Tales of a virtual kidnapper
A few weeks ago, I received a bizarre call to my mobile phone.
CallerID revealed that I was, in fact, calling myself.
Now, I must admit, I wasn’t terribly shocked. I’ve seen my mobile number display on callerID before; in fact, I’ve written about these types of spoofing efforts previously. But despite those things, I continue to be surprised to see my phone ring with my name listed as the caller.
Taking my own advice, I ignored the call.
Still taking my own advice, I ignored the call a second and a third time.
On the fourth attempt, I decided to answer, quickly mute the call and put it on speaker. I figured the robotic voice would vigorously proclaim the horrors of allowing my car warranty to expire. Then I’d hang up.
Only that’s not what happened.
The voice was quick and exact: “Do not hang up. I have control of your banking account.”
Really? No car warranty expiration, no promises of loan consolidation, just straight to holding my money hostage, a virtual kidnap of my financial resources – if nothing else, this was either a bold evil-doer or a run-of-the-mill scammer.
Having dealt with scammers and cyber-hucksters for many years, I noticed a few clues suggesting that my caller was phishing around for a victim and hadn’t actually done anything.
The first hint was the spoofing of my mobile number. Given the relative ease of doing this and the lack of effective controls against it at many telecommunications providers, this was a basic attempt to conceal the caller’s true identity. Though admittedly clever, seeing my own number is highly suggestive of a bulk-spoofing effort.
The second clue was the sense of urgency. As with email phishing attempts, creating a sense of distress or crisis is a powerful way to grab the potential victim.
The third item was the phrasing of the actual threat, “…control of your banking account.”
The comment is vague. Which account? What do you mean by control? Why warn me if you have access to my money?
I decided to play along, for research purposes of course.
I unmuted the call.
“What do you mean?” I offered.
“I have control of your banking account. Do not hang up. Do not attempt to call the police.”
“Which account, my checking account?” I responded.
“Yes, your checking account.”
“How did you get control of my checking account with The Bank of Alabama?” I shouted.
Now, let’s pause for a moment. The would-be evil-doer didn’t offer which type of banking account; I did. When I asked about my checking account, he confirmed. Next, I responded angrily and provided the name of my bank, which, by the way, I fabricated: there is no Bank of Alabama.
“Yes, I have control of your Bank of Alabama account.”
So at this point I’m very confident that I’m dealing with an uninformed scammer, working from a basic script and employing some rudimentary social engineering skills. He frightened me and let me fill in the blanks, which, as far as he knew, I did out of intense fear.
At this point, hanging up would have been satisfactory. However, I wanted to know why he hadn’t stolen my money yet, from the well-known Bank of Alabama.
But before I could fashion a response, the script continued: “You will purchase a $500 pre-paid debit card now. Do not call the police. Leave now and buy the card.”
OK, pump the brakes. This dude wants me to leave my house and buy a pre-paid debit card, yet he has ‘control’ of my checking account?
I admit, despite my confidence that this was a scam, I was a bit concerned about the instruction to leave. I wondered if I had underestimated the scammer and they were tracking my location, observing my movements from a distance.
“Yes, I will get the card. But I don’t have $500,” I countered.
“$250, if you get the card in 30 minutes. Do not hang up, get the card now.”
I made a lot of noise, cranked my vehicle and drove to a nearby fast-food restaurant parking lot. I exited my vehicle with phone pressed against my face, and entered the restaurant.
I told the anxious bad guy that I was at a store, had a card and was in line. He responded simply, “Good.”
Obviously they were not tracking my location. I almost hung up and ended the call. But, I saw an opportunity.
I made a few noises, got near a small crowd of people for additional effect, and told him that I had the card.
He told me to give him the numbers and reveal the PIN code from the back of the card. Once he verified the card, he would release my checking account.
As I feigned appreciation on the phone, I wrote on a paper napkin the following:
This dude is trying to con me out of $250. Please ask him what he ordered.
I handed the note to the cashier, a person I’ve known for at least a decade. She smiled and reached for my phone.
The exchange was brilliant. She worked him over with a series of questions about his order and apologized for the wait.
He hung up. I ordered some food. He called back.
After a series of profanity-laced threats, I asked him if he wanted any extra ketchup.
I’m certainly not encouraging you to engage with scammers. However, pay attention to those little clues that give away a social engineer: sense of urgency, vague comments, using specifics that you offer. Unfortunately, many people fall victim to similar attacks. Perhaps the best advice is to avoid answering calls from yourself.
Be safe and watch out for evil-doers.