The following was not easy for me to write, prideful as I am. Much of what I post on these pages is tongue-in-cheek, but I assure you that I’m not joking about any of the embarrassing facts I’m about to lay out for your consideration. I’m willing to do this in the hope that I might spare someone else some anguish.
I like to think that I’m a fairly intelligent guy. I mean, I have a graduate degree from an actual bricks-and-mortar university. I stay up to date on the latest tech news, for the most part, including black hat activities. I’m hip to phishing schemes; I know the value of two-factor authentication, and I regularly block spam callers and filter out spam emails. I’ve been an IT professional in one form or another for decades.
So, why is it that we found ourselves in our bank’s offices yesterday, asking them to freeze our checking and savings accounts, and to create new ones?
Short answer: I’m an idiot.
Longer answer: I’m a total complete clueless idiot.
OK, in the interest of possibly saving someone else from making the same stupid mistake I did, here’s what happened.
It started with an emailed notice from PayPal that some unknown-to-me guy was requesting funds. I didn’t know the guy; I didn’t recognize the email address associated with the request. There was a link in the email to click on to either approve or deny the request. Well, I’m much too smart to fall for that, so instead I logged into my PayPal account, saw the transaction request, and clicked on the “cancel” link. That should have been the end of it…no worries about losing money to a fraudulent request.
I should have left it at that.
But — being the beneficent guy I believe myself to be, I saw the message on the PayPal transaction that said “if you don’t know this person, call xxx-xxx-xxxx to report it” and I thought, “OK, I should report this idiot to PayPal and possibly make sure he doesn’t try to pull this crap on anyone else.” So I called that number.
Someone with what appeared to me to be an Indian accent answered the phone, which didn’t surprise me at all. Is there any major tech company in the world which doesn’t use a call center based in Bangalore or Mumbai or whatever?
Before you could say Namaste, main yahaan aapaka baink khaata saaph karane mein aapakee madad karane ke lie hoon, an alleged PayPal tech was logged into my desktop computer (“No…don’t use your iPad; use your computer! Is very important!”), installing LogMeIn software and walking me through an arcane liturgy of commands and confirmation codes and…well, a login to our online bank account.
Were there red flags? Only an Olympics opening ceremony’s worth. Did I heed them? Is there a photo of Donald Trump in the dictionary next to the entry for “humility”?
The “tech support” guy told me that while I may have canceled the transaction in PayPal, there was still an active order that was going to hit our checking account in a day or two, and we needed to take steps to get that order refunded. I know…who would fall for something so lame as that?
The way we would do that is to transfer $100* into our account and that would then be followed by a second transfer of the remaining balance of the alleged fake transaction. That $100* transfer would be effected when I typed “$100.00” into a form that popped up on my monitor, which I dutifully did. The instant I typed $100.00 a message popped up saying that $10,000.00* had been transferred into our account. I hadn’t even pressed the enter key.
At this point, the tech guy went ballistic. “What did you do!?” I tried to explain that I did not type “$10,000” and I did not hit the “Enter” button, but he’s all like “This is YOUR mistake and we have to fix it or I’m going to lose my job. You need to go to the bank right now and fix your mistake!” It was all very dramatic…and I was finally getting a bit skeptical of the whole process…especially when he gave me a script to tell the bank personnel exactly how and why the transfer for the refund of the “erroneous” funds was to be made. “Just tell them the reason is personal, and that you are sending it to me, a friend whom you’ve know for more than ten years. Otherwise, they’ll lock down your account and you won’t be able to do anything.”
I quickly logged into our bank account via the bank’s app and, sure enough, there was a $10,000* transfer into our checking account. This was starting to get real.
At this point, Debbie had begun to listen to my side of the conversation, and she was much more perceptive, skeptical, and intelligent than me. She insisted that we should contact PayPal again before going to the bank, so I put the “tech guy” on hold. Debbie observed that the phone number I had called was not the same one that shows up on PayPal’s website for reporting suspicious activity (she has something of a photographic memory when it comes to numbers).
I grudgingly agreed that her suggestion made sense, so she called PayPal and eventually got to speak to a real person. We explained our situation, and his response was along the lines of well, you’ll be OK just as long as you didn’t actually call that number, which is totally bogus. And if, heaven forbid, you did call that number, you’re still OK as long as you didn’t, like, access your bank account or anything so foolish as that.
And that’s how we soon found ourselves in the office of a bank employee**, sheepishly explaining how I got our mule in an ant bed, and asking for their help. By the time you read this, we will have basically started a new life, in a financial sense. We’re thankful that we didn’t lose any money to this scam.
We do have a slew of new passwords for various potentially compromised apps and accounts. And, more than likely, recurring nightmares about what might have happened…and it’s hard not to consider what might still happen…did we really plug all the holes?
If you’re wondering exactly how this scam works, once we got to the bank and looked at our accounts in detail, the transfer into our checking account actually came out of our savings account. If we hadn’t noticed that, and if we’d completely fallen for the scam, the “refund” of the “erroneous” transfer would have been our own $10K*, not someone else’s. And that money would have been irretrievably lost.
So, there it is…my mea culpa. I did mostly all the right things — I didn’t click a link in an email; I didn’t call a phone number in a suspicious notification. I went to the official website to deal with the initial fraudulent transaction. And I still got burned…or, more honestly, I laid my hand on a glowing stovetop.
It’s entirely my fault for not being more skeptical and perceptive, but I humbly suggest that PayPal could take some steps to shore up their anti-phishing measures. Take a look at the screen capture of what showed up in my PayPal account for the fraudulent transaction:
The text highlighted in yellow was in quotes, which I assume should have tipped me off that it wasn’t “PayPal Official.” (It was, in fact, something that the phishers put in the comments section of their fraudulent request for money; it was bait that I hit like an eight pound bass.) I can’t help wondering if in this increasingly AI-surveilled world PayPal could recognize and flag something like this as suspicious, for the benefit of dweebs like me. By the way, I have no idea who Donald Pugh is, or if he even exists, but I’m sure he has no clue that his name was used for this purpose. I don’t blame Donald, although I wish I could.
*Dollar amounts have been changed to protect…something. Not sure what, but the actual amounts aren’t really important (except to us).
**The silver lining to this affair is that we realized (not for the first time, BTW) the value of doing business with a local bank whose branch office is literally within walking distance of our house. I’m sure that every bank takes issues like this very seriously, and will do everything in their power to address them, but being able to sit across the desk from a concerned bank employee who has the power to get the ball rolling immediately meant the world to us. So, we’re extremely grateful to them for making the light at the end of the tunnel a real and comforting thing rather than the flames of a bonfire made from our funds.