David Welles, a retired lawyer, struggled for hours with his new iPad while trying to call tech support.
But instead of calling Microsoft to help him link his email address, the phone number he found on Google put him in touch with cybercriminals.
The smooth-talking scammer who answered called himself Alex and struck up a relationship with Mr. Welles, assuring him that he could solve his technical problems. Mr. Welles soon downloaded remote access software to both his iPhone and his laptop, allowing the fraudster to penetrate deep into his devices, where he stored his username and passwords on his hard drive.
“A big mistake,” said the 87-year-old Mr. Welles. “Suddenly I could see the laptop going blank and little lights flickering around.”
According to text messages and other records, the scammer wore him down with a series of calls over a period of nearly five hours. Shortly after 7 p.m., Mr. Welles finally called his work assistant and told her that he had been on the phone with Microsoft all day.
She immediately sensed that something was wrong.
The three of them quickly called the scammer. But they had no idea that Alex had already transferred $85,000 from Mr. Welles' checking account at Citibank.
It appears that Citi didn't immediately notice either – even after Mr. Welles and his assistant contacted the bank to warn it about the fraudster, just three hours after the money left Mr. Welles' account.
Cybercrime has become a global, industrialized operation that robs Americans of billions of dollars each year. Fraudsters develop sophisticated schemes by exploiting basic technologies – by displaying malicious ads purchased from search engines or social media companies, purchasing phone lines and sending fraudulent text messages from VoIP providers, and more.
They then do their best to slip through the banking system undetected with their ill-gotten gains. If they can transfer money from their own account and a customer's devices, they are far less likely to raise alarm bells.
Account takeovers — including those similar to Mr. Welles's — are on the rise and have tripled in the last five years, according to an analysis of financial data by David Maimon, a criminal justice professor and head of a cybersecurity research group at Georgia State University. In May, 16,556 reports were filed with the Financial Crimes Enforcement Network, an arm of the Treasury Department called FinCEN, up from 5,145 at the start of 2020.
“From the banking side, almost everything looks real” because the signals come from the customer's electronic devices, said Professor Maimon, who is also head of fraud analysis at SentiLink, a fraud prevention company.
According to the Federal Bureau of Investigation's Internet Crime Complaint Center, Americans over 60 lost about $982 million last year to tech support scams alone, one of the more lucrative scams. That number is up 66 percent compared to 2023, but is still only a fraction of the estimated $16.6 billion that cybercriminals stole in total in 2024, up 33 percent from the previous year and is widely seen as underrepresented because so much fraud goes unreported.
Many criminals move the stolen money using crypto or bank transfers, a method that offers weaker consumer protections than other electronic transfers through online banking platforms. That issue is now at the heart of a lawsuit brought by New York Attorney General Letitia James against Citibank, which argues that stricter rules should apply.
When Mr. Welles and his assistant called Citi around 8 p.m. after hanging up with the fraudster, the bank told him it was freezing his accounts. But the bank made no mention, nor did it mention, that $85,000 had been withdrawn from his account just hours earlier, at 4:45 p.m
Mr. Welles said he checked for suspicious withdrawals and noted his account balance of about $20,000 – but forgot that he had transferred a large amount a few days earlier to pay a tax bill.
As a 50-year customer of the bank, Mr. Welles said he was confident the bank would accommodate any unusual activity. But he still had trouble sleeping that night.
The next morning, he received a call on his caller ID from what appeared to be Citibank's private bank. “Did you make a transfer of $85,000?” asked a man who called himself Michael Wink. He assured Mr. Welles that he did not need to call the bank because it was already on the case.
But it was the hackers who called him.
Mr. Welles and his assistant called the real Citibank, which confirmed that $85,000 had indeed been withdrawn from his account the previous afternoon. The bank then initiated a callback via wire transfer, but it was too late – the money had ended up with Wells Fargo and had already been forwarded to its next destination.
If Citi had sounded the alarm bells the night before, when Mr. Welles first called, would he have been more likely to get his money back? Citi declined to comment on the details of its case.
The bank refused to reimburse him in a letter nine days after the incident. “Based on the information provided and the results of our research, the transfer was made using your Citibank online credentials and initiated using the registered device ID,” it said. “Therefore, we cannot comply with your request.”
Wire transfers are typically governed by a portion of the Uniform Commercial Code designed for business transactions that states that a refund is not required if “an agreed, commercially reasonable security procedure is in place” and the bank demonstrates that it accepted the transfer order in good faith.
However, Attorney General James' lawsuit argues that greater consumer protection is warranted: She argues that Regulation E, the regulatory portion of the Electronic Fund Transfer Act, known as EFTA, should apply when transfers are made available online and through mobile banking apps. That requires banks to pay compensation to victims, as they do with other electronic transfers or debit card fraud, when their money is lost or stolen through unauthorized electronic payments. Liability is generally limited to $500 if the bank is notified within 60 days.
Carla Sanchez-Adams, a senior attorney specializing in banking and payment systems at the National Consumer Law Center, agreed with the lawsuit's position and said that transfers initiated in the same way, electronically, should come with similar protections. From a consumer perspective, “everything is the same,” she added.
Banks argue that the law is clarified and bank-to-bank transfers are excluded from the EFTA. However, consumer advocates point out that when EFTA was founded in 1978, consumer transfers were rarely used – and certainly not through online banking, which did not yet exist.
In January, a federal district court judge rejected Citi's request to dismiss the New York lawsuit, a decision that Citi appealed in September. A coalition of other banks and credit unions have rallied behind Citi and filed an amicus brief supporting its appeal to the Second Circuit.
Some financial institutions are already threatening that a “seismic shift in regulatory treatment” could lead them to eliminate wired connections for consumers altogether.
Mr. Welles still has difficulty understanding exactly how the fraudster carried out the plan. His private banker answered some of his security-related questions in an email that said The transfer recipient was added using “direct debit/PIN verification” and a one-time password was sent via SMS to confirm the transfer – both of which the fraudsters had apparently accessed. Mr. Welles later learned from a police report that the money was transferred to an account registered with Wells Fargo under the name Adedela Sodiq.
A Wells Fargo spokesman declined to say whether that account was closed or under investigation.
In a statement, Citi said it takes customer protection seriously and has robust controls and processes in place. The bank said it also offers customizable alerts that customers can receive when transactions exceed an amount they choose.
There is no way to prevent transactions above a certain amount from being executed. When Mr. Welles asked his private bank representatives to call his advisor before making transfers of more than $10,000, they told him that the system itself determined the required authentication per transaction and “could not direct that a non-account holder be called for transactions above a certain amount,” according to their email correspondence last month.
Weeks later, the fraudsters continued to torment Mr. Welles.
He received a call from someone calling himself Mark Wood, who claimed to be a senior investigator at Citi – and promised he would get his money back in about a week. Mr. Welles notified his private bankers of the incident by email to confirm that they were indeed the fraudsters, which they did.
“Fortunately, even though it's a little worse, I'm still OK to get through the few years I have left to live a comfortable life,” he said in the Sept. 24 email, but not psychologically. “Fear dreams,” he added.
Susan C. Beachy and Alain Delaquérière contributed to the research.