Seven Citibank customers claim a total of $600,000 disappeared from their bank accounts.
Daly City’s Chapman Ng lost $80,000.
“To be honest, I can’t even sleep,” Ng said.
Stephen Lee of San Jose was robbed of $81,000.
“I got ripped off. I didn’t know what happened,” Lee said.
And Kai Chin said she lost $65,000.
“Well, my heart was really beating. So, I just, my hand was shaking a bit,” Chin said.
The seven victims have something in common. All were Citibank customers, lost their money via wire transfer, and all the victims were Asian.
According to Chin, it all started when someone changed their cell phone’s SIM card.
“Without any ID, without my signature, someone replaced my SIM card in Philadelphia. I’m in California,” he said.
From there, the hackers appeared to take over his Citibank account and wired $65,000 from it.
Mark Ostrowski of Checkpoint Software Technologies, an internet security company, says, “This is called a SIM swapping attack. It is very common and has great consequences.
And here’s how it works: A scammer buys your personal information on the dark web, walks into the store, and pretends to lose their phone. He gets a new SIM card and a new phone. It then connects it to your number.
Verizon says it is investigating.
“So it can have really disastrous effects when someone does a SIM swapping attack, because you lose that multi-factor authentication protection that you thought you had,” Ostrowski said.
For Lee, it all started when he had trouble logging into his Citibank account. A message from a supposedly Citibank phone number popped up asking her to call.
The person on the phone asked him for permission to take control of his computer remotely.
Lee was prompted to log back into his Citibank account and advised to wait two hours for the issue to be resolved. After the call ended, he became suspicious.
Citibank would later tell him that $81,000 had been wired from his account. Turns out the person he was talking to was an impostor.
“I was led to believe that I was working with a Citibank employee. I did the wrong thing,” Lee said.
Ng checks his bank account daily for possible overcharges.
“My money doesn’t fall out of the blue, you know,” he said.
However, someone managed to change the email address linked to his bank account. And within an hour, three successful wire transfers of $50,000, $30,000 and $75,000 had been completed.
Ng spotted the transfers and immediately informed Citibank.
All of the victims blamed Citibank for not verifying transactions using two-factor authentication.
Ostrowski said, “A sophisticated attacker would disable these notifications if they gained access to your account before they actually made the wire transfer.”
On Wednesday, Citibank refunded all of Ng’s money, while the others weren’t so lucky.
Ostrowski suggests changing passwords frequently and investing in a good password vault to track them.
Citibank also suggests that if a customer receives unsolicited messages, do not provide personal or account information. But instead, contact Citibank immediately through the Citibank app or website, or by calling the customer service number listed on their website.
Comments are closed.