It started with a pop-up window on an old Windows PC indicating there was a problem with the computer. The user needed to contact Microsoft support via an 800 number for assistance to resolve the error. Innocent enough, right? That single pop-up message kicked off a harrowing multi-hour odyssey during which an acquaintance of mine was fleeced of thousands of dollars as they drove around the Toronto suburbs on the phone with a scammer buying pre-paid gift cards. But how did this happen? How does an otherwise intelligent and rational person end up in this situation?

Phone scams like this are incredibly common - according to the Canadian Anti-Fraud Centre there have been over 12k cases of reported fraud so far this year, and over 100k reported in 2021. And these scams are profitable - as of March of this year Canadians have lost over $125 million in 2022 alone. The numbers south of the border are even worse - according to TrueCaller, 59.4 million Americans fell victim to scam calls in 2021 for a total loss of over $29 billion.

In the case of my friend, the scammers used a wide range of tactics to create a sense of emergency and stress. When my friend called the supposed "Microsoft" support number that was displayed on the screen, the scammers started off by informing them that the computer had been compromised by "hackers". This alone would make most users scared, but the scammers went one step further - they told the user that not only was the PC compromised, but all of their devices - cell phone, home phone, you name it. They couldn't trust anything or anyone for help because the "hackers" controlled the devices. If they didn't solve this problem right away the damage would get worse - with control of their devices the hackers would soon start draining bank accounts and doing other nefarious things. The only way to solve the problem was to work with the scammers to disinfect the computers by installing "security software" - only after that was done would they be safe from the hacker threat.

Of course this "security software" cost money, and the scammer informed them that because the "hackers" were already inside all of their devices, they couldn't use any standard payment methods. The only way to pay for the "software" was to use prepaid gift cards. The scammer then asked the user for their home address and proceeded to give them turn-by-turn directions to the nearest Shoppers Drug Mart location to obtain said gift cards. And not only one Shoppers - when the first one didn't have enough cards to cover the cost of the software, the scammer directed them to two more locations. In the end, the scammer had them buy $5000 worth of prepaid gift cards and provide the numbers to cover the cost of the "software".

Near the end of this ordeal, my acquaintance's fiancee came home and quickly realized something wasn't right. They hung up the phone on the scammer, who then kept calling back, insisting to the victim that they couldn't trust anyone, including their fiancee. Luckily this didn't work - with an outsider (the fiancee) now in the picture it was easy for my acquaintance to take a step back and realize the whole thing was a scam. The shame and embarrassment of being taken advantage of started to set in.

Alan Castel, a UCLA psychology professor, summed up how scammers succeed in getting people to fall for these scams perfectly - “Grifters are amateur psychologists. They understand that people respond to social influences, especially to authority. They know people don’t use all their cognitive resources when they’re stressed. They know that if you can rush people, scare people, they’ll become hyper-focused on trying to solve a problem. Fraudsters create a powerful situation that induces compliance.”

Barclays’ chief behavioural scientist Dr Pete Brooks further explains why scams like this work so well - "Psychologically, we tend to make poor decisions when we’re forced to act quickly – our reflective brains are much better at trying to think through an issue or problem. But we tend to make a lot of our decisions – about 95% of the decisions we make on a day-to-day basis – without reflecting on them. So, if a scammer can get you to make an instinctive gut reaction to something, the more they’re using that fast neural network to get you to do something instinctively rather than pausing. And that’s why you see a lot of the messages around fraud being about pausing and thinking, even though it’s really difficult."

Dr Brooks further explains that "authority bias can make you panic, because you feel like you’re being told something from someone at a trusted organisation – and we like to feel like we can trust people in authority, so that can be played upon."

With the psychological data in mind, it's clear the scammers ran a perfect playbook on my acquaintance - from the start, my acquaintance perceived the person they had called as an authority figure (Microsoft), then the scammers created a sense of danger and urgency (the hackers are everywhere!), and finally made it time-sensitive - if you don't solve this now they will take all your money. By hitting all these key points they suspended the victim's ability to think rationally and pure instinct kicked in. All logical thought went out the window.

So what can we do to stop scams like this? Education is the key. As IT professionals we need to remind our friends and family that these types of scams exist, and that when in doubt, even a little bit, they should try to contact someone else for a "gut-check" before going forward. Inform them that legitimate organizations (Microsoft, the RCMP, the CRA, etc.) don't take "gift cards" as payment and that if they are ever asked to pay with one it's a major red flag. The other important thing to remember is to not blame the victim - it's easy to get angry at someone for falling victim to a scam and losing money, but you need to remember these are professional scammers who know all too well how to manipulate their victims.

Finally, if you or someone you know has fallen victim to this or any other type of scam, make sure you report it to your local police and the Canadian Anti-Fraud Centre as soon as possible. Stay vigilant and stay safe.