Cody Mullenaux and his family. Mullenaux was the victim of a sophisticated wire fraud scheme that has resulted in $120,000 being stolen.
Courtesy: Cody Mullenaux
Banks have spent enormous amounts on cybersecurity and fraud detection but what happens when criminal tactics are sophisticated enough to even fool bank employees?
For Cody Mullenaux, it meant having more than $120,000 wired from his Chase checking account with little hope of ever recouping his stolen funds.
The saga for Mullenaux, a 40-year-old small business owner from California, began on Dec. 19. While Christmas shopping for his young daughter, he received a call from a person claiming to be from the Chase fraud department and asking to verify a suspicious transaction.
The 800-number matched Chase customer service so Mullenaux didn’t think it was suspicious when the person asked him to log into his account via a secured link sent by text message for identification purposes. The link looked legitimate and the website that opened appeared identical to his Chase banking app, so he logged in.
“It never even crossed my mind that I was not speaking with a legitimate Chase representative,” Mullenaux told CNBC.
Gone are the days when the only thing a consumer had to be wary of was a suspicious email or link. Cybercriminals’ tactics have morphed into multipronged schemes, with multiple criminals acting as a team to deploy sophisticated tactics involving readymade software sold in kits that mask phone numbers and mimic login pages of a victim’s bank. It’s a pervasive threat that cybersecurity experts say is driving an uptick in activity. They predict it will only get worse. Unfortunately, for victims of these schemes, the bank isn’t always required to repay the stolen funds.
After he was logged in, Mullenaux said he saw large amounts of money moving between his accounts. The person on the phone told him someone was in his account actively trying to steal his money and that the only way to keep it safe was to wire money to the bank supervisor, where it would be temporarily held while they secured his account.
Terrified that his hard-earned savings was about to be stolen, Mullenaux said he stayed on the phone for nearly three hours, followed all the instructions he was given and answered additional security questions he was asked.
CNBC has reviewed Mullenaux’s cellular records, bank account information, as well as images of the text message and link he was sent.
A Chase spokesman said, “Banks will never ask consumers or businesses to send money to themselves or anyone else to prevent fraud, but scammers will. To confirm you are really speaking to Chase, call the number on the back of your card or visit a branch.”
Cody Mullenaux, the inventor and founder of Aquaphant, a technology company that converts moisture from the air into filtered water, with his team and family.
Courtesy: Cody Mullenaux
a “phishing-as-a-service” platform that sells ready-made phishing kits to cybercriminals that target U.S.-based companies, including banks. The customizable kits can cost as little as $50 per month and include code, graphics and configuration files to resemble bank login pages.
Joey Fitzpatrick, a threat analysis manager at IronNet, said that while he can’t say for certain that this is how Mullenaux was defrauded, “the attack against him bears all the hallmarks of attackers leveraging the same sort of multimodal tools that phishing-as-a-service platforms provide.”
He expects “as-a-service”-type offerings will only continue to gain traction, as the kits not only lower the bar for low- to medium-tier cybercriminals to create phishing campaigns but also enable higher-tier criminals to focus on a single area and develop more sophisticated tactics and malware.
“We’ve seen a 10% increase in deployment of phishing kits in January 2023 alone,” Fitzpatrick said.
In 2022, the company saw a 45% increase in phishing alerts and detections.
But it’s not just phishing schemes on the rise, it’s all cyberattacks. Data from Check Point showed in 2022 there was a 52% increase in weekly cyberattacks on the finance/banking sector compared with attacks in 2021.
“The sophistication of cyberattacks and fraud schemes has significantly increased during the last year,” said Sergey Shykevich, the threat group manager at Check Point. “Now, in many cases cybercriminals don’t rely only on sending phishing/malicious emails and waiting for the people to click it, but combine it with phone calls, MFA [multifactor authentication] fatigue attacks and more.”
Both cybersecurity experts said banks can be doing more to educate customers.
Shykevich said the banks should invest in better threat intelligence that can detect and block methods cybercriminals use. An example he gave is comparing a login to a person’s digital “fingerprint,” which is based on data such as the browser an account uses, screen resolution or keyboard language.
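A sketch of the fingerprint comparison Shykevich describes, as an added example that is not from the article or from any bank's system. The three attributes are the ones named above; the weights, thresholds, action names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Attributes are the ones the article names; weights (out of 10) are assumed.
WEIGHTS = {"browser": 5, "screen_resolution": 2, "keyboard_language": 3}
HIGH_RISK_ACTIONS = {"wire_transfer", "add_payee"}  # assumed action names

@dataclass(frozen=True)
class Fingerprint:
    browser: str
    screen_resolution: str
    keyboard_language: str

def similarity(login: Fingerprint, known: Fingerprint) -> int:
    """Sum the weights of the attributes that match (0 to 10)."""
    return sum(w for attr, w in WEIGHTS.items()
               if getattr(login, attr) == getattr(known, attr))

def best_match(login: Fingerprint, history: list[Fingerprint]) -> int:
    """Score against the closest fingerprint seen before; 0 if none on file."""
    return max((similarity(login, k) for k in history), default=0)

def decide(login: Fingerprint, history: list[Fingerprint], action: str) -> str:
    """Return 'allow', 'step_up' (extra verification) or 'hold' (manual review)."""
    score = best_match(login, history)
    high_risk = action in HIGH_RISK_ACTIONS
    if score >= 8:                      # familiar device
        return "allow"
    if score >= 5:                      # partly familiar
        return "step_up" if high_risk else "allow"
    return "hold" if high_risk else "step_up"   # unfamiliar device

# Constructed sample data, not taken from any real account.
HISTORY = [Fingerprint("Chrome/Windows", "1920x1080", "en-US")]
SAME_DEVICE = Fingerprint("Chrome/Windows", "1920x1080", "en-US")
NEW_MONITOR = Fingerprint("Chrome/Windows", "2560x1440", "en-US")
UNFAMILIAR = Fingerprint("Firefox/Linux", "1920x1080", "fr-FR")

if __name__ == "__main__":
    for name, fp in [("same device", SAME_DEVICE), ("new monitor", NEW_MONITOR),
                     ("unfamiliar", UNFAMILIAR)]:
        print(name, best_match(fp, HISTORY), decide(fp, HISTORY, "wire_transfer"))
```

These attributes are reported by the client and can be imitated, so a match lowers risk rather than proving identity.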