Support the fact-based journalism you rely on with a donation to Marketplace today. Give Now!
How scammers hijack their victims’ brains
May 9, 2024

How scammers hijack their victims’ brains

HTML EMBED:
COPY
Whether they’re stealing $80,000 or $500, criminals often use elaborate "social engineering" schemes to persuade people to act. Staying safe means first understanding the tactics of manipulation.

Today’s episode of “Marketplace Tech” is all about financial scams: how they work, what kinds of technology scammers use and how to spot a scam before you fall victim to one.

Marketplace’s Lily Jamali spoke with Selena Larson, staff threat researcher at Proofpoint, and together they listened as real scam victims shared their experiences.

The first story came from a woman named Shannon in Minnesota. We’re not using her last name to protect her identity. Shannon said she was at work on a typical Tuesday last fall when she received a call from a person claiming to be a local sheriff’s deputy. Here’s what she said:

The sheriff’s deputy says that I was an expert witness for a federal court case that happened the day before and I did not show up. He said that I had a subpoena order to come as the expert witness and I was a no-show, which is a federal felony. And he mentioned the judge, so I looked up the judge, and sure enough that is the federal judge for that county. Everything’s following suit as I’m looking it up. And I’m like, OK, this is the county sheriff’s phone number, this is the judge, this is the deputy sheriff, this is real. They said at this point, you have these federal felonies and that I can either get off the phone at this point and seek legal counsel, and at that point I will be immediately incarcerated and they will have to seek legal counsel with my lawyer and no longer with me, or I can pay these bail bonds. At that point, the bonds were $50,000. Also, there was a gag order and a must-maintain-contact order, so I had to maintain contact with them the whole time.”

And that’s just the beginning of Shannon’s story. The rest includes threats of jail time, lies about handwriting tests and another $30,000 so-called bond payment. In the end, Shannon lost more than $80,000 in the scheme.

So how did the scammers pull it off? And how can we protect ourselves in the future?

The following is an edited transcript of Jamali’s conversation with Larson and the stories from scam victims.

Lily Jamali: Let’s talk about the technology and information scammers have access to for a minute. Shannon said that she Googled the number that appeared on her phone from what turned out to be a scammer. How are fraudsters able to spoof phone numbers or identities of public officials?

Selena Larson: Yeah, unfortunately, phone number spoofing is a common technique that’s used by scammers. Basically, it makes it look like the call is coming from a government agency, someone in your same area code, a specific individual that you know the phone number of. There are tools that let people designate what phone number they want to actually appear on a caller ID. So, the [Federal Communications Commission] and other U.S. government organizations have put out advisories essentially about this technique that’s unfortunately common when we’re talking about phone scams. And scammers often research both the target and the people that they’re impersonating to create scripts that would be more effective to the individual. So not only are they spoofing the phone number, but they also have information and a conversation that might lend additional authenticity to whoever they’re pretending to be.

Jamali: Let’s return to Shannon’s story for a couple of minutes. What we heard from her earlier is just the beginning of her story, as I mentioned. Let’s bring her back to tell us how her story ended.

Shannon: The next morning, the scammers called. They said we are so sorry to tell you this, but there is a federal marshal who came and with that federal marshal, we have come to an agreement that there is one more bond that needs to be rectified for you to come in, so that we don’t have any more trouble with the federal government and with these federal felonies. And I’m like, I am completely wiped out, there’s no way. Obviously, I didn’t sleep the whole night, I’m exhausted, I could barely eat. And at one point, my husband just takes the phone and he just starts going livid. And all of a sudden it was like Rumpelstiltskin, and behind these AI-generated voices that sounded like people from here, these voices from across the world come on. And they start mocking us, laughing at us, saying how they got $80,000 from us and just make a mess of us. And they don’t get off the phone until we hang up.

Jamali: So, this is just a piece of Shannon’s entire experience. In her interview with us, she said the scammers overwhelmed her with information and legal terminology. They told her that she would get her bond money back once the subpoena issue was resolved. And crucially, they instructed her to send her payments through a cryptocurrency kiosk at the grocery store, which she was told would be received by the U.S. Department of Treasury. So, with all of that in mind and having heard these pieces of her story, what are some of the red flags that you notice that we can learn from?

Larson: So starting off, pretending to be someone with authority, especially the government, and using scare tactics to convince people that they are authentic. Scammers will say things like “Don’t tell anyone” and “Stay on the line with me” to maintain these sort of high levels of stress and isolate the victim so that they will be more likely to make bad decisions. Directing her to a cryptocurrency kiosk is a huge red flag. I think that that’s something that you see a lot of times with these scams, and of course, that would never happen with legitimate government organizations. She also mentioned that they were talking about a lot of legalese and saying information and using seemingly legitimate pieces of information and government-speak to try and further convince her of this lie. Again, that’s a very common technique. Overwhelming someone with information that is hard for them to immediately fact check without doing a significant amount of research. And that’s why they want to keep you on the line. That’s why they say, “You have to keep talking to us, and you can’t tell anyone that this is happening to you.” Because if you have the time to think about something and research it yourself or for Shannon to talk to her husband, someone else can say, “Hey, maybe this isn’t correct. Let’s talk about this. Let’s think through this.” So it’s definitely part of the scammers’ toolbox.

Jamali: Shannon says she thinks the scammers may have been using AI-generated voices. We can’t know for sure if that was true in her case, but is that something that scammers are using a lot these days as AI tools become more accessible?

Larson: Yeah. So there are voice modification tools that are broadly available right now for people to choose what to make their voice sound like. They might be used in things like reading scripts for advertising, or videos, even multiplayer video games, people kind of trolling each other with fake voices. But scammers use this technology to pretend to be someone else. Some of these tools say that they are AI-based, and some of them can imitate people like celebrities, politicians, podcast hosts, or really anyone that has enough training data — podcast host, for example. It does come down to whether there’s enough audio available of a person to be able to sort of effectively clone their voice for a prolonged conversation. And it’s also worth noting that AI can copy voices pretty convincingly now, but the scam itself will still be the same. So, the red flags will still be there. Weird instructions like “Send your cryptocurrency to the U.S. Department of Treasury via this kiosk” should still be a red flag, regardless of if you’re talking to an AI politician or a random stranger.

Jamali: So, in a sentence or two, what do you want people to know about these kinds of financial scams?

Larson: They are insidious and can really impact anyone, especially if you’re talking about these phone scams. It’s always best to hang up the phone and call the number that’s listed on the government agency or the sheriff’s department or the court information, really whoever is being spoofed. So even if it looks legitimate, you want to hang up and call that number that belongs to the legitimate authority or organization, and then contact them from there. If it is legitimate, then there will be a conversation and you can ensure that you’re talking to the right person.

Jamali: We heard from several people wanting to share their scam stories for this episode. Let’s take a listen to Haley from California. Haley was on her third day at a new job, and she was out on a run before work when she got an email from the president of her new company.

Haley: He says, “I’m in a meeting with a longtime client of mine, and I really want to show them our appreciation. Can you go to the store and get a gift card for me?” I work in crisis [pubic relations], so it’s not out of the ordinary for me to do tasks kind of early in the morning or late at night. And so, I literally ran to the store because I was already running. And he said, “Can you take a picture of the different gift cards that are there, and I’ll see which one I want to do?” And then he’s like, “OK, great. Let’s do Apple for $500.” And then he said, “Just send a picture of your receipt and we’ll reimburse you.” So I swiftly go to checkout. And he says, “Just scratch off the back and take a picture of the number.” And so I did that and the moment I sent the picture of the back of the card, I realized what I was doing. I was like, “What have I done?” The entire scam took place within the span of 15 minutes.

Jamali: I’ve heard from a colleague at the company where I work that they’ve heard from scammers pretending to be our CEO in a very similar scheme. What stands out to you?

Larson: Yeah, so this social engineering technique really pairs urgency with this desire to do good work or support and respond to positions of people in authority. Of course, with Haley, she just started the job. She wants to make sure that she’s responding very quickly and showing that she’s a good employee. And it’s understandable that that would be her reaction to something like that. I also want to point out here too that it’s interesting to me that she was on a run when she got this because oftentimes, we’ll receive these types of emails at times of day when we might not be on our guard 100%. With these gift card scams in particular, the financial payoff is usually significantly less than what we heard with Shannon, for example, and it takes the scammer less time and they can kind of cycle through more people. And the threat actors who are conducting these types of scams might also be involved in things like Shannon’s story, or ransomware, or other types of extortion, which can lead to very serious financial as well as mental health consequences.

Jamali: People who have been victims of scams so often feel really ashamed. Maybe they never tell anyone. They don’t tell family or friends what happened because they’re scared of being judged. How do you think victims should react in the aftermath of a scam?

Larson: Well, first, I do have to give tremendous kudos to Shannon and Hayley for sharing their stories. I think it takes a tremendous amount of courage to not only admit that this happened to you, but to talk about it in a public setting because the shame is there. I’ve talked to many, many people who have been scammed, and they feel the same way a victim of a real crime would feel. However, in this case they feel like it’s their fault. I think part of that is because of the way that people react to it. People say things like “Well, you should have known better,” and that’s the wrong reaction. Anyone can fall for social engineering if it’s tailored to them. It’s just a matter of being presented with it at the right time with the right potential consequences with the correct convincing conversation. And I think that feeling bad and feeling ashamed is very, very common, and I don’t fault anyone for feeling that way. But I really encourage people to at least report it to the authorities. And I also encourage people to talk about it with friends and family because the more that we talk about this, the more we can sort of reduce the stigma of being a victim of a cybercrime and make it OK to talk about. And the more people are aware of it, the less that this will happen, and we can actually prevent future people from experiencing similar crimes.

More on this

An essay in New York magazine’s “The Cut” went viral online earlier this year, when financial advice columnist Charlotte Cowles detailed how she herself fell victim to a financial scam and lost $50,000.

In a lot of ways, her story is similar to Shannon’s. Cowles wrote that she got a call one morning that her phone identified as coming from Amazon.

A fake Amazon worker, along with men posing as agents from the Federal Trade Commission and the CIA, spun a story of identity theft, telling Cowles that her Amazon and bank accounts had been hacked, her data stolen, and as a result, her name had been tied to drug trafficking and violent crimes. They told her there were arrest warrants for her in several states across the country.

The only way to stay safe and out of trouble, the scammers said, was to remain on the phone, keep herself isolated and hand over the majority of her savings for safekeeping.

Of course, none of this tangled mess was true, but what is true is that Cowles eventually put $50,000 cash in a shoebox and handed it to a stranger.

The story lit up X, the former Twitter, as users shared jokes and criticism aimed at a financial writer, of all people, who fell for a massive scam.

But as Selena Larson pointed out in our conversation, anyone can fall for social engineering if it’s tailored to them. So maybe instead of asking, “How could anyone fall for a scam?” maybe the better question is, “If it happened to them, how can I make sure it doesn’t happen to me?”

The future of this podcast starts with you.

Every day, the “Marketplace Tech” team demystifies the digital economy with stories that explore more than just Big Tech. We’re committed to covering topics that matter to you and the world around us, diving deep into how technology intersects with climate change, inequity, and disinformation.

As part of a nonprofit newsroom, we’re counting on listeners like you to keep this public service paywall-free and available to all.

Support “Marketplace Tech” in any amount today and become a partner in our mission.

The team

Daisy Palacios Senior Producer
Daniel Shin Producer
Jesús Alvarado Associate Producer
Rosie Hughes Assistant Producer