Here, in a nutshell, is how the whole thing works:

• Weeks or months before the phone calls start, a criminal uses social engineering tactics or malware to elicit from a victim the personal information that this person's bank or financial institution would have, such as account numbers and passwords. Perhaps the victim responded to a bogus e-mail phishing for information, inadvertently gave out sensitive information during a phone call, or put too much personal information on social networking sites that are trolled by criminals.

• Using technology, the criminal ties up the victim's various phone lines.

• Then, the criminal either contacts the financial institution pretending to be the victim … or pilfers the victim's online bank accounts using fraudulent transactions. Normally, the institution calls to verify the transactions, but of course they can't get through to the victim over the phone.

• If the transactions aren't made, the criminals sometimes recontact the financial institution as the victim and ask for them to be made. Or they add their own phone number to victims' accounts and just wait for the bank to call.

By the time the victim or the financial institution realizes what has happened, it's too late.
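The steps above leave three signals on the institution's side: a verification call that cannot get through, an inbound caller asking for the unverified transaction to be completed, and a confirmation that comes only from a newly added phone number. The following is an added example, not FBI material, of a hold rule built on those signals; the event schema, the names and the 30-day window are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: a number added within this window is not trusted for callbacks.
NEW_NUMBER_WINDOW = timedelta(days=30)

def review_transaction(txn, events):
    """Decide whether a pending transaction may be released.

    txn:    {"id", "time"}
    events: account events (hypothetical schema), each with "type", "time"
            and, where relevant, "number" and "txn_id".
    Returns (decision, reasons), decision being "release" or "hold".
    """
    # Numbers added close to the transaction may belong to the fraudster.
    recent = {e["number"] for e in events
              if e["type"] == "phone_added"
              and txn["time"] - e["time"] <= NEW_NUMBER_WINDOW}
    mine = [e for e in events if e.get("txn_id") == txn["id"]]
    ok_numbers = {e["number"] for e in mine if e["type"] == "callback_ok"}

    # Only a confirmation on a long-standing number counts as verification.
    if ok_numbers - recent:
        return "release", []

    reasons = []
    if ok_numbers:
        reasons.append("confirmed only on a recently added number")
    if any(e["type"] == "callback_failed" for e in mine):
        reasons.append("customer unreachable on number of record")
    if any(e["type"] == "inbound_push" for e in mine):
        reasons.append("inbound caller asked to complete an unverified transaction")
    return "hold", reasons or ["not yet verified"]

# Constructed sample data following the sequence described above.
T0 = datetime(2024, 1, 10, 9, 0)
TXN = {"id": "T1", "time": T0}
EVENTS = [
    {"type": "phone_added", "time": T0 - timedelta(days=2), "number": "555-0199"},
    {"type": "callback_failed", "time": T0 + timedelta(minutes=5),
     "txn_id": "T1", "number": "555-0100"},
    {"type": "inbound_push", "time": T0 + timedelta(minutes=20), "txn_id": "T1"},
    {"type": "callback_ok", "time": T0 + timedelta(minutes=25),
     "txn_id": "T1", "number": "555-0199"},
]

if __name__ == "__main__":
    print(review_transaction(TXN, EVENTS))
```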

Source: FBI