I just got successfully phished for the first time in 31 years of internet use. I'm mortified, but also fascinated by the unique combination of factors that contributed to my successful hoodwinkery. #LiveAndLearn

Ok, since folks are asking (@kattiidenberg @andresmh), I'll tell you how it went down.

I was AFK for the day, driving my parents to the house they're about to move into, so I could help with logistics.

Vulnerability 1: I was distracted with emotionally heavy stuff.

Vulnerability 2: I was on my phone, not my laptop.

At a gas stop, I checked my phone and saw an email from an address at my home institution saying that an alumna was giving away a piano & we should reach out to her if interested.

Vulnerability #3: I recently built a new music studio in my house, and I really would love to have a piano, so there was a strong emotional hook.

I reached out to the "alumna" immediately and she said I could have the piano, but I had to get it ASAP because she was clearing out her storage rental.

Vulnerability #4: ticking clock.

The alumna told me that the piano had been a gift to her late husband, who recently passed away.

Vulnerability #5: her tragedy made me not bug her for details.

Vulnerability #6: Because the originating email was from my home institution I had greater trust for the sender (believed it was a colleague)

Anyway, I called my wife and said "Guess what, we're getting a free piano. Can you please reach out to the shipping company and take care of it, because I'm on the road"

Vulnerability #7: I represented this as a done deal from a trusted source to my wife, so she did less due diligence than she would have otherwise.

My wife reached out to the shippers and they told her we'd have to pay for transporting the piano, which seemed only fair.

The shipping company had a slick looking website. They had a phone number, and a guy named "Roger" was accessible by both phone and email. They offered us three different shipping options, from 2 weeks (lower cost) to 2 days (higher cost). We chose the one in the middle.

Vulnerability #8: Between professional website, responsive email, and human on phone, there were enough points of presence to seem like a real operation.

So I gave the green light to my wife, who paid for shipping. Unbeknownst to me (she says she told me, but like I say, I was AFK and distracted), she paid via Zelle, not credit card. The name on the Zelle account didn't match Roger or the shipping co name.

I would probably have flagged this if it was me paying, but she didn't.

Vulnerability #9: The amount of existing trust between me and my wife, and the fact that we were each handling part of the operation, caused her to over-trust my referral, and caused me to over-trust her methods of payment. Basically, we both thought the other person was doing more due diligence than we were. Because, generally speaking, we're pretty cautious about this stuff and we've never been successfully scammed before.

So immediately after we paid the "shipping company," they sent us an email with a tracking number. We entered it on their slick-looking website and it said that the package had been shipped. Which was verified independently by an email sent by Roger.

Vulnerability #10: Despite all my expertise on the subject, I still believed that an arbitrary shipping number yielding a legible result on a slick website meant that there was a business behind it.

(We were sooooo excited to get this piano)

Roger reached out to my wife the next day and said that the package had been held up. Apparently, something that large couldn't be shipped w/o insurance. We'd need to pay for that, though it would be fully refundable. He could set it up for us. The insurance would be $1500 (twice the cost of shipping).

This made zero sense. It immediately dawned on us that we were getting scammed.

Back at my laptop & no longer AFK, I did a whois lookup on the shipping site. The URL was registered THIS MONTH.

I notified the bank. My wife notified the police. I notified university IT about the phishing from the university email account. I notified the university attorneys about the scam.

Roger is still emailing and calling us. The "insurance company" he wants us to use has a very slick website. I did a whois lookup on the URL. It was also registered less than a month ago.

I feel thankful that we twigged to it as quickly as we did, and sorry for everyone else in "Roger's" orbit who didn't.

p.s. The guy at the bank said something very interesting to me while I was reporting the fraud.

He said something along the lines of "wow, the Russians are really gunning for us, huh." He sees a lot of this. The source, when identifiable, is usually the same.

Someone else I know had 3 fraudulent checks written from their checking account yesterday. Now they have to close the account and open a new one.

Wondering whether this is how Putin is bankrolling the next phase of the Ukraine genocide.

Update: Someone from the "insurance company" named "Ronald David" just sent us an email (from "Roger's" account, LOL).

It says: "find below the insurance contact information and i have attached a copy of my drivers license for your security and record purpose"

Included: a photo of an expired NJ license matching "Roger's" first/last names.

I shit you not, the face of the authentic Roger is the saddest visage I have ever gazed upon.

Anyway, if you want to help defray the costs associated with our imaginary piano, please buy some vinyl of our new album: https://duniaandaram.bandcamp.com/album/bedfellows
Bedfellows, by Dunia and Aram

p.p.s.:

Vulnerability #11: The "alumna" sent PHOTOS of the imaginary piano. Several. Boy, oh, boy, did I want this thing in my new studio.

Looking back, it was obviously way too good to be true.

If only I had taken 1 minute to do a reverse image lookup on Google: https://www.merriammusic.com/product/used-steinway-model-a/
Used Steinway - Model A - 2014 - Merriam Music - Toronto's Top Piano Store & Music School

This particular Steinway A had just a single owner, and for but 3 years. Circumstances necessitated a sale, and Merriam Pianos is proud to offer this pristine example to the market at more than a 30% savings over the cost of a new.  

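The whois check the author ran on the shipping and "insurance" sites, written out as a small domain-age check. This is an added example, not code from the original thread: the two WHOIS records below are constructed samples with placeholder domain names, the field names it matches are the common registrar variants, and the 90-day cutoff is an assumed threshold.

```python
"""Domain-age check from WHOIS text (added example, not the thread author's code).

The tell in the thread was that both scam domains had been registered within
the month. This parses the creation date out of a WHOIS record and flags
domains younger than a threshold. SAMPLE_WHOIS_NEW and SAMPLE_WHOIS_OLD are
constructed sample records with placeholder domain names, not real registrar
output.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a freshly registered domain of the "slick shipping site" kind.
SAMPLE_WHOIS_NEW = """\
Domain Name: EXAMPLE-FREIGHT-DELIVERY.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Updated Date: 2023-03-02T11:14:09Z
Creation Date: 2023-03-01T16:22:47Z
Registry Expiry Date: 2024-03-01T16:22:47Z
Registrar: Example Registrar, LLC
"""

# Constructed sample: a long-established domain, in a different registrar's date style.
SAMPLE_WHOIS_OLD = """\
Domain Name: example.com
Registrar: Example Registrar, LLC
Registered on: 14-jun-2005
Expiry date: 14-jun-2030
"""

# Fixed "now" so the example run is reproducible (assumed check date).
CHECKED_ON = datetime(2023, 3, 31, tzinfo=timezone.utc)

# Registrars label the creation field differently; match the common variants.
CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered on|Registration Date)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

DATE_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",   # 2023-03-01T16:22:47Z (most gTLD registries)
    "%Y-%m-%dT%H:%M:%S%z",  # 2023-03-01T16:22:47+00:00
    "%Y-%m-%d",             # 2023-03-01
    "%d-%b-%Y",             # 14-jun-2005 (some ccTLD registries)
)


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """Return the creation timestamp as an aware UTC datetime, or None if absent or unparsable."""
    match = CREATION_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(1)
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def domain_age_days(whois_text: str, now: Optional[datetime] = None) -> Optional[int]:
    """Whole days since the domain was created, or None if no creation date can be read."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    if now is None:
        now = datetime.now(timezone.utc)
    elif now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return (now - created).days


def is_suspiciously_new(whois_text: str, now: Optional[datetime] = None, max_age_days: int = 90) -> bool:
    """True when the domain is younger than max_age_days, or when its age cannot be determined.

    A missing or unparsable creation date is treated as a red flag rather than a
    pass: a domain you cannot age is a domain you cannot vouch for.
    """
    age = domain_age_days(whois_text, now)
    return age is None or age < max_age_days


if __name__ == "__main__":
    for label, record in (("new", SAMPLE_WHOIS_NEW), ("old", SAMPLE_WHOIS_OLD)):
        print(f"{label}: age={domain_age_days(record, CHECKED_ON)} days, "
              f"suspicious={is_suspiciously_new(record, CHECKED_ON)}")
```

Feed it the text of `whois <domain>` (or the `events` block of an RDAP response, which is the structured successor to WHOIS and easier to parse). Registration age is a signal, not a verdict: a week-old domain behind a "shipping company" is the thread's red flag, but an old domain can still be hijacked or impersonated, so pair this with the other checks the author lists (payment method, name on the account, whether anyone you know has actually dealt with the business).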
@aramsinn “Reverse image lookup?”
@brettglass @aramsinn drag and drop an image into google and you can see where else it was posted.
@KevinLikesMaps @aramsinn Ah; I see. So, it’s not really a “reverse” search; just an image search.
@brettglass @aramsinn Yes, correct but I suppose I understood it as "instead of searching Google to find an image, I am reversing the process." :)

@aramsinn

Makes you wonder what data breach they got that NJ license from.

That's one reason I will never, ever send a scan of my license to a website to "verify" my identity — not to paypal, not to facebook, nobody.

Even if the website is legit, there is zero accountability if they are breached. All the risk of their security failures is carried by the little guy.

@aramsinn _wow_ that is wild???? and also a very nice piano??????
@oddletters yah I didn't realize how nice until it was too late (just glanced from phone)
@aramsinn a colleague had a similar, although less articulated, story. A friend called and said he had shipped a book to his home address. A few hours later he received a scam text message on his phone asking a small amount to receive his shipment. He assumed it was related to his friend's gift and paid.

@aramsinn That sucks. Honestly, a number of attempts I've been hit with might have landed if the scammers had spent some more time on web design/email layout.

And yes, the dumb luck that you just happened to want what they offered can't be overstated. The only time I clicked on a phishing test at work was after being told about a free lunch and then getting an email about sandwich choices. 🤦

@aramsinn @andresmh oh, yeah, that sounds alarmingly clever and easy to fall for
@aramsinn Wow, that is a weirdly specific scam!
@The_Tim Yep. There were even photos of the imaginary piano.

@aramsinn @The_Tim

what seems a bit worrying is whoever did it clearly knew you were both a musician (OK, it's on your website and Uni records) but also that you might have enough spare space to keep a grand piano (I've got relatives who are musical and have quite a large house but even so can only fit in an upright)

@aramsinn Oh no! Hopefully nothing too serious. Here's a good Reply All to make you feel better. https://gimletmedia.com/shows/reply-all/rnhoww/
#97 What Kind Of Idiot Gets Phished?

This week, Phia wonders what kind of person falls for phishing attacks. Is it only insanely gullible luddites, or can smart, tech savvy people get phished, too? To find out, she conducts an experiment on her poor, unsuspecting coworkers.

@thomnottom No, we only got to Stage 1 (a few hundred bucks). They're trying to Stage 2 us right now (a few thousand) but we're not going for it.
@aramsinn @thomnottom
To feel better you need to write a concerto for imaginary piano.
@mysterydasein @thomnottom OMG I love that idea. @dunia, we have an album name for one of our next projects.
@aramsinn so how did they get you? What were the signs and tactics of truthiness?

@aramsinn Thanks for sharing this stuff. I feel like regular posts about the 'meta' of defrauding people is one of the best ways to protect folks, and I appreciate you for making us all stronger.

Also, I wonder if it could be proven that this was a gov-op from a foreign body could they be sued or held financially accountable in some way?

@aptlyndecided You're welcome, that's why I'm sharing my embarrassing story in public.

As to the second question, I'd be much more interested in holding Putin accountable for his war atrocities than getting him to reimburse me for a couple hundred bucks from a phishing scam.

@aramsinn

True, and even if they did manage to achieve 20 million successful scams of $500 each, that'd be 10 billion, which, over a few years of payback, would probably be virtually invisible on their budget, and on top of that be offloaded to their citizens 😞 Or worse, other countries through more advanced fraud efforts.

@aramsinn same here, earlier this week. I still feel really stupid.
@hariseldon Sorry to hear it. Hope they didn't squeeze too much out of you.
@aramsinn No I fell for one of my company's internal phishing tests. First time that has ever happened. It only cost me my pride.
@aramsinn I probably come out on the short end of things sometimes, but my rule is to never engage with incoming. I have to start the chain of unfortunate events on my own initiative.
@aramsinn Thanks for sharing. It's a cautionary tale for all of us that even if we're experienced and on our guard, the bad guys are getting more sophisticated and things can happen.
@aramsinn zelle is the biggest red flag tbh. I know my own bank uses it but the only time I ever see it talked about is when it is used by scammers.
@aramsinn thanks for sharing. Just goes to show, no-one is scam-proof, only scam-resistant, and only by sharing can we make the scammers' lives harder :/
@aramsinn Amazing Story! Thanks for sharing. I might use this for some trainings if that’s alright with you?
@aramsinn wow, very much appreciate your breakdown of the vuln flags. This has been very educational. Thank you!
@aramsinn Sorry to hear about the scam but interesting write-up, thank you for sharing!