My $5,150 phone call.

Hi. My name is Micah. I have a network security degree and I was just hacked. Oh and, “honey, do we know anyone in Tibet?”

It was a dark and stormy night when suddenly…. oh, wait. It was actually 9 A.M. on a sunny Arizona morning of 3/13/19 when my “bank” called me with no good news. “Mr. Vorst. We see that your account was recently charged in the state of Wisconsin. One charge was for $300 at Home Depot and the other charge for $100 at Lowes.”

Without thinking I immediately responded, “well that’s ridiculous. If you really knew me at all I hate Lowe’s with a passion (expecting the “USAA agent” to have known the Lowes/Vorst incident of 2016).

We would like to verify your account by sending you a six digit pin associated with your USAA account. Is the phone number we have on file a good place to accept text messages?

“It is” I said.

“098345” said I. Giving the scammer exactly what he needed to access my full online profile and account.

Without even suspecting, I had just given the last component of the “secure system” to my dear hacker friend who immediately started resetting account passwords, addresses, and security questions.

“It says here that there are a few charges from Zelle (similar to PayPal) that attempted to access your account. Did you make these purchases” said my friend — the professional-hacker.

“No, I don’t even know what a Zelle is” (still dont’. Don’t know, don’t care). At which point the “representative” asked if he could place me on a brief hold to investigate further.

I was in a fairly calm state. “Great!” I thought. My bank called me informing me of a wanna-be-hacker and they got nothing. I’ll go about my day checking emails and doing the usual work routine. After about five minutes the call was disconnected. “Shoot” I wish my phone would stop dropping calls, said I.

I called my bank, USAA, back. “Hello, Mr. Vorst? Yes, we don’t see that anyone from the fraud department called you this morning”.

Yep. That’s when I knew that the terrorists had won.

Apparently scammers are getting good. I mean sure, we tell our grandparents to stop trusting everyone that they talk to on the phone (I swear to you, Microsoft or Apple would never call you directly about a computer virus) but these scammers now a days study the banking systems in-depth.

Apparently, the scammer, I’ll name him Gregor MacGregor, was acting as the middle man. Based on the incident analysis, he may have already had my login credentials but was missing the last element. My phone. Instead of stealing or porting my phone he just informed me that he was going to hack my account (in not so many words) and that I would just need to give him the bank text number that would be sent shortly. Brilliant.

When all was said and done it took me a good four hours to work with my bank to identify the mess Gregor made and to restore order to my otherwise routine day.

Hackers come in all shapes and sizes. Some can be aggressive and bully you into cooperation and others can “help” you recover as a victim. As my bank recommended (and the reason for this blog) they will never contact you directly asking for personal information. Even if they do so it is advised to ask for the employee name, company, and employee ID and say you will call them back using the number located on the back of your banking card.

Thankfully, my funds are restored (sorry Taylor, Robert, and the Tibet Bank). I was able to meet the entire fraud team at USAA (throughout the course of the day) who were great, and realized that no matter how well one is trained in not trusting others (network security degree people!) it can be a simple slip of the tongue that helps good ol’ Gregor get paid.

Advice: if your bank calls you hang up and call them back using the number located on the back of the bank card.

6 thoughts on “My $5,150 phone call.”

  1. This is great advice! So sorry you had to go thru that… thanks for turning it
    Into a “positive” by sharing the experience and helping to educate others. It’s crazy how quickly/ expertly some hackers can present themselves and truely sound legit. Have had a similar experience recently and it’s hard not feel rude for suspecting others/ wanting to verify something… I need to remind myself that anyone who is working with secure info will understand a hesitant client/ customer might want to do a double check.

    1. Good point! Anyone who works with Personally identifiable information (PII) has (hopefully) been trained to be perfectly fine with someone calling them back.

  2. Wow! That is crazy. Did it come up as USAAin your caller id too? I have gotten 3 calls from them this week and when I call back they say they don’t know why someone called.

  3. Thanks for sharing this! I just read on a Facebook post about a woman who fell for the very same scam. A lot of people find it unbelievable, but with my limited knowledge of cyber security and human nature in general, I can see how anybody could go for this. It seems like every bank has it’s own practice for contacting customers in the event of fraud, so there’s a lot of misinformation and misunderstanding for how a scam like this could work. I’m just glad that you and the other person I read about shared this experience so if I or someone close to me ever gets a phone call like this we will know what to do.

    1. Great point, Tara. I think that a lot of folks are being hit with these scams. My hope with this blog is to provide enough info so someone else doesn’t have to go through what I’ve experienced!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.