Email scammers sent an Uber to the home of an 80-year-old woman who responded to a well-timed email scam, in a bid to make sure she went to the bank and wired money to the fraudsters. In this case, the woman figured out she was being scammed before embarking for the bank, but her story is a chilling reminder of how far crooks will go these days to rip people off.
Travis Hardaway is a former music teacher turned app developer from Towson, Md. Hardaway said his mother last month replied to an email she received regarding an appliance installation from BestBuy/GeekSquad. Hardaway said the timing of the scam email couldn’t have been worse: His mom’s dishwasher had just died, and she’d paid to have a new one delivered and installed.
“I think that’s where she got confused, because she thought the email was about her dishwasher installation,” Hardaway told KrebsOnSecurity.
Hardaway said his mom initiated a call to the phone number listed in the phony BestBuy email, and that the scammers told her she owed $160 for the installation, which seemed right at the time. Then the scammers asked her to install remote administration software on her computer so that they could control the machine from afar and assist her in making the payment.
After she logged into her bank and savings accounts with scammers watching her screen, the fraudster on the phone claimed that instead of pulling $160 out of her account, they accidentally transferred $160,000 to her account. They said they they needed her help to make sure the money was “returned.”
“They took control of her screen and said they had accidentally transferred $160,000 into her account,” Hardaway said. “The person on the phone told her he was going to lose his job over this transfer error, that he didn’t know what to do. So they sent her some information about where to wire the money, and asked her to go to the bank. But she told them, ‘I don’t drive,’ and they told her, “No problem, we’re sending an Uber to come help you to the bank.'”
Hardaway said he was out of town when all this happened, and that thankfully his mom eventually grew exasperated and gave up trying to help the scammers.
“They told her they were sending an Uber to pick her up and that it was on its way,” Hardaway said. “I don’t know if the Uber ever got there. But my mom went over to the neighbor’s house and they saw it for what it was — a scam.”
Hardaway said he has since wiped her computer, reinstalled the operating system and changed her passwords. But he says the incident has left his mom rattled.
“She’s really second-guessing herself now,” Hardaway said. “She’s not computer-savvy, and just moved down here from Boston during COVID to be near us, but she’s living by herself and feeling isolated and vulnerable, and stuff like this doesn’t help.”
According to the Federal Bureau of Investigation (FBI), seniors are often targeted because they tend to be trusting and polite. More importantly, they also usually have financial savings, own a home, and have good credit—all of which make them attractive to scammers.
“Additionally, seniors may be less inclined to report fraud because they don’t know how, or they may be too ashamed of having been scammed,” the FBI warned in May. “They might also be concerned that their relatives will lose confidence in their abilities to manage their own financial affairs. And when an elderly victim does report a crime, they may be unable to supply detailed information to investigators.”
In 2021, more than 92,000 victims over the age of 60 reported losses of $1.7 billion to the FBI’s Internet Crime Complaint Center (IC3). The FBI says that represents a 74 percent increase in losses over losses reported in 2020.
The abuse of ride-sharing services to scam the elderly is not exactly new. Authorities in Tampa, Fla. say they’re investigating an incident from December 2021 where fraudsters who’d stolen $700,000 from elderly grandparents used Uber rides to pick up bundles of cash from their victims.
Consider everything you receive to be a scam! Call a family member immediately before responding to
anything. There needs to be a nationwide 800 number to call for any and all suspected fraud.
An 800 # for reporting fraud? I bet if you Google that there will be fraudsters who will gladly take your personal info when you call their already set up call center and start an “investigation”.
Hopefully the son reported it at https://reportfraud.ftc.gov/#/assistant
I agree, there should be an 800 number so non-computer savvy people can make reports as well.
That elderly women should have sent me that scam email, I would have taken care of it
Psh. Whatever.
My mom is 78, and this stuff scares me. She knows, but still tell her regularly to ignore any calls, emails, or texts claiming to be from a financial institution and asking for anything. I even enrolled her into Google’s Advanced Protection Program and also use those keys on her password manager.
My intent here is to help you not to insult you but Google security is awful and recently 27 apps were removed from the Play store that had escaped Google’s haha security and these were apps that can steal bank account information harmlessly disguised as keyboards messaging services and photo filters. I’ve done cyber security for 25 years and work for the feds for 20. Most secure email server is Yahoo and I know this because they caught a sex offender trying to set up an email account as part of my email account. They stopped it and told me they did so after I verified I had not authorized any other users. Google is a huge corporation and does not need all the power that they have but you can be sure if you have an issue with Google and you or your mom needs help you are not going to get any help from them and you certainly can’t cost them any loss of market share. This is a warning to help you not insult you. Because I caught Google and PayPal trying to double charge me for some fees on a video game that I was playing Google requested a copy of my ID and I told them to get bent. I’m in my late 50s so I would never give Google a copy of my .ID nor would I ever be willing to give PayPal a copy of my ID or any legal documents. The reason is is those types of things leave you wide open for identity theft and I have stopped three people from trying to steal my identity four times so I know enough. Reading the website Kimkommando will help u a lot. IC3 had a phone # years ago but it always went to voicemail & no reply given. We have to do our own research and protect ourselves as consumers.
“Most secure email server is Yahoo and I know this because they caught a sex offender trying to set up an email account as part of my email account.” #definitionofsecure
An issue here is that people of any age, caught off guard in any one of many ways could get caught in such a scam. Ageism that calls us, in general, to stereotype people of various ages and that, may in fact, add to the situation. Of course the real problem, is how impotent we – as humans appear to be in our organizations, our governments, and maybe the real issue is our collective desire to really stem the tide on this type of thing. Thank you Brian for keeping us informed.
Unless you have an elderly relative or contact that has fallen for (or nearly fallen for) this type of scam, you cannot believe the level of shame and worry it brings. It just takes the right set of circumstances (like in this example) to gain the trust of someone, who otherwise would have seen through the scam.
What an *amazing*, cough, cough, coincidence that this scam occurred at the *exact* time she was legit dealing with BB about an appliance installation.
That’s exactly what I was thinking – the scammers tapped into the BB appliance delivery chain communications somewhere.
There are many similar scams that can be pulled by timing it with some other real transaction.
They didn’t tap into anything. Nothing that sophisticated.
Somebody from BB just gave them the details.
Maybe, or as I’ve seen before multiple times when running large phishing tests, “lucky” timing happens. Years ago I sent one to over 10K people about expanding their email box limits, a number of people in that test had actually requested a larger mailbox recently and were waiting for details. I didn’t plan it, I didn’t get inside info, I just blasted it to a large enough org for a strong enough chance it might work.
It can be as simple as someone in the Email chain such as a delivery contractor getting malware that copies Emails to the bad guys.
Isn’t it just as likely she’s the endpoint herself?
That is very likely. Make some extra cash payments sent via Venmo for sending a report to ? on who is having appliance work done.
Simple game of numbers. Send the same appliance scam email to 100k people, and you have 100% odds at least one person is going to fit the target perfectly, if not multiple people.
Agreed! Something is going on at BB (intentional or not) … and it is beyond appliance delivery! Spent all day yesterday trying to help an elderly friend who got scammed into letting tech support remotely access her laptop. This came 2 days after taking her laptop to In-store tech support for assistance updating antivirus software. The tech said she needed to download the update but she would need to do it from home because there wasn’t enough “?” (Bandwidth, download speed, … not sure what he told her). He also downloaded an extension that would help her if she had problems… which we now know was the remote access program. A few days later she received a pop-up message that computer had been infected and she needed to call Microsoft and provided a number and extension. My friend actually googled the number first and it was the Microsoft tech support number, but the extension wasn’t listed. She called and that’s when they used the remote access link to “help” her. They “helped” her out of her entire life savings!
The scammer knew exactly what services she received and “conveniently” the remote access app was already on her laptop. Not a coincidence.
This gentleman has many videos of him turning the tables on this very scam.
https://www.youtube.com/c/KitbogaShow
There are you tubers doing pay back
Scammer payback
Trilogy Media. They are good to watch for knowing what to watch out for.
I was thinking of him too, as soon I have seen the title, people should watch his videos, they are funny and will help many understand how scammers think and how to avoid them. Show this to your parents, grandparents, friends…!
This is a common scam. Normally they say they need your banking info. They will transfer funds from another account of person being scammed. (Another reason not to have accounts linked to outside accounts)
I worked for a bank in identity theft. First thing is to change all passwords with all financial institutions.
Never have the same password for any other bank.
Also, any any account that has your credit card or bank attached to it should have a unique password.
I have seen accounts compromised through shopping apps, payment apps and pay apps.
They will transfer funds from ANOTHER person being scammed?? Im calling b.s on that. Once they’re given access to the marks computer, they get an simply change numbers around without actually moving any money around. They’ll blank out the screen and not let the victim see what’s happening. They’ll say they accidentally refunded too much money, and have the victim send back the difference in various ways, even freaking gift cards.
When the new company I worked for gave me a company email account I had to verify I read their list of do’s and don’t when using their email account. Email scam prevention was included. Maybe free email providers like Google should provide emails for 3 days and require the new email account user watches a 10 minute video on email scam prevention. After 3 days if the user hasn’t watched the video, Google sends out a warning.
After five days the email is blocked until the user watches the video. Many people with free email accounts don’t know what can and can’t be spoofed in an email.
“Hardaway said his mom initiated a call to the phone number listed in the phony BestBuy email”
I’ve tell and retell and retell anyone within earshot NEVER to respond to ANY communication regarding their accounts, whether that communicated come via email, social media, or a phone call. I tell them to instead check their online account for status first. Then, look up the published number of the account (or the number you have saved) and call them with any questions or to verify any information received.
I agree with an above post that this scam could happen to anyone, not just the aged. The timing was particularly unfortunate.
It’s embarrassing, but I fell for a similar scam by perps impersonating Comcast. Like your elderly lady, I’d been communicating with Comcast, so the call seemed reasonable. The perps used the same “incorrect amount” trick, and gained remote access to my computer, but I got wise before they got access to my credit card account. I’ve closed the credit card and reinstalled Windows, and am keeping the computer unplugged until I can do a complete wipe. Unfortunately, you cannot keep your age off the Internet if you want to vote, because it’s a public record.
Explain “gained access to my computer” for us please and how that went.
Just this week there was a local story in the Raleigh area of a woman who got scammed out of $23,000.00 in the exact same way. Call this number to dispute charge, remote admin software install, login to bank account, supposed accidental deposit, and appeals that they will lose their job and have children to support. The only difference was the email she received was concerning an iTunes charge that she never made. She fell for it and sent them money through Apple gift cards she sent them photos of and Bitcoin. When she finally questioned it all (after driving all over to get gift cards and being instructed on how to buy and send Bitcoin), her bank told her that they transferred the money from her savings account to her checking account to make her believe that they mistakenly over deposited when attempting to refund her.
The problem is these scammers are in Legit call centers over in India. The operate as a legal call center during the day bit at night they run the scams. The Indian government wont do anything because they are not scaming their citizens….. solution: NSA tracks the scams to exact location in India, When their running scams a Predator Drone sends missile. Problem solved
Mark Rober and Trinity Media sent some “biological warfare” to an Indian call center. It was epic 🙂
Not aaaall of them obviiiiiously? Is it not? It’s not just those few in Calcutta.
Those are however hilarious if they weren’t simulataneously so dastardly.
This is old news. Been happening since the 90s. Where have you all been?
The word is NO, I doNT CARE WHO OR WHAT DONT CALL THIS NUMBER,doNT EMAIL ,I doNT WANT TOO HEAR UOU AGAIN. I AM CALLING FCC With THE PHONE NUMBER YOU JUST CALLED FROM. THEY WILL TRACE IT Through ALL 20 TO 30 COMPUTERS..then they whine and try too get you to feel sorry for them. I can’t write what I tell them to go do.
Love it! Ur very smart! KUDOS 2 u!!!
They are unimpressed by threats more than not. You can’t win that way.
Just… hang up.
I have a relative who was regularly targeted by cold call scammers. I ended up doing the following to help her:
– Setup an Administrator Account on the laptop (only accessible by me)
– Setup a standard User account with all Installation privileges disabled, and use this as the normal account for my relative to log in with
– 2FA on all Email & Social media accounts
– Passwords were only stored by me
– No internet banking accounts, and notified the banks that they will never require this and will only be going in branch (this is not always possible as many people use Internet Banking)
– Disconnected her home phone
– Disconnected her home internet
– Used a small 5G wireless hub for internet directly connected to the laptop
– Changed her mobile phone number and advised her Telco that she is being targeted by scammers and they put a filter on it
@ Ed, Ron, etc: There Are 800 Phone Numbers for Reporting Fraud –
FTC: 1.877.382.4357
AARP Fraud Watch Network: 1.877.908.3360
Elder Fraud Abuse Hotline: 1.877.372.8311
AARP is also getting out the message that the way victims of fraud are treated needs to change. It is the Criminal’s Fault that Scams Happen — Not the victims! Just like we don’t expect robbery victims to hang their heads in shame, we need to stop being so disparaging of victims of fraud. Fraud can happen to anyone — regardless of age, education level and economic status. We keep telling people that they shouldn’t trust their phones, their email, their texts. And we all keep acting like that’s normal. Not being able to trust communications that you get on a device that you bought and paid for Is Not Okay. But we’re putting up with this sad state of affairs because the crooks keep finding loopholes and regulators and law enforcement keep playing whack-a-mole with tools that don’t help us enough to really stay safe.
Make sure a fraud report is made to the FBI Internet Crime Complaint Center, i.e. IC3
https://www.ic3.gov/ and specifically https://www.ic3.gov/Home/EF for Elder Fraud.
One thing that can help is to use a different e-mail alias for every on-line for every vendor and if you get an e-mail from a vendor, check to see if it is the same alias.
For example, I might have billyjack+2214nx@example.com when dealing with New Egg (the four digits are the 24 hour time of when I create the account and the initials which may be before or after are random or may be chosen based on the name of the entity. Then if I get something to billyjack@example.com instead of billyjack@2214nx@example.com, I know that it doesn’t come from New Egg.
I’m also in the process of doing a little better for financial institution e-mail. I have a new e-mail address that I will only use with banks, credit card companies, and anything similar. I don’t have everything on it yet, but I’m working on it. Then, if I get an e-mail from the bank or credit card company and it isn’t to that e-mail address instead of a publicly available e-mail address, I will be very, very, very suspicious. The username of the address is a string of numbers that have significance only to me and that has never been published anywhere — I did a web search on the number and about the only thing that comes up with is a variet of items for which that is the part number.
It would be a substantial improvement if people would use pgp keys to sign their e-mails. Then, for anything important, verify the key by other means to verify that it is theirs. Then, whenever you get an e-mail from them, you could have a good idea whether or not they were legitimate by checking the signature on the e-mail.
Even better would be if we had the ability to have two signatures on an e-mail. The first signature for the employee sending the e-mail and the second for the institution to sign as it is sent through their servers.
This is the hot tip.
Targeting the elderly… and immigrants / international students too! Chinese news media is chock full of instances where folks receive calls / text messages from “China’s Public Security Bureau” or the “Chinese embassy” accusing those folks their account(s) have been linked to illegal activities. Most won’t fall for this — but there’re always some who do — and these folks have grown up in fear and awe of Chinese government agencies – and would do as they were told – such as providing accounts and passwords – or even to wire funds to “police escrow accounts” to prove their innocence! Very sad that many have lost their life savings, their college tuition money…
The elderly and hard of understanding especially. The confusion helps build the confusion.
1 800 CALL FBI is setup for these kinds of questions. I once called to confirm a gov employee ID, person who answered was polite and got me an answer.
Easy number to remember. Yes, you can actually call the FBI.
@Ruddy – You sure that wasn’t Bobby Singer from Supernatural?
Lol I’m thinking it was Bobby Singer
“Just… don’t lie.” – Don Jr.
Ayy there’s some great inlightening videos on you tube from a scammer payback channel she should check it out might make her feel better and teach her
Ayy there’s some great inlightening videos on you tube from a scammer payback channel she should check it out might make her feel better and teach her.
A web page with advice for non techies
https://defensivecomputingchecklist.com/rulesoftheroad.php
Its short. The home page of that site has a section on where to report assorted things.
In July Best Buy said some customer accounts were “hacked”. This article has me wondering about the extent of the hacking of Best Buy. This article doesn’t state that the lady ordered her dishwasher from Best Buy, but maybe she did and is why she responded. I have a software subscription that renews through Best Buy yearly. A few days before Best Buy sent my renewal reminder, I received a renewal reminder about it that was not from Best Buy. I saw it as Phishing attempt and just sent to trash. So maybe Best Buy has had a larger hack than just “some accounts hacked”
You are all “security pro’s”, meaning you know more than 99.9% of what you need to stay safe and advise others. But, if you really are that good, you also know that you likely know about 0.1% of what you need to always stay safe. And, not being so sure that you will see a fraud coming, is what protects you and me. Why else read Brian’s and Bruce Schneider’s blogs and emails? It’s to get better, and improve our odds.
OTOH, most that are vulnerable and at most risk, +60 were taught and became great students. Passing and exceling meant you mastered a subject. “A-” meant 90-95% correct. Failing meant you would miss 30% of what you should have known–about any subject.
Back to our security question: If we are the experts that know more than most anyone, and still are somewhat comfortable that we only know a fraction of what we need to stay safe, now take those seniors and expose them to a new scam. They THINK that they should have to ability to detect that fraud and protect against it–which is precisely what makes them most vulnerable.
From helping support others for security and any technology issue, the best way to help is to change their mindset, so they ask and seek help what needed:
“Most experts today do NOT know than 1% of what they need to know, or is in their universe of knowledge. This is the best you can hope for today, and it will only get more complex and more to learn than you could ever master. So, stop trying to learn enough, or thinking you should be able to do so–you can’t, and it really is a futile and impossible task. Instead, become one of the experts that learn how to use others’ resources, on an as-needed basis. Learn how and when to search out experts that likely know what is needed, and what is a waste of time to learn. Learn to stay humble and a great seeker of truth, but only when you need it. Gain understanding, and stop trying to remember procedures and facts, which in a hypothetical ‘two weeks’, those facts are mostly obsolete. If it might be at a critical cost if you are right or wrong, even when you are sure you are right, that’s when you must force yourself to get a second opinion and a separate set of eyes.”
In this specific story, that second opinion in reading the situation, inadvertently saved her. No other help was available, or in this case, was needed.
LOL about reporting fraud to the FBI. In November I went personally to the FBI offices in Houston, Texas to report a widespread fraud being committed by Chinese scammers only to be told they weren’t accepting visitors >due to COVID” this was November 2021 not 2020 . The guard at the gate didn’t even want to know what the crime was. I could have been there reporting that I had just seen a young child being bundled into a car or that I just saw my neighbor load his truck up with explosive and head off to downtown. He was so ambivalent. In my experience the FBI are useless. NOTE* The very next morning I was watching live TV where the FBI had ignored the young female athletes of being sexually molested by their team doctor. The FBI ignored world famous celebrities so what chance did I have of them listening to me? or anyone for that matter…
Probably because you don’t understand what the FBI does. They aren’t local cops. Don’t just show up trying to report a local crime.
Even if you’re sure that the crime falls under federal justification, there is no such thing as a “walk in” like your local precinct police dept. Your best bet is to see local law enforcement and/or a criminal attorney who specializes in that crime and have it referred.
You can get a walk in sometimes at some offices. Covid times not so much.
Ricky Shiffer is that you?
The advice to just hang up is problematic. This is a crime in progress, the perp will move on to the next victim. If you see a mugging on the street, you could at least call 911. Law enforcement needs to step up with better response options.
I will stand out of $100 using eBay gift cards I was trying to purchase a car on the eBay motors and when they answered the phone they said give them my card numbers on the read them off you know the card numbers on the back of the card and by that time I did that the money was gone they called me two more times and sister that I go get some money that I don’t have it is horrible out here being a senior is is just untrustworthy now
If I get a phone call from my bank etc etc, I will happily accept it, but I will thank them for the information and tell them I will check my Internet bank for the message. NEVER trust the caller.
As for letting somebody take control over you device, i NEVER do that. One women in a restaurant wanted to borrow my phone to calculate how to split the bill, and she got a little pissed when I said no. Told her I have too many personal data on it, and my job requires me to not hand it over.
I offered to calculate in the head, or I could use the calculator, but she refused, being angry as she was.
For most people the phone is the master key, it has access to the mail account used for approving password changes, it is the MFA 2nd factor its is lots of stuff.
Yeah, the phone has become the 2FA device for many sensitive accounts.
There are NFC yk tokens that you can put on your keychain which stores OTP codes.
And if possible, for high security accounts, use a different email address that you’re not logged into for daily use.
Users can’t just choose to use YK. Companies/websites have to offer that option too. NONE of my banks, brokerage houses, healthcare providers, insurance companies does.
The companies don’t have to choose YK specifically. Any company that allows 2FA codes with a QR code or “authenticator app”. YK is just a hardware token that can store them securely instead of the phone’s app data which can be compromised easier with malware or someone borrowing the phone (as was described on the original post).
But yeah, 2FA using SMS is still the more common type and more sensitive financial websites need to adopt stronger MFA.
Scammers sent an Uber for her? I can’t stop laughing.