My Experience of Being Victim of an Authorised Push Payment Scam
Recently, I received a short sequence of calls on my mobile phone the last of which I answered. The caller purported to be from my bank’s fraud department and announced fraudulent activity having been detected on my account. Despite my initial resistance, the persuasiveness and assurance from the caller led me to believe that there had indeed been an attack on my phone and that I could loose everything from my bank account; this perceived risk made me panic and become susceptible to further manipulation. Eventually, I was made believe by a group of three callers that only by helping this “bank’s fraud department” the fraudsters could be tracked down.
This story is a summary of being scammed into what is called an Authorised Push Payment, a scam when you’re persuaded by a criminal to send money to some account in order to protect you from fraud (ironic). According to Guardian, “Bank transfer scammers steal £700,000 a day from UK victims”. So I am not the only victim. The purpose of this story is therapeutic for me on one side, writing up my understanding of what has happened. On the other, I would hope that sharing my experience can help others to be more prepared themselves through a story rather than a list of warnings from a bank.
With the benefit of hindsight, many of my actions below will appear incomprehensible to the reader, and even myself after the facts, in particular if taken in isolation; but they can be understood in the context of a progressing narrative with a gradual loss of critical thinking in fraudster induced panic situation. Therefore, I have added a “hindsight’s red flag” where, after the facts, it is clear what went wrong.
Fertile Ground
In general, I would consider myself as a logically thinking person with an analytic mindset. When it comes to solving difficult technical problems, I tend to remain calm and focussed, even under pressure from peers or management; In such difficult situations I simply try to detach myself from any emotions and proceed with the task at hand in a very methodical manner as rushing matters is not conducive to arriving at any solution. That works in for me when facing factual, technical problems.
Dealing with fraudsters on a phone is a different kettle of fish; not only is it about dealing with people and emotions, it is about handling a situation with vicious and trained adversaries. This is not what I was educated for and requires different skills. Throughout my life I had the luck and privilege to be living in a more protected environment; I had not encountered criminals, or at least not knowingly, and therefore do not know how to read these people. I was not even aware of scams beyond the emails such as wealthy prince who would like to shift millions or a lottery win.
There are additional factors that make a fertile ground for fraudsters. First, I was being at home alone that afternoon, working from home as many people do under the UK lock-down. This makes me more vulnerable as there is nobody around to raise an alert if something sounds strange, like getting all panicky on the phone. Second, it was a very hot day; I think about 28 °C (82°F) in my little home office of 2 by 2 meters. My brain was certainly not at its best. Third, I was immersed in intensive work, focusing on various streams in parallel, some that demands utter concentration, and online conversations with colleagues.
Last but not least, there is one aspect to my mind, and perhaps everybody’s mind: latent fears; they are not the best companions and often the root cause of problems. In this context, the fear I have to admit to and having harboured for the past years is my that of loosing savings for the school fees of my son which I keep on a savings account. Just a months days ago I thought to myself: what would I do if a criminal took that money? Since I could not bear the thought I have been checking my bank status quite regularly. Upon a threat of loosing that money I would be prepared to do nearly anything.
Hitting the nerve
For fraudsters it is perhaps all about statistics: they must be sampling phone numbers, and may partially be fed by lists from “suppliers” of personal data. I do not know how prepared they are for each call, e.g. name, address, other collateral data from social media or simply Google searches. Perhaps a 10 minute search would be enough to get the picture. But maybe, they just try.
In my case, I received a sequence of calls while being immersed in work. Usually I do not pick up if there is no name displayed from my Contacts; I do not pay attention to the number either. After several rejected calls, I thought it might be something important and I ought to take the call. The person on the other end of the call claimed to be from my bank’s fraud department, my account had been compromised, funds are being transferred and I needed to act now to prevent further damage. To me, the worst nightmare is unfolding and inadvertently my mind switches to panic mode where reason and critical thinking seem to be switched off.
Hindsight’s red flag: my bank, like any bank, would have called from a specific business number; only after the facts I have seen from the call logs that the numbers were different and not business numbers.
Hindsight’s red flag: whenever I notice that I am entering a panic mode, use some grounding techniques to calm down until my mind is back. There is no life at risk and a professional caller would wait.
Building trust
Initially, I had doubts about the legitimacy of the caller and asked questions about the organisation; they sounded professional and did produce some information that was correct. As a proof for my phone being hacked, they asked me to open a Google page and type in “my 1p address location” which brings up the location derived from my phone’s IP address. Indeed, the response was “Mountain View, California (US)” as the caller claimed the alleged fraud originated from there. Sounded plausible.
Hindsight’s red flag: the IP address returned by the Google search is generic and not specific to the device used. Only clicking on the link will reveal the IP address of the internet provider at their end.
To gain further trust, the caller asked me if I have recently been using any public WiFI hotspot and possibly an insecure internet connection. I said that I usually use WiFi only at home, but that I may have been connected to some other WiFi in the preceding weeks. The caller said, this might be the moment when my phone got hacked.
Since I still had my reservations, I was transferred to a “manager” who tried to reassure me that all is fine and I really need to act now. To proof that they are “real” I should ring a number from my land line. I did that and found it plausible that my bank’s fraud department would use a London number for direct office lines.
Hindsight’s red flag: banks these days can only be reached through their switchboard service with a single entry point.
With my mobile being free now, the person persuaded me to install an app on my phone called “AnyDesk” which allegedly allowed the fraudulent fraud department track down the intruder. I actually refused to have this software installed on my work computer, but accepted on my phone as it sounded something an IT or anti-fraud department would need to do in order to monitor TCP/IP traffic on my phone.
Hindsight’s red flag: banks would not ask installing software and instigate taking control of a device; it would have to work the other way round.
With the IP address smoke screen set, and the “AnyDesk” software installed, the scene was set for the next stage, transferring me to another specialist.
Striking a chord
The third person talked about fraudulent activity on my account; it was not a withdrawal, nor a purchase, but somebody got hold of my App credentials to masquerade as me and tried to transfer money from my account to a target account. She seemed to know information about my account which gave me further assurance that this might be genuine; perhaps using yet another reassurance technique, she said that I am not the only one but a whole group of customers who are affected and it was suspected that a bank employee has leaked my details to a fraud organisation for money.
Hindsight’s red flag: the reason the person knew about my account and branch was because they had now hijacked my banking app.
As a whole, the third person claimed that my whole account was affected and there is nearly nothing that can be done about it. I asked if I could go to the branch and set up my internet banking again. She said this was no use as the person is in the bank and the fraudsters control my App; so changing the credentials would not help. The only way out would be cooperation by laying a trap for the alleged fraudster. They would send money to my bank account to make sure there are enough funds; I would receive a confirmation by SMS.
Hindsight’s red flag: it did receive an SMS in the bank’s name in the message text saying that funds were transferred. The bank would not do that.
The trap would work as follows. I would have to make exactly the same bank transfers that were initially declined (and actually never existed). The real bank fraud department would call to verify the transfers whom I was instructed to say that all is fine (I should not to blow the operation, it is common practise and standard procedure). Once the transfer was verified, the alleged fraudster would be notified and try to withdraw the funds. At this point the police would be notified to catch the person.
Hindsight’s red flag: the amount of the alleged transfer the initial call was about is in the order of the savings; no coincidence once the fraudsters can see the accounts through the “AnyDesk” app.
Hindsight’s red flag: the bank would not involve customers in such an operation if it existed at all; they would not even need the customer to carry out these kind of transfers.
The plan was carried out; as somebody who always wants to be helpful and tends to follow the instruction of a recognised authority, I followed them like those of an IT help desk; all went fine for the real fraudsters. After three hours on the phone, the third person said that the funds were received on the alleged fraudster account and we need to wait for the trap to spring in action. She would call the next day to give me an update.
The aftermath
A few hours later, when the adrenalin level had dropped, I regained a clearer mind and immediately called the bank through the official channels in order to file a fraud alert. The next day, I followed up and provided more details on all numbers used. In addition, I filed a case with Action Fraud. The wheels are in motion and, as a victim, I do hope to recover the money lost; the fraudsters took the savings which were intended for the school fees for our son.
As a result I feel devastated and incredibly stupid and it will take a while to recover, mentally, emotionally and financially.
