Banks have spent enormous amounts on cybersecurity and fraud detection but what happens when criminal tactics are sophisticated enough to even fool bank employees?
For Cody Mullenaux, it meant having more than $120,000 wired from his Chase checking account with little hope of ever recouping his stolen funds.
The saga for Mullenaux, a 40-year-old small business owner from California, began on Dec. 19. While Christmas shopping for his young daughter, he received a call from a person claiming to be from the Chase fraud department and asking to verify a suspicious transaction.
The 800-number matched Chase customer service so Mullenaux didn’t think it was suspicious when the person asked him to log into his account via a secured link sent by text message for identification purposes. The link looked legitimate and the website that opened appeared identical to his Chase banking app, so he logged in.
“It never even crossed my mind that I was not speaking with a legitimate Chase representative,” Mullenaux told CNBC.
Gone are the days when the only thing a consumer had to be wary of was a suspicious email or link. Cybercriminals’ tactics have morphed into multipronged schemes, with multiple criminals acting as a team to deploy sophisticated tactics involving readymade software sold in kits that mask phone numbers and mimic login pages of a victim’s bank. It’s a pervasive threat that cybersecurity experts say is driving an uptick in activity. They predict it will only get worse. Unfortunately, for victim of these schemes, the bank isn’t always required to repay the stolen funds.
After he was logged in, Mullenaux said he saw large amounts of money moving between his accounts. The person on the phone told him someone was in his account actively trying to steal his money and that the only way to keep it safe was to wire money to the bank supervisor, where it would be temporarily held while they secured his account.
Terrified that his hard-earned savings was about to be stolen, Mullenaux said he stayed on the phone for nearly three hours, followed all the instructions he was given and answered additional security questions he was asked.
CNBC has reviewed Mullenaux’s cellular records, bank account information, as well as images of the text message and link he was sent.
A team of scammers
What Mullenaux, who is the inventor and founder of Aquaphant, a technology company that converts moisture from the air into filtered water, didn’t know was the person on the phone was part of a sophisticated cybercriminal team.
While Mullenaux spoke with this fake fraud department rep, a second scammer was impersonating Mullenaux on another phone call with Chase to authorize the wire transfers. All the answers to the security questions Mullenaux was asked were then being fed to the second scammer. This allowed the fraudsters to provide the correct answers and convince the Chase employee they were speaking to the account holder.
The hoax worked. Once the Chase employee was convinced that it was Mullenaux who called to authorize the three wire transfers, over $120,000 disappeared from his bank account and despite his best efforts none of it has been recouped.
In a statement to CNBC, a Chase spokesman said, “Banks will never ask consumers or businesses to send money to themselves or anyone else to prevent fraud, but scammers will. To confirm you are really speaking to Chase, call the number on the back of your card or visit a branch.”
Little recourse for victims of wire scams
Mullenaux said he feels frustrated and defeated about his experience trying to recover his stolen funds.
“No matter what they do to try and safeguard customers, scammers are always one step ahead,” Mullenaux said, adding that his money would have been safer in a shoebox than in a big bank that cybercriminals are targeting.
The Federal Trade Commission advises that any customer who thinks they might have sent money to scammers via a wire transfer should immediately contact their bank, report the fraudulent transfer and ask for it to be reversed.
Time is critical when trying to recover funds sent via fraudulent wire transfer, the FTC told CNBC. The agency said victims should also report the crime to the agency as well as the FBI’s Internet Crime Complaint Center, the same day or next day, if possible.
Mullenaux said he realized something was wrong the next morning when his funds had not been returned to his account.
He immediately drove to his local Chase bank branch where he was told he had likely been the victim of fraud. Mullenaux said the matter wasn’t handled with any sense of urgency, and a reverse wire transfer attempt, which the FTC suggests customers ask for, wasn’t offered as an option.
Instead, Mullenaux said the branch employee told him he would receive a packet in the mail within 10 days that he could fill out to file a claim. Mullenaux asked for the packet immediately. He filled it out and submitted it the same day.
That claim, along with a second one Mullenaux filed with the executive branch, were denied. The employees investigating the matter said Mullenaux had called to authorize the wire transfers.
CNBC provided Chase with Mullenaux’s cellular phone records that showed he never made any outgoing phone calls to Chase on the day in question. The records also suggest, when compared with the wire transfer records, that it could not have been Mullenaux who called Chase to authorize the wire transfers because all three were authorized and went through while Mullenaux was still on the phone with the scammers.
However, that didn’t change the bank’s decision and, again, Mullenaux’s claim was denied since he had shared his private information with the criminals.
Scammers exploited regulatory loopholes
Whether the scammers realized they were doing it or not, they successfully exploited two loopholes in current consumer protection legislation that resulted in Chase not being required to replace Mullenaux’s stolen funds. Legally, banks do not have to reimburse stolen funds when a customer is tricked into sending money to a cybercriminal.
However, under the Electronic Fund Transfer Act, which covers most types of electronic transactions like peer-to-peer payments and online payments or transfers, banks are required to repay customers when funds are stolen without the customer authorizing it. Unfortunately, wire transfers, which involve transferring money from one bank to another, are not covered under the act, which also excludes fraud involving paper checks and prepaid cards.
The cybercriminals also transferred funds from Mullenaux’s personal checking and savings accounts to his business account before initiating the wire transfers. Regulation E, which is designed to help consumers get their money back from an unauthorized transaction, only protects individuals, not business accounts.
A representative for Chase said that the investigation is ongoing as the bank tries to recover the stolen funds.
That is something Mullenaux says he is praying for. “I pray that this tragedy is somehow reconciled, that [bank] management sees what happened to me and my money is returned.”
Mullenaux has also filed reports with the local police and the FBI’s Internet Crime Complaint Center, but neither have contacted him about his case.
Sophisticated scamming tactics on the rise
It’s not just Chase customers being targeted by cybercriminals with these sophisticated schemes. This past summer, IronNet uncovered a “phishing-as-a-service” platform that sells ready-made phishing kits to cybercriminals that target U.S.-based companies, including banks. The customizable kits can cost as little as $50 per month and include code, graphics and configuration files to resemble bank login pages.
Joey Fitzpatrick, a threat analysis manager at IronNet, said that while he can’t say for certain that this is how Mullenaux was defrauded, “the attack against him bears all the hallmarks of attackers leveraging the same sort of multimodal tools that phishing-as-a-service platforms provide.”
He expects “as-a-service”-type offerings will only continue to gain traction as the kits not only lower the bar for low- to medium-tier cybercriminals to create phishing campaigns, but it also enables the higher-tier criminals to focus on a single area and develop more sophisticated tactics and malware.
“We’ve seen a 10% increase in deployment of phishing kits in January 2023 alone,” Fitzpatrick said.
In 2022, the company saw a 45% increase in phishing alerts and detections.
But it’s not just phishing schemes on the rise, it’s all cyberattacks. Data from Check Point showed in 2022 there was a 52% increase in weekly cyberattacks on the finance/banking sector compared with attacks in 2021.
“The sophistication of cyberattacks and fraud schemes has significantly increased during the last year,” said Sergey Shykevich, the threat group manager at Check Point. “Now, in many cases cybercriminals don’t rely only on sending phishing/malicious emails and waiting for the people to click it, but combine it with phone calls, MFA [multifactor authentication] fatigue attacks and more.”
Both cybersecurity experts said banks can be doing more to educate customers.
Shykevich said the banks should invest in better threat intelligence that can detect and block methods cybercriminals use. An example he gave is comparing a login to a person’s digital “fingerprint,” which is based on data such as the browser an account uses, screen resolution or keyboard language.
Best advice: Hang up the phone
There was one thing that Chase, federal agencies and cybersecurity experts were all in agreement on: if a customer receives a phone call from their bank and the person starts asking for information, hang up and call the bank back yourself.
“If a consumer gets a call, text or email out of the blue from anyone claiming to be from their bank, alerting them of a problem, the consumer should hang up (or delete the text/email and don’t click on links) and try calling their bank on a phone number they know to be real,” said an FTC spokesman.
Cybercriminals have the ability to spoof caller ID and they may use stolen personal information to trick a victim into handing over money.
Please email CNBC your tips here.