January 16, 2025 • 21 mins
Today's episode features a crossover from ABA's brand new podcast series: ABA Fraudcast: Cyber and Fraud with Paul Benda. Community banks can be targets of large-scale fraud, just like larger banks. On the inaugural episode of the ABA Fraudcast, former ABA Chair Dan Robb, president and CEO of Jonesburg State Bank in Missouri, describes the recent targeting of his bank by fraudsters who texted thousands of residents of his community, seeking access to customer accounts. What followed for Robb and his team were fast lessons on all the areas his bank was prepared for, and a few challenges that were surprising. “We are no longer dealing with a mom-and-pop criminal,” says ABA’s Paul Benda, Fraudcast host. “This is institutional crime.”
To find the ABA Fraudcast, visit aba.com/fraudcast or look for it in your favorite podcast app.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Evan Sparks (00:00):
from the American Bankers Association, I'm Evan Sparks.
(00:03):
Today, in lieu of giving bringing youthe another episode of the ABABAnking
Journal podcast, I am going to bring youa Well, I'm delighted to share the premier
episode of our brand new ABA Fraudcast,a podcast, all about cybersecurity
and fraud with our own Paul benda.
(00:23):
Paul is having all kinds of greatconversations with bankers, with leaders
across the industry, leaders in theanti-fraud space and experts here at
ABA on fraud, fraud prevention andwhat ABA and the industry are doing
to mitigate the, the risk of fraud.
This is gonna be a fantasticseries of conversations.
And so before I hand you overto Paul, what I'm gonna do is
(00:46):
just say, go to aba.com/fraud.
That's where you can find all theplaces you can download this episode.
We'll also have the Fraudcastin ABA Daily Newsbytes.
You can find it on all of yourfavorite podcast apps or platforms.
Thanks so much for listening and enjoy thevery first episode of the ABA Fraudcast.
Paul Benda (01:08):
From the American Bankers Association, I'm Paul Benda.
And this is the inaugural episode ofour new podcast, the ABA Fraudcast.
Many of you may remember me fromthe ABA Pandemic Update podcast and
the dark days of the COVID pandemic.
Well, we've moved from one epidemic,an epidemic of COVID, to another
one, one focused on fraud and scams.
And in this space, I'm going totry and give you the information
(01:30):
you need to protect yourself.
I hope to be entertaining and educational.
The current plan is to host abi-weekly podcast sometimes with guest
speakers focused on different topics.
Ranging from discussing those fake fraudalerts everyone has probably gotten on
their phones -- and what that scam lookslike from the bank's perspective -- to
how artificial intelligence can be usedto fake voices and images to cause scams,
(01:53):
to how criminals are spoofing your callerID, pretending to be your bank or the U.S.
Government or USPS or Amazon, tryingto convince you to do something.
And what we in the banking industryare trying to do to stop it.
To quantum computing.
Talking about what it is andhow it can potentially break the
encryption systems we use today.
Unfortunately, lots of topics to cover inthe fraud and scam space and we'll address
(02:16):
them in the coming weeks and months.
But we're going to start with an interviewwith one of my favorite bankers, Dan Robb.
Dan's bank recently went through acoordinated attack from criminals
who sent out thousands of thosefake fraud alerts to his customers'
phones, and even his non customers.
And we're going to talk about howhis bank handled that attack.
So I want to welcome a very special guesthere, Dan Robb, a good friend, both
(02:37):
to myself personally and to the ABA.
Former past chairman.
I really appreciate you beinghere today to speak with me, Dan.
Why don't you tell me a littlebit about yourself and your
bank, kind of your perspective.
Dan Robb (02:48):
Paul, thanks for having me.
This is a great opportunity.
I sure appreciate everything that you'redoing, everything that ABA is doing
to help us out in the trenches, thebanks that are unfortunately fighting
against a whole bunch of fraud.
So, Jonesburg State Bankis a small community bank.
We're about $135 million in assets inthree small towns just outside the St.
(03:11):
Louis Metro area, and we unfortunately areseeing a lot of fraud of various different
sources that we've been talking about.
But certainly glad to be with you today.
Paul Benda (03:22):
Well, I really appreciate taking the time and you know, I think
it's important to get your perspective,you know, $135 million bank, small
bank, I think a lot of our smallcommunity banks think, "Oh, the
criminals aren't going to target me.
I'm, not going to be subject to theseattacks that I see coming down."
That's clearly not true though, is it?
You know, you guys just a couplemonths ago were subject to kind
of what I would say is a largescale ... you know, the fake fraud
(03:45):
alerts that a lot of people get.
Did you make those transactions?
They kind of hit your bank.
So tell me about that.
What happened there?
Dan Robb (03:51):
You bet.
Unfortunately, yeah, one morning Icame in and had some people saying
that they had heard that there weresome texts coming in saying that they
were from Jonesburg State Bank and likeyou said, I've seen them saying, "My
FedEx package hasn't been delivered" or"Citibank ... " or you know something
of a large scale has been mentionedand I don't really think much about it.
(04:14):
But all of a sudden when it was JonesburgState Bank saying that a Walmart
transaction had not gone through -- welove to shop at Walmart here locally
-- and so it got everybody's attentionand we started talking about it.
I came back to my officeand I got the text.
And I said, okay, this is definitelysomething real, happening in real time.
(04:35):
I went over to our bookkeeping departmentand everybody was on the phone.
The phones were ringing off thehook and customers were alerting
us -- customers and non-customers-- were alerting us that these texts
were coming in and we physically hadpeople coming into the bank as well.
I mean, that's a great thingabout small towns is everybody
wants to help each other out.
So it was both JonesburgState Bank customers and also
(04:57):
non-customers that were alerting us.
And we were saying, This isn'tus, this is a fraud situation.
And it started happeningthen in real time.
Fast forward to the end of theday, Paul, we ended up having
almost 600 phone calls in that day.
So yeah
...Paul Benda: 600 phone calls in one day.
For ABAnk of $135 million, with 25 staff members.
(05:20):
That's a lot of phonecalls to try to field.
But you know what we had been practicingand we'd been gathering information.
And so the great thing is that we wereable to act fast and minimize our losses.
What we discovered was that they weregetting in and we only think we had about
15 customers that actually clicked on it.
(05:42):
They went through and it was a fakewebsite that looked like Jonesburg State
Bank, signing on to our online banking.
And they then entered the information.
They told the customerto enter the information.
We have dual factor authentication.
So there was the code that was then sent.
The fraudster then said, enter thiscode, which allowed immediately
(06:04):
for the fraudster to be ableto get into their account.
They were prepared,knew exactly what to do.
Knew we were a Zelle bank, usingZelle, and they immediately went
to there and started taking moneyout of the customer's accounts.
So we got on the phone with our core andsaid, please get this shut down ASAP.
I've got a little list hereof the things that we created:
(06:26):
We alerted all of our staff.
We shut down the products that we could.
We called our marketing companyto put a Facebook message out.
We pushed a directmessage on mobile banking.
We froze the homepage bannerto say there was a fraud alert
going on, a fraud situation.
We posted signs in thedrive-thru and in the lobby.
We had after-hour phone notices put up.
(06:48):
We then later dealt with those customerswho had actually fallen for it.
We worked with them with changingtheir accounts, closing out
accounts, opening new accounts.
And so I've got a checklist that I'dbe happy to share with you or anyone.
And I think ABA's started kind ofgathering some of that information.
But I applaud our staff whoreally, all hands on deck for
(07:11):
the event and it came in waves.
What we theorized, maybe perhaps, is thatit was a small group of scammers that were
overwhelmed with too many transactionsand they did so many that they could
field those people that perhaps respondedand then maybe an hour later the next
wave and this happened all day long-- the wave after wave of those people.
(07:33):
And obviously we know what they did.
They took the prefix of our area.
They focused on Jonesburg StateBank and they started blasting it.
We were fearful at first.
Was it just our customers?
But then like I said, we knowthat they just -- every 359 phone
number -- they hit every one of 'em.
Some were ours, some were not ours.
But obviously, you know, itwas a big swath of customers.
Paul Benda (07:55):
Well, and that's what's scary is these guys, we're no longer dealing
with the, you know, mom and pop criminal.
I mean, this is institutionalized crime.
These guys are doing itat an industrial scale.
They're well prepared.
I remember when you and I talked aboutthis earlier, you have had instances where
they spoof the caller ID, the number ofyour bank, when they call the customers.
Is that right?
Dan Robb (08:13):
Yeah, yeah, exactly.
It appeared that it was coming fromJonesburg State Bank and you helped
us working with the FCC, I believe.
Another great thing that ABA has beendoing is pushing back with the FCC
saying, Hey, we need some action onthis and working with the telecom
companies to try to get this kind ofspoofing not allowed, especially when
(08:34):
it's a spoof of a financial institution.
It's just not a safething to have out there.
Paul Benda (08:40):
Yeah.
And I think that's why, youknow, people are like: Oh,
I'd never fall for this scam.
Well, I mean the website looksexactly like your bank's.
They've got ... They might evenbought personal information.
They might know your name, youraddress, last four of your social.
They then all of a sudden callyou up and it says Jonesburg
State Bank on the caller ID.
I mean, you know, it makes sensethat someone would fall for this.
I, I think that list that you talkedabout, I think really shows how banks
(09:02):
are trying to protect their customers.
So I think that's somegreat work there, Dan.
One of the things that surprisesme: So you're going through this.
I mean, it's got to be a stressful time.
You know that, for all intentsand purposes, people are
being robbed in real time.
Who do you call on thegovernment for help?
Dan Robb (09:17):
That's a great question.
And then there isn't anybody.
You know, like we've talked aboutit and with the core as well, I
still plead that the cores work withtheir customers, us, the banks, and
get an emergency shutoff button.
They still don't have, to my knowledge,that button that I talk about.
You're at the gas pump andyou're pumping that gas.
(09:39):
And what do you see if something happens?
You got a big red button youcan push to stop the gas.
Well, we should have an emergencyshutoff button that shuts Zelle down
or whatever bill pay or whateverthing is that they're using to get
the money out of customers' accounts.
We need to be able to shut that down.
So that's -- from the core perspective,but also, yes, law enforcement.
(09:59):
Sadly, I get it.
I understand, when we call the FBI theyask, well, how much we've lost now.
"Less than $10,000?
Well, sorry, we got biggerthings to deal with right now."
So yeah, that's somethingdefinitely we need to look at.
Paul Benda (10:12):
Well, and I think, you know, just for our listeners that may not
know what a core service provider is.
I don't think people understand thatthose are the guys that provide,
especially smaller banks, you know,their ability to do transactions.
And so, you know, even though yoursmall bank may want to do things, unless
their core service provider, supportsthat, the bank is kind of hamstrung.
They can't make thosechanges unilaterally.
And it's just the world we live in.
(10:32):
It still amazes me though, that we knowpeople are being robbed in real time and
yet banks have nowhere to go, nowhereto call to ask for help on this space,
trying to protect their customers.
It's all on the bank andit really seems unfair.
The other thing that I, that I look atis, isn't it amazing that the telecoms
don't have any way to detect thesefraudulent spoofs occurring in real time?
(10:54):
It'd be like you having a creditcard or a debit card that has
no fraud alerts on it, right?
If ABAnk were to put that out therewith no way to detect these suspicious
transactions, and yet the telecomsallow these things to go through, and
they don't do anything to stop them.
It's totally up on the bank to thento try and protect the customers.
Dan Robb (11:09):
You know, wouldn't you think that there'd be some
kind of a red flag that pops up?
If we had 600 phone calls,that means there were thousands
of texts that went out.
So, somebody texting thousands of timesto the 359 prefix or whatever it is.
Yeah, you would think that thatwould send off some kind of an alarm.
Paul Benda (11:29):
Right, right, exactly.
I mean, so they justchoose not to do that.
I mean, it'd be banks have chosento protect their customers.
Telecoms has chosen to let thecustomers fend for themselves.
Dan Robb (11:38):
Yeah.
Paul Benda (11:38):
You know, the one thing I do say, the FCC, we did meet with the
enforcement bureau, fairly recently.
And they really want to hear from banks.
We actually use your example.
Unfortunately for you, you wentthrough it, but fortunately for us
it's a great example for us to talkto the government folks and say, "Hey
these small banks are suffering here.
What are you doing to help?"
And they've established a portal forbanks to report these kinds of things.
We've reached out to others that, if otherbanks go through this to let us know.
(12:01):
It may not stop it in the real time.
But it has a chance to.
So we're excited to seesome progress on that.
Dan Robb (12:07):
That's great.
Paul Benda (12:08):
All right.
So, unfortunately, that's not theonly scams that you're seeing, right?
So, what else is out there, Dan?
What else are you seeing at your bank?
Dan Robb (12:15):
Well, I'll tell you of an event that is unfortunately unfolding right now.
We were notified here within thelast couple of weeks of a local
church that had been doing repairsto their church, a large amount of
repairs and they were working withthe contractor and actually paying by
check all along through the process.
(12:35):
It was time that I believe they werebeing notified via email and they met or
did something and checks were exchanged.
However, the very last email thatcame in was requesting final payment,
$30,000 for the final payment on this.
They then asked for thatmoney to be ACH'd to ABAnk.
I'm not sure if they knew exactly wherethe bank was, but it turned out it was
(12:57):
in New Jersey and we're in Missouri.
So that's unusual becauseit was a local contractor.
There's no reason ... but unfortunatelyit appeared that it was from that
contractor and the church complied.
They didn't suspect anything,unfortunately, and they sent that money.
Now, I still don't know the final facts,but to me, that is a prime example
(13:20):
of a hacking of email and doing afraudulent transaction via the email.
I'm afraid what has happened is that their$30,000 -- it was intercepted and it was
sent out, and we did follow up with thatbank in New Jersey and the money's gone.
So I would suspect either thecontractor or the church or both
(13:40):
are gonna' be out a chunk of moneybecause of that fraud and we see
that so much with people interceptingthe emails that are out there
Paul Benda (13:48):
Yep.
And I think that's where people haveto recognize that the bank is going
to follow the instructions of thecustomer when they're sending the money.
You have no idea who the ... wherethe contractor's headquartered,
you don't get involved in that.
You're not going to question thecustomer on those kinds of things.
And when they come and say, Oh,we want to make the final payment.
You're like, Yeah, absolutely.
We're happy to executethat on your behalf.
So I think it's really important forpeople to, you know, we talk about
(14:11):
multi factor authentication, right?
That people need to have that on theirbank accounts, but also on your emails.
Especially if you're a small business.
Someone hacks into that and startschanging wiring instructions.
You could see a savvy lawyer forthe church making the case that
that business was negligent.
You know, gave him properinstructions and due to their
negligence, they lost that payment.
They might end up losing that money.
(14:31):
Or the church might, youknow, it's a hard situation.
When you get instructions at the lastminute to change payment instructions,
you got to question those, don't you?
Dan Robb (14:40):
Yeah, exactly.
Paul Benda (14:42):
I think we're seeing -- I know there's other scams that are
out there and I think we're seeing,these criminals being really savvy.
Have you had instances where people havecome into the bank, the teller can tell
something's not right, and that personstill insists on making a transaction?
How do you guys handle that?
Have you seen that situation?
Dan Robb (15:00):
Yeah, absolutely, Paul.
And again, I applaud our staff for theirspidey senses have definitely become
more fine-tuned with all the fraudthat happens, whether it's our folks in
bookkeeping, whether it's the tellers onthe front line, the new accounts folks.
And what we had been seeing so muchof it that we actually even came
up with a laminated placard card.
(15:22):
Customer would come in and they wouldactually ... it just didn't feel right.
The story seemed strange.
And what we were finding a lot oftimes is that the fraudster was on
their cell phone in their purse or intheir jacket and actually listening
to exactly what the bank was saying.
And I think they were doing ittwofold to see if the transaction
(15:45):
went through, to hear exactly whatthe bank said, and also to hone their
skills to make it a better fraud.
I've got one here in front of me.
It says (15:52):
"Fraud warning.
Is someone currently on thephone listening, instructing
you to do this transaction?"
And they can easily point to yesor no, and then it says, "Hang
up the phone, this is fraud."
And then we say, "Are youwithdrawing these funds for
any of the following reasons?
An agency official of any kind, such asFBI, FDIC, IRS, Social Security, CIA,
(16:16):
local law enforcement, has contacted youand told you to do this transaction?"
"To purchase Bitcoin orany other cryptocurrency?
To purchase gift cards?
Have you been instructed to meetsomeone or mail the cash to them?
We want to make sure you and yourfunds are protected from fraud."
And this has really beena great thing for us.
(16:37):
We have stopped ... We have had customersgo into offices, leave their phone
at the teller line and be in tearsand say, "I didn't know what to do.
I thought I was doing the right thing."
And that's usually what happens.
Is that someone has gotten in and they'vegotten in over their head and sadly
it may be the second or third time.
(16:57):
They come in for $5,000 then theyleave and they come back for a
little bit more and they come back.
And whether it's the romance scam, thepig butchering, you know there's so
many, the IRS officials, all of these.
It just is sick how muchit is out there and how many
customers are getting scammed.
Paul Benda (17:15):
Well, and I applaud you guys for putting that placard together.
I think that's greatlisting those things out.
I think it's, they prey on thepeople that are trying to be helpful.
I mean, we're seeing this bigrise and saying, Oh we need
your help in this investigation.
Because you know, we think there's ABAdactor at the bank or we think they're ABAd
actor, you know pick your agency, and sothe people believe they're being helpful.
Dan Robb (17:34):
Yeah.
Paul Benda (17:34):
What we try and tell people, "Your money is always safest in the bank.
Transferring your money elsewhereor taking the cash out and giving it
to someone does not make it safer.
It's always safest tokeep it in that bank.
You know, it's well protected there."
And I think the hard part is, you know,people that haven't gone through this
don't realize how convincing thesescammers and these criminals are.
And you know, they try and makethe people distrust the bank.
(17:56):
"Oh, they don't want you to buythat Bitcoin because they want
to keep your money in the bank.
You know, they don't.
They don't want you togo in a cryptocurrency."
Dan Robb (18:02):
Yeah.
Paul Benda (18:03):
So, I really applaud you, Dan for taking those proactive actions,
and trying to protect your customers.
Dan Robb (18:09):
You know, one other thing on a local scale that we did, Paul,
and I realize not as many peoplethese days read the newspaper,
print newspaper, but we know thatelderly customers typically do, and
unfortunately it is a lot of the elderlycustomers that are getting scammed.
So Jonesburg State Bank and about half adozen other community banks in our area
(18:32):
ran a two-page, full-page color ad thatbasically gave red flags to customers
and said, We want to protect you.
We as your local banks want to protectyou and gave those same kind of red flags
and said, If you get calls like this ifyou have any concerns, contact us before
(18:55):
you do something with one of these.
And we got a lot ofgreat feedback from that.
The local newspapers in two differentcounties worked with us and gave
us a very, very discounted rates.
And we all worked together andchipped in on it and I think it
was just good PR, you know, just agood public service announcement,
but public relations on behalf of us.
Because no banker wantstheir customer to lose money.
(19:17):
Yes, we would rather themkeep it here in the bank.
But more importantly, we want themto have that money, their hard-earned
money that they have earned.
And we want it to stay in theirpocket, not a scammer's pocket.
Paul Benda (19:29):
I think it's a great example of how, you know, the banks care about
their customers and their community.
We'd love to see otherindustries step up like that.
You know, ABA has ABAnks Never AskThat campaign and our Practice Safe
Checks campaign to try and educateconsumers on risk to phishing and scams.
But where are the telecoms?
Where are the social media companies?
Where are their outreach to customers?
You know, saying, "Don'ttrust your caller ID."
(19:50):
"Don't trust those impersonationscams on social media sites."
We really need an all-of-governmentand all-of-industry approach.
Because what I try and tell people is,you know, people, we say, don't send
money to someone you don't know and trust.
But by the time they're making thatpayment, they believe they know
and trust who they're talking to.
We've got to engage them earlierso they don't get to that point
where they're standing in front ofyour teller and you're trying to
(20:11):
convince them that that person thatthey're talking to can't be trusted.
It's really hard to do whenthey're like, well, "It said U.S.
Government on my caller ID."
And then you're stuck trying toyou know, save them from sending
potentially their life savingsaway, to some criminal overseas.
Dan Robb (20:24):
Yeah, you know again
doing with working with the FCC andmaking sure that like you say the
telecom companies are not just heldaccountable but doing the right thing.
You know, we all want to do the rightthing for our customers and I implore
everybody that's listening to this podcastthat they need to take action whether
(20:46):
you're ABAnker, whether you're a consumer,and you need to raise your voice.
And you need to say something throughour tools that we can do that to the
FCC, to the telecom companies, thatwe want to protect our customers.
We want to fight fraud and we've allgot to continue to raise our voices and
not just sit there and let it happen.
But we've got to actually push back.
Paul Benda (21:06):
I think that's a great message, Dan.
I think that's a great message.
Well, I really appreciateyou being here with me today.
Dan Robb (21:11):
Fantastic, Paul.
Great to be with you as always.
Paul Benda (21:14):
All right, you too.
That's all for this week.
As a reminder, you can subscribe tothe ABA fraudcast for free and Apple
Podcasts, Google Podcast, Stitcher,or your favorite podcast app.
You can also find episodes on theABA site at aba.com/podcasts, and
new episodes will also be sharedin the ABA Daily Newsbytes email.
Please join me in a couple of weeks wherewe're going to talk about AI deepfakes
(21:37):
and have a sample of what my voice soundslike when it's deepfaked, and maybe
even what Rob Nichols' voice soundslike when it's deepfaked, and if you
can tell the difference between the two.
Thanks for listening.
from the American Bankers Association, I'm Evan Sparks.
(00:03):
Today, in lieu of giving bringing youthe another episode of the ABABAnking
Journal podcast, I am going to bring youa Well, I'm delighted to share the premier
episode of our brand new ABA Fraudcast,a podcast, all about cybersecurity
and fraud with our own Paul benda.
(00:23):
Paul is having all kinds of greatconversations with bankers, with leaders
across the industry, leaders in theanti-fraud space and experts here at
ABA on fraud, fraud prevention andwhat ABA and the industry are doing
to mitigate the, the risk of fraud.
This is gonna be a fantasticseries of conversations.
And so before I hand you overto Paul, what I'm gonna do is
(00:46):
just say, go to aba.com/fraud.
That's where you can find all theplaces you can download this episode.
We'll also have the Fraudcastin ABA Daily Newsbytes.
You can find it on all of yourfavorite podcast apps or platforms.
Thanks so much for listening and enjoy thevery first episode of the ABA Fraudcast.
Paul Benda (01:08):
From the American Bankers Association, I'm Paul Benda.
And this is the inaugural episode ofour new podcast, the ABA Fraudcast.
Many of you may remember me fromthe ABA Pandemic Update podcast and
the dark days of the COVID pandemic.
Well, we've moved from one epidemic,an epidemic of COVID, to another
one, one focused on fraud and scams.
And in this space, I'm going totry and give you the information
(01:30):
you need to protect yourself.
I hope to be entertaining and educational.
The current plan is to host abi-weekly podcast sometimes with guest
speakers focused on different topics.
Ranging from discussing those fake fraudalerts everyone has probably gotten on
their phones -- and what that scam lookslike from the bank's perspective -- to
how artificial intelligence can be usedto fake voices and images to cause scams,
(01:53):
to how criminals are spoofing your callerID, pretending to be your bank or the U.S.
Government or USPS or Amazon, tryingto convince you to do something.
And what we in the banking industryare trying to do to stop it.
To quantum computing.
Talking about what it is andhow it can potentially break the
encryption systems we use today.
Unfortunately, lots of topics to cover inthe fraud and scam space and we'll address
(02:16):
them in the coming weeks and months.
But we're going to start with an interviewwith one of my favorite bankers, Dan Robb.
Dan's bank recently went through acoordinated attack from criminals
who sent out thousands of thosefake fraud alerts to his customers'
phones, and even his non customers.
And we're going to talk about howhis bank handled that attack.
So I want to welcome a very special guesthere, Dan Robb, a good friend, both
(02:37):
to myself personally and to the ABA.
Former past chairman.
I really appreciate you beinghere today to speak with me, Dan.
Why don't you tell me a littlebit about yourself and your
bank, kind of your perspective.
Dan Robb (02:48):
Paul, thanks for having me.
This is a great opportunity.
I sure appreciate everything that you'redoing, everything that ABA is doing
to help us out in the trenches, thebanks that are unfortunately fighting
against a whole bunch of fraud.
So, Jonesburg State Bankis a small community bank.
We're about $135 million in assets inthree small towns just outside the St.
(03:11):
Louis Metro area, and we unfortunately areseeing a lot of fraud of various different
sources that we've been talking about.
But certainly glad to be with you today.
Paul Benda (03:22):
Well, I really appreciate taking the time and you know, I think
it's important to get your perspective,you know, $135 million bank, small
bank, I think a lot of our smallcommunity banks think, "Oh, the
criminals aren't going to target me.
I'm, not going to be subject to theseattacks that I see coming down."
That's clearly not true though, is it?
You know, you guys just a couplemonths ago were subject to kind
of what I would say is a largescale ... you know, the fake fraud
(03:45):
alerts that a lot of people get.
Did you make those transactions?
They kind of hit your bank.
So tell me about that.
What happened there?
Dan Robb (03:51):
You bet.
Unfortunately, yeah, one morning Icame in and had some people saying
that they had heard that there weresome texts coming in saying that they
were from Jonesburg State Bank and likeyou said, I've seen them saying, "My
FedEx package hasn't been delivered" or"Citibank ... " or you know something
of a large scale has been mentionedand I don't really think much about it.
(04:14):
But all of a sudden when it was JonesburgState Bank saying that a Walmart
transaction had not gone through -- welove to shop at Walmart here locally
-- and so it got everybody's attentionand we started talking about it.
I came back to my officeand I got the text.
And I said, okay, this is definitelysomething real, happening in real time.
(04:35):
I went over to our bookkeeping departmentand everybody was on the phone.
The phones were ringing off thehook and customers were alerting
us -- customers and non-customers-- were alerting us that these texts
were coming in and we physically hadpeople coming into the bank as well.
I mean, that's a great thingabout small towns is everybody
wants to help each other out.
So it was both JonesburgState Bank customers and also
(04:57):
non-customers that were alerting us.
And we were saying, This isn'tus, this is a fraud situation.
And it started happeningthen in real time.
Fast forward to the end of theday, Paul, we ended up having
almost 600 phone calls in that day.
So yeah
...Paul Benda: 600 phone calls in one day.
For ABAnk of $135 million, with 25 staff members.
(05:20):
That's a lot of phonecalls to try to field.
But you know what we had been practicingand we'd been gathering information.
And so the great thing is that we wereable to act fast and minimize our losses.
What we discovered was that they weregetting in and we only think we had about
15 customers that actually clicked on it.
(05:42):
They went through and it was a fakewebsite that looked like Jonesburg State
Bank, signing on to our online banking.
And they then entered the information.
They told the customerto enter the information.
We have dual factor authentication.
So there was the code that was then sent.
The fraudster then said, enter thiscode, which allowed immediately
(06:04):
for the fraudster to be ableto get into their account.
They were prepared,knew exactly what to do.
Knew we were a Zelle bank, usingZelle, and they immediately went
to there and started taking moneyout of the customer's accounts.
So we got on the phone with our core andsaid, please get this shut down ASAP.
I've got a little list hereof the things that we created:
(06:26):
We alerted all of our staff.
We shut down the products that we could.
We called our marketing companyto put a Facebook message out.
We pushed a directmessage on mobile banking.
We froze the homepage bannerto say there was a fraud alert
going on, a fraud situation.
We posted signs in thedrive-thru and in the lobby.
We had after-hour phone notices put up.
(06:48):
We then later dealt with those customerswho had actually fallen for it.
We worked with them with changingtheir accounts, closing out
accounts, opening new accounts.
And so I've got a checklist that I'dbe happy to share with you or anyone.
And I think ABA's started kind ofgathering some of that information.
But I applaud our staff whoreally, all hands on deck for
(07:11):
the event and it came in waves.
What we theorized, maybe perhaps, is thatit was a small group of scammers that were
overwhelmed with too many transactionsand they did so many that they could
field those people that perhaps respondedand then maybe an hour later the next
wave and this happened all day long-- the wave after wave of those people.
(07:33):
And obviously we know what they did.
They took the prefix of our area.
They focused on Jonesburg StateBank and they started blasting it.
We were fearful at first.
Was it just our customers?
But then like I said, we knowthat they just -- every 359 phone
number -- they hit every one of 'em.
Some were ours, some were not ours.
But obviously, you know, itwas a big swath of customers.
Paul Benda (07:55):
Well, and that's what's scary is these guys, we're no longer dealing
with the, you know, mom and pop criminal.
I mean, this is institutionalized crime.
These guys are doing itat an industrial scale.
They're well prepared.
I remember when you and I talked aboutthis earlier, you have had instances where
they spoof the caller ID, the number ofyour bank, when they call the customers.
Is that right?
Dan Robb (08:13):
Yeah, yeah, exactly.
It appeared that it was coming fromJonesburg State Bank and you helped
us working with the FCC, I believe.
Another great thing that ABA has beendoing is pushing back with the FCC
saying, Hey, we need some action onthis and working with the telecom
companies to try to get this kind ofspoofing not allowed, especially when
(08:34):
it's a spoof of a financial institution.
It's just not a safething to have out there.
Paul Benda (08:40):
Yeah.
And I think that's why, youknow, people are like: Oh,
I'd never fall for this scam.
Well, I mean the website looksexactly like your bank's.
They've got ... They might evenbought personal information.
They might know your name, youraddress, last four of your social.
They then all of a sudden callyou up and it says Jonesburg
State Bank on the caller ID.
I mean, you know, it makes sensethat someone would fall for this.
I, I think that list that you talkedabout, I think really shows how banks
(09:02):
are trying to protect their customers.
So I think that's somegreat work there, Dan.
One of the things that surprisesme: So you're going through this.
I mean, it's got to be a stressful time.
You know that, for all intentsand purposes, people are
being robbed in real time.
Who do you call on thegovernment for help?
Dan Robb (09:17):
That's a great question.
And then there isn't anybody.
You know, like we've talked aboutit and with the core as well, I
still plead that the cores work withtheir customers, us, the banks, and
get an emergency shutoff button.
They still don't have, to my knowledge,that button that I talk about.
You're at the gas pump andyou're pumping that gas.
(09:39):
And what do you see if something happens?
You got a big red button youcan push to stop the gas.
Well, we should have an emergencyshutoff button that shuts Zelle down
or whatever bill pay or whateverthing is that they're using to get
the money out of customers' accounts.
We need to be able to shut that down.
So that's -- from the core perspective,but also, yes, law enforcement.
(09:59):
Sadly, I get it.
I understand, when we call the FBI theyask, well, how much we've lost now.
"Less than $10,000?
Well, sorry, we got biggerthings to deal with right now."
So yeah, that's somethingdefinitely we need to look at.
Paul Benda (10:12):
Well, and I think, you know, just for our listeners that may not
know what a core service provider is.
I don't think people understand thatthose are the guys that provide,
especially smaller banks, you know,their ability to do transactions.
And so, you know, even though yoursmall bank may want to do things, unless
their core service provider, supportsthat, the bank is kind of hamstrung.
They can't make thosechanges unilaterally.
And it's just the world we live in.
(10:32):
It still amazes me though, that we knowpeople are being robbed in real time and
yet banks have nowhere to go, nowhereto call to ask for help on this space,
trying to protect their customers.
It's all on the bank andit really seems unfair.
The other thing that I, that I look atis, isn't it amazing that the telecoms
don't have any way to detect thesefraudulent spoofs occurring in real time?
(10:54):
It'd be like you having a creditcard or a debit card that has
no fraud alerts on it, right?
If ABAnk were to put that out therewith no way to detect these suspicious
transactions, and yet the telecomsallow these things to go through, and
they don't do anything to stop them.
It's totally up on the bank to thento try and protect the customers.
Dan Robb (11:09):
You know, wouldn't you think that there'd be some
kind of a red flag that pops up?
If we had 600 phone calls,that means there were thousands
of texts that went out.
So, somebody texting thousands of timesto the 359 prefix or whatever it is.
Yeah, you would think that thatwould send off some kind of an alarm.
Paul Benda (11:29):
Right, right, exactly.
I mean, so they justchoose not to do that.
I mean, it'd be banks have chosento protect their customers.
Telecoms has chosen to let thecustomers fend for themselves.
Dan Robb (11:38):
Yeah.
Paul Benda (11:38):
You know, the one thing I do say, the FCC, we did meet with the
enforcement bureau, fairly recently.
And they really want to hear from banks.
We actually use your example.
Unfortunately for you, you wentthrough it, but fortunately for us
it's a great example for us to talkto the government folks and say, "Hey
these small banks are suffering here.
What are you doing to help?"
And they've established a portal forbanks to report these kinds of things.
We've reached out to others that, if otherbanks go through this to let us know.
(12:01):
It may not stop it in the real time.
But it has a chance to.
So we're excited to seesome progress on that.
Dan Robb (12:07):
That's great.
Paul Benda (12:08):
All right.
So, unfortunately, that's not theonly scams that you're seeing, right?
So, what else is out there, Dan?
What else are you seeing at your bank?
Dan Robb (12:15):
Well, I'll tell you of an event that is unfortunately unfolding right now.
We were notified here within thelast couple of weeks of a local
church that had been doing repairsto their church, a large amount of
repairs and they were working withthe contractor and actually paying by
check all along through the process.
(12:35):
It was time that I believe they werebeing notified via email and they met or
did something and checks were exchanged.
However, the very last email thatcame in was requesting final payment,
$30,000 for the final payment on this.
They then asked for thatmoney to be ACH'd to ABAnk.
I'm not sure if they knew exactly wherethe bank was, but it turned out it was
(12:57):
in New Jersey and we're in Missouri.
So that's unusual becauseit was a local contractor.
There's no reason ... but unfortunatelyit appeared that it was from that
contractor and the church complied.
They didn't suspect anything,unfortunately, and they sent that money.
Now, I still don't know the final facts,but to me, that is a prime example
(13:20):
of a hacking of email and doing afraudulent transaction via the email.
I'm afraid what has happened is that their$30,000 -- it was intercepted and it was
sent out, and we did follow up with thatbank in New Jersey and the money's gone.
So I would suspect either thecontractor or the church or both
(13:40):
are gonna' be out a chunk of moneybecause of that fraud and we see
that so much with people interceptingthe emails that are out there
Paul Benda (13:48):
Yep.
And I think that's where people haveto recognize that the bank is going
to follow the instructions of thecustomer when they're sending the money.
You have no idea who the ... wherethe contractor's headquartered,
you don't get involved in that.
You're not going to question thecustomer on those kinds of things.
And when they come and say, Oh,we want to make the final payment.
You're like, Yeah, absolutely.
We're happy to executethat on your behalf.
So I think it's really important forpeople to, you know, we talk about
(14:11):
multi factor authentication, right?
That people need to have that on theirbank accounts, but also on your emails.
Especially if you're a small business.
Someone hacks into that and startschanging wiring instructions.
You could see a savvy lawyer forthe church making the case that
that business was negligent.
You know, gave him properinstructions and due to their
negligence, they lost that payment.
They might end up losing that money.
(14:31):
Or the church might, youknow, it's a hard situation.
When you get instructions at the lastminute to change payment instructions,
you got to question those, don't you?
Dan Robb (14:40):
Yeah, exactly.
Paul Benda (14:42):
I think we're seeing -- I know there's other scams that are
out there and I think we're seeing,these criminals being really savvy.
Have you had instances where people havecome into the bank, the teller can tell
something's not right, and that personstill insists on making a transaction?
How do you guys handle that?
Have you seen that situation?
Dan Robb (15:00):
Yeah, absolutely, Paul.
And again, I applaud our staff for theirspidey senses have definitely become
more fine-tuned with all the fraudthat happens, whether it's our folks in
bookkeeping, whether it's the tellers onthe front line, the new accounts folks.
And what we had been seeing so muchof it that we actually even came
up with a laminated placard card.
(15:22):
Customer would come in and they wouldactually ... it just didn't feel right.
The story seemed strange.
And what we were finding a lot oftimes is that the fraudster was on
their cell phone in their purse or intheir jacket and actually listening
to exactly what the bank was saying.
And I think they were doing ittwofold to see if the transaction
(15:45):
went through, to hear exactly whatthe bank said, and also to hone their
skills to make it a better fraud.
I've got one here in front of me.
It says (15:52):
"Fraud warning.
Is someone currently on thephone listening, instructing
you to do this transaction?"
And they can easily point to yesor no, and then it says, "Hang
up the phone, this is fraud."
And then we say, "Are youwithdrawing these funds for
any of the following reasons?
An agency official of any kind, such asFBI, FDIC, IRS, Social Security, CIA,
(16:16):
local law enforcement, has contacted youand told you to do this transaction?"
"To purchase Bitcoin orany other cryptocurrency?
To purchase gift cards?
Have you been instructed to meetsomeone or mail the cash to them?
We want to make sure you and yourfunds are protected from fraud."
And this has really beena great thing for us.
(16:37):
We have stopped ... We have had customersgo into offices, leave their phone
at the teller line and be in tearsand say, "I didn't know what to do.
I thought I was doing the right thing."
And that's usually what happens.
Is that someone has gotten in and they'vegotten in over their head and sadly
it may be the second or third time.
(16:57):
They come in for $5,000 then theyleave and they come back for a
little bit more and they come back.
And whether it's the romance scam, thepig butchering, you know there's so
many, the IRS officials, all of these.
It just is sick how muchit is out there and how many
customers are getting scammed.
Paul Benda (17:15):
Well, and I applaud you guys for putting that placard together.
I think that's greatlisting those things out.
I think it's, they prey on thepeople that are trying to be helpful.
I mean, we're seeing this bigrise and saying, Oh we need
your help in this investigation.
Because you know, we think there's ABAdactor at the bank or we think they're ABAd
actor, you know pick your agency, and sothe people believe they're being helpful.
Dan Robb (17:34):
Yeah.
Paul Benda (17:34):
What we try and tell people, "Your money is always safest in the bank.
Transferring your money elsewhereor taking the cash out and giving it
to someone does not make it safer.
It's always safest tokeep it in that bank.
You know, it's well protected there."
And I think the hard part is, you know,people that haven't gone through this
don't realize how convincing thesescammers and these criminals are.
And you know, they try and makethe people distrust the bank.
(17:56):
"Oh, they don't want you to buythat Bitcoin because they want
to keep your money in the bank.
You know, they don't.
They don't want you togo in a cryptocurrency."
Dan Robb (18:02):
Yeah.
Paul Benda (18:03):
So, I really applaud you, Dan for taking those proactive actions,
and trying to protect your customers.
Dan Robb (18:09):
You know, one other thing on a local scale that we did, Paul,
and I realize not as many peoplethese days read the newspaper,
print newspaper, but we know thatelderly customers typically do, and
unfortunately it is a lot of the elderlycustomers that are getting scammed.
So Jonesburg State Bank and about half adozen other community banks in our area
(18:32):
ran a two-page, full-page color ad thatbasically gave red flags to customers
and said, We want to protect you.
We as your local banks want to protectyou and gave those same kind of red flags
and said, If you get calls like this ifyou have any concerns, contact us before
(18:55):
you do something with one of these.
And we got a lot ofgreat feedback from that.
The local newspapers in two differentcounties worked with us and gave
us a very, very discounted rates.
And we all worked together andchipped in on it and I think it
was just good PR, you know, just agood public service announcement,
but public relations on behalf of us.
Because no banker wantstheir customer to lose money.
(19:17):
Yes, we would rather themkeep it here in the bank.
But more importantly, we want themto have that money, their hard-earned
money that they have earned.
And we want it to stay in theirpocket, not a scammer's pocket.
Paul Benda (19:29):
I think it's a great example of how, you know, the banks care about
their customers and their community.
We'd love to see otherindustries step up like that.
You know, ABA has ABAnks Never AskThat campaign and our Practice Safe
Checks campaign to try and educateconsumers on risk to phishing and scams.
But where are the telecoms?
Where are the social media companies?
Where are their outreach to customers?
You know, saying, "Don'ttrust your caller ID."
(19:50):
"Don't trust those impersonationscams on social media sites."
We really need an all-of-governmentand all-of-industry approach.
Because what I try and tell people is,you know, people, we say, don't send
money to someone you don't know and trust.
But by the time they're making thatpayment, they believe they know
and trust who they're talking to.
We've got to engage them earlierso they don't get to that point
where they're standing in front ofyour teller and you're trying to
(20:11):
convince them that that person thatthey're talking to can't be trusted.
It's really hard to do whenthey're like, well, "It said U.S.
Government on my caller ID."
And then you're stuck trying toyou know, save them from sending
potentially their life savingsaway, to some criminal overseas.
Dan Robb (20:24):
Yeah, you know again
doing with working with the FCC andmaking sure that like you say the
telecom companies are not just heldaccountable but doing the right thing.
You know, we all want to do the rightthing for our customers and I implore
everybody that's listening to this podcastthat they need to take action whether
(20:46):
you're ABAnker, whether you're a consumer,and you need to raise your voice.
And you need to say something throughour tools that we can do that to the
FCC, to the telecom companies, thatwe want to protect our customers.
We want to fight fraud and we've allgot to continue to raise our voices and
not just sit there and let it happen.
But we've got to actually push back.
Paul Benda (21:06):
I think that's a great message, Dan.
I think that's a great message.
Well, I really appreciateyou being here with me today.
Dan Robb (21:11):
Fantastic, Paul.
Great to be with you as always.
Paul Benda (21:14):
All right, you too.
That's all for this week.
As a reminder, you can subscribe tothe ABA fraudcast for free and Apple
Podcasts, Google Podcast, Stitcher,or your favorite podcast app.
You can also find episodes on theABA site at aba.com/podcasts, and
new episodes will also be sharedin the ABA Daily Newsbytes email.
Please join me in a couple of weeks wherewe're going to talk about AI deepfakes
(21:37):
and have a sample of what my voice soundslike when it's deepfaked, and maybe
even what Rob Nichols' voice soundslike when it's deepfaked, and if you
can tell the difference between the two.
Thanks for listening.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Las Culturistas with Matt Rogers and Bowen Yang
Ding dong! Join your culture consultants, Matt Rogers and Bowen Yang, on an unforgettable journey into the beating heart of CULTURE. Alongside sizzling special guests, they GET INTO the hottest pop-culture moments of the day and the formative cultural experiences that turned them into Culturistas. Produced by the Big Money Players Network and iHeartRadio.