Hoaxed: A cybercrime real-life story to learn from

Monday 14 February 2022 09:03 CET | Editor: Simona Negru | Voice of the industry

Scott Augenbaum, Cybercrime Prevention Speaker & Retired FBI Supervisory Special Agent, tells us a cybercrime story and what we can learn from it

During my 30-year career with the Federal Bureau of Investigation (FBI), I led investigations dealing with cybercrime, realising that there was one thing that seemed to be a common element among all my assignments: many good, smart people became unwitting victims.

…and I took every incident personally. 

The ugly truth of being a cybercrime victim

Even though I am no longer with the FBI, one mantra I have imparted over the past decade is that a majority of all cybercrime victimisations start with a phishing email, and a recent news report about a phishing incident broke my heart.

This particular story begins when a Tennessee woman (let’s call her ‘Lady X’) received an email purporting to be from her so-called ‘anti-virus’ company. The email stated that she was being billed USD 299.99 to renew her yearly subscription – something she didn’t want or request. But since it came from a company that Lady X knew (and inherently trusted), she felt it prudent to respond. 

Upon calling a 1-800 number provided in the email to resolve any subscription concerns or issues, Lady X spoke to a so-called ‘representative’ (a cybercriminal), who explained that she had indeed been billed and that he would gladly refund her the money, but in order for the refund to process, she needed to download a programme onto her computer to provide access to a refund form.

As soon as Lady X installed the programme, the cybercriminal instructed her to enter USD 300.00 into the form. Immediately upon entering the requested amount, two extra zeros were automatically entered and a new amount of USD 30,000.00 was displayed as the amount to be ‘refunded’ to Lady X.

The fake representative accused Lady X of purposely trying to trick the company into paying her a larger refund. Lady X was falsely told that the system had initiated a transfer to her in the amount of USD 30,000.00, and she was informed that these funds needed to be returned immediately to avoid penalties. At this point, the cybercriminal told the victim that the only option to remedy her ‘error’ was to initiate a wire transfer from her bank.

As she was completing the wire transfer back to his company, the cybercriminal obtained control of Lady X’s computer and printer, and via the remote system access, he printed out the wire transfer request and had her take it to her bank to repay the company for her alleged mistake.

Consequences and results

The next morning, Lady X’s bank account showed a negative USD 30,000.00 balance. When the cybercriminal could not give her an explanation, Lady X went to the bank to get an accurate balance. The bank confirmed there was only USD 532.00 in her account; the remainder of the original funds was gone.

As if this were not enough, the cybercriminal called the flustered victim, mentioning that the wire transfer did not go through, so, to complete the refund, she needed to purchase USD 10,000.00 in gift cards. Regrettably, she followed his instructions, later realising that he had also taken control of her home alarm system and computer camera. Lady X reported the incident to the police, cancelled her credit cards, and discontinued contact with the man.

Before you open your next email… read this

I have seen this happen thousands of times during my FBI career; as a learning point, in one of my Cybercrime Prevention lectures, I discuss the following four truths to cybercrime:

Truth one – Nobody expects to be a victim.

Truth two – Once the cybercriminals steal your money, the chances of a full recovery are slim to none. If the money is out of your bank account or already used as gift cards, neither the bank nor the credit card company is responsible for helping get the money back.

Truth three – For law enforcement, bringing cybercriminals to justice is challenging at best. In this particular case, the digital clues consist of email accounts and a 1-800 number; both are difficult to trace back to the actual fraudster. Following the money will lead to foreign bank accounts, whose records can take months or years to obtain, so the money and the criminal will be long gone.

Truth four – A majority of cybercrime incidents could have been prevented without spending money on products and services or even having a technical background, but by simply empowering the target with a couple of key pieces of information and no-cost preventive action plans.

Cybercrime is real, and the problem is growing exponentially. It is happening to real people every day. Maybe you would never have fallen for this scam, but what about your parents? Or your grandparents, loved ones, children or even co-workers? 

In my book, ‘The Secret to CyberSecurity’, I cover this type of invisible crime in two specific chapters: Elder Scams and Phishing. Here are some tips to share with everyone because no one needs to be the next cybercrime victim: 

  • email is the main attack vector – cybercriminals will send you an email that seems to come from someone you know and trust;

  • think before you click and act;

  • never call a phone number in an email, always find another way to reach the company. And always be in doubt about the validity of an email;

  • never let anyone have remote access to your computer for any reason;

  • if you are tricked into purchasing gift cards on your credit card, it’s the same thing as giving the cybercriminal cash: you cannot get it back;

  • implement two-factor authentication on all your email, social media, and finance platforms; 

  • report all suspicious emails to the FBI at WWW.IC3.GOV.

This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.

About Scott Augenbaum

Scott joined the Federal Bureau of Investigation (FBI) in the New York Field Office in 1988 as a support employee. In 1994, he became a Special Agent and worked in domestic terrorism, white-collar, and hate crimes as well as in computer crime investigations. In October 2003, Scott was promoted to Supervisory Special Agent in the Cyber Division, Cyber Crime Fraud Unit. Since retiring from the FBI in early 2018, Scott shares his knowledge by consulting with individuals, groups, and businesses of all sizes. If you are interested in booking Scott or learning more, reach out to him through his website or by writing to wayne@waynehalper.com.

Keywords: cybercrime, fraud prevention, banks, phishing
Categories: Fraud & Financial Crime
Countries: World