Luca Bencini looked at his bank account one day and was stunned.
“I got an email from Bank of America, and it said, 'did you open up a bill-pay to an unknown American Express card?'" Bencini said. “I went to my account, I saw that $27,000 was drawn to that American Express card. At that point, I immediately called the Bank of America for fraud, and that's where the whole thing started.”
Bencini, an Ivy League graduate and FAA flight instructor, noticed his inbox was flooded with what might have been a few hundred emails.
One expert said could have be a case of "email bombing," which is when fraudsters overflow your inbox with spam so it’s harder to see emails warning you about the fraud.
The Hurricane season is on. Our meteorologists are ready. Sign up for the NBC 6 Weather newsletter to get the latest forecast in your inbox.
“You get so many notifications, it might take you a while, and by the time you realize what happened, the money is already gone," FIU cybersecurity expert Sebastian Schuetz said.
He said criminals rely on data leaked online.
“There are huge data sets online with names, email addresses, phone numbers, bank account numbers," Schuetz said. "Then they would use that to try to get access to your bank account."
Responds
Responding to every consumer complaint
The Bencinis filed a claim with Bank of America, hoping to get their money back, but that was denied twice.
“Their conclusion was that there was no fraud committed because they used a device that was known to use bill pay,” Bencini said. “But it wasn't my laptop nor my PC. Both of them were shut down while I was traveling. So, I and nobody came into the house.”
The Bencinis said they also reached out to detectives at the Broward County Sheriff’s Office to see if they could determine how their Bank of America account was breached.
Ultimately, they turned to NBC 6. We reached out to Bank of America.
A spokesperson said “due to privacy” they couldn’t share information about an individual account but they followed up with Bencini directly.
“Well, I got a call a few days later," Bencini said “It was a call from executive offices of Bank of America, telling me that they had decided to return the money or refund the money.”
They got the $27,000 back.
"So, we were obviously ... extremely happy about it," he said.
Schuetz said there are several steps you can take to protect yourself.
“The first thing you want to do is you want to contain the breach,” he said. “So, that means you change all the passwords to all your accounts, not just your banking account, also your email.”
Additionally, make sure to set up two-factor authentication and never ignore emails from your bank. He also recommends using a credit monitoring service.
The Bencinis said they have taken some of these steps already. BSO said they’re still investigating what happened.
"The source of a device compromise can be complicated to uncover and they thoroughly investigate each case," the Bank of America spokesperson said.
Click here for additional ways to protect your bank account.