De-frauding a fraudster (and a WhatsApp scam to watch out for)

Some weeks ago, a vacuous scammer temporarily commanded my mother’s WhatsApp account. He picked the wrong son’s mother to swindle; naturally, I found him for a phone interview (it wasn’t hard).

But I’ll come back to that. First, let me explain how the scam works so you can be wary of the signs.

As with so many a ruse in our hyper-technological era, this one starts with apparent correspondence from a trusted friend or family member. In my mother’s case, she got a text from her oldest sister.

“Hi! How are you?” it said.

Normal enough so far.

“I need a small favor if you can.”

“Sure, what’s up?” my mom wrote back.

Next comes the peripeteia.

“I just sent a wrong message to your direct number by accident. If it’s not too much trouble, can you return it to me here?”

In this context — this column that started with scams as its premise — it might be obvious there’s something suspicious at play. When my mom got a text from her sister in the middle of a Zoom conference, though, she wasn’t inclined to mull over the details and quickly forwarded the message in question.

But, of course, it wasn’t my aunt. And the “wrong message” contained a recovery code to activate my mother’s WhatsApp on a new device. Within seconds of sending the message, mom was locked out, and the scammer was at liberty to impersonate her much as he had my aunt.

WhatsApp is designed with a sophisticated encryption protocol to protect users from attacks on their data (except by its parent company, Facebook, but I can’t get into that here). But the app also features facile functionality that can easily get you in trouble.

To access a WhatsApp account, one needs only the corresponding phone number, which is easy to come by. When users want to launch their accounts on a new device, they type in their phone number and wait for a text supplying an activation code. The idea is that only appropriate users have access to their phones, and so typing in the code verifies their identities.

To steal the account, however, fraudsters need only to know your phone number and then ask for the code you get. These louts don’t have any impressive hacking ability, nor even must they research targets. They’re undeserving of the honorific “white collar criminals.”

They just roll the dice with hundreds of potential victims and wait for some to act hastily.

Once they’ve got your account, they’ve also got your contact list and can begin the process anew, texting all your friends and family and asking for verification codes. As you can imagine, the network of appropriated WhatsApp accounts grows exponentially. And eventually, when they suspect someone is especially gullible, they’ll ask for money transfers.

To save myself some time, I texted my “mom” on WhatsApp after my real mom, despondent and exasperated, called to apprise me of the situation.

“You might get a message from me on WhatsApp, but it’s not me,” she said. “Don’t engage.”

Come on ma, don’t you know me better?

“Hey, how’s it going?” I wrote to my unsuspecting scammer.

“Good thanks. I need a small favor if you can.” I guess these people operate from a script.

“Sure, no problem, I’m happy to help!” I shot back.

I can only imagine my scammer’s glee at having found such a credulous victim.

At this point, I’ll skip ahead through about two hours of conversation. Every time the scammer had WhatsApp send me a code, I eagerly sent it along — always one digit off. He tried as many times as WhatsApp allowed him, growing more frustrated with each failed attempt. “Is this guy so witless he really can’t send the right numbers?” I like to think the witless scammer wondered.

When the verification code texts didn’t work, he cut to the chase and asked for $1,400. I was oh so happy to oblige.

“OK, I sent it with Zelle,” I told him. “I just rounded up to $1,500. Do something special for yourself with the extra $100.”

When the money didn’t arrive he feigned panic.

“I’m really worried cuz I really need to resolve this problem.”

If I’d actually thought I was texting my mother, that message would have undone the ploy. My mom, the consummate logophile, would die before writing “cuz.”

After drawing out my victim’s conniption a bit longer, I got bored with him and dropped the hammer.

“Hey you retromingent vermin, I know you’re not my mom you moron. Thanks for giving me enough time to trace your IP address; the feds are on their way.”

Not my best work. Having traced his IP address was an unimaginative threat, but I’d expended my creativity over hours stringing him along. And if you’ve followed my writing carefully, you’ll know “retromingent” is my default insult — purloined from the great, and often abrasive, Ben Bradlee.

I expected a quick conclusion to the evening’s escapade. Probably some snide remarks, maybe a flurry of reciprocated insults. I got nothing, and that was more insulting than any insult could have been. Hadn’t I hurt his feelings?

“No response?” I wrote him. “No clever repartee? No shrewd retort?”

His demure response: “Nope. Nothing.”

He was actually afraid — I couldn’t believe it. I egged him on some more without response until my phone started ringing with a WhatsApp call.

“I know you couldn’t get my IP address, right?” he said. “You can’t find me, you don’t know where I am.”

I was flabbergasted — that he’d called me in fright, sure — but mostly at his very obvious southern accent. Where was this guy actually? I’d expected (based on poor English in his texts and the prevailing trend among scammers) that he was in another country. He could have been down the street for all I know.

“Is this what you do?” I asked him. “I mean, does this really work? Is it your job?”

“I’m just doing what I have to to take care of my family, man,” he said.

“OK, well how much do you normally make in a day?”

“I mean, it depends, but maybe $30,000 to $40,000.”

He said something else after that, something about how he’s just given the phone numbers by his boss and he doesn’t mean anything personal against the people he texts. I was still fixated on $40,000 in a day.

Maybe he was lying, although I’m not sure why he would except perhaps to cushion his pride. But I think the figure could check out. He thought I’d sent him $1,500. If that’s his average ask, it would only take about 27 people to reach a $40,000 quota. My mom has hundreds of WhatsApp contacts, and who knows how many other people this guy impersonates in a day.

After helping my mom recover her account, I tried calling WhatsApp to learn more about scams on their platform. Facebook has long been known as a fraudster’s paradise. The company has done too little, too late to prevent frequent cons, and it seems they don’t want to talk about it. It’s prohibitively difficult to reach a real person, and all of my correspondence went unanswered.

At least on WhatsApp there’s an easy preventive measure to avoid my mother’s plight, though it’s not engaged by default, nor sufficiently advertised. In account settings, enable two-step verification. After you choose a PIN, WhatsApp will require more than just a texted verification code to permit account activation on a new device.

And if still you suspect suspicious activity — with respect to your WhatsApp account, Facebook profile or anything else — you know where to find me. I’ll happily take your scammer to task.

Have an idea for what Chatham business topics I should write about? Send me a note at dldolder@chathamnr.com or on Twitter @dldolder.