The Money Overview

The FBI says bank spoof calls are draining accounts in minutes — scammers now send 100,000 texts a day, and Fidelity flagged a $15 billion fraud wave targeting Americans’ savings

A retired teacher in Ohio picks up a call that shows her bank’s name on the screen. The voice on the other end knows her full name, the last four digits of her account, and says there’s been suspicious activity. Within eight minutes, she’s read a one-time passcode aloud and watched $14,000 vanish from her savings. She never spoke to her bank at all. Variations of that scenario are playing out across the country at an accelerating pace, and federal agencies say the mechanics behind it have become disturbingly efficient.

How the scam works, according to the FBI

The FBI has published multiple public service announcements describing what it calls account takeover fraud through impersonation of financial institution support. The playbook follows a consistent pattern: a target receives an automated text message that appears to come from their bank, typically asking them to confirm or deny a suspicious transaction. If the person responds, a follow-up phone call arrives from someone posing as a fraud specialist.

During that call, the scammer walks the victim through steps that actually authorize wire transfers or instant payments to accounts the criminal controls. In some cases, victims are told to move money into what is described as a “safe” or “temporary” holding account. Because the victim initiates the transfer, banks frequently classify the transaction as authorized, which sharply limits the institution’s obligation to reimburse the loss.

What makes the calls so convincing is a technique the FDIC’s Office of Inspector General has documented in its guidance on call spoofing practices: fraudsters fake the caller ID so the incoming number matches the bank’s real customer service line. Victims see a familiar number, hear professional-sounding scripts, and are given accurate personal details likely harvested from prior data breaches or public records. The entire sequence, from the first text to the final unauthorized transfer, can unfold in minutes.

The scale of the problem

The FBI’s Internet Crime Complaint Center reported that Americans lost a record $12.5 billion to online fraud in 2023, the most recent year with published data. Bank-impersonation spoofing is not broken out as a standalone category in that report; losses from these schemes are spread across broader classifications like phishing, social engineering, and business email compromise. That makes it difficult to isolate the exact toll, but the trajectory is clear: total reported losses have climbed year over year, and impersonation tactics are among the fastest-growing vectors.

Industry estimates suggest the volume of fraudulent bank-related text messages now reaches into the hundreds of thousands per day. The figure of 100,000 daily scam texts has circulated in news coverage and telecom industry commentary, though it does not originate from a single published FBI or IC3 dataset. Similarly, reporting has attributed a $15 billion fraud figure to Fidelity Investments, but no publicly available Fidelity statement or regulatory filing reviewed as of June 2026 confirms that specific number. Both figures reflect the broad scale of concern among financial institutions and law enforcement, but readers should treat them as approximate benchmarks rather than audited totals.

What is not in dispute is the speed. A separate IC3 advisory on social engineering techniques warned that criminals who gain phone-number control or extract one-time passcodes can defeat standard multi-factor authentication entirely. Once inside an account, they route funds through multiple intermediary accounts in rapid succession, a laundering chain that frustrates recovery efforts and often moves money offshore within hours.

Why getting your money back is so difficult

Federal law, specifically Regulation E under the Electronic Fund Transfer Act, generally requires banks to reimburse consumers for unauthorized electronic transfers. But the legal picture gets murkier when the victim is the one who pressed “send.” If a scammer manipulates you into initiating a wire or instant payment yourself, many banks argue the transaction was authorized, even though it was obtained through deception.

The Consumer Financial Protection Bureau has signaled that it views some of these cases differently, suggesting that transactions induced by fraud may still qualify as unauthorized under certain circumstances. But enforcement actions have been limited, and individual bank policies vary widely. The result is a patchwork system in which some victims are made whole quickly while others spend months disputing losses with no guarantee of recovery.

This gap is especially painful for older Americans and retirees whose savings or retirement distributions sit in checking and brokerage accounts that scammers specifically target. Unlike credit card fraud, where liability caps and chargeback mechanisms offer a safety net, wire transfers and peer-to-peer payments often lack comparable protections once the money has left the originating account.

How to protect yourself right now

Every federal advisory reviewed for this article converges on the same core guidance, and it is worth stating plainly: a legitimate bank employee will never call or text you and ask for your multi-factor authentication code, your full password, or instructions to move money to a “safe” account. If that request comes in, it is a scam, regardless of what the caller ID says.

Beyond that baseline, security professionals and federal agencies recommend several concrete steps:

  • Hang up and call back. If you receive an unexpected call about suspicious activity, end it. Then dial the number printed on the back of your debit card or on your bank’s official website. Do not use any number the caller provides.
  • Do not reply to unsolicited texts. Responding to a “confirm or deny” fraud alert text, even with “NO,” signals to scammers that your number is active and monitored.
  • Switch to app-based authentication. One-time codes sent via SMS can be intercepted through SIM-swapping or extracted during a spoofed call. Authenticator apps like Google Authenticator or Authy, or hardware security keys, are significantly harder for criminals to compromise.
  • Freeze your credit. A credit freeze at all three major bureaus (Equifax, Experian, TransUnion) will not stop an account-takeover call, but it limits what criminals can do with stolen personal information if they try to open new accounts in your name.
  • Report it immediately. File a complaint with the FBI’s IC3 at ic3.gov and contact your bank’s fraud department. Speed matters: the sooner a bank flags the receiving account, the better the chance of freezing funds before they are moved again.

What regulators and banks still need to address

The verified record makes one thing uncomfortably clear: the tools criminals use to spoof calls and blast fraudulent texts are cheap, widely available, and often routed through international networks that sit beyond the practical reach of U.S. law enforcement. A Government Accountability Office report examining federal efforts against caller ID fraud found that enforcement remains difficult precisely because the infrastructure is decentralized and cross-border.

Meanwhile, consumers are left navigating a system where the burden of vigilance falls almost entirely on them. Banks have invested in fraud-detection algorithms and real-time transaction monitoring, but those systems are less effective when the customer is the one authorizing the transfer under duress. Until financial institutions adopt stronger default protections, such as mandatory cooling-off periods for large outbound wires initiated after inbound calls, or real-time voice verification that confirms the customer is not on a concurrent call with a third party, the gap between the speed of the scam and the speed of the defense will persist.

For now, the most reliable protection is also the simplest: treat every unexpected phone call or text about your bank account as suspicious until you have verified it yourself, on your own terms, through a channel you initiated. The FBI’s warnings are not hypothetical. These calls are happening daily, the losses are real, and the window to act once a scam is underway is measured in minutes, not hours.

