Anatomy of a scam: Yes, it can happen to you

Everyone’s heard by now that no one is immune from being scammed, but most people who haven’t been scammed don’t believe it.

Believe it. It can happen to you. A friend (no, it’s not me) today is sharing her scam story. It’s a great illustration of how anyone can get sucked in. 

Being scammed is a violation. Not only does it involve losing money and messing up your finances and accounts, possibly for years, but it’s humiliating. Victims are embarrassed and are often shamed by friends, family and strangers.

Ann (not her real name) doesn’t want to be identified. I understand how she feels. I was scammed five years ago (more on that later).

Consider her, though, your friend or neighbor. If you don’t know Ann, you know someone just like her. She’s in her 50s, has an advanced degree, and holds an impressive professional position in Manchester. She manages a three-generation household, is savvy with digital technology, and didn’t fall off the turnip truck yesterday. 

The silver lining to her story is that she got back the $3,000-plus she was scammed out of, which is rare.

It will take a lot longer for her to recover from the emotional and psychological damage. She also knows now that her Social Security number, driver’s license information, and other identification is out there. She’s still not safe.

She is sharing her story at my urging, so that people can truly see what it looks like to be scammed. As you read it, don’t judge; rather, consider how this could happen to you.


The Bait

Several weeks ago, Ann’s Facebook page was hacked. There was a new profile picture, one that she hadn’t put on there.

She changed the photo back and changed her password. She went into her account settings to see what to do if she was hacked, and was satisfied she’d taken care of it.

Two weeks later, her Instagram account disappeared. She couldn’t log in and it didn’t recognize her email address.

Ann went into account settings, which brought her to the Meta account center. Meta is the social media company that includes Instagram and Facebook. The page had a customer service phone number.

She called the number, figuring it would be easier and faster. [Chances are if she’d emailed, texted or chatted, she still would have wound up on the phone, with the same result.]

The man who answered told her she’d reached the Meta help center. “We’re here to help,” he told her.

He said it looked like the hacker was in control of everything on her phone. 

He asked her if she did mobile banking. Yes, she did. He asked her how much was in her bank accounts. She wasn’t sure – her husband is the one who rides herd over family finances. She guessed maybe $2,000, since their mortgage and home equity line payment were both coming due the next week.

The man on the phone had her download an app, AnyDesk, so she could share her screen.

Ann began to text her husband, who was playing golf with friends.

“What are you doing?” the help center man asked.

“Texting my husband,” Ann said.

He told her to stop. “The hackers are in your phone,” he said. “They can see anything you do.”


What happened here?

Ann got hacked and couldn’t access her Instagram account, and went to the help center, saw a customer service phone number and called it.

Most people would do the same thing.

Ann now believes that the “help center” was false. At the time, though, it was linked to her accounts. She had no reason not to trust it. Any one of us would do the same thing.

This happened on a Friday morning. As it played out over the next hours and days, Ann repeatedly told people, “But I called THEM.” That’s a logical place your brain goes – hackers reach out to you, you don’t call them. If you’re voluntarily calling a number that seems legitimate, you’re safe.

Sharing a screen is another red flag. When the man on the phone told her the hackers could see everything on her phone, he was right. She just didn’t realize he was referring to himself. [None of my pointing out red flags is to criticize anything Ann did. Rather, it’s to emphasize to readers what they should look out for.]

Ann was used to sharing her screen. At her workplace, they do it all the time with IT. She thought she was sharing it with the Meta help desk. 

I administer a couple of websites and have shared my screen with the help desk at GoDaddy and other places. I can see how easy it is to assume this is OK.

In the scam world, Ann’s experience, from the minute her accounts were hacked, through the phone call with the “help desk,” is called a Trojan horse. It’s a seemingly legitimate process that draws in an unsuspecting victim.

The Scam

After the scammer – let’s call him that instead of “the help desk” – told Ann the hacker could see everything on her phone, he gave her an order. “Only do what I tell you,” he said.

He even told her not to contact her bank, because they’d make it a “big deal” and it could freeze up her accounts. It was the end of the month and Ann and her husband, let’s call him Dave, had mortgage, home equity, and other bills automatically coming out. Their paychecks would both be automatically deposited soon. She couldn’t afford to have her bank accounts frozen. 

The scammer led her into her Venmo account. They would transfer the money out of her bank accounts, buying bitcoin or cryptocurrency, in order, he said, to protect the money from the hacker.

Venmo allows someone with a personal profile (not a business profile), to transfer a maximum of $5,000 a week to cryptocurrency. The person who holds the profile is required to provide their Social Security number and go through an ID verification process to do it.

He had her transfer money from her checking account to Venmo in two increments. Venmo has a $1,500 limit on adding money to a Venmo account from a bank, so he stopped when they got to that amount.

He had her change the billing and email addresses, and then used the money to buy cryptocurrency, which he then transferred to another account. 

The process involved her verifying her identity by uploading her driver’s license, then taking a selfie, and submitting that. Anyone who has an account with the IRS is familiar with this process, which many financial institutions have started using in the past year or so, usually through ID.me.

The scammer and Ann moved on to her PayPal account, where they went through the same process, transferring money out of a bank account. They transferred two increments of $990, but a third payment, for $250, was declined.

“He realized he’d emptied out my checking account,” Ann said.

The scammer bought cryptocurrency, but they hit a snag when it came to the ID verification needed to transfer it to the other account. The ID wouldn’t verify. The scammer tried multiple times with no success.

At some point, the scammer also had her download something called META Mask. “I assume I’m talking to Meta,” Ann said. “This sounds like a protection thing they provide.” It turns out, though, it was another app for converting money to cryptocurrency.

When the crypto couldn’t be transferred, they figured out that even though Ann’s name was on the PayPal account, the account was officially in her husband, Dave’s, name.

The scammer urged Ann to call her husband immediately, and said he would call her back. But Dave was on the golf course and wasn’t picking up.

When the scammer called back after Ann tried to reach Dave, he got increasingly agitated.

“Where is your husband? When will he get home?” he asked Ann.

Finally, Ann managed a three-way call between herself, the scammer and an unhappy Dave. But the reception wasn’t great, and Dave couldn’t do the ID verification.

The day, one meant to be a relaxing one at her camp in western New Hampshire, had turned into an exhausting and anxiety-filled ordeal.

“I was on the phone with them for several hours,” she said.

The scammer told her he’d call back at 10 a.m. the next morning, a Saturday. Dave, who was celebrating his birthday in a yearly tradition with friends, had another golf outing planned. His tee time was 10 a.m.

When Dave got back to the camp Friday, shortly after the three-way call failed, Ann texted the number she’d been on the phone with all day, telling them her husband was home and they could do the ID verification. She got no response.

Dave was not happy about the situation and couldn’t understand why his long-planned weekend was being interrupted by this issue. He didn’t realize that Friday night that it was a scam.

Ann told him it was serious, her ID had been stolen.

“What I didn’t realize is that I was giving it away,” she told me.


What happened?

When the scammer told Ann not to call her bank, or when he began buying crypto and transferring it, you may have thought “Red flag!”

You are right. That doesn’t mean Ann – or you in the moment – would recognize it.

Scammers know what they’re doing. Everything has a sense of urgency. Bad things will happen if you don’t do what they say RIGHT NOW. They don’t give you time to think. 

What do most of us know about crypto? Or hacking? We think we’re talking to a trusted source that is helping us and who does know about it. 

Ann believed she’d called a legitimate number, right from Meta’s help center page.

Ann, like most of us, lives an honest life. She would never scam or steal. It’s hard to get your head around the fact, in the urgency of the moment, that someone who has built a façade of trust is doing it to you.

“I called THEM,” she repeated to me several times. “I’m the one who called them, not the other way around. I found a phone number on their help center and called them. I said this 20 times (that Friday night to Dave and his golf friends).”

When Ann first texted Dave, the scammer told her not to. Dave was only brought into it when it was clear the scammer needed his ID verification. Ann was told not to talk to her bank.

The sense of urgency, the quick buildup of false trust, and isolation from anyone who can give you perspective, are classic con ploys. Those tactics are used in many scams and fraudulent behavior. Remember, “con” is short for “confidence.” They gain your confidence to take your money, your identification – sometimes, your life.

The ploys of rushing, false trust and isolation are common in coercive control situations that lead to domestic abuse and violence.

Scammers play on their victim’s inherent honesty and trust. They make them feel that the scammer knows best and disaster will happen if they don’t do what the scammer says. RIGHT NOW. 

This ploy is particularly effective on women, industry and mental health experts have found. Women are socialized to be more polite, trusting and inclined to acquiesce to male authority, particularly if it’s aggressive. They question their instincts, or give in to an aggressive man rushing them to make a decision because it’s easier than resisting.

It’s not women’s fault, it’s not that they aren’t as “smart” or as “mentally strong” as men. It’s an effect of our paternalistic society that tells women they must be polite, not push back and not follow their instincts.

This isn’t me making stuff up, it’s supported by studies and research of scams and domestic abuse.

I’m not saying Ann’s case has anything to do with domestic abuse – it doesn’t – but it used tactics that are proven to trick and hurt women in many different types of situations.

Ann is no pushover, yet hours on the phone with an aggressive, urgent man who she thought worked for the Meta help center pushed all those buttons. 

The Fallout

The next morning, Ann tried to call and text the scammer to see if they could change the time of the ID verification. When she got no answer, she followed Dave to the golf course so they could take the 10 a.m. ID verification call and he could still make his 10 a.m. tee time.

When Dave went to pay his greens fee, his card was declined because their checking account was zeroed out.

Ann again called the number that she’d been dealing with for hours the day before. The scammer had given her a couple of numbers. She tried both. Neither was in service. On her phone, she went to look for the Meta help center where she’d initially gotten the information. That didn’t exist either.

Of course, when 10 a.m. came, the phone didn’t ring.

Ann realized, with crushing horror, that she’d been scammed.

Ann and Dave had lost more than $1,000 that had been used to buy crypto through her Venmo account, then transferred out of the account. Around $2,000 in their PayPal account was also tied up in crypto, but not transferred.

“If the name on the PayPal account was mine, I would have transferred all my money to them,” she said.

The scammer had Ann and Dave’s bank account and PayPal information. They had Ann’s Venmo information, driver’s license information and Social Security number.

She and Dave took Monday off from work to deal with the fallout.

At their bank on Monday, Ann felt she wasn’t getting through to the customer service rep who sat down with them, that the young woman didn’t understand the full extent of the damage. All of their information was compromised. They had major bills coming out of their accounts that week, and the paychecks going in. Would they lose more money? Would they have huge overdrafts? The possible consequences could be ongoing financial disaster, but they felt they weren’t making progress explaining that.

Ann knows the bank manager socially. For two decades, every time Ann has visited the bank, she makes sure to say hi to her friend. That morning, her shame and humiliation kept her from seeking out her friend. She didn’t want to be seen, and didn’t want her friend to know what had happened.

But she also felt they weren’t getting anywhere with the customer service rep. Ann swallowed her pride.

Once her friend became involved, damage control began. The bank manager changed all their account numbers and information.

Of course, the continuing fallout includes the fact that Ann and Dave have to change all the account information on their automatic payments and direct deposits.

“It’s going to take months to clear up,” Ann said.

What happened?

One thing Ann is particularly embarrassed about is that during the hours-long session with the scammer that Friday, she got a fraud alert text from her bank when the $250 withdrawal wouldn’t go through, asking her if she wanted to put a freeze on her account. She answered “no.”

“Because I called THEM. I didn’t think I was being defrauded,” she said.

Scammers will send a text, email or call. But as consumers, like Ann, get more savvy, scammers do more phishing. This means creating situations in which you don’t realize that you’re interacting with a scammer.

Ann’s Facebook and Instagram accounts were hacked, so she went to what she thought was the Meta help center.

The whole time she was dealing with it, her brain told her that it was legit. “I called THEM.”

When I was scammed five years ago, it started with a legitimate Survey Monkey quiz that my employer required the staff to take. When I completed that quiz, another popped up about secret shopping. Secret shopping has always intrigued me (at least it used to), so I took the quiz. At the end, it asked if I’d be interested in being a secret shopper. I said yes.

A couple weeks later, I got a text following up. And so started a humiliating several days that cost me $1,400 that I did not get back.

Scammers’ initial entry is often something you trust. As an honest person, you are tuned to believe other people are too (even if you’re a cynical journalist). Scammers know this. The fact that the point of entry is legitimate, or seemed to be, sticks in your head. You tell yourself it’s not a scam because it came from a legitimate source.

With me it started with a quiz my employer required me to take.

In Ann’s case, her accounts were hacked to the point that a fake help center page was set up. 

She called them. They didn’t call her.


Getting the Money Back

Ann was lucky. She was able to recover her money. Most scam victims don’t.

Because the scammers had created a false account with her name, Venmo took responsibility. It wasn’t without a lot of anxiety on Ann’s part, however.

The Venmo rep wanted Ann to verify her identity, the same way the scammer had. 

“Oh my god, this is what the hacker had me do,” she told the rep.

The Venmo rep said she understood, but that’s what they had to do to verify her identity.

Ann said that’s also what the hacker told her.

She did it, because otherwise the money in the account would remain frozen. But she didn’t tell Dave until after the money was back in their bank account.

There was a slight difference with the legitimate Venmo process. The rep had her hold her driver’s license next to her face in the selfie. They also said it may take 24 hours to process.

When Ann got an email the next day saying the money in Venmo was no longer frozen, with a link, her first thought was “Is this part of the scam?”

Ann has removed her bank accounts, as well as debit cards, from her Venmo account. She advises others to never attach a bank account to Venmo, just debit cards. She doesn’t even have her debit card attached. When she needs to use Venmo, she attaches a debit card, uses it, then unattaches it. 

She’s seriously considering getting rid of Venmo, despite the fact that she used it constantly before the scam.

PayPal also returned the $2,000 that had been converted to crypto, because the scammers hadn’t been able to complete the process and transfer it, thanks to the account being in Dave’s name.

Ann still is stunned by what would’ve happened if her name had been on the account, or Dave had been around to do the ID verification.

After PayPal unfroze the money, Ann initially couldn’t transfer it back into their bank accounts. Again, she wondered if it was part of the scam. Then she remembered the scammers had had her do it in increments of less than $1,000. When she did that, it worked.

As you can see, part of the fallout is that Ann now doesn’t know who or what she can trust. That’s good in some ways, but it adds a lot of anxiety to life and to doing everyday transactions.

Ann went to the three credit reporting agencies – TransUnion, Equifax and Experian – and put a freeze on her credit reports. That means no one can get credit or a loan in her name, which requires a hard credit pull from the lender.

Account holders can unfreeze their credit report when they are applying for credit, then refreeze it after. This does not have a negative impact on your credit score, and protects anyone who’s been a victim of identity theft. Those who haven’t been can also do it.

Be sure when you do it, you are going to a legitimate website. The best way is through the Federal Trade Commission or the Consumer Financial Protection Bureau page on the topic.

The FTC also has a page on what to do if your identity is stolen and how to recover from it.

With her Social Security number stolen, Ann will never be able to rest easy. Someone out there has this vital information that can be used in all sorts of ways.

Ann reported the scam to the FTC. She also reported it to her local police department. They initially suggested that she report it to the department in the town where her camp is, since that’s where she was when she spent hours on the phone with the scammers. But that town doesn’t have a police department. Her hometown department took the report.

These days, with cellphones and the likelihood a scammer is not even in your state, local police departments should be less rigid about taking a report, and just take it if it’s the location of the person’s official address.

The police report likely won’t result in an arrest. But it’s necessary because banks and money-sharing platforms may require it to resolve issues with your accounts. 

Reporting with law enforcement also puts it on the record. Most (but not all) of New Hampshire’s law enforcement agencies report to the FBI, which compiles statistics on scams and fraud. I’ve written about it more in-depth in the past, where I break down types of scams and list the red flags.

In New Hampshire you can also report a scam to the New Hampshire Department of Justice Consumer Complaint Division.


It’s Not About Victim Greed or Stupidity

In hindsight, the red flags that resulted in Ann and Dave coming within a fraction of losing $3,000-plus are obvious. But when you’re in the thick of it, they’re not as easy to see. 

Ann is lucky she got her money back. When I was scammed, I didn’t. And it was only through the good graces of my local bank and their familiarity with the scam that I wasn’t charged with fraud for depositing the fake check the scammers overnighted me and had me deposit to buy the gift cards. I was then required to give the gift card information to the scammers. They said I had to do it all within 24 hours or it wouldn’t work.

The money I lost was intended for my mortgage, car payment and other monthly bills. I was living paycheck-to-paycheck at the time, and losing it put me behind for more than a year and caused some serious financial problems.

There’s a false narrative that people who fall for scams are “greedy.” 

When I was scammed, it was because I was intrigued by the secret shopper bait. It looked like it came from a legitimate source.

Ann was scammed because she was trying to resolve a social media hack. 

A friend’s daughter was scammed out of thousands of dollars after she got a text that she thought was from her bank, saying there was an issue with an account.

People will say, “If it looks too good to be true, it is.” That’s true. But it’s not the only guideline to avoid a scam. In the cases I just mentioned, that wasn’t even part of the equation.

Once someone is scammed, shame and humiliation, as well as the abuse from people who believe they’re too smart to be scammed, keep them from speaking up.

After nearly 40 years in the newspaper business, I’m pretty much immune to abuse, so I’ve been public in the past with my experience. It doesn’t mean though, that nearly six years later, I still don’t cringe at how I got duped.

I give Ann a lot of credit for speaking up. Don’t think you can’t be the next Ann, because you can.

How to Avoid a Scam

Facebook has a page about “Facebook scams,” but even that page reverts to familiar themes that focus on money. It does not warn users about scams that present themselves as Facebook or Meta, which would be useful information.

The page does have good advice about how to keep accounts secure. But if Ann had read that page when she was trying to figure out how to get her Instagram account back, or when her Facebook page was initially hacked, it likely wouldn’t have made a difference.

Ann went into what she thought was a legitimate Meta help center page linked to her account.

It would be helpful if legitimate businesses that are used as facades for scams would keep their users up to date. Many don’t. My scam involved buying gift cards from Walmart. Afterward, I suggested to a Walmart rep that their customer service people should ask, when someone buys multiple gift cards for a large amount of money, if someone asked them to do it. He said the information is on their website. That isn’t good enough. I’m not sure if their policy has changed since then, but it didn’t escape me at the time that Walmart makes a lot of money from this scam. I legitimately spent $1,400 on gift cards that they get to keep.

I’ve been told that some businesses, like CVS, do ask customers if someone asked them to buy a gift card. Bravo to any business that takes that simple step.

I’m not sure why Meta doesn’t put at the very top of its scam page that scammers posing as the Meta help center may hack your account. That information doesn’t appear anywhere on its scam page that I can see. I’d think it would be the lead.

If anything hinky goes on with one of your social media accounts, check out the FTC page on how to avoid scams. The FBI has one as well.

There are some basic things to keep in mind in all your online interactions.

In April, I talked to Shirley Bhutto, from St. Mary’s Bank, about the most recent scams and the banks’ consumer education push on the topic.

Here are some of the red flags and how they were used in Ann’s case. Keep in mind they can be used in different ways. Use these as absolutes, no matter what the situation:

  • Talk to your bank. Ann’s scammer told her not to talk to her bank, implying her accounts would be frozen and it would be a hassle. Keep in mind though, that your bank is the primary protector of your money. When a scammer tells a victim not to contact their bank, “They’re being told to lie,” Bhutto said. “We have to keep saying [to victims] ‘We’re the ones who are here, we are here to protect you.’”
  • The fear factor. Ann’s scammer immediately hyped up the anxiety by telling her the hacker had access to everything on her phone. Bhutto said victims are told they have to act RIGHT NOW or something bad will happen to their money or account. Bhutto stressed that nothing bad will happen if you slow down, don’t give in and check with the bank. 
  • The shame factor. Bhutto said that customers think they’ll be judged or are too embarrassed to tell their bank they’ve been scammed. She said, again, your bank is there to help. “We’ve seen it all,” she said. [If the person you initially talk to at your bank doesn’t seem to get how serious the issue was, as with Ann’s case, swallow your pride and ask for a supervisor who does get it.]
  • Sharing information. Ann shared more information than she should’ve, even if the source had been legitimate. This isn’t a knock on Ann, she was manipulated by someone skilled at doing it. Bhutto warns that you should never share PIN, online banking user ID/password, or any other access method with anyone, including joint owners or anyone claiming to be your bank. NEVER share a computer or phone screen. NEVER download an app at the request of someone on the phone “even if they threaten you, say you’ll lose money or go to jail,” Bhutto said.

St. Mary’s Bank has an excellent page on how to avoid scams, and it’s frequently updated with the latest scams the bank sees in its customer base. The page includes screenshots of what fake checks, fake texts and other scamming tools look like.

Above: Example of a spoof text from St. Mary’s Bank.

You Can Be Scammed

Scams are not about a greedy and naïve person falling for easy money. They don’t just happen to old people. I laughed when I read that there’s a bill in the Massachusetts Legislature that seeks to freeze accounts of anyone over 60 who is making a large withdrawal. Give me a break! I was younger than 60 when I was scammed. So is Ann. My friend’s daughter who lost thousands in a fake bank text scam is in her 20s.

Scammers are sophisticated cons who trick you into thinking they’re legitimate. They access your anxieties, fears, and do it in ways that seem so familiar that you don’t know it’s happening until you’ve lost money. It doesn’t matter what your age is, how educated you are, what you do for a living or anything else.

Ann’s psychological recovery is going to take a while. As I said, I still feel the pain of being scammed years ago.

Being scammed is a violation. It’s personal and invasive. Ann was on the phone with the scammer for hours as he bullied and manipulated her. After that, she had to go through the guilt of also putting her husband’s accounts, and everything they’d worked for, at risk. There was also the humiliation of dealing with her bank. And then there’s the judgment of friends and family.

One footnote.

When she was dealing with the aftermath, she Googled something to do with Venmo fraud and called the number on a website that came up. The man who answered told her she needed to download AnyDesk, and share her screen.

“Oh no, I’m not falling for that one,” she told the guy. “Goodbye, sir.” Then she hung up.