Hackers were assaulting my checking account from Sunday, August 28, to Friday, September 2, and it’s taken me this long to recover. I’ll tell you what happened as a cautionary tale.
Two Sundays ago, my bank emailed me a Security Alert. In part, it read [verbatim]:
On 8/28/2022 12:46 AM, there was the forgot password process was attempted for your login ID… If you suspect fraudulent activity, please contact us… Please do not reply to this message.
The bad grammar and absence of contact info looked like spam. I knew my little community bank doesn’t do weekends, so I was helpless until Monday.
But that afternoon at 4:50 p.m., a quick succession of more Security Alerts arrived about: 1) forgot password, 2) change to secure access code contact information, 3) added a Tempia Otey (??!!) to account, 4) a process was started to add an external contact.
At 5 p.m., my landline rang. Caller ID showed my bank and its local number, so I answered. Mistake ONE.
It was “Jacob” from the “Fraud Department,” following up since they hadn’t heard from me (how?).
Jacob was a criminal newbie with Swiss-cheese story he kept having to “check with his supervisor,” which kept dropping the call. Once, he called back from 843-474-1626 in Beaufort, SC, stammering that that line was “more secure” than the bank’s. (If this doxes you, Jacob, tough. The bank and the FCC has this number now, too.)
MAJOR POINT: You know two-factor authentication, where they phone or text a code number to you so you can access a website or account? To “verify” me, Jacob somehow sent one of those to my landline, and it actually came from my bank. I’m still kicking myself for telling him what it was, but I hadn’t yet realized he was a hacker. Mistake TWO.
Jacob’s real mission was to “verify” (i.e., steal) my debit card information.
When I refused to tell all (I did give some, like a dummy) Mistake THREE, Jacob transferred me to his “supervisor” Jessica. She’d only say, “We need your debit card number,” so I hung up on her.
The next day, Monday at 7 a.m., this Security Alert arrived…
On 8/29/2022 6:54 AM there was your security alert preferences were changed.
I called the bank as soon as it opened and we found the bogus Tempia Otey online withdrawal and another one. They totaled $500 and luckily had been blocked by Zelle, a third-party money transfer thing my bank has. So, I changed my password and drove to the bank to close my debit card.
At 3 p.m. Monday afternoon, the hacker phoned again, spoofing the bank on Caller ID, calling himself “Jonathan.” I answered because the bank had promised to call back about the Zelle situation. Once again, not knowing it wasn’t the bank, he sent an authentication code to my cellphone this time (so he had both my phone numbers), and I told him the code. Mistake FOUR.
I think this call sealed my fate.
As soon as I realized it was Jacob again, I hung up. A few minutes later the Security Alert emails started rolling in…
On 8/29/2022 3:11 PM, there was an invalid password for your login ID was submitted.
…forgot password process was attempted…
…security alert preferences were changed…
Since Zelle had blocked suspicious activity, bank customer service was on the case, and I’d notified my branch there was a problem in person, I thought they all had my back and we were done. Mistake FIVE.
Beginning Tuesday, the hackers siphoned daily increasingly large amounts from my checking account into another account they’d opened in my name somewhere until I was out $14,000, which I’d set aside for some major bills.
I discovered these thefts Friday, September 2, after I was locked out of my online account trying to get my monthly checking statement.
Hair ablaze, I dashed back to the bank to close the checking account and file a fraud report. (When they printed my statement, the daily theft withdrawals were screamingly obvious.)
The bank said it might take “months” to research and recover my “disputed” $14K. And they said it was now in MasterCard’s hands. WTF? Who ever said anything about MasterCard? The debit card was closed BEFORE the withdrawals started.
This crime began within days of the bank launching a new app. I think the app has security issues a cruise ship could sail through. The bank employee who helped me had been getting the same Security Alerts on HER account and blowing them off. And she said other customers had been making similar reports (presumably also being blown off).
With a new checking account, all my online bill-paying information, automatic drafts, the direct deposit arrangements with clients got obliterated. I’ve spent most of this week piecing my finances back together like a jigsaw puzzle.
BUT THERE’S A HAPPY ENDING: Instead of months, the disputed $14K was restored to me within 24 hours — but it was deposited in the now-closed account. ANOTHER trip to the bank got the funds over to the new account. I’m a familiar (if masked) face at the bank now.
LESSONS LEARNED: I can’t trust my bank. Their “security” is nothing but useless ungrammatical emails. They’re unable to detect a multi-day theft in progress. And if I hadn’t been proactive, my $14K would STILL be sitting in a closed account.
I’ll take your questions now.