It’s happened to many of us: The bank calls to warn you about suspicious transactions on your account. So when Donna Carleo of Redondo Beach, Calif., saw her Chase private banker’s name on her cell phone screen, she picked up and answered the questions. Had she authorized a purchase at an Apple store in Texas? Of course not!
Later the same day, Donna’s daughter, Cerise Carleo, logged into her checking account to pay a vendor for her wedding, which was just six weeks away. To her shock, the account was empty.
Only later did the Carleos learn that Donna had received a call from a scammer impersonating her banker. In all, $130,000 was taken from accounts belonging to Donna Carleo and her two adult daughters.
Even when the family realized the money had disappeared, they didn’t panic.
“We’ve had fraud happen before, and it’s always been reversed or stopped in time,” Cerise Carleo said.
Yet, seven months later, the Carleo family was still fighting to get most of their money back.
What happened?
As the Carleos dug into their account histories, they saw that the heist had played out in two steps. First, someone apparently gained online access to their bank accounts and transferred thousands from Cerise and her sister, Cosette Carleo, to Donna’s account. Second, the hacker sent three wires—each for tens of thousands of dollars—from Donna’s account to accounts at three different banks.
Experts say fraud victims have the best chance of getting their money back if they report the loss to their bank the same day it happens. But, although the Carleo family reported it in person just hours after the three wires went out, Chase was initially only able to retrieve around $40,000. The bank sent them a letter denying their reimbursement claim for the remaining $90,000.
Much of that had belonged to Cerise. She and her fiance, Danny Orozco, tried to cancel their wedding, but it was too late to get refunds from vendors.
“We were supposed to use that money to buy our first house together, to go on a honeymoon. We were hoping to have kids soon, and now — everything is stopped,” Cerise said, her voice strained with emotion.
An increasingly common nightmare
The Carleos are far from alone. Reports from the Federal Trade Commission and FBI peg 2023 losses from fraud and cybercrime at $10 billion to more than $12.5 billion, up markedly from 2022.
Those are just the losses that are reported.
“Some people estimate that that’s only maybe 20% of what’s actually going on out there. It’s a huge problem,” said Galen Cheney, a San Francisco attorney who handles cybersecurity cases.
These crimes happen to people of all income levels and walks of life—even to family offices that handle finances for Ultra-High-Net-Worth account holders. According to JP Morgan’s 2024 Global Family Office Report, one in four family offices has had a cybersecurity breach or financial fraud. Alarmingly, the same report revealed that 40% of family offices acknowledge their cybersecurity service as lacking. Nearly a quarter of offices offer no cybersecurity services at all.
“Family offices probably experience an attempt at least once a month,” said Kris Marney, director of family office services for accounting firm BPM.
Marney said several factors lead criminals to target UHNW individuals. For one, they tend to have a higher profile than the average citizen.
But the main attraction, of course, is that UHNW individuals have more money to steal. While criminals were able to siphon more than $100,000 from the Carleos’ accounts, a family office might control hundreds of millions, said Chris Pierson, founder and CEO of cybersecurity firm BlackCloak.
“You don’t have to knock over a large corporation to steal $200 million — you can knock over a five- or 10-person single-family office. This is a path of least resistance for cybercriminals. These same attacks that are happening to everyday individuals can be amplified times a million,” Pierson warned.
Financial fraud targets all types of accounts, from checking accounts to investment accounts, using tactics that range from phone calls impersonating bankers (like what apparently happened to the Carleos) to texts promising investment opportunities to outright hacks involving stolen passwords. Funds are moved by wire transfer and through payment apps such as Zelle and Venmo or cryptocurrency. Sometimes, victims are convinced to withdraw cash from their bank and deposit it into the criminal’s cryptocurrency wallet.
A phone call from an empty desk
The Carleo family believed they were doing everything right to protect their savings. When their accounts were hit with fraud attempts in the past, at the advice of their banker, they closed their old accounts and opened new ones with new passwords. They don’t believe they did anything that would have helped the hackers get into their accounts this time.
They had no reason to expect their bank would not believe them. After all, they say, their branch manager actually witnessed proof that they were being hacked.
While Donna Carleo was sitting at her local bank branch on the phone with Chase’s fraud department, her cell phone rang. Once again, the caller ID showed the name of her Chase private banker. The family let the branch manager answer the call.
“The branch manager immediately realized it was a hacker,” Cerise Carleo said. While on the phone with the fraudster, the manager walked over to the desk the call was supposedly coming from. The desk was empty, the phone unengaged.
The criminal was apparently using a technique called spoofing, where a caller’s true ID is masked and the call appears to be coming from a different phone number.
The Carleos say the manager told them the bank would take 10 days to investigate their loss. Since the manager had witnessed the attempted fraud firsthand, the Carleos felt confident that they’d be getting their money back.
Ten days later, they sat down with their branch manager once again. What they heard shocked them.
“She said, they’ve closed all investigations. They don’t think it’s fraud,” Cerise recalled.
In a follow-up letter, Chase stated that their claim was denied because Chase had sent codes to Donna’s cell phone to verify all three wire transfers.
In another conversation, Donna said, “They said that I had called them and told them that I needed all that money transferred for a funeral. What kind of a funeral is 130 grand?”
It appears that someone with access to Donna’s phone verification codes must have called Chase to provide them, authorizing the wire transfers.
‘We’ve resolved this issue’
The Carleos’ loss happened in early February. After the bank closed its investigation, the family filed reports with every authority it could think of: the local police, the FBI, the Consumer Financial Protection Bureau, etc. It also tried to move up the management chain with Chase, but it kept hitting dead ends.
Finally, in September, after being informed that an article about the Carleos’ nightmare was being published, Chase reinstated the family’s lost funds.
“We’ve resolved this issue with our customer,” wrote JPMorgan Chase spokesman Peter Kelley in an email.
When they finally got the money back, the family wept with relief.
“I’m so excited that Danny and I can plan our honeymoon now,” Cerise Carleo said.
And yet, the Carleos didn’t feel fully restored. For one thing, they’d already hired an attorney to fight the bank.
“And I just feel like we’ve lost months of our lives,” Cerise said.
Who is responsible?
Many fraud victims never see a penny of their money again. A recent Senate report [PDF] revealed that reimbursement rates for fraud have been plummeting, with the nation’s three biggest banks reimbursing only 38% of fraud victims in 2023, compared to 62% in 2019.
With thousands of American families losing their savings, who is responsible — banks or their customers?
JPMorgan Chase declined interview requests and instead offered advice on avoiding scams. Spokespeople for Morgan Stanley, UBS, and Goldman Sachs also declined to comment. Several other major banks did not reply to queries for this story.
Marney said that banks generally resist reimbursing losses due to fraud, whether the customer is an individual with a basic checking account or a family office with millions in investment accounts.
“If you suffer fraud on a credit card, the banks will absorb that. With bank account fraud, with wire fraud, there’s not a lot of recourse, because once the money is gone, it’s gone,” Marney said.
Legally, where the liability lies is a murky question.
“This area of law is evolving and changing pretty rapidly, and courts are seeing many, many cases of people losing their entire life savings. Courts are looking for ways to hold financial institutions accountable,” said Cheney.
Existing laws offer some consumer protection, but they also provide some cover to banks. New York’s attorney general is suing Citibank over millions of dollars in fraud losses by New York residents. In this suit, New York invokes the Electronic Funds Transfers Act, which requires banks to reimburse customers for unauthorized transactions. Citibank’s defense lies in the fact that the EFTA doesn’t cover wire transfers, the method criminals used to move funds in the Carleos’ case and many others.
In its defense, Citibank invokes the Uniform Commercial Code, which protects banks from liability as long as those banks provide reasonable security measures. However, with support from the Consumer Financial Protection Bureau, New York maintains that when banks connect their wire transfer services to online portals and apps, losses should be covered by the EFTA.
A bill recently introduced in the US Senate and House of Representatives could force banks to take responsibility for the mounting customer losses. The Protecting Consumers from Payment Scams Act would amend the EFTA to include wire transfers. It would also enforce “shared liability for unauthorized or fraudulent payments between a consumer’s financial institution and the financial institution that receives the funds … incentivizing them to strengthen fraud prevention efforts.”
Fighting the bank
Given the shifting sands of legal liability, fraud victims should be ready to fight to get reimbursed by their banks. Cheney advises victims to treat interactions with their banks like any dispute.
“Be very shrewd, advocate for yourself,” he advised. This includes taking detailed notes of every interaction and avoiding signing anything that accepts blame for what happened.
As more and more people lose their savings, the need for change is evident, whether that change happens in the banking system, in the courts, or at the regulatory or legislative level.
“This can’t go on,” Cheney said. “We can’t have a system where fraud is happening in our financial system against everyday consumers.”
More From Better
- 5 Scams and Ripoffs: How to Avoid or Resolve
- Avoiding Scams: Protecting Your Parents
- 7 Tips for Success in Business and Life From Chicago’s Most Successful Banker
Carrie Kirby spends a lot of time asking people about something they think about but rarely talk about: money. Her work on personal finance, business and technology has appeared in San Francisco Magazine, The San Francisco Chronicle, Wise Bread and more publications. She lives on an island (Alameda) with her husband and three kids, and blogs about family travel and mileage rewards at The Miles Mom.
