Case Study: Fraudulent Charge Bank Scam

Got a call from my bank this morning. For the sake of example, I’ll say it was Wells Fargo Bank (it isn’t actually, I’ll keep the bank name private). It came from their main number that I have saved in my contacts, so my custom name for that bank contact and the official phone number appeared on the caller ID. Guy had an American voice, very professional, said he was calling in reference to a suspected fraudulent charge that their systems had flagged. He said the charge was in person at a Best Buy in Nevada paid through Samsung Pay. He said their security systems had just blocked the charge and Wells Fargo wanted to call me and see if it was me or not. For identity verification, he told me the last 4 of my social, my address, my email, and my Wells Fargo banking online username and asked if I was traveling or if it was fraudulent. I said that wasn’t me. So then he asked if I got a fraud warning notification on my phone from the banking mobile app. I said no. So then he said he was going to enable fraud warning push notifications on my account because it looked like they were not enabled and that he was going to set up 2-factor auth on my account. Okay, fine, sounds good, I said.

But I wanted to log into the bank’s web app to confirm this myself, so I silently logged in and dug around in the settings. Right around that time, I got a text that said “Wells Fargo Bank: Your online banking is temporarily suspended and requires immediate action” but what was weird was that it came to my backup phone number – my Google Voice number – which is a number that I use for public things like posting stuff on Craigslist – instead of my main phone that I try to keep closely guarded and secret which I have tied into my Wells Fargo account. That’s what got my spidey senses tingling. Why did this message come to a different phone number? I checked Wells Fargo, and nowhere was that less-guarded Google Voice phone number in Region’s systems. Uh huh. So I logged out and logged back in. Was able to get into the web account in spite of this strange message I just got about my account supposedly being deactivated.

I then probed a little more. I asked him what card was the fraudulent charge on? And he told me it was the card with these first 4 digits – and those did match the first 4 digits of my Wells Fargo Mastercard. But that was the next strike against him. The first 4 digits of a card follow a certain convention that is public. That’s how a website can know if it is a Mastercard or a Visa when you start typing in the first few letters. But since he didn’t tell me the last 4, that reduced my trust in him even further. And then he said he was going to re-enable 2 factor auth on my account and I got another Wells Fargo 2 factor auth SMS text to my main number, the one that was actually registered to the Wells Fargo account. And this one looked official, like it was from Wells Fargo. He then asked me to share the 2 factor auth code. That’s when I knew he was a con man in the middle of doing a password reset request on Wells Fargo to try to get into my account. I told him I wasn’t giving him my 2 factor auth code and he immediately hung up.

So this guy had spoofed the caller ID so the phone call looked like it came from the official Wells Fargo bank phone number and used my stored contact name on my phone, and he knew the last 4 of my social, my address, my email, and my Wells Fargo banking online username, and he told me all these to try to make me believe he was legit. He also knew both my phone numbers that I own but he didn’t know which one was tied to the Wells Fargo account. So he sent a fake SMS himself saying that my account was suspended. But he guessed wrong the first time on his spoofed SMS, so then he initiated a real password reset request via Wells Fargo’s app, which then triggered an actual 2-factor auth cycle using the other phone number, the correct one. Thankfully I didn’t fall for it and give him the 2-factor auth code like he wanted, so he couldn’t get in and he immediately hung up when he realized I wasn’t going to play ball.

It’s a crazy world out there. Thought I would share this story as a reminder that there is a ton of information about you floating around online that seedy characters can acquire. But don’t let your guard down even if someone seems legit. Keep your credit accounts frozen if possible, keep an eye on your books, and always be suspicious when talking to people and verify independently before you act. Godspeed. 🫡
