Dr. Anders Apgar was out for dinner last month with his family, and his phone would not stop buzzing. It looked like a robocall, so he tried to ignore it.
But the calls would not stop. Then his wife’s phone also started to ring.
“When she picks it up, a banner came across, a notification that says, ‘Your account’s in jeopardy,’” he said.
The warning, which he said was a text message, prompted him to pick up his phone. That was when the couple’s nightmare started.
It’s the kind of nightmare many crypto account holders around the country are facing as hackers target a boom in the industry, cybersecurity experts said.
The Apgars, who are both Maryland-based obstetricians, began investing in cryptocurrency several years ago. By December, their account had grown to about $106,000, mainly held in bitcoin. Like millions of investors across the country, their account is with Coinbase, the country’s largest cryptocurrency platform.
When Apgar picked up the phone, a female voice said, “Hello, welcome to Coinbase security prevention line. We have detected unauthorized activity due to failed log-in attempt on your account. This was requested from a Canada IP address. If this (is) not you, please press 1, to complete precautions recovering your account.” The call lasted just 19 seconds.
Alarmed, Apgar pressed 1.
He said he cannot remember if he manually entered his two-factor authentication code or if it came up automatically on his screen. But what happened in that moment led to his account being locked in less than two minutes. As Apgar has not regained access, he said he assumes the fraudsters stole most if not all of the crypto, but he can’t be sure.
“It was just dread and an emptiness of just, ‘Oh my gosh, I can’t get this back,’” he said.
The Apgars were targeted by a particularly insidious type of fraud that takes advantage of two-factor authentication, or 2FA. People use 2FA, a second level of security that often involves a passcode, to safeguard a range of accounts at crypto exchanges, banks or anywhere else they carry out digital transactions.
But this new type of fraud goes right at that 2FA code, and it uses people’s fear of their accounts being hacked against them. In taking action they think will protect them, they actually expose themselves to thieves.
The fraud tool is called a one-time password, or OTP, bot.
A report produced by Florida-based cybersecurity firm and CNBC contributor Q6 Cyber said the OTP bots are driving substantial losses for financial and other institutions. The damage is hard to quantify now because the bot attacks are relatively new.
“The bot calls are crafted in a very skillful manner, creating a sense of urgency and trust over the phone. The calls rely on fear, convincing the victims to act to ‘avoid’ fraud in their account,” the report said.