A Chase customer picks up the phone, sees Chase’s own number on the screen, and hears a voice warning that someone is moving money out of their account. Within minutes, $40,000 is gone. The caller was not from Chase. The number was spoofed. And the money, transferred at the caller’s direction to a supposedly “safe” account, vanished into a fraud network.
That case, reported by NBC News, is one of thousands following the same script. The FBI’s Internet Crime Complaint Center has flagged bank impersonation via caller ID spoofing as one of the fastest-growing fraud categories in the country. In its 2023 annual report, the most recent available as of June 2026, the IC3 documented $12.5 billion in total cybercrime losses, with impersonation and call center fraud among the top complaint types. The actual toll is almost certainly higher: the IC3 has long acknowledged that most victims never file a formal report.
How the scam works
The mechanics are straightforward, and that is what makes them dangerous. Criminals use widely available spoofing software to make outbound calls display a bank’s real name and phone number on the recipient’s caller ID. Once someone picks up, the caller claims there has been suspicious activity on the account and pressures the victim to “verify” login credentials, authorize wire transfers, or move funds to a new account the scammer controls.
The scripts are polished. Scammers mirror the language, hold music, and security questions a real bank representative would use, making it nearly impossible for even experienced customers to detect the fraud in real time. The entire call is engineered around one goal: preventing the victim from hanging up and dialing the bank independently.
A public service announcement the IC3 issued in August 2024 describes a more elaborate version. In that variant, the fraudster convinces the victim that a replacement debit card with an embedded chip needs to be issued for security purposes. An accomplice then physically picks up the new card, giving the criminal network direct access to the account through a legitimate piece of bank-issued hardware. Because the initial call displayed the bank’s actual number, the victim had no reason to doubt any of it.
Multiple federal agencies are raising the same alarm
The FBI is not the only agency flagging this. The FDIC’s Office of Inspector General published a dedicated warning explaining how call spoofing works in a banking context, noting that spoofed numbers can appear as either the bank’s name or its phone number on the recipient’s device. That same OIG page disclosed that one FDIC-supervised institution reported $5 million in call-spoofing attempts in a recent period. While that figure represents attempted rather than fully realized losses, it shows the volume of fraud hitting individual banks.
The Federal Trade Commission has weighed in with direct consumer guidance that leaves no room for ambiguity: anyone who tells you to move money to “protect it” is running a scam. The FTC says legitimate financial institutions will not pressure customers to act immediately, will not ask for online banking passwords or full one-time passcodes over the phone, and will not require funds to be moved to a different account as a condition of keeping them safe.
Why your phone company hasn’t stopped this
Readers familiar with robocall crackdowns may wonder why spoofed bank calls still get through. The answer involves a technology gap that regulators have been slow to close.
In 2020, the FCC mandated that major carriers implement STIR/SHAKEN, a caller ID authentication framework designed to verify that the number displayed on an incoming call actually belongs to the caller. Large carriers like AT&T, Verizon, and T-Mobile have deployed it on their networks. But STIR/SHAKEN has significant limitations: it does not cover calls that originate on older landline networks, it cannot authenticate calls routed through smaller carriers or international gateways, and many spoofed bank calls exploit exactly those gaps. The result is that a fraudulent call can still arrive on a victim’s smartphone displaying a bank’s verified number, with no warning flag attached.
The FCC has continued to tighten requirements on smaller carriers and gateway providers, but enforcement is uneven, and scammers adapt quickly. For now, caller ID remains an unreliable signal of who is actually on the other end of the line.
The liability question no one has answered
Perhaps the most consequential gap in the current landscape is who pays when a customer transfers money under fraudulent pretenses. When a scammer initiates an unauthorized transaction, Regulation E generally requires the bank to make the customer whole. But when the customer is the one who authorizes the transfer, even if they were manipulated into doing so, banks have historically argued the transaction falls outside Reg E’s protections.
The Consumer Financial Protection Bureau under its previous leadership signaled interest in holding banks more accountable for scam-induced transfers, particularly on platforms like Zelle. But as of June 2026, no formal rule change has taken effect, and the regulatory outlook remains uncertain. Victims are left navigating a patchwork of individual bank policies and state consumer protection laws, with outcomes that vary widely depending on the institution and the jurisdiction.
How to protect yourself right now
Federal agencies agree on a short list of steps that can stop these scams before any money moves:
- Hang up immediately. If you receive an unexpected call claiming to be from your bank, end the call. Do not engage, no matter how convincing the caller sounds or what the caller ID displays.
- Call back using a verified number. Flip your debit or credit card over and dial the number printed on the back, or use the number listed on your bank’s official website. Do not use any number the caller provides, and do not press redial. Some spoofing setups can intercept return calls placed to the same number.
- Never share credentials on an inbound call. The FBI specifically advises consumers not to share login passwords, one-time passcodes, or full account numbers during any call they did not initiate.
- Treat urgency as a red flag. Scammers rely on panic. A real bank will not demand that you act within seconds or threaten account closure if you pause to verify.
- Report it. If money has already been sent, contact your bank immediately, file a report with the IC3, and submit a fraud complaint to the FTC. Early reporting improves the chances of recovering funds and helps law enforcement identify emerging patterns.
Why hanging up and calling back remains the strongest defense against spoofed bank calls
The technology behind caller ID spoofing is not new, but the scale at which criminal networks are deploying it against bank customers is. Federal agencies, from the FBI to the FTC to the FDIC, are all saying the same thing: you cannot trust an incoming call based on the number it displays. Until regulators, banks, and telecom providers close the gaps that make spoofing so easy, the most reliable protection is also the most basic. If someone calls and asks you to move your money, hang up. Then call your bank yourself.
