CARLSBAD, Calif. (KGTV) — A Bank of America customer says a hacker was able to drain $38,000 from his account after compromising his phone in a SIM-swapping attack.
“I can't let this go. I'm never gonna let this go,” said Justin Chan in an interview with Team 10 at his Carlsbad home.
During an evening in September, he said he started getting strange notifications on his iPhone and realized it had been disconnected from the cellular network.
He later learned he had been a victim of SIM swapping, a scam where a criminal hijacks access to a victim’s cell number.
“I couldn't make any calls in or out, and it shows up on your phone in the upper left-hand corner that there's SOS rather than bars that show," Chan said.
Chan later learned someone had taken over his Xfinity Mobile number by calling the company and pretending to be him.
“I told them that this is not me. Why did you switch the phone line over? And they basically said, ‘We have verification.’ And I asked them, ‘What kind of verification did you have?’ And they said, ‘We had the last four digits of your credit card.’ And I thought, ‘That was not me, and why would you do that?’” Chan said.
A week later, Chan got a letter in the mail from Bank of America stating three wire transfers had taken place totaling $38,000. He said the wires were sent in the middle of the night while he was sleeping.
Team 10 traces wire to convicted fraudster
“I've never wired money out of Bank of America. It's just been money that's been sitting there waiting for my mom to use as rent, as funds, as food, as utility payments," Chan said.
One of the wires was for $20,000 and went to a Wells Fargo account.
Team 10 has learned the beneficiary’s name on the transfer matches the identity of a Sacramento resident, who is a convicted felon and served time for fraud.
We are not naming the recipient because he has not been charged in this case. Chan reported the fraudulent transfers to Carlsbad police and Bank of America. Soon after, he got another letter in the mail.
800 cases of SIM swapping
This time, Bank of America told him his fraud claim couldn’t be honored.
“Our investigation found the transaction in question was confirmed valid by you via SMS text message," a message from the bank to Chan read.
“That was just as bad as the criminal taking the money from me initially,” Chan said, adding he thinks the bank should’ve stopped the wires from going through.
The FBI told Team 10 about 800 cases of SIM swapping have been reported nationwide this year. In San Diego, there have been nine cases, but the number is likely much higher due to underreporting.
“I read a lot of these that come in, and some of them are really horrific,” said FBI intelligence analyst David Tomasz.
The crime cost victims more than $48 million dollars nationally last year, according to the FBI.
Criminals using online info to target victims
Tomasz said there are several ways a criminal can take over a victim’s cellphone number.
“They'll have done research on your victim, and they'll know all of the potential security questions, stuff like their street address or their age or any of that stuff that they can find online," said Tomasz.
Once a fraudster has a victim’s number ported over, they can get two-factor codes, giving them access to bank accounts, email and other important websites.
Tomasz said if the crime is caught and reported early, law enforcement can execute a "financial kill chain” that freezes the money. But he said it’s still rare, and if time has passed, it’s very unlikely a victim will be able to get their money back.
“For crypto specifically, it's extremely hard because it's not FDIC backed. It can transfer into different currencies and get cashed out very, very quickly. The traditional banking system is a little easier because there's more security awareness on the part of the traditional finances and banks." said Tomasz.
Tips from finance expert
Nerd Wallet personal finance expert Melissa Lambarena said there are steps consumers can take to protect themselves.
“You want to make sure that you're keeping unique passwords. That's very important," Lambarena said. "You can also contact your phone carrier and ask about setting up a PIN. So, whenever there is a change to your account, this PIN will be required.”
After Team 10 got involved, Bank of America reopened its investigation of Chan’s case. However, the bank has not yet said if Chan will receive a refund for the stolen funds.
Bank spokeswoman Naomi Patton said she couldn’t comment on this case while the investigation is ongoing. But she said Bank of America prioritizes client protection and reimburses customers for fraud losses it determines were from verified, unauthorized transactions.
A spokesperson for Xfinity Mobile told Team 10 it is working to help address the issue for Chan.
“SIM swapping is an issue affecting the entire mobile industry, and all providers are trying to combat it. Xfinity Mobile has protocols in place and is implementing recent guidance from the FCC to attempt to mitigate consumer scams like this one,” said Joel Shadle in a statement.
Back in Carlsbad, Chan is still waiting to see if he’ll get a refund.
He is speaking out hoping his story will prevent others from becoming a victim of SIM swapping.
“This could happen to anybody,” he said.
The FBI encourages victims of the crime to report it to the Internet Crimes Complaints Center by visiting IC3.gov.
Team 10 Investigative Reporter Austin Grabish can be reached at austin.grabish@10news.com
