The Case of the Apple Gift Cards

In January of 2020 I was a cybersecurity professional, and my wife was an accountant. We both know better, but we nearly got taken by a gift card scam.

They look all innocent just hanging there...

We talk about all the scams and attacks out there, and many of us kinda laugh them off. "Who would fall for that?" "Gee, I'd mess with the scammers." "Let them try that on ME!"

It Was a January Afternoon

It was 2020 and I was in Denver for a customer visit onsite at the company I was working for. We had an "all day" presentation/conference for this customer, as part of our renewal process for them. I was in this meeting when my phone rang. It was my wife. I let it go to VM because I was in a meeting, and while I was waiting for her voicemail to transcribe I texted: "in a meeting, is this an emergency?"

Then I saw the VM transcript. It was something like this:

I'm at the drug store and I need to get some gift cards for work. Which credit card should I be using?

Now I'm a cybersecurity professional. That question should have raised alarm bells for me. I should have asked questions as well.

Why do you need to get gift cards?

What are they for?

Why you?

When do you need them by?

But what I texted back was this:

I recommend the green card.

Five minutes later I get the following text messages:

I got hacked
Can you call me?
I'm sorry.
I also answered a call on my cell. They can't get anything from that can they? Also emailed from my personal laptop through remote connection, could my computer be infected?
The (redacted) receipt I was texted a picture of. Oh dear.

This is probably a good time to point out that we're an Android household - with the exception of my work laptop the only apples in the house at the time were Granny Smiths and Galas.

Reconstructing What Happened

I made my excuses and called my wife. She was very anxious on the phone, and extremely apologetic. I felt like a schmuck because this is part of my job, and I couldn't even protect my family from falling prey to this sort of scam. Here's the story of what had happened.

My wife had gotten an email that seemed legitimate as all heck from one of her coworkers asking her to quickly get her ten iTunes gift cards at $100 each for what seemed like a legitimate (if poorly planned) reason. The coworker she was supposedly contacted by was someone who would be responsible for this sort of thing under normal circumstances, and this wasn't the first "last minute" request my wife had gotten from this coworker.

My wife had been at an off-site event all day, so when she got the email she couldn't just walk over and discuss things with her coworker, so she was diligent and went to the local drug store to purchase these cards, first calling me to figure out which credit card to use.

She then proceeded to buy the cards. The cashier (Mark, per the receipt) asked her if she was sure she wanted to buy them, and informed her that because of scams and other policies these cards were nonrefundable, and the sale would be final. Undeterred, she bought them.

My wife emailed her coworker who asked her to send her copies of the numbers/barcodes from the cards, and then someone called her "on behalf of" that coworker looking to speed up the process. It was at this point that she realized what was going on and sent me the "I got hacked" texts. She hadn't shared the card numbers with anyone as of yet.

Have I Told You My Wife Is Smart?

So there she was, with $1000 in gift cards that she couldn't return, but she didn't give the scammers the codes that would allow them to drain the cards of value. She figured it out before the real damage was done, though she didn't see it that way.

While we talked on the phone I told her how impressed I was that she realized what was going on before giving the numbers to the scammers, and how good that was. But she was still shaken up. She was nervous that her phone and laptop could have been infected or corrupted by the scammers. She felt violated. She felt she let me down. I'm not sure she realized how much I felt I let her down when I got her initial voicemail.

We quickly discussed the fact that having a bunch of iTunes gift cards wasn't a horrible thing. For one, we had family members who would appreciate those as birthday and Christmas gifts. For two, my company was about to do our annual company kickoff, and had some give-away gifts yet to come up with. It was really a "no harm done, happily ever after" situation for us, since we could afford to float the cost of the cards for a while.

I also helped her understand that she wasn't "hacked" in a computer sense - no malware was installed on her phone or laptop, her phone hadn't been cloned, and her accounts hadn't been taken over by anybody. I helped her gather some data to share with her IT team and left it to them to sort out what had happened - probably a business email compromise (BEC) of that coworker that would need to be resolved.

But Did We Learn Anything?

I'd like to think we did. For one, when I catch myself rolling my eyes at the description of a scam I remind myself how close we came to falling for one of them, and I'm a privacy/cybersecurity paranoid, remember? We got this close to falling for it because I was busy, and didn't think it through. Same for my wife, initially. But given enough time to think about it she came to recognize what was going on, and that made the difference. Be careful about your complacency; scammers have spent a lot more time thinking about their scam than you have thinking about how you'll identify it.

But there were other things as well worth remembering from the episode:

  1. Take time to ask questions. Who, what, why, when, where, and how were important to learn about in grade school, and they're still important to use.
  2. Validate "urgent" requests through another means. If you got it by email, validate it with a phone call. If you got it via text, confirm it via email. The important thing is to use some other communications method than the one you were contacted via. It is significantly harder for scammers to control multiple legit communications channels than just controlling one.
  3. You can fall for some of the steps in the scam but still save yourself from harm if you figure it out before the end. Buying gift cards isn't necessarily bad, but turning over the value certainly is. The scam isn't usually over with the first step, so keep your wits about you.
  4. Scams don't necessarily involve malware or cybersecurity breaches.
  5. Near misses like this are traumatic. They're not a time for blame, they're a time for support. There will be guilt, and possibly anger. Remember that these scams are aimed at people (not computers) for these very reasons - we often don't think as well when our emotions are front and center.

For me, personally, the most important thing I learned is that when my wife calls to ask which credit card to use I need to take that call and pay attention to it carefully, customer meeting or not. 😄


Particular companies and brands were mentioned in this blog. I have no financial relationship with any of them, and merely mentioning them should not be construed as endorsing them or their products. Please, make your own decisions based on your own needs and research.