{"id":11671,"date":"2023-01-18T16:24:16","date_gmt":"2023-01-18T22:24:16","guid":{"rendered":"https:\/\/ericsiegmund.com\/fireant\/?p=11671"},"modified":"2023-01-18T16:24:18","modified_gmt":"2023-01-18T22:24:18","slug":"phished-ped","status":"publish","type":"post","link":"https:\/\/ericsiegmund.com\/fireant\/2023\/01\/18\/phished-ped\/","title":{"rendered":"Phished &#038; P***ed"},"content":{"rendered":"\n<p><em>The following was not easy for me to write, prideful as I am. Much of what I post on these pages is tongue-in-cheek, but I assure you that I&#8217;m not joking about any of the embarrassing facts I&#8217;m about to lay out for your consideration. I&#8217;m willing to do this in the hope that I might spare someone else some anguish.<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"108\" height=\"15\" src=\"https:\/\/ericsiegmund.com\/fireant\/wp-content\/uploads\/2022\/05\/divider.gif\" alt=\"\" class=\"wp-image-10399\"\/><\/figure>\n\n\n\n<p>I like to think that I\u2019m a fairly intelligent guy. I mean, I have a graduate degree from an actual bricks-and-mortar university. I stay up to date on the latest tech news, for the most part, including black hat activities. I\u2019m hip to phishing schemes; I know the value of two-factor authentication, and I regularly block spam callers and filter out spam emails. 
I\u2019ve been an IT professional in one form or another for decades.<\/p>\n\n\n\n<p>So, why is it that we found ourselves in our bank\u2019s offices yesterday, asking them to freeze our checking and savings accounts, and to create new ones?<\/p>\n\n\n\n<p>Short answer: <em>I\u2019m an idiot.<\/em><\/p>\n\n\n\n<p>Longer answer: <em>I\u2019m a total complete clueless idiot.<\/em><\/p>\n\n\n\n<p>OK, in the interest of possibly saving someone else from making the same stupid mistake I did, here\u2019s what happened.<\/p>\n\n\n\n<p>It started with an emailed notice from PayPal that some unknown-to-me guy was requesting funds. I didn\u2019t know the guy; I didn\u2019t recognize the email address associated with the request. There was a link in the email to click on to either approve or deny the request. Well, I\u2019m much too smart to fall for that, so instead I logged into my PayPal account, saw the transaction request, and clicked on the \u201ccancel\u201d link. That should have been the end of it\u2026no worries about losing money to a fraudulent request.<\/p>\n\n\n\n<p>I should have left it at that.<\/p>\n\n\n\n<p>But \u2014 being the beneficent guy I believe myself to be, I saw the message on the PayPal transaction that said \u201cif you don\u2019t know this person, call xxx-xxx-xxxx to report it\u201d and I thought, \u201cOK, I should report this idiot to PayPal and possibly make sure he doesn\u2019t try to pull this crap on anyone else.\u201d So I called that number.<\/p>\n\n\n\n<p>Someone with what appeared to me to be an Indian accent answered the phone, which didn\u2019t surprise me at all. 
Is there any major tech company in the world which doesn\u2019t use a call center based in Bangalore or Mumbai or whatever?<\/p>\n\n\n\n<p>Before you could say <em>Namaste, main yahaan aapaka baink khaata saaph karane mein aapakee madad karane ke lie hoon<\/em>, an alleged PayPal tech was logged into my desktop computer (\u201cNo\u2026don\u2019t use your iPad; use your computer! Is very important!\u201d), installing LogMeIn software and walking me through an arcane liturgy of commands and confirmation codes and\u2026well, a login to our online bank account.<\/p>\n\n\n\n<p>Were there red flags? Only an Olympics opening ceremony\u2019s worth. Did I heed them? Is there a photo of Donald Trump in the dictionary next to the entry for \u201chumility\u201d?<\/p>\n\n\n\n<p>The \u201ctech support\u201d guy told me that while I may have canceled the transaction in PayPal, there was still an active order that was going to hit our checking account in a day or two, and we needed to take steps to get that order refunded. I know\u2026who would fall for something so lame as that?<\/p>\n\n\n\n<p>The way we would do that is to transfer $100* into our account and that would then be followed by a second transfer of the remaining balance of the alleged fake transaction. That $100* transfer would be effected when I typed \u201c$100.00\u201d into a form that popped up on my monitor, which I dutifully did. The instant I typed <em>$100.00<\/em> a message popped up saying that $10,000.00* had been transferred into our account.\u00a0I hadn&#8217;t even pressed the <em>enter<\/em> key.<\/p>\n\n\n\n<p>At this point, the tech guy went ballistic. \u201cWhat did you do!?\u201d I tried to explain that I did not type \u201c$10,000\u201d and I did not hit the \u201cEnter\u201d button, but he\u2019s all like \u201cThis is YOUR mistake and we have to fix it or I\u2019m going to lose my job. 
You need to go to the bank right now and fix your mistake!\u201d It was all very dramatic\u2026and I was finally getting a bit skeptical of the whole process\u2026especially when he gave me a script to tell the bank personnel exactly how and why the transfer for the refund of the \u201cerroneous\u201d funds was to be made. \u201cJust tell them the reason is personal, and that you are sending it to me, a friend whom you\u2019ve known for more than ten years. Otherwise, they\u2019ll lock down your account and you won\u2019t be able to do anything.\u201d<\/p>\n\n\n\n<p>I quickly logged into our bank account via the bank&#8217;s app and, sure enough, there was a $10,000* transfer into our checking account. This was starting to get real.<\/p>\n\n\n\n<p>At this point, Debbie had begun to listen to my side of the conversation, and she was much more perceptive, skeptical, and intelligent than me. She insisted that we should contact PayPal again before going to the bank, so I put the \u201ctech guy\u201d on hold. Debbie observed that the phone number I had called was not the same one that shows up on PayPal\u2019s website for reporting suspicious activity (she has something of a photographic memory when it comes to numbers).<\/p>\n\n\n\n<p>I grudgingly agreed that her suggestion made sense, so she called PayPal and eventually got to speak to a real person. We explained our situation, and his response was along the lines of <em>well, you\u2019ll be OK just as long as you didn\u2019t actually call that number, which is totally bogus. And if, heaven forbid, you did call that number, you\u2019re still OK as long as you didn\u2019t, like, access your bank account or anything so foolish as that<\/em>.<\/p>\n\n\n\n<p>Welp.<\/p>\n\n\n\n<p>And that\u2019s how we soon found ourselves in the office of a bank employee**, sheepishly explaining how I got our mule in an ant bed, and asking for their help. 
By the time you read this, we will have basically started a new life, in a financial sense. We&#8217;re thankful that we didn&#8217;t lose any money to this scam.<\/p>\n\n\n\n<p>We do have a slew of new passwords for various potentially compromised apps and accounts. And, more than likely, recurring nightmares about what might have happened\u2026and it&#8217;s hard not to consider what might still happen&#8230;did we really plug all the holes?\u00a0<\/p>\n\n\n\n<p class=\"quote\">If you&#8217;re wondering exactly how this scam works, once we got to the bank and looked at our accounts in detail, the transfer <em>into<\/em> our checking account actually came <em>out<\/em> of our savings account. If we hadn&#8217;t noticed that, and if we&#8217;d completely fallen for the scam, the &#8220;refund&#8221; of the &#8220;erroneous&#8221; transfer would have been our own $10K*, not someone else&#8217;s. And that money would have been irretrievably lost.<\/p>\n\n\n\n<p>So, there it is\u2026my <em>mea culpa<\/em>. I did <em>mostly<\/em> all the right things \u2014 I didn\u2019t click a link in an email; I didn\u2019t call a phone number in a suspicious notification. I went to the official website to deal with the initial fraudulent transaction. And I still got burned&#8230;or, more honestly, I laid my hand on a glowing stovetop.<\/p>\n\n\n\n<p>It\u2019s entirely my fault for not being more skeptical and perceptive, but I humbly suggest that PayPal could take some steps to shore up their anti-phishing measures. 
Take a look at the screen capture of what showed up in my PayPal account for the fraudulent transaction:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-twentytwentyone-border\"><img decoding=\"async\" src=\"https:\/\/www.ericsiegmund.com\/fireant\/images\/misc\/paypalscreencapture.jpg\" alt=\"Screen capture of part of a PayPal web page\"\/><figcaption class=\"wp-element-caption\">The highlighted text is what tripped me up.<\/figcaption><\/figure>\n\n\n\n<p>The text highlighted in yellow was in quotes, which I assume should have tipped me off that it wasn&#8217;t &#8220;PayPal Official.&#8221; (It was, in fact, something that the phishers put in the comments section of their fraudulent request for money; it was bait that I hit like an eight pound bass.) I can&#8217;t help wondering if in this increasingly AI-surveilled world PayPal could recognize and flag something like this as suspicious, for the benefit of dweebs like me. By the way, I have no idea who Donald Pugh is, or if he even exists, but I&#8217;m sure he has no clue that his name was used for this purpose. I don&#8217;t blame Donald, although I wish I could.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"108\" height=\"15\" src=\"https:\/\/ericsiegmund.com\/fireant\/wp-content\/uploads\/2022\/05\/divider.gif\" alt=\"\" class=\"wp-image-10399\"\/><\/figure>\n\n\n\n<p style=\"font-size: .9em;\">*Dollar amounts have been changed to protect&#8230;something. Not sure what, but the actual amounts aren&#8217;t really important (except to us).<\/p>\n\n\n\n<p style=\"font-size: .9em;\">**The silver lining to this affair is that we realized (not for the first time, BTW) the value of doing business with a local bank whose branch office is literally within walking distance of our house. 
I&#8217;m sure that every bank takes issues like this very seriously, and will do everything in their power to address them, but being able to sit across the desk from a concerned bank employee who has the power to get the ball rolling <em>immediately<\/em> meant the world to us. So, we&#8217;re extremely grateful to them for making the light at the end of the tunnel a real and comforting thing rather than the flames of a bonfire made from our funds.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In which I realize once again that I was put on this earth as a cautionary tale.<\/p>\n","protected":false},"author":1,"featured_media":11682,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[50,9],"tags":[119,117,118],"class_list":["post-11671","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-law","category-society-culture","tag-fraud","tag-phishing","tag-scam","entry"],"jetpack_featured_media_url":"https:\/\/ericsiegmund.com\/fireant\/wp-content\/uploads\/2023\/01\/phishing.jpg","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/posts\/11671","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/comments?post=11671"}],"version-history":[{"count":19,"href":"https:\/
\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/posts\/11671\/revisions"}],"predecessor-version":[{"id":11691,"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/posts\/11671\/revisions\/11691"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/media\/11682"}],"wp:attachment":[{"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/media?parent=11671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/categories?post=11671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ericsiegmund.com\/fireant\/wp-json\/wp\/v2\/tags?post=11671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}