My Scam Story
It was one of those muggy, sultry days in Phoenix. Summer monsoon storm clouds hung in the air. It was about 5 in the afternoon, and I was cooking dinner.
The phone rang. Caller ID said the call was from Bank of America. The man on the other end requested to speak to my husband.
The caller stated that there had been some unauthorized in-person charges on Hubby’s credit card from somewhere in Oregon. We questioned this, as the card was in his possession and we were, of course, nowhere remotely near Oregon. He said it was done on an old-style magnetic credit card, and that this was one of the reasons the transactions were flagged. Hubby out of curiosity at one point looked at his email to see if there were any notifications from BOA. There weren’t. When we queried him regarding that, he said that because the transactions were instantaneously declined, an automated email was not generated. He also said that there had been an attempt to transfer money from the account using a technology called Zelle. The amount was ostensibly for $3500. At this point Hubby turned the call over to me. I hadn’t really been paying much attention to the conversation, devoting myself instead to the dinner on the stove. The caller said I needed to Zelle Hubby the money, since I already had Zelle set up.
Zelle is a method, established by a consortium of banks, whereby people could transfer money to one another with only an email address. Knowing the other person’s account number was no longer necessary. It’s used to reimburse others for expenses–half a restaurant tab, for example. It can also be used to pay for goods, such as concert tickets, etc, but Zelle is careful to state that this should only be done with those you know well, because once the payment’s been made, it’s basically like mailing cash.
It was a 2hr long ordeal. I had to log into my bank account, then initiate a Zelle transfer. They sent a couple of codes to me, which I provided. Never was I asked for any sensitive account information. He said that he was closing Hubby’s card and sending him one in an expedited fashion, which he should receive in a day or two. He also stated that he would waive the fee for doing that. At the culmination, the transfer did not go through, and I was instructed via email to call a specific Bank of America number to confirm I really wanted to make the transfer. I would also find out later my online account had been locked. As the night wore on, I became increasingly suspicious that this had been an elaborate scam. At 6 A.M. the next morning, I was on the phone with Bank of America, requesting that the transfer be permanently halted.
I am a professional in cyber security. So how could I have fallen for this? It’s a question that’s still haunting me. I admit to FEELING VERY MUCH LIKE a DEER IN THE HEADLIGHTS as a result of the series of events, given how close the scammer actually came to pulling this off, and it would’ve been my fault had it occurred.
So what happened? Why did a veteran professional like myself nearly get scammed?
There are a lot of contributory factors, but I’ll outline some of the most obvious.
1) The medium. It’s one thing to get an email. Reading it over, if one does so carefully, and especially if one looks at email headers, it’s possible to net a great deal of information about the message’s origins and therefore its probable legitimacy or lack thereof. With the telephone, it’s relatively easy to spoof a number so that it appears to be coming from a well-known business–Bank of America, in this case. Since there are no accompanying headers, the only identifying information is what the caller ID provides, and one’s tendency is to trust its veracity.
The other thing about an email is that one has time to think about it and study its contents. When on the phone, there’s a person on the other end, sounding sincere, imparting urgency. Combine that with only a few stressors, ie, hunger, fatigue, noise, and the element of surprise at having received such a call–and the victim is at a clear disadvantage. We’re taught not to hang up on folks–that it’s rude. We hear a person on the other end, sounding sincerely interested in helping, and therefore we want to expedite that.
2) A lack of comfort with the technology being used. I had used Zelle exactly once to receive money I was owed. I’d certainly never used it to send money, and so was somewhat unfamiliar with how it all worked. Thus, it wasn’t technology with which I was facile. If someone is familiar with something, it’s pretty easy to say, “yeah, that makes sense” or “no, that bird doesn’t fly and that dog doesn’t hunt.” It’s a lot harder when something isn’t that well understood.
3) I ignored so so many warning bells! Again, I think points 1 and 2 above somewhat explain that, but I can remember thinking throughout the call that something just was not right. At one point I started pushing back some, but his insistence that this needed to be taken care of quickly–a typical ploy of these ne’er-do-wells–rather short-circuited that. It’s for these reasons that I believe phone and in-person scams to be so very dangerous.
So what’s my advice?
1) If you get a phone call from a business, even if the number appears correct, don’t answer. Call the business back on a number obtained from their website or from correspondence you’ve previously received. One of the scammer’s ploys to try to prevent this is to tell you that it will only slow down the handling of the matter. Do it anyway!
2) Innocuous though codes may seem, simply don’t give them out. Legitimate businesses won’t request them.
3) Listen to those warning bells! If you feel something’s wrong, hang up, or, if it’s an in-person scammer, simply slam the door.
The thing about Zelle is, it’s basically cash. If you send it to someone, and they turn out to be a scammer, you’re pretty much screwed. The protections that apply to credit card transactions don’t apply to those initiated using Zelle. Why BOA chose to stop the transfer, I’m still uncertain, though I do think they have at least some interest in protecting their customers, if only to keep them banking there, and I am forever in their debt.
The problem with Zelle is that it’s basically turned on for all customers by default whose banks support it. So if a customer’s account is compromised, or they provide the right codes to a scammer, it takes very little time for the money to disappear, and the chances of getting it back are often somewhere between zip and nil. Indeed, many people have lost money through Zelle without ever having used it. Bob Sullivan’s “Red Tape Chronicles” make interesting reading should you wish to learn more.
Red Tape Chronicles Archives
There is more to being a victim than loss of funds. There’s a loss of feeling safe, a loss of confidence in oneself, a loss of trust in the basic things that you once thought provided protection and safety, i.e., your phone. We’re now getting a huge volume of unsolicited and probable scam phone calls, likely as a result of these thugs sharing our number. A phone used to be viewed as a lifeline–an instrument enabling us to reach out to someone when we needed help. Now, it seems, it’s yet another in a seemingly infinite number of ways of becoming a victim.
It’s easy for those on the sidelines to say, “how could that person be so stupid as to fall for that scam?” I find myself asking it of myself. I will never again, though, ask it of someone else. I feel certain that this will make me a better security professional as well as a better human being. I will eventually recover, though I will never be the same. And I will redouble my efforts to prevent others from becoming victims. I pray this site will help others not to be tricked by these fraudsters, or I pray they’ll find support here if they do.
Comments
My Scam Story — No Comments
HTML tags allowed in your comment: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>