The FBI released the below information:
Nearly half a million Alabama cell phone numbers received identical text messages in 2015 telling them to click a link to “verify” their bank account information. The link took recipients to a realistic-looking bank website where they typed in their personal financial information.
But the link was not the actual bank’s website—it was part of a phishing scam. Just like phishing messages sent over email, the text message-based scam was easy to fall for. The web address was only one character off from the bank’s actual web address.
While most recipients appeared to ignore the message, around 50 people clicked on the link and provided their personal information. The website asked for account numbers, names, and ZIP codes, along with their associated debit card numbers, security codes, and PINs. Within an hour, the fraudster had made himself debit cards with the victims’ account information. He then began to withdraw money from various ATMs, stealing whatever the daily ATM maximum was from each account.
“It was a fairly legitimate-looking website, other than the information it was asking for,” said Special Agent Jake Frith of the Alabama Attorney General’s Office, who worked the case along with investigators from the FBI’s Mobile Field Office.
The fraudster, Iosif Florea, stole about $18,000 (including ATM fees), with losses from each individual account ranging from $20 to $800. (Banks typically reimburse customers who are victims of fraud.)
Investigators believe Florea bought a large list of cell phone numbers from a marketing company, and he only needed a few victims out of thousands of phone numbers for the scheme to be successful.
The damage was minimized, however, because of the bank’s quick response. As soon as customers reported the fraud, the bank reached out to federal authorities as well as the local media to alert the community to the fraudulent messages.
“The loss amount could have been huge,” said FBI Special Agent Dennis Reed, II. “The bank was very proactive in contacting law enforcement so we could immediately start tracking it.”
And while this was a technology-enabled crime, the Internet also helped investigators find the perpetrator. Florea had been captured withdrawing victims’ money by several ATM security cameras. Investigators posted the surveillance photos to a national law enforcement message group, and an officer in California recognized Florea.
Florea lived in Arizona but his victims were primarily in Alabama. He also withdrew money in several other states over the course of about two months in 2015. Reed and Frith worked with other FBI offices and local law enforcement across the country to investigate and arrest Florea.
Florea was indicted and pleaded guilty to aggravated identity theft and bank fraud charges in 2018, and in February 2019, he was sentenced to 32 months in prison.
While the FBI and law enforcement partners investigate these cases and work to bring criminals to justice, it’s also crucial for consumers to protect themselves and to come forward quickly if they are victimized.
In addition to never giving out your PIN, Reed and Frith emphasized that if you receive a request from your bank through email or text message, always look into it before providing any information. Banks don’t ask you for your PIN over the phone or in emails or text messages.
Frausters are also becoming more sophisticated and including “customer service” numbers in their phishing messages that route callers back to the fraudsters themselves, not the bank. That’s what happened in Florea’s case. So not only do consumers need to verify the authenticity of messages, they also need to ensure they’re calling the right number to do so.
“Don’t use the phone number provided in the message; always look up the bank’s actual phone number on your own or visit the local branch,” Reed said. “Go to an independent source to verify that text message or email request.”