The Robservatory

Robservations on everything…

 

How I lost control of our bank accounts to a phone scammer

Yesterday, instead of having a productive afternoon at home, I had the privilege of sitting at the bank for a couple of hours, resolving a problem completely of my own doing: I fell for a phone scammer. My wife and I had to close our accounts—which were in excess of 25 years old—and set up new ones. I then spent hours updating our various bill paying services, Quicken account access, etc.

Do yourself a favor, and don't be me. I never thought I'd be "that guy" either, as I keep current on scams, look for signs of fishiness on phone calls, etc. Still, they got me, and it was painful—not necessarily in terms of financial loss (we're out $500 for maybe 60 to 90 days while they investigate), but in terms of time: Time to fix what I did, and even more time spent beating myself up over my stupidity.

Here's the tl;dr version: Do not ever, as in never ever, give out a verification code over the phone. I know that now. I knew that earlier today. I've known that for years. And yet, I did it. What follows is a bit of the nitty-gritty on how I got scammed, what I learned (beyond the above), and some technological things that affected my behavior during the call. Hopefully the sharing of my stupidity will help others avoid the same fate…

It began early in the afternoon with a phone call. The caller knew my full name, was either a native English speaker or had been speaking it since he was a tiny tot, had a very professional tone, and his grammar was better than that of many people I know. In short, none of my normal "it's a scam!" warning cues were triggered. Let's call the scammer Jerk, because I don't want to demean anyone's real name.

Jerk said, "Hi, I'm Jerk, calling from First Technology Federal Credit Union[1], and I need to speak to you about a couple possibly fraudulent debit card transactions in Alabama. Is this Rob?" At this point, I noticed that my phone did indeed show the call coming from First Tech.

[1] I thought about hiding our bank's name in this writeup, but it's quite easy to find, i.e. I've tweeted about them quite often.

With the smooth intro, and matching caller ID, no alarm bells were going off, but I was a bit confused as I never (as in never) use my debit card—so how could someone have gotten ahold of it? But still, things happen, so it was a possibility. But as I was a bit cautious, I said "How do I know you're from our bank? What number can I call you on?"

Jerk replied with "Check your phone, and compare the caller ID to the number on your debit card for customer service; they'll match." As I'd already done that, I knew he was right. Still, I was a bit concerned, so I asked again, and again he referred to the caller ID info.

Missed red flag #1: If it really was a call from First Tech, they would have offered a callback line, or told me to hang up and call the number on my card directly. I should have hung up right then.

I let him know that I knew it was easy to spoof caller ID, so then he said "And the last four digits of your social security number are 6789." Those numbers matched, and at that point, I was convinced enough to continue—because banks do call to discuss fraudulent transactions; my wife had such a call from her credit card's bank just a month or so ago.

He then said that before we could discuss the fraudulent claims, he needed to be certain it was really me on the other end of the phone. So he said he'd send out a confirmation code to my phone, which I'd then have to read back before we could proceed.

The text arrived and I did confirm that the texts were coming from First Tech, at least to this extent: They came on the same source number as had other texts from my bank in the past. But that's because Jerk was using the "I lost my password" feature on my account to generate the codes direct from First Tech.

This is when a technological issue bit me: I use a relatively large font, which meant the bank's text arrived in three balloons…and they arrived out of order.

The first balloon to arrive said "3 of 3," and contained "hours" and that was it. The second balloon (1 of 3) was the one that contained the "Do not share this code with anyone!" language, but it went off the screen when the third (2 of 3) arrived, which is where the code itself was, and ended with "…will expire in 8," as seen below:

Obviously, the text there says it's a login code. Did my eyes see that? Nope. All they saw was the code, because that's what I was looking for. This is partially due to another technological issue: The text is just that, text. Other than ALL CAPS, there's no way to call out an item (bold font, red font, outlined text box, etc.), so I just glossed over everything but the code.

Missed red flag #2: I did not carefully read the texts I received, and should never have read the code to anyone. I should have hung up right then.

Still, I had reservations, but I was worried about the fraudulent transactions, so I started reading the code. I read it pretty quickly, though not all the way through. As I was reading, Jerk asked me to slow down, which I thought odd: "If he's just reading a code to compare to mine, I shouldn't have to read the code this slowly."

Missed red flag #3: Jerk asking me to read slower should have clued me into the fact that he was typing it out as I read it back. I should have hung up right then.

As it turns out, I was reading so slowly that the code expired, and they had to send another one (or so he told me—but he clearly just typed it wrong, as it's good for eight hours).

But doubts were now in my mind, so I again asked for a callback number, or some other way to prove that they were my bank. And that's when Jerk got me with a piece of data that convinced me…he said "Earlier I gave you the last four of your social security number; the full number is 123-45-6789." And my brain immediately went, "Well, they must be legit, because who else would have that?!"

Missed red flag #4: Just because someone knows your social security number doesn't mean they're who they say they are. I should have hung up right then.

This was, to use an overused idiomatic expression, the straw that broke the camel's back. I figured nobody should have my full social security number, but the bank would definitely know it. So, despite my misgivings, I read the whole number back. And that's when I lost the battle, and the war, to the scammer.

After reading out the number to Jerk, he asked me about two separate transactions in Florida, which I stated were obviously not mine. I was pretty sure he'd said Alabama at the start of the call, but didn't think to question it—it just seemed odd that the state had changed.

Missed red flag #5: The state changed, and I noticed it, but ignored it. I should have hung up right then, although by that time, it was too late.

He then thanked me, said that I shouldn't use online banking as it would be locked while they investigated, and that FedEx would have a new card for me in the morning.

As soon as I hung up, I sort of worried that there was more bad stuff going on. So I tried to login to my bank, and couldn't—it said my password was wrong. Still, the irrational part of me was winning my battles, because I decided that this meant that whoever was accessing my card from Alabama or Florida had somehow gotten my account information. Honestly, I did not tie this to the phone call I'd just finished—I was that convinced the call was legit.

Apr 4 Update: A user named Bob commented that he thinks the bank may have suffered a data breach, and after thinking about it some more, I think he may be right. In order to use the "I lost my password" feature at our bank, you have to complete this form:

To even generate the code I received and then read back to him, Jerk had to know my login name, date of birth, and full social security number. If I assume that my social security number was obtained in some other leak, and that birth dates aren't that hard to find, that still leaves my login username for the bank.

And that's where I get stuck, because my ID wasn't easily guessable, and it's not something I'd ever use on another site, nor publish online in any way. So how did Jerk get my username, if not directly from the bank somehow? In the end, it was still my fault for reading back the code, but now I wonder how they even got to that point…

A couple minutes later, I got an email that alarmed me a fair bit (my emphasis added)…

You've activated your account with Zelle. You can now send money to just about anyone with an email address or a mobile phone number. If you have any questions, updates or concerns PLEASE DO NOT REPLY TO THIS EMAIL. Please send [the bank] an email using the secure email feature via Online Banking (accessible via thebankurl.com or the mobile app) or by calling us at 855.8555.1212.

Well, that can't be good, as it's clearly not something I would have done[2] (plus I couldn't login). Still, my brain wouldn't connect this to the phone call. Then, another minute later, this email arrives…

[2] I wish our bank didn't support Zelle. It can be disabled, but once you login, you can enable it again.

You sent money to Tyran White. Here are the details:

Date: 03/30/2020

From Account: *****123456

Amount: $ 500

Memo: Tyran White will receive their money within a few minutes. If you did not send this money, or if you have any questions, call First Technology at 855.555.1212.

OK, that really got my attention. And it was at this point that I (no, I still didn't connect this to the phone call) called First Tech (and got put into their hold queue), and also started madly tweeting at First Tech about my being robbed.

Current times issue: I love First Tech, and have been a customer for decades. But with the COVID-19 outbreak, their hold times are really long. More painfully, there's no special number for fraud, so I was basically stuck in the queue. That's when I started tweeting, which got the attention of a customer service rep, who then went looking for a fraud rep to call me back. She eventually found one, but before the callback happened, we took action ourselves…

Not making immediate progress with either front, I had my wife drive to the local branch, where she learned that our account had been taken over, and we'd both need to visit the branch in person. And yet…I somehow still thought this was related to the debit card fraud and not the phone call!

It wasn't until I arrived at First Tech, and sat down with the specialist as she pointed out the language in the received texts (never give the code to anyone and that this code was to be used for logging in) that I realized I completely and totally screwed up. I said some bad words (then apologized for saying them), called myself every synonym for "stupid" in the thesaurus, and generally felt like a total idiot.

Interestingly, she told us that these scams have increased dramatically since the COVID-19 outbreak, probably because everyone's stuck at home, and they don't want to go out to a bank to deal with something like this. In fact, while we were there, a couple next to us was going through the exact same process, and she told us that they're averaging two to four a day some weeks. And our rep told us that even the bank's own mortgage finance rep had fallen for it. Still, I felt like a total idiot.

My wife and I then spent the next two or so hours in the bank, closing all of our existing accounts and opening new ones. We have a fair number of accounts, between checking, savings, bill pay, and the kids' accounts, so it was an involved process. But really, that was just the start of the work: I spent much of last evening and this morning setting up our various bill pay services, updating account numbers, trying to ensure that scheduled payments were going to be made, etc.

Protect yourself

Obviously, I missed a number of red flags and made some stupid decisions yesterday. So that you don't do the same—or if you do do the same—here's what we're doing going forward…

  • I will never talk to anyone on the phone about financial matters unless I initiate the call.
  • Even if I initiate the call, I promise I will never read someone a code on the phone!
  • My wife and I have frozen our credit at all three US agencies; this is free and amazingly easy to do. We started at the FTC's credit freeze FAQ page, and just followed the links at the bottom of that page to each agency's site. With my social security number now clearly in the wild, this is a requirement. But even if that weren't the case, I think we'd still do this: It's very easy to unlock if needed, it's free, and it protects you from someone opening credit in your name.
  • We tried to freeze our kids' credit, too, but that's much tougher to do: You have to print a form, and then send it in, along with copies of birth certificates and social security cards. Personally, I'm not willing to put that kind of stuff in the mail any more, so for now, we're just checking their credit reports regularly: As children, they shouldn't have one at all. If they do, then there's a problem. This isn't perfect, but for now, it seems like a good balance.
  • I had two-factor authentication enabled before, but using SMS. I've switched over to tokens, which require me to launch an app to get a fresh token. I feel better knowing I won't ever be looking at an SMS again, wondering if I've just messed something up.

I have definitely learned my lesson…even though I thought I already knew the lesson and how to avoid being scammed. But they still got me. Hopefully my tale of trouble helps you not be me.
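
The failure described in the post, where the warning and the code landed in different balloons that arrived out of order, can be checked for on the sending side. The following is an added example, not part of the original post and not the bank's code: a linter for one-time-code SMS templates, assuming the standard single-part limits (160 GSM-7 septets or 70 UCS-2 characters); the message texts, `CODE` and `lint_otp_sms` are constructed for illustration.

```python
import re

# GSM 03.38 default alphabet: one septet per character.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension table: escape + character, so two septets each.
GSM7_EXT = set("^{}\\[~]|€")

PURPOSE = re.compile(r"\b(login|log in|sign in|password reset)\b")
WARNING = re.compile(r"\b(never|do not|don't|don’t)\b.*\b(share|ask|read)")

def septets(text):
    """GSM-7 length in septets, or None if any character needs UCS-2."""
    total = 0
    for ch in text:
        if ch in GSM7_BASIC:
            total += 1
        elif ch in GSM7_EXT:
            total += 2
        else:
            return None
    return total

def segment_count(text):
    """Number of SMS parts needed (lower bound for multi-part GSM-7)."""
    n = septets(text)
    if n is None:  # UCS-2: 70 chars in one part, 67 per concatenated part
        units = len(text.encode("utf-16-be")) // 2
        return 1 if units <= 70 else -(-units // 67)
    return 1 if n <= 160 else -(-n // 153)

def lint_otp_sms(text, code):
    """Return findings; an empty list means the template passes."""
    findings = []
    if septets(text) is None:
        bad = sorted({c for c in text if c not in GSM7_BASIC | GSM7_EXT})
        findings.append(f"characters {bad} force UCS-2 (70-char single-part limit)")
    parts = segment_count(text)
    if parts > 1:
        findings.append(f"needs {parts} SMS parts; warning and code can be "
                        "separated or arrive out of order")
    if code not in text:
        findings.append("code not present in message")
    lowered = text.lower()
    if not PURPOSE.search(lowered):
        findings.append("message does not say what the code is for")
    if not WARNING.search(lowered):
        findings.append("message has no do-not-share warning")
    return findings

# Constructed sample messages (not the bank's actual text).
CODE = "493021"
LONG_MSG = ("Example Bank: Do not share this code with anyone! We will never "
            "call you to ask for it. Your login code is 493021. If you did not "
            "request it, call the number on your card. "
            "This code will expire in 8 hours.")
SHORT_MSG = ("Example Bank LOGIN code 493021. We will NEVER call and ask for it. "
             "Do not share or read it to anyone. Expires in 8 hours.")
# Same short text with one typographic apostrophe pasted in by an editor.
CURLY_MSG = SHORT_MSG.replace("Do not", "Don’t")

if __name__ == "__main__":
    for name, msg in [("long", LONG_MSG), ("short", SHORT_MSG), ("curly", CURLY_MSG)]:
        print(name, segment_count(msg), lint_otp_sms(msg, CODE))
```

The third sample shows why the character set matters: a single typographic apostrophe pushes a message that fit in one part into two.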

30 Comments

  1. SO SORRY to read about your ordeal...BUT I can somewhat relate. It is SO EASY to fall into a stupor, even when you know better.

    Reminds me of a time over 30 years ago (in my 20s) when I was vacuuming my car at a public coin-operated location. I had taken all my stuff out of the car, including a detachable sunroof, tools, and other sundries. The vacuum I was using did not work well so when another stall freed up I moved my car over to the freed up one but left all my stuff at the first location, as I could still see the items and it was only about 15-20 feet away. Meanwhile, about 10-15 mins into my heavy vacuuming, a van pulled up, and while I was watching started rummaging through my belongings but for some reason it did not dawn on me that this was MY stuff. I smiled, even waved. Then within a minute or so I finally clued in, tried to go after them but they were off... FORTUNATELY I did not have too much of value except a new toolkit I had recently purchased and they left behind the sunroof...PHEW!

    I remember feeling stupid as I realized how for a long enough moment I was in a stupor not connecting the dots.

    Though I have had a couple more incidents like that in my life (fortunately none truly grave), I am an extremely vigilant person when it comes to security and I too am VERY aware of many of the different types of scams BUT cannot help to think if I might fall into a stupor in the wrong moment.

    I feel for you.

    That said, I have been scammed and lost LOTS of money, though that involved the trust of some key people that I thought were trustworthy, which took over 10 years to get back to square one. HUGE lessons learned.

    And then there are stories with contractors that have partially scammed me (though I was careful to keep the leverage on my side the entire time so did not lose anything other than my sanity as jobs were not completed, not done right as documented in contracts), BUT those are other stories.

    1. It's weird how the brain works—or seemingly, doesn't work. Thanks for sharing the story!

      -rob.

  2. P.S. I have worked in IT for over 25 years, so it is kinda odd to admit the above. But I hope in acknowledging it that keeps me more on my toes.

  3. Rob, you are a real mensch for sharing this story with us. As embarrassing as it is, you will probably save a lot of people the same fate. Thank you. It takes guts to do this.
    I hope Jerk gets caught and serves time!!!

  4. Part of the reason it worked is that they do it full time. They have trained and learned from others. You rarely face the issue. This is true for lots of issues in life. Like buying a car at the dealer. They know the tricks you don't. Don't be too hard on yourself, although I would feel the same in your place. In fact in the back of my mind I think I did something like this recently but the amount was small or I recovered in time. But still.

    1. This reminds me of the story of cuckoos. Each one has descended from untold generations of cuckoos, EVERY SINGLE ONE of which successfully fooled host parents. On the other hand, it is very unlikely that these particular host parents have even encountered a cuckoo before.

  5. Thanks for making this unsavory information available. It's good for everyone to be more aware of the extent to which the sophistication of these sorts of scams has been developed.

  6. So sorry to hear this happened to you Rob. Thanks for writing it up so we can all learn. I think your first point is really key. No matter how insignificant or genuine the issue seems to be, always call the bank back at their published number. This will neutralise the vast majority of these scams.

  7. I suspect the reason the scams are working better in COVID-19 days is that we are all stressed and distracted. Brains are not working well.

    So be careful folks - not just about things like this, but anything that requires attention. For example, if you're taking up woodworking as a new hobby, be extra careful. Same if you are up a ladder. Whatever.

    Thanks for sharing Rob.

    1. Thanks, Peter—good comments about general stress, too. I’ve asked our kids to be extra careful with sharp things in the kitchen, for instance, as the last thing we need to do is head to an overworked ER for a deep cut.

      -rob.

  8. Got me too a couple of months ago. The same scenario and language. Could be the same guy. And I'm tech savvy, which I think could be a disadvantage. Can't believe they can't trace where the money goes. If you or I tried this, we'd get caught.

    1. Yea, I'm surprised Zelle allows transfers without traceability—but I'm very thankful my bank didn't have other easy ways to get money out, or we could be waiting for more than just $500 to be returned.

      (I also don't like the fact that Zelle exists within the bank at all; it does not seem like a tool that needs to be offered by my financial institution.)

      -rob.

  9. I’m fascinated by the story, especially how a clearly smart person could make so many (objectively) stupid decisions. I agree that the stress of the current times has to play a part. I’m curious if you were especially tired when the call came in as well? I’ve noticed this phenomenon before, and it generally befalls very intelligent people that convince themselves of something and then new information simply doesn’t take hold.

    Thanks for sharing.

    1. I wasn't especially tired, but COVID-19 definitely played a role: I did *not* want to have to go into the bank (which he actually offered at some point), hence that probably played on my desire to resolve this over the phone.

      But I still have no real idea why I didn't go with my instincts the multiple times I had the chance to hang up.

      -rob.

  10. First: OUCH!!!
    Second: THANK YOU!
    I am certain you just saved a lot of people a lot of money and hassle. I will certainly be on the look out in the future.

  11. I don't understand why it takes two minutes on the telephone to totally own a person's credit and financials but it takes a conversation with the Archangel Michael which won't even get you to somewhere close to where you started before you were financially raped. I often consider how people in the 60+ age group must be such easy targets: failed patches, firewalls, antivirus, 'friendly helper' apps, free games, unsecured routers, simple passwords, global passwords, spoofing, Equifax epic failures. It doesn't end and won't get better.

  12. I think you are not stupid. It's your bank that screwed you, if you haven't noticed already. How does Jerk know your name, your login name, phone number, your full SSN, and you have an account with the bank? Obviously, the bank leaked those in some way! Now that's the elephant in the room you didn't notice.

    1. Good point—I thought the reset feature worked without username (just email), but it doesn't. The social isn't quite as surprising, given the number of hacks over the years. Our phone number has been listed for years, so that's explainable ... but yea, putting it all together, it does seem like it would've had to start at the bank somehow.

      Thanks for thinking it through for me!

      -rob.

      1. In addition, having a few other customers with the same issue is a sign that the bank's customer data has been compromised, I would think. The bank may know it. But it is to their interest to cover it up as much as they can to minimize liability and damage to their reputation.

    1. He had my full social; I assumed it was from another hack in the past. But as commenter Bob pointed out, he also had my bank login name, which I only use on the bank, and have never used elsewhere (or told anyone else). It seems more and more likely that the bank may have had a data breach, but I have no way to be sure.

      -rob.

  13. Thanks for the heads-up!

    Do you want to be pro-active and stop this from happening in the future to other people?

    Get together with a few other people that this has happened to and file a class action lawsuit against Zelle. I suspect there are uncountable numbers of lawyers out there salivating at the prospects of getting a chunk out of Zelle.

    Just imagine that if you had to spend several hours at a bank that day, and probably more later, to straighten all this out, how many hours would accumulate if you added up all of the victims. Further, though you might not be out $500 (and $500 might not be a hardship for you), there are probably victims out there who lost more or who won't be able to recoup their losses. The bank will take this as a fraudulent expense on their books, but it seems like Zelle suffers no consequence for their part in this; in fact, Zelle would have made a nice commission from being the middle-man in this transfer.

    I've never heard of Zelle, but I suspect the untraceability is a feature they tout. Shouldn't this be able to be undone in cases of fraud?

  14. As an addendum to my post, I should add that in Canada, there is a service called Interac that allows you to send money from your bank account to another person by email or text. You can even use it for online payments. Actually, Interac was started by the major banks for debit store purchases and ATM service, which they've updated to allow further uses. Interac transfers are not anonymous or untraceable, and you can reverse them within a certain span of time (for example, until the recipient has accepted the money).

  15. The 3rd red flag should not really be one. Here in Australia, Westpac asks you to read them the code they send you by SMS once they're done with the identification questions. They actually type this code in their system, but they don't compare it to any visible code.

    1. Well, given the text they send us says "We will never ask you to read us this code," or something like that, it's definitely a missed flag here. Interesting that you read it back there.

      -rob.

  16. They tried this one on me this morning. Fortunately I listened to the rational side eventually and hung up and called first tech to verify. They had me so close to the finish line I felt pretty stupid too. I also told him I knew how easy it was to spoof caller ID but that didn't push me over the edge. I was about to change my password to one he was reading to me when I called bullshit.

    Thanks for taking the time to write about your experience! By the way if you haven't checked out the "reply all" podcast episode about a similar scam (#102) it's entertaining and worth a listen. We happened to listen to it last night 12 hours before this call came in!

  17. I used to receive a couple of such calls but they are so obvious that I feel insulted. Once a guy called and said he is the bank manager. I asked him which bank and he literally called out the names of all top 5 banks in my country. He went ahead and said my card is about to expire and the 14 digit "renewal code" is typed in my card! I asked him how often this trick works and he said quite often and disconnected.

  18. YOU ARE MISSING A HUGE RED FLAG.

    Reps are not supposed to call people and give out 4 SS numbers let alone all of them. That's a huge red flag you still haven't called out.

    1. I mentioned that someone knowing it shouldn't have been good enough, but I've had legit calls use the last four of the social as an identifier, so that alone doesn't concern me—it probably should, but I know it's been used before in a legit manner (not necessarily by my bank, though).

      -rob.

The Robservatory © 2020