Ok, since folks are asking (@kattiidenberg @andresmh), I'll tell you how it went down.

I was AFK for the day, driving my parents to the house they're about to move into, so I could help with logistics.

Vulnerability 1: I was distracted with emotionally heavy stuff.

Vulnerability 2: I was on my phone, not my laptop.

At a gas stop, I checked my phone and saw an email from an address at my home institution saying that an alumna was giving away a piano & we should reach out to her if interested

Vulnerability #3: I recently built a new music studio in my house, and I really would love to have a piano, so there was a strong emotional hook

I reached out to the "alumna" immediately and she said I could have the piano, but I had to get it ASAP because she was clearing out her storage rental.

Vulnerability #4: ticking clock.

The alumna told me that the piano had been a gift to her late husband, who recently passed away

Vulnerability #5: her tragedy made me not bug her for details.

Vulnerability #6: Because the originating email was from my home institution I had greater trust for the sender (believed it was a colleague)

Anyway, I called my wife and said "Guess what, we're getting a free piano. Can you please reach out to the shipping company and take care of it, because I'm on the road"

Vulnerability #7: I represented this as a done deal from a trusted source to my wife, so she did less due diligence than she would have otherwise.

My wife reached out to the shippers and they told her we'd have to pay for transporting the piano, which seemed only fair.

The shipping company had a slick looking website. They had a phone number, and a guy named "Roger" was accessible by both phone and email. They offered us three different shipping options, from 2 weeks (lower cost) to 2 days (higher cost). We chose the one in the middle.

Vulnerability #8: Between professional website, responsive email, and human on phone, there were enough points of presence to seem like a real operation.

So I gave the green light to my wife, who paid for shipping. Unbeknownst to me (she says she told me, but like I say, I was AFK and distracted), she paid via Zelle, not credit card. The name on the Zelle account didn't match Roger or the shipping co name.

I would probably have flagged this if it was me paying, but she didn't.

So immediately after we paid the "shipping company," they sent us an email with a tracking number. We entered it on their slick-looking website and it said that the package had been shipped. Which was verified independently by an email sent by Roger.

Vulnerability #10: Despite all my expertise on the subject, I still believed that an arbitrary shipping number yielding a legible result on a slick website meant that there was a business behind it.

(We were sooooo excited to get this piano)

Roger reached out to my wife the next day and said that the package had been held up. Apparently, something that large couldn't be shipped w/o insurance. We'd need to pay for that, though it would be fully refundable. He could set it up for us. The insurance would be $1500 (twice the cost of shipping).

This made zero sense. It immediately dawned on us that we were getting scammed.

Back at my laptop & no longer AFK, I did a whois lookup on the shipping site. The URL was registered THIS MONTH.