I Fell For This Email Scam—And You Could Too
Even the most savvy among us can fall for a con and lose hundreds of dollars. I learned this first-hand when an imposter’s plea arrived in my inbox.
The email popped up on my screen at 6:45 a.m. on December 24 last year. I’d already been up for a couple of hours, working to deadline. It was from someone I know quite well: the minister of West Vancouver’s North Shore Unitarian Church, which my family attends.
“I need a favour from you,” the message said. “Email me as soon as you get my message.”
“Ahoy Ron,” I replied.
A friend was in the hospital battling cancer, he said, and he’d just learned she was scheduled for surgery that night. Could I possibly pick up some iTunes gift cards? “She needs the cards to download her favourite music and videos to boost her confidence on her next phase of surgery.” He’d do it himself, but he was tied up, he explained. “I will surely reimburse you as soon as I can.”
No one else in the house was up, so there was no one to run this by. But then, I probably wouldn’t have asked for a second opinion anyway. It didn’t really occur to me that this might be a scam.
“OK,” I emailed back.
“Thank you so much, Bruce,” my correspondent replied. Then he got down to business. I was to buy $300 of iTunes credit. (That is quite a lot of music, I thought.) “I need you to scratch the silver lining at the back of each card to reveal the redemption code, then take a snapshot and send them directly to Sharon’s email.” He gave the address.
“Let me know when you’ve sent it,” he wrote. “God bless.”
God bless? We’re Unitarians. Optimistic agnostics at best. The “G” word doesn’t come up much. Totally weird sign-off there. I assumed Ron’s mind was still on the dire circumstances of his friend Sharon, who was evidently a Christian.
“I can pick up the card around noon and engineer this by tonight,” I replied.
He was super grateful, he replied six minutes later, but that would be too late. “Can you please send them to her by noon so she could be able to use them before her surgery?”
This was awkward timing. But hey, what was my slight inconvenience against this woman’s cancer fight—on Christmas Eve, no less? I drove to the grocery store and purchased four gift cards. The clerk activated them at the till. At 9:30, I emailed pictures with the following message:
The codes on the cards below will buy you music via iTunes.
Everybody is pulling for you.
They tried to double-dip on this dupe
A busy Christmas Eve day then unfolded. I forgot all about this until, around 4:30 p.m., while waiting for takeout fish and chips, I checked my email. A follow-up message—one that contained some odd grammar—was sitting in my inbox.
“Sharon just emailed me now saying she got the cards. I want to really appreciate you for that. I’m sure it’s going to go a long way in her fight over cancer.”
But now there was a new development. Apparently, word of the gift cards had made its way around the cancer ward. Other patients were asking Ron for the same thing.
“Could you please get me additional $500 worth of iTunes gift cards right away? I will be paying you back $800. I’m so sorry for the inconvenience.”
This was a bridge too far. The personal friend was one thing, but random strangers on the ward?
I called Ron.
“Hey Bruce. What’s up?”
“Are we too late to help those other patients?” I asked.
Silence. Then: “Um, I don’t know what you’re talking about.”
“Those other patients on the ward who now also want music,” I said.
“Bruce.” A long beat. “It’s a scam. Somebody has been impersonating me. I put out a warning on Facebook.”
“I didn’t . . . see that.”
Why we let ourselves fall
Phishing, “the easiest and the most productive attack vector used by criminals,” as one security consultant put it, is now so common it’s practically a demonstration sport at the fraudster Olympics. Indeed, reports of this exact scam I’ve just described can be found on the Internet in five seconds. But it never occurred to me to check. The question is, Why?
Near the end of the film The Sixth Sense, director M. Night Shyamalan springs his trap. And you go: Wait. Bruce Willis is . . . dead? I remember feeling stung. Disoriented. And yet, in retrospect, the evidence was there all along.
It was exactly the same experience when Ron—the real Ron, that is—said over the phone: “It’s a scam.” There was the sudden reframe, the forehead-smacking denouement.
That is the brain on a well-crafted fiction, says Vera Tobin, a cognitive scientist at Case Western Reserve University in Ohio and the author of Elements of Surprise: Our Mental Limits and the Satisfactions of Plot. The sympathies and attention of the “victim” are expertly manipulated by narrative sleight of hand.
The stakes start small. In my case, the initial contact was modest and believable. There were the shoe-shuffling apologies, the thanks in advance. From there, the story unfolded. Next thing I knew, I was putting on my jacket.
Scammers exploit thinking errors in the same way storytellers do. We are “cognitive misers,” says University of Toronto psychologist Keith Stanovich, taking mental shortcuts and jumping to conclusions wherever possible. That’s why Stanovich insists that gullibility isn’t a sign of low intelligence. It’s a sign of “low rationality,” which is different. The front brain never has a chance; the horse has already left the barn with that first snap judgment.
Scammers take advantage of other cognitive errors, too, like “optimism bias.” Most people think they’re a little bit charmed, a little luckier than average. We harbour a personal fable that things are likely to go well for us. The possibility that we’ve been hoodwinked just isn’t as “available” as a happy ending.
And then there’s “consistency bias,” which says people tend to act in accordance with whom they believe themselves to be. When I received the first email it spoke to my sense that I’m a nice guy, and here’s an opportunity to prove it. “You were on a goodwill mission,” said the cop at a North Shore RCMP detachment who dutifully took down my report. “And that kind of put blinders on you.”
Lastly, behavioural economists coined a term, “anchoring,” which psychologists also use—the act of relying too heavily on one piece of information. “It’s hard for people to set aside something they already know,” says Tobin. “And that, then, constrains our ability to reason.” The scammer had fixed in my mind the image of a cancer ward, and to make matters worse, I could see Sharon in my mind because I have been there—I was at my father’s bedside when he died of cancer.
All these factors together may incline scam victims to overlook what should be glaring red flags. My minister didn’t use my name in the first email. Then again, maybe he was in a hurry? (The scammer didn’t use my name because he didn’t have it. Until, with my response, I gave it to him.) And the grammatical errors from a person I knew to be fastidious with language? I chalked it up to stress. Basically, I read those emails through a filter that cleaned up the language and imputed only good motives.
Profile of a likely scam victim
If successful scams exploit these universal cognitive biases, why don’t all of us fall for them? Around 20 per cent of the population is especially vulnerable to scams, says Stephen Lea, a psychologist at the University of Exeter. And of the folks who receive phishing emails like mine, only around three per cent actually bite, according to a recent study by telecom giant Verizon. So we few, we sorry few, we band of schlemiels: What’s different about us?
There’s a widespread perception that scam victims are predominantly older folk. But that isn’t quite right. Millennials are actually scammed more than any other group, according to Federal Trade Commission data from the United States. But they lose less money than seniors because they have less. (Curiously, seniors are more likely to get scammed face-to-face. One theory is that older people are less likely to notice visual cues of insincerity.)
The stereotype that the lonely are sitting ducks is true. Lonely people are more likely to let scammers get their foot in the door; they open unsolicited mail and stay on the line with those bogus Canada Revenue Agency officers.
I’m not lonely nor a millennial. But I was randomly phished in a pool that is viewed as promising for scammers: a minister’s congregation. There’s evidence that con artists disproportionately target religious groups—although it’s less clear whether “people of faith” are actually more gullible to such scams. Most Unitarians, I’d venture, are of the “trust but verify” variety. And sure enough, I learned that no one else in my congregation was fooled. This scammer was lucky to have found me.
“Remember the time you almost bought a car with a lien on it?” my wife reminded. “Or the time you went to the Downtown Eastside to pay the guy who said he’d found your stolen camera his promised finder’s fee?” (He collected the fee up front, then disappeared into his apartment to “get the camera,” never to be seen again.) She started enumerating the scams she could remember; it took two hands.
Perhaps gullibility, as Stanford psychiatrist David Spiegel believes, is a “neural trait” in the way that hypnotizability is. (Brain scans of “very hypnotizable” people reveal distinct activity patterns, Spiegel found.) Whether that proves true, there are other character traits that we scam victims demonstrably share.
We are decisive. Okay, impulsive. Deficient “depth of processing” is another way to put it, and mine was abysmal in this case.
“Naive” or “trusting” could also apply, although social scientists prefer the descriptor “unsuspicious.” And we are “risk takers,” physically, financially and emotionally. Psychologist Stephen Lea found that self-reported risk takers were much more likely to be victims of scams.
You’d think ignorance would be a precondition of getting bilked. But weirdly, the opposite may be true. Sometimes the problem isn’t knowing too little but too much. One of Bernie Madoff’s victims was a psychiatrist named Stephen Greenspan, who lost about a third of his retirement savings to Madoff’s Ponzi scheme. Just two days before he learned he’d been hoodwinked, Greenspan had published a big authoritative tome, the fruit of decades of research in his area of expertise. It’s called The Annals of Gullibility: Why We Get Duped and How to Avoid It.
Overconfidence, it turns out, can produce a kind of unwarranted swagger, an almost comically obtuse misreading of events. The more we know, the less likely we are to second-guess our initial take on something.
I had actually been in the middle of editing some articles on how to avoid scams when the first email arrived. This should have made me be able to smell a ruse at 50 paces. But here’s the thing: while I had a solid general knowledge, I’d never encountered this particular scam. There was no Nigerian prince, no one claiming to be from the Canada Revenue Agency or Microsoft or Apple. It didn’t even involve money directly. Why would a crook want music? (The answer is, of course, that they don’t. The reason scammers ask for iTunes gift cards is simple: the codes are hard to trace. And, once they have them, they can resell them.)
“I’m afraid there’s nothing we can do,” said the agent from Visa’s fraud department after silently hearing out my whole story, back on shift after Christmas break.
“Because it’s not fraud,” he said. “When we dispute a charge, our claim is against the merchant. But the merchant didn’t do anything wrong here. You willingly purchased those gift certificates.”
Wait, what? I didn’t willingly purchase them. Or did I?
I was drawn to drama
What distinguishes fraud from all other crimes is that it demands cooperation from the victim, notes Lea. Or, in other words, the dupe is always complicit. But what could possibly be the payoff in getting robbed?
Maybe the answer is not so different from why we go to magic shows, or The Sixth Sense–style movies with whip-crack endings. It’s weirdly pleasurable to suspend our disbelief and then have the rug pulled out from under us. “That ‘aha’ moment,” says Tobin, “is something humans like a lot.” The tension and release, after being expertly led into jeopardy, is something I’ve probably been missing on the flat sea of midlife.
And of course, for a writer like myself, drama is its own kind of payoff. What did I get out of the whole ordeal? Well, I got a “moment”—a frisson of aliveness, a memory to distinguish this day from all others, forever. And, not least, a story.
Next, find out 12 password mistakes hackers hope you’ll make.