One community bank’s fight against a mass text scam

Jan 16, 2025 | 22 min | Season 8 | Ep. 19

Episode description

Today's episode features a crossover from ABA's brand new podcast series: ABA Fraudcast: Cyber and Fraud with Paul Benda. Community banks can be targets of large-scale fraud, just like larger banks. On the inaugural episode of the ABA Fraudcast, former ABA Chair Dan Robb, president and CEO of Jonesburg State Bank in Missouri, describes the recent targeting of his bank by fraudsters who texted thousands of residents of his community, seeking access to customer accounts. What followed for Robb and his team were fast lessons on all the areas his bank was prepared for, and a few challenges that were surprising. “We are no longer dealing with a mom-and-pop criminal,” says ABA’s Paul Benda, Fraudcast host. “This is institutional crime.”

To find the ABA Fraudcast, visit aba.com/fraudcast or look for it in your favorite podcast app.

Transcript

Evan Sparks

From the American Bankers Association, I'm Evan Sparks. Today, in lieu of giving bringing you the another episode of the ABA Banking Journal podcast, I am going to bring you a ... Well, I'm delighted to share the premier episode of our brand new ABA Fraudcast, a podcast, all about cybersecurity and fraud with our own Paul Benda.

Paul is having all kinds of great conversations with bankers, with leaders across the industry, leaders in the anti-fraud space and experts here at ABA on fraud, fraud prevention and what ABA and the industry are doing to mitigate the, the risk of fraud. This is gonna be a fantastic series of conversations. And so before I hand you over to Paul, what I'm gonna do is just say, go to aba.com/fraud. That's where you can find all the places you can download this episode.

We'll also have the Fraudcast in ABA Daily Newsbytes. You can find it on all of your favorite podcast apps or platforms. Thanks so much for listening and enjoy the very first episode of the ABA Fraudcast.

Paul Benda

From the American Bankers Association, I'm Paul Benda. And this is the inaugural episode of our new podcast, the ABA Fraudcast. Many of you may remember me from the ABA Pandemic Update podcast and the dark days of the COVID pandemic. Well, we've moved from one epidemic, an epidemic of COVID, to another one, one focused on fraud and scams. And in this space, I'm going to try and give you the information you need to protect yourself. I hope to be entertaining and educational.

The current plan is to host a bi-weekly podcast sometimes with guest speakers focused on different topics. Ranging from discussing those fake fraud alerts everyone has probably gotten on their phones -- and what that scam looks like from the bank's perspective -- to how artificial intelligence can be used to fake voices and images to cause scams, to how criminals are spoofing your caller ID, pretending to be your bank or the U.S. Government or USPS or Amazon, trying to convince you to do something.

And what we in the banking industry are trying to do to stop it. To quantum computing. Talking about what it is and how it can potentially break the encryption systems we use today. Unfortunately, lots of topics to cover in the fraud and scam space and we'll address them in the coming weeks and months. But we're going to start with an interview with one of my favorite bankers, Dan Robb.

Dan's bank recently went through a coordinated attack from criminals who sent out thousands of those fake fraud alerts to his customers' phones, and even his non customers. And we're going to talk about how his bank handled that attack. So I want to welcome a very special guest here, Dan Robb, a good friend, both to myself personally and to the ABA. Former past chairman. I really appreciate you being here today to speak with me, Dan.

Why don't you tell me a little bit about yourself and your bank, kind of your perspective.

Dan Robb

Paul, thanks for having me. This is a great opportunity. I sure appreciate everything that you're doing, everything that ABA is doing to help us out in the trenches, the banks that are unfortunately fighting against a whole bunch of fraud. So, Jonesburg State Bank is a small community bank. We're about $135 million in assets in three small towns just outside the St. Louis Metro area, and we unfortunately are seeing a lot of fraud of various different sources that we've been talking about.

But certainly glad to be with you today.

Paul Benda

Well, I really appreciate taking the time and you know, I think it's important to get your perspective, you know, $135 million bank, small bank, I think a lot of our small community banks think, "Oh, the criminals aren't going to target me. I'm not going to be subject to these attacks that I see coming down." That's clearly not true though, is it?

You know, you guys just a couple months ago were subject to kind of what I would say is a large scale ... you know, the fake fraud alerts that a lot of people get. Did you make those transactions? They kind of hit your bank. So tell me about that. What happened there?

Dan Robb

You bet. Unfortunately, yeah, one morning I came in and had some people saying that they had heard that there were some texts coming in saying that they were from Jonesburg State Bank and like you said, I've seen them saying, "My FedEx package hasn't been delivered" or "Citibank ... " or you know something of a large scale has been mentioned and I don't really think much about it.

But all of a sudden when it was Jonesburg State Bank saying that a Walmart transaction had not gone through -- we love to shop at Walmart here locally -- and so it got everybody's attention and we started talking about it. I came back to my office and I got the text. And I said, okay, this is definitely something real, happening in real time. I went over to our bookkeeping department and everybody was on the phone.

The phones were ringing off the hook and customers were alerting us -- customers and non-customers -- were alerting us that these texts were coming in and we physically had people coming into the bank as well. I mean, that's a great thing about small towns is everybody wants to help each other out. So it was both Jonesburg State Bank customers and also non-customers that were alerting us. And we were saying, This isn't us, this is a fraud situation. And it started happening then in real time.

Fast forward to the end of the day, Paul, we ended up having almost 600 phone calls in that day. So yeah ... Paul Benda: 600 phone calls in one day. For a bank of $135 million, with 25 staff members. That's a lot of phone calls to try to field. But you know what we had been practicing and we'd been gathering information. And so the great thing is that we were able to act fast and minimize our losses.

What we discovered was that they were getting in and we only think we had about 15 customers that actually clicked on it. They went through and it was a fake website that looked like Jonesburg State Bank, signing on to our online banking. And they then entered the information. They told the customer to enter the information. We have dual factor authentication. So there was the code that was then sent.

The fraudster then said, enter this code, which allowed immediately for the fraudster to be able to get into their account. They were prepared, knew exactly what to do. Knew we were a Zelle bank, using Zelle, and they immediately went to there and started taking money out of the customer's accounts. So we got on the phone with our core and said, please get this shut down ASAP. I've got a little list here of the things that we created: We alerted all of our staff.

We shut down the products that we could. We called our marketing company to put a Facebook message out. We pushed a direct message on mobile banking. We froze the homepage banner to say there was a fraud alert going on, a fraud situation. We posted signs in the drive-thru and in the lobby. We had after-hour phone notices put up. We then later dealt with those customers who had actually fallen for it. We worked with them with changing their accounts, closing out accounts, opening new accounts.

And so I've got a checklist that I'd be happy to share with you or anyone. And I think ABA's started kind of gathering some of that information. But I applaud our staff who really, all hands on deck for the event and it came in waves.

What we theorized, maybe perhaps, is that it was a small group of scammers that were overwhelmed with too many transactions and they did so many that they could field those people that perhaps responded and then maybe an hour later the next wave and this happened all day long -- the wave after wave of those people. And obviously we know what they did. They took the prefix of our area. They focused on Jonesburg State Bank and they started blasting it. We were fearful at first.

Was it just our customers? But then like I said, we know that they just -- every 359 phone number -- they hit every one of 'em. Some were ours, some were not ours. But obviously, you know, it was a big swath of customers.

Paul Benda

Well, and that's what's scary is these guys, we're no longer dealing with the, you know, mom and pop criminal. I mean, this is institutionalized crime. These guys are doing it at an industrial scale. They're well prepared. I remember when you and I talked about this earlier, you have had instances where they spoof the caller ID, the number of your bank, when they call the customers. Is that right?

Dan Robb

Yeah, yeah, exactly. It appeared that it was coming from Jonesburg State Bank and you helped us working with the FCC, I believe. Another great thing that ABA has been doing is pushing back with the FCC saying, Hey, we need some action on this and working with the telecom companies to try to get this kind of spoofing not allowed, especially when it's a spoof of a financial institution. It's just not a safe thing to have out there.

Paul Benda

Yeah. And I think that's why, you know, people are like: Oh, I'd never fall for this scam. Well, I mean the website looks exactly like your bank's. They've got ... They might even have bought personal information. They might know your name, your address, last four of your social. They then all of a sudden call you up and it says Jonesburg State Bank on the caller ID. I mean, you know, it makes sense that someone would fall for this.

I, I think that list that you talked about, I think really shows how banks are trying to protect their customers. So I think that's some great work there, Dan. One of the things that surprises me: So you're going through this. I mean, it's got to be a stressful time. You know that, for all intents and purposes, people are being robbed in real time. Who do you call on the government for help?

Dan Robb

That's a great question. And then there isn't anybody. You know, like we've talked about it and with the core as well, I still plead that the cores work with their customers, us, the banks, and get an emergency shutoff button. They still don't have, to my knowledge, that button that I talk about. You're at the gas pump and you're pumping that gas. And what do you see if something happens? You got a big red button you can push to stop the gas.

Well, we should have an emergency shutoff button that shuts Zelle down or whatever bill pay or whatever thing is that they're using to get the money out of customers' accounts. We need to be able to shut that down. So that's -- from the core perspective, but also, yes, law enforcement. Sadly, I get it. I understand, when we call the FBI they ask, well, how much we've lost now. "Less than $10,000? Well, sorry, we got bigger things to deal with right now."

So yeah, that's something definitely we need to look at.

Paul Benda

Well, and I think, you know, just for our listeners that may not know what a core service provider is. I don't think people understand that those are the guys that provide, especially smaller banks, you know, their ability to do transactions. And so, you know, even though your small bank may want to do things, unless their core service provider, supports that, the bank is kind of hamstrung. They can't make those changes unilaterally. And it's just the world we live in.

It still amazes me though, that we know people are being robbed in real time and yet banks have nowhere to go, nowhere to call to ask for help on this space, trying to protect their customers. It's all on the bank and it really seems unfair. The other thing that I, that I look at is, isn't it amazing that the telecoms don't have any way to detect these fraudulent spoofs occurring in real time? It'd be like you having a credit card or a debit card that has no fraud alerts on it, right?

If a bank were to put that out there with no way to detect these suspicious transactions, and yet the telecoms allow these things to go through, and they don't do anything to stop them. It's totally up on the bank to then to try and protect the customers.

Dan Robb

You know, wouldn't you think that there'd be some kind of a red flag that pops up? If we had 600 phone calls, that means there were thousands of texts that went out. So, somebody texting thousands of times to the 359 prefix or whatever it is. Yeah, you would think that that would send off some kind of an alarm.

Paul Benda

Right, right, exactly. I mean, so they just choose not to do that. I mean, it'd be banks have chosen to protect their customers. Telecoms have chosen to let the customers fend for themselves.

Dan Robb

Yeah.

Paul Benda

You know, the one thing I do say, the FCC, we did meet with the enforcement bureau, fairly recently. And they really want to hear from banks. We actually use your example. Unfortunately for you, you went through it, but fortunately for us it's a great example for us to talk to the government folks and say, "Hey these small banks are suffering here. What are you doing to help?" And they've established a portal for banks to report these kinds of things.

We've reached out to others that, if other banks go through this to let us know. It may not stop it in the real time. But it has a chance to. So we're excited to see some progress on that.

Dan Robb

That's great.

Paul Benda

All right. So, unfortunately, that's not the only scams that you're seeing, right? So, what else is out there, Dan? What else are you seeing at your bank?

Dan Robb

Well, I'll tell you of an event that is unfortunately unfolding right now. We were notified here within the last couple of weeks of a local church that had been doing repairs to their church, a large amount of repairs and they were working with the contractor and actually paying by check all along through the process. It was time that I believe they were being notified via email and they met or did something and checks were exchanged.

However, the very last email that came in was requesting final payment, $30,000 for the final payment on this. They then asked for that money to be ACH'd to a bank. I'm not sure if they knew exactly where the bank was, but it turned out it was in New Jersey and we're in Missouri. So that's unusual because it was a local contractor. There's no reason ... but unfortunately it appeared that it was from that contractor and the church complied.

They didn't suspect anything, unfortunately, and they sent that money. Now, I still don't know the final facts, but to me, that is a prime example of a hacking of email and doing a fraudulent transaction via the email. I'm afraid what has happened is that their $30,000 -- it was intercepted and it was sent out, and we did follow up with that bank in New Jersey and the money's gone.

So I would suspect either the contractor or the church or both are gonna be out a chunk of money because of that fraud and we see that so much with people intercepting the emails that are out there.

Paul Benda

Yep. And I think that's where people have to recognize that the bank is going to follow the instructions of the customer when they're sending the money. You have no idea who the ... where the contractor's headquartered, you don't get involved in that. You're not going to question the customer on those kinds of things. And when they come and say, Oh, we want to make the final payment. You're like, Yeah, absolutely. We're happy to execute that on your behalf.

So I think it's really important for people to, you know, we talk about multi factor authentication, right? That people need to have that on their bank accounts, but also on your emails. Especially if you're a small business. Someone hacks into that and starts changing wiring instructions. You could see a savvy lawyer for the church making the case that that business was negligent. You know, gave him proper instructions and due to their negligence, they lost that payment.

They might end up losing that money. Or the church might, you know, it's a hard situation. When you get instructions at the last minute to change payment instructions, you got to question those, don't you?

Dan Robb

Yeah, exactly.

Paul Benda

I think we're seeing -- I know there's other scams that are out there and I think we're seeing, these criminals being really savvy. Have you had instances where people have come into the bank, the teller can tell something's not right, and that person still insists on making a transaction? How do you guys handle that? Have you seen that situation?

Dan Robb

Yeah, absolutely, Paul. And again, I applaud our staff for their spidey senses have definitely become more fine-tuned with all the fraud that happens, whether it's our folks in bookkeeping, whether it's the tellers on the front line, the new accounts folks. And what we had been seeing so much of it that we actually even came up with a laminated placard card. Customer would come in and they would actually ... it just didn't feel right. The story seemed strange.

And what we were finding a lot of times is that the fraudster was on their cell phone in their purse or in their jacket and actually listening to exactly what the bank was saying. And I think they were doing it twofold to see if the transaction went through, to hear exactly what the bank said, and also to hone their skills to make it a better fraud. I've got one here in front of me.

It says

"Fraud warning. Is someone currently on the phone listening, instructing you to do this transaction?" And they can easily point to yes or no, and then it says, "Hang up the phone, this is fraud." And then we say, "Are you withdrawing these funds for any of the following reasons? An agency official of any kind, such as FBI, FDIC, IRS, Social Security, CIA, local law enforcement, has contacted you and told you to do this transaction?" "To purchase Bitcoin or any other cryptocurrency?

To purchase gift cards? Have you been instructed to meet someone or mail the cash to them? We want to make sure you and your funds are protected from fraud." And this has really been a great thing for us. We have stopped ... We have had customers go into offices, leave their phone at the teller line and be in tears and say, "I didn't know what to do. I thought I was doing the right thing." And that's usually what happens.

Is that someone has gotten in and they've gotten in over their head and sadly it may be the second or third time. They come in for $5,000 then they leave and they come back for a little bit more and they come back. And whether it's the romance scam, the pig butchering, you know there's so many, the IRS officials, all of these. It just is sick how much it is out there and how many customers are getting scammed.

Paul Benda

Well, and I applaud you guys for putting that placard together. I think that's great listing those things out. I think it's, they prey on the people that are trying to be helpful. I mean, we're seeing this big rise and saying, Oh we need your help in this investigation. Because you know, we think there's a bad actor at the bank or we think they're a bad actor, you know pick your agency, and so the people believe they're being helpful.

Dan Robb

Yeah.

Paul Benda

What we try and tell people, "Your money is always safest in the bank. Transferring your money elsewhere or taking the cash out and giving it to someone does not make it safer. It's always safest to keep it in that bank. You know, it's well protected there." And I think the hard part is, you know, people that haven't gone through this don't realize how convincing these scammers and these criminals are. And you know, they try and make the people distrust the bank.

"Oh, they don't want you to buy that Bitcoin because they want to keep your money in the bank. You know, they don't. They don't want you to go in a cryptocurrency."

Dan Robb

Yeah.

Paul Benda

So, I really applaud you, Dan for taking those proactive actions, and trying to protect your customers.

Dan Robb

You know, one other thing on a local scale that we did, Paul, and I realize not as many people these days read the newspaper, print newspaper, but we know that elderly customers typically do, and unfortunately it is a lot of the elderly customers that are getting scammed. So Jonesburg State Bank and about half a dozen other community banks in our area ran a two-page, full-page color ad that basically gave red flags to customers and said, We want to protect you.

We as your local banks want to protect you and gave those same kind of red flags and said, If you get calls like this if you have any concerns, contact us before you do something with one of these. And we got a lot of great feedback from that. The local newspapers in two different counties worked with us and gave us very, very discounted rates.

And we all worked together and chipped in on it and I think it was just good PR, you know, just a good public service announcement, but public relations on behalf of us. Because no banker wants their customer to lose money. Yes, we would rather them keep it here in the bank. But more importantly, we want them to have that money, their hard-earned money that they have earned. And we want it to stay in their pocket, not a scammer's pocket.

Paul Benda

I think it's a great example of how, you know, the banks care about their customers and their community. We'd love to see other industries step up like that. You know, ABA has a Banks Never Ask That campaign and our Practice Safe Checks campaign to try and educate consumers on risk to phishing and scams. But where are the telecoms? Where are the social media companies? Where are their outreach to customers? You know, saying, "Don't trust your caller ID."

"Don't trust those impersonation scams on social media sites." We really need an all-of-government and all-of-industry approach. Because what I try and tell people is, you know, people, we say, don't send money to someone you don't know and trust. But by the time they're making that payment, they believe they know and trust who they're talking to.

We've got to engage them earlier so they don't get to that point where they're standing in front of your teller and you're trying to convince them that that person that they're talking to can't be trusted. It's really hard to do when they're like, well, "It said U.S. Government on my caller ID." And then you're stuck trying to you know, save them from sending potentially their life savings away, to some criminal overseas.

Dan Robb

Yeah, you know again: What you're doing, Paul, and the ABA is doing with working with the FCC and making sure that like you say the telecom companies are not just held accountable but doing the right thing. You know, we all want to do the right thing for our customers and I implore everybody that's listening to this podcast that they need to take action whether you're a banker, whether you're a consumer, and you need to raise your voice.

And you need to say something through our tools that we can do that to the FCC, to the telecom companies, that we want to protect our customers. We want to fight fraud and we've all got to continue to raise our voices and not just sit there and let it happen. But we've got to actually push back.

Paul Benda

I think that's a great message, Dan. I think that's a great message. Well, I really appreciate you being here with me today.

Dan Robb

Fantastic, Paul. Great to be with you as always.

Paul Benda

All right, you too. That's all for this week. As a reminder, you can subscribe to the ABA Fraudcast for free on Apple Podcasts, Google Podcast, Stitcher, or your favorite podcast app. You can also find episodes on the ABA site at aba.com/podcasts, and new episodes will also be shared in the ABA Daily Newsbytes email.

Please join me in a couple of weeks where we're going to talk about AI deepfakes and have a sample of what my voice sounds like when it's deepfaked, and maybe even what Rob Nichols' voice sounds like when it's deepfaked, and if you can tell the difference between the two. Thanks for listening.

Transcript source: Provided by creator in RSS feed