Javascript is not enabled.

Javascript must be enabled to use this site. Please enable Javascript in your browser and try again.

Skip to content
Content starts here
CLOSE ×
Search
Leaving AARP.org Website

You are now leaving AARP.org and going to a website that is not operated by AARP. A different privacy policy and terms of service will apply.

I Never Thought I Could Be Scammed ... Until I Was

I was a victim of a cybercrime. Here’s what to do if you’re next


spinner image Illustration of hook grabbing rope in water
Chris Gash

I was at my desk checking email and saw a fraud alert from PayPal. I skimmed the message below the familiar logo: “Here’s your invoice. Due on receipt. $1069.69.”

Hmm. I hovered my cursor over the sender’s address to see if it matched the display name. It appeared authentic: Service@PayPal.com. Still, I knew not to click through the email itself and instead logged directly onto my PayPal account. There it was — an invoice from a company I’d never heard of.

My heart began racing, and in my adrenaline-fueled panic, I made a huge mistake. I returned to the email (which I now trusted was real), saw the line that said, “Don’t recognize this invoice?” and called the phone number for reporting fraudulent charges that was listed underneath.

That’s when the trap was sprung.

The man who answered my call said he’d help me after verifying my identity. Like the perfect mark, I dutifully gave him my email address, along with the code PayPal then texted to my mobile phone.

“Someone in Miami is trying to purchase an iPhone with your PayPal account,” he said. “Your financial information and credit cards have all been compromised.”

Suddenly, I realized what I’d done. I’d called the number on an unsolicited email, and the man I was talking to was a crook trying to finish the scam by drawing more information from me.

I hung up and tried to log back in to PayPal, but the scammer had already changed my password, using the code I’d just provided. Requesting another code to my phone, I was able to access my account. By then, he had sent 26 more invoices to PayPal for bogus services totaling over $20,000.

With shaking hands, I called the customer service number on PayPal’s website and reached a representative. He promptly locked down my account, emailed password reset links, confirmed my contact information and walked me through canceling each fraudulent payment request.

Luckily, I’d acted quickly and reached a real agent in time. Had I hesitated, the scammer could have changed the mobile number associated with my account and locked me out while he approved the bogus charges. I would have had to work through PayPal, my bank and my credit card company to try to recoup my money.

Aside from my bruised ego and rattled nerves, I was unscathed. My money hadn’t left my account and, after a brief investigation of the original invoice, PayPal closed the case in my favor.

What To Do If You’re Scammed

  • Immediately call and report the scam to the appropriate bank, credit card company or website. Always get the number from your bank card or the website, never from an email, text or search results, which can be fake.
  • Contact one of the three credit bureaus — Equifax, Experian or TransUnion — to add a fraud alert and help prevent identity theft (an alert to one will alert the others).
  • Update your password and verify your personal information.

Precautions for All

  • In the future, use two-factor or multifactor authentication to log in to all accounts.
  • And set up real-time notifications for any financial account activity.

Until this, I’d prided myself on being wise to phishing scams. I know to check a sender’s email address and not to click links. I delete all texts from unknown numbers and go directly to the source whenever I’m notified of problems on my accounts. But this criminal tricked me into responding by alerting me to his own fraudulent activity. Combined with spoofing the sender’s domain to appear as a trusted source, this was a whole new level of deception.

Darius Kingsley, head of consumer banking practices at Chase Bank, says scammers are always evolving their tactics, even using AI (artificial intelligence) to replicate the voice of a loved one in trouble who needs money immediately. “They can also spoof a contact’s phone number so it looks like a friend or family member is calling you, making the scam more believable,” he says.

McAfee’s Global Scam Message Study, released late last year, revealed the sophistication and volume of scams as significantly better and larger than anticipated. A key finding: People receive an average of nearly 12 fake messages or scams daily, via email, text or social media.

Roma Majumder, senior vice president of product and design at McAfee, says scam artists wait for any opportunity, and when we take security shortcuts for speed or convenience, they take advantage. She explains that access to advanced technology has made it even easier for cybercriminals. However, companies are also using that technology to try to stay ahead.

For example, Scott Knapp, director of worldwide buyer risk prevention for Amazon, says a passkey — a newer two-factor authentication method — is more secure than a password. It creates an encrypted connection between a website or app and your device using the same biometrics you’d use to unlock your device, such as a fingerprint or face ID.

Those I spoke with emphasized the importance of staying vigilant, using available tools to protect your devices and transactions, and reporting all fraudulent activity. Companies like theirs are working with telecoms and web-hosting providers to outsmart cybercriminals.

“Last year, we took down over 40,000 phishing websites and over 10,000 fraudulent phone numbers,” Knapp says. “So reporting can make a very real difference.”

 

                                  More Members Only Access

 

Unlock Access to AARP Members Edition

Join AARP to Continue

Already a Member?