Regardless of your locality or your banking relationships, you need to be aware of this latest fraud alert…
Today, we came across another phishing attempt that took the low-tech route… the telephone. “Phishing” (usually associated with computers) is the increasingly common fraudulent practice of trying to get consumers to turn over private information through the impersonation of a legitimate authority or service provider, such as a financial institution. For more details on “phishing”, visit: Wikipedia – Phishing. Also, see the article about “vishing” (voice phishing) in the resources section at the bottom of this page.
Earlier this morning, we received word that some phones in the Indianapolis area started receiving calls notifying them that their Flagstar Bank accounts had been disabled. My home also received a call.
- Red Flag #1: The account holder’s name wasn’t mentioned.
- Red Flag #2: We don’t even have a Flagstar account.
This is a variation of an already common fraudulent practice of notifying consumers (via the web) that their accounts have been disabled. Unfortunately, it is very inexpensive to harvest massive numbers of e-mail addresses and then send out a bulk e-mail transmission. And, even though most people will not have accounts with the institution being impersonated, some will. And, even though most people will not be fooled into providing private information to “reactivate their account”, some will. This practice has been going on for quite some time, and is now fairly easy to spot for anyone who receives a decent amount of e-mail. General public awareness of this scam is on the rise, but people are obviously still getting tricked into giving up their private financial information. Otherwise, the practice wouldn’t continue. Banks are targeted because they have money, and because people have reason to place faith in our banking system. These criminals are preying upon the public trust of a system that has gone to considerable lengths to make it safe for us to conduct our daily personal and business transactions.
What makes this phishing attempt concern me the most is that it uses the telephone. Fraud over the phone is nothing new. However, I feel that this method will still work on quite a few people. The reason is that this technique puts the non-tech-savvy crowd at particular risk. Those who spend little or no time online would not necessarily be familiar with this scam or know what to do if they receive such a call. The answer is, of course, DO NOTHING. If you know someone who falls into this group, please let them know what to look for and how to avoid becoming a victim. Part two of this series (to be published soon) will identify various phishing techniques and how to recognize them, so that you can avoid becoming a victim of identity theft or fraud.
Our caller ID showed: (706) 210-5644 from Augusta, GA
Calls back to this number state that it is disconnected.
The phone call comes in from an auto dialer with an artificial female voice and does not address anyone in particular. It merely informs you that your Flagstar Bank account has been deactivated and that you need to call a different number to have it reactivated.
This is a recording of the initial phishing call:
The call instructs you to phone a call-back number in order to reactivate your account: (313) 918-1383. A simple look-up revealed this to be a Detroit area code; however, it had no connection with Flagstar. What I find interesting is that Flagstar (according to their web site) operates in Michigan, Indiana and Georgia. The calls targeted Indiana and were “supposedly” placed from Georgia. The call-back was to be made to a Michigan number. This alone may have been enough to fool some people. We did a *67 and then called the number to see what kind of information they were trying to collect. Not unlike the auto dialer, the system was rather unsophisticated and used an automated male voice.
“Welcome to the Flagstar Bank Account Reactivation System”. The “system” then proceeds to ask you a series of questions: 1) card number, 2) four-digit expiration date, 3) ATM PIN, 4) three-digit security code (CVV2)… everything they would need to start draining your bank account or running up charges on your credit card. We simply started entering numbers, beginning with “1” for each question. There obviously wasn’t a process to validate whether the information was entered correctly. It was merely a recorder hoping to collect and steal credit and debit card information for these criminals. After inputting the numbers, the system informed us that our account had been reactivated.
This is the recording of our call-back to the “Account Reactivation System”:
After making our phone call, I contacted Flagstar Bank through their online banking number to notify them of the attempted fraud. I was told that they had been aware of the problem since Monday the 17th and that the call-back number had already been shut off. After trading numbers, however, we realized that our call-back number, (313) 918-1383, was the same number that the bank had, and that it had not, in fact, been shut off yet.
UPDATE – 9/26/07: A call back to this number now confirms that it has been disconnected. Per the pre-recorded message, it is registered to a company that offers phone-to-IP services worldwide, which leads me to speculate that this scam was possibly perpetrated from outside the United States. However, I cannot be sure of that. In addition, the original number in Georgia was most likely spoofed. Please keep in mind that the purpose of this series of articles is not to investigate, but rather to educate you about these practices so that you do not become a victim. We’ll leave the investigation to law enforcement and bank officials. Also, phone-to-IP has some very useful business and personal applications, but like almost any technology, it can be abused. For more information on the topic, USA Today has an interesting article at the following URL: http://www.usatoday.com/tech/news/2006-03-01-caller-id_x.htm
If you believe that you may have become a victim of this fraud, you should contact Flagstar Bank immediately. I would like to commend them for posting a notice on their home page about this issue. Also, when I called them, their service representative was knowledgeable and readily discussed it with me. I got the impression that they were eager to protect their customers or any other consumer who might be tricked by this scam. Visit the Flagstar Fraud Information Center for details, or call (800) 642-0039, which is the phone number they have listed on their web site. Obviously, if you are not a Flagstar customer and were tricked by this fraud, you should also contact your own financial institution immediately.
Please remember that this article should be of concern to all consumers. This week, it was Flagstar Bank in Indianapolis. Next week, it could be the same issue with a completely different bank in a different city. Most importantly, as a general tip, if you ever receive any communication (e-mail, phone, etc.) that seems suspicious, make sure that you do not act on it or reply to it directly. Use the official contact numbers or web address that your financial institution has provided you with to inquire about the situation. Do not become a victim of fraud!