A small business owner recently fell victim to a sophisticated bank scam that drained her life savings, where scammers exploited two-factor authentication to gain access and withdraw money from her account. This cautionary story serves as a warning about the increasing prevalence of fraud and emphasizes the significance of using effective fraud detection systems.
THE SCAM: Life Savings Lost to a Bank Scam
A small business owner recently fell victim to a sophisticated bank scam that drained her life savings of nearly $160,000. Scammers contacted the victim directly and exploited two-factor authentication to gain access and withdraw money from her account. This cautionary story serves as a warning about the increasing prevalence of fraud and emphasizes the significance of using effective fraud detection systems.
After receiving a seemingly harmless text message from her bank, Chase Bank, Debbie Moss inadvertently divulged private authorization codes, allowing cyber scammers to access and withdraw her entire life savings. The first message she received through text informed her of an unauthorized $35 debit card charge from another state. Unaware of the impending threat, Moss promptly replied to the text, unknowingly engaging with scammers. Shortly after responding to the text, Moss received a call from someone posing as a representative from Chase Bank, with the caller ID displaying the bank’s name. The individual on the other end identified herself as “Miss Barbara” from Chase and requested permission to issue a new debit card to resolve the alleged fraudulent charge. “Miss Barbara” then asked Moss to verify her identity by reading authentication codes sent from Chase through subsequent text messages over the phone. During the following week, “Miss Barbara” repeatedly called Moss and claimed that there were issues with the card delivery. Each time, she asked Moss to verify her identity by reading the numbers from the text messages. The scammers manipulated her into providing two-factor authentication codes, always under the guise of identity verification. Unbeknownst to the victim, these codes were actually two-factor authentication codes for approving withdrawals initiated by scammers. Moss complied and revealed these authorization codes to the cybercriminals and continued to do so over a week of communication with them, not realizing that she has given authorization to withdraw funds.
Upon visiting her bank branch, Moss discovered that her account had been completely drained, wiping out her life savings. The scammers had conducted six wire transfers, some as high as nearly $48,000, within a week.Despite filing a police report and submitting a claim to Chase Bank, Moss’s hopes for recovering her funds were shattered when the bank denied her claim. The bank’s response placed the blame on Moss, stating she had not taken appropriate steps to protect her account from unauthorized use.
FRAUD GEEK EXPLAINS:
Two-factor authentication is a security measure used to protect user accounts from unauthorized access by adding an extra layer of security. With two-factor authentication, a user needs to provide two forms of identification to access their account or execute transactions, typically a password and a unique, one-time code sent to their phone via text or email. Many online services, particularly financial services, have come to rely on two-factor authentication to authenticate user access and activity. That’s exactly what happened in Ms. Moss’ story, her bank was using two-factor authentication to mitigate the risk of fraud.
Unfortunately, Ms. Moss didn’t realize that even though the codes being sent to her phone were real and from her bank, the true nature of the code was to authenticate the requested withdrawal transaction, not simply verify her identity as the scammers lead her to believe through their phone calls. Even more tragic, her bank failed to notice risk signals in her unusual behavior, such as unusual account access or unusual withdrawals that were draining her account, nor did they attempt another form of authentication.
In the end, the fraudster won, and both the bank and their customer could have done more to stop it.
It is important to note that Ms. Moss is a victim, and many people fall victim to these types of scams. That is why it is so important to stay educated on the tactics used by scammers to protect your assets and not fall victim and lose any money, including your life savings. When banks send time sensitive or disposable, one-time passcodes in a text message, the message always includes language warning the customer that the bank will never call asking for the code. This is the first thing most people overlook when caught up in the moment and end up reading back a random string of numbers to get help.
FRAUD GEEK’S ADVICE:
Ms. Moss should not have responded to the text or engaged in conversation over an unsolicited call. If she had hung up and called the bank directly, they would have been able to verify any fraudulent charges and communication. At no point over the timeframe when the scam unfolded, funds withdrawn, and calls made to Ms. Moss, does the story mention Ms. Moss contacting her bank, reviewing her account online, or taking any action to verify what she was told was being done with her money. Banks will never ask for passwords or private codes, so if you ever receive a call or text asking for personal information, immediately hang up or ignore the message and call the bank or business directly. Also, be wary of any emails or texts containing links. You should trust the financial institution holding your money, but it is imperative that as the owner of those funds, you take a proactive role in reviewing your accounts regularly for unusual activity to protect yourself.
Bank impersonation scams are not new, with the FTC reporting that these scams doubled from 2021 to 2022. A bank the size of Chase knows they are at risk, and they invest in very sophisticated fraud monitoring. Those facts make it even more surprising that a fraudster could withdraw over $100k in weeks without raising an alarm, leaving Ms. Moss a victim when her bank failed her and lost her trust.
THE DEFENSESTORM DIFFERENCE: Proactive Fraud Detection
Two-factor authentication is a first step in fraud detection, but this case demonstrates that financial institutions need to look for a more in depth and robust solution to stop fraud. DefenseStorm approaches fraud differently by looking at both monetary and non-monetary transactions to catch fraud before funds leave the bank. Our Fraud Detection product would have recognized the unusual patterns such as small debit card charges followed by withdrawal activity that is out of character for Ms. Moss. With GRID Active Fraud Detection, the bank would have received a real-time alert so the bank could block the suspicious activity, execute step-up authentication, and route anomalies to analysts for further investigation. DefenseStorm would have noted that the online account activity from different devices, browsers, and locations were out of line of normal activity for Ms. Moss, plus that the volume of transactions, even if authenticated with a second factor were unusual for her account. Our ability to monitor, detect and alert on suspicious activity across all departments – including Originations, Online and Mobile banking and Internal Fraud – allow the FI to stop fraudsters before funds leave the account.
Deborah Moss’s heartbreaking experience serves as a stark reminder of the growing threat of financial scams. With reported losses reaching staggering figures, the importance of robust fraud detection systems cannot be overstated.
CBS NEWS: Bank scam that began with a text message ends with woman losing life savings: “My whole world fell apart.”