Pieter Gunst, 34, received what he thought was a credible phone call from his bank. But in a matter of minutes, Gunst realized the call was anything but after he had nearly handed over the keys to his account.
The woman was a scammer, and Gunst was just the latest target in a growing trend that's left thousands of Americans frustrated, broke, and without a clue how to get their money back.
The over-the-phone scheme is a type of phishing scam.
And in the last year, a whopping 26,379 people reported being a victim of some sort of phishing scam. Together they reported nearly $50 million in losses, according to the FBI's 2018 Internet Crime Report.
While the number of reported scams increased slightly from the 25,344 phishing scams reported to the FBI in 2017, the losses skyrocketed by nearly $20 million.
They are not going away anytime soon, as scammers are getting more clever and devious in their phishing attempts. Here's how you can avoid being the next person to fall for one.
How it works
Gunst ignored the first call from the scammer -- he didn't recognize the number. But the same number called him again, and as a business owner accustomed to unknown numbers, he decided to pick up.
Gunst says the woman on the other end claimed she worked with the bank, and someone had attempted to use his card in Miami. Gunst, who lives in San Francisco, told the caller it wasn't him.
Still, having received legitimate calls from his bank regarding attempted fraud in the past, Gunst still did not suspect anything unusual.
Then it got weird.
After confirming that he did not use his card in Miami, Gunst says the caller told him that the transaction had been blocked, and then asked him for his member number.
Gunst then received a legitimate verification pin from the bank's regular number via text, which he promptly read back to the caller -- not realizing that it was a password reset code.
The person on the line -- a scammer -- was in. She could access his account and began to read off recent transactions that Gunst had actually made, lending a bit more credibility to the call.
Then came the next question, which immediately set off a red flag: "We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?"
Gunst hung up. That's a number no bank would ever ask for. He quickly called the fraud department at his bank, and began to rethink how the call went awry.
"The problem is the text should say what its purpose is," Gunst later explained to CNN of the verification pin, which he tweeted about in a widely-read thread. "'Someone is trying to reset your password. Don't give this number to everyone.' But it didn't. It was just a generic pin."
He said that was a lesson for the bank to learn from.
The 'hack' used social engineering
Hackers may use what's known as social engineering to try and obtain or compromise information about you, which could then be used to gain access to something such as your bank account.
What that means is simple: they tricked you, or someone who knows you, to compromise your account.
CNN reporter Donie O'Sullivan recently agreed to allow Rachel Tobac, a cybersecurity executive and hacker who specializes in social engineering, to hack him as a means to show how a scam can work. She was able to get his home address, phone number, have his hotel points transferred over to her and even change his seat on an upcoming flight.
And she was able to do this largely by using information that he posted online on social media: an Instagram check-in at a hotel and a tweet about a piece of furniture.
How? Both the hotel and the furniture company handed his personal details to the hacker over the phone.
It's not always your fault
Companies that don't have the proper security procedures in place can often leave themselves and their customers vulnerable to a social engineering attack.
A small company could easily be tricked into giving up personal customer information over the phone if a clever hacker has just enough information to seem credible.
Small banks and companies have been known to put out member newsletters or even hold member appreciation events where it's posted on social media and people are invited to accept or decline the invitation, according to Ron Schlecht, managing partner of security firm BTB Security.
A savvy hacker could've used that information to find members of that bank and use social engineering to find information such as their home addresses and phone numbers in order to phish them.
"It's unclear at this point where this happened, but there's no doubt in my mind that they knew that I was a customer of that bank and they thoroughly understood the security procedures of that bank," Gunst says. "It was rather targeted."
While it's possible that Gunst's bank was compromised, Schlecht says that "it's more likely that they disclosed information without really knowing it was bad to do so."
Spotting the scam
There are a number of clues out there that should raise your suspicions.
"If you've been randomly selected for a big prize, vacation, or to enjoy great savings or if all of a sudden the IRS, Medicare, or Social Security Administration needs to get a hold of you for a warrant or penalty, take a deep breath and consider the legitimacy of the call," Schlecht said.
He offered a simple rule: "Very broadly, if something seems too good to be true or too bad to be true, it probably is. Chances are that you haven't entered into a drawing, specifically sought out services, or even have an idea that you've done some misdeed."
Phishing scams are common, but particularly clever phishing attempts can deceive even those who are aware of them.
In the moment, with the scammer on the other end putting pressure on you to verify or give up information, it's easy to make a mistake or overlook a detail or clue that may hint at a scam.
Knowing the procedures your bank or institution takes with fraud attempts can be helpful in spotting a scam, but it's not foolproof. Gunst has received multiple calls from his bank for real fraud attempts in the past, and he says that the scammer stuck to the pattern very closely. He said it was a "very clever trick."
"When I read that thread now, that's one red flag after another," Gunst says. "But it's hard to express the social engineering component of it. My guard wasn't up in the way it should've been."
The FBI warned of scammers spoofing legitimate FBI phone numbers in August, so it's clear that you truly can't trust any inbound call no matter what the caller ID says. Your best bet at staying safe would be to hang up and to call the phone number your bank or institution has listed.
"Zero trust always wins," Schlecht said. "You can't verify that they are who they say they are, so call them after the notification instead of interacting with an inbound call."