Disengage, Then Verify: The Lesson From a Viral Personal Finance Column

Proving there is still hope for Western civilization, occasionally a piece of long-form journalism goes viral—and people read the whole thing. That happened mid-February, when it seemed at least half the Internet’s denizens gobbled up a long, first-person essay by The Cut personal finance columnist Charlotte Cowles, who confessed to being scammed out of $50,000 in cash last Halloween. The Internet being the Internet, there is a brewing debate over whether the story is real. Some skeptics point to the lack of details on simple points like her bank’s procedure for withdrawing that much cash and what paperwork and reporting was involved. Others flag the seeming implausibility of the whole story. I will leave the broader credibility debate to the rest of the Internet, but when you know how scammers work and which tools they have at their disposal, the basic outline of the story isn’t far removed from others ordinary folks have suffered from for years. Whether or not there is some artistic license, the essay displays the human psychology that makes these cons work.

If you haven’t read it yet, the TL;DR^[i] is this: Last Halloween, Cowles received a call from a woman purporting to be an Amazon customer service rep who had flagged some suspicious activity on her account. About $8,000 of laptop and tablet purchases. The rep claimed they were from Cowles’ business account. When she said she didn’t have a business account, the rep said there must be some identity theft and would she mind being transferred to an FTC agent Amazon was working with to combat such fraud. Sure. Then the supposed FTC agent came on the line, asked her to confirm some personal information—including the last four digits of her Social Security number—and then bombarded her with scary details of identity theft. Not only were there nearly two dozen money-laundering bank accounts in her name, he said, but she was wanted for drug trafficking in two states. He told her to tell no one, then transferred her to a purported CIA agent who, over several hours, convinced her she and her family were in danger, she couldn’t alert a lawyer without ruining her chances of clearing her name, and she needed to hand a year’s worth of living expenses in cash to a stranger so that the CIA could establish a financial lifeline for her after her accounts were frozen.

Judging from the comments on the article page and an associated Reddit chain, a lot of people think this is too far-fetched. I suspect this thinking is because the article gives the impression Cowles was targeted personally and deliberately, as if the scammers found her, set out learning everything about her, and then pounced. There are a lot of comments along the lines of, why would these guys go after a celebrated personal finance columnist? Shouldn’t they know she is more likely than the average bear to sniff them out? There is also the implication that personal targeting is why the scammers had numerous details including her Social Security number, home address and son’s name.

But here is the thing: While scammers may not ordinarily have this level of detail, it is far from impossible. The sad, maddening truth is that stolen personal details are so common they sell for very little money on the dark web. Or so I hear from experts on podcasts—I have never been on the dark web. But what happens is this stuff gets stolen in data breaches (e.g., the Equifax hack from several years back) then sold in huge batches. So it is entirely possible the scammers bought a batch of names/addresses/mobile numbers/Social Security numbers, loaded them into some sort of scammers’ customer relationship management tool, and started auto-dialing. Those basic details could have been used to gain her confidence on the Amazon call, and then once she was transferred to the fake FTC and CIA agents, her essay notes they spent hours on the phone—oodles of time to trawl her search results and social media for the more intimate details. Such a scam may have been real-time Internet research—not advance targeting.

Regardless, the root error here was falling for the Amazon call, because that functioned as a sort of screening system. It seems like a way to weed out the people with no chance of falling for the scam—the timewasters. Someone who gets through the entire script, no questions asked, is more likely to be credulous enough to fall for the more sinister things that come later. When their skeptical instincts kick in at a later point, as Cowles says hers did, they will probably be in too panicked and emotional a state to act on them.

You can see this tension building as the story unfolds. As it relates, she was calm and rational on the Amazon call. More skeptical on the FTC call, with real-time attempts to fact-check what the agent was telling her, but also increasingly emotional. Then even more skepticism on the CIA call, but emotional and worn down by the long interrogation. When she expressed skepticism, the fake agent trotted out more personal details to scare her with.

So, how do you protect yourself? One, just know—take it as a given—that your personal information is out there and available to some very bad people for very little money. Simply knowing this will make you skeptical of every caller, which is a good way to be. Two, don’t put personal details about yourself or your family on social media. Three, don’t engage fraud detection representatives who call you. Tell them, politely if you like, that you appreciate the alert and you are concerned they might be a scammer so you are going to hang up and call the published corporate number and reach their department that way. If they are legit, they will tell you they totally understand and to have a nice day. If they are scammers, they will press and tell you there isn’t time and that you really just need to trust them.

Several months back, I was scared I was caught up in something similar. I had woken up to a text message purporting to be from my credit card provider about a suspicious charge. I clicked on it and saw the fraud department’s number was hot linked, so I tapped it and called. A nice lady answered and I explained what happened and she said yes, I see, it is here on our screen too, can I just confirm some details, what are the last four digits of your Social Security number? And then my suspicion kicked in. I told her, wait a minute, I’m sorry, but it is 5 AM and I am still quite tired and have broken my own rules and shouldn’t have just tapped on a number in a text message and that all my anti-fraud alarm bells were going off. She laughed and said she completely understood. I told her I was going to hang up and call back on the number on the back of my credit card. She told me she thought that was a good idea and to have a good morning. So I hung up, called the correct number … and was soon back on the line with that same lady. All good.

Anyway, that isn’t a brag—it is to show you that if you tell customer service reps you are concerned they might be a scammer, and they are actual customer service reps, you won’t be offending them. They will be totally cool and helpful. This trick will work whether they are claiming to be from your bank, an online service you use, or any other company. Because the people in these lines of work are fully aware of fraud and want you to be safe just as much as you want to be safe. So if you make it a blanket policy in your life not to engage with unsolicited calls of this nature, you don’t have to make snap decisions over whether they sound nice and credible. You can just say, sorry, I have a rule, I hang up now. Only the bad actors will get huffy.

I guess I could also tell you all the standard red flags in the rest of the scam, such as, the government will never just ask for cash in a shoe box or tell you not to get a lawyer if you are wanted in two states, and that the CIA doesn’t enforce domestic law, but these are the sorts of things that everyone already knows—and can easily forget when under severe emotional duress. And, here again, I will note there are questions about whether this story unfolded exactly as the essay recants. I can neither prove nor disprove that and don’t see the point in trying. The key is this: Scammers know how the brain works and know fatigue and stress can create a mental fog that shuts off people’s reasoning skills no matter how rational they might otherwise be. Maybe, just maybe, people with zero neurotic tendencies wouldn’t crumble in this situation. But these people are also the likeliest to hang up on the fake Amazon rep, bringing us full circle.

So protect yourself. Don’t be afraid to be a little mean to cold callers who tell tales of your compromised identity. Presume they are all bad and let the good ones be a surprise you get when you disengage from the call and independently verify—not the other way around.