“We have to catch the fraudsters in the act,” “John” insisted.
Was John himself the fraudster?
In retrospect, John was obviously the fraudster. I should have known.
But he had me so panicked that it took me an hour to figure that out. By that time, he had infiltrated my computer and was en route to wrecking my finances.
The race was on to stop the cybersteal.
This all took place the other day. Two weeks earlier I had written an article about how I momentarily was almost fooled by an online scammer, about the steps to make sure it didn’t happen again. And yet here I was again: tricked more thoroughly this time.
I want to share what happened — and what I learned in the process — so it doesn’t happen to more people. Even if you’re not as dumb as I am when it comes to clicking on malware.
The scam began, of course, with an email: a request to send someone $1,499 through PayPal.
The email looked like all the other such emails I receive from PayPal, down to the graphics and point sizes.
The request was obviously a scam: I didn’t recognize the name of the requester, and I don’t send people that amount, which appeared to fall below a line of fraud detection. I Googled the requester’s name: It belongs to a federal magistrate.
“Don’t recognize this request?” the email asked, the way it always does. It offered a phone number to call for help.
I dialed the number. A man with a thick Indian accent answered. He identified himself as a PayPal employee. He said he’d look into the request.
He told me that “fraudsters” had hacked my account. New requests were already coming in, he said.
Indeed, more $1,499 requests kept coming in from unrecognized names like Gary Golkiewicz (another federal jurist, it turns out) and Tori Towns.
I asked the employee his name. He said “John Thomas.” He said he could help. He put me on hold several times to check with a “supervisor,” then returned with new instruction. He urged me to stay calm. I was having trouble understanding him; that didn’t help.
“John” emailed me a link to click on. In retrospect, I can’t believe I clicked on it. I trusted him. I looked at the email from “payPal”: the sender address was indeed “service@paypal.com<service@paypal.com>.” I guess I thought I was shrewd for checking, since often scammers do give themselves away by having a different address appear between the brackets.
I ended up downloading and opening the program John sent me. He told me then to open up PayPal. I did. The screen was dark.
I panicked again. He assured me they were “fixing” the “problem” and catching the “fraudsters.”
Then he asked me about the bank account linked to the PayPal account. I followed directions (I know; imbecilic) and opened that account. The screen went dark again.
It came back on. John said he was transferring some money to my PayPal account as part of fixing the problem. Yes, I did start to wonder if he was the fraudster.
“You have my name,” John said. “You have my number. Look at the email. It’s from PayPal.”
The call was coming up on an hour. Work deadlines passed; sundown was approaching.
A recorded female voice burst onto the call in the 59th minute. “61,” it said. Seconds later it said, “31.” Then “1” — and the call dropped.
I frantically redialed John. He picked up. He sounded confused when I described the female voice.
He then asked me to look at my screen. It showed the nearest locations to my home where cryptocurrency could be purchased. He told me I need to visit my bank branch to pick up some money he would send there, withdraw the money, then go to the Orchard Street crypto outlet — because “we have to catch the fraudsters in action.”
Go to the bank? Now even I smelled a rotten fish.
I wasn’t sure what to do next. Luckily, I’m married to Carole, who was walking by the room I was in. I told her “John” wanted me to go to the bank to withdraw money he was sending.
I had “John” on speakerphone.
“We want a transcript of this call,” Carole told him.
“We do not do that,” John replied.
“It’s a scam,” Carole told me. “Hang up.”
By now it dawned on me how fully I’d been conned.
And I had to work fast to stop my accounts from being raided.
I reached a cybercrime expert at the Connecticut FBI, which works to stanch the estimated $1.2 billion cyberscammers pilfer a year from Nutmeg State victims alone.
He told me to contact PayPal — but not to contact any phone number on any emails, for danger of getting scammed all over again. Look up the number on PayPal’s website, he instructed. (And if money does disappear form your accounts, he advised, immediately report it to this internet crime complaint center link on the FBI website so agents can act promptly to track down scammers before they cover their money-transaction trail.)
Thank goodness for that advice.
I called the real PayPal security rep. When I told her about clicking on the remote program, she informed me I had certainly been hacked. “We never do remote,” she said.
I told her about how realistic the email looked, down to the email address. She said people need to click on “reply” now to see the true email address and reveal different addresses underlying an alias.
Then she told me the good news: They didn’t get my phone. We immediately updated the PayPal password, which required confirmation on my phone. Then she told me to work fast to do the same with bank accounts (which I did).
She mentioned “the fraudsters” twice. Oh no.
“The real fraudsters used that word,” I told her.
She knew that: She said the scammers submit false claims to PayPal, then call to report them, so they can copy the script that real PayPal security aides use with customers. The same way they imitate the true PayPal emails. (More advice from PayPal appears at the bottom of this story.)
And, she advised, keep your computer turned off. Even though I had trashed the specific malware program, the scammers had certainly planted much more malware. Take the machine to an expert to remove all of it, she advised.
Phew. My account balances were safe. The original fake email was gone from my Gmail trash, so they’d been in there, too. As relief set in, so did shame. I can’t believe I was such an idiot.
On Sunday I spent four hours visiting the upper story of a Meriden mini-strip mall so that the tech expert I trust most — Shyqyri “Iri” Hysesani, who formerly had a shop on New Haven’s Whitney Avenue — could wipe my compromised machine clean. He installed new protections as well. It wasn’t the first time I counted my blessings for knowing Iri. (Note: His new Meriden shop is called All About Tech.)
I kept replaying the scam in my head — the telltale signs I ignored, the cleverness of the fraudsters, the role they may have sought to have me play (move already stolen money into bitcoin). I felt ashamed of being a dupe. But given how relentless these scams have become, I felt it important to share the details with people.
Carole told me about a case in Hong Kong revealed this month in which scammers used AI to create pretend potential partners who fooled a financial company in video conference calls into sending them $25 million. So I’m not the only mark in the cyber sea. That helped me feel better. A little. It also reflected what perilous web waters we all navigate every day.
Tips From Pay Pal
PayPal’s corporate department emailed suggestions and links with more info for avoiding getting scammed by PayPal imposters:
- It’s important that users be especially vigilant if they receive an urgent request from someone they don’t know or to whom they don’t owe any money. Overall, it’s best not to exchange payments with people who you don’t know.
- We will never ask customers for certain personal information, their PayPal password, SMS verification codes, or financial details by email, text message, or over the phone.
- If customers receive a suspicious invoice or money request, they should not call any listed phone numbers, reply, open links, or download attachments. They should also not pay the request or send any money to unknown individuals.
- Whenever someone suspects they are the target of a potential scam or they have had an unauthorized or unsatisfactory transaction, we always recommend that they contact Customer Support directly. Our dedicated support teams are always available to help look into a matter and provide available options.
- If a customer called a fraudulent phone number, clicked on a scam link, or shared any personal or password information, they should contact Customer Service as well as their financial institutions immediately. They should also change their passwords immediately.
- We recommend contacting Customer Support directly through our website or app, and not from other sources or search engine results.
- Customers can forward any suspicious messages to phishing@paypal.com and our dedicated security team will review the information and take action as needed.
- Customers may also contact law enforcement to report any scams, and we can assist in the investigation if asked.
- Of note, we offer customers peace of mind through PayPal Purchase Protection, which differentiates us from other payment apps and covers eligible transactions, including in cases of attempted scams involving goods and services. Eligible payments are covered by our purchase protection, meaning that customers may be covered if the transaction doesn’t go as expected. More info: PayPal Purchase Protection
- Protecting Yourself from Fraudulent Payment or Money Requests
- Simple Steps to Avoid the Most Common Scam
- What are common scams and how do I spot them?
- PayPal security center
- Learn about fraud
- BBB Institute for Marketplace Trust Partners with PayPal
- AARP Announces PayPal and Venmo Become First Peer-to-Peer Payment Platforms to Adopt BankSafe Program