The phone rang, and the caller ID said Chase. A person identifying themselves as a fraud specialist warned of suspicious activity on the account and walked the customer through what sounded like standard security steps. Within minutes, $40,000 had been transferred out of the account and into wallets the caller controlled. The customer never shared a password or clicked a phishing link. They simply followed instructions from someone who appeared to be their bank.
That incident, reported in consumer fraud coverage and consistent with patterns federal investigators have documented, is not an outlier. Since January 2025, the FBI’s Internet Crime Complaint Center has logged more than 5,100 complaints involving criminals who impersonate bank support staff to take over accounts. Combined reported losses exceed $262 million, according to FBI Alert I-112525-PSA, published in November 2025. Those numbers almost certainly undercount the problem: IC3 has long noted that most cybercrime victims never file a formal complaint. As of June 2026, the FBI has not released updated totals, but the agency continues to flag bank impersonation as a top consumer threat.
How the scam works, step by step
Everything hinges on a technique called caller ID spoofing, which lets criminals display any phone number they choose on a victim’s screen. The scammer either calls directly, showing the bank’s real customer service number, or sends a text that mimics the bank’s fraud alert system. When the target responds, a live caller takes over.
The caller follows a rehearsed script. They use the victim’s name, sometimes reference a partial account number, and describe transactions that supposedly need to be reversed. The “fix” they walk the victim through, whether it involves approving a transfer, reading back a one-time passcode, or moving money to a “safe” account, actually routes funds to accounts the criminals control.
The FBI’s Phoenix field office has flagged a related variant it calls the “Phantom Hacker.” In that version, victims are told their savings are at risk and instructed to wire money into fictitious Federal Reserve or government-backed accounts for “protection.” The urgency is deliberate. Scammers know that once a victim pauses to verify, the scheme collapses.
Federal investigators have also targeted the back-end infrastructure that feeds these calls. The Justice Department seized a domain and database used to store stolen bank login credentials. Scammers had purchased ads and manipulated search engine results to funnel bank customers to fake login pages, harvesting usernames and passwords that gave them direct access to real banking portals.
Earlier IC3 guidance from 2022 on reversal-style fraud described nearly identical scripts: callers claiming an accidental deposit needed to be returned, or that a fraudulent charge required the customer to authorize a “corrective” payment. Those techniques have carried directly into the current surge.
Why caller ID can no longer be trusted
The Federal Communications Commission began rolling out STIR/SHAKEN, a caller ID authentication framework, in 2021. The system is designed to verify that the number displayed on an incoming call actually belongs to the party placing it. Major carriers are required to implement it, and the FCC has taken enforcement actions against providers that failed to comply, including ongoing robocall enforcement actions through 2025 and 2026 targeting carriers that facilitate illegal spoofed traffic.
But STIR/SHAKEN has real gaps. Calls that originate on older copper-line networks, pass through smaller regional carriers that lack full implementation, or route through international gateways can still arrive with spoofed numbers intact. Criminals exploit exactly those seams. A call appearing to come from Chase, Bank of America, or Wells Fargo may carry no authentication flag at all, and nothing on the average phone screen tells the recipient whether the number has been verified or not.
This is why the FBI’s core advice is blunt: never trust a call you did not initiate. If someone claims to be from your bank, hang up and dial the number printed on the back of your debit or credit card. Legitimate fraud departments expect this and will not pressure you to stay on the line.
What banks say, and what the law actually requires
JPMorgan Chase, the largest U.S. bank by assets, states on its website that it will never call customers and ask them to transfer money to a “safe” account or read back one-time passcodes. Chase also says it will not ask for full Social Security numbers or online banking passwords over the phone. Bank of America, Wells Fargo, and Citibank publish similar warnings.
Under the Electronic Fund Transfer Act and its implementing rule, Regulation E, banks are generally required to reimburse customers for unauthorized electronic transfers reported promptly. But the legal picture gets complicated when the customer technically authorized the transaction, even if they did so under pressure from a scammer. Banks have argued in disputed cases that a transfer initiated by the account holder does not qualify as “unauthorized” under the regulation, regardless of the manipulation involved.
The Consumer Financial Protection Bureau has pushed back on that interpretation. In 2023 and 2024, the CFPB issued guidance specifically addressing peer-to-peer payment fraud, scrutinizing how banks handle claims in which consumers were induced into authorizing transfers. Still, as of June 2026, reimbursement practices for scam-induced authorized transfers remain inconsistent across institutions. Victims whose banks deny a claim can file a complaint with the CFPB, contact their state attorney general’s office, or consult a consumer protection attorney.
What we know, and what we don’t, about the $40,000 case
The $40,000 Chase loss referenced in the headline has been reported in consumer news outlets but has not been confirmed through a named law enforcement case file, a public court record, or an official statement from JPMorgan Chase. No FBI or IC3 document identifies the victim by name or details the exact sequence of transfers. The case is consistent with the patterns described in federal alerts and serves as a concrete illustration of how these scams play out, but the precise timeline and recovery status of those funds have not been independently verified through government records.
The broader FBI data stands on firmer ground. The 5,100-plus complaints and $262 million in losses come directly from IC3’s own intake system and were published in an official public service announcement. Those numbers represent a floor, not a ceiling.
What remains unclear is how the losses break down by method. The $262 million figure covers account takeover fraud involving impersonation broadly, including phone calls, texts, emails, and fake websites. Federal agencies have not published data isolating what share involved live voice calls with spoofed numbers versus text-only or email-only schemes. Anecdotal evidence and case studies strongly suggest that live voice calls create the most pressure and produce the fastest, largest losses, but the precise breakdown is not publicly available. It is also unclear how many of the 5,100-plus complaints have led to arrests or prosecutions; the FBI has not released case-resolution data tied to this specific alert.
How to protect yourself right now
Hang up and call back. If you receive any call claiming to be from your bank’s fraud department, end the call immediately. Look up the bank’s number independently from the back of your card or the bank’s official website, and call that number directly.
Never share one-time passcodes. Banks send verification codes to confirm actions you initiate. No legitimate bank employee will ever ask you to read a code back over the phone during an inbound call.
Do not transfer money on someone else’s instructions. Any caller who tells you to move funds to a “safe” account, a government account, or a cryptocurrency wallet is running a scam. Banks do not operate this way.
Enable account alerts. Most banks let you set up instant notifications for transactions above a certain dollar amount, new payee additions, and login attempts from unrecognized devices. These alerts give you a real-time check against any claim a caller might make.
Report it fast. If you suspect you have been targeted, contact your bank immediately using a verified number, then file a complaint with the FBI’s Internet Crime Complaint Center at ic3.gov. Speed matters: the faster a fraudulent transfer is flagged, the better the chance of recovery. If your bank denies your fraud claim, file a separate complaint with the CFPB.
Why this keeps working
The mechanics of this scam are not new. What has changed is the scale. More than 5,100 complaints in roughly 18 months, with losses exceeding a quarter of a billion dollars, signals that spoofed bank calls have moved well past isolated incidents. The technology to fake a phone number is cheap and widely accessible. The stolen personal data that makes the calls convincing is readily available on dark web marketplaces. And the psychological pressure of a live caller who sounds professional and references real account details is far harder to resist than a suspicious email sitting in an inbox.
The only reliable defense is a habit most people have not built yet: treating every inbound call from your bank as suspicious until you verify it yourself. That single step, hanging up and calling back, breaks the scam every time.
