'Phishing-As-A-Service' Kits Are Driving an Uptick in Theft: What You Can Learn From One Business Owner's Story
Cybersecurity experts warn of uptick in sophisticated multiprong scams using 'phishing-as-a-service' kits.

Cybercriminals used sophisticated technology to convince Cody Mullenaux, a small business owner, that they were from Chase's fraud department, and stole over $120,000 through wire transfer fraud. Cybersecurity experts expect the threat to increase in severity this year. Chase was not required to reimburse Mullenaux's stolen money because of regulatory loopholes that the scammers exploited.

Banks have invested huge amounts in cybersecurity and fraud detection, but what happens when criminal strategies are so sophisticated that they can fool bank employees? For Cody Mullenaux, it meant having more than $120,000 wired out of his Chase checking account, with little chance of ever recovering the stolen funds.

Mullenaux, a small-business owner of 40 years, was caught up in the scam on December 19. He was shopping for Christmas presents for his daughter when he got a call from someone claiming to represent Chase's fraud department. Mullenaux did not find the call suspicious because the 800 number matched Chase customer support. The caller then asked Mullenaux to log in via a secure link sent by text message. He clicked the link, and the website it opened appeared legitimate. It looked identical to his Chase bank app, so he logged in. Mullenaux said it never crossed his mind that he was not talking with a legitimate Chase representative.

A suspicious link or email is no longer the only thing consumers should be concerned about. Cybercriminals have evolved into multi-pronged scammers. Multiple criminals now work together to carry out sophisticated strategies using ready-made software. These kits can spoof phone numbers or mimic the login pages of victims' banks. Cybersecurity experts believe this is a serious threat and that it is driving an increase in activity. It's only going to get worse, they predict. Unfortunately, banks are not always required to return funds stolen in these scams.
Mullenaux said that after he logged in, he noticed large sums of money being moved between his accounts. The person on the other end of the line told him that someone was trying to steal his money and suggested that he wire money to his bank supervisor to secure his account. He was terrified that his hard-earned savings would be taken. Mullenaux said he stayed on the phone for almost three hours, followed the instructions, and answered any additional security questions. CNBC reviewed Mullenaux's cell records, bank information, and images of the link and text message he received.

What Mullenaux, the founder and inventor of Aquaphant (a technology company that converts moisture in the air into water), didn't realize was that the person on the other end of the line was part of a sophisticated team of cybercriminals. While Mullenaux was speaking with the fake fraud department representative, a second scammer was calling Chase to authorize wire transfers. Everything Mullenaux told the fake representative in answer to security questions was passed to the second scammer. The fraudsters were able to give the correct answers, convincing Chase employees that they were talking to the account holder.

It worked. Once the Chase employee was convinced that Mullenaux was calling to authorize three wire transfers, $120,000 vanished from the Chase account. Despite his best efforts, none of it has ever been recovered.

Chase provided a statement to CNBC. A Chase spokesperson stated that banks will not ask customers or businesses to send money to anyone to stop fraud. However, scammers will. Call the number on the back of your card or visit a bank to confirm that you are speaking with Chase.

Photo: Cody Mullenaux, the inventor and founder of Aquaphant, a technology company that converts moisture from air into water. He lives with his family. (Courtesy of Cody Mullenaux)
There is little recourse for victims of wire fraud, Mullenaux stated. He feels defeated and frustrated by his efforts to recover the stolen funds. Mullenaux stated that scammers are always a step ahead of customers. He added that his money would have been more secure in a shoebox than in a bank that cybercriminals are targeting.

The Federal Trade Commission advises customers who suspect they have wired money to scammers to immediately notify their bank and request that the fraud be stopped. The FTC told CNBC that it is crucial to get funds sent via fraudulent wire transfers returned, and that victims should report the crime to the FBI's Internet Crime Complaint Center as soon as possible.

Mullenaux stated that he noticed something was wrong when his funds were not returned to his account the next day. He drove straight to a Chase branch, where he was informed that he had been the victim of fraud. Mullenaux stated that the matter was not handled urgently and that a reverse wire transfer, which the FTC recommends customers request, wasn't offered. Mullenaux said the branch employee informed him that he would receive a packet by mail in 10 days containing information he could use to file a claim. Mullenaux requested the packet immediately, completed it, and submitted it that day. This claim and another of Mullenaux's were denied by the executive branch. According to the employees who investigated the matter, Mullenaux called to authorize the wire transfers.

Photo: Cody Mullenaux with his daughter. Mullenaux was shopping for Christmas gifts when he got a call from someone impersonating a Chase fraud department employee. (Courtesy of Cody Mullenaux)
CNBC provided Chase with Mullenaux's cell phone records, which showed that he had not made any outgoing calls to Chase on that day. These records are also consistent with wire transfer records showing that it was not Mullenaux who called Chase to authorize the wire transfers. All three were authorized while Mullenaux was on the phone with the scammers. But the bank didn't change its decision. Mullenaux's claim was again denied on the grounds that he had called to authorize the wire transfers. He had given the criminals his personal information.

Scammers used regulatory loopholes

Whether they realized it or not, the scammers successfully exploited two loopholes in current consumer protection legislation, and Chase was not required to replace Mullenaux's stolen funds.

Banks are not required to reimburse stolen funds if a customer is tricked into sending money to a cybercriminal. The Electronic Fund Transfer Act covers all types of electronic transactions, including peer-to-peer and online payments. Under it, banks are required by law to reimburse customers if funds are stolen without authorization. Wire transfers, which involve money being transferred from one bank to another, are not covered by the Act. The Act also excludes fraud involving paper checks or prepaid cards.

Before initiating the wire transfers, the cybercriminals transferred funds from Mullenaux's personal savings and checking accounts to his business account. Regulation E is designed to protect consumers from losing their money in an unauthorized transaction. It does not protect business accounts.

Chase representatives said that Chase is still investigating the theft of funds. Mullenaux said that he is praying for this. "I pray this tragedy is somehow reconciled. That [bank] management sees the damage done to me and that my money is returned." Mullenaux also reported the theft to the FBI's Internet Crime Complaint Center and the local police, but neither has contacted him.
As-a-service offerings are expected to continue to grow in popularity, because they not only lower the bar for low- to medium-tier cybercriminals creating phishing campaigns but also allow more advanced criminals to concentrate on one area and create sophisticated tactics and malware. Fitzpatrick stated that there was a 10% increase in phishing tools deployed in January 2023. The company experienced a 45% rise in phishing detections and alerts between 2022 and 2022.

It's not only phishing schemes that are on the rise. Cyberattacks are increasing across the board. Check Point data showed a 52% increase in cyberattacks against the banking and finance sector in 2022 compared to 2021. Sergey Shykevich, threat group manager at Check Point, stated that "the sophistication of cyberattacks has increased significantly over the past year." Cybercriminals no longer rely on sending spam emails and waiting for people to click on them. They combine email with phone calls, multifactor authentication fatigue attacks, and other methods.

Both cybersecurity experts agreed that banks should do more to educate their customers. Shykevich suggested that banks invest in stronger threat intelligence to detect and block cybercriminals' methods. As an example, he described comparing a login with a person's "digital fingerprint," which is calculated from data such as the account's browser, screen resolution and keyboard language.

Best advice: Hang up

Chase, federal agencies, and cybersecurity experts all agreed on one thing: if a customer gets a call from their bank asking for information, hang up. An FTC spokesperson stated that if a customer receives a call, text, or email from someone claiming to be from their bank and alerting them to a problem, they should hang up. To trick victims into paying money, cybercriminals can spoof caller IDs and use stolen personal information.
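The "digital fingerprint" comparison Shykevich describes, sketched as an added example (not code from the article, Check Point, or any bank). It scores a login's browser, screen resolution and keyboard language against devices previously seen on the account; the weights, threshold, decision names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# The three attributes named in the article. Weights and threshold are
# assumed values for illustration; a real system would tune them on data.
WEIGHTS = {"browser": 40, "screen_resolution": 30, "keyboard_language": 30}
MATCH_THRESHOLD = 70  # score (0-100) at or above which the device is "known"


@dataclass(frozen=True)
class Fingerprint:
    browser: str            # browser family only, so version upgrades still match
    screen_resolution: str  # e.g. "1920x1080"
    keyboard_language: str  # e.g. "en-US"


def similarity(known: Fingerprint, seen: Fingerprint) -> int:
    """Sum the weights of the attributes that match, ignoring letter case."""
    return sum(
        weight
        for attr, weight in WEIGHTS.items()
        if getattr(known, attr).lower() == getattr(seen, attr).lower()
    )


def assess_login(known_devices, seen: Fingerprint, high_risk_action: bool) -> str:
    """Compare a login with every enrolled device and pick a response.

    high_risk_action marks sessions that go on to move funds or request a
    wire: on an unrecognised device those are held for out-of-band checks.
    """
    best = max((similarity(k, seen) for k in known_devices), default=0)
    if best >= MATCH_THRESHOLD:
        return "allow"
    return "hold_and_verify" if high_risk_action else "step_up_auth"


# Constructed sample data: two devices the account holder normally uses.
KNOWN = [
    Fingerprint("Chrome", "1920x1080", "en-US"),
    Fingerprint("Safari", "390x844", "en-US"),
]

if __name__ == "__main__":
    new_monitor = Fingerprint("Chrome", "2560x1440", "en-US")
    unknown_device = Fingerprint("Firefox", "1366x768", "ru-RU")
    print(assess_login(KNOWN, new_monitor, True))     # two of three match
    print(assess_login(KNOWN, unknown_device, True))  # nothing matches
```

A partial match keeps ordinary changes such as a new monitor from triggering a hold, while a login that matches nothing on file cannot move money without a separate verification step.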