I like to think I’m pretty knowledgeable when it comes to online scams. I know that I shouldn’t click on weird links or give out my personal information and that people can call and impersonate my bank. I also work for an organization that is extremely proactive when it comes to cybersecurity. And I even worked for a bank, so if you had asked me two weeks ago I would have said I knew what to look for.
Yet last week, I suddenly found myself the victim of an extremely sophisticated cybercrime. I feel incredibly embarrassed and stupid—the feeling of embarrassment was overwhelming—but I do feel that the only way to regain some sense of agency is to share what happened in hopes that it will not happen to others.
It started with an SMS from what I thought was my bank saying someone was trying to set up a payment to a new payee. The text message said I should call the number provided if this isn’t me. It looked perfectly legitimate and I had no reason to doubt it as it came from a number I had received verification messages from before. (I later found out that this is called “Spoofing”.)
I called the number and the first thing I heard was a message saying the bank was a scam hotline and there might be a slight delay in answering my call due to the increase in cybersecurity breaches. The recorded message and music was exactly like my bank’s.
Shortly after, I spoke to someone who sounded like a bank employee. He had me look at my account to see if there were any other suspicious transactions – there weren’t – and after doing some checks and putting me on hold to talk to the “technical experts”, he determined that I looked like me. was infected with a virus.
Related: SMS scams on the rise despite success in blocking fake phone calls
This was incredibly worrisome as we have a mortgage offset account, so the fear came to my mind that a substantial amount of money would be at risk. The man I spoke to said it would be fine as we stopped it just in time. But he explained that we would have to change my BSB and account number as it was a major violation.
A “case manager” was then assigned to me to make sure everything was fine with my accounts. Again, I received a text message with the woman’s name and e-mail address to the number from which I received the verification codes.
After more than half an hour of going through this process – which I now understand is part of the process of gaining my trust – he told me that I needed to transfer some money to the account manager to complete everything and that amount would be refunded. would be randomly generated.
At this point I countered and said that didn’t sound right and he explained very kindly and empathetically that he understood, that this was just part of the process and that it would soon be resolved and all the stress would be gone. with. The “randomly generated” number was around $22,000. I was extremely worried about doing this and said that much, but it still puts me at ease. “How can we send you a message from the same SMS number?” said. “Fundamentally impossible”. He explained that after making the transfer, the new account will be set up and everything will be resolved. I would get a confirmation SMS and everything would be back to normal.
I did too. And I thanked him for his help.
When the SMS did not come, I immediately got nervous and called the bank and there I learned that it was a scam. A very detailed, very professional, very sophisticated scam.
I reported it to the bank within 30 minutes. They told me the investigation would take six to eight weeks and there was no guarantee that I would get my money back.
I felt physically sick. I can’t remember a time in my life when I felt so ashamed for being so naive. Playing it in my mind, I can clearly see the points where I needed to understand what was going on, but everything – messages, advice, friendly conversations – all blinded me to the signals and went against my instincts.
It’s hard for me to write this and reread it, because I know that if I were reading this about someone else, part of me would be thinking, What the heck. Fake.
I spent the next day in tears, scolding myself for being so stupid, wishing I had done things differently. I told a few close friends but begged them not to tell anyone because I was so embarrassed and ashamed of what I had done.
I still feel it, but what I realized is that I am the victim of a crime and I am not going to help myself or anyone else by saying nothing.
I reported the fraud to the bank but they gave me no guarantee that my money would be refunded. The police simply directed me to the bank; and filing a fraud monitoring report with the ACCC doesn’t seem to prompt any action either. All I can hope for is that I can at least help others by sharing my story.