I recently fell into the trap of nearly transferring my entire bank balance to a hacker. I was probably 30 minutes away from draining our account. Fortunately wire transfers are slow and I was able to cancel. This is the story of what happened.

For starters, I’ll share that prior to this, if I were to rank myself on a scale of 1-10 in terms of both knowledge and preparedness of how NOT to get hacked, I would have said that I was an 8 or 9. We pay for a premium, family password manager account. All my passwords are unique and a 30-character long jumbled mess (the most secure password you can have). I have two-factor authentication set up everywhere I can. I make it a practice to never answer inbound calls from phone numbers I don’t have in my phone. I never open suspicious emails and report spam, phishing, etc at every turn. Blah, blah, blah… The point is that I think a lot about this and am wary at every turn. But after this incident, my confidence waned, but hopefully I learned a lesson and have some valuable learnings to share.

We had just arrived in Canada for a family ski trip. I woke up the first day after our long drive and as I was getting ready for our first day of skiing, I got a call from “Wells Fargo”.

Now, as I mention, I don’t answer inbound calls from strangers and I NEVER answer calls from our bank, Wells Fargo. It’s much safer to let the call go to voicemail, and if you need to call them to handle a fraudulent charge or something, go to the website and call the number on the website. Initiating contact with your financial institution and calling a published number (rather than the number on the VM) is a great way to ensure you won’t get scammed–this way you can be sure you are talking to the bank. If you stop reading here, this is the one takeaway–always initiate the call.

On this morning, I chose to answer the call, which was my first big mistake. Why did I answer rather than stick to my “always initiate contact” rule? Well, I had just arrived in Canada to a ski town I’ve never been in and we had charged a few things on a credit card on the way up and the night before. So I was expecting to get a call. This was pure luck for the hackers, and had nothing to do with how clever & professional they were–they just lucked out that I happened to be expecting a call from the bank and let my guard down. I was lazy–I figured picking up the call was faster than listening to the VM, then having to look up the phone number on Wells Fargo website and call them back. Hey, I just traveled to Canada so it makes sense the bank would be calling.

“Hello, Chris Rodde here”

“Hello, Mr Rodde. I’m calling from Wells Fargo because we have seen some potentially fraudulent charges on your account.”

I was on the phone for a full 22 minutes with this hacker. The hackers goal: trick me into gaining online access to my bank account, then keep me on the phone long enough so they could add themselves as an approved wire transfer recipient and execute a wire transfer, then trick me into not canceling the wire transfer they set up (wire transfers trigger lots of notifications).

While on this call, the unspoken game we were both playing was a game of my suspicions going up and this person building trust and calming my suspicions. Even after deciding to pick up the call I was cautious but this hacker was a real pro and knew the game well.

He talked for a few minutes, telling me about the fraudulent charges on my debit card and talking about the process of what would happen in getting a new debit card. He confirmed the address to send the debit card (my correct address). He had my address and read it to me (trust goes up).

He confirmed the user name on the account (he had our user name, which increased my trust…) Mistake #2… Using our sophisticated password manager, with the worlds longest, ugliest and all unique passwords, I’ve been dismissive of the importance of user names. I’ve used the same user name across many accounts and somewhere along the way, this user name made it’s way to the dark web, where this hacker must have picked it up. If you are using a password manager, pick a unique, long user name for your important accounts. The fact that he already had our user name made it one step easier for him to get access to my account.

He confirmed the last four of my social security number, sharing this with me. Foolishly, in the moment, I didn’t recognize this is backward… banks never give out even the last four of your SS#–they ask you for it.

He didn’t ask me for any info for the first 4-5 minutes, and came across as calm, professional and knowledgable. I still was suspicious at this point but I hadn’t given out any info.

Ok… on to my third and biggest mistake… Four to five minutes into the conversation, I knew I needed to confirm that this wasn’t a scam and asked, “how do I know that you are legit?”. The hacker said “Look at phone number on the back of your debit card. It should match the number I am calling from.” I pulled out my Wells Fargo debit card and compared it with the caller ID. The numbers matched! I had no idea that caller IDs are spoof-able. My big, big, gigantic, nearly-very-expensive mistake.

At this point, my guard dropped way down and trust went way up. I thought this must be the bank if the numbers match. Caller-IDs aren’t spoofable! UGHHHHH!!!!!

So now, this hacker has really gained my trust.

Mistake #3… He told me that in order to take the hold off my account he was going to send me a text and I needed to read back the code in the text. Normal thing, eh? We’ve all done this. To unlock the account you get a text and put that code into the website. I’m a puppy dog on his leash now (…the phone numbers matched!). Just as he said, I got a text and I gave him the code.

I didn’t read the text which says clearly “Wells Fargo will NEVER call or text you for this code. DON’T share it.” I’ve seen this text language a thousand times and of course I’d never share it, unless I’m already on the phone with Wells Fargo, and the agent that I trust tells me that I’m going to get a text from Wells Fargo and then I do get a text from Wells Fargo.

Of course, what was happening here, is the hacker’s partner (there must have been more than one person working on this) was going through the lost password protocol on the Wells Fargo’s website.

He then said he would be sending a second text. I received the second text and I gave him the code. This allowed them to get past the two-factor authentication.

After I gave him the second code in the text on my phone, his partner had access to my account.

At this point, I wanted to get into my account myself and tried, but of course, they’ve now changed my password. I try to log in and failed. I tell the agent that I would like to get access to my account and see what’s going on. He says ok and gives me the password they’ve just created. I log in.

As I think back on the entire 22 minute phone call, one thing that really stood out is how calm, professional and choreographed the whole call was. While the hacker I was talking to had a pretty heavy accent (pretty normal for customer service these days), the way he progressed through the conversation was impressive. After getting access to the account, he started reading back many other recent charges on my account, all of those legit, to confirm that these weren’t fraud. Tactics like this gained my trust and bought him time.

The hacker tells me that there has also been a fraudulent wire transfer that was set up. He asks if I knew “Ashton Cutler”. I said no. He said that Ashton Cutler had been set up as a wire transfer recipient on the account. He said I might be getting some texts suggesting that Ashton Cutler was added.

While talking, I’m in my account online at Wells and don’t see any charges in Texas. Suspicion increases.

I got the text. “Ashtian Tavon Cutler added as a Wells Fargo Online wire transfer recipient. Questions? Call 1-800-956-4442”

My suspicion goes up. Why would I suddenly get a text suggesting that Ashton was added? I ask him this and he says sometimes these alerts get queued. He says I might get a text that a wire transfer was set up, too.

I get this text: “You sent a Wells Fargo wire transfer of $[large amount that I’d really hate to lose]. Questions? Call 1-800-956-4442”

Now I’m totally suspicious.

I tell the “Wells Fargo agent”, hey this seems wrong… I’m going to hang up and call you back. I hang up the phone, go to to the Wells Fargo website and call them back at the number published (…which is the exact phone number that showed in the caller ID). The agent transfers me to the fraud department. I tell the story (quickly) because now the panic is setting in.

The agent confirms that it was not Wells Fargo that had called before and says that yes, there is a wire transfer for $[large amount that I’d really hate to lose] that is about to go. I say “cancel it!”. Fortunately, she’s able to cancel it before it goes.

Whew! Crisis barely averted.

The agent completely locks all access to our account. I’m kicked out of the online banking site.

The agent explains how my account will be closed (this is our primary checking account), that she would be creating a new account for me and transferring the entire amount into this new account because our other account had been breached. She explains that I’m going to have to change any and all direct deposits and auto-payments from this account (there are many).

I’m on the phone with this agent for 33 minutes.

While on the phone with her, in a panic, I’m logging into our primary brokerage account where we have our retirement accounts and stock accounts. Phew… the balances are where they should be. I’m changing passwords and user names for these accounts, madly. Double checking that the “Lock feature” on these accounts are all properly set up. (Not all of them were…)

For the rest of the day, I log onto Wells Fargo at least seven more times, to ensure that everything looks good.

I clearly lucked out in this incident.

A few takeaways:

• Always initiate contact with financial institutions or important companies using a published number. Don’t ever let your guard down as I did.
• Call back. If you do answer a call, before giving away any info at all, tell the person you are going to call them back. Again, look up a published number and call them back.
• Use a password manager. Password managers will ensure you have unique, secure passwords. Sign up for the family account, if you share accounts with a spouse or someone else. I’m not an expert on password managers, but some of the common ones are Bitwarden, Dashlane, and 1Password. Direct message me and I’ll share which one we use.
• Review security settings for important accounts. Check your bank account, stock accounts, etc that you have the highest security settings on. Two-factor authentication is a must. Our stock account has a “Lock” feature that means no money can be withdrawn without going through a secure obstacle course. This Lock feature is an example of one that is a pain in the butt if you do need to withdraw money, but is a great protection. It’s worth it.
• Know which accounts are important to secure. Of course, your bank account and any stock accounts are important, but your email account is nearly as important to secure. If someone gets access to your email, they can authorize things like two factor authentication.
• No matter what you do, know that your information is in the hands of hackers. Nearly every month, I get an email from an insurance company, a medical clinic, an online service, etc, etc, saying that they’ve had a data breach and that my information was stolen. Understand that your data is out there, but that with the right precautions, you are still protected.

If you have any suggestions for me, or if there’s anything important I’ve left off this list, I’m all ears. Post your suggestions in the comments.