Cody Mullenaux and his family. Mullenaux was the victim of a sophisticated wire fraud scheme that resulted in the theft of $120,000
Courtesy: Cody Moulineaux
Banks spend huge amounts of money on cyber security and fraud detection but what happens when the criminal tactics are sophisticated enough to fool bank employees?
For Cody Moulineaux, that meant more than $120,000 was withdrawn from his Chase checking account with little hope of ever getting the stolen funds back.
For Mullenox, a 40-year-old small business owner from California, the saga began on Dec. 19. While Christmas shopping for her young daughter, she received a call from a man claiming to be from the Chase fraud department and asked to verify. a suspicious transaction.
The 800-number matched Chase customer service so Moulineaux didn’t guess when the person asked her to log into her account via a secure link sent by text message for identification purposes. The link looked legit and the website that opened looked similar to her Chase banking app, so she logged in.
“It never crossed my mind that I wasn’t speaking with a legitimate Chase representative,” Mullenox told CNBC.
Gone are the days when the only thing a consumer had to be wary of was a suspicious email or link. Cyber criminals’ tactics have changed to multi-pronged schemes, with several criminals working as a team to include readymade software sold in kits, which Mimic the victim’s bank phone numbers and fake login pages. It’s a widespread threat that cyber security experts say is increasing in activity. They predict it will only get worse. Unfortunately, for the victims of these schemes, the bank is not always required to repay the stolen funds.
After logging in, Moulineaux said he saw large amounts of money being transferred between his accounts. The person on the phone told her that someone in her account was actively trying to steal her money and that the only way to keep it safe was to wire the money to a bank supervisor, where it would be held temporarily while they examined her. Account was saved.
Fearing that his hard-earned money was about to be stolen, Moulineaux said he stayed on the phone for nearly three hours, following all the instructions he was given and answering additional security questions.
CNBC has reviewed Mullennox’s cellular records, bank account information, as well as images of text messages and links sent to him.
gang of scammers
Moulineaux, who is the inventor and founder of Aquafant, a technology company that converts moisture from the air into filtered water, did not know that the person on the phone was part of a sophisticated cybercriminal team.
While Mullennox spoke with this fake fraud department representative, a second scammer was impersonating Mullennox on another phone call with Chase to authorize a wire transfer. All answers to security questions asked from Moulineaux were being passed on to another scammer. This allowed fraudsters to provide correct answers and convince a Chase employee that they were speaking to the account holder.
The hoax worked. Once a Chase employee was convinced that it was Mullenox who called to authorize three wire transfers, more than $120,000 disappeared from his bank account and despite his best efforts none of it was retrieved Went.
In a statement to CNBC, a Follow “Banks will never ask consumers or businesses to send money to themselves or anyone else to prevent fraud, but scammers will,” the spokesperson said. To confirm that you are indeed speaking to Chase, Call the number on the back of your card or visit a branch.”
Cody Mullenaux, inventor and founder of Aquafant, a technology company that converts moisture from the air into filtered water, with his team and family.
Courtesy: Cody Moulineaux
Little help for victims of wire scams
Moulineaux said he felt frustrated and defeated about his experience recovering his stolen money.
“No matter what they do to try and keep customers safe, the scammers are always one step ahead,” Mullenox said, adding that their money is more like a shoe than a big bank. Safe in the box, which is being targeted by cyber criminals.
The Federal Trade Commission advises that any customer who thinks he or she has sent money to scammers via wire transfer should contact their bank immediately, report the fraudulent transfer, and ask for it to be returned.
The FTC told CNBC that timing is critical when trying to recover funds sent via fraudulent wire transfers. The agency said victims should report crimes to the agency as well as to the FBI’s Internet Crime Complaint Center on the same day or, if possible, the next day.
Moulineaux said he realized something was wrong the next morning when the money was not returned to his account.
He immediately went to his local Chase Bank branch where he was told he had been a victim of fraud. Moulineaux said the matter was not handled with any sense of urgency, and a reverse wire transfer attempt, which the FTC suggested customers demand, was not offered as an option.
Instead, Moulineaux said the branch employee told her she would receive a packet in the mail within 10 days that she could fill out to file a claim. Moulineaux immediately asked for the packet. He filled it and submitted it the same day.
That claim as well as a second one Mulyneux filed with the executive branch were denied. Staff investigating the case said that Moulineaux made the call to authorize the wire transfer.
Cody Moulineaux and his daughter. Moulineaux was shopping for Christmas presents for his daughter when he received a phone call from a man impersonating an employee of the Chase fraud department.
Courtesy: Cody Moulineaux
CNBC provided Chase with Mullennox’s cellular phone records, which showed that he never made any outgoing phone calls to Chase on the day in question. The records also suggest, when compared with the wire transfer records, that it could not have been Mullenaux who called Chase to authorize the wire transfer as all three were authorized and gone through when Mullenaux Was still on the phone with the scammers.
However, this did not change the bank’s decision, and Mullenox’s claim was again rejected because she had shared her personal information with the criminals.
Scammers took advantage of regulatory loopholes
Whether the scammers realized they were doing this or not, they successfully exploited two loopholes in current consumer protection legislation that resulted in Chase not being required to replace Mullenix’s stolen funds. Legally, banks are not required to reimburse stolen funds when a customer is tricked into sending money to a cyber criminal.
However, under the Electronic Funds Transfer Act, which covers most types of electronic transactions such as peer-to-peer payments and online payments or transfers, banks are required to repay customers if funds are stolen without the customer’s authorization. Unfortunately, wire transfers, which involve transferring money from one bank to another, are not covered under the act, which does not include fraud involving paper checks and prepaid cards.
The cyber criminals transferred funds from Mullennox’s personal checking and savings accounts to their business accounts before initiating the wire transfers. Regulation E, which is designed to help consumers get their money back from unauthorized transactions, only protects individuals, not business accounts.
A Chase representative said the investigation is ongoing as the bank seeks to recover the stolen funds.
Mullenaux says that’s what he’s been praying for. “I pray that this tragedy is somehow resolved, that [bank] Management looks into what happened to me and my money is returned.”
Moulineaux has also filed reports with local police and the FBI’s Internet Crime Complaint Center, but no one has contacted him about his case.
Sophisticated scamming tactics are on the rise
It is not just stalking customers that are targeted by cyber criminals with these sophisticated schemes. Last summer, IronNet disclosed a “phishing-as-a-service” platform that sells ready-made phishing kits to cybercriminals targeting US-based companies, including banks. Customizable kits can cost as little as $50 per month and include code, graphics, and configuration files that are similar to bank login pages.
IronNet’s Threat Analysis Manager Joy Fitzpatrick said that although he could not say with certainty that Mullennox was duped in this way, “the attack against him has all the hallmarks of attackers who take advantage of the same multimodal tools.” pick up which are phishing-like.-provide-as-a-service platforms.”
He expects the “as-a-service”-type offering will only continue to gain traction as the kits not only lower the bar for low- to medium-level cybercriminals to create phishing campaigns, but also allow higher Also enable high-level criminals to concentrate. Develop more sophisticated tactics and malware on the same field.
“We see a 10% increase in phishing kit deployments in January 2023 alone,” Fitzpatrick said.
In 2022, the company sees a 45% increase in phishing alerts and detections.
But it’s not just the rise in phishing schemes, it’s all cyberattacks. Data from Check Point in 2022 shows that there was a 52% increase in weekly cyber attacks on the finance/banking sector compared to attacks in 2021.
“The sophistication of cyberattacks and fraud schemes has grown significantly over the past year,” said Sergei Shaykevich, Threat Group Manager at Check Point. “Now, in many cases cyber criminals don’t just rely on sending phishing/malicious emails and waiting for people to click on it, but combine it with phone calls, MFA [multifactor authentication] Fatigue attacks and more.”
Both cyber security experts said banks could do more to educate customers.
Shaykevich said banks should invest in better threat intelligence that can detect and block methods used by cybercriminals. One example he gave is comparing a login to a person’s digital “fingerprint”, based on data such as the browser an account uses, screen resolution or keyboard language.
Best Tip: Hang up
There was one thing Chase, federal agencies and cybersecurity experts all agreed on: If a customer receives a phone call from their bank and the person starts asking for information, hang up the phone and call the bank yourself.
“If a consumer receives a call, text or email out of the blue from someone claiming to be from his/her bank, the consumer should hang up the phone (or delete the text/email and not click on the link should) and try to call their bank on a phone number they know to be real,” said an FTC spokesperson.
Cyber criminals have the ability to spoof caller ID and can use stolen personal information to trick a victim into handing over money.
please email suggestions [email protected]