A very sophisticated social engineering hack happened to a very unsuspecting victim. To protect his identity, we will call him Bob. Here is Bob’s account, in his own words.
The story:
“I got a call from someone claiming they were with Wells Fargo and they’ve identified fraudulent charges on my account but they need to verify my identity before they can discuss details. They said they sent me a text message (via the cell number they just called, which is my first clue this is phishing). They asked me to read back to them the 6-digit number just texted to me to verify my ID.
Being at a bar and two drinks in, slightly expecting what this was about, I had zero alarm bells going off. My bad, this was stupid of me. I read the number to them. They suggested it timed out and I needed to read another number they texted to me.
This person then read off 5 recent charges on my account, 4 of which I recognized as legit and a 5th that was a $1000 charge to a credit card I did not own. I immediately identified this as a fraudulent charge and they said “no prob dude, we’ll freeze your card and send you a new one”. They even gave me the last 4 on the card it was coming from. I was appeased enough to continue (sadly).
Finally, they said they sent me one final 6-digit code to “confirm that they were crediting my account back with the $1000 fraudulent charge”. I just needed to read off the final code they texted to me.
At this point, I see why my phone had been vibrating constantly through this call. I had 4 emails from Wells Fargo. 1) Your user name has been reset, 2) your password has been reset, 3) Welcome to Zelle! an awesome $$$ forwarding service, 4) You’ve just forwarded $1000!!!!!
I called Wells Fargo via the number on the back of my card. I spoke with a man that told me this was a scam they’ve been dealing with for 3 months and I needed to go into a branch with 2 forms of ID to deal with it. There was nothing he could do.”
Bottom Line: Dude spoofed Wells Fargo when calling me on my cell, requested a reset of my user name, password and approval for a $1000 transfer. I stupidly read off the confirmation numbers I received via text to him, he entered them into the Wells Fargo website to approve all these requests. Wells Fargo has known their customers have been getting scammed for 3 months and didn’t bother to warn anyone. I now have to go into a branch, hang my head and tell my shameful story to a person and beg for access to my account because someone else has control of it all night tonight.
Lesson: Never, ever give any kind of confidential data to someone WHO CALLS YOU. Always call back to the number on the back of your card. Let’s stay safe out there. For more security tips visit our blog each week.
Brought to you by Emerald City Solutions