Seven Citibank customers say a total of $600,000 disappeared from their bank accounts.
Chapman Ng of Daly City lost $80,000.
“I cannot even sleep to be honest,” Ng said.
Stephen Lee of San Jose was robbed of $81,000.
“I was being scammed. I did not know what happened,” Lee said.
And Kai Chin said she lost $65,000.
“Well, my heart was really pumping. So, I just, my hand was kind of shaking,” Chin said.
All seven victims have something in common. All were Citibank customers, lost their money via wire transfer and all victims happened to be Asian.
According to Chin, all of this started when someone changed the SIM card from his cell phone.
“Without proper ID, without my signature, somebody replaced my SIM card in Philadelphia. I’m in California,” he said.
From there, the hackers seemed to take over his Citibank account and wired $65,000 from it.
Mark Ostrowski of Checkpoint Software Technologies, an internet security firm, says “It’s called a SIM swap attack. It’s very common and has big consequences.”
And this is how it works: A scammer purchases your personal information from the dark web, goes into the store, and pretends to lose his phone. He gets a new SIM card and a new phone. He then connects it to your number.
Verizon says it is investigating.
“So it can have really dire effects when someone does a SIM swapping attack, because you lose that muti-factor authentification protection that you thought you had,” said Ostrowski.
For Lee, it all began when he had trouble logging into his Citibank account. A message from a supposedly Citibank phone number popped up and requested that he call.
The person on the other line asked him for permission to take over his computer remotely.
Lee was instructed to log in again to his Citibank account and was advised to wait for two hours for the problem to be fixed. After the call ended, he became suspicious.
Citibank would later tell him that $81,000 had been wired from his account. It turns out that the person he talked to was an imposter.
“I was lead to believe I was working with a Citibank employee. I did the wrong thing,” Lee said.
Ng checks his bank account daily for any possible overcharges.
“My money is not, you know, falling from the sky to me,” he said.
Yet someone managed to change the email address linked to his bank account. And within one hour, three successful wire transfers of $50,000, $30,000, and $75,000 had been made.
Ng spotted the transfers and notified Citibank immediately.
All victims blamed Citibank for not verifying transactions by using two-factor authentication.
Ostrowski said, “A sophisticated attacker would turn these notifications off if they have access to your account before they actually made the wire transfer.”
On Wednesday, Citibank refunded all of Ng’s money, while the others were not as fortunate.
Ostrowski suggests changing passwords frequently and investing in a good password vault to help keep track of them.
Citibank also suggests that if a customer receives unsolicited messages, do not provide personal or account information. But instead, contact Citibank immediately via Citibank app, or website, or by calling the customer service number listed on their website.