A man in Carlsbad, California said a hacker was able to drain $38,000 from his Bank of America account after compromising his phone in a SIM-swapping attack.
“I can't let this go. I'm never gonna let this go,” said Justin Chan in an interview with Scripps News San Diego at his home.
During an evening in September, he said he started getting strange notifications on his iPhone and realized it had been disconnected from the cellular network.
He later learned he had been a victim of SIM swapping, a scam where a criminal hijacks access to a victim’s cell number.
“I couldn't make any calls in or out, and it shows up on your phone in the upper left-hand corner that there's SOS rather than bars that show,” Chan said.
Chan later learned someone had taken over his Xfinity Mobile number by calling the company and pretending to be him.
“I told them that this is not me. Why did you switch the phone line over? And they basically said, ‘We have verification.’ And I asked them, ‘What kind of verification did you have?’ And they said, ‘We had the last four digits of your credit card.’ And I thought, ‘That was not me, and why would you do that?’” Chan said.
A week later, Chan got a letter in the mail from Bank of America stating three wire transfers had taken place totaling $38,000. He said the wires were sent in the middle of the night while he was sleeping.
“I've never wired money out of Bank of America. It's just been money that's been sitting there waiting for my mom to use as rent, as funds, as food, as utility payments,” Chan said.
One of the wires was for $20,000 and went to a Wells Fargo account.
Scripps News San Diego learned the beneficiary’s name on the Wells Fargo transfer matches the identity of a Sacramento resident, who is a convicted felon and served time for fraud.
Scripps News San Diego is not naming the recipient because he has not been charged in this case.
Chan reported the fraudulent transfers to Carlsbad police and Bank of America. Soon after, he got another letter in the mail.
This time, Bank of America told him his fraud claim couldn’t be honored.
“Our investigation found the transaction in question was confirmed valid by you via SMS text message,” a message from the bank to Chan read.
“That was just as bad as the criminal taking the money from me initially,” Chan said, adding he thinks the bank should’ve stopped the wires from going through.
The FBI told Scripps News San Diego that about 800 cases of SIM swapping have been reported nationwide this year. The number is likely much higher due to underreporting.
“I read a lot of these that come in, and some of them are really horrific,” said FBI intelligence analyst David Tomasz.
The crime cost victims more than $48 million nationally last year, according to the FBI.
Tomasz said there are several ways a criminal can take over a victim’s cellphone number.
“They'll have done research on your victim, and they'll know all of the potential security questions, stuff like their street address or their age or any of that stuff that they can find online,” said Tomasz.
Once a fraudster has a victim’s number ported over, they can get two-factor codes, giving them access to bank accounts, email and other important websites.
Tomasz said if the crime is caught and reported early, law enforcement can execute a “financial kill chain” that freezes the money. But he said it’s still rare, and if time has passed, it’s very unlikely a victim will be able to get their money back.
“For crypto specifically, it's extremely hard because it's not FDIC backed. It can transfer into different currencies and get cashed out very, very quickly. The traditional banking system is a little easier because there's more security awareness on the part of the traditional finances and banks,” said Tomasz.
NerdWallet personal finance expert Melissa Lambarena said there are steps consumers can take to protect themselves.
“You want to make sure that you're keeping unique passwords. That's very important,” Lambarena said. “You can also contact your phone carrier and ask about setting up a PIN. So, whenever there is a change to your account, this PIN will be required.”
After Scripps News San Diego got involved, Bank of America reopened its investigation of Chan’s case. However, the bank has not yet said if Chan will receive a refund for the stolen funds.
Bank spokeswoman Naomi Patton said she couldn’t comment on this case while the investigation is ongoing. But she said Bank of America prioritizes client protection and reimburses customers for fraud losses it determines were from verified, unauthorized transactions.
A spokesperson for Xfinity Mobile told Scripps News San Diego it is working to help address the issue for Chan.
“SIM swapping is an issue affecting the entire mobile industry, and all providers are trying to combat it. Xfinity Mobile has protocols in place and is implementing recent guidance from the FCC to attempt to mitigate consumer scams like this one,” said Joel Shadle in a statement.
Chan said he is speaking out hoping his story will prevent others from becoming a victim of SIM swapping.
“This could happen to anybody,” he said.
The FBI encourages victims of the crime to report it to the Internet Crime Complaint Center by visiting IC3.gov.
This story was originally published by Austin Grabish at Scripps News San Diego.