When Bank of America put Hank Molenaar on hold recently, it told the Houston resident there would be a long wait time and he could press 1 to get a call back instead. But before the bank called, criminals called, impersonating the bank, and stole his money via Zelle. It was a Perfect Scam. And the vulnerability that was exploited? It was poor customer service.
There’s a new, disturbing trend I’ve spotted and it’s time to ring the alarm bell. It’s hard work to hack into a bank and steal money. It’s much easier to enlist real consumers as allies to do it for you. Theft via scam is on the rise, overtaking traditional identity theft / credential hacking, according to a recent report by Javelin Research & Strategy. Criminals are enlisting the help of account holders and other consumers with all manner of creative cover stories and impersonation schemes — the kind of stories I tell at AARP’s The Perfect Scam podcast. Financial institutions and retail outlets have laid the groundwork for this shift through years of neglectful treatment. When it comes time to make a trust choice — as a consumer, do you trust your bank or the person on the phone telling you a bank insider is stealing your cash? — all these years of mistreatment are forcing victims into the arms of criminals.
That’s what Diane Clements told me during a heart-wrenching interview for The Perfect Scam, a podcast I host. Diane and her husband, Tom, are both retired professors. They worked their whole lives to build a humble $600,000 nest egg that would fund their retirement. But when Diane’s computer went ballistic on her recently, and a message popped up telling her to “call Microsoft,” she followed the instructions. Soon, an operator on the other end of the line told her that all her bank accounts were hacked. It was an inside job! And they wanted Diane’s help catching the bad guys. Diane was already struggling — her breast cancer would soon return, requiring aggressive treatment, and that only increased the frantic nature of these communications with “bank” security officials. During the next three months, after near daily conversations with a set of online criminals, Diane and Tom slowly moved every penny of that $600,000 into accounts controlled by the criminals, all the while thinking they were helping catch a bank insider committing a crime.
I know it can be hard to understand how these crimes occur, but when you hear Diane tell her story, it makes sense (click here to listen ). The thing that really touched me deeply was the stark contrast Diane experienced when talking with the criminals vs. talking to her bankers during the episode. The criminals sounded kind, empathetic, thoughtful — while workers at her local bank were downright mean. One even accused her of lying about having cancer during the episode.
“They (were) really mean. They’re rude. They are not helpful to me. Nobody reaches out to me and says, Dianne, I’m concerned about you. Everybody saw me as a perpetrator, not as a victim. I still struggle with that,” Diane told me. “The contrast between them and the banks was stark. And the dissonance that caused me took its toll, because I could not understand how the banks could be so indifferent. So uncaring. Or so cavalier.”
When the day came that someone at a financial institution needed to intervene on behalf of a consumer in distress, Diane’s bank just couldn’t do that. When a criminal told her to distrust workers at the bank, that was an easy story to sell. Years of neglect had set her up for a confrontational exchange, and that’s what she had.
You can’t mistreat people for years and then suddenly ask them to trust you. Trust is won over a long stretch of time, through hundreds of interactions large and small. I see companies erode trust every day. I just looked at my phone while writing this piece and saw an email from Uber with the subject line: WARNING! It was a marketing pitch. Think about all the communications you receive that include trigger words like “verify” or “transaction,” all focus-grouped to make you click because you *think* it’s an important message about security — when it’s just an ad. One day, when Uber really needs me to read a communication from them, I’ll probably ignore it. Or worse.
If Diane had felt some positive vibes from her bank, and if someone there had taken the time to really talk with her, she might still have that $600,000. And this scenario plays out over and over again at retailers and financial institutions across the country. For some reason, corporations have adopted the habit of treating their customers like potential criminals. In doing so, they’ve opened the door wide for the real criminals.
This is the message I delivered at a talk I gave recently to Navy Federal Credit Union employees about online scams. We’ve given lip service for years to the idea that we should enlist consumers to help with cybersecurity. We want them to forward phishing emails they get. We want them to read our happy bulletins explaining the latest scams. It hasn’t worked. We need to do much more than that. We need to make sure that consumers are on our side. We need to make sure consumers trust us. We need their hearts and minds. Criminals are enrolling consumers as accomplices, making the job of hackers so much easier. To combat this, smart companies will invest in long-term consumer trust, deputizing their shoppers and account holders as agents who can spot scams, but more important, trust them enough to come to them when something feels wrong.
Back to Hank Molenaar. The real reason that scam worked? Bank of America was going to put him on hold for 40 minutes. That gave criminals a big window of time to call him back first, impersonating the bank. Poor customer service was the security vulnerability. Imagine if Diane *knew* that she could send an email or place a phone call to a kind company representative who would answer her questions as quickly as the criminals did. The bank would have had a fighting chance, anyway. Good customer service is good security.
Corporations spend billions of dollars on expensive software and experts designed to thwart sophisticated digital attacks. That’s fine, but criminals are just sending manipulated consumers into the front door to steal money for them. Some of that cybersecurity money should be spent investing in customer service instead. When your consumers trust a random caller claiming to be from the IRS more than they trust you, cybersecurity is only one of the problems you have.
I know it’s poor form to repeat myself, but this message needs to come through — Javelin recently found that more money was lost to scams (“consumer-assisted crime”) than to credential hacking. This is a trend with staying power. Ignore it at your peril.
I’ve spent my career wearing two hats: as a cybersecurity reporter, and as a consumer reporter. Often, editors were confused that I insisted on covering both beats, as on the surface, they can seem quite different. Why should I care about the latest buffer overflow *and* unfair overdraft fees? Now, you know why. They are two sides of the same coin. And everyone should care about both.