Criminals were one text message away from draining my bank accounts…
This is a cautionary tale. I will explain what happened, how I believe they did it, and what you can do to protect yourself. I was rudely awakened on 11/30/2017 just before 6a by my phone buzzing. I looked at the 1800 number and decided not to take it. This happened about 9 times, so I decided to block the caller. Then calls started coming in on another 1800 number so I decided to turn my phone off. When I turned it back on around 8a a lot of interesting things happened that after translating a bunch of email and text alerts from my bank from Spanish to English I will share with you. Here is what the criminal was doing on my account.
- 550a Changed the password and changed the mobile language to Spanish. This kept me out of the account and semi-hid what they were doing (perhaps a good reason to learn Spanish?).
- 550a Changed the Account I receive money from using Zelle to be checking. Zelle is a service that my bank offers to email people money.
- 552a Started calling on a 1800 number and texting (dialing as fast as possible).
- 604a My bank tries to call me, but it is hidden amongst the other 1800 calls.
- 604a Allowed money to be received through my email. Likely to get me to add more money to the account or transfer from another stolen account.
- 604a Allowed money to be received through my phone number. Likely to get me to add more money to the account or to transfer from another stolen accounts.
- 616a Start getting text messages that my bank account is being hacked.
- 634a-728a Tries to facetime video me 4 times.
- 729a Changed my email address.
- 734a Changed my username.
- 740a Added an email address on Zelle to transfer money to.
- 753a Starts calling again.
- 754a Tried to transfer money to a new account but needed the access code.
- 817a Changed all the notifications to come through regular mail (so I would see no more emails).
So when I turned my phone back on I was getting phone calls and text message so fast from the crook that I could not dial out to my bank. So I took one of his calls. He sounded very professional here is how the conversation went.
- Criminal: Hello this is Wells Fargo is this Guy Bieber. We are calling about suspicious activity on your account.
- Me: Yeah all my messages from the bank seem to be in Spanish and I can’t log in.
- Criminal: Can you verify some transactions on your account…. He repeats my account balances and some transactions. He was obviously in my actual account. My freaked-out-meter starts to max.
- Criminal: I need to verify your identity before we can continue. Can you read back to me the verification number we just texted you?
I noticed what looked like small transfer requests (still reading this in Spanish). My answer was “There is no way in hell I am giving you that number!!” I hang up. The calls and text messages start coming in like crazy again. I reach for my debit card and try to dial the service number on the back and eventually get through. I told the bank that I couldn’t login to my account and someone was in it. After they locked the account the onslaught of calls stopped. They thought I just forgot my account address and it was a simple phishing call. When they asked me to verify a code on my phone I said that is the same number I was getting codes on from the criminal. Then they transferred me to the fraud department.
I was one text message from having all my accounts drained. Had I given the criminal the verification code (just like the bank asked me to do) he would have completely taken over my accounts. Needless to say, we undid all the things the criminal did, created a new hard to guess username, a new password, virus scanned my devices and some other security measures. I spent the rest of the day securing all of my accounts.
How They Did It
Here are my thoughts on how they did this.
- The put up a fake website with a spelling close to wellsfargo.com and I entered my name and password. I remembered not being able to login a week earlier and thought it was odd.
- They got a burner cell phone and used the bank’s mobile app to login.
- They then changed the notification language to Spanish (effects email and text messages; this setting is only on the mobile app).
- They had a bank of 1800 numbers they could dial out from.
- They used the burner phone to text and initiate Facetime.
This is how I believe they attacked me. However, there are many avenues to get your initial username and password. Here are some of them:
- Website: Use a fake website that looks like the real one to collect your data.
- Public Computer: Put a keylogger on a publicly accessible computer.
- Network: Create a free wifi access point then redirect your banking websites to their fake website.
- Virus: Infect your computer and browser with a virus to collect the data.
How You Can Protect Yourself
Some here are something you can do to protect yourself. You need to secure your devices, your bank accounts, Paypal / Amazon / Ebay, investment accounts, cloud storage, password vaults and email accounts.
- Change your username (not your name) and your password to something hard to guess.
- Register your phone and add alerts for suspicious activity.
- Add multi-factor authentication if available. Typically, this uses your phone to text you a code or software like VIP Access to generate a code.
- If your bank offers voice verification activate it. Basically, when you call it verifies your voice characteristics.
- Only access your accounts on devices you own.
- Only access accounts on networks you know are valid (home, work, or your cellular hotspot).
- Virus scan your phones, tablets, and laptops. The App Store for IoS devices does a good job keeping out viruses, so there is no need to scan them. There is one virus scanner that Apple recommends for your laptop called mallwarebytes.com. It is worth scanning that device.
- Be sure to have password access and lock codes enabled for all your devices (especially your phone). If you still use swipe to open on your phone, you are really at risk. Your phone and primary email account are the things you have that are hard for criminals to replicate.
- Use an app on your phone instead of a website. Your phone is more secure, over a more secure network, and you can’t accidentally enter the wrong URL.
- If you do use a website create a pinned tab or link where you don’t need to enter the website by hand.
You Are Hacked…. What To Do
If you think you were hacked don’t give information to any incoming source call or text. Get the number off the back of the card for your account and call the bank directly. Then start doing the prevention activities above.