04 September 2015
We're all human: How I got scammed and how you can avoid it
It's not just naive grandparents getting scammed. It happened to me, and it can happen to you. It's embarrassing to me, but not too embarrassing to share it with you.
After I complained to PayPal on Twitter about an issue with my account, a PayPal representative (or, someone I thought to be a PayPal representative; more on this later) contacted me to help resolve the problem. Many companies are very conscious of their online brand and will take to social media to resolve problems. I've done this dozens of times with other companies so it wasn't at all surprising to me for them to contact me (in fact, just hours after this occurred, the legitimate PayPal help account contacted me for the same reason).
As you can already anticipate, the Twitter user who contacted me was not legitimate. Here's how it went down.
1. The "PayPal" representative asked for the email address associated with my account.
2. The "PayPal" representative "verified" my account by sending a code to my cell phone (you can already see how this is going down, can't you?!). It came from the same number that previous PayPal text messages have come from, so it must be legit, right? Of course it was legit...
3. I confirmed the code back to him. (Oh, wait. No I didn't. He has my email, he clicked a link to reset my password, and now he has my password reset code!)
Of course, I was suspicious about what happened, especially because he stopped communicating with me, but I hadn't thought the process through entirely. I'm not stupid enough to give someone my password, but I willingly gave away the password reset code because (without realizing it was a password reset code at the time) I felt assured that I was being verified with the code to my phone. So I asked my wife to keep an eye on the account just in case. In hindsight, though, it seems so obvious.
In fact, today we found an unauthorized transaction (fortunately, only one, which is being investigated and will hopefully be reversed). Account details and password have been reset. PayPal is aware of the scammer; his Twitter account has been suspended.
But many more people will continue to fall victim to these scams. I know some of you are reading this and thinking "I'm smart! That could never happen to me!" If I were reading it, I'd probably think that too. But it can happen to you. It's hard to be vigilant 24/7. We're all human and sometimes we do stupid things. I didn't take the simple step of verifying the "PayPal" account (in hindsight, even I have a difficult time imagining how I simply took this for granted). The best I can do is own up to it so someone else can learn from my mistake.