Yesterday, instead of having a productive afternoon at home, I had the privilege of sitting at the bank for a couple of hours, resolving a problem completely of my own doing: I fell for a phone scammer. My wife and I had to close our accounts—which were in excess of 25 years old—and set up new ones. I then spent hours updating our various bill paying services, Quicken account access, etc.
Do yourself a favor, and don't be me. I never thought I'd be "that guy" either, as I keep current on scams, look for signs of fishiness on phone calls, etc. Still, they got me, and it was painful—not necessarily in terms of financial loss (we're out $500 for maybe 60 to 90 days while they investigate), but in terms of time: Time to fix what I did, and even more time spent beating myself up over my stupidity.
Here's the tl;dr version: Do not ever, as in never ever, give out a verification code over the phone. I know that now. I knew that earlier today. I've known that for years. And yet, I did it. What follows is a bit of the nitty-gritty on how I got scammed, what I learned (beyond the above), and some technological things that affected my behavior during the call. Hopefully the sharing of my stupidity will help others avoid the same fate…
It began early in the afternoon with a phone call. The caller knew my full name, was either a native English speaker or had been speaking it since he was a tiny tot, had a very professional tone, and his grammar was better than that of many people I know. In short, none of my normal "it's a scam!" warning cues were triggered. Let's call the scammer Jerk, because I don't want to demean anyone's real name.
Jerk said, "Hi, I'm Jerk, calling from First Technology Federal Credit Union (I thought about hiding our bank's name in this writeup, but it's quite easy to find, as I've tweeted about them quite often), and I need to speak to you about a couple possibly fraudulent debit card transactions in Alabama. Is this Rob?" At this point, I noticed that my phone did indeed show the call coming from First Tech.
With the smooth intro, and matching caller ID, no alarm bells were going off, but I was a bit confused as I never (as in never) use my debit card—so how could someone have gotten ahold of it? But still, things happen, so it was a possibility. But as I was a bit cautious, I said "How do I know you're from our bank? What number can I call you on?"
Jerk replied with "Check your phone, and compare the caller ID to the number on your debit card for customer service; they'll match." As I'd already done that, I knew he was right. Still, I was a bit concerned, so I asked again, and again he referred to the caller ID info.
I let him know that I knew it was easy to spoof caller ID, so then he said "And the last four digits of your social security number are 6789." Those numbers matched, and at that point, I was convinced enough to continue—because banks do call to discuss fraudulent transactions; my wife had such a call from her credit card's bank just a month or so ago.
He then said that before we could discuss the fraudulent claims, he needed to be certain it was really me on the other end of the phone. So he said he'd send out a confirmation code to my phone, which I'd then have to read back before we could proceed.
The text arrived and I did confirm that the texts were coming from First Tech, at least to this extent: They came on the same source number as had other texts from my bank in the past. But that's because Jerk was using the "I lost my password" feature on my account to generate the codes direct from First Tech.
This is when a technological issue bit me: I use a relatively large font, which meant the bank's text arrived in three balloons…and they arrived out of order.
The first balloon to arrive said "3 of 3," and contained "hours" and that was it. The second balloon (1 of 3) was the one that contained the "Do not share this code with anyone!" language, but it went off the screen when the third (2 of 3) arrived, which is where the code itself was, and ended with "…will expire in 8," as seen below:
Obviously, the text there says it's a login code. Did my eyes see that? Nope. All they saw was the code, because that's what I was looking for. This is partially due to another technological issue: The text is just that, text. Other than ALL CAPS, there's no way to call out an item (bold font, red font, outlined text box, etc.), so I just glossed over everything but the code.
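As an added example (not from the post, and not First Tech's code), here is a check a bank's messaging team could run on a one-time-code text before it ships: it splits the message the way a handset does under the standard GSM-7 limits (160 characters for a single text, 153 per part once it is concatenated; 70/67 if any character forces UCS-2) and reports whether the "do not share" warning and the code land in the same part, so the two cannot be separated however the parts arrive. The six-digit code format and both sample messages are constructed assumptions.

```python
import re

# Characters in the GSM-7 extension table cost two septets each.
GSM7_EXT = set("^{}\\[]~|\u20ac")
# Printable ASCII minus the extension characters and backtick, plus
# the accented letters and symbols of the GSM-7 basic table.
GSM7_BASIC = {chr(c) for c in range(0x20, 0x7F)} - GSM7_EXT - {"`"}
GSM7_BASIC |= set("\n\r£¥èéùìòÇØøÅåΔΦΓΛΩΠΨΣΘΞÆæßÉ¤¡ÄÖÑÜ§¿äöñüà")


def split_segments(text):
    """Split an SMS into the parts a handset receives (GSM-7 or UCS-2 rules)."""
    if all(c in GSM7_BASIC or c in GSM7_EXT for c in text):
        single, multi = 160, 153   # 7-bit; the concatenation header costs 7 per part
        cost = lambda c: 2 if c in GSM7_EXT else 1
    else:
        single, multi = 70, 67     # one non-GSM character forces 16-bit UCS-2
        cost = lambda c: 1
    if sum(cost(c) for c in text) <= single:
        return [text]
    segments, current, used = [], "", 0
    for c in text:
        if used + cost(c) > multi:
            segments.append(current)
            current, used = "", 0
        current += c
        used += cost(c)
    if current:
        segments.append(current)
    return segments


def code_and_warning_together(text, code_re=r"\b\d{6}\b", warning="do not share"):
    """True only if the code (assumed six digits) and the warning share a part."""
    segs = split_segments(text)
    code_idx = next((i for i, s in enumerate(segs) if re.search(code_re, s)), None)
    warn_idx = next((i for i, s in enumerate(segs) if warning in s.lower()), None)
    return code_idx is not None and code_idx == warn_idx


# Constructed sample messages (not the bank's real wording).
LONG_SMS = (   # warning up front, code 190+ characters later: they end up in different parts
    "Do not share this code with anyone! Bank staff will never ask you to read it "
    "back over the phone. If you did not request this code, call the number on the "
    "back of your card. Your login code is 482913 and will expire in 8 hours."
)
SHORT_SMS = (  # fits one part, so code and warning cannot be separated
    "Your login code is 482913. Do not share this code with anyone; bank staff "
    "will never ask for it. Expires in 8 hours."
)
```

Run `code_and_warning_together` over each template in the outbound queue and reject any that returns False.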
Still, I had reservations, but I was worried about the fraudulent transactions, so I started reading the code. I read it pretty quickly, though not all the way through. As I was reading, Jerk asked me to slow down, which I thought odd: "If he's just reading a code to compare to mine, I shouldn't have to read the code this slowly."
As it turns out, I was reading so slowly that the code expired, and they had to send another one (or so he told me—but he clearly just typed it wrong, as it's good for eight hours).
But doubts were now in my mind, so I again asked for a callback number, or some other way to prove that they were my bank. And that's when Jerk got me with a piece of data that convinced me…he said "Earlier I gave you the last four of your social security number; the full number is 123-45-6789." And my brain immediately went, "Well, they must be legit, because who else would have that?!"
This was, to use an overused idiomatic expression, the straw that broke the camel's back. I figured nobody should have my full social security number, but the bank would definitely know it. So, despite my misgivings, I read the whole number back. And that's when I lost the battle, and the war, to the scammer.
After reading out the number to Jerk, he asked me about two separate transactions in Florida, which I stated were obviously not mine. I was pretty sure he'd said Alabama at the start of the call, but didn't think to question it—it just seemed odd that the state had changed.
He then thanked me, said that I shouldn't use online banking as it would be locked while they investigated, and that FedEx would have a new card for me in the morning.
As soon as I hung up, I sort of worried that there was more bad stuff going on. So I tried to log in to my bank, and couldn't—it said my password was wrong. Still, the irrational part of me was winning my battles, because I decided that this meant that whoever was accessing my card from Alabama or Florida had somehow gotten my account information. Honestly, I did not tie this to the phone call I'd just finished—I was that convinced the call was legit.
To even generate the code I received and then read back to him, Jerk had to know my login name, date of birth, and full social security number. If I assume that my social security number was obtained in some other leak, and that birth dates aren't that hard to find, that still leaves my login username for the bank.
And that's where I get stuck, because my ID wasn't easily guessable, and it's not something I'd ever use on another site, nor publish online in any way. So how did Jerk get my username, if not directly from the bank somehow? In the end, it was still my fault for reading back the code, but now I wonder how they even got to that point…
A couple minutes later, I got an email that alarmed me a fair bit (my emphasis added)…
You've activated your account with Zelle. You can now send money to just about anyone with an email address or a mobile phone number. If you have any questions, updates or concerns PLEASE DO NOT REPLY TO THIS EMAIL. Please send [the bank] an email using the secure email feature via Online Banking (accessible via thebankurl.com or the mobile app) or by calling us at 855.8555.1212.
Well, that can't be good, as it's clearly not something I would have done (I wish our bank didn't support Zelle; it can be disabled, but once you log in, you can enable it again), plus I couldn't log in. Still, my brain wouldn't connect this to the phone call. Then, another minute later, this email arrives…
You sent money to Tyran White. Here are the details:
From Account: *****123456
Amount: $ 500
Memo: Tyran White will receive their money within a few minutes. If you did not send this money, or if you have any questions, call First Technology at 855.555.1212.
OK, that really got my attention. And it was at this point that I (no, I still didn't connect this to the phone call) called First Tech (and got put into their hold queue), and also started madly tweeting at First Tech about my being robbed.
Not making immediate progress on either front, I had my wife drive to the local branch, where she learned that our account had been taken over, and we'd both need to visit the branch in person. And yet…I somehow still thought this was related to the debit card fraud and not the phone call!
It wasn't until I arrived at First Tech, and sat down with the specialist as she pointed out the language in the received texts (never give the code to anyone and that this code was to be used for logging in) that I realized I completely and totally screwed up. I said some bad words (then apologized for saying them), called myself every synonym for "stupid" in the thesaurus, and generally felt like a total idiot.
Interestingly, she told us that these scams have increased dramatically since the COVID-19 outbreak, probably because everyone's stuck at home, and they don't want to go out to a bank to deal with something like this. In fact, while we were there, a couple next to us was going through the exact same process, and she told us that they're averaging two to four a day some weeks. And our rep told us that even the bank's own mortgage finance rep had fallen for it. Still, I felt like a total idiot.
My wife and I then spent the next two or so hours in the bank, closing all of our existing accounts and opening new ones. We have a fair number of accounts, between checking, savings, bill pay, and the kids' accounts, so it was an involved process. But really, that was just the start of the work: I spent much of last evening and this morning setting up our various bill pay services, updating account numbers, trying to ensure that scheduled payments were going to be made, etc.
Obviously, I missed a number of red flags and made some stupid decisions yesterday. So that you don't do the same—or if you do do the same—here's what we're doing going forward…
- I will never talk to anyone on the phone about financial matters unless I initiate the call.
- Even if I initiate the call, I promise I will never read someone a code on the phone!
- My wife and I have frozen our credit at all three US agencies; this is free and amazingly easy to do. We started at the FTC's credit freeze FAQ page, and just followed the links at the bottom of that page to each agency's site. With my social security number now clearly in the wild, this is a requirement. But even if that weren't the case, I think we'd still do this: It's very easy to unlock if needed, it's free, and it protects you from someone opening credit in your name.
- We tried to freeze our kids' credit, too, but that's much tougher to do: You have to print a form, and then send it in, along with copies of birth certificates and social security cards. Personally, I'm not willing to put that kind of stuff in the mail any more, so for now, we're just checking their credit reports regularly: As children, they shouldn't have one at all. If they do, then there's a problem. This isn't perfect, but for now, it seems like a good balance.
- I had two-factor authentication enabled before, but using SMS. I've switched over to tokens, which require me to launch an app to get a fresh token. I feel better knowing I won't ever be looking at an SMS again, wondering if I've just messed something up.
I have definitely learned my lesson…even though I thought I already knew the lesson and how to avoid being scammed. But they still got me. Hopefully my tale of trouble helps you not be me.