Joseph Tiegue thought he was helping his bank stop fraud. Instead, he handed scammers the keys to his retirement account, and lost over $9,000.
The Philadelphia-area man's story is a textbook example of a modern phishing attack, and a warning to anyone who has financial accounts they've worked years to build.
The Attack, Step by Step
It started with a text message that looked like it came from Fidelity Investments:
“Did you use your card for $503.50 at Kroger CO on 12/26/25? Reply yes or no.”
Tiegue replied. Then his phone rang. The caller ID displayed: Fidelity Investments.
The caller said they were following up on the suspicious charge and needed to verify his identity. They asked him to confirm personal information, and then to read back a one-time security code from a text message.
He did. Within hours, someone had accessed his retirement account and withdrawn over $9,000.
Fidelity Denied the Claim
Tiegue filed a fraud claim with Fidelity the same day. Weeks later, he received a denial letter:
“You interacted with a phishing link and provided your one-time security password to an unknown party which led to funds being removed from your account. The Customer Protection Guarantee would not cover this and no compensation is due.”
Fidelity's position: because Tiegue voluntarily provided the security code, the transaction was considered authorized from a technical standpoint.
This outcome, a victim losing their savings and receiving no reimbursement, is not unusual. It's one of the most painful aspects of modern phishing attacks. The technical authorization framework of financial institutions often does not distinguish between a customer who intended to authorize a transaction and one who was manipulated into doing so.
Why This Scam Is So Effective
This attack is a form of multi-factor authentication (MFA) bypass, and it's one of the most common techniques scammers use against financial accounts.
Here are the mechanics:
- Scammer sends a spoofed text mimicking a fraud alert from your bank
- You reply or engage, confirming your number is active
- Scammer calls with a spoofed caller ID matching your bank's real number
- They trigger a real one-time code to be sent to your phone (by actually trying to log in to your account)
- You read it back, and they use it to complete the login
The one-time code is the last lock on your account. Reading it to anyone defeats the entire purpose of two-factor authentication.
The sophistication here is worth understanding. The scammer doesn't just make up a one-time code; they actually attempt to log into your account with your existing credentials (which they obtained earlier, likely through a previous data breach or phishing page). That attempt triggers your bank to send you a real code to your real phone. The code is legitimate. The person asking you to read it is not.
This means that the text message you receive with the code looks exactly like every legitimate two-factor authentication text you've received before: same formatting, same sender designation, same style. There's nothing visually different about it. The only thing that makes it dangerous is the phone call accompanying it.
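To make the mechanics above concrete, here is an added example (not from the article, and not Fidelity's or any real institution's code) that models a bank's password-plus-SMS-code login as a small Python class. Account names, the stolen password, device names, the timestamps and the dollar amounts are all constructed sample values. It runs the same login-and-withdraw sequence twice, once from the account holder's own known phone and once where the code is relayed to a login from an unfamiliar device, and shows that the code check itself passes identically in both runs. The only thing that separates them is context, so the example also includes an assumed risk rule (my own, not anything the article says Fidelity uses) that would flag a large withdrawal shortly after a code-verified login from a never-before-seen device.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OTP_TTL = timedelta(minutes=5)  # assumed code lifetime


@dataclass
class LoginAttempt:
    username: str
    device_id: str
    requested_at: datetime
    otp: str


@dataclass
class Bank:
    """Toy model of the institution's side of a password + SMS-code login."""
    # Constructed sample data: the password is assumed to have leaked earlier.
    passwords: dict = field(default_factory=lambda: {"jtiegue": "password-from-old-breach"})
    known_devices: dict = field(default_factory=lambda: {"jtiegue": {"jt-phone"}})
    pending: dict = field(default_factory=dict)     # username -> LoginAttempt
    sms_outbox: list = field(default_factory=list)  # texts the real phone receives
    events: list = field(default_factory=list)      # login / withdrawal audit trail

    def start_login(self, username, password, device_id, now):
        # A correct password triggers a genuine code to the account holder's
        # real phone, no matter who typed the password or from where.
        if not hmac.compare_digest(self.passwords.get(username, ""), password):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = LoginAttempt(username, device_id, now, otp)
        self.sms_outbox.append((username, f"Your security code is {otp}. Do not share it."))
        return True

    def finish_login(self, username, otp, device_id, now):
        # The server only ever sees a six-digit string. It cannot tell whether the
        # account holder typed it or read it aloud to whoever requested the login.
        attempt = self.pending.get(username)
        if attempt is None or attempt.device_id != device_id:
            return False
        if now - attempt.requested_at > OTP_TTL or not hmac.compare_digest(attempt.otp, otp):
            return False
        del self.pending[username]
        new_device = device_id not in self.known_devices.get(username, set())
        self.events.append({"type": "login", "user": username, "device": device_id,
                            "new_device": new_device, "at": now})
        return True

    def withdraw(self, username, amount, device_id, now):
        self.events.append({"type": "withdrawal", "user": username, "device": device_id,
                            "amount": amount, "at": now})


def flag_suspicious_withdrawals(events, threshold=1000.0, window=timedelta(hours=24)):
    """Assumed risk rule (not the article's): a withdrawal of at least `threshold`
    from a device whose first code-verified login happened within `window` is
    flagged for a hold and an out-of-band callback to the account holder."""
    flagged = []
    for w in (e for e in events if e["type"] == "withdrawal" and e["amount"] >= threshold):
        recent_new_device_login = any(
            e["type"] == "login" and e["user"] == w["user"] and e["device"] == w["device"]
            and e["new_device"] and timedelta(0) <= w["at"] - e["at"] <= window
            for e in events)
        if recent_new_device_login:
            flagged.append(w)
    return flagged


def run_scenario(login_device):
    """Password login, real code texted to the holder's phone, code entered from
    `login_device`, then a $9,000 withdrawal three hours later. With "jt-phone" this
    is the holder's own login; with an unfamiliar device it is the relay the article
    describes, where the holder reads the genuine code to the caller."""
    bank = Bank()
    t0 = datetime(2025, 12, 26, 10, 0)  # constructed timestamp
    bank.start_login("jtiegue", "password-from-old-breach", login_device, t0)
    _, sms = bank.sms_outbox[-1]                 # what arrives on the real phone
    code = sms.split("code is ")[1][:6]          # the code, however it reaches the login form
    logged_in = bank.finish_login("jtiegue", code, login_device, t0 + timedelta(minutes=2))
    bank.withdraw("jtiegue", 9000.0, login_device, t0 + timedelta(hours=3))
    return logged_in, len(flag_suspicious_withdrawals(bank.events))


if __name__ == "__main__":
    print(run_scenario("jt-phone"))          # (True, 0): holder's own device, nothing flagged
    print(run_scenario("unfamiliar-laptop"))  # (True, 1): relayed code, withdrawal flagged
```

Both runs return `logged_in == True`: the code is genuine and the code check has no way to see the phone call behind it, which is exactly why the denial letter could call the transaction authorized. What differs is only the surrounding signals (unknown device, large amount, short gap), and that is where institutions can add holds or callbacks; for the account holder, the one lever that defeats the attack outright is never relaying the code.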
The Anatomy of a Modern Phishing Attack
The Tiegue case combines multiple techniques that are increasingly common in financial fraud:
Smishing (SMS phishing). The initial contact was a text message. Smishing has surpassed email phishing in volume because mobile users are conditioned to respond to texts quickly and with less scrutiny than emails. A text arriving on your phone feels immediate and personal in a way that a phishing email in your inbox doesn't.
Caller ID spoofing. The follow-up call displayed “Fidelity Investments”, the bank's actual name. Caller ID can be spoofed with freely available technology. The number that appears on your screen is not necessarily the number from which the call originated.
Social engineering. The caller positioned themselves as solving a problem, the “unauthorized charge”, rather than creating one. The victim wasn't being asked to do something suspicious; he was being asked to cooperate in what felt like a fraud prevention effort. The emotional framing shifted from “I'm being scammed” to “I'm protecting my account.”
MFA bypass. The one-time code request is the culminating technical step. It represents the transition from social engineering to actual account takeover.
For a deeper look at how AI is amplifying phishing techniques: AI-Enhanced Phishing Emails: A New Era of Cyber Deception
The Scale of the Problem
Tiegue is far from alone. The FBI's 2025 Internet Crime Report ranked Pennsylvania #6 nationally in internet crime complaints, with over $538 million in reported losses. Phishing is consistently one of the top three crimes reported.
Retirement accounts are an increasingly targeted asset class. They typically hold larger balances than checking or savings accounts, and many account holders check them less frequently. The combination of higher balances and lower monitoring creates an attractive target.
The investment fraud and phishing overlap is significant. Americans lost $5.7 billion to investment fraud in 2024, a 24% increase over the prior year, and a substantial portion of that loss came through account takeover and fraudulent withdrawal attacks like the one Tiegue experienced. Once money leaves a retirement account, it often also triggers tax and penalty consequences on top of the theft itself.
What Financial Institutions Actually Do
Fidelity's guidance after Tiegue's case: if anyone contacts you asking for personal information, do not reply. If someone calls asking for personal information, hang up. If you're unsure, contact your financial institution directly using the number on the back of your card or their official website.
The core rule: No legitimate bank or investment company will ever ask you to read back a security code sent to your phone. That code is yours alone.
It's worth understanding why banks send these codes in the first place. Two-factor authentication was designed to ensure that even if a scammer obtains your password, they still can't access your account without the code sent to your physical device. The code is the second factor; it's meant to be something only you can access. The moment you read it aloud to someone else, you've transferred that factor to them.
No bank has a legitimate process that requires this. If a caller, regardless of who they claim to be, asks you to read them a code that just arrived on your phone, end the call.
The Claim Denial Problem
The outcome of Tiegue's fraud claim deserves specific attention because it reflects a broader pattern that many phishing victims discover: financial institutions often deny fraud claims when a victim was manipulated into authorizing the transaction rather than having their account accessed without any action on their part.
This distinction matters legally and financially. True unauthorized access, where someone logs in with stolen credentials without the victim doing anything, may be covered under fraud protections. But when a victim reads a code to a scammer (even under manipulation), many institutions classify this as an “authorized” transaction.
This doesn't put the victim at fault. It does mean that the burden of prevention is almost entirely on the account holder, because recovery is extremely difficult after the fact.
The practical implication: the only effective protection is prevention. No one can reliably recover money from a retirement account accessed via a social engineering attack.
How to Protect Your Retirement Accounts
The most important rule: Never read a one-time code to an inbound caller, even if their number looks legitimate. Even if they already know your name, address, and account information. Even if they've convinced you they're trying to help.
Additional protective steps:
- Set up voice verification or security words with your financial institutions: words that any legitimate agent should know to provide before you take any action
- Use a dedicated email address for financial accounts that you don't use elsewhere, reducing your exposure in data breaches
- Enable account activity alerts on all accounts so you're notified of any login or withdrawal in real time, ideally to a phone number separate from the one used for two-factor codes
- Call your financial institution back using the number on their official website or the back of your card if you have any doubt about an inbound contact
- Check your retirement account balance and activity at least monthly β frequent monitoring catches theft faster
- Consider requesting that your financial institution require a verbal security phrase before processing any withdrawals, particularly for large amounts
Related reading: Tax Season 2026 Scam Alert: The Complete Guide to Protecting Yourself From IRS Imposters, AI Voice Cloning, and Refund Theft
If You've Already Been Targeted
If you believe you've experienced a similar attack:
- Contact your financial institution immediately, within the same day if possible. While claim denials like Tiegue's are common, early reporting improves your options.
- File a police report; this creates an official record that may be required for insurance claims or dispute processes.
- Report to the FBI at ic3.gov; the Internet Crime Complaint Center tracks these cases, and their reports contribute to investigations.
- Report to the FTC at ReportFraud.ftc.gov.
- Change your passwords and enable a new two-factor authentication method for any affected accounts.
- Monitor credit reports; phishing attacks often capture enough data for identity theft beyond the immediate financial account.
Report financial fraud to the FBI at ic3.gov and the FTC at ReportFraud.ftc.gov. Stay protected with ScamWatch HQ.