
How I got scammed

🌈 Abstract

The article discusses the author's experience with being the victim of a phone phishing scam, where a fraudster pretending to be from the author's bank tricked them into revealing their credit card information, leading to over $8,000 in fraudulent charges. The article explores the various factors that contributed to the author's vulnerability, including the use of outsourced fraud detection services by the bank, the timing of the scam, and the author's own expertise in fraud and social engineering. The article also discusses the potential for AI-powered customer service systems to further condition customers to be susceptible to phishing attacks.

🙋 Q&A

[01] The author's experience with the phone phishing scam

1. What happened to the author that led to them being the victim of a phone phishing scam?

  • The author was tricked by a phone phisher pretending to be from their bank, who convinced the author to hand over their credit card number
  • This led to over $8,000 in fraudulent charges before the author realized what had happened
  • The fraudster then tried to scam the author again a week later

2. What factors contributed to the author's vulnerability to the scam?

  • The author had just used a pair of "dodgy ATMs" while on vacation in New Orleans
  • The author was in a hurry and distracted due to the chaos at the airport from the grounding of the Boeing 737 Max planes
  • The author's bank used a "slightly crappy outsource/out-of-hours fraud center" that the author had previously had sub-par experiences with

3. How did the author eventually realize they had been scammed?

  • The author realized the fraudster had asked for the last 7 digits of the credit card, rather than just the last 4 digits as the bank's representative would have
  • This made the author realize they had given the fraudster the entire credit card number

[02] The author's expertise in fraud and social engineering

1. What experience does the author have with fraud and social engineering?

  • The author is writing a series of novels about this type of scam
  • The author regularly attends the "social engineering" competitions at the Defcon conference, where hackers try to con merchants into giving up information

2. How did the author's expertise contribute to their vulnerability in this case?

  • Despite the author's knowledge of fraud and social engineering tactics, they were still successfully conned by the phone phisher
  • The author notes that "I'd been conned" and that they "knew I could be conned"

[03] The potential impact of AI-powered customer service on phishing vulnerability

1. How does the author believe AI-powered customer service could make customers more vulnerable to phishing?

  • As fraud reporting and contacting is increasingly outsourced to AI, customers will be conditioned to dealing with semi-automated systems that make mistakes, force repetition, and ask irrelevant questions
  • This will make customers more accepting of the types of behaviors exhibited by the phone phisher, enhancing the phisher's plausibility

2. What historical example does the author provide to illustrate this concern?

  • The author cites the UK banks' "Verified By Visa" system, which required customers to re-enter parts of their password on a third-party site, training customers to be susceptible to phishing attacks

[04] The author's recommendations for mitigating this type of scam

1. What steps did the author take to address the issue with their own bank?

  • The author spoke with the head of risk management at their credit union about the scam
  • They discussed ways the credit union could better train their after-hours fraud staff to recognize these types of calls
  • The author also provided feedback on improving the bank's phone menu system to better direct customers

2. What broader recommendation does the author make for companies to avoid creating vulnerabilities?

  • The author states that "companies can't close all the holes, they can stop creating new ones" when it comes to Swiss-cheese security vulnerabilities
  • The author suggests that companies should avoid training customers to accept the types of behaviors exhibited by scammers, as this can enhance the plausibility of phishing attacks
Shared by Daniel Chen
© 2024 NewMotor Inc.