Banks have invested a significant amount of money on cybersecurity and fraud detection, but what happens when criminals are able to deceive bank workers with their sophisticated criminal tactics?
It meant that Cody Mullenaux had more than $120,000 wired from his Chase bank account, with little chance of ever recovering the money that had been taken.
The saga for Mullenaux, a 40-year-old small business owner from California, began on Dec. 19. He received a call from someone pretending to be from the Chase fraud department requesting him to confirm a suspicious transaction while he was Christmas shopping for his young daughter.
The 800-number matched Chase customer service so Mullenaux didn’t think it was suspicious when the person asked him to log into his account via a secured link sent by text message for identification purposes. The link looked legitimate and the website that opened appeared identical to his Chase banking app, so he logged in.
“It never even crossed my mind that I was not speaking with a legitimate Chase representative,” Mullenaux told CNBC.
Gone are the days when the only thing a consumer had to be wary of was a suspicious email or link. The strategies used by cybercriminals have evolved into multifaceted schemes, with several offenders working together to use sophisticated techniques including ready-made software offered in kits that hide phone numbers and imitate login pages for a victim’s bank.
It’s a pervasive threat that cybersecurity experts say is driving an uptick in activity. They predict it will only get worse. Unfortunately, for victim of these schemes, the bank isn’t always required to repay the stolen funds.
After he was logged in, Mullenaux said he saw large amounts of money moving between his accounts. He was informed over the phone that someone was actively attempting to steal money from his account and that the only way to protect it was to wire funds to the bank supervisor, where they would be kept in escrow while they secured his account.
Terrified that his hard-earned savings was about to be stolen, Mullenaux said he stayed on the phone for nearly three hours, followed all the instructions he was given and answered additional security questions he was asked.
CNBC has reviewed Mullenaux’s cellular records, bank account information, as well as images of the text message and link he was sent.
A team of scammers
What Mullenaux, who is the inventor and founder of Aquaphant, a technology company that converts moisture from the air into filtered water, didn’t know was the person on the phone was part of a sophisticated cybercriminal team.
While Mullenaux spoke with this fake fraud department rep, a second scammer was impersonating Mullenaux on another phone call with Chase to authorize the wire transfers. All the answers to the security questions Mullenaux was asked were then being fed to the second scammer. This allowed the fraudsters to provide the correct answers and convince the Chase employee they were speaking to the account holder.
The hoax worked. Once the Chase employee was convinced that it was Mullenaux who called to authorize the three wire transfers, over $120,000 disappeared from his bank account and despite his best efforts none of it has been recouped.
In a statement to CNBC, a Chase spokesman said, “Banks will never ask consumers or businesses to send money to themselves or anyone else to prevent fraud, but scammers will. To confirm you are really speaking to Chase, call the number on the back of your card or visit a branch.”
Little recourse for victims of wire scams
Mullenaux said he feels frustrated and defeated about his experience trying to recover his stolen funds.
“No matter what they do to try and safeguard customers, scammers are always one step ahead,” Mullenaux said, adding that his money would have been safer in a shoebox than in a big bank that cybercriminals are targeting.
The Federal Trade Commission advises that any customer who thinks they might have sent money to scammers via a wire transfer should immediately contact their bank, report the fraudulent transfer and ask for it to be reversed.
Time is critical when trying to recover funds sent via fraudulent wire transfer, the FTC told CNBC. The agency said victims should also report the crime to the agency as well as the FBI’s Internet Crime Complaint Center, the same day or next day, if possible.
Mullenaux said he realized something was wrong the next morning when his funds had not been returned to his account.
He immediately drove to his local Chase bank branch where he was told he had likely been the victim of fraud. Mullenaux said the matter wasn’t handled with any sense of urgency, and a reverse wire transfer attempt, which the FTC suggests customers ask for, wasn’t offered as an option.
Instead, Mullenaux said the branch employee told him he would receive a packet in the mail within 10 days that he could fill out to file a claim. Mullenaux asked for the packet immediately. He filled it out and submitted it the same day.
That claim, along with a second one Mullenaux filed with the executive branch, were denied. The employees investigating the matter said Mullenaux had called to authorize the wire transfers.
CNBC provided Chase with Mullenaux’s cellular phone records that showed he never made any outgoing phone calls to Chase on the day in question. The records also suggest, when compared with the wire transfer records, that it could not have been Mullenaux who called Chase to authorize the wire transfers because all three were authorized and went through while Mullenaux was still on the phone with the scammers.
However, that didn’t change the bank’s decision and, again, Mullenaux’s claim was denied since he had shared his private information with the criminals.
Scammers exploited regulatory loopholes
Whether the con artists knew they were doing it or not, they were successful in taking advantage of two gaps in the current consumer protection laws, which allowed Chase to avoid having to replace Mullenaux’s stolen assets. Legally, banks do not have to reimburse stolen funds when a customer is tricked into sending money to a cybercriminal.
However, under the Electronic Fund Transfer Act, which covers most types of electronic transactions like peer-to-peer payments and online payments or transfers, banks are required to repay customers when funds are stolen without the customer authorizing it. The measure, which also prohibits fraud involving paper checks and prepaid cards, unfortunately does not cover wire transfers, which involve moving money from one bank to another.
The cybercriminals also transferred funds from Mullenaux’s personal checking and savings accounts to his business account before initiating the wire transfers. Regulation E, which is designed to help consumers get their money back from an unauthorized transaction, only protects individuals, not business accounts.
A representative for Chase said that the investigation is ongoing as the bank tries to recover the stolen funds.
That is something Mullenaux says he is praying for. “I pray that this tragedy is somehow reconciled, that bank management sees what happened to me and my money is returned.”
Mullenaux has also filed reports with the local police and the FBI’s Internet Crime Complaint Center, but neither have contacted him about his case.
Sophisticated scamming tactics on the rise
It’s not just Chase customers being targeted by cybercriminals with these sophisticated schemes. This past summer, IronNet uncovered a “phishing-as-a-service” platform that sells ready-made phishing kits to cybercriminals that target U.S.-based companies, including banks. The customizable kits can cost as little as $50 per month and include code, graphics and configuration files to resemble bank login pages.
Joey Fitzpatrick, a threat analysis manager at IronNet, said that while he can’t say for certain that this is how Mullenaux was defrauded, “the attack against him bears all the hallmarks of attackers leveraging the same sort of multimodal tools that phishing-as-a-service platforms provide.”
He expects “as-a-service”-type offerings will only continue to gain traction as the kits not only lower the bar for low- to medium-tier cybercriminals to create phishing campaigns, but it also enables the higher-tier criminals to focus on a single area and develop more sophisticated tactics and malware.
“We’ve seen a 10% increase in deployment of phishing kits in January 2023 alone,” Fitzpatrick said.
In 2022, the company saw a 45% increase in phishing alerts and detections.
But it’s not just phishing schemes on the rise, it’s all cyberattacks. Data from Check Point showed in 2022 there was a 52% increase in weekly cyberattacks on the finance/banking sector compared with attacks in 2021.
“The sophistication of cyberattacks and fraud schemes has significantly increased during the last year,” said Sergey Shykevich, the threat group manager at Check Point. “Now, in many cases cybercriminals don’t rely only on sending phishing/malicious emails and waiting for the people to click it, but combine it with phone calls, MFA (multifactor authentication) fatigue attacks and more.”
Both cybersecurity experts said banks can be doing more to educate customers.
Shykevich said the banks should invest in better threat intelligence that can detect and block methods cybercriminals use. An example he gave is comparing a login to a person’s digital “fingerprint,” which is based on data such as the browser an account uses, screen resolution or keyboard language.
Best advice: Hang up the phone
There was one thing that Chase, federal agencies and cybersecurity experts were all in agreement on: if a customer receives a phone call from their bank and the person starts asking for information, hang up and call the bank back yourself.
“If a consumer gets a call, text or email out of the blue from anyone claiming to be from their bank, alerting them of a problem, the consumer should hang up (or delete the text/email and don’t click on links) and try calling their bank on a phone number they know to be real,” said an FTC spokesman.
Cybercriminals may exploit stolen personal information and the capacity to spoof caller ID to deceive a victim into parting with money.