I Helped Myself Get Hacked
My Saturday started out like it normally would. Grab a coffee, check my emails, get a plan together for what I needed to do that day. By all accounts, it started out pretty normal. I went online to Z-Supply to order a pair of shorts that I wanted. During the checkout, I experienced an issue on the website while using Apple Pay, so ultimately, I tried to check out for the pair of shorts multiple times! My card was authorized three different times, but Z-Supply customer support wasn’t open, so I went on with my weekend as normal, planning to contact them on Monday.
Monday rolls around, and I get a call from my bank, Wells Fargo. I knew it was them, because I have their number saved as a contact on my phone. I thought, “Oh, they are calling me about the triple transaction from Saturday.”
My Conversation with Wells Fargo
Evan: Hi, this is Evan with Wells Fargo Fraud.
Me: Oh, hey! Are you guys calling about the Z-Supply transactions from Saturday?
Evan: No. I do see those transactions, but I’m calling about the suspicious $1,000 and $500 charges that were made to your account. Before moving on, I want to confirm that if we get disconnected for any reason, I’ll call you right back. Can you please verify your username for me?
Me: Oh, I didn’t even know about those. Sure, it’s @myusername
Evan: Thank you for confirming that, Erica. Does this name sound familiar? I have a Zelle transaction going to “RICHGIRLS” in Florida.
Me: No, that’s definitely not familiar. That wasn’t me.
Evan: Okay, thank you. How about a Zelle transaction going to “RICHGIRLS” in Kansas?
Me: No! Absolutely not.
Evan: Thank you for confirming that information for me, Erica. On my end, it looks like they have turned off your alerts, which is why you didn’t receive any notifications about these fraudulent charges that were made to your account. I’m going to go ahead and switch those back on for you, okay?
Me: Yes, please.
Evan: Okay, Wells Fargo is going to send you a text, and since I’m already in your account, just go ahead and read off that number for me. I’ll need it to begin the reimbursement process.
Where the Mistake was Made
This is the part where I made a mistake. Wells Fargo did text me. It read: “Wells Fargo will never call or text you for this code. Don’t share it. Enter advance access code online to verify your identity.”
Me: Okay, I have the text, but it says not to read it, though.
Evan: I know it does, but I’ll need the code to begin the reimbursement for the fraud.
It’s important to note that I was genuinely confused at this point. Wells Fargo had called me from their own number, then they asked me to do something that their text says not to do, but I was on the phone with Wells Fargo and receiving texts from them in real-time, so I just went along with it.
Me: Okay, the code is 123456
Evan: Thank you, Erica. I’ll take care of this for you. You have a good rest of your day.
That concluded the phone call, and I immediately began getting legitimate text message alerts from Wells Fargo about fraudulent transactions that said to respond “No” if it wasn’t me, and to call Wells Fargo. So, I responded “No” to both messages.
After this, I had this gut-sinking feeling that I had been hacked. I even messaged a coworker, “I think I just got hacked.”
So, I called Wells Fargo and spoke to someone. They said that the transactions were flagged as fraud (because I had responded “No” to the text messages), but that no one from Wells Fargo had called me. I relayed that Wells Fargo did call me from the number that I had saved to my phone, and that I thought it was strange that they would ask me for the number from my text message. That is when they confirmed that I shouldn’t have given that confirmation number over the phone (duh, I knew that), and to avoid situations like this, I should hang up the phone and call Wells Fargo back.
That’s when it all hit me. I helped myself get hacked in real-time, and I felt so stupid afterwards. Here’s the part I didn’t know about. Hackers can do something called Caller ID Spoofing. In short, that means that they can manipulate the Caller ID to appear as someone else, and in my case, they had spoofed themselves to appear as Wells Fargo. Initially, there was no way that I could have known that it wasn’t Wells Fargo calling me.
However, there were some red flags in hindsight.
- Verifying My Username
- Asking for Verification Code from Text Message
Now, I know the mistakes that I made and will never make those again, so my story is here to let you know just how crafty these hackers are. I was hacked in real-time, and had I verified that Wells Fargo was calling and not supplied him with my username and verification code, I very well could have avoided this.
After this incident, I got all my financial accounts set up for monitoring with IDSeal, so if there is any sort of transaction that I should be concerned about or if my information is found on the Dark Web, I get real-time alerts about it. Features like the DigitalSpy, Alternative Loan Monitoring, and Financial Transaction Monitoring are always working to help protect me. IDSeal really does make monitoring all my financial accounts simpler than it’s ever been before, and I only wish I would have done this sooner.