Cartoon avatar of Charles Sprayberry
cspray.io

I got scammed: A Postmortem

I got hit by a scammer. The embarrassment is still pretty fresh and I feel mighty silly having to make this post. However, when something goes that badly I feel like a proper review of what happened should occur. That way you can properly address what went wrong and make sure it doesn't happen in the future. Fortunately I was able to limit the amount of damage, and we aren't in danger of missing bills or anything. Ultimately the amount that I lost is just enough to make this a painful lesson I won't soon forget but nothing I'm actually worried about.

The Scam

The scam itself wasn't anything special. It was a gift card scam. The attacker convinced me to buy a gift card and send them the codes through text messages by impersonating somebody I know. In hindsight the attack was blatantly obvious, but there was a perfect storm of events that led to me believing the initial text at face value without critically analyzing what was happening before it was too late.

Perfect Storm

Quite frankly, the scam wasn't very good. There were a lot of obvious parts of the messages that made it clear they weren't legitimate, if I had just stopped to think about them. I have a strong belief that had I not been in 1 or 2 of the circumstances below, I would have caught this before it got to the point I was actually financially hit.

  • Did not have access to normal, out-of-band communication
  • Received messages while I was distracted with real life errands
  • Messages effectively played on my emotions and relationship with friends

Since this is a postmortem that's meant to help me figure out exactly what I did wrong to come up with effective solutions to prevent them in the future, I'm going to dig into each one to talk about why I found myself in that situation.

Did not have access to normal, out-of-band communication

I work from home; between that and COVID I've spent a lot of time in the house my wife and I rent over the last 3 years. Normally I'd have access to my computer, would have messaged the person in our chat application, and that would have been the end of it. However, I was away from home and did not have immediate access to my PC. On top of that I had recently upgraded to a new phone but had not taken the time to swap all 2FA and chat applications over. One of the few remaining apps on my old phone was the same chat app I would need to speak to the real person being impersonated.

Received messages while I was distracted with real life errands

I was away from home taking care of some errands when I received the messages. On top of that I was having a serious conversation with my wife and there were a series of things we needed to get done on a fairly tight timeframe. In addition, some errands went a little sideways and caused plans to go off-course pretty significantly. All of that added up such that I never actually analyzed any of the text messages received. I was running on auto-pilot at that point and the goal was to Get Shit Done. I simply added this scammer's request on to the list of things I needed to slam through.

Messages effectively played on my emotions

This is the real big one. The person the scammer impersonated is a dear friend. They've done a lot for my wife and me. I can honestly say I would not be where I am without this person's support and friendship. I don't have a lot of "ride or die" friends but if this guy called me up and said he needed help burying the bodies I'm packing up and leaving tonight. When I saw his name in the message I went into an immediate, emotionally-charged response of "I need to help my friend". I never left that state until I had already satisfied the scammer's initial request and was able to sit and think without emotions clogging up my thoughts.

Going Forward

Although there were some challenges that helped the scammer's cause, what was happening was so obvious in hindsight. There were several red flags raised and my noticing any one of them would have prevented this from happening. However, I want a specific list of action items that will help ensure I'm better protected from this type of social engineering attack.

Quell Initial Emotional Response

My emotional response to the initial text message is largely what drove my actions after that. As I mentioned, I received a request, supposedly from a friend, that they needed my help. If you actually have my phone number to the point you can send me messages I'm gonna be inclined to help you, regardless of who you are. This being a dear friend exacerbated that emotional response.

However, there's no situation where a person needs money right now in the form of a gift card but isn't able to also talk to you over the phone, FaceTime, in-person, whatever. Quelling my emotional response and allowing critical thought to take shape would have recognized this almost immediately as a scam. Unfortunately, this will be the hardest action item to complete and one that lasts a lifetime. While I want to think critically when faced with these situations I can't change my desire to help my friends, not sure if I'd want to regardless.

Fully Migrate Phones

If I had migrated all of my chat and 2FA apps from my old phone to my new phone I would have attempted to communicate with the person through a different channel and almost immediately would have recognized this as a scam. This action item is pretty easy, and I'm planning on finishing this the day this blog post is published.

Don't Blindly Complete Tasks

I was running on autopilot. The time for thinking was over, now's the time for action! That's good with the stuff that I had already spent a lot of time thinking about and was in the middle of executing. That isn't so good with new stuff not related to the stuff I just spent so much time thinking about! Even when I'm in autopilot mode I need to recognize when new tasks aren't in context, stop, and critically evaluate them.

Refresh My Security Readings

I have been lax on reading up on cybersecurity recently. Not reading those articles and reminding myself of the constant, steady stream of attacks, social engineering and technical, we're constantly under caused me to become complacent. I need to refresh my list of good security content to read and spend more time on a weekly basis reviewing that content to remind myself of the threats attacking us and ways to properly combat them.

Wrap Up

Taking a security-conscious approach to my software and business operations is something I pride myself on. Having this happen has been deeply embarrassing. I've spent a lot of time since it happened replaying what went down and how I could have not made mistakes. I'm sure that I'll see this type of attack again, and others. Hopefully I'll be better prepared for the next time. I'm gonna leave you with a post that @brunty@brunty.social made on Mastodon.

https://brunty.social/@brunty/109834575451826226