Here is an article about how an attacker changed the address on one of billionaire Paul Allens accounts, to trick the bank into sending the attacker a debit card. It doesn't say how the account was changed. It may have been changed via social engineering into the banks contact center, or possibly via malware on a PC.
Once the address had been changed, the attacker then called in, said they lost their debit card, and had a new one sent to the modified address. The attacker was obviously able to complete this through social engineering/fraud. I don't know if they had more info about Paul Allen or the bank simply sends a new card without requiring any other sort of identification/authentication.
What is scary is that if someone can manipulate such as high profile individual's account, then can certainly do it for a typical consumer.
Here is the article and info: