By Larry Magid
A slightly shorter version of this post appeared in the Mercury News
I was impacted by a scam this week that didn’t cost me money or expose my data, but did take an enormous emotional toll, including 20 minutes of terror.
Writing this column a day later, I’m still anxious and, frankly, a little embarrassed that I believed the scammer on the phone when he said he had kidnapped my wife.
As a long-time tech journalist and founder and CEO of an online safety organization, I know a lot about phone and online scams and have written and spoken extensively on the subject. But this call felt real to me and threatened to separate me not from money but from someone, who, along with my children, means more to me than anything in the world. Being an “expert” didn’t make me immune to the social engineering that led me to believe the threat was real.
Fear and deception threw me off balance
After the incident I spoke with security and law enforcement experts who, in a sense, reassured me that my response was appropriate given the circumstances. The person on the phone was very good at his craft. As you’ll see from the description that follows, he used fear and deception to throw me off balance and convince me that the threat might be real. Ultimately he didn’t succeed at his goal of separating me from my money but the emotional toll was and still is perhaps even more damaging than a financial loss.
It began Tuesday morning when my wife drove to San Francisco to visit a friend – something she rarely does. Most days she and I are together at home or she’s somewhere nearby. Even before the call, I was slightly nervous because the last time she drove to San Francisco, she was sideswiped by another car.
At 12:37 PM, my cell phone rang with a caller ID that, at first glance, looked like it was my wife. I now know it wasn’t exactly her number, but it was the same area code and prefix and the same last number. But at the time I thought it was her number.
What I heard was a crying woman who was obviously extremely upset. Because it came from what I thought was her phone, I assumed it was my wife. I repeatedly asked what the matter was but I couldn’t understand her answer. All I could imagine was that something horrible must have happened.
Then a man came on the phone, identifying himself as a police officer. I asked what the matter was and he said that he needed to verify who he was talking with before he could disclose it. I would normally refuse such a request without more information from him but I was desperate for an answer so I gave him my name and my wife’s name. He then admitted that he wasn’t a police officer, but a member of a drug cartel and that he had my wife with him in San Francisco. I’m not sure how he knew she was in San Francisco. Maybe I said something about her location or maybe not. I wasn’t exactly thinking clearly.
A security expert I spoke with later explained his technique. Start with fear, follow with an authority figure to gain my trust and then pivot to the threat. As much as I pride myself on critical thinking skills, it worked with me.
Even though it occurred to me this could be a “virtual kidnapping” there was enough information to cause me to worry that it could also be the real thing and that’s how I reacted. Either way, I knew I was dealing with a criminal so, while I had him on my cell phone, I put him on speaker and dialed 911 from my desk phone. I didn’t say anything to the 911 operator, but knew that they would hang on and listen to the call.
At one point he told me that she will be OK as long as I bring $5,000 to a Walmart parking lot in San Jose. He didn’t specify what would happen if I didn’t bring the money but implied he might hurt her or worse if I failed to comply. I found out later that the 911 operator put my local police on the line so they heard nearly the entire call, including the ransom demand and the threat.
He told me not to contact anyone and asked me if I was alone. I said I was and, of course, didn’t tell him about the 911 call. But, at one point the 911 operator asked me for my wife’s phone number which I whispered into the desk phone. The scammer must have heard me because he asked who I was talking to. I denied I was speaking to anyone and just said I was talking to myself because I was nervous. The nervous part was true.
He then asked me to get into my car. I didn’t, but kept him on the phone for as long as I could. The expert I later consulted said that the car request was to initiate the compliance process. Once you follow one instruction, you are more likely to complete the process and pay the ransom.
We spoke for just over 11 minutes and he finally hung up on me, probably because he realized I was not going to comply. I still wasn’t sure whether it was a scam and I wasn’t taking any chances. Besides, emotionally, I believed it. The combination of the crying woman who sounded like she could have been my wife, the fact that the call came from what appeared to be her phone and his knowing she was in San Francisco along with his story was all I needed to go to some very dark places. To say I was scared is an understatement.
After he hung up, I turned my attention to the 911 operator on the other phone. My wife and I are both able to use Google Maps to track each other so I told the operator my wife was at Embarcadero 4 complex in San Francisco and verified her phone number. The operator told me that a police car was pulling up in front of my house and that I should go speak with him.
The officer reassured me that it was likely a scam, but he took it seriously and told me to call my wife, but there was no answer. He and I spoke for a while and then I called again and, this time, she answered the phone. She was fine and never in danger. We hung up so I could finish my conversation with and thank the police officer.
I later found out that the police had texted my wife asking her to call so they knew she was OK and that they contacted San Francisco police to dispatch an officer to look for her. My wife spoke with the police officer who listened to the 911 call, who told her the person was very convincing.
After I calmed down, I did a reverse lookup on the caller ID number and while I’ll never know who the caller was, the number was issued by a phone carrier known for spam and scam calls. I don’t know whether the similarity between the number and my wife’s real number was coincidental or deliberate (there are ways to find people’s phone numbers), but it was at first convincing despite my knowledge that numbers can be spoofed. I also did some research on virtual kidnapping and found an FBI website that described the nearly identical tactics used on me.
What to do if it happens to you
I hope this never happens to you or, if it does, your loved one is nearby or easily reachable. But, the National Institutes of Mental Health advises people to “request to speak to the victim directly” and, “If the callers don’t let you speak to the victim, ask them to describe the victim or the vehicle the victim drives, if applicable.”
The site also advises people to “attempt to call, text, or contact the alleged victim via social media” or “try to call the alleged kidnap victim from another phone.” I didn’t do that because both my phones were in use and I truly believed the call was coming from my wife’s phone.
There’s a lot more online advice on how to handle virtual kidnapping. I knew some of it, but had I known this exact scenario, I might have just hung up the phone, but maybe I wouldn’t have. Knowledge is power but emotions can be even more powerful.