First of all, the Macdonald-Laurier Institute just published an updated version of my previous article on rising university tuition costs. Thanks to helpful feedback to that earlier post, I was inspired to dig into data from Ontario’s Sunshine List and, as a result, discovered a much more likely explanation for the (inflation-adjusted) doubling of the true costs of a Canadian university education in just 17 years.
Do check it out.
Today’s post will be noticeably different from anything else I’ve done here. It’s a one-off, but I think it’ll be worth your time. The target of my fury and disgust will be vicious and uncaring criminals. And, no, I’m not talking about federal civil servants (at least not this time).
In fact, this post will be a public service announcement about identity theft. But it’s also about how private companies are sometimes sufficiently incentivised to excel at tasks governments couldn’t dream of mastering.
Some of you might not know what I do for a living during those brief moments when I’m not slaving over posts for The Audit. Scary but true: among other things, I’m a Linux and cloud server administrator. In that particular capacity I’m constantly thinking about defending my infrastructure from hackers, scammers, and thieves. I’ve even taught the subject through multiple books and online courses.
Which is to say that I know a thing or two about digital security. So much, in fact, that I should be immune to identity theft attacks. Also scary but true: it turns out that, in fact, I’m not immune to identity theft attacks.
It all began when I was recently contacted by someone claiming to work in the fraud detection department of my credit card provider. I was told that warning flags had been raised over a couple of suspicious transactions using my card.
The visible caller identity information matched with what I’d expect from that company and I was receiving legitimate emails and text messages from the company in real-time throughout the call. Even the terrible on-hold music was the same as usual. In addition, the “agent” seemed to already have a lot of information about me and didn’t ask for many of the things you’d expect from scammers. The caller did an excellent job adopting the right serious-but-helpful attitude.
I was fairly alert from the start and looking for signs of trouble, and it’s not like I’m not already familiar with the standard trouble signs. But this guy was playing 4-D chess with me and was at least a few steps ahead. I even innocently threw him a complication that he couldn’t possibly have seen coming and he smoothly adjusted on the fly.
To further distract me, the scammer gave me a verification number. He told me to refuse to engage with any subsequent calls where the agent didn’t successfully confirm the number. Now I realize that he was just trying to prevent the real agents from intervening in his fraud.
But instead of cancelling my card, the guy was actually busy trying to put as many charges on it as possible. During the course of the call itself, the card was used to add to an Apple Pay account and to purchase ride shares through bolt.eu.
And it would have been much worse had the scammer’s methodology not included one or two flaws.
What was actually going on
The most obvious “tell” that I missed was the long periods I was left on hold. A legitimate agent later told me that they’re paid bonuses for calls that are concluded more quickly. Nothing would ever last three hours!
What was really going on during those holds? The scammer was actually making calls to the real credit card fraud department and providing little bits of information I’d given him to authenticate using my identity. Apparently, whenever they asked him a question he couldn’t answer, he hung up and came back on the line with me. When he got whatever he needed, he’d start a new call with the fraud team. The time he had to spend waiting on hold each time was the cause of my own extended hold sessions.
But his plans weren’t quite good enough. The legitimate agents later told me that the scammer’s voice and accent hadn’t matched their on-file authentication heuristics for me, which triggered a full shut-down of my account. For privacy reasons, I hate biometric authentication tools like voice identification, but I acknowledge that this time it saved me a lot of anguish. It could have gone a lot worse.
What I should have done
How could I have done a better job defending myself? As an agent later told me, you should ideally never engage in any call from anyone claiming to be from a financial institution. Instead, tell them that you’ll call them back immediately using the number listed on the institution’s website (or in the phone book, if you can find one of those). At most, you can ask for a case number to make it a bit easier to connect.
Having to initiate a new call from scratch will waste some time, but it’s worth it. And a real financial institution will never be insulted.
After all the dust had settled, neither I nor my credit card company had lost a single dollar. Their fraud detection system worked well and it left me deeply impressed. But it was close.
My husband used to watch "Scammer Payback" on YouTube, and that's where we learned most of the tricks they use. Very happy your fraudster didn't get anything from you!