Maggie's Farm

We are a commune of inquiring, skeptical, politically centrist, capitalist, anglophile, traditionalist New England Yankee humans, humanoids, and animals with many interests beyond and above politics. Each of us has had a high-school education (or GED), but all had ADD so didn't pay attention very well, especially the dogs. Each one of us does "try my best to be just like I am," and none of us enjoys working for others, including for Maggie, from whom we receive neither a nickel nor a dime. Freedom from nags, cranks, government, do-gooders, control-freaks and idiots is all that we ask for.
Monday, November 7. 2022

Some Useful Advice

Recently, I've had a number of bad events occur. Supposedly, these things happen in threes, and I'm hoping that's how it goes. I won't share the first two event details. Needless to say they are both very upsetting and expensive events.

The third event was VERY expensive. And very avoidable. What made it particularly galling was how it happened to me, someone who is ridiculously careful online because among the roles of previous jobs I've held, one has been the management of online privacy and data. Compelling partner companies to take extra effort, steps or other precautions to protect user data and information.

If your company is like mine, you take tests each year to identify several different forms of potential identity capture. Phishing, Spearphishing, downloading Trojan horses, etc. There are many ways to do it, and I'm familiar with all of them. I've always passed these tests with flying colors, and I've even caught several transgressors over the years.

Before I tell my own, very humbling, story, let me say this kind of event is not just an issue of being online. My stepmother is not as adept online as I am, so does not engage the internet to nearly the degree I do. Yet several years ago she was scammed out of several thousand dollars in attempting to do something good for her grandchild - so she thought. Unfortunately, she (much like I am about to detail) missed one or two key details in her situation, and fell victim to a con over the phone. Anyone can be a victim.

My situation involved an online trading account. It was not a particularly small one, but not my 401(k) either. It is a side trading account where I 'have fun' from time to time.

Well, the story goes like this. I know better than to click links in emails, or follow any email directions that lead me to strange sites. I'm also very prudent about typing in URLs when I want to visit sites of this sort.
It's (usually) the best way to securely get to where you want to go. I won't bookmark very often, because bookmarks and other information can be stolen. I don't keep passwords hidden on my computer, and I am very careful about my password choices. These are all important details. Criminals, however, look for moments of weakness and exploit them. So you can be doing everything right, and there can still be a problem and you must be aware at each step along the way.

For this particular account, I hadn't signed on in a few months. So I felt I should visit it, check in on it, and see what was happening. I typed in the URL and signed in, and was met with a message that "your account has been blocked due to identification of a new device." This is not uncommon. New devices won't have the same identifying information that previous devices do, and as a security measure, it's a good one to have.

So I contacted their help desk. I was asked if I had my two factor authentication ready and I did. Now many online accounts will also require ID in the form of a picture ID (driver's license will do) followed by a picture of yourself from an online camera. Again, good precautions.

I went through each step, sharing the Driver's License, then snapping the picture, and finally getting an email asking if I was asking to unblock my account. Each step was one I was familiar with, but this was where I made a critical error. I was asked for my two-factor authentication to be provided to the help desk chat. I provided it. I waited several seconds, then was told that I could enter my account, but to sign off and sign on again, again - a perfectly normal procedure.

The problem was, when I signed back on and opened my email, I was met with a message that I'd transferred all the money in the account to a wire account. I freaked out, quickly signed on to my now seemingly unblocked account and indeed - it was empty.
I contacted the help desk and walked through the procedures and that's when I noticed my error. Well, really 2 errors.

When I'd typed in the URL, I must have made a small typing error and gone to a fake site which pretended to be my account. The look, the design, the pop ups - everything was perfectly done. I know this happened, because once I determined what had happened, I tried the URL again and did several variations of error until I got it - if you type in the name a particular way, there is a very quick, almost unnoticeable, transfer to another website and if you don't pay attention closely, you'd miss it. That was my first error. That alone did not doom me.

I've visited this site several times since as I shared information with the DA, Police, and the real online site. It is a very craftily designed site, and I give the criminals credit. If they put this much effort into real work, they'd be successful.

I shared, with the online site, several ideas to help prevent something like this happening again. 2 or 3 simple ideas that won't take much to implement. For example, while I received an email notification that I had transferred the money - why didn't I receive one asking IF I WANTED TO TRANSFER THE MONEY?

I can point fingers at their failure(s) all day long, but ultimately the failure was mine and mine alone. My failure was sharing the two factor identification IN THE HELP CHAT. It was here that they were enabled to actually enter my account. I'd managed to unlock it. But for them. I knew better, but for some reason that I can't put my finger on, I didn't stop there and think "hm...that's weird...why do they need this?" To me, it just seemed logical.

I can't describe the feelings I've had since then. Mixtures of shame, humiliation, fear that they could have done more - or may do more - if I am not more careful. But the monetary damage alone is significant. Not backbreaking, not small.
Just large enough to give me pause and rationalize that "at least I have my health". It's a strange thing to say, but it's true. Because right now I'm dealing with family members who do not have their health, and face far, far worse financial situations as a result.

I've never been one, because of my background in online data and privacy, to make fun of people who fall for scams. I'll share advice, provide a level of sympathy, and now can even experience a level of empathy with others who go through an experience like this. It's not easy.

Several hours after it happened, I called my stepmother and told her what happened to reassure her that even so-called 'experts' can be had. I felt it was meaningful because her experience had shaken her to the core - as my own had to me - and struck at her confidence, just as it had struck at mine.

For what it's worth, the online account firm is doing an investigation, and so is the District Attorney (who recommended I also notify the FBI Cybersecurity division). So I'm not sitting down on this. I will be realistic. I won't get the money back, and it was a valuable, if expensive, lesson to learn.

On a personal note, one of my recent personal 'crusades' is to push back against 'experts'. "Expert" is a term used far too loosely these days. In fact, I've spoken at several industry events where I have been called an "expert" on this very area. As a friend of mine said as I detailed the events "Bulldog, you geek out about this stuff...if you can fall for it, it shows how good the criminals are getting." Well, no. Maybe it's just that we all have moments of weakness that we need to guard against.

As my cousin (who has been speaking as an "expert" in his field for several years) asked my son "What does it take to be an 'expert'?" Well, the answer is simple. Just have a few people recognize that you know your stuff in whatever you're talking about, get invited to write or speak on it, and suddenly you'll be a recognized "expert".
So I am an "expert" on this stuff, but reality is the term means absolutely nothing. It's a nice thing to be called, but doesn't make you immune to error.

A last thing I'll share. Over the past few nights, I've had disturbing dreams of someone trying to break into my house. I woke up from one, after experiencing some sleep paralysis, with a loud yell, literally willing myself up and shaking off the paralysis. I know what's causing it, and I'll have to work through this period and get myself to a better mental place. Sharing my experience with others has been helpful. I know I'm not alone - and I hope that my experience and advice can help others.
Comments
Wow. Sorry that happened to you. Thanks for sharing though, because that is some valuable information for the rest of us.
In the early days of the internet, I got scammed following an ad that appeared on a site that I trusted. I stupidly wired cash for the purchase of cameras. I was very ignorant about wire transfers. Luckily it was not a lot of cash, but it was enough to learn my lesson. I worked with computers from 1964 until I retired in 1999. I worked in every facet of it and dealt with many kinds of security. My advice to anyone is do not trust the internet period. The design of it has always been to facilitate the use by big companies/users and to make money. Security was never a primary goal and it only gets worse. They could change the programming language and make minor changes in hardware and prevent 99% of the misuse and scams but they won't do that. I do zero banking on line, pay no bills on line and delete almost all emails without a second thought. I will admit I have finally started using Amazon and I fully expect that will be the route of entry if I am ever scammed.
In fact I have had four different ATM cards for decades now and I just this year finally began using them as a debit card. I have hesitated because debit card rules leave you the holder out to dry if they are misused. I second your view that fraud could be greatly reduced were that a priority of the powers that be.
Bulldog doesn't spell it out, but the URL of this impersonation website was evidently very similar to the genuine URL. Or it sounded the same if he was using voice recognition. This is a well-known foundation for running these kinds of website impersonation scams. I ask the following question of those who believe the FBI is working to protect us from such scams. When you find a scam website research how long it's been on the internet. If it's new, then maybe the internet police haven't yet shut it down. But if you check you will find many (most?) fraud sites have been operating for years. On some level you must know that's true. If such complex scam sites were reliably and rapidly shut down, they wouldn't exist. The effort and investment wouldn't be worth the return. Or at least they wouldn't exist using URLs of well-known financial websites.

Why are you so sure you won't get your money back? If the account was at a US bank or brokerage firm, they will do a fraud investigation and if/when they find you were the victim of an online fraud they will repay your account. I had something similar a few years ago when some criminal stole checks out of the mailbox and went on a check writing spree to the tune of tens of thousands of dollars taken from my account. I contacted local police and the bank and within about a month the bank had completed its investigation and covered the fraud loss. Best of all, about a year later the local DA called me in to testify against the criminals, which I did, and they were tried and convicted. Anyway, don't give up hope of the bank/broker reimbursing you for your fraud loss.
Condolences, Bulldog. It was a VERY skillful, layered attack. I wouldn't be too hard on yourself. My (retired IT guy) heart goes out to you.
I just experienced this scare myself, with the attending feelings of being violated, and a couple of dreams last night that reflected the extreme discomfort, and then found out this morning that my account had not actually been violated. I don't know what actually happened to prevent it. I do pay my few bills online and I hope that my bank accounts will remain secure, but I guess we all need to learn how to navigate this new way of doing business. It's not really new anymore, is it? Bulldog, if you are able to give us more information about this, please do!
Please, anyone a victim of this or other technology facilitated frauds, report it as well to the Internet Crime Complaint Center at www.ic3.gov, the FBI's 'library' or national database for any internet fraud. Any sworn law enforcement doing investigations may access the complaints to build on their investigations.
Very sorry that this happened to you Bulldog, and thank you very much for sharing the account of the experience. I hope the investigation results in the recovery of funds but I think the odds are pretty long, as I guess you do. We all fall victim to our own routines, and it doesn't take much for a deft hand to derail the train of thought.
I got an emergency email from a colleague once asking me to wire funds, a pretty standard Yahoo email account hack. But the story was convincing, very skillfully mined from information gleaned from (I'm guessing) other emails in his account. What I do is highly specialized. He was a specialist in drilling rig blowout prevention equipment. His message said that he was stuck on a rig offshore, working a job, and had a family emergency at home and needed someone to have his back. Like I said: Anyone concocting this detailed a story, cold, using a driller's lexicon just from reading his emails, had some intelligence and talent. Anyway, the imitation didn't sound quite right, so I started conversationally reminiscing on details about equipment and rigs that we had worked on together, which got some vague and stalling responses, while I called his office. It turned out he was there in Houston, conducting a training course. So I told him his account had been hacked, and that he would probably be getting a call from just about everybody he had ever corresponded with. I had some other colleagues with shared acquaintance who got the scam note as well. Bottom line, when the Spidey Sense starts tingling at the edge of your awareness one needs to pay attention. If you're online, stop what you're doing and start thinking it through.

I worked as an EE for about 40 years so while I'm no IT or information security expert, I am a bit more savvy than the average casual user. Yet, a couple of years ago I got caught in a phishing scam-- of the most simpleminded kind. I got an email purportedly from my email hosting provider (AOL dba Verizon) asking me to log in to read about some changes I needed to make in my email server settings. I was fool enough to follow the link in the email, so they had my login. The only bad outcome was that several people in my email list got bogus messages from "me".
Apparently the phishermen were youngsters or inexperienced because the fake emails just asked the person to contact me-- they did not try to perpetrate a scam on them, so once I changed my login all was well except for some embarrassment.
Bottom line, be careful out there, people. BTW I recommend "Bitwarden" as a very nice password management program. It can generate nonsense-string passwords of any length and stores them encrypted in their "cloud", not on your machine. I use it all the time now. (I won't tell you about the time I used the same password everywhere until LinkedIn got hacked and I had to frantically change them all...)

I'm sorry that happened to you, it is one of my nightmares that I'll be having more frequently now (thanks for that!). I have some questions about some things you said though. First, why do you not use bookmarks? Wouldn't that prevent the possible URL typing error?
We store passwords on our computers, assuming they are safe as long as we have control of the machine itself. Is that hopelessly naive? Thanks in advance for any advice.