In a world where scammers are increasingly finding new ways to steal from our accounts, my guard is instantly up when I receive a text message from my bank. But hackers are getting a lot wiser at their game. So much so that I almost fell for a scam this month.
Here’s what happened – and the (slightly embarrassing) lessons I learned.
One recent morning, Bank of America appeared to reach me via text message to notify me of a fateful attempt to hack my checking account. My first thought? “Yeah right.” I assumed this was a phishing scam aimed at retrieving my account username and password.
But upon closer inspection, I did not know what to believe.
Here is a snapshot of the text to which I replied, “No.”
The part I was stuck on was the mention of Waltham, Massachusetts. I had been near that town while on vacation a week before. I had actually used my bank card at a few places while I was visiting.
Was it possible that scammers had “shimmed” my card and stolen information on its chip? Had they then tried to access my account? And had Bank of America caught them in the act and sent me this warning?
Another compelling part was that after I answered “No” to the text, I received a reply that said call 866-500-6260 to change my username and password. The detective in me decided to dial the number. After a few rings, the “Bank of America Client Protection” board came on the line.
I hung up and continued to investigate.
While the Waltham reference was interesting, I saw some red flags suggesting that the text was probably fake. First, my “online ID” was incorrect. A junior hacker might like to use my first initial followed by last name to log in, but they will not succeed!
I also found that the Bank of America logo after the text was a bit skewed. Was it an attempt to legitimize a text that was not otherwise truthful?
Furthermore, when I googled the 866 number in the text, it was not clear if it belonged to Bank of America. No search results linked this number to the bank.
And then strange things happened.
I received a phone call from a suspected Bank of America representative who followed up on the text exchange. She called from 877-551-0215, a number I quickly looked up, and I again found no sign that it was affiliated with the bank. To my surprise, this person was polite, friendly, calm and pronounced my name correctly (no easy feat).
This “rep” started by saying that since I had confirmed in that text with a “No” that the transaction had not been approved, I had to reset my password with her. Before she could continue, I told her I was confused. I said that, honestly, I was not really sure the text I received was legitimate. Not wanting to take any risks, I kindly let her know that I just wanted to call Bank of America myself to see what this was all about. She said she understood and that I should call the number on the back of my bank card. Good advice from a hacker? Now I’m really amazed.
My next step was to log in to my Bank of America online account. And wouldn’t you know it, the first page that appeared after I successfully logged in said I had to reset my password due to suspicious activity. It did not refer to any activity in Waltham, but it was a strange case.
Was the text legit after all? Was this representative who called me a real Bank of America employee and not a poser, as I had suspected? Was I too skeptical for my own good? I followed the instructions on the Bank of America website (after double-checking that the site was actually correct) and reset my account information.
I was annoyed with myself for being so confused about the situation. Scams are usually easy enough to detect. You may see word misspellings in a text or an explicit request for your password. Sometimes communication sounds urgent and alarming. I did not really experience it here.
I contacted Bank of America’s PR team to better understand its protocols to warn customers of possible fraud. I also sent them the message I had received, including the text message and phone numbers involved.
Here is what a bank spokesman confirmed:
- Bank of America sometimes sends text messages asking customers to verify a transaction, but the text I received was not from the bank. The phone number in the text was not a Bank of America line.
- Actual text messages from the bank would not be alarming or ask clients to provide sensitive information.
- The phone call after the text message was also fraudulent, which is creepy but not unusual.
- Asking me to change my password over the phone was a serious red flag.
And there you have it. The text was fake and the friendly woman on the phone with an ability to pronounce Iranian names correctly was a thief. She was trying to steal my money. And think about it, when she called, she did not say, as Bank of America representatives usually do, that the call was “recorded.” Nothing official. Just “Hi Farnoosh. We need to reset your password.”
But why did Bank of America make me reset my password after logging in to my online account? Well, like I originally assumed, it’s because the person who texted me (from Waltham) was actually trying to hack my account. They had tried at least once, were unsuccessful and decided to text me to get my password. At that point, when it saw the attempts, Bank of America got me to reset my password after I logged in.
In the end, my skepticism (thankfully) prevailed. But it was not always clear what was going on and whether the bank messages were fake or genuine. But I’m not going to beat myself up about it. The overall lesson is – whether via text, email or a voice call – be suspicious and go with your pessimistic gut. I trust that financial institutions are working hard to protect customer accounts and prevent fraud. After all, the loss of money and customer trust are serious costs to them. But we must be the greatest economic advocates we can be for ourselves. No one cares more about my money than me. And that’s bad news for scammers.