Scammed!
A Financial Adventure
I cannot remember what I was doing Wednesday at my desktop Mac. I panicked when windows popped up claiming my machine was compromised with every virus that had been in the news for a decade. This is an embarrassing story, but every Mac user should read it because we have become complacent while the Windows folks fought off the barbarians.
Red Flag #1: The pop-up went full screen with a fake banner across the top, a cartoon imitation of the banner always present on my Mac screen.
I am able to smell the first hint of phishing in an email, so I considered myself proof from fraud. Wrong. I let this first hint go by unchallenged. The fact that I had no cursor panicked me. Had my head been screwed on properly, I would have pressed the ESC key to reduce that window, and if that failed, I should have turned off the computer by the button on its back.
Red Flag #2: The pop-up windows claimed my computer was infected by a list of all the most popular viruses.
If this were a genuine warning, the software would know which virus. Instead, one of the windows urged me to call the Apple fraud department at +1-888-431-1609.
Red Flag #3: If Apple has a fraud department, you don’t get them by a direct phone call.
Try it, you’ll see. I blithely called the number. My fraud detector was asleep. After a few ringbacks, a woman answered. She spoke English difficult to understand and too fast for me to grasp. So after some back and forth, I gathered that she was handling my fraud case and her people were on the problem now.
Red Flag #4: She asked me what Apple device I was on.
If her people were working on the problem, why didn’t she already know this?
Red Flag #5: She told me to shut off my computer, but was unclear about what that meant.
Had I been awake, I would have realized that she was unfamiliar with Macs. An Apple employee in the fraud section unfamiliar with the Mac?!
While they were working on the problem, she suggested I check some accounts with my iPad after determining that I had one. I checked my Visa account, my Amazon account (her suggestion), and two bank accounts. But I found no suspicious activity. She suggested I call my bank’s fraud department to find out if there had been any unusual transactions not visible to me. She told me that hackers can hide their actions from being seen on the usual screens.
Red Flag #6: Now it’s a hack and not a virus?
I told her my bank’s name. She identified herself and offered to put me through to the bank’s fraud department. She claimed to be Christine Miller and my case ID was MS2859-05. She put me through to the bank on a secure phone line, 425-553-0406, so the hackers could not capture what is being said. After a few ringbacks, the phone was picked up by Dean Wilson, LB1169, of the bank’s fraud division, or so he said.
Red Flag #7: Really? This clueless woman has the phone number of my bank’s fraud department at her fingertips?
I have been a customer of that bank for at least 16 years, but I have seen only one phone number to call for everything. Moreover, the fraud department is not one of the options the robot on that line understands. Does my bank even have a fraud department? I am truly embarrassed that I had not yet caught on to the fraud.
After hearing my story, Mr. Wilson put me on hold for a minute and returned with the information that there is a $9,800 transaction to buy bitcoin. Wilson asked if anyone else has access to that account. I replied only my wife, so I brought her into my study to ask her. Wilson asked her, but she could not hear him because my iPhone sends audio out to my hearing aids. But we worked it out: I asked her Wilson’s questions and she confirmed that she did not initiate any such transaction. He heard both of us through the iPhone microphone.
Red Flag #8: I should have recognized the amount of the transaction, just under the $10,000 limit over which the bank must report the transaction to some Federal Authority.
He said the good news is that he can call the branch to cancel the transaction. He asked me which branch I deal with. I told him where it is. He answered by giving me the address of a different nearby branch, I corrected him, and then he gave me the correct address.
Red Flag #9: Call the branch about a transaction? The bank’s ledgers are maintained by a central office on the other side of New Hampshire, not at each branch.
Apparently, he called but it turned out that he cannot cancel it, because the bank claims they sent me a text message for confirmation and received an affirmative answer. He also said there was some suspicion that there was a bank employee enabling the false transaction.
Red Flag #10: The bank asks for confirmation of a large transaction by text message? I don’t think so.
I have moved money to the US Treasury to buy bonds and T-bills. Confirmation for these transactions was by email asking whether I initiated the transaction: if I did, do nothing; if not, call the bank immediately.
Red Flag #11: Another con technique – warn against trusting anyone who might have independent information.
It got weirder and I got stupider, but not fatally. By this time, I was heavily invested emotionally in the process, so it was easy for Wilson to proceed to the next stage. At this point, I had plentiful evidence that it was all a fraud. To continue, I had to ignore at least 11 red flags! Your count may be different.
After consulting his senior manager, he came back with an alternate scheme for canceling the transaction. It depended on the concept of a "double transaction", which I had never heard of. The idea is to create a new transaction identical to the bad one. The banking system will void both transactions when it tries to settle.
Red Flag #12: The oldest dishonest con technique in the book: consult senior management.
To set up the double transaction, I must create a transaction by buying bitcoin for the exact same amount. He told me you can buy bitcoin at a machine that takes only cash. So the program became for me to go to the bank, withdraw $9,800 in cash, and go to the nearest bitcoin machine to make the double transaction. Wilson warned me not to tell anyone about this whole process because if the hackers find out, and who knows what they are listening in on, things could get very bad.
Red Flag #13: Another classic con technique: tell no one about it.
So I hung up and went to the bank. My instructions were to call Wilson when I am outside the bank so he can guide me and listen in on what happens. It took several tries to reach him. The first two or three, I got a recorded voice saying it cannot connect. It was not the usual Verizon voice I hear when the number is invalid or disconnected. That recorded voice was strange.
Red Flag #14: Another technique to keep absolute control?
In retrospect, I am pretty sure this was to fend off any caller until Wilson is ready to take the call from me. Finally, Wilson answered and coached me that, if the teller wants to know what the money is for, I should make up a story about buying a car from a neighbor or some such.
Red Flag #15: If what I am doing is OK, why the secrecy?
I got the cash without difficulty or even much confirmation of my identity. Wilson then pointed me to a bitcoin machine in a convenience store a few miles away. After hanging up, I went to the store. When I found the machine, I called Wilson, as instructed, so he could guide me through the transaction. He warned me not to let anyone help me or warn me off.
Red Flag #16: If the transaction is legitimate, why not accept help?
Sure enough, a friendly employee came over to help, warning me that the machine has been used for scams. So this was why to not accept help. The machine was difficult to use because both the software and hardware engineering are poor. I failed utterly to use it, but Wilson came up with another plan from his senior manager to cancel the transaction. He told me the FTC can cancel any transaction.
Wilson told me that to make this happen, I must send the cash to the FTC office in California. He said he would guide me to do this when I got home where I can prepare a package for UPS. On my way home, I got a text message: "No signature Overnight" and an address in San Jose CA. This was the address that I was to send the cash to via overnight UPS. According to aerial photographs (thank you Apple Maps), the address is a Mac-mansion in a typical Silicon Valley housing development. I do not publish the address because it may be for a real person who is not part of the scam.
Red Flag #17: Being asked to send cash in emergency mode to a suspicious address.
That was the last red flag. I had a discussion with Meredith about the whole thing. We decided to quit because the symptoms of fraud were way too strong and we had no independent confirmation of any of the facts, especially not of the bitcoin transaction. We recalled that we both had endured, while surfing Safari on our iPads, screen takeovers analogous to the one on my Mac. End of adventure.
I did not call Wilson as I was supposed to, and I stopped doing anything more about the project. Wilson tried to call me, but I blocked his calls. He tried to call from another number, and I blocked it also. I have returned the cash to our bank account and have changed important passwords. There is no sign of any damage to my computing or financial accounts. Publishing this essay is the final step in cleaning up after an adrenalin-filled adventure that I pulled out of just in time. I have named names and their identifiers because I believe they are all fake.
There is one thing that still puzzles me. Why such an elaborate scheme to net a mere $9,800? Was this actually a hoax to get a good laugh? Was it an experiment by scammers to see how far they could go? Was this some test by a bad actor for devious purposes?
Looking back over the experience, I can see that all the classic red flags were there. How could I, a fan of Sherlock Holmes and Nero Wolfe, have ignored so many hints? I hope to recover some self-respect by publishing this report with the expectation that it will help someone avoid going too far.

Hi George,
Firstly thank you for detailing this - it's embarrassing to be hoodwinked - and often people won't admit to it - which leaves a wide field of ignorance for the scammers - so thank you.
My go: my wife and I went down a similar rabbit-hole. I like to think I am quite savvy, and "aware" - but we got caught on (If I recall right) either Christmas Eve or New Year's Eve (off guard) - banks obviously mostly closed (helplessness) - and a call saying there has been suspicious activity on your account which is on-going (create a sense of urgency) - I questioned the legitimacy - she said verify the number (I googled it, it was indeed our bank's fraud line - by now I know it was spoofed)... it was masterful manipulation. However, I remembered the golden rule that banks won't ask for your details - so when the "verification check" needed card details I woke up - and gave incorrect numbers - interestingly she was working towards more data gathering and had noted the false numbers - but said, "yes the verification has all gone through fine" - so I knew then it was a scam - it wouldn't have verified. So as we were chilling we kept her on line making up more and more stupid "information" for as long as possible - ended up being quite entertaining to see how much time we could waste (and save someone else a call!).
BTW "Influence et manipulation" - ROBERT CIALDINI is a great read.
Unless the described actions are fiction to elaborate a possible narrative, you played with their fire on your turf and should probably have your mouse confiscated until you write 6 x 10^23 times on the chalk board: "I will not play with that fire, again."