Learn How Bank Impersonation Scams Work

March 23, 2026

Across the country, people are losing tens of thousands of dollars to a scam that requires no hacking, no malware, and no technical sophistication on the criminal's part. Just a phone call, a spoofed number, and a script that's been refined to near perfection.

What makes these attacks so effective is the combination of real financial data, manufactured fear, and a new generation of banking features most victims never knew existed.

Here we break down how this works, technically and psychologically, because the more people understand the mechanics, the harder this script is to run. Share this with your parents. Share it with your grandparents, colleagues, and management. Share it with anyone who trusts caller ID. No one should trust caller ID anymore.

Step 1: They Have Your Information Before They Call

The first thing most victims say is: "How did they know my account details?" It feels like proof the caller must be legitimate. Your bank knows your last six transactions. Your bank knows your balance. Of course it must be your bank calling.

It's not. That data was purchased.

The dark web operates as a functioning marketplace for stolen financial credentials. Every major data breach, every phishing campaign, every time a merchant's payment system gets compromised, the harvested account numbers, login credentials, and transaction histories eventually end up for sale. Scammers buy this data in bulk before they ever make a call. The detail they recite back to you isn't a verification. It's a sales technique, specifically designed to make you drop your guard.

In the cases we're seeing across the country, the preliminary account probe often happens days before the call. Fraudsters will run a small test transaction, sometimes as little as $1, to confirm stolen card data is active. That probe charge also generates a fraud alert from the bank, which the criminals then piggyback on. You receive a legitimate-looking fraud alert, you respond, and suddenly you are communicating with the people who caused the problem in the first place.

Step 2: The Call Sounds Exactly Like Your Bank

Caller ID spoofing costs almost nothing and requires almost no technical skill. Anyone can purchase software or a service that makes an outgoing call display any number they want. The number that shows up on your screen when the "PNC fraud department" calls could be PNC Bank's actual published customer service line. You can verify it against the back of your card or bank statement and it will match. That's not a coincidence. That's the point.

Once you're on the call, the script moves through a predictable sequence. There's an invented crisis: a large wire transfer is being processed out of your account right now. There's an invented authority: a federal judge is involved, this is part of a larger sting operation, there may be an inside job at your branch. There's an invented urgency: you need to move fast, don't tell anyone at the bank what you're really doing, and here's a code word so you know it's really us calling next time.

Every one of those elements serves a specific purpose. The crisis bypasses rational decision-making. The authority figure prevents you from questioning the instructions. The urgency prevents you from pausing to verify. And the secrecy isolates you from anyone who might talk you out of it.

This is called social engineering, and it works on intelligent, educated, skeptical people every single day. A Macomb County woman lost nearly $110,000 to a caller claiming to be from the U.S. Treasury and Social Security Administration. A Shelby Township couple in their 80s handed over $50,000 in cash to someone who drove from Toledo to collect it in a box at their front door. These aren't isolated incidents. They're documented, repeatable patterns. Law enforcement has confirmed additional suspects and arrests are forthcoming in both cases.

Step 3: Digital Wallet Trick

Here's where the technology gets genuinely new, and where most people have no idea what's possible.

Major banks including Chase, Bank of America, and Wells Fargo offer cardless ATM access. You load your debit card into Apple Pay or Google Wallet, tap your phone at an ATM, enter your PIN, and conduct your transaction without a physical card. Some ATM lobby doors use the same near-field communication readers, meaning a valid digital wallet session can also open the building after hours. This is a legitimate convenience feature. Scammers have learned to weaponize it.

Once a fraudster has your online banking credentials, they can log into your account, generate a one-time cardless access token, and send it to you as a link. When you open that link, it provisions a digital payment card directly into your phone's wallet. You didn't know that happened. You think you're clicking a security verification step.

But that card in your wallet is now tied to an account the grifter controls. When you tap your phone at the ATM and make a deposit, the cash goes directly to them.

This is how people deposit large sums of cash at ATMs belonging to banks where they have no account. The ATM processes any valid digital card regardless of which institution issued it. The machine is functioning exactly as designed. The fraud happens at the provisioning step, before the victim ever walks up to the machine.

In the more sophisticated versions of this attack, fraudsters direct the victim through six or more different account numbers and PINs at the same ATM location, each deposit routing to a different criminal-controlled account. The victim cycles through them believing each one is part of a law enforcement operation. By the time anyone realizes what happened, the money has moved through multiple accounts and is largely unrecoverable.

Step 4: Hijacking Your Security Settings

The most technically significant detail in the cases we're seeing, and the one most people miss, is the two-factor authentication hijack.

At some point during the initial account compromise, before the victim ever picks up the phone, criminals add a phone number they control to the victim's bank account as a two-step verification contact. This is a standard account setting available to any user. Once their number is registered, every security code the bank sends goes to the criminal first. Every one-time passcode for a wire transfer, a large withdrawal, or a login attempt is intercepted before the account holder ever sees it. This is how perpetrators initiate transactions from a victim's account in real time while keeping the victim distracted on the phone.

This also explains something that confuses many victims: unsolicited passcode texts. If you suddenly receive a one-time passcode for a transaction you didn't initiate, stop. Don't call the number that called you. Open a new browser tab, go directly to your bank's website, log in, and check your security settings immediately. Look for any phone number or email address that isn't yours. Remove it. Then call your bank using the number on the back of your card or on your statements.
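For fraud and security teams, the sequence described in Steps 1 and 4 (a small probe charge, a newly added two-factor contact, then a high-value action) can be written as a detection rule. The following is an added example, not code from STACK Cybersecurity or any bank; the event names, fields, and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical event names and thresholds; tune to your own telemetry.
PROBE_MAX = 5.00                       # small "is this card live?" test charge
WINDOW = timedelta(days=7)             # how long a new 2FA contact counts as "recent"
HIGH_RISK = {"wire_transfer", "large_withdrawal", "cardless_token_issued"}

# Constructed sample events, not real data.
EVENTS = [
    {"ts": "2026-03-01T09:12:00", "account": "A-1001", "type": "card_charge", "amount": 1.00},
    {"ts": "2026-03-02T22:40:00", "account": "A-1001", "type": "mfa_contact_added", "contact": "+1-555-0100"},
    {"ts": "2026-03-04T14:05:00", "account": "A-1001", "type": "otp_sent", "contact": "+1-555-0100"},
    {"ts": "2026-03-04T14:06:00", "account": "A-1001", "type": "wire_transfer", "amount": 9500.00},
    {"ts": "2026-03-03T10:00:00", "account": "A-2002", "type": "card_charge", "amount": 42.17},
    {"ts": "2026-03-03T11:00:00", "account": "A-2002", "type": "wire_transfer", "amount": 300.00},
    {"ts": "2026-01-05T08:00:00", "account": "A-3003", "type": "mfa_contact_added", "contact": "+1-555-0111"},
    {"ts": "2026-03-05T08:00:00", "account": "A-3003", "type": "wire_transfer", "amount": 1200.00},
]


def detect_takeover(events):
    """Flag high-risk actions that follow a recently added 2FA contact."""
    alerts, state = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["ts"])
        s = state.setdefault(e["account"], {"probe": None, "added": {}, "otp_to": set()})
        if e["type"] == "card_charge" and e["amount"] <= PROBE_MAX:
            s["probe"] = ts                               # possible card-testing charge
        elif e["type"] == "mfa_contact_added":
            s["added"][e["contact"]] = ts
        elif e["type"] == "otp_sent":
            s["otp_to"].add(e["contact"])
        elif e["type"] in HIGH_RISK:
            recent = sorted(c for c, t in s["added"].items() if ts - t <= WINDOW)
            if not recent:
                continue                                  # only long-standing contacts on file
            alerts.append({
                "account": e["account"],
                "action": e["type"],
                "new_contacts": recent,
                "otp_went_to_new_contact": bool(s["otp_to"] & set(recent)),
                "preceded_by_probe": s["probe"] is not None and ts - s["probe"] <= WINDOW,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover(EVENTS):
        print(alert)
```

On the constructed data only account A-1001 is flagged: A-2002 has no new contact, and the contact on A-3003 was added two months before the transfer.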

PNC Bank states explicitly in its published security policies that it will never ask for a Card Free ATM access code by phone, text, or email. Chase states it will never ask customers to move money or assist with an investigation over the phone. These are their own words, and they're the most important two sentences in this entire post.

Step 5: Surveillance and Real-Time Coordination

In the most organized versions of this scheme, the caller isn't operating alone. One person handles the phone call and keeps the victim engaged. Others monitor the transactions in real time. Some cases involve a physical lookout near the ATM, or remote access to the victim's phone camera, allowing operators to watch the transaction as it happens and confirm deposits are going through before releasing the victim.

This level of coordination isn't what most people picture when they hear the words "phone scam." This is organized crime. The scripts are standardized. The tools are commercially available on Telegram as fraud-as-a-service (FaaS) packages, complete with spoofing infrastructure, digital wallet provisioning guides, and what amounts to customer support for the people running the scheme. The barrier to entry is low. The payout is high. And the chance of recovery once the money moves is nearly zero.

The Broader Threat Environment

None of this is happening in a vacuum. The U.S. financial sector is operating under an elevated cyber threat right now. Iranian state-sponsored threat groups are actively targeting American financial institutions. The Financial Industry Regulatory Authority issued a warning to member firms on March 16, 2026, specifically flagging credential theft, multi-factor authentication (MFA) bypass, and voice phishing (vishing) as the primary attack methods in current Iranian campaigns.

That connection matters for everyday consumers because when state-level actors breach a financial institution, the stolen data doesn't stay in a government database. It gets sold. It flows into the same dark web marketplaces that consumer scammers buy from. The digital consequences of the war overseas are showing up in living rooms throughout the United States.

The numbers reflect a crisis that's been building for years. The Federal Trade Commission (FTC) reported that fraud losses among adults 60 and older skyrocketed from $600 million in 2020 to $2.4 billion in 2024. When underreporting is factored in, the agency estimates real losses could reach $82 billion. The FBI received more than 5,100 complaints about bank account takeover fraud in 2025 alone, with losses exceeding $262 million. Impersonation scam losses exceeding $100,000 increased eightfold between 2020 and 2024.

Most victims never report. Shame and embarrassment keep these cases invisible, which is exactly what makes the pattern so durable.

What to Do Right Now

Log into every financial account you have today and check the phone numbers and email addresses registered under your security or two-factor authentication settings. If you see anything you don't recognize, remove it immediately and call your bank using the number on your statements or the back of your card.

If you receive a call from someone claiming to be your bank, hang up regardless of how convincing they sound, regardless of what number appears on your screen, and regardless of what account details they recite. Call your bank directly using the number on the back of your card, not a number the caller gave you, not a number in a text message, not a number from a Google search result. The card.

No bank, government agency, or law enforcement operation will ever ask you to withdraw cash and deposit it somewhere else to protect it. No federal judge will contact you through your bank's fraud department. No inside job investigation requires you to close your account and move the money yourself. Those elements exist in exactly one place: a scam script.

Never open a link someone texted you and hold your phone up to an ATM. Never accept a digital card into your wallet from a link you received by text. Never enter account numbers and PINs provided by a caller at any ATM anywhere.

Talk to your parents and grandparents about this scenario specifically, not just "watch out for scams" but this exact pattern: the caller who recites your real transactions, the federal judge story, the link that opens the ATM door. The reason these scripts work is that most people have never heard of them. The reason they keep working is that shame keeps victims quiet after the fact. If someone you know has been targeted, the most important thing they need to hear is that this has nothing to do with their intelligence.

The people running these operations are professionals who have refined their approach against millions of victims. The only real defense is knowing the script before they run it on you.

If you or someone you know has been targeted, file a complaint with the Federal Trade Commission (FTC). Report the scam to the FBI at ic3.gov. Call your bank immediately using the number on your statements or your bank-issued card.

STACK Cybersecurity is a Detroit-based managed security service provider (MSSP) and CMMC Registered Practitioner Organization serving businesses across the country. We work exclusively with companies, not individual consumers, helping them protect their employees, customers, and sensitive data from social engineering, fraud, and the full spectrum of cyber threats. If your business wants to understand its exposure or build stronger defenses, reach out to our team using our Contact Form.
