It all started with a phone call around 10.30am on a Tuesday from an unknown mobile number. I was working on the computer at home and usually don’t answer phone calls from people I don’t know. For some reason, I decided to stop what I was doing and answer that call.
That was the first mistake of a series of others I would make over the next four hours, during which I was the victim of a wishingor voice phishing campaign. By the end of the ordeal, I had transferred almost 5,000 euros (EUR) in funds from my bank account and in Bitcoin to the scammers. My bank was able to cancel most of the transfers; however, I lost €1,000 (EUR) that I had sent to the attackers’ Bitcoin wallet.
Experts say it doesn’t matter how much experience you have in knowing the tactics attackers use or experience spotting scams. The key to attackers’ success is something older than technology, as it lies in the manipulation of what makes us human: our emotions.
“Because we’re so technology-centric, we forget that these scam tactics are actually old — even older than Internet scams — and very proven,” says Richard Werner, cybersecurity consultant at Trend Micro. “They work with emotions. When they put us in the right mood and trigger anger or fear, we forget all the advice. In these cases, we lose common sense, and that’s where [attackers] Take us.”
As a result, even a cybersecurity expert can fall for a scam, as Werner himself, a 20-year IT cybersecurity veteran, did. A phishing email with a Windows support-themed message arrived in his email just as he was struggling with the operating system malfunctioning on his computer. Luckily, it was a phishing training exercise from a source inside his company, and not a high-stakes one.
But as someone who has written phishing exercises for employee training, Werner knows that everyone from IT to HR has a trigger that makes them susceptible to a scam under the right circumstances.
Red flags
The scam that tripped me up was one of the most common vishing setups today spreading throughout the world. Even though there were warning signs everywhere, I still stayed on the phone with the attackers for more than three hours and let them manipulate me.
“When it comes to spotting tell-tale signs that people are being scammed via a voice call, the main question to ask is whether this is a usual method through which they would be contacted, if the person on the other end of the line asks invite them to do something out of the ordinary, is there a sense of urgency and does this trigger a strong emotional reaction?” says Javvad Malik, leading security awareness advocate at security firm KnowBe4. “If so, then it is very likely a scam.”
My scam had all these characteristics from the beginning. When I answered the call, an automated message told me that my national identity card (I reside in Portugal) was used for criminal activity and that there was an arrest warrant against me. If I wanted more information I should press 1. According to Werner this should have been the first signal to hang up.
“Everything that has to do with technology can’t be trusted,” Malik says. In this case, an automatic message should have notified me. Alarmed and intrigued by the claim that I might be imminently arrested, I took the bait.
I was transferred to a man who identified himself as Marco Jose, an officer of the Portuguese GNR (Republican National Guard) in Lisbon. He gave me what he claimed was his personal identification number and then told me that my identity had been used in connection with money laundering and drug trafficking. I dutifully answered his questions, forgoing information about myself because I thought I was speaking to an officer of the law.
The set up
Marco goes on to say that the police raided a house in Lisbon and found documents relating to numerous bank accounts opened in my name. He also said that the police found an abandoned car that had been rented in my name connected to the case, for which he provided a case number.
As I wrote down what he said, questions flew through my mind and mental alarm bells went off. Even though I logically recognized that her story was full of holes, at that point my emotions were flying the plane.
The very fact that the police had contacted me by phone should have made me hang up. If they were really interested in me as a suspect, they would have come to talk to me in person, as a friend and former GNR officer later told me
In fact, if someone is contacted by someone claiming to be law enforcement, the best thing to do is say you will call back and hang up. Look for the agency’s contact information (and don’t rely on the number provided by the caller), Werner advises.
Instead, I let Marco continue talking, too quickly for me to interrupt him. He said that even though he knew I was innocent, in the eyes of the law I was involved in criminal activity because my name and passport were used to commit it.
I could clear my name by talking to your colleague about the international authorities handling the case and trying to catch the criminals, but only if I assist in the investigation in the way you have instructed me to and if I follow your instructions carefully. I let Marco transfer the call to Dobra Volska, who she claimed to work for the International Court of Justice.
This is where I took another wrong step, as this type of coercion should have alerted me that something was wrong. But my fear had gotten the better of me, and I panicked at the thought of losing all my assets even to the modest sum of money I had in my two bank accounts. So I continued.
The closest
Marco took care of the setup, while Dobra was the closest.
Dobra’s job was to point out that in 45 minutes – she was very specific – the authorities would seize all bank accounts in my name associated with the alleged crimes, but that action would also affect my legitimate accounts. To protect my “hard-earned” funds, she offered to create a “secure digital vault” for all my assets. I was assured that the government would monitor the vault only long enough to seize the accounts and that my money would be returned to me immediately thereafter.
Over the next few hours, I did everything this woman told me to do, including sharing my laptop screen, making bank transfers, and downloading various applications, including an app called MoonPay to buy Bitcoin. I transferred cryptocurrency to a wallet controlled by criminals.
This urgency is yet another clue that I was scammed, as KnowBe4’s Malik says, but I was too frantic to recognize it.
“The scam ends by instilling a sense of urgency,” Malik says. “It requires the victim to act immediately and, in doing so, can create a sense of tunnel vision from which it becomes increasingly difficult for the victim to escape.”
This tunnel vision makes the victim unable to escape the situation, even if they desperately want to, Werner says. I kept asking Dobra to wait, that I needed to think; she reiterated that we didn’t have time, that we needed to act immediately and that my accounts would be seized if I didn’t do as she said.
Twice I asked for verification that he was who he said he was. Both times he made me hang up and his “colleague” called me from the actual number of the International Court of Justice in The Hague: clearly the phone number had been spoofed. As I continued to ask questions and take time to think, Dobra’s voice began to grow louder and more insistent. At one point she made a series of threats against me so vehement that I burst into tears.
“If the person on the phone doesn’t understand that you need time to verify who they are or to think about it, then that’s a red flag,” warns Werner. “Anyone well-intentioned will say, ‘Take your time, go to the next police station, call your bank,’” and he’ll give you time before taking any further action.
Isolate the victim
Dobra also warned me not to tell anyone, not even friends or loved ones, what was happening because this could somehow implicate them in the crimes I had allegedly committed. Even worse, they might be involved in the scam.
I texted my longtime boyfriend during this ordeal but didn’t provide any details. I just said I was a victim of identity theft and it was turning into a nightmare. When Dobra warned me not to talk to anyone, I stopped texting him. She later noted that if I had told her what was happening, she would have told me to hang up immediately.
If I had followed my instincts and kept talking to my boyfriend, I might have escaped the scam without losing any money, Werner says.
“In the midst of an attack, the important thing is to get out of the situation immediately,” he says. “Whatever you say, they will have an answer. So if you can, you should stop the situation, get out of it and try to get someone you trust involved.”
No shame in being made fun of
Many parts of my story are similar to the hours-long vishing ordeal recently trapped New York Times reporter Charlotte Cowles, where he ended up placing $50,000 in cash in the back seat of a Mercedes driven by one of the criminals.
She writes about the heartbreaking shame she felt afterward at being deceived, something I also experienced in the days following the scam. I spent a couple of days berating myself for doing something so stupid when I should have known better. After sharing my story with friends and acquaintances, I now know that there are many victims.
Werner had words of comfort for anyone who has fallen into vishing or another type of cyber criminal scam.
“Don’t be ashamed of what happened,” he says. “These [cybercriminals] they are very organised. They know exactly how you would behave on the other side and how you would behave to get out of the situation.”
The key tip for anyone from cybersecurity professionals to people who have never heard of it wishing — is to try to avoid committing from the start, so that scammers’ psychological games can’t be used against you, experts say. If someone receives a call that seems suspicious or even confusing, ask a few questions before answering or believing the caller’s story.
Training people to spot all the red flags I ignored can help them avoid falling prey to compromises, as can advising them to immediately contact someone on a company security team if they receive a suspicious phone call or encounter unexpected online activity.
“It is important that employees are provided with simple and reliable ways to report any suspicious phone calls or other activity so that security teams can be involved where necessary,” says Malik.