“Your checking account balance is low.” It’s an alert none of us wants to receive, especially if we’ve just been paid. But that was the message that a friend—let’s call him Ron—got recently. A hacker had gained control of his account and started bleeding it dry.
Ron, it turns out, was lucky to have received that alert. Another friend—let’s call him Arthur—received no such alert when his account was also taken over by hackers this summer.
Both are customers of Bank of America, which was the victim of a data breach earlier this year. The reality, though, is that this could occur at any bank, so it’s worth understanding what happened and what steps consumers can take to toughen their defenses against a similar attack.
For both Ron and Arthur, the thieves’ playbooks were similar. The first step was to gain control of their online accounts. In Arthur’s case, it was a two-step process. First, the crooks tricked his cell phone carrier into activating a new phone with Arthur’s number. Then, the thieves went to Bank of America’s website and requested a password reset. To authenticate the hacker, Bank of America sent a text message to Arthur’s phone number, which the thieves had in their control. That gave them access to Arthur’s account, where they were able to make a note of Arthur’s account number and—he thinks—see copies of canceled checks with Arthur’s signature.
Next, the crooks walked into a Bank of America branch in another state and requested a cash withdrawal. They had Arthur’s account number, and the signature used matched the signature on file. The thieves didn’t have any identification, though, so for authentication purposes the bank teller sent a code to Arthur’s phone number, which the crooks had in their possession. While the details are still unclear, apparently that process is sufficient for a teller to authenticate a customer. The hackers were then able to walk out with $10,000 in cash from Arthur’s account. Later that day, the crooks did the same thing at another branch and walked out with Arthur’s remaining account balance.
Hearing this story, you might wonder about the safeguards that should have been in place. Sadly, thieves are often a step ahead. They knew that banks typically email customers when their passwords have changed, and Bank of America did do that. But to cover their tracks, the hackers buried Arthur’s email box in spam messages. In the space of minutes, hundreds of thousands of messages came in, making it impossible for Arthur to see the all-important message from the bank.
Ron’s experience was very similar, including the flood of spam. But instead of walking into a branch, the hackers took a different tack. After gaining access to Ron’s online login, they opened a new joint account in the names of Ron’s wife and another, presumably phony, individual. They then transferred Ron’s checking account balance into this new account and, from there, wired the funds out to an account owned by the crooks.
While Bank of America has committed to restoring the stolen funds to both Arthur and Ron, these experiences have nonetheless been a significant headache. By siphoning off nearly every available penny, the thieves triggered a financial domino effect. Scheduled transactions—from mortgage payments to electric bills—all failed, and neither had any access to cash.
Years ago, I recall attending a presentation by technology executives from J.P. Morgan. What surprised me was the frequency of cyberattacks they described. They measured them by the number of attempted attacks per day. In other words, it’s an ongoing battle, and there’s no silver bullet, so I recommend doing everything you reasonably can. Here are 12 steps to consider:
- Job No. 1 is to secure the logins to all your financial accounts. Use a password manager that will generate long passwords. Be sure you have two-factor authentication (2FA) enabled. If your bank offers a choice, go for the 2FA option that employs an authenticator app, such as Google Authenticator, Authy or Symantec VIP. That way, even if hackers get hold of your cell phone number, as they did in Arthur’s case, they’ll have a much harder time accessing your account. If your bank offers only text message-based two-factor authentication, I’d switch banks. It’s that important.
- Set up account alerts. If your balance falls too low, or if a withdrawal is unusually large, your bank can let you know immediately. Most banks offer a variety of flexible alert options. Fortunately, despite the flood of spam, Ron spotted an alert like this, and that allowed him to take action more quickly. But as noted, since hackers sometimes target email inboxes and sometimes target cell phones, be sure you have alerts set up to communicate through both channels. Your bank might also offer alerts that are sent through its mobile app, offering a third channel.
- Secure your cell phone account. Call your carrier and ask if you can put in place an account password. That would prevent a hacker from tricking a hapless phone store employee into giving out your phone number.
- Secure your bank account with a verbal password. If a hacker tries calling your bank to initiate a transaction, a verbal password—which is different from your online password—can help thwart that line of attack.
- Because this year’s Bank of America data breach included account logins, I suggest changing your user ID if you’re a Bank of America customer.
- Have more than one bank account. While I generally advocate consolidating accounts, Arthur was lucky to have another ATM card in his wallet. Even though Bank of America committed to restoring his funds, it took time. And in Ron’s case, the bank understandably locked down all his accounts. But with all of his accounts at Bank of America, that put him in a difficult position, unable to pay bills for an extended period.
- Don’t use your ATM card as a debit card. If you use your ATM card only for cash withdrawals, that will prevent your card number from being swept up if there’s a data breach at a retailer where you’re a customer.
- If you have a safe in your home, hold some cash there. I don’t mean to sound extreme, but it could help in certain situations. Years ago, for example, a blackout affected New York City, knocking out large numbers of ATMs for an uncomfortably long period.
- Never respond to inbound inquiries of any kind, no matter how authentic they might look or sound. If you receive a text or email, ignore it. Never click on any links or call any numbers that these messages provide. And if you receive a call, hang up. If you aren’t sure whether the communication was legitimate, call your financial institution using a phone number you find on the back of your bank card or on the bank’s website.
- Install malware protection software such as Malwarebytes on your computer.
- If you see any of the warning signs described here—whether it’s a flood of spam or a “no service” message on your cell phone—call your financial institutions immediately.
- If you ever have a problem along these lines, consult the Federal Trade Commission’s website, which provides useful resources and recommendations. Also, file an incident report with your local police department, and contact credit agencies to put a fraud alert in place.
Adam M. Grossman is the founder of Mayport, a fixed-fee wealth management firm