First-person account of someone who fell for a scam, that started as a fake Amazon service rep and ended with a fake CIA agent, and lost $50,000 cash. And this is not a naive or stupid person.
The details are fascinating. And if you think it couldn’t happen to you, think again. Given the right set of circumstances, it can.
It happened to Cory Doctorow.
EDITED TO ADD (2/23): More scams, these involving timeshares.
Clive Robinson • February 21, 2024 8:45 AM
@ Bruce,
Re : Not all…
“And if you think it couldn’t happen to you, think again. Given the right set of circumstances, it can.”
For it to work, you have to have levers that can be pulled.
Certain people either don’t have levers or the scammers pull the wrong levers.
In the first case generally they lack empathy for others. In the second case pulling the wrong levers could get the scammers into a whole world of hurt.
The reason this woman got scammed goes back to a saying of an old time con artist, who effectively said,
“You can not con an honest person”
The point is modern scammers have realised that if they can make a normal person start thinking they are going to be treated as a criminal fight or flight kicks in. As the person can not fight then the only option is flight… At which point all the scammers have to do is nudge you to get you to “walk the tracks” they have laid down.
Thus if you disrupt this the scammers can run into all sorts of problems and are most likely to go for “fruit that hangs lower”.
To start off with though the one thing I would expect all people who have been on this blog awhile to know by now is,
“Never speak to the police when they just appear”
Because they almost never have any interest in helping you, except if they can use you in some way to further their career objectives.
Secondly as I’ve indicated before always always ring off the phone, and if you can go use another phone to make check calls[1].
And always “slow the process down” scammers normally are running on a clock for various reasons.
Also insist on a “meet in person” at the bank etc. The CCTV in banks these days tends to be good resolution and scammers know this thus will probably be “no show”.
But the best first line of defence in this modern mobile world is “Don’t pick up” on numbers you don’t know,
“Flick them to voice mail”
It’s funny how the number of “nuisance calls” drops off.
Back in the olden days ot POTS landlines I had an answer phone on it that had the “loud speaker” mode turned on. Friends/family knew that they could just say hi and if I was there I’d just pick up on hearing their voice.
Whilst this can be done with mobile phones most phone service providers don’t make it available, which is a shame because it would cut spamming etc down by a lot.
[1] To stop variations on the “line hold” trick going back to the old POTS days. Dial a number you know to be good if you can not get through to that person ring another number you know to be good. When you speak to the person you know to be good ask them to get the “general number” for the place the alleged law officer is calling from and get them to contact it and get the alleged officers “direct dial” land line. If they match the number you were given by the alleged law officer there is a small chance they may be legitimate.
JMM • February 21, 2024 8:55 AM
There was a case published recently on the CBC about a guy that was scammed his entire retirement savings, ~680k (CAD). I see more and more articles about this and it’s getting so bad it’s terrifying https://www.cbc.ca/news/canada/manitoba/wire-transfer-fraud-peter-squire-winnipeg-1.7116347
Robin • February 21, 2024 10:09 AM
In both cases, the victim engaged with the person who called them. Always say thank you, I’ll call you back straightaway. Hang up, then find and call the correct number for the bank/credit union/whatever and ask for the anti-fraud department.
Of course panic disrupts the rational thought process.
Chelloveck • February 21, 2024 10:31 AM
What @Robin said. Feel free to borrow Chelloveck’s three-step scam abatement process:
Paulo Marques • February 21, 2024 11:56 AM
The story reaches the right conclusion: the scam is believable because the risk assessment is that American authorities can make your life miserable more quickly, more thoroughly, for less reason, and with less oversight than any scam artist, for your own safety.
Psuedoanonymous Coward • February 21, 2024 12:44 PM
It happened to Cory Doctorow.
People keep saying this, but his case was more-or-less a standard-ish credit card scam; it’s not a movie theater plot ending up with $50,000 in cash in a suitcase.
Everyone is also assuming the suitcase person’s story is nonfiction. Are we 100% sure?
MK • February 21, 2024 1:32 PM
I’m generally pretty good at hanging up on scam callers. But they are getting better. I recently got a call that someone was trying to get a Discover card in my name. Perp knew my name, address, last 4 of my SSN, phone (that was before they called). I told them it was fradulent and the tried to transfer me to the Consumer Fraud Protection Bureau. That’s when I disconnected. Later the same day I got a similar call for another card at another bank. If you are not paying attention and get 10-15 calls like this a day it’s possible to slip up.
Quentin Jones • February 21, 2024 3:56 PM
Sorry to disagree but the lady fooled by the scam must be a fool.
Clive Robinson • February 21, 2024 5:16 PM
@ Quentin Jones,
Re : You are likely a good target.
“… the lady fooled by the scam must be a fool.”
It’s that sort of rigid mentality that scammers look for in people. Because it makes them,
1, So much easier to scam.
2, They are less likely to report being scammed.
It also marks you out as being more likely to be “right wing leaning” and an “authoritarian follower”, even if you think you are just being a troll.
Look up what “emotional intelligence” is you might learn something about yourself, but probably are too rigid in outlook to take it onboard,
https://www.simplypsychology.org/emotional-intelligence.html
lurker • February 21, 2024 6:59 PM
Scams are made easier by businesses that have become so big they can’t deal with their customers anymore, they do it through third-party outsourced services. So their customers become trained to use and believe third-party outsourced services.
Cory Doctorow mentioned Zelle, and so did our host @Bruce, twice,
‘https://www.schneier.com/blog/archives/2022/03/fraud-on-zelle.html
and
‘https://www.schneier.com/blog/archives/2024/01/zelle-is-using-my-name-and-voice-without-my-consent.html
sitaram • February 21, 2024 8:51 PM
@Paulo Marques — that tracks.
The first thing I thought after skimming the article was “this can never happen in India”. I mean, technically it can, but it takes a lot of time, and none of the AML enforcement mechanisms are that fast — we’re talking weeks or more of effort.
Inefficiency has some benefits, it would appear 🙂
Bob • February 22, 2024 2:25 PM
The Stoic school of thought would suggest to feel the distress and fear of the situation, to assess them, and to respond to the situation in a way that rationally has the best chance of leading you to joy.
There’s a bit of a misconception around stoicism that it involves not feeling your feelings or otherwise ignoring them. It’s actually quite the opposite, it’s a school of thought that can help an individual in a situation like this, and I do believe it’s distinct from psychopathy. At least I hope so.
Cyber Hodza • February 22, 2024 5:18 PM
@Clive – what you are doing is highly irresponsible- giving enough rope for people to hang them selves with while the world is spinning out of control
Stan Leyendo Swiffner • February 22, 2024 6:38 PM
Clive, usually (yet only lately), I am tending do disagree with you. However, not this time.
I like what you seemed to explain about the nudge towards “F1 or F2” (or “rest and digest” or “hibern8”) …type of things.
I’m not really familiar with that exact scenario, but I am familiar with some similar scenarios that seem to match what you described.
Sometimes I describe that as something accidental or intentional attempts to “radicalise” (us|them|me|you|others|it|unknowns|etc).
Thanks for contributing that kind of helpful insight. I hope you and echo successfully avoid the awkwardness of being in the pseudomedia pseudospotlight of perhaps being noticed as guestbook regulars.
Sincerely, Leyendo
lurker • February 22, 2024 7:46 PM
@Moderator
Stan Leyendo Swiffner https://www.schneier.com/blog/archives/2024/02/details-of-a-phone-scam.html/#comment-432721 appears to be advertising a service.
TheAnarchistBanker • February 22, 2024 7:52 PM
I think the best defense, in a true hacking spirit, is thinking nothing is secure and no mind is secure against social engineering. When someone manages to ring some bells and whistles into you’r Pavlovian mind then they just got in. It all depends on the effort/cost those putting you on as a target are willing to take. Event those on power can be hacked. I’m always reminded by the story of a Portuguese, Alves dos Reis [1] who managed to print money using its social engineering skills, to the point of shaking the Portuguese monetary system. A nice read if you have the time.
Winter • February 22, 2024 10:56 PM
Re: “And if you think it couldn’t happen to you, think again. Given the right set of circumstances, it can.”
I once read an interview with a guy who had presented hundreds of scams in a TV program series (the real hustle? Sorry no link).
When asked asked how a typical mark looked he answered along the lines
I see one every morning when I look in the mirror.
He explained that the one thing he learned from these hundreds of scams was that he too could fall for a scam.
Dude • February 23, 2024 10:43 AM
1) Are we even sure her story is true? This just as easily be an attempt at attention, fame, etc. (Jussie Smollett, anyone?)
2) @Quentin Jones is likely correct. This is such an outlandish and obvious scam that, if true, does indeed indicate she’s a fool…or whatever we call those easily duped by this unsophisticated ruse.
3) @Clive: making it political w.r.t. Quentin Jones is unnecessary and unhelpful… and even untrue (e.g., young people fall prey to scams more than older people. Older people tend to lean more right.) “For years now, the Better Business Bureau’s survey research has shown that younger adults lose money to swindlers much more often than the older people you may think of as the stereotypical victims. The Federal Trade Commission reports similar figures, with 44 percent of people ages 20 to 29 losing money to fraud, more than double the 20 percent of people ages 70 to 79.” –NYT
Dude • February 23, 2024 10:48 AM
[Edit to my above comment: I mean “he” not “she.”]
Winter • February 23, 2024 10:53 AM
@Dude
This is such an outlandish and obvious scam that, if true, does indeed indicate she’s a fool…or whatever we call those easily duped by this unsophisticated ruse.
Do you have a family? A 2yo son? No? Then you do not know what fear is.
Otherwise, all scams are obvious in hindsight.
Ray Vang • February 23, 2024 3:14 PM
Robin, re: “Always say thank you, I’ll call you back straightaway.”
“Always” is not quite right, because “straightaway” is dangerous on a landline. Scammers have been known to send fake dialtones, such that the “outgoing call” is actually still the incoming call from earlier. It’s important that the phone’s been continuously hung up for a while; I don’t know what the exact length of time should be, but 10 minutes is a common recommendation.
Remember that if a fraud department is calling you, it’s not really that urgent anymore (until you want to use the relevant account). Almost all situations people think of as “urgent” aren’t worth quite the level of panic they inspire. Like the “grandchild in jail” scam: if they’re really in jail, they’re basically safe, and taking a few hours to verify things will merely inconvenience them.
Disagreeing with Bruce, I do consider it quite naïve for someone to give personal information to a caller whose identity has not been verified.
Ray Vang • February 23, 2024 4:58 PM
<
blockquote>More scams, these involving timeshares.
<
blockquote>
Timeshares and scams have always gone hand-in-hand. Once, while on a vacation to Florida, my parents fell for one. Some promoters said they’d give us a free cordless phone if we listened to their pitch. We all (3 of us being young children) sat around for an hour, then left with a boxed phone. After driving back to Canada, we plugged it in, and it didn’t work! We never got it working, and certainly weren’t gonna make the 48-hour round-trip to exchange it (assuming any of them worked).
But I hear some people get taken in for more than a little wasted time. Timeshare promoters have always ranked somewhat below used car dealerships in terms of trustworthiness.
Dude • February 23, 2024 5:39 PM
@Winter
Not only do I have a family, but my kids are adults now. When you’re a little older, you’ll (hopefully) understand. See how easy assuming is? I’ve also been at the hot end of a firearm before, too. Please, tell me more about fear.
Clive Robinson • February 23, 2024 6:02 PM
@ Dude, Winter,
Re : Psychology not Politics.
“making it political”
Sorry know I was not making it political. The “right-wing” wind set of “Authoritarians” and Authoritarian followers” is well established as a research area in psychology. As such it has actually little relevance to political colour but it has a great deal to do with behaviours. Part of this mindset in “authoritarian followers” is a rigidity of behaviour. There are even jokes made about it with,
“When the leader shouted jump, he did not even ask ‘how high?'”
The fact is that such unquestioning behaviour makes someone a very easy target for con artists. Further their rigidity prevents them admitting that they were conned as it shows “weakness” which is despised in authoritarian followers.
But as you brought it up this mind set has little or nothing to do with age you will find lots of authoritarian followers with a right-wing often thuggish out look on life amongst teenagers and younger, after all who do you think fill the ranks of gangs and such like?
The thuggishness is an easily visible expression of showing strength and place in the hierarchy you often find it in the old style military organisations that use brutality and corruption as hierarchical status indicators.
Such military units usually are poor in conflict and have very high casualty rates, as the basic idea is,
“Overwhelm the cannons with heaps of bodies.”
So each of the fallen ordered in enables the next to fall to get that little bit closer… Back in WWI this tactic was the cause of such high death rates and no ground gained.
Winter • February 24, 2024 5:04 AM
@dude
See how easy assuming is?
Indeed, as you showed no empathy for a panicking parent, I made assumptions. I chose the more charitable assumption. You now show me that was the wrong option.
Clive Robinson • February 24, 2024 8:29 AM
@ Winter, Dude,
As I’ve already explained, the fear is different depending on where you are.
When you are at the point of threat you have a choice of “fight or flight” men are slightly more predisposed to “fight” than women for various long embedded psychological reasons, women less so.
However when you are remote from the point of threat being forced to be an observer you have no choice of “fight or flight” because you have nothing to fight.
This significantly changes the dynamics.
@ Dude,
“I’ve also been at the hot end of a firearm before, too.”
What am I supposed to assume from that statement? So rather than guess I’ll ask,
Who or what were you shooting at?
What a school grade level knowledge of physics should tell you, is the hot end of the active part of a firearm is where the “powder” burns. It’s also why the “cooking off” effect happens, when semi and full automatic weapons have heated up and an auto loaded round in the breach goes off due to the heat in the breach being above the primer or powder ignition point, such is what happens with exothermic reactions in thermally constrained spaces.
Dude • February 25, 2024 2:29 PM
@Clive,
Ah, sorry. The “hot end of a firearm” is slang for being in front of the muzzle (i.e., in the line of fire) as opposed to the “cold end” (i.e., the one holding the gun is on the cold end) in a conflict. Contrary to what “a school grade level knowledge of physics should tell you,” what a grown-up level knowledge of actual firearms use should tell you is that the barrel and muzzle become untouchably hot after just a round or two is fired (thus hot end) whereas the grip (necessarily) remains unaffected.
@Winter,
“…a panicking parent”? Her parenthood status had little to do with it. She got duped by a ridiculous con that took place over a long enough time frame…literally from morning to evening…for any initial panic subside and be replaced with a modicum of rational thought. Or, quite possibly, she made this whole story up. But you chose to start with the ad homimen.
@All,
It’s worth reading the comments section of her article on The Cut.
echo • February 25, 2024 6:49 PM
Tut. Boys fighting again…
Clive Robinson • February 25, 2024 9:39 PM
@ Dude,
“… is slang for being in…”
In the UK we would say amongst many others “the business end” or “the wrong end of the wicket” or “sticky end of the wicket”.
Euphemisms are cultural and generally don’t make sense outside it, and “like as not” often don’t make sense in the culture they are from either. For instance in the UK we have “10 foot pole” which at least makes some sense when you know how far fleas can jump. We also have “the 5h1ty end of the stick” for which there are many unconvincing guesses.
But calling a cold bitter winter wind a “lazy wind” gets most people untill they know the full quote,
“Its a lazy wind, that rather than go around you just cuts straight through.”
The point though was about “assumption” being dangerous these days with an international audience, thus best avoided.
In the UK for instance when I was young most children had not just seen guns in real life, they had actually used one for “plinking” or going after small game[1]. Most fairly quickly lost interest in them as lets be honest making holes in paper targets and tin cans can get boring fairly quickly. However for various political reasons, guns are nolonger seen as what they are “tools” but are now “status symbols” for “power” especially by the police these days. Which is why the use of guns in gang culture has sky rocketed. The trouble though is they mostly don’t know how to use them and clean/maintain them or often how to load them correctly. With the result many others get hurt or endangered[2].
[1] Long before I was technically old enough the local farmer had taught me how to use a 12bore for killing pigeons and rabbits on mass. Not long after that a relative taught me how to take out rabbits with a .22 long case (this was prior to NATO 556 rounds) rifle with scope and moderator. At fourteen I had a .22 air gun that I went after not just rabbit and pigeon “for the pot” but grey squirrels as well for the bounty on their tails, with the rest of the squirrel going to the local stable / hunt dogs.
[2] One ludicrous thing I’ve seen… Some years ago I was in hospital with lungs full of blood clots and high risk of them breaking up and ending up lodged in my brain or heart. There was a kid brought in post-op who had been shot in gang violence in a bed close by me. Many of the patients including the kid were in oxygen tents or on breathing assistance from oxygen masks etc. The levels of free oxygen in the room air was high enough that fire precautions were very much in place. Yet two police officers were in the room to protect the kid with not just side arms but semi-autos… As I said to a nurse if they fired a single round the chances were we’d all go up in smoke, thankfully not long after that the kid got shifted elsewhere and the police went with him.
JonKnowsNothing • February 26, 2024 1:45 AM
@Clive, @ Dude, All
re: “the 5h1ty end of the stick”
I’m good with any of the above, the metaphor works with all of them however I do like Spongium best as it has a more curious imagery.
Instead of asking the person in the stall next to you to “hand me some TP”, it’s
===
1)
https://en.wikipedia.org/wiki/Tanning#History
htt ps://en.wikip edia.org/wiki/History_of_hide_materials
2)
ht tps://en.w ikipedi a.org/wiki/Xylospongium
3)
ht tps:/ /en. wikipedia.org/wiki/Shit_stick
Clive Robinson • February 26, 2024 6:31 AM
@ JonKnowsNothing, Dude, All
re: “the 5h1ty end of the stick”
“Option 3: A similar item to Option 2 but without the sponge part.”
But did not Pliny talk of using a gooses neck?
Certainly a 14th Century French gent with a monastic habit not only thought so but described the qualities of using a live goose,
https://knowledgenuts.com/why-you-should-wipe-yourself-with-a-gooses-neck/
Anonymous • March 15, 2024 7:12 AM
So the knowledgeable ego of Mr Doctorow, who seems to think it’s cute to post 10+ posts in rapid succession on a microblogging platform, was convinced to hand over his CC number?
Cannot empathize.
Chris Drake • March 16, 2024 2:32 AM
Does nobody understand the law? It’s a companies job to make the most profit possible for shareholders. It’s NOT their job to protect customers against fraud.
So long as THEY don’t lose money (and for banks – they never do) it’s all good. It’s in THEIR BEST INTEREST to make sure that the customer or the merchant wears any losses they cannot recover.
Or to be totally blunt: they’re blocked from doing anything more to prevent you losing your money, because it makes it more likely that they won’t be able to avoid the loss themselves (if their security fails, they’re portly to blame. If they have garbage security – the blame ends up being all your fault).
Clive Robinson • March 16, 2024 1:44 PM
@ Chris Drake
Re : One for the left in me one law for the right…
“Does nobody understand the law? It’s a companies job to make the most profit possible for shareholders. It’s NOT their job to protect customers against fraud.”
It depends on where you live but as a normal rule of thumb criminal law including theft, fraud, and impeding justice, trumps civil and corporate law.
So if a corporate body is made aware of theft or fraud and actively choses not to follow criminal procedure requirements then the officers of the company can find themselves on the wrong end of not just charges of impeding justice, but malfeasance charges.
Occasionally LEA’s even in the home of Capitalism is King can not look away and have to act at which point people can end up in orange jump suits,
“The jury found Mr. Sullivan guilty on one count of obstructing the F.T.C.’s investigation and one count of misprision, or acting to conceal a felony from authorities.”
Some how Mr Sullivan who was the CISO of Uber avoided jail. If it had been you or I from some little no name corporate organisation then the chances would have been “max tarrif” of 8&3 years respectively on the charges, and our chance of seeing natural Day Light significantly curtailed for quite some time.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Fazal Majid • February 21, 2024 8:07 AM
In Doctorow’s case, the most likely culprits are the credit bureaus, whose criminally negligent lack of security only gets light slaps on the wrist.