More of you are turning to financial tech companies to manage your money from your mobile phones, but a woman said a stranger got access to her account and drained her life savings.
Briana Bell of Dallas said she was home on the evening of Dec.15 when she started getting alerts from her online banking provider, Chime.
“All of a sudden, I get a text that says your phone number has been changed,” Bell told NBC Responds in Dallas.
Responding to every consumer complaint
Bell said she received a second notice right away that the email tied to her account changed to an email address she didn’t recognize.
“I look at my email and my email has been changed to an email that included my name in it. I’m like, wait, this isn't mine,” Bell said.
A stranger was in Bell’s account. Panicked, she said, she called Chime customer service and asked about the status of her checking and savings accounts.
“What's in my savings? She said, zero,” Bell recalled. “Ma'am, I've been hacked. Somebody is doing this. I've been hacked because I had $14,000 in my savings account.”
Bell said she was told to dispute the charges and was transferred to another department as it was closing for the night. Bell said there was some money left in her checking account that night. By the next morning, it was gone.
“I'm a single parent. I've been working for a really long time to build that up. I'm trying to save for a home,” Bell said.
Bell filed a police report and disputed the charges with Chime.
Bell said two of the fraudulent transactions didn’t go through and the money was back in her account.
She said she also called Sears about a third pending transaction and learned someone in Florida ordered a mobile phone with Bell’s money.
Bell said Sears stopped the transaction and provided her with the shipping information for the cellphone. Bell shared it with police.
For nearly a month, Bell said she continued disputing the other charges with Chime.
“I spoke to a lot of different supervisors who said they were going to do X, Y, Z. Then, I called the next day and they told me something completely different,” Bell said.
Bell contacted NBC Responds on Jan. 12.
A few days after our station in Dallas reached out to Chime, Bell said it credited most of the missing money to her account. By Jan.19, Bell said Chime credited the rest of the disputed transactions to her account.
In an email to NBC Responds in Dallas, Chime’s director of corporate communications writes, “While we can’t disclose information about individual member accounts, please be assured Chime takes matters like this very seriously and our Member Services team has worked quickly to investigate and fully resolve this member’s issue.”
Chime also said, “As reported across the industry, fraud has unfortunately been on the rise throughout COVID-19 and our member services team is aware of this and working diligently to provide a safe and secure online banking experience for our members. We’ve also prepared the following resource that you may find helpful.”
Chime published information about red flags customers should watch for to avoid cybercriminals. The website also provides samples of phony text messages and social media direct messages that cybercriminals may use to try to trick customers into giving out personal information.
By now, you may be wondering how this happened to Bell and if she was targeted.
Bell would like to know too.
“Mind you, even after the theft and I'm down to nothing in my account, the person who is in my phone or had hacked the phone or the Chime app or whatever the situation was, had done it two more times,” Bell said. “They changed my email and the phone number two additional times.”
Alain Espinosa, cybersecurity expert and director of security operations at Online Business Systems, said victims of crimes like this are sometimes picked at random.
“It could have been 100% automated where there is no particular targeting,” Espinosa explained.
Though he doesn’t know what happened in Bell’s case, he said cybercriminals have a common method of operation.
In some cases, they use a phishing scam to send legitimate-looking alerts to random phone numbers. The goal is to get people to sign into a fake link and turn over their password.
It’s not always obvious those alerts are fake.
Criminals also buy up email addresses, usernames and passwords that have, at some point, been compromised on the internet.
This is why you shouldn’t use the same email address, user name or password for multiple sites. If one site is hacked, that means you’re at risk on other sites you use.
“Someone doesn't sit there and try to access them one-by-one. It is done an automated fashion and they'll take that same username, that password, the email address and try to access accounts,” Espinosa said.
Eventually, they may hit on the website where you bank and gain access.
Espinosa recommended setting up multi-factor authentication. It’s not fool-proof, Espinosa said, but it requires a hacker take multiple steps to get into your account.
Also, don’t trust messages that look like they’re from your financial institution. If you get an urgent text or email, don’t respond. Instead, call the number on the back of your card to confirm your financial institution is trying to reach you.
The same advice applies if someone calls you. Hang up and call the number on the back of your card.
If you believe you’re a victim, you need to contact your financial institution immediately. Let them know there’s a problem with your account and to freeze any activity.
Report the crime to the FBI as soon as possible, ideally within 24 hours.
The Texas Department of Banking explains some banking services, like Chime, are financial technology companies that partner with banks. A customer can glance at the back of their card to confirm which bank.
The Consumer Financial Protection Bureau is a resource for financial tech customers. If a customer has trouble connecting with their financial tech provider, the CFPB says customers can contact the agency online or call 855-411-2372.
The National Consumer Law Center said when a customer disputes an unauthorized charge on a bank or prepaid account, the financial institution is required to conduct a reasonable investigation.
If the investigation takes longer than 10 days, the financial institution must give the consumer a provisional credit to the account – which can be reversed later if the investigation shows the consumer authorized the charge.
"The burden is on the company to show that the consumer authorized the charge,” said National Consumer Law Center Associate Director Lauren Saunders.
Bell said she is glad the ordeal is over. She said she’s taken extra precautions to protect herself in the future.
“It kind of makes you feel like nothing is safe,” Bell said. “It really does.”