The Anatomy of a Scam: The Shoebox Incident

Everyone's talking about the woman who put $50,000 in a shoebox and handed it to scammers and how they would never fall for that scam. It would shock you how many everyday people have embarrassing scam stories.

As an ethical hacker, I can't help you once the scam is over, but I can help you Spot The Scam upfront and shut it down before it gets serious.

Let’s go through the anatomy of a scam, we’ll call this The Shoebox Incident.

1. Spoofing Customer Service:

We’ve seen a major increase in attacks starting with a phone call in the last few years. It’s easy to make the caller ID say anything with spoofing technology you can download on the App Store. Spoofing takes less than 30 seconds to set up and costs about a dollar per call. When hacking, we often pretend to be someone trying to help you, to encourage you to give up sensitive info about yourself, your account, your money, etc. Notice that the attacker was a polite woman to start off this scam, not mean and cruel but helpful. Mimicking real customer support interactions when loss prevention calls.

2. Building Authority with Sensitive Details:

Many people believe that their sensitive personal info like the last 4 digits of their social security number, date of birth, home address, etc are private. In reality, data brokerage sites sell access to most of this data, and anything that can’t be found with a quick google search can be found in data breach repositories.

Just because someone has your sensitive personal data, it does not mean they are who they say they are.

3. Urgency and Fear:

We then see the attacker leverage urgency and fear — “your identity has been stolen and you have been linked to a crime”. This is currently a common scam tactic happening over phone call attacks. Sometimes it hits people to their face, other times it will hit a sibling/grandparent on behalf of a person in their life, requesting bail money for their sister/child/nephew/grandchild, etc.

The second you notice urgency and fear in use, that’s a sign to hang up and tell a trusted person what you just heard before taking any action.

4. Blaming Your Behavior:

Attackers want to build shame around the scam fast so they often reference actions you could have taken recently to build embarrassment, blame your behavior, and ensure victims stay quiet out of shame.

Examples include:

• have you used public WiFi?
• have you used an adult site?
• have you looked up a medical problem online?
• have you purchased from a website you don't know well?

They’re hoping the shame the victim feels leads them to avoid sharing about the scam so they don’t get a 2nd opinion and shut it down (and so the scam doesn’t get talked about and more people fall for it over time).

Please note: the sextortion “adult site” related scams are such a disaster that they’ve been linked to mental health crises and self harm increase in people all over the world. And in almost every single case the attacker is not telling the truth, it's exceedingly rare that an attacker actually does have video of you and 9.9 times out of 10 they just lie to build shame. Report the message as spam and move on with your day.

Also, this attacker’s claim that "most identity theft issues arise after using public WiFi" is not accurate — that’s a lie, too.

5. Demanding Your Silence

If a person ever tells you that you can’t tell anyone what’s happening to you — can’t tell your spouse, family, friends, police, etc. You’re in the middle of a scam. Stop communicating with the scammer immediately. Go see a trusted family/friend/community member to tell them what you’re privately dealing with.

6. Building (Fake) Trust

Attackers will often attempt to build empathy/trust with their victims. They may ask for bank account info and then say “don’t share those details with anyone”, they may ask for a password and then remind you “to never share a password”. The attacker is mimicking a defender here.

In pentests when hacking we often say “remember, don’t hand out your password” after requesting a password as “IT support”.

This feels like such a normal thing for a defender to say that sometimes it builds (fake) trust and empathy that the person on the line is truly there to help.

7. Further Building Credibility Through Spoofing

Let me be crystal clear — almost every phone number can be spoofed using software (and these tools are available on the App Store, and cheap).

The FTC phone number, Amazon Support, Geek Squad, Microsoft Support, your Bank: all of those phone numbers can be spoofed and the caller id will show their name.

Someone calling you from a number that appears to be the FTC is not a confirmation that they are who they say they are. Hang up and call the FTC using the number on their approved site, they’ll tell you it’s a scam.

8. Urgent Monitored Money Transfer

Attackers have many ways of receiving money: cash, bitcoin, wire transfer, Venmo/CashApp, etc and they often want to keep you on the line to ensure you follow through with the arrangement and can’t run the scheme past someone else while you think it through.

Examples of this attack language include:

• “You are being investigated for a crime, stay on the line during the cash transfer so we can monitor”
• “Your nephew needs a bail payment to be released, this is his only call, please transfer the money during the call to bail him out”
• “Your assets are frozen unless you process the IRS payment now during this call, otherwise you’ll need to go through a lengthy trial to reclaim your assets"

9. Swapping Money Types

Attackers often claim to need your money in exchange for a different type of money. For example, they may “accidentally” Venmo you $500, and ask you to send it back, effectively stealing your money and cleaning the money they sent you from a stolen credit card.

They may ask for cash and claim they’ll “cut you a check” to make up for the cash you gave them. This is a scam tactic. It happens in identity theft, marketplace selling/buying, money apps, and more.

That’s a wrap on today’s Spot the Scam: The Shoebox Incident. So many feel they would never fall for this, and as always I hope they're right!

Even if you feel you would never fall for a scam, consider the people in your life that you protect or support: are there any community members, family members, friends, children, colleagues, neighbors, or vulnerable folks you talk to that could fall for elements of this scam?

Communicate the details of the anatomy of common scams with the people who you chat with in your life so they can feel as confident as you that they would never fall for something like this!

--