Date: 2001-04-22

When discussing scams and social engineering attacks, it's easy for security researchers and experts to present information in a way that implies the victims of these attacks should have known better. It's an attitude born of biases that many engineers have - myself included - but it's unhelpful and counterproductive. And, as much as we may like to think we'd handle these situations so much better, that's just not true. Security experts - even those with professional experience in social engineering - are not immune to scams. As an example of this, I'd like to share the story of a scam I fell for recently.

The Call

In the early afternoon, after starting my day with an extremely tiring 2-hour meeting, I kicked back for a much-needed break before digging into some writing projects. However, my meditation was interrupted by my phone ringing. That, in and of itself, was noteworthy - I use a complex web of forwarding numbers and obfuscation to avoid giving out a real phone number as much as possible, and the only people who have my real phone number rarely call me, especially during the day. I checked the caller ID, and it was my bank, Wells Fargo (I know, I know; trust me, they were not my first choice).

I answered, and the guy said he was calling from Wells Fargo's Fraud Prevention Department to verify some transactions. He verified my name, he had the last four digits of my debit card number, and everything generally seemed to follow the normal script of a transaction verification call. He rattled off three separate transactions, totalling close to a thousand US dollars, all of which were things I didn't recognize, in a city I've never been to, 1300 miles (2100 km) from where I live. So, yeah, definitely fraudulent transactions. He said they'd cancel my debit card and send a new one, and verified the address on file - which he also already had, without me needing to provide it. I've had a bunch of these calls over the years, so nothing weird so far. I figured we were about finished with a very routine and normal fraud call, but it turned out we were just getting started.