I was scammed
I got scammed. Alas, AI is democratizing spear-phishing, and you should be really wary of the risk.
This is difficult to admit to, let alone describe, yet in retrospect I feel I need to share this story.
I am not a cyber security expert, and I didn't stay at a Holiday Inn Express last night, but having been online since the 1980s, I have developed a pretty solid spidey-sense about scams. And not just the usual Nigerian-prince and online-penis-enhancement-pill variety.
Yet, even with this armor, I was duped, and it cost me a few hundred dollars, but it taught me a lesson.
What Happened?
On Friday, I got an email from someone I knew well. A person I have been friends with for over 40 years. Someone I used to trade warez with back in my Atari 8-bit BBS days. Someone who helped me build my first IBM PC Clone (an 80286 with a whole megabyte of RAM and a 40 Meg HD (Seagate full height)). Yeah, I am THAT old.
Anyhow, we keep in touch, but not as much as back in the day. I will refer to him as MD, but needless to say, he's been someone that I have known personally a long time.
The email came to two of my addresses, and it was from a new email address from this person. But it was a user ID that he has used the entire time I have known him (it is his first name, plus the numeric street address of his house that he still owns).
This made me think that he had just moved to another service (his original email was his username@pacbell.net, about as old school as still rocking an AOL email address), and he just asked if this was still me. It came to my personal Gmail account and to a private domain, a private domain that used to be hosted on Google Suite, which will be important later.
So, naturally, I just figured that he was trying to refresh his memory, and I responded in the positive that it was me (at both addresses).
No big deal, but then came the ask.
Before I go into details, this is a person that helped me afford one of the then new Atari ST computers by "loaning" me money using my guitar as collateral (circa 1985) so it is someone that I have long trusted, and I would do just about anything that he asked as long as it wasn't illegal. Or too illegal (we did do a lot of copyright violations back in the day).
The ask
After I responded that it was indeed me, his immediate response was relief, and that he needed my help: his niece's birthday was that day, he was having trouble with his credit card, and if I could just send her a (couple hundred dollar) Apple gift card with a sweet note from a doting uncle, he would get me the money shortly.
It was a (relatively) small amount of money, and really, I didn't think twice before agreeing to it.
I knew he was from a large-ish Mormon family, and that he was the odd duck, a life-long bachelor living in Silicon Valley, but I know that he would spend time with his extended family.
So, this all makes sense. Sort of.
I sent the card.
My logic:
- The email address was new (new provider, outlook.com), but it was the same formula as all the email I ever got from him
- The request wasn't for something out of character. A couple of hundos for a niece to spend at the Apple store
- The request came from someone I had known a long time, and would just "trust"
Of course, the immediate response after the transaction was done (ok, within 30 minutes) was something akin to: "Hey, it turns out that it wasn't quite enough for what she wanted, can you send more money?"
My alarms started going off at this point, and I decided to pick up the phone and call this friend out of the blue.
Turns out that no, he hadn't tried to reach me, and his nieces are all married and don't need Apple widgets.
Fuck. I've been scammed.
Why this worked
I will admit that my first reactions were shame and anger. I was stewing all day on Saturday, and I swore I wasn't going to admit this to anyone, but this scammer was clever.
First: They clearly had access to my email history[1]. They were able to do pattern searching to find someone that I was friends with, but wasn't communicating often with. As I said, I have been friends with MD forever, but we often go a year or more in between emails and/or contact. They were clearly looking for such a tenuous, but strong connection.
And the fact that they picked Gmail, and my custom domain that was hosted by Google for 15 years, meant that they probably had access to my Google cache of data. I have been using strong passwords, and MFA since as soon as it was offered, so I doubt they got access from the front; I have to assume that there is a large breach that Google hasn't mentioned (at least to me) for them to go sifting through.
This was how they found a person to impersonate with such precision that a mere glance at the email address would look right.
Second: they were insistent upon using Amazon to purchase the card, and not to go to Apple. I didn't question it, but on reflection, it seems purpose built for scamming.
Amazon processes the transaction practically instantly, and sends the card. Once that happens, there isn't anything that can be done to invalidate the card. Because I tried.
I used my personal AmEx card for the transaction (I carry no balance, and I pay it off every month) and usually AmEx is outstanding in their ability to claw back fraudulent charges, but in this case, because I did make the transaction, there was nothing to claw back.
Fucking efficient markets. But, I get it.
Third: Upon reflection, I suspect that this was largely driven via access to my data to sift through, plus some clever AI agent coding, and it was able to thread the needle to bypass my smell detector. This is what is called "spear phishing"[2], which used to be exercised only on high-value targets, because it required a lot of attention, as opposed to just spamming the fuck out of a lot of people to get a low probability response. AI tools just make this profitable to do for a few hundred dollars, and move on to the next target.
And that is scary, because the technology to do this is practically free, and the ROI is phenomenal. What used to require a lot of research, and thus was only worth doing for high-value people (corporate officers for example), is now achievable against schlubs like me.
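One defender-side check the pattern above suggests: flag mail whose sender local part matches a long-known contact but arrives from a domain that contact has never used, and flag gift-card, urgency and "send more" wording in the same thread. This is an added example, not anything from the original post; the contact book (a stand-in "md1234" local part with the pacbell.net and gmail.com domains the post mentions), the outlook.com lookalike and the message texts are all constructed.

```python
import re

# Constructed contact book, not the author's: local part -> domains this contact has
# actually mailed from. "md1234" stands in for the friend's first-name-plus-street-number formula.
KNOWN_CONTACTS = {
    "md1234": {"pacbell.net", "gmail.com"},
}

GIFT_CARD = re.compile(r"\b(gift ?cards?|apple card|itunes)\b", re.I)
URGENCY = re.compile(r"\b(today|right now|asap|shortly|trouble with (my|the) (credit )?card)\b", re.I)
ESCALATION = re.compile(r"\b(send more|(not|wasn'?t|isn'?t) (quite )?enough|a bit more)\b", re.I)


def split_address(addr):
    """Return (local part, domain), both lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def suspicious_reasons(sender, body):
    """Reasons a single message matches the gift-card impersonation pattern (empty if none)."""
    reasons = []
    local, domain = split_address(sender)
    known_domains = KNOWN_CONTACTS.get(local)
    if known_domains is not None and domain not in known_domains:
        # The username a long-known contact uses, but from a domain they have never sent from.
        reasons.append("lookalike: known local part, unfamiliar domain")
    if GIFT_CARD.search(body):
        reasons.append("asks for a gift card")
    if URGENCY.search(body):
        reasons.append("urgency cue")
    if ESCALATION.search(body):
        reasons.append("follow-up asks for more money")
    return reasons


def review_thread(messages):
    """Map message index -> reasons for every message in a thread that trips at least one check."""
    return {i: r for i, (s, b) in enumerate(messages) if (r := suspicious_reasons(s, b))}


# Constructed thread mirroring the shape of the post's exchange, not the actual emails.
SAMPLE_THREAD = [
    ("md1234@outlook.com", "Hey, is this still you?"),
    ("md1234@outlook.com",
     "So glad it's you! It's my niece's birthday today and I'm having trouble with my card. "
     "Could you send her a $200 Apple gift card from Amazon? I'll get you the money shortly."),
    ("md1234@outlook.com", "Turns out it wasn't quite enough for what she wanted, can you send more?"),
    ("md1234@pacbell.net", "Long time no talk. How are things?"),
]

if __name__ == "__main__":
    for i, reasons in review_thread(SAMPLE_THREAD).items():
        print(i, SAMPLE_THREAD[i][0], "->", "; ".join(reasons))
```

The first message trips only the lookalike-domain check, which is exactly the point at which a glance at the address would have been worth a phone call.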
Final Thoughts
I still feel like an idiot. No, this isn't going to materially affect me, but my pride is dinged.
1 - Or his, but until about 5 years ago he had an old pacbell.net account; when they shut the service down he created a Gmail account, so I suspect it was my repository
2 - That link: https://www.cisco.com/site/us/en/learn/topics/security/what-is-spear-phishing.html is from my employer, and frankly, it is damn good. I HIGHLY recommend you read it.