2022-11-07

I Helped Myself Get Hacked

My Saturday started out like it normally would. Grab a coffee, check my emails, get a plan together for what I needed to do that day. By all accounts, it started out pretty normal. I went online to Z-Supply to order a pair of shorts that I wanted. During the checkout, I experienced an issue on the website while using Apple Pay, so ultimately, I tried to check out for the pair of shorts multiple times! My card was authorized three different times, but Z-Supply customer support wasn’t open, so I went on with my weekend as normal, planning to contact them on Monday.

Monday rolls around, and I get a call from my bank, Wells Fargo. I knew it was them, because I have their number saved as a contact on my phone. I thought, “Oh, they are calling me about the triple transaction from Saturday.”

My Conversation with Wells Fargo

Evan: Hi, this is Evan with Wells Fargo Fraud.

Me: Oh, hey! Are you guys calling about the Z-Supply transactions from Saturday?

Evan: No. I do see those transactions, but I’m calling about the suspicious $1,000 and $500 charges that were made to your account. Before moving on, I want to confirm that if we get disconnected for any reason, I’ll call you right back. Can you please verify your username for me?

Me: Oh, I didn’t even know about those. Sure, it’s @myusername

Evan: Thank you for confirming that, Erica. Does this name sound familiar? I have a Zelle transaction going to “RICHGIRLS” in Florida.

Me: No, that’s definitely not familiar. That wasn’t me.

Evan: Okay, thank you. How about a Zelle transaction going to “RICHGIRLS” in Kansas?

Me: No! Absolutely not.

Evan: Thank you for confirming that information for me, Erica. On my end, it looks like they have turned off your alerts, which is why you didn’t receive any notifications about these fraudulent charges that were made to your account. I’m going to go ahead and switch those back on for you, okay?

Me: Yes, please.

Evan: Okay, Wells Fargo is going to send you a text, and since I’m already in your account, just go ahead and read off that number for me. I’ll need it to begin the reimbursement process.

Where the Mistake was Made

This is the part where I made a mistake. Wells Fargo did text me. It read: “Wells Fargo will never call or text you for this code. Don’t share it. Enter advance access code online to verify your identity.”

Me: Okay, I have the text, but it says not to read it, though.

Evan: I know it does, but I’ll need the code to begin the reimbursement for the fraud.

It’s important to note that I was genuinely confused at this point. Wells Fargo had called me from their own number, then they asked me to do something that their text says not to do, but I was on the phone with Wells Fargo and receiving texts from them in real-time, so I just went along with it.

Me: Okay, the code is 123456

Evan: Thank you, Erica. I’ll take care of this for you. You have a good rest of your day.

Me: Thanks.

The Aftermath

That concluded the phone call, and I immediately began getting legitimate text message alerts from Wells Fargo about fraudulent transactions that said to respond “No” if it wasn’t me, and to call Wells Fargo. So, I responded “No” to both messages.

After this, I had this gut-sinking feeling that I had been hacked. I even messaged a coworker, “I think I just got hacked.”

So, I called Wells Fargo and spoke to someone. They said that the transactions were flagged as fraud (because I had responded “No” to the text messages), but that no one from Wells Fargo had called me. I relayed that Wells Fargo did call me from the number that I had saved to my phone, and that I thought it was strange that they would ask me for the number from my text message. That is when they confirmed that I shouldn’t have given that confirmation number over the phone (duh, I knew that), and to avoid situations like this, I should hang up the phone and call Wells Fargo back.

That’s when it all hit me. I helped myself get hacked in real-time, and I felt so stupid afterwards. Here’s the part I didn’t know about. Hackers can do something called Caller ID Spoofing. In short, that means that they can manipulate the Caller ID to appear as someone else, and in my case, they had spoofed themselves to appear as Wells Fargo. Initially, there was no way that I could have known that it wasn’t Wells Fargo calling me.

However, there were some red flags in hindsight.

  1. Verifying My Username
  2. Asking for Verification Code from Text Message

Now, I know the mistakes that I made and will never make those again, so my story is here to let you know just how crafty these hackers are. I was hacked in real-time, and had I verified that Wells Fargo was calling and not supplied him with my username and verification code, I very well could have avoided this.

After this incident, I got all my financial accounts set up for monitoring with IDSeal, so if there is any sort of transaction that I should be concerned about or if my information is found on the Dark Web, I get real-time alerts about it. Features like the DigitalSpy, Alternative Loan Monitoring, and Financial Transaction Monitoring are always working to help protect me. IDSeal really does make monitoring all my financial accounts simpler than it’s ever been before, and I only wish I would have done this sooner.

To learn more about all the features available with IDSeal’s full-spectrum solutions, visit the Protection & Plans page.
