After building up his side business and Instagram following over a few years, Tim takes the leap to run his business full time. When he sees a testimonial video from an Instagram friend boasting of her successful cryptocurrency investment, he decides to make a small investment with extra cash from his booming sales. He is, in turn, asked to make his own testimonial. Before he knows what has happened, his account has been hijacked and a hacker is using the video to steal money from his friends.
[00:00:00] Bob: This week on The Perfect Scam.
[00:00:03] Tim Nugent: This is not me. This is somebody impersonating me, and then, you know, panic sets in. Facebook and Instagram has pretty much been zero help. It's just been a nightmare.
[00:00:11] Eva Velasquez: A single fraudulent event has these tentacles, there can be many, many victims reached just due to that single account takeover. I really do think 2022, is going to be the year of hacked social media accounts, there’s going to be a long tail on this fraud.
[00:00:29] Bob: Welcome back to The Perfect Scam. I'm your host Bob Sullivan. Maybe you've dabbled in Twitter or Instagram or Facebook; you have only a handful of connections. You can't imagine why anyone would try to steal your account to hack in. But today's story will send you scurrying to improve your passwords on all those accounts because we're going to hear from a man who's account was hijacked and being used by the hacker to steal money from his friends. And you'll hear from an expert who will warn you about all the other dreadful scary things a criminal can do by impersonating you on social media. But first, let's meet Tim Nugent. He lives outside Philly, and like many Americans, he was pretty fed up with his office job, so a couple of years ago he starts to dabble in a side hustle, and well after a few years, the side hustle become much more than a passion project. It becomes a life preserver.
[00:01:31] Tim Nugent: Yeah, so I worked a uh, company for about 3½ years and then we actually got bought out by a big company, so, you know, they ended up laying off, I think like 40 something people, so I took it as a sign, you know, to go fulltime with my uh, small, I have a few small businesses, and yeah, I just was like, you know what, let's go for it. Let's, let's get things moving.
[00:01:55] Bob: So tell me about this um, this small business that you're running.
[00:01:59] Tim Nugent: Yeah, so um, I run a hardware merchandise company. I do licensed and a few unlicensed, you know, shirts for movies. I do original art. I collab with other artists. You know, I, I do a hot sauce as well. We've since then kind of separated the two, but uh, we've done some licensed hot sauce with uh, horror hosts such a Joe Bob Briggs, we've used a lot of um, professional wrestlers from the WWE and GCW which is very cool.
[00:02:27] Bob: What do you mean by horror?
[00:02:28] Tim Nugent: So, you know, like horror movies for example, you know, Friday the 13th, the Silent Night, Deadly Night, Chuckie, any sort of stuff like that we would either uh buy licenses or do original art and um, yeah, put out merchandise; t-shirts, sweatshirts, you know, et cetera.
[00:02:46] Bob: So, so t-shirts depicting scenes from the film or characters from the film.
[00:02:50] Tim Nugent: Yeah, or original art. You know, one of my big things was um, collaborating with different artists in the community showcasing the work, and kind of getting their name out there which was one of the benefits of doing it as well. Um, we did a, me and my buddy who uh, he does licensed art and puts out new movies or old titles on VHS, 'cause there's a big cult. You know how vinyl has made a big comeback, well now, VHS has kind of been making a comeback.
[00:03:18] Bob: Most of the people who buy Tim's merchandise find him via Instagram. Images of the original art can sometimes go viral. He wasn't getting rich, but he had built up this modest business and his Instagram follower account rather nicely.
[00:03:34] Tim Nugent: I built it from 2014 to '15 until you know, present with uh, almost 14,000 followers and a huge following and a lot of customers.
[00:03:43] Bob: So Tim makes merchandise for horror movie buffs, and makes hot sauce. Oh, and he also has a taco truck that he brings to breweries on weekends.
[00:03:53] Bob: I, I've got to say as someone who frequents breweries and loves taco trucks outside breweries, um, you're, you, you're a hardworking guy.
[00:04:01] Tim Nugent: Yeah, I've always just kind of been motivated to you know being an entrepreneur and having my own businesses, so between the, the merchandise, the tacos, and the hot sauce, that was kind of, well my little side hustles I was doing. But um, yeah, it's a lot of work.
[00:04:13] Bob: And so, okay, so you're, you’re doing this and you're getting some momentum. I mean if you have, you know 10, 15 thousand Instagram followers, people obviously like what you do. It sounds like you weren't quite ready to take the leap, but then um, you know the fulltime job kind of nudged you over the edge. Is that right?
[00:04:28] Tim Nugent: Yeah, exactly.
[00:04:30] Bob: But how scary was that step to take?
[00:04:32] Tim Nugent: Yeah, it was definitely scary, you know. But everything was kind of pointing in that direction. Things were moving. I was doing, you know, anywhere from 50 to 250 orders, you know, a week. Sometimes I was putting stuff out every Friday or every other Friday, and it was becoming you know, just a lot of work and a lot of time to pack all these packages and to do this art. So I was kind of like, yeah, let's, let's go for it, you know. It's time. I think I'll be able to support myself doing it, and that's why I kind of made the leap, it just kind of felt like it was time.
[00:05:05] Bob: Instagram is absolutely essential to the leap he's taking.
[00:05:09] Bob: Okay, so how important is an Instagram account to a business like that?
[00:05:13] Tim Nugent: Oh, well, to be honest, it's, it's pretty much everything. It was how I was doing all of my promoting, how I was advertising, you know, new things or new lines that I was dropping coming out. Yeah, it was pretty much everything. Um, I mean my Etsy page does have, you know, I think I was over 2500 sales, and up to 400 reviews, mostly five stars, so that, that helps, but to be honest, yeah, all the promotion and all of the traffic was coming from that, from that account.
[00:05:46] Bob: I mean this might not be as obvious as it probably is to you to people listening, uh but, but ev--, everything you're doing is visual, so Instagram is the perfect place, maybe even the only place for you to sell things like this, right?
[00:05:59] Tim Nugent: Oh yeah, absolutely, and I'm not, you know, there is a lot of us out there, and most of the companies that are doing you know this merchandise and stuff are very supportive of each other and not very competitive which is very cool. And um, yeah, this is how a lot of us uh, make our living.
[00:06:14] Bob: Right about this time, as Tim is browsing Instagram for fun, he spots a post by a friend about an investment in cryptocurrency. Crypto, like bitcoin, have been in the news a lot lately. Tim has heard the stories. He has even invested a little in cryptocurrency before. But this post is different. It offers a chance to get in on the development of a new coin and promises fast money.
[00:06:42] Bob: So tell me ab out the post.
[00:06:43] Tim Nugent: So, the post was from um, an internet friend/old coworker, but it was essentially saying that they made an investment to this company, got their money back fast and, you know, I thought I was talking to that person the whole time, obviously because they had posted the video of themselves explaining what they did and how they invested. So that's kind of how I made the leap initially.
[00:07:07] Bob: The video she posts includes evidence of the money she's made; pictures of her bank account balance claiming to show she's turned a profit within just a few days.
[00:07:16] Bob: What specifically was she offering? Was she offering help with setting up a crypto account or what, what was...
[00:07:22] Tim Nugent: Yes, she was essentially like, you know, through this program, um, you know if you invest, you know, X amount of dollars you can get it back in, you know, anywhere from 1 to 3 days. You can get back this much. So say you send a thousand, they were offering, you know, like 5000 back or something like that.
[00:07:39] Bob: What was your first reaction to the ad?
[00:07:41] Tim Nugent: Um, I was like, you know, I had some extra money that I got back, and I was just like, you know, let me make a little bit more of an investment, this sounds, to me it sounded fine because, like I said, of the X, you know, so much uh evidence and just, you know, physically seeing your friend with a video saying that you know, this is all they had to do, and bing, bang, boom. But um, yeah, that's kind of, that's kind of what attracted me to this situation.
[00:08:05] Bob: And Tim already in risk-taking mode decides to go for it.
[00:08:11] Bob: Uh, did you take the plunge, you know, five minutes later? Did you think about it for a week?
[00:08:15] Tim Nugent: I made the plunge the same day.
[00:08:18] Bob: And, and so, tell, tell me, describe to me what you did to take the plunge. What did you do?
[00:08:23] Tim Nugent: So essentially um, you know, they would say, just send it to uh this Zelle account. This is uh, someone who's involved in the program. And it was like a random name. And essentially how it went was, you know I had, you know maybe I sent a thousand to start, and they were like, oh no, I sent 500 to start, and then they were like, "Oh, uh, you need to send another thousand for this." And then I was like, "Uh okay."
[00:08:48] Bob: At this point, Tim is starting to wonder about these additional requests for money, but after sending them out $3,000, his contact at the firm says there's just one more step before he can start seeing a profit. He has to make a video endorsing the project. A video like the one his friend made.
[00:09:08] Tim Nugent: Yeah, I essentially said the same thing she did.
[00:09:11] Bob: Here is the audio from that video.
[00:09:13] Tim in video: I just got done shopping big, 'cause I made an investment through (beep) and get your money quick. You get it fast. It's as simple as that. Make it happen.
[00:09:24] Bob: He's beginning to get uneasy about the money, and about the video. But they promise he'll soon start getting some cash back. But first, they just have to verify a few other things about Tim, mainly about his Instagram account.
[00:09:40] Tim Nugent: They'll have you change the email associated with your account, because they'll be like, oh, we need to verify your account to make sure that you either didn't like buy your followers or do this or do that. I don't know, I don't remember exactly what they said.
[00:09:54] Bob: The next day or so is a bit of a blur for Tim. He isn't quite sure why, but he starts getting some strange messages from customers.
[00:10:02] Tim Nugent: A lot of customers would, you know, be like you know, I thought you were, I thought you sold merchandise. What's with all this bitcoin stuff, and all this, all this mumbo jumbo?
[00:10:11] Bob: These are private messages from friends and customers with more questions. But he hadn't sent his followers anything. It slowly becomes clear that someone is impersonating him on Instagram, and that someone has control of his account. Whoever it is, they're writing posts and private messages pretending to be him soliciting money from his contacts and the whole situation is now spinning out of control.
[00:10:37] Tim Nugent: Yeah, I tried to start making posts and reaching out to people that you know, this wasn't me. This is not me. This is somebody impersonating me, and then, you know, panic sets in.
[00:10:46] Bob: At this point, the woman who set him up with the program won't answer any messages. He realizes she's probably a hack victim too. By then, nobody from the crypto company will write back, and he begins to realize he'll probably never get any of his money back. But more important, he can't access his 14,000 followers. Instead, the criminals are using his account and his video to try to scam his customers. And he can't stop them. Instead, he can only wait and watch as messages come in from other victims.
[00:11:24] Tim Nugent: My one friend got scammed for, for $4500 and you know, that might have been all the money he had.
[00:11:29] Bob: I, I can't imagine what kind of panic that was.
[00:11:31] Tim Nugent: Oh, it was absolutely awful, you know, it was starting, it, it feels like I straight up got my identity stolen, and I guess I did to an extent.
[00:11:39] Bob: Time is now frantically trying to get in touch with Instagram, and its owner, Facebook, to regain control of his account, or at least to get it shut down, but no luck. He says the company was unresponsive.
[00:11:51] Tim Nugent: The feeling was absolutely horrible just knowing that you know, there's not a ton that you can do, and you know, Facebook and Instagram has pretty much been zero help. They're borderline, you can't even contact them without issues like this. There's no really customer service or help center or anything. So it's just been a nightmare, it's been an absolute mess.
[00:12:09] Bob: Meanwhile the imposters keep dreaming up even more terrible ways to use Tim's Instagram account for crime.
[00:12:15] Tim Nugent: These people are ruthless, and yeah, one person told me a story like you know, they did it because they thought the return would be quick and they had medical bills to pay for because they had just gotten out of the hospital. Like this guy does not care about anybody or anybody's story. It's, it's absolutely insane.
[00:12:31] Bob: And on top of all the guilt he felt, these criminals keep on using his account to commit crimes against his customers. The incident has been devastating to his fledging business. Tim told reporter Joseph Cox at Vice Media which first reported the Instagram hack that, "It's borderline ruining my reputation and business."
[00:12:52] Bob: Is there some way for you to quantify the loss in sales because, you know, you've essentially lost your main platform for connecting with customers. You've gone from taking say a couple hundred orders a week to, to what?
[00:13:05] Tim Nugent: Um, I think since the account's been hacked, I have maybe had 30 orders. And that's in, yeah, in a whole month.
[00:13:16] Bob: Oh, dear God, they basically killed your business.
[00:13:18] Tim Nugent: Yeah, basically killed my business.
[00:13:24] Bob: Eva Velasquez is CEO of The Identity Theft Resource Center. It has a free hotline that offers advice to victims of identity theft. About six months ago, her organization sent out a warning that it was suddenly getting a flood of calls about social media hacks, particularly Instagram hacks. So she's heard plenty of stories like Tim's.
[00:13:47] Eva Velasquez: It's a very familiar sounding story if I'm being honest, because these are just like the calls that we've been getting into the call center for months now. Hacked Instagram, particularly Instagram but all social media accounts has, has been one of the number one issues that we've been hearing about.
[00:14:07] Bob: You warned the world a few months ago about an increased in hacked Instagram accounts. It was a very timely warning, um, but I think for a lot of people a natural question is, you know, this is just pictures of my cat and what I ate for dinner. Why would anyone want to hack my Instagram account? How could that be valuable?
[00:14:22] Eva Velasquez: Oh my goodness, I, and I think that's part of why it's become such a lucrative opportunity for the fraudsters, because we aren't placing the appropriate level of value on it, and it is not necessarily the content that you've provided. It's your followers. It's your professional network.
[00:14:41] Bob: When a criminal steals your account, they steal your network. They then can trade on your reputation, on your trust relationships, and they're off to the races. Even if you have just a couple of connections, the crime can spin wider and wider like a spiderweb, very quickly. Eva tells anyone who will listen about what she calls the chain of victimization.
[00:15:07] Eva Velasquez: This is where you are looking at a single event, a single fraudulent event that has these tentacles and you are, unfortunately, many individuals are victimized due to that singular first event. So it just keeps moving on. I took over Eva's Instagram account was taken over, Bob is my follower, Bob then thinks he's talking to Eva and provides information that is enough information to allow his account to be taken over, and now we'll just say, "Jim," and now Jim, one of Bob's followers, the same thing continues to happen. I don't even know Jim. Jim wasn't one of my followers, but because there's this chain effect, there can be many, many victims reached just due to that single account takeover.
[00:15:57] Bob: That's just a crazy, and if you let your mind wander for a minute, you can imagine this grows very quickly to thousands upon thousands of potential victims, right?
[00:16:06] Eva Velasquez: It's, it's really disturbing, and I think that's exactly what is happening now.
[00:16:10] Bob: Social media account takeover crimes can be so much more disturbing than you've ever imagined. One crime I've reported on recently, a man who was genuinely sick and needed a kidney transplant had his account hijacked, and the impersonator sent a message to the followers saying an organ donor match was found, but he needed to raise money fast to get the surgery. The followers, thinking they were helping a friend, donated to the fake fundraiser. But there are even more awful imposter crimes happening.
[00:16:42] Eva Velasquez: Again, this is really like a smorgasbord for the thieves and, and depending on how they want to monetize it. One of the other ones that was very disturbing to us, and it can come in the form of a spoof where an account is created to look like the legitimate account holders, but it, their legitimate account hasn't been taken over, or it can come in the form of a takeover, especially prevalent with young, attractive, college-aged women where they will then start making promises of explicit content, and start directing people to other accounts like an OnlyFans account, say, hey, if you want to see my explicit content, go over here. And they begin collecting money, credit card information, you know, from a form of payment to see that explicit content, which doesn't exist by the way, and not only do we then have that chain of victimization, so you have these other followers who are victimized, you have the reputational damage to these young women who then have to go to explain to their, you know, their universities, to their parents, to their boyfriends or husbands, or whoever they're in a relationship with, hey, that's not me. I, I don't post explicit content.
[00:17:53] Bob: How awful, though, what a terrible thing to go through.
[00:17:57] Eva Velasquez: Again, it's the tentacles. It's this layer upon layer of victimization for the individual victim, and then the chain of victimization all occurring at the same time.
[00:18:06] Bob: These kinds of crimes are unfortunately picking up steam because criminals have found them to be profitable.
[00:18:13] Eva Velasquez: We get about 15,000 individuals contacting our contact center directly every year, and we’ve had thousands of people calling us over the last couple of months with these types of issues. I really do think 2022, this is going to be the year of hacked social media accounts, and we’re going to have, there’s going to be a long tail on this fraud.
[00:18:36] Bob: "At the root of the problem is misplaced trust," Eva says.
[00:18:40] Eva Velasquez: So we see followers, people that we know on either Instagram, or, you know Facebook, pick a platform, and we think, oh, I know that person. You don’t necessarily know that person, but if that’s the only way you’ve interacted with them and they reach out to you, you are now going to have this elevated level of trust in anything that they tell you. So having your account taken over so that your friends and followers can be exploited is really the main reason that this is happening. That’s the end goal of these scammers. And if you think about it, once it’s done one time, now you’ve opened up those followers, we can take over their accounts, and the chain of victimization just keeps going.
[00:19:23] Bob: Her advice, don't trust digital interactions, even if they appear to be from people you know.
[00:19:31] Eva Velasquez: Really whatever type of digital interaction we’re talking about, you have to a--, adopt what cybersecurity experts call a zero-trust mindset. It, and it goes against our nature, but really that’s one of the best things that you can do, is remind yourself every time you’re engaging that I don’t actually know who I’m talking to. This is not the same as a face-to-face interaction. It just isn’t. And I’m not saying that it’s less valid or doesn’t have positive benefits, or any of those things; I’m simply saying that you cannot trust that you know who you are talking to until you verify. So regardless of the number of times you’ve talked to them, how close they are in your personal network, any of those things, if it’s a new kind of engagement, a text message, a direct message coming in, even a phone call, you need to mentally adopt that policy and say, I cannot trust until I verify that I’m actually talking to that person. And to give you a, a concrete example of that, let’s say you get a, a direct message on your Instagram account claiming to be one of your friends, and it just seems a little off. Like maybe they’re using language they don’t normally use. Maybe they’re, they always capitalize “I” and they aren’t this time when they’re typing or vice versa. Pay attention to those cues. That is your brain noticing something is amiss and get in touch with that person through another method. Don’t continue to have the conversation on direct message until you verify, no, that actually is you.
[00:21:15] Bob: And if you are a victim of an account takeover, what are you supposed to do?
[00:21:20] Bob: So you're in the middle of a crisis. Uh, what, what are the steps people should take?
[00:21:23] Eva Velasquez: We always advice people to go ahead and contact the platform directly and, and make sure that you do that first thing because you do want to have a record of that, and you want to make sure that you get that complaint into them. Again, it’s wildly inconsistent when they’re going to address it, but you want to make sure that happens. I would also tell you to disengage with the scammer because they could talk you into doing things that are not in your own best interest like making a video, like sharing other credentials. I would disengage from that platform altogether until you get the issue resolved. Then I’m going to recommend that you change your passwords on your other accounts, is, your other social media accounts, or any account where you were reusing that password. I know people aren’t necessarily going to admit, oh yeah, I use the same password for, you know, my email and my bank account, but we know that you sometimes do. So no judgment here, just advice.
[00:22:21] Bob: And just how do you get back into that hacked account? Well, that's not very clear.
[00:22:28] Bob: It just seems uh, incredibly frustrating that you know this, someone using your account for an ongoing crime, and you can't even reach someone to, to get it stopped.
[00:22:37] Eva Velasquez: Well, and unfortunately, it's the, the squeaky wheel gets the oil or the, the kind of the, the presence, because I have seen individuals have called us and when they are able to get in touch with say the media and have their individual story highlighted, they will often get moved to the front of the line.
[00:22:57] Bob: Well what does Instagram say or do in these cases?
[00:23:01] Eva Velasquez: You know, it is really hit or miss, and organizationally, we would like to see all of these online platforms, uh, provide better customer service and, and better fraud redress, so we are really pushing them to provide better solutions because we hear from people all the time that say, I have reported this, but it's kind of gone out into the ethers. I haven't even heard back that my, my complaint or my issue has been received. And the only way to get in touch with many of these platforms is digitally. You cannot pick up the phone and call someone, and that just does not work in addressing fraud. So we're really encouraging these, these organizations to please take this seriously and, and step up their game in providing better resources to individuals who've had their accounts taken over.
[00:23:51] Bob: I should point out that we reached out to Facebook for the story, but the company did not respond to our request. One really important piece of advice from Eva, if you've been hacked, stop communicating with the criminal. Offers to give you back access to your account say in exchange for making a hostage style endorsement video, are just a lie. The criminal might say...
[00:24:16] Eva Velasquez: ..."give me an endorsement video and I'll, I'll give you access to your account. I'll, I'll let you have it back." Believe me, it doesn't happen, and now you have this video out there that you, you can't claw back. And the other thing that we're hearing from folks is that they, they will get after their account's taken over, they will then somehow get in touch, whether someone's, another friend reaches out to them and says, "Hey, uh, I know someone that can restore access to your account, they just need to get a little bit more information from you." So they end up quote unquote hiring this person to get access restored to their account, but they end up sharing other account credentials in the process. And then not only do they have like say their Instagram account, may be now it’s their bank account or their PayPal account or some other financial account that has also been taken over by the fraudster.
[00:25:09] Bob: Tim is still feeling the effects of his account takeover. As we recorded this podcast, he still hasn't been able to wrestle back control of the account. "The cut from ID theft crimes is often very deep," Eva says.
[00:25:25] Eva Velasquez: My, my heart just goes out to him. I mean we hear these stories every day, and it, you know, I'm, I'm going to go on a tangent here, Bob, but just for any of the business leaders or decisionmakers who are listening to this, this is a, you know, case in point, that this is not a victimless crime. So many people think that financial crimes, that identity crimes, and even, to a degree, a lot of cybercrimes are victimless crimes, and that people, ah, your bank will take care of you, or your insurance will cover it, or you know in--, insert excuse here. And it’s just not true, because even if he is somehow made financially whole, think about the emotional consequences, and, and the time that he has spent and the, the, you know the impact on his business that could also have an impact say on his subcontractors, on his employees, on you know, again, I go to that chain of victimization. And that's, that’s one of those very, it’s thematic in financial crimes. It’s often not just one individual or one issue. It really takes over a lot of different aspects of your life and your business.
[00:26:40] Bob: Tim, he's still trying to pick up the pieces.
[00:26:44] Bob: I am so sorry. That just sounds like such a nightmare.
[00:26:47] Tim Nugent: Yeah, it's been, it hasn't been great, but um, like I said, I'm trying to push forward and just you know not give up on trying to get the account back. I just would wish, you know, they would at least take a, you know, take it down or something to protect people. But...
[00:27:03] Bob: I know it's, you're still in the middle of this thing, so this isn't the best time to ask you this question, but it's always a good time to ask it, but just, just before we get into the, the smaller details, in a large way, what would you tell somebody else who runs a small business and uses a social media as a platform? Do, do you have any advice for folks like that?
[00:27:22] Tim Nugent: Oh yeah, basically, if anybody, um, comes to you with an investment or uh, asking for money in any sort of way, just, you know, automatically assume it, it's a scam or if somebody, you know, that wants to harm you or your account. This is something that I wasn't, you know, very aware of going into it, and even if it's somebody that you know or something, immediately ask for the um, the selfie or call. How about a phone call, right? A phone call could have probably solved the whole thing. But you know unfortunately in today's age, and I'm, you know, a part of that, texting or you know videos or this or that, and the other thing, are, you know, become the new normal, so I would recommend anybody asking you for money or claiming to be somebody that you know, make sure that you physically talk to them or physically see them.
[00:28:07] Bob: He feels so strongly about making sure other people hear this warning that he's decided to go public with his story.
[00:28:15] Tim Nugent: One of the biggest reasons I agreed to come on here was just to kind of, you know, make it known and make people aware that, you know, this is going on every day, and that people on a personal level and on a business level are being affected, so, you know, just it's all that spreading awareness and, you know, warning people and making sure that you know, everybody is safe, especially on--, online and on social media right now.
[00:28:41] Bob: If you have been targeted by a scam or fraud, you are not alone. Call the AARP Fraud Watch Network Helpline at 877-908-3360. Their trained fraud specialists can provide you with free support and guidance on what to do next. Thank you to our team of scambusters; Executive Producer, Julie Getz; Researcher, Haley Nelson; Associate Producer, Annalea Embree; and of course, our Audio Engineer, Julio Gonzalez. Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Bob Sullivan.
END OF TRANSCRIPT
How to listen and subscribe to AARP's podcasts
Are you new to podcasts? Learn how to subscribe to AARP Podcasts on any device.