Even the best of us can fall prey to scams.
When we imagine victims of online fraud, we often picture the less tech-savvy among us. I sure never imagined myself as a likely victim, given my years of professional experience in network and data security. That was my day job before this 17-year writing gig.
But the truth is, scams are becoming increasingly sophisticated, and no one is immune -- even a seasoned tech enthusiast like me.
A slight lapse in judgment, a perfectly timed call, just the right sprinkling of seemingly authentic company assets, and just like that, I was duped. Let me take you through my unfortunate encounter with a phishing scam that left my digital wallet quite a bit lighter, and my wisdom much heavier.
Don't let this happen to you.
The crystal-clear signs I shrugged off
There were plenty of signs that something was fishy with this call. Let me count the ways:
- My phone flagged the incoming call as a "likely scam."
- The caller identified himself as a fraud-prevention staffer with Coinbase Global (COIN). After the fact, I know that this company never calls you up to discuss security concerns or trading fraud -- every issue starts with an email. I should have known.
- The caller texted me a link and asked me to click on it. The domain was relinkcoinbase.com, which clearly isn't a real Coinbase asset.
- So I clicked the link in my desktop computer's web browser, but that wasn't good enough. The so-called Coinbase staffer asked me to do it from my phone instead. Red flags everywhere. Why didn't I catch on yet?
- Soon, I got an email from Coinbase to confirm my login attempt. The subject was more than a hint: "Coinbase Support: Please verify your email -- WE WILL NOT CALL YOU ABOUT THIS ISSUE." I didn't take the hint. Instead, the inclusion of a real Coinbase email made me trust this shady process more.
- Next, it was up to me to cancel a bunch of supposedly fraudulent crypto transactions entered in Germany. Why wasn't I notified when they happened, how did that scammer get past Coinbase's fortress of login requirements, and why can't Coinbase just cancel them on my behalf? Those were three good reasons to stop this nonsense right away.
- OK, fine. I logged in to Coinbase via the relinkcoinbase.com hub. It was time to "cancel" a number of "fraudulent transactions" to Germany. Click, click, click. Cancel, cancel, cancel. Separate two-factor authentications for every step of the way. I took that as a sign of Coinbase's tight security, not as an indication that I was working with a scammer.
And then, after a bunch of these "Cancel transaction" clicks on a site totally not named Coinbase.com, the support tech just hung up. That's weird. Let me check up on my Coinbase wallet real quick.
That's when I found out that I wasn't canceling fraudulent transactions at all. Instead, I was meticulously approving the actual fraud in real time, click by click. All my Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), and Polkadot (DOT) was gone, leaving a few of my smaller altcoin holdings on the bottom of the barrel. Every successful two-factor authentication meant one less cryptocurrency in my Coinbase portfolio.
I had fallen for a classic phishing scam.
Why did I fall for this scam?
Again, there were tons of signs that something was wrong. I found reasons to ignore them all:
- The scam detection system my phone uses isn't perfect. Some perfectly legitimate calls are mistakenly flagged, and I was waiting for a completely unrelated but important call from a medical services provider. So let's pick it up and see.
- Over the past couple of years, Bank of America (BAC) and American Express (AXP) really did call me to straighten out real fraud concerns over the phone. If top-notch banks and credit card processors can do it, why not a cryptocurrency trading exchange?
- Directing people to a third-party site isn't always a scam, right? I'm sure I've seen similar things before. No big deal.
- The request to use my phone instead of my desktop browser sent suspicious tingles down my spine. I don't have a good excuse for this one. Maybe I just wanted to get this inconvenient fraud check over with and get on with my regular work instead. What's the worst that could happen?
- "We will not call you about the issue," said the subject of a real Coinbase email with a login-related security code. But you're on the phone with me right now -- what's wrong with this picture? This was admittedly not my finest moment. If you ever get to this point, pay close attention to the email and hang up on the scammer.
- By this point, it looks like I just swallowed the whole scam, hook, line, and sinker. I thought the constant authentication steps were inconvenient, and so was the entire step-by-step cancellation process, but I was all in and didn't even think about quitting anymore. It felt like the final step of a necessary process, and I was supposed to be protecting my crypto assets with these actions.
Silver linings from a dark cloud
Embarrassing as it is to admit, even with years of experience in dealing with technology, scams, and cybersecurity, I fell for a meticulously crafted ruse. But there are a couple of silver linings.
First, this crypto account held less than 3% of my long-term investments. The loss is large enough to be painful, but I'll be just fine.
More importantly, this has been a profound lesson in vigilance, skepticism, and the importance of never letting your guard down in the digital world.
We live in an increasingly digital age where scams are getting more intricate, more elaborate, and more convincing over time. Criminals are learning how to improve their scams all the time, and the rest of us can't match their constant practice. My tale is a stark reminder that scammers are working ceaselessly to find new victims. They adapt to new circumstances, devise new traps, and target everyone, regardless of their tech savviness. And sometimes, the crooks get lucky.
But we can adapt, too. You and I can stay educated, remain skeptical, and consistently verify the links and online actions we're asked to use. Even in this case, I was able to learn from my mistakes and report the fraudulent activity to Coinbase, to the FBI, and to the Commodity Futures Trading Commission. You can't cancel a Bitcoin transaction, because the permanent nature of its encrypted transaction ledger is an unbreakable rule of the blockchain platform. But I could certainly take steps to regain control of my accounts, change all my passwords, and keep a keener eye out for future trouble.
It's essential to remember that scam detection isn't a one-time process; it's a continual practice of security and caution.
In sharing this story, I hope to save others from the same pitfall. Always remember, if something feels off, it probably is. Question everything. Pay heed to the red flags. Run Whois checks on fishy links before you click on them -- in this case, I would have found that relinkcoinbase.com is based in Russia, Belgium, and Ukraine. Coinbase.com is managed from California. Like I said, I'm a big nerd and should have known better. A Whois check takes just a few seconds.
Let my hard-earned experience serve as a stark reminder: Stay vigilant, stay safe, and most importantly, remember that if the stakes involve your hard-earned assets, it's better to be overly cautious than a little bit too trusting.
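A Whois lookup needs a network connection, but the hostname comparison that exposes relinkcoinbase.com can be done offline. The Python sketch below is an added example, not part of the original article; the allowlist, the keyword list, and every sample link other than relinkcoinbase.com and coinbase.com are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: the domains the brand really uses,
# and the brand names a scammer would embed in a lookalike link.
OFFICIAL_DOMAINS = ("coinbase.com",)
BRAND_KEYWORDS = ("coinbase",)


def hostname_of(link):
    """Return the lowercase host a browser would actually connect to."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", link, re.I):
        link = "//" + link  # bare "host/path" as pasted from a text message
    host = urlsplit(link).hostname or ""  # drops userinfo and port
    return host.rstrip(".")


def naive_is_official(link):
    """Weak check: a substring test accepts any link that mentions the domain."""
    return any(d in link.lower() for d in OFFICIAL_DOMAINS)


def is_official(host):
    """Correct check: exact match, or a subdomain on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_link(link):
    """Classify a link as 'official', 'lookalike' or 'unrelated'."""
    if is_official(hostname_of(link)):
        return "official"
    # The brand appears somewhere (host, userinfo, path) but the host is
    # not the brand's own: treat the link as an impersonation attempt.
    squashed = link.lower().replace("-", "")
    if any(k in squashed for k in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # constructed sample links
        "https://www.coinbase.com/signin",
        "relinkcoinbase.com",
        "https://coinbase.com@login.example/",
        "https://coinbase.com.relink.example/verify",
        "https://example.org/",
    ]
    for s in samples:
        print(f"{classify_link(s):10} naive_ok={naive_is_official(s)!s:5} {s}")
```

The substring test accepts every sample that mentions the brand, while the label-boundary test accepts only the first.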