Your phone rings. The screen shows your bank’s name and the exact customer-service number printed on the back of your debit card. The caller knows your name, the last four digits of your account, and references a “suspicious transaction” that just posted. Within minutes, you have read back a one-time passcode or approved a wire transfer. By the time you realize what happened, the money is gone.
That sequence has played out thousands of times across the United States since early 2025. In a November 2025 cyber alert, the FBI disclosed that its Internet Crime Complaint Center (IC3) had received more than 5,100 complaints tied to financial-institution impersonation since January 2025, with reported losses exceeding $262 million. The bureau called it the fastest-growing category of account-takeover fraud and issued blunt guidance: “Don’t trust caller ID. Hang up, verify the correct number, and call it yourself.”
Among the cases that have drawn the most public attention: a Chase customer who reportedly lost $40,000 during a single phone call after the caller ID displayed Chase’s real support number. The incident, widely cited in consumer-protection reporting, fits a pattern the FBI has tracked across three separate public service announcements spanning 2022 to 2025, in which spoofed calls from seemingly legitimate bank numbers led to five- and six-figure losses.
How the scam works, step by step
The attack almost always starts with a text message designed to look like a bank fraud alert. A typical version reads: “Did you authorize a $1,200 purchase at [retailer]? Reply YES or NO.” Regardless of how the target responds, a phone call follows within seconds from what appears to be the bank’s legitimate number. The caller already holds partial personal data, sometimes including fragments of a Social Security number, harvested from prior data breaches available on dark-web marketplaces.
That combination of a familiar number and accurate personal details is what makes the opening seconds so convincing. A 2024 IC3 advisory confirmed the scheme had matured into a scripted, multi-step process. Criminals now walk victims through sharing one-time passcodes sent by the real bank, installing remote-access software such as AnyDesk or TeamViewer, or approving wire transfers to accounts the fraudster controls. The entire interaction can take less than 15 minutes. By the time the actual bank flags unusual activity, the funds have already been routed through multiple accounts, making recovery difficult or impossible.
The Federal Trade Commission has documented an additional layer: some scammers “transfer” the victim to a second caller posing as an FBI or FTC agent. According to the FTC’s consumer guidance on impersonation scams, that handoff is designed to suppress any remaining skepticism. If the victim believes law enforcement is involved and directing the process, they are far less likely to hang up or question instructions to move money.
Why caller ID no longer means what you think
Spoofing a phone number does not require sophisticated hacking tools. Widely available Voice over Internet Protocol (VoIP) services allow anyone to set an outgoing caller ID to virtually any number, including your bank’s published customer-service line. The same technology that made cheap internet calling possible made spoofing trivial, and the cost to criminals is negligible.
The telecommunications industry has been rolling out STIR/SHAKEN, a caller-ID authentication framework that flags calls with forged origin information. Major U.S. carriers are required to implement it, and the protocol can attach a “verified” label to calls that pass authentication checks. But the framework has clear limits. The FBI’s advisories do not credit STIR/SHAKEN with reducing bank-impersonation losses, and security researchers have noted that criminals can sidestep the protocol by routing calls through smaller carriers with weaker implementation, using compromised internal phone systems, or shifting to app-based messaging channels that fall outside the framework entirely.
The FDIC has separately identified bank-impersonation scams as the most commonly reported text-message scam category, reinforcing that the pipeline from spoofed text to spoofed call has been active for years and spans every major financial institution.
What banks are and aren’t telling customers
No major U.S. bank has publicly disclosed how often spoofed-number calls succeed versus how often they are intercepted before a customer loses money. Chase, the institution named in the most widely reported case, has not released internal detection metrics for this type of fraud. That silence leaves customers unable to compare institutions or evaluate which safeguards are actually working.
The FBI’s $262 million figure covers all financial-institution impersonation complaints filed since January 2025, but the bureau has not broken out what share involved caller-ID spoofing specifically versus other social-engineering channels like email or chat. Without that granularity, it is hard to measure whether any single defensive technology is making a dent.
There is also an unresolved question about liability. Under Regulation E, banks are generally required to reimburse customers for unauthorized electronic fund transfers. But when a customer verbally authorizes a wire or reads back a passcode under false pretenses, banks have argued the transaction was “authorized” even though it was induced by fraud. The Consumer Financial Protection Bureau has signaled that it is scrutinizing these denials, but as of June 2026, there is no uniform rule requiring reimbursement for socially engineered losses. That gap means victims who followed a scammer’s instructions often face an uphill fight to recover their money.
What to do if you get the call
Hang up immediately. This is the FBI’s core recommendation, and it rests on a simple fact: a criminal can spoof the number on your screen, but they cannot intercept a fresh call you place yourself. If someone claiming to be your bank says your account is compromised, end the conversation and dial the number printed on the back of your debit card, on your most recent statement, or on the bank’s official website.
Never share one-time passcodes over the phone. Banks send those codes as a second layer of verification for actions you initiate. A legitimate bank employee will never ask you to read one back during an inbound call. If someone does, that alone confirms the call is fraudulent.
Do not install remote-access software at a caller’s request. Programs like AnyDesk or TeamViewer give a remote user full control of your device. No bank fraud department will ever ask you to download one.
Treat urgency as a warning sign, not a reason to comply. If the caller insists you must act “right now” or offers to connect you with law enforcement to validate the situation, that pressure is the scam’s most important tool. Real fraud investigations do not require you to move money to a “safe” account on a phone call you did not initiate.
Report it. File a complaint with the FBI’s IC3 at ic3.gov and contact your bank directly using a verified number. If you already shared credentials or authorized a transfer, call your bank immediately. The faster you act, the better the chance of freezing the transaction before funds clear. You can also file with the FTC, which tracks patterns across scam types and uses complaint data to build enforcement cases.
Why this fraud keeps scaling
The evidence assembled across three years of FBI advisories points to a fraud method that is simple, scalable, and devastatingly effective. Criminals need only a VoIP account, a list of partial customer data purchased from prior breaches, and a convincing script. The victim’s own phone does the rest by displaying a trusted name and number.
For consumers, the practical lesson is uncomfortable but necessary: the number on your screen is a cosmetic detail, not a security guarantee. Every unexpected call from your bank should be treated as unverified until you hang up and call back yourself. That is not paranoia. As of June 2026, with losses still climbing and no single technical fix in place, it is the minimum standard of self-defense the FBI is asking Americans to adopt.
