CHICAGO -- A new scam is targeting users of popular mobile payment apps. Some said they've been tricked into paying criminals thousands of dollars.
"It's really distressing," Nausheen Brooks said. She's out $3,500. "You save your hard earned money to just be taken away from you. You just don't know what to do, you feel lost."
Brooks received a text saying it was her bank, Bank of America, verifying a purchase. When she answered, 'No,' she got a call from someone saying they were a Bank of America representative asking questions that made it sound real. Then Brooks was told there was a $3,500 Zelle withdrawal from her Bank of America account, which was "pending." All she had to do was transfer the money back to herself through Zelle to "reverse" it.
When she sent herself the $3,500 through Zelle, the money disappeared. What she can't figure out is why sending money through Zelle to her own email or phone number didn't get to her.
"That's where I'm lost for words. But now I'm out of thousands of dollars right now because of that," she said.
Even though the Zelle transaction has her information, another strange name appeared underneath, making it look like someone took over her Zelle account.
"I sent it to myself so it should go to me, but clearly it didn't go to me," said Brooks.
The same scam happened to Darlene Chelsey; she lost $3,500 to scammers after sending the money to herself through Zelle on Bank of America's app.
"I sent it to myself so it should go to me, but clearly it didn't go to me," she said.
Chelsey said the phone number was made to look like a real Bank of America phone number and she said the fraudsters even used the same hold music as Bank of America. But it wasn't the bank.
"These attackers gain the victims' trust. They know that they are talking to the bank because it shows on the mobile phone that they are being called from the bank's number," Bogdan Bodezatu, director of threat research at Bit Defender, said.
He said the scammers are impersonating banks with texts and phone numbers, using cheap software that routes the call through a specific cell or landline number. Experts say the attackers may have already have victim's information by studying their social media, and they may have sign-in info through software hackers use to hunt for passwords and user names.
"They definitely had access to the account if the money was wired to herself. In the past few years there have been a lot of data leaks from high profile websites. The theft itself is simple, there are few steps that the attacker needs to do to transfer the money. Keeping the money into the fraudulent account and then laundering it, making it disappear from the banking system, that's a little more difficult," he said.
Brooks said she was also fooled into handing over authentication codes from her texts, which may have allowed scammers access to the account on a new device.
Chelsey said she never gave the caller the confirmation codes.
"'Why are you asking me for that?' and that's when the call dropped and they were gone," she recalled. "And so was the money."
The I-Team contacted both Zelle and Bank of America which sent a statement saying, "We remind clients that they should not provide confidential account information to unidentified individuals. Bank of America and other legitimate companies would not ask for sensitive account information, such as passcodes or authentication codes. We have a number of measures in place to proactively warn clients about scams, and we periodically reach out to customers with information about how to stay safe and avoid scams."
Bank of America, which is a partial owner of Zelle, looked into Chelsey and Brooks' claims and credited both $3,500.
"I was blessed and lucky enough to have you guys help me with this," said Brooks.
"I want other people to be aware. Never take a call from a bank. Call them yourself. Hang up," advised Chelsey.
Experts agree it's always better to hang up and call your bank to make sure you are talking to the real bank. They say you should never use the same password. For example if your email password is compromised and it's the same as your bank, scammers can then get into your bank account.
-Try to create one password per each service and as different as possible to guess
-Whenever called by a bank or institution asking for validation, hang up and call yourself, most numbers can be spoofed
-Never give out codes you receive on phone to strangers.
BANK OF AMERICA: In addition, we keep clients informed about new scam alerts through our Client Security Center on our website