your sister’s landline is vulnerable to that caller no hang-up trick by calling from another phone. Unless she lives in an area with a very old phone system, that trick should not be possible since sometime in the 80’s.

  5. DelilahTheSober

    Here’s another thing that I do – if the call is on my cell phone, I copy and paste the phone number and immediately do a Google search, but let’s just say the number was 1-818-555-1212. I find that I get much better results by deleting the 1- and just searching for 818-555-1212.

    1. Martin

      If I understand correctly, that number can be spoofed:

      “Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.

      But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers…”

      1. DelilahtheSober

        I absolutely never actually call these numbers – but if the number shows up on a Google search as a scam number I automatically block it on my iPhone. If the number doesn’t appear to be a scam I just wait for the person to call me back and I let my voicemail take the call.

  6. Sean

    Another thing he missed, if they called you, they shouldn’t need to verify you by sending a one time code via SMS. Verifying identity is when you call in to the bank, not vice versa.

  7. Jack Bauer

    While there can be skimmers or other devices in ATMs, they are more likely to be on POS readers such as on fuel pumps and in convenience stores and fast-food restaurants. Not sure why Mitch was using a debit card anywhere else. Minimize your attack surface as well by freezing all credit agencies’ accounts (TransUnion, Equifax, Experian, and Innovis). Also, freeze your ChexSystems and NCTUE accounts.

  8. The Sunshine State

    Real good story, I wonder if there is a money mule in Florida to transfer the money out of this country?

    1. bill

      Don’t you have shops in the Sunshine State, where they take money from little old ladies?

  9. Rick

    How did the scammers find out Mitch’s phone number to set-up a pretend call from his bank?
    How did the scammers initiate a $9’800 payment from his account? ($9’800 smells as if the fraudster knew that the bank had a $10k limit for payments using their chosen procedure) – perhaps above which additional security measures would be required. In Europe, one would normally do that online and the multi-factor code (typically 8 A/n characters) would be computed based on:

    1. You having a MFC calculator with a card reader (either contact chip or contactless). Having an original debit card for the bank account in question.
    2. Inserting the debit card into the calculator or waving it past the contactless reader. The card generates a random code every time it is used as a token.
    3. Entering the bank contract number into the bank’s payment web page (which is different from the account number and is notified to the customer when they open the account)
    4. Entering a PIN which might be 10 digits into the calculator (one has 3 to 5 attempts to get it right, and then it locks down).
    5. Entering a random say 5 digits from the payee bank IBAN (international bank account number) eg the last five digits or some other block of 5 digits of the account number into the calculator.
    6. Entering the amount of the payment into the calculator
    7. The calculator computes the one time password from the above data elements eg G3 F3 W8 32 and one enters that into the bank webpage.

    In this way the payment credentials are locked down to somebody with the bank’s calculator and say a Visa debit card from the bank (skimmed cards won’t work), and further locked down to the destination account IBAN and further still locked down to a specified amount – not to mention the PIN entered into the calculator. So even a keystroke logger can’t replicate the one time password – because it only works for that single destination account and for the fixed sum one specified.

    I’m guessing that it was an inside job at the bank? Otherwise where did they get his phone number from? If I ignored online banking and sent an email or letter to my bank to transfer funds to another account (even in my own name), somebody who knew my voice would call me to confirm the payment details. And the system keeps templates for transfers to your confirmed other bank account numbers – and if a new account shows up as a transferee, even in my own name, I suspect they would have extra precautions. And it is a big bank, one of the largest in Europe with branches in the US, Asia, Latin America etc – but they are organised in teams where the team members get to know the voice of each customer.
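    The two schemes being contrasted in this thread, modelled side by side as an added Python example (this is not code from the article, from Mitch’s bank, or from any commenter): scheme A is the article’s Saturday call, where the fraudster keeps one line open to the bank posing as Mitch and another to Mitch posing as the bank, and simply relays the texted code; scheme B is a simplified version of the chip-card calculator Rick describes above, where the code is an HMAC over the destination and amount the card-holder keyed in, so the bank recomputes it over whatever the caller actually asked for. The card key, PIN, account labels and the `Bank` class are constructed for the demonstration; the real devices verify the PIN inside the card and, because the holder types by hand, bind only a subset of the IBAN digits rather than the whole destination.

```python
import hashlib
import hmac
import secrets

# Constructed demo secrets (an assumption for this example): a real card key
# lives in the chip and in the issuer's HSM, never in source code.
CARD_KEY = b"demo-card-key-0000"
CARD_PIN = "4321"
ATTACKER_DEST = "ONLINEBANK-55555"   # constructed: the new account opened in the victim's name


def _bound_code(key: bytes, dest: str, amount: int) -> str:
    """8-digit code = HMAC over the exact wire the card-holder keyed in."""
    mac = hmac.new(key, f"{dest}|{amount}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def card_generate(pin: str, dest: str, amount: int):
    """The card-holder's own generator: needs the physical card (key), the PIN,
    and a destination/amount the holder entered. A skimmed magstripe image
    does not carry CARD_KEY, so it cannot produce a code at all."""
    if not hmac.compare_digest(pin.encode(), CARD_PIN.encode()):
        return None                      # wrong PIN: no code
    return _bound_code(CARD_KEY, dest, amount)


class Bank:
    """Minimal model of the issuer's phone-channel back end."""

    def __init__(self):
        self._pending = {}   # scheme A: code -> (dest, amount) awaiting read-back
        self.completed = []  # wires that were released

    # scheme A: plain SMS code, as in the article
    def request_wire_unbound(self, dest: str, amount: int) -> str:
        """Caller (whoever that is) asks for a wire; a code is texted to the phone on file."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[code] = (dest, amount)
        return code                      # the SMS that lands on the victim's phone

    def confirm_wire_unbound(self, code: str):
        """Whoever can read the code back gets the wire released."""
        tx = self._pending.pop(code, None)
        if tx is not None:
            self.completed.append(tx)
        return tx

    # scheme B: code bound to destination and amount
    def confirm_wire_bound(self, dest: str, amount: int, code):
        """Recompute over what *this caller* submitted; a code generated for
        anything else (a 'verification', another payee, another sum) cannot match."""
        if code is None:
            return None
        if hmac.compare_digest(_bound_code(CARD_KEY, dest, amount), code):
            self.completed.append((dest, amount))
            return (dest, amount)
        return None


def relay_attack_unbound(bank: Bank):
    """Scheme A with two lines open at once."""
    # Line 1: attacker, posing as the victim, asks the bank for a $9,800 wire.
    sms_on_victims_phone = bank.request_wire_unbound(ATTACKER_DEST, 9800)
    # Line 2: attacker, posing as the bank, asks the victim to 'validate his
    # identity' by reading back the code that just arrived. The victim complies.
    code_read_back = sms_on_victims_phone
    # Line 1 again: attacker relays it and the wire is released.
    return bank.confirm_wire_unbound(code_read_back)


def relay_attack_bound(bank: Bank):
    """Same ruse under scheme B: the fake rep only gets whatever the victim's
    generator produced, here a code over a 'verification' with no wire in it."""
    code_read_back = card_generate(CARD_PIN, "VERIFY", 0)
    return bank.confirm_wire_bound(ATTACKER_DEST, 9800, code_read_back)


def legitimate_wire_bound(bank: Bank, dest: str, amount: int):
    """The card-holder wires money himself, keying in the real payee and amount."""
    return bank.confirm_wire_bound(dest, amount, card_generate(CARD_PIN, dest, amount))


if __name__ == "__main__":
    b = Bank()
    print("unbound relay:", relay_attack_unbound(b))               # the fraudster's wire goes through
    print("bound relay:  ", relay_attack_bound(b))                 # None: code was not for this wire
    print("bound legit:  ", legitimate_wire_bound(b, "SAVINGS-12345", 250))
```

    Under scheme B the fraudster's only remaining move is to talk the victim into keying the fraudster's own payee and a $9,800 amount into the generator, which is a far harder ask than "read me the code we just texted you"; binding the code to the transaction turns a silent relay into an explicit request the victim can see and refuse.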

    1. Adrian H

      Getting hold of the “Fullz” is a relatively easy task for scammers with access to dark web marketplaces. It may have cost them $25.00 to get his full social, email and phone number.

  10. Jay

    This is why I won’t use a Debit card for POS.

    It is one thing to be battling over credit card charges. It is a whole different ball game when they have your debit card and pulled the money from your account.

    1. Security Guy

      Agreed, so many more bad things can happen to you when using a debit card? Customers are mostly insulated from credit card fraud.

  11. Osiris

    Great reporting, story, eventual outcome, lessons learned, and guidance… this adding to immediately hanging up…

    “…If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled)…”

    Thanks!

  12. bill

    The trouble is, we all think, we are smarter than we are.
    They upset you. Offer to sort it . . .
    Woman, nice accent.
    Oh sorry, I’m new, you’re only my second call . . . a little chuckle . . .

  13. Matt

    This type of scam is generally called a “man-in-the-middle” attack and does not just happen with card issuers. I had someone try to run this scam using my AT&T cell phone account. As soon as they told me they were going to send me an OTP I knew they were trying to scam me. I hung up with them and called AT&T and found that someone had accessed my online account.

  14. Bonzo

    Nice read, thank you.
    In EU credit/debit cards are with chips and magnetic part of the card is rarely/never used. So “copying” the card is hard(er).

    1. grimes

      also, contact less payment methods and terminals are very common in EU, so you hardly enter the pin at the terminal for small transactions.

  15. Bill

    This is something I wrote in response to the scam listed above and after reviewing and listening to comments, it will go out to all of the email addresses in our neighborhood. Will your readers please critique it? Serious suggestions are welcome.

    Thanks.

    1. Don’t give them any information.
    2. Find out who it is that is calling
    3. And find out why they are calling
    4. Ask the person for a call-back number where the caller can be reached
    5. AND THEN HANG UP.
    6. Look on your financial institution’s financial statement and see if the number you were given matches the number you were given on the telephone
    7. If you can check your account online, do so and make notes of any charges (or deposits) that are in question
    8. Whether the number matches or not, call your financial institution directly and ask them this question: “Is there a problem with my account?”
    9. If you noted problems with your account, bring that to their attention

    1. Noor

      I would simplify your steps to:

      1. Don’t say anything other than “hello”. Let the caller talk and give their initial pitch.

      2. When the caller is done speaking, immediately disconnect the call. Do not say anything, especially the word “yes”. Just hang up.

      3. Call the financial institution using a known phone number from a document or card you already hold. Tell the rep you think the company tried to call you and you want to find out if anything is wrong with your account.

      1. Bill

        Yeah. I see your point; simpler is better. Thanks.

      1. Noor

        Not answering at all is, obviously, the most effective way to avoid scammers. Unfortunately, there are people who don’t have Caller ID, who have to answer all calls that come in, or are members of a generation that was trained to always pick up, particularly if the call is thought to be “long distance”.

        1. Bubba

          Similar to “moths to a flame” or the Eloi to the caves when the sirens wail the Morlocks (scammers) call their prey?

          Oh, but wait! There are also answering machines used to screen calls. They are still being made.

  16. Steve

    His initial mistake was not having transaction alerts set up for his bank account. If he’d had those in place, he would have known there was a problem with his account long before the phone call.

      1. Steve

        I don’t know how alerts work for every bank, but for mine, any change to the account–including email address or phone number–triggers an alert. Even logging in to the account from an IP address not previously used triggers an alert.

  17. Catwhisperer

    Alerts have saved me many a time. The last important one a fraudulent $500 ATM withdrawal at a branch. I got the notice within 10 seconds and was on the 800 number within 30 seconds. Interestingly, they would neither show me a picture from the ATM cams of the perpetrator, or report it to the police. This was in 2008, and a few weeks later the bank, one of the too big to fail banks, posted an $8 billion profit. Coincidence or something else?

  18. Stephanie

    I also got a similar call a few months ago (before the COVID-19 stay-at-home situation), but because I was not able to get to the phone, I let the call go to voice mail. Basically, the message stated that my credit card had suspicious activity on it and to call Bank of America back as soon as possible at the number they gave in the message. The number they asked me to call was different from the legitimate 800 Bank of America number on my credit card, and which is listed on Bank of America’s website. My Caller ID said simply in capital letters “BANK OF AMERICA.” No phone number listed. I have NomoRobo service on my phone, so I can only assume this was not a robocall, but one placed by an individual, which is why it was not filtered and bounced.

    I am ever vigilant about my credit and debit card. I call each day in the morning to check the balances and to verify that any pending and posted transactions are true. This is as much of a ritual as my morning cup of coffee. I had already done this in the morning prior to this call I received in the afternoon, but after receiving the call, I called the automated number on the back of my credit card (which is the number I call each day). There were no new pending or posted charges from when I called in the morning.

    Taking this a step further, I looked up the bank’s phone numbers for each service they provide on Bank of America’s website (first verifying that the web address site was encrypted and the certificate was valid). There was no number listed that matched the number I was given to call in the message. Then I called the number on the back of my card again. After pressing the prompt to get to a real person, I got a Customer Service Rep, and after identity verification, I asked the CSR to check if anyone from the bank had called me that day. She researched their phone logs, and confirmed that no one from Bank of America had called me that day or even in the last week. She said she could not verify if the phone number that I was asked to call in the message was a BOA outgoing phone number. She said her system did not list the number, only if a call was placed to me by BOA. I asked her to list the recent pending and posted amounts and all were legitimate and matched my previous calls.

    I then explained what prompted me to follow up on the phone call I had received. She totally understood my suspicions and actually admitted that Bank of America has been spoofed in the past, that there is nothing that BOA can really do about it, and that it was good that I was so thorough and diligent to not only follow up on the call, but that I actually checked the balances daily.

    You know, we all get busy and life can get worrisome and hectic, especially right now. And these fraudsters know this and take advantage of people. It upsets me that the gentleman in this piece was taken advantage of, and I am so glad that he got everything straightened out. And I want to thank him for having the courage to come forward with his story to warn others. Which is why I am writing this message to everyone explaining my experience and the steps I took to research the call I got.

    If you ever get a call like the one I got, HANG UP, and then contact your financial institution as soon as possible, directly at their legitimate phone number, not the one on Caller ID if listed, which in my case only said “BANK OF AMERICA” (which really raised a huge red flag for me), or the one given to you by the caller.

    It took me almost an hour to research and follow up on this spoof call, but I consider it time well spent if it can forewarn someone else.

  19. Tim

    This item describes a real nightmare scenario for me. Worse if your card is connected to your bank account, I am sure.

    I went through a similar chain of events with an alert from Amex. I still don’t know if it was a scam. A fraud alert was texted to me and I called the number on it and confirmed I did not make a charge. A new card was coming soon as my card had nearly expired, but the “Amex” rep offered to cancel my card and send me a new one. I gave up no personal information. In the middle of that night I could not sleep wondering if that number was really Amex and how I might be scammed. I got up and called every department number I could find until I got assurances that the fraud was real and the new card would be real.

    The funny thing was that Amex or somebody sent my wife and me new cards three times. A new one which was linked to the Amex web page, and then cards with the old numbers on two occasions. The Amex excuse was that two computer systems were probably not talking to each other.

    btw – Our credit reports are frozen.

  20. Clay_T

    “When in Doubt:…”

    Why wait for “When”?
    How about never discuss financial stuff unless you initiate the call.

    I recently had my CC jacked. I knew immediately, since I get texts and emails for all transactions.

    After canceling the CC and getting a new one, I found that texts were no longer working for the new CC.

    I called the bank and discussed it. They said they would look into it and get back to me.
    When they did call back, it was the bank phone number in my contacts and showed up as the bank’s name.

    So far, so good.

    They reviewed what had already been discussed in the prior call and asked for the last four SS digits or some such, to verify it was me. I was ok with that since they already knew enough about the issue, they had to be looking at the bank’s records.

    Then they said they were going to give me a phone number to send a text to in order to reinitialize texting for the CC.

    At that point I said thank you and I will call them back.

    I was confident they were actually the bank but I still didn’t want to violate rule #1.

  21. Kent Brockman

    A cautionary tale for sure. As an aside, I don’t use debit cards and I have notifications sent to me daily for ANY charges on my credit cards. And I absolutely NEVER answer phone calls; I let voice mail do its thing and then only call the organization’s main number, NOT what’s left on the message. Humans are conditioned to create stories, often from incomplete data that fits a preconceived notion of what is “normal”. The only way to stay safe is to not take shortcuts or operate off assumptions but go through proper procedures. If you insist on wanting to assume, then assume all contacts are potentially fraudulent until proven otherwise.

  22. James Schumaker

    As a matter of security, I don’t like to talk to banks on the phone at all. I’ve instructed that all alerts come by e-mail so that there are readable headers and spoofing is not possible.

    I can also quickly travel to the bank in question if necessary and deal with the issue in person with someone I know there.

    If I got such a call, I agree that the best course is to be polite, hang up, and not call back.

    I would also note that I found the story about back and forth calling on different phones a bit confusing. What number was being used on the callback? If it was the same one the original caller used, no wonder the scam worked.

  23. JCitizen

    Thanks Brian for this timely article. I have a question, because I never knew crooks could spoof their electronic ID to any bank. I noticed an unfamiliar PayPal XFER of a small amount to my bank, so I checked at PayPal, and they couldn’t find it in the records!!

    I am probably assuming too much, but if my account was hacked, wouldn’t the charge show up on my account? Wouldn’t the criminal also have used my credit card information listed in my account? I’m assuming they just found my bank information in one of those pools of stolen data somewhere and directly attacked my bank account with this spoofing transfer.

    Maybe I’m wrong, but we blocked PayPal for 3 months hoping this would be the last time; but I’ll have to watch my account like a hawk now, because it looks like they’ve found a new way to rob the bank!

  24. Jobani

    “If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name…”

    Freezing credit files would stop thieves from opening credit accounts. Freezing your ChexSystems file would stop thieves from opening bank accounts, as banks commonly base the decision of opening an account on the results of that report.

  25. jason

    This would not occur in China in the AliPay or WeChat ecosystem. First, every phone number can only be obtained and verified in person with proven documentation (e.g. citizen ID card or passport), so if you use your phone number to call around, it can very easily be traced back to you and the cops will be knocking on your door very soon. Second, in China’s electronic money system, there is no situation where some “agents” call you about “fraud”. Every transaction, transfer in, and transfer out is completed instantaneously, within seconds, and the verification is a PIN code texted to your phone number, and the PIN number expires in a few minutes. Third, some transactions, including purchasing a train ticket, now require customers to do Facial ID PLUS PIN#. There is slim opportunity in the ecosystem for criminals to pull scams like these. We really need to fundamentally reform our consumer financial system to catch up with the times. Abandon the “old” system as detailed in this story and move ahead.

    1. Jackson741

      Stopped reading after “in China”.

      Nope.

  26. Berend de Boer

    That’s a lot of work for $9,800. Looks like the low hanging fruit is gone.

    But having said this, this sounds overly complex, and at some points I doubt it would work.

    1. BrianKrebs Post author

      $9,800 in exchange for a handful of free phone calls and an hour or so of your time? Seems like pretty good money to me.

  27. Robert M

    Listen to the advice from Frank Abagnale, the person “Catch Me If You Can” is based on. During his “Talks at Google” video he gives out some advice at the end of the talk based on his years at the FBI. Tip #1: Use a credit card and not a debit card!

    Search for that video and go to 45:35.

    1. Steve

      Banks shouldn’t even allow debit cards to be used for anything other than ATM transactions.

  28. Alain

    Really, this person is a “one security and tech-savvy reader” and this person uses their debit card at gas pumps. Or uses an ATM without giving it a VERY careful look….

    I would use a description such as “one slightly stupid reader who pretends to know security”.

    Can we know for which corporation/tech service that person works? So that I can avoid it like the plague???

    1. Steve

      Alain, that is precisely the sort of attitude that leads to stories like this, as well as corporate breaches, etc.

      YOU ARE NO MORE PERFECT THAN ANYONE ELSE.
