David Welles, a retired lawyer, had been struggling with his new iPad for hours when he tried to call tech support.

But instead of dialing Microsoft to help him connect his email, the phone number he found on Google put him in touch with cybercriminals.

The smooth-talking scammer who answered called himself Alex and built a rapport with Welles, assuring him that he could resolve his tech headaches. Before too long, Welles downloaded remote access software, both on his iPhone and his laptop, allowing the scammer to burrow deep inside of his devices, where he stored his username and passwords on his hard drive.

“A big mistake,” said Welles, who is 87. “All of a sudden, on the laptop, I could see it going blank, and little lights flashing around.”

The scammer wore him down over a series of calls over nearly five hours, according to text messages and other records. Finally, a little after 7pm, Welles called his work assistant and told her he had been on the line with Microsoft all day.

She immediately sensed something was off.

They quickly called the scammer on a three-way call. But they had no idea Alex had already made a wire transfer of US$85,000 (RM347,650) from Welles’ checking account at Citibank.

It seems Citi didn’t immediately notice either – even after Welles and his assistant contacted the bank to alert it of the scammer, just three hours after the money left Welles’ account.

Cybercrime has become a global, industrialised operation that captures billions of dollars from Americans every year. Con artists create sophisticated schemes by exploiting basic tech – planting malicious ads bought from search engines or social media companies, buying phone lines and sending deceptive text messages from VoIP providers and more.

Then they do their best to slide through the banking system undetected with their ill-gotten gains. If they can move money from a customer’s own account and devices, it’s far less likely to set off any alarm bells.

Account takeovers – including those similar to Welles’– are surging, having tripled over the past five years, according to an analysis of Treasury data by David Maimon, a criminal justice professor and director of a cybersecurity research group at Georgia State University. In May, there were 16,556 reports filed to the Financial Crimes Enforcement Network, an arm of the Treasury known as FinCen, up from 5,145 at the beginning of 2020.

“From the bank side, almost everything looks legit” because the signals are coming from the customer’s electronic devices, said Maimon, who is also head of fraud insights at SentiLink, a fraud prevention company.

Americans over age 60 lost roughly US$982mil (RM4.01bil) last year to tech support scams alone, one of the more lucrative frauds, according to the FBI’s Internet Crime Complaint Center. That figure is up 66% from 2023, but it’s still just a fraction of the estimated US$16.6bil (RM67.89bil) cybercriminals took in 2024 overall, up 33% from the year before, and widely viewed as an under representation since so much fraud goes unreported.

Many criminals move the stolen money using crypto or wire transfers, a method that carries weaker consumer protections than other electronic transfers made through online banking platforms. That issue is now at the center of a lawsuit – filed by New York’s attorney general, Letitia James, against Citibank – which argues that stricter rules should apply.

When Welles and his assistant called Citi around 8pm after they hung up with the scammer, the bank told him it would freeze his accounts. But the bank didn’t flag, or even mention, that US$85,000 (RM347,650) had been wired from his account just hours earlier, at 4.45pm.

Welles said he had checked for any suspicious withdrawals, noting his balance of about US$20,000 (RM81,800) – but had forgotten that he transferred a large sum a few days earlier to pay a tax bill.

As a 50-year client of the bank, Welles said he felt confident that the bank would pick up any unusual activity. But he still had trouble sleeping that night.

The next morning, he received a call from what appeared to be Citibank’s private bank on his caller ID. “Did you make an US$85,000 wire?” asked a man who called himself Michael Wink. He reassured Welles that he didn’t need to call the bank because they were already on the case.

But it was the hackers calling him.

Welles and his assistant called the real Citibank, which confirmed that US$85,000 (RM347,650) had indeed left his account the afternoon before. The bank then initiated a recall on the wire, but it was too late – the money had landed at Wells Fargo and had already moved on to its next destination.

Had Citi set off alarm bells the night before, when Welles first called, would he have been more likely to recover his money? Citi declined to comment on the specifics of his case.

The bank refused to reimburse him, news that arrived in a letter nine days after the incident. “Based on the information provided and the results of our research, the transfer was made using your Citibank online credentials and were initiated using their registered device ID,” it said. “As a result, we’re unable to honour your claim.”

Wires have typically been governed by a part of the Uniform Commercial Code, designed for business transactions, which says that reimbursement isn’t necessary if “an agreed-upon commercially reasonable security procedure is in place” and the bank proves it accepted the wire order in good faith.

But James’ legal action asserts that greater protections for consumers are warranted: She argues that Regulation E, the rules part of the Electronic Fund Transfer Act, known as EFTA, should apply when wires are made available online and through mobile banking apps. That requires banks to reimburse victims, as they do with other electronic transfers or debit card fraud, when their money is lost or stolen through unauthorized electronic payments – liability is generally limited to US$500 (RM2,045) if the bank is notified within 60 days.

Carla Sanchez-Adams, a senior lawyer focusing on banking and payment systems at the National Consumer Law Center, agreed with the suit’s position and said transfers that were initiated the same way, electronically, should come with similar protections. From the consumer’s perspective, she added, “it’s all the same.”

Banks argue the law is settled, and that bank-to-bank wire transfers are excluded from EFTA. But consumer advocates point out that when EFTA was written in 1978, wires were rarely used for consumers – and certainly not through online banking, which didn’t exist.

In January, a US District Court judge denied Citi’s request to dismiss New York’s suit, a decision that Citi appealed in September. A coalition of other banks and credit unions have lined up behind Citi, filing an amicus brief supporting its appeal to the Second Circuit.

Some financial institutions are already threatening that a “seismic shift in regulatory treatment” could lead them to eliminate wires for consumers altogether.

Welles is still struggling to understand exactly how the fraudster pulled off the scheme. His private banker answered some of his security-related questions in an email, which said that “debit/pin verification” was used to add the wire recipient, and a one-time password was sent via text message to confirm the wire – both of which, it seems, the scammers had accessed. Welles later learned from a police report that the money was wired to an account registered under the name Adedela Sodiq at Wells Fargo.

A Wells Fargo spokesperson declined to say if that account was closed or had been investigated.

In a statement, Citi said that it took client protection seriously, and that it had robust controls and processes in place. The bank said it also offered customisable alerts that customers could receive when transactions exceeded an amount they selected.

There isn’t a way to stop transactions above a certain amount from going through. When Welles asked his private bank representatives to call his adviser before making wires for more than US$10,000 (RM40,900), they told him the system itself determines the authentication required on a per-transaction basis, and it “would not be able to direct that a non-account owner be called for transactions over a certain amount,” according to their email correspondence last month.

The scam artists continued to torment Welles weeks later.

He received a call from someone calling himself Mark Wood, who claimed to be a senior investigator at Citi – and promised he would get his money back in a week or so. Welles emailed his private bankers about the incident to confirm it was indeed the fraudsters, which they did.

“Fortunately, although a bit worse, I am still OK to make it through the few years I have left to live comfortably,” he said in the Sept 24 email, but not psychologically. “Anxiety dreams,” he added. – ©2025 The New York Times Company

This article originally appeared in The New York Times.