I think the attackers had Mitch’s bank card and PIN and were making those fraudulent charges to see if Mitch would notice. If he did, the attackers would have been shut out then and there.
Mitch didn’t notice, so the attackers called Mitch pretending to be the bank. They didn’t ask him for any details, so no red flags were raised; they just said “we noticed fraudulent charges and rest assured we are fixing it.”
Next day, attackers call the bank and Mitch at the same time. They needed the code the bank would send to the # on the account, so the attacker requested it from the bank, the bank sent it to Mitch, Mitch read it to the attacker, and the attacker repeated it to the bank.
At some point, Mitch got suspicious and called the bank to ask if they were on another call with him. The bank was on a call with the attacker pretending to be Mitch, so they said yes. Mitch thought the other Mitch was himself.
This is exactly what I meant. If the attackers already could make fraudulent discharges, then why should they put up such a complicated and risky attack? Could they not simply have gotten the money via the debit card?
Probably not anything like $9,800 dollars in one go - there's usually a daily limit. And the scammers may know (e.g. from doing it before) that after a few small transfers, the victim's bank will call him if he had not already noticed, in which case they preempted that call and effectively subverted it for their purpose.
The risk of the scheme not working might be high, but I am not sure that the risk of being caught is much increased.