The FBI released the below
information:
Nearly half a million Alabama cell
phone numbers received identical text messages in 2015 telling them to click a
link to “verify” their bank account information. The link took recipients to a
realistic-looking bank website where they typed in their personal financial
information.
But the link was not the actual
bank’s website—it was part of a phishing scam. Just like phishing messages sent
over email, the text message-based scam was easy to fall for. The web address
was only one character off from the bank’s actual web address.
While most recipients appeared to
ignore the message, around 50 people clicked on the link and provided their
personal information. The website asked for account numbers, names, and ZIP
codes, along with their associated debit card numbers, security codes, and
PINs. Within an hour, the fraudster had made himself debit cards with the
victims’ account information. He then began to withdraw money from various
ATMs, stealing whatever the daily ATM maximum was from each account.
“It was a fairly legitimate-looking
website, other than the information it was asking for,” said Special Agent Jake
Frith of the Alabama Attorney General’s Office, who worked the case along with
investigators from the FBI’s Mobile Field Office.
The fraudster, Iosif Florea, stole
about $18,000 (including ATM fees), with losses from each individual account
ranging from $20 to $800. (Banks typically reimburse customers who are victims
of fraud.)
Investigators believe Florea bought
a large list of cell phone numbers from a marketing company, and he only needed
a few victims out of thousands of phone numbers for the scheme to be
successful.
The damage was minimized, however,
because of the bank’s quick response. As soon as customers reported the fraud,
the bank reached out to federal authorities as well as the local media to alert
the community to the fraudulent messages.
“The loss amount could have been
huge,” said FBI Special Agent Dennis Reed, II. “The bank was very proactive in
contacting law enforcement so we could immediately start tracking it.”
And while this was a
technology-enabled crime, the Internet also helped investigators find the
perpetrator. Florea had been captured withdrawing victims’ money by several ATM
security cameras. Investigators posted the surveillance photos to a national
law enforcement message group, and an officer in California recognized Florea.
Florea lived in Arizona but his
victims were primarily in Alabama. He also withdrew money in several other
states over the course of about two months in 2015. Reed and Frith worked with
other FBI offices and local law enforcement across the country to investigate
and arrest Florea.
Florea was indicted and pleaded
guilty to aggravated identity theft and bank fraud charges in 2018, and in
February 2019, he was sentenced to 32 months in prison.
While the FBI and law enforcement
partners investigate these cases and work to bring criminals to justice, it’s
also crucial for consumers to protect themselves and to come forward quickly if
they are victimized.
In addition to never giving out your
PIN, Reed and Frith emphasized that if you receive a request from your bank
through email or text message, always look into it before providing any
information. Banks don’t ask you for your PIN over the phone or in emails or
text messages.
Frausters are also becoming more
sophisticated and including “customer service” numbers in their phishing
messages that route callers back to the fraudsters themselves, not the bank.
That’s what happened in Florea’s case. So not only do consumers need to verify
the authenticity of messages, they also need to ensure they’re calling the right
number to do so.
“Don’t use the phone number provided
in the message; always look up the bank’s actual phone number on your own or
visit the local branch,” Reed said. “Go to an independent source to verify that
text message or email request.”
