Column: That fraud alert on your phone? It could be part of the scam
Most con artists are just rolling the dice, laying traps they hope unwary consumers will stumble into.
This one did his homework in targeting a specific victim — and made off with more than $10,000 from a Chase bank account.
The episode serves as a wake-up call for all of us to be very cautious when interacting with businesses, even when everything appears to be on the up and up.
It also once again raises questions about how adequately Chase protects its customers.
Denise Denton, 41, recently received a legitimate-looking fraud alert from Chase notifying her about a $505 purchase at Walmart. The text message asked her to confirm that the purchase was hers.
“I texted back to say I didn’t know anything about it,” the Texas resident told me. “Then, almost immediately, I got a call from a Chase customer service representative.”
The call appeared to originate from Chase. The rep said he needed to secure Denton’s checking account. He texted her a verification code to make sure she was the account holder.
The rep also shared with Denton the last four digits of her Social Security number, which she confirmed.
“There was nothing suspicious,” Denton said. “How could anyone but Chase have so much information about me — my name, my phone number, my Social Security number?”
Wait, it’s about to get much, much worse.
Denton said that as she was speaking with the service rep, she opened the Chase banking app on her phone and changed her password.
“The guy immediately said he saw that my password was just changed.”
Not that Denton was particularly surprised. She was talking to Chase, after all. Of course they could see her account, including her new password.
The rep quickly brought the call to a close. He said he’d be sending a case number via email. And then he hung up.
“It was very abrupt,” Denton recalled.
Within seconds, she said, her husband, with whom she shares her Chase account, received a text from the bank notifying him that $10,600 had just been transferred elsewhere — almost all their money.
Let’s pause a moment to appreciate the deviousness of this scam. The fraudster either was a Chase insider or had gone to great lengths to dupe his victim.
He clearly had access to Denton’s personal information, which could have been caught up in one of the hundreds of data security breaches reported each year.
The fraudster, if not a Chase insider, also apparently had hacked Denton’s phone or banking app (or both). The fact that he saw the password change in real time is perhaps the most alarming aspect of all this.
This next part of the story will be familiar to anyone who remembers my other recent columns about Chase. In one, I wrote about a La Palma couple who discovered $22,000 was missing from their account.
They said Chase gave them the run-around in recovering the funds until I got involved. Within days, their money was restored.
Then there was an episode involving a Sherman Oaks man who nearly lost $60,000 to a scammer. But shortly afterward, the same fraudster returned and managed to make off with $19,000.
Paul Benda, senior vice president of risk and cyber policy for the American Bankers Assn., told me that scammers “have increased their efforts to gather customer information that lets them hack accounts.”
When money goes missing, some banks appear to have more difficulty than others making customers whole. Chase has shown itself in recent months to be among the most reluctant to do this.
That initial fraud alert arrived in Denton’s phone on April 1 (I know — April Fool’s Day). After the $10,600 was whisked from their account, she and her husband rushed to a nearby Chase branch to report the incident.
The necessary paperwork, they were told, wasn’t available. They’d have to return about a week later to submit a written report.
After they did that, they called Chase repeatedly to ask when their funds would be restored. The bank kept telling them to try again in a few days, Denton said.
Gradually, she told me, it became evident that Chase suspected she was complicit in the fraud. How else to explain all the details the scammer knew about her and the degree of access he had to her account?
So Denton set about proving her innocence. Using security data available on her Chase app, she saw that the $10,600 wire transfer didn’t originate on her phone. It was made via the Chase.com website.
“I don’t use the website,” Denton said. “I only use the banking app.”
Moreover, the records showed that the Chase site had been accessed with a Mac computer. That too provided a pretty solid alibi.
Denton is an executive with Texas-based Dell, maker of personal computers and laptops that run the Windows operating system.
“I don’t own a Mac,” she said. “All my computers are Dell.”
Nevertheless, Denton said, Chase refused to back down. So she contacted me last week to see if I could help. I in turn reached out to Chase and walked a company exec through the known facts.
I suggested they try to corroborate Denton’s story by checking on her history with the Chase.com website and whether she’d ever accessed her account using a Mac. I pointed out that it’s unlikely she’d have gotten in touch with me if she was perpetrating a crime.
I also noted that she’d reported the incident to the police, the Texas attorney general and the Consumer Financial Protection Bureau — not the typical moves of a bank robber.
The whole thing appeared to have been an elaborate ruse by a con artist to obtain the password necessary to initiate an online cash transfer.
A day later, Denton told me, Chase restored the $10,600 to her account.
Gone was Chase’s concern that she was trying to pull a fast one on the bank. Instead, Denton said, a company official told her she “did everything I should have done in a timely manner as a customer.”
Peter Kelley, a Chase spokesman, cited “security reasons” in declining to provide specifics about what the bank’s investigators learned.
“Unfortunately, our customer was a victim of an outside scam,” he said. “After reviewing the details of her situation, we reimbursed her.”
I asked if it seemed as though Chase customers often have to struggle to resolve incidents of fraud.
Kelley said only that “we deploy a number of measures to defend against and identify new security threats, and we work directly with our customers when they tell us of their concerns.”
If customers have questions about a call, text or email from the company, he said, don’t provide any personal info.
“Call the number on your debit or credit card and ask to speak to someone about the inquiry,” Kelley advised. “Ask us to confirm if we sent you a communication.”
And if weeks or months pass without the company returning your money, you know where to find me.