Nearly half a million Alabama cell phone numbers received identical text messages in 2015 telling them to click a link to “verify” their bank account information. The link took recipients to a realistic-looking bank website where they typed in their personal financial information.

But the link was not the actual bank’s website—it was part of a phishing scam. Just like phishing messages sent over email, the text message-based scam was easy to fall for. The web address was only one character off from the bank’s actual web address.

While most recipients appeared to ignore the message, around 50 people clicked on the link and provided their personal information. The website asked for account numbers, names, and ZIP codes, along with their associated debit card numbers, security codes, and PINs. Within an hour, the fraudster had made himself debit cards with the victims’ account information. He then began to withdraw money from various ATMs, stealing whatever the daily ATM maximum was from each account.

“It was a fairly legitimate-looking website, other than the information it was asking for,” said Special Agent Jake Frith of the Alabama Attorney General’s Office, who worked the case along with investigators from the FBI’s Mobile Field Office.

The fraudster, Iosif Florea, stole about $18,000 (including ATM fees), with losses from each individual account ranging from $20 to $800. (Banks typically reimburse customers who are victims of fraud.)

Investigators believe Florea bought a large list of cell phone numbers from a marketing company, and he only needed a few victims out of thousands of phone numbers for the scheme to be successful.

The damage was minimized, however, because of the bank’s quick response. As soon as customers reported the fraud, the bank reached out to federal authorities as well as the local media to alert the community to the fraudulent messages.

Read More