How Anne Got Phished and What We Should Learn from Her Experience

by James Wallace Harris, 2/2/24

My friend Anne called me the other day terribly upset. Her bank had just called her to say her account had been hacked. She was worried that her computer was the tool of the hackers and wanted me to look at it. Anne was freaked out and called me because I’m her computer guy.

The first thing I asked her was, “How do you know it was the bank who called you?” She said the bank’s name and phone number came up on her phone. I told her she needed to call her bank and confirm that. I told her the bad guys can pretend to be anyone. Anne said she would do that immediately.

When I didn’t hear from her for a couple of hours, I called her. A man answered. I didn’t think it was her husband but asked for Anne. A woman I didn’t know got on the line. I again asked for Anne. She said she was Anne. I was suspicious, so I asked this time giving Anne’s full name. She said, “Yes, that’s me.” I said, “No, you’re not,” and hung up.

I couldn’t call Anne, but I thought a text might get through. I texted “Call me right now.” The real Anne called me. I told her what happened. She said she’d been on the phone with her bank for hours and she had been phished. They stole $3500. I told her she needed to call her phone company immediately. “Tell them your calls are being redirected.” A couple of hours later, she called back to say her forwarding had been set to another number and the phone company had turned that off. Anne said the phone company couldn’t help her anymore and would notify their security people, but it would take a few days.

My guess is the phishers had gotten ahold of hacked data from Anne’s bank, so they knew a lot about her, enough to convince her they were the bank. The phishers then conned Anne into giving them more information. Then they rigged her phone so they would get her calls. That would allow them to confirm any transfer requests. That’s very clever.

Anne knew she had been duped, and it made her feel stupid. Anne is no dummy. She has two undergraduate and two master’s degrees. But we want to trust people, especially banks. We trust banks with our money, so we want to believe they’re dependable.

Anne brought over her laptop for me to check. It didn’t seem to have any malware or viruses, but Google would not work using Chrome. I couldn’t change anything on the computer because an IT department had it locked down. I don’t know if it was a coincidence that Google stopped working, or if the phishers had somehow jammed Chrome and Google without needing administrative rights. They wouldn’t have needed to hack her computer to steal the money, but it might have helped them by keeping Anne from searching for help.

Anne was still upset, frequently crying, and embarrassed by this event. Her bank had immediately replaced the money, but Anne was still afraid something else was going to happen. She’s so afraid that she’s changed banks and is doing everything she can to protect herself. She cried off and on for days. At first, she didn’t want me to tell anyone because she was embarrassed about being conned. But I said she should tell everyone she knew to help other people avoid getting phished too. That’s when she said I could blog about her.

Now I’m worried. I’m thinking about all the things people should do to protect their identity and money. Once I started thinking about it, I realized the problem is immense. What should I do to be more proactive? We generally think of “identity theft” in terms of people, but phishers also steal the identity of banks. Solving phishing would require perfect identification of people and corporations. But since nearly everything happens online today, it’s easy to spoof both kinds of identity.

An antivirus program won’t protect you from this kind of theft, although the best ones try. Norton has a nice tips page, “How to protect against phishing: 18 tips for spotting a scam.” Its focus is on phishing emails because that’s what their software can deal with, but you also need to consider phone calls or even people coming to your door.

There are also all kinds of anti-fraud services for credit cards, but I don’t know enough about them yet. AARP has a whole website devoted to “Scams & Fraud.” It even has an article, “Bank Impersonation Is the Most Common Text Scam.” It makes me want to join AARP, but I wonder about trusting a company that has so many ads and popups.

Remember the old days when you had to go to the bank in person? And the bank was a big, impressive building? The digital world is both insubstantial and so damn shady. Since I read a lot of science fiction, I think of what the future might bring to solve phishing and identity theft.

The core problem is verification of identity. Right now, thieves can be you with a username and password. Hell, my iPhone needs facial identification before it will talk to me, so why don’t banks want better verification? You’d think banks would want two or three kinds of biometric proof of your identity before they transfer any of your money. But then, how do you verify your bank is your bank?

Another thing that worries me is the number of companies that have my credit card on file, or my bank account routing number. I hear about big companies getting hacked all the time. Maybe there should be a law against storing such financial information, or even personal information. It would be a pain in the ass if I had to fill out all my information every time I ordered an ebook from Amazon, but it might be worth it. PayPal is one solution to hide credit card information.

Just a bit of searching the internet on how to protect myself from fraud reveals it could be a subject worthy of a college major. Right now, banks and stores cover digital theft, but will that always be true? Insurance companies that insure homes are going out of business in some states because of too many natural disasters. Some retail chains are closing stores in areas where there’s too much “shrinkage” in their inventories. So, I can imagine banks going bankrupt or refusing some types of customers.

Right now, banks are making more money by laying off human tellers and using online systems. They probably save enough money downsizing buildings to web servers even with the cost of covering phishing theft. But at some point, they will decide that the cost is too high. I think the reason many people want to elect Donald Trump again is because they secretly want more of a police state. They’re tired of all the crime and cons. One way to solve it is to use computers and the internet. Americans never wanted national identity cards, but what will they think of being chipped like a dog? Things could get very weird in the future. If we really knew the absolute identity of every person and their location, it would solve a lot of crimes, but what would it mean to personal freedom?

Anne just called me. She’s learning. She got a phishing attempt in her email. She called to see if I thought it was the bank phishers. I didn’t think so. I told her that The International Guild of Phishers kept a dummies list on the Dark Web to share with each other.

At least she laughed at that.

JWH

4 thoughts on “How Anne Got Phished and What We Should Learn from Her Experience”

  1. Very worrying. I received a worrying email the other day—one that didn’t go through to spam—that said they’d received my payment for $879. It obviously had fake written all over it, but I’ve been watching my bank account anxiously.

  2. “Americans never wanted national identity cards, but what will they think of being chipped like a dog?”

    Too many Americans would interpret that as the Mark of the Beast for it to seriously catch on.

    1. Remember, it only takes about 30 percent of determined Americans to change the laws for all of us. I can imagine some parents chipping their kids to protect them. Then we’ll start chipping criminals. And before long businesses will want everyone chipped because it will save them money and people will agree because it will offer them many conveniences and security. Of course millions will refuse.

  3. You know that saying “it’s like shooting fish in a barrel”? I do my darnedest to be smart about online safety but I know I’m one of those fish in the barrel – so far I’ve been lucky but I could be picked off any minute of any day.

    In the last 2 years I’ve had letters from four different entities alerting me to security breach “incidents”. The most recent one offered me 12 months of IDX credit monitoring which I won’t be using because a previously breached company is already providing 24 months of IDX monitoring. And I’m sure before the 24 months runs out I’ll get another incident letter offering more monitoring. 😦

    Your friend Anne shouldn’t feel one bit foolish. A person can do everything possible and still get caught. It’s frightening and enraging, but who am I mad at??? Technology? Maybe the use of technology is a new root of evil. Back when I was impatiently standing in line at the bank I had no idea how good I had it.
