On Wednesday, I got a notice on Facebook that an author friend of mine had been completely wiped out after identity thieves took everything from his bank account. Worse – they somehow intercepted his mortgage payments so the bank had foreclosed. He had been evicted and had to be out at noon.
This was some sort of targeted attack that’s been going on for some time, even after changing accounts and taking every step necessary to end it. It escalated recently until he literally had nothing in the bank and his credit was wrecked.
His wife set up a GoFundMe for $20K. It was a hail Mary and they didn’t dare expect to reach the goal. But he’s well known for his presence on Facebook and has had enough success that people know who he was. He reached the goal in 12 hours and now is over $30K.
He was able to collect his things yesterday and put them into storage (their cats are with friends). They are in a hotel as they try to deal with it, but the GoFundMe money keeps them afloat for now.
It was scary; he admitted he had thoughts of suicide before setting up the GoFundme and feared he wouldn’t come close to reaching the goal. He’s in a much better state of mind now.
He might be able to fix things, but he needs resources to fight it. A friend put him in touch with a lawyer and legal aid, so he may be able to get things fixed, but it’ll take time.
As an aside, he announced two short fiction sales to Analog, so that is very welcome.
This is why I have frozen all of our credit (my wife and I), have enabled MFA/2FA on every account possible, and have unique passwords for every account.
Who is going to give that money back to you? The thieves? The government? The financial companies that transferred your wealth to somebody else thinking you ordered the moves?
At least in the USA the general answer is d) none of the above.
It is hardly in the same category of enormity and complexity as the attack described in the OP, but once I wrote a letter to my bank to complain about an unauthorized debit of like $25, and the money was refunded to my account, in a timely manner, too. To this day, I have no idea if the bank was able to reverse the charge or reimbursed me themselves or what. Of course that was complete peanuts, but it never occurred to me that I might be left holding the short straw as if they had stolen cash from under my mattress.
The laws & regs applicable to banks, credit unions, credit granters like credit cards or mortgage lenders, and to investment houses like e.g. Vanguard or Schwab are each different.
As a general matter if a bank has reason to believe they goofed they’ll reimburse you and eat the loss if they can’t recover from whoever the real bad guy is. e.g. as a practical matter, nobody inspects paper checks to see if they’re altered or if the signatures match the sig card on file. It’s cheaper for the banking industry to just absorb the occasional forgeries than it is to verify them all to filter out the 0.001% that are bad. So if you’re a forgery victim they tend to just say “Oh well we lost that bet; at least we made it up on the volume. Here’s your $250 back.”
But … their cooperation is a lot more forthcoming when the check is for $25 than for $25,000.
Another example from the regs: If you give someone your ATM card and PIN, you have, as a matter of law, given blanket approval to whatever they then do. Including withdrawing all your money and escaping to Bali. Writing your PIN on your card or putting it on paper stored next to the card, and letting your neer-do-well adult child snag them and empty your account is your fault, not the bank’s. Expect them to tell you to go pound sand if this happens to you.
The terms of use for most online access pretty well transfers 100% of the risk of fraudulent activity onto the customer. By signing up to use the site you agree that whatever happens under your userID will be treated as your authorized act. If you sold all your Apple stock and sent the money to an account at the 2nd International Bank of Bulgaria, so be it.
What’s really evil about this is the Catch-22 nature. If you never sign up for online access at Institution X, you’re essentially leaving the way open for some bad guy to open that access in your name without them needing to hijack it or to steal your password first. Signing up yourself at least adds one obstacle: you have a (hopefully good) PW and you know that the institution knows how to find you and will therefore notify you if that access changes. But at the same time you’re agreeing that if your PW is later compromised, the bad guy can have all your money.
That is interesting. At least in your last example, what I would naively expect, and argue to the bank and regulators, is that I never agreed to the Catch-22 online access terms because it was not I who signed up for online access in the first place, it was the thieves. So, in that scenario at least, it is not the case that the bank had any approval to clean out my accounts, and it is hardly my fault that the bank accepted as genuine a forged identity document with my name (but someone else’s picture) on it when they opened that online account for the bad guys.
That’s incredibly scary. How can he be sure the thieving bastards will be unable to steal his gfm balance?
How in the world were the crooks able to infiltrate his accounts again after reporting it to the authorities and changing accounts. The intercepted mortgage payment boggles the mind. This is very concerning!
Don’t banks and other financial institutions have insurance policies (or mutual re-insurance compacts with other financial institutions) to cover stuff like this?
But if so that just protects the e.g. bank if they make a payout to a consumer. It doesn’t protect the consumer directly. And even though the bank may not lose on any given claim, their premiums will certainly be based on what claims the insurer pays out on. Just like as happens with your homeowner’s insurance. Every time you suffer a loss you have a debate with yourself: “Shall I claim this and risk premium rises, or will I ‘self-insure’ by just absorbing the loss?” Plus the effect of any deductibles of course on both your and the financial institution’s decisions.
He hasn’t talked about the details. Somehow he didn’t get notices of foreclosure. Possibly the thieves got into his account and changed the contact address on file.
This. The standard is the thieves get in, immediately change the email and mailing addresses, then there’s nothing to “intercept”. They are effectively now the customer; not you.
They’re counting on the victim being the sort of person that doesn’t pay attention to their email or their paper mail. If something comes in they might look at it, but they wont’ notice if it doesn’t come in.
More and more banks and credit cards have taken to only sending statements if you have activity on your account. They have also switched to attitudes like “with our online platform / app, it’s easy for you to always get up to the minute info via self-serve, so we’ll never send you any statement at all.” When your institution mails you anything at all, it’s far more likely to be advertising than it is to be actual content. This is true for both snail mail and for email.
That self-serve only approach encourages careful consumers to check their accounts regularly. And non-careful consumers to let things go totally out of sight out of mind. The latter plays directly into the hands of thieves.
Who is going to give that money back to you? The thieves? The government? The financial companies that transferred your wealth to somebody else thinking you ordered the moves?
At least in the USA the general answer is d) none of the above.
In Europe the banks will generally refund money from obvious fraud, although it can be a real battle to get it. The obvious question is whether the victim warned the bank that his account was under attack and asked them to make provisions to stop withdrawals, by arranging some kind of verification in addition to the normal measures.
A friend suggested this to me 40-some years ago, and I’ve done exactly that ever since, in particular by having two checking accounts at two different banks. Even in case of lesser problems or disputes, a bank may freeze your account until things get resolved. You may not lose any money, but in the interim you have no access to it.
Another thing: Most financial institutions have another verification trick: When a customer changes his mailing address, the bank sends TWO confirmation notices: One to the OLD address and one to the NEW address. They might do similar for other significant events too, like maybe changing a phone number or e-mail address? I recently created an on-line profile for a bank account – I’ve had this account for years but never had an on-line profile until now. The bank followed up by snail-mailing me a postcard about it.