Hi. My name is Micah. I have a network security degree and I was just hacked. Oh and, “honey, do we know anyone in Tibet?”
It was a dark and stormy night when suddenly…. oh, wait. It was actually 9 A.M. on a sunny Arizona morning of 3/13/19 when my “bank” called me with no good news. “Mr. Vorst. We see that your account was recently charged in the state of Wisconsin. One charge was for $300 at Home Depot and the other charge for $100 at Lowes.”
Without thinking I immediately responded, “well that’s ridiculous. If you really knew me at all I hate Lowe’s with a passion (expecting the “USAA agent” to have known the Lowes/Vorst incident of 2016).
We would like to verify your account by sending you a six digit pin associated with your USAA account. Is the phone number we have on file a good place to accept text messages?
“It is” I said.
“098345” said I. Giving the scammer exactly what he needed to access my full online profile and account.
Without even suspecting, I had just given the last component of the “secure system” to my dear hacker friend who immediately started resetting account passwords, addresses, and security questions.
“It says here that there are a few charges from Zelle (similar to PayPal) that attempted to access your account. Did you make these purchases” said my friend — the professional-hacker.
“No, I don’t even know what a Zelle is” (still dont’. Don’t know, don’t care). At which point the “representative” asked if he could place me on a brief hold to investigate further.
I was in a fairly calm state. “Great!” I thought. My bank called me informing me of a wanna-be-hacker and they got nothing. I’ll go about my day checking emails and doing the usual work routine. After about five minutes the call was disconnected. “Shoot” I wish my phone would stop dropping calls, said I.
I called my bank, USAA, back. “Hello, Mr. Vorst? Yes, we don’t see that anyone from the fraud department called you this morning”.
Yep. That’s when I knew that the terrorists had won.
Apparently scammers are getting good. I mean sure, we tell our grandparents to stop trusting everyone that they talk to on the phone (I swear to you, Microsoft or Apple would never call you directly about a computer virus) but these scammers now a days study the banking systems in-depth.
Apparently, the scammer, I’ll name him Gregor MacGregor, was acting as the middle man. Based on the incident analysis, he may have already had my login credentials but was missing the last element. My phone. Instead of stealing or porting my phone he just informed me that he was going to hack my account (in not so many words) and that I would just need to give him the bank text number that would be sent shortly. Brilliant.
When all was said and done it took me a good four hours to work with my bank to identify the mess Gregor made and to restore order to my otherwise routine day.
Hackers come in all shapes and sizes. Some can be aggressive and bully you into cooperation and others can “help” you recover as a victim. As my bank recommended (and the reason for this blog) they will never contact you directly asking for personal information. Even if they do so it is advised to ask for the employee name, company, and employee ID and say you will call them back using the number located on the back of your banking card.
Thankfully, my funds are restored (sorry Taylor, Robert, and the Tibet Bank). I was able to meet the entire fraud team at USAA (throughout the course of the day) who were great, and realized that no matter how well one is trained in not trusting others (network security degree people!) it can be a simple slip of the tongue that helps good ol’ Gregor get paid.
Advice: if your bank calls you hang up and call them back using the number located on the back of the bank card.