Criminals Cash In on Couple's Credit Card Points

Scammers Steal Hard-Earned Rewards and Convert Them to Cash

Jody and her husband love to travel, and they love to save up credit card reward points to make their family vacations more affordable. When they start getting notifications that some of their points have been redeemed without their permission, they are led on a monthslong ordeal to secure their accounts from criminals who are turning those hard-earned points into cash.

Full Transcript


[00:00:01] Bob: This week on The Perfect Scam.

[00:00:03] Jody: After the second bout of theft, we changed the credit card yet again, and thought it was resolved, and then we're not sure how they accessed the account the third time, but they went in and at that point cleaned out the points and it was over a thun--, hundred thousand points.

[00:00:23] Bob: Oh my God! Wow! They took everything.

[00:00:27] Jody: They took everything.


[00:00:33] Bob: Welcome back to The Perfect Scam. I'm your host, Bob Sullivan.


[00:00:38] Bob: For many families, travel is the only time they get to really spend quality time with each other. Getting away to somewhere different, somewhere exotic, or just somewhere relaxing away from all the distractions of daily life, just being together. Well that family time is precious. But let's face it, travel isn't cheap. So many of us put a lot of energy into piling up reward points, all year long with credit cards, with work travel so we can have that precious two-week trip. It can feel a lot like a game but points equal family time. And you might be surprised to learn that for criminals, points can equal money. Wait until you hear what Jody and her family went through recently when criminals found a way to, well, let's just say, to ruin the family vacation. But before we get to Jody's story, I just want to say she wrote to us at our email address, We love hearing from you. I love hearing from you, so if you have been the victim of a scam, or you just have a question, be like Jody; drop us a note. Okay, now on to Jody's story. As you can probably understand, she's concerned about her privacy so we're only going to use her first name.

[00:02:03] Jody: Okay, so my name is Jody, and I live in Las Vegas, Nevada, with my husband and my two sons. I have one son who's a sophomore, just finishing his second year of college, and another son just finishing middle school that'll be starting high school next year.

[00:02:20] Bob: That's a busy home right there.

[00:02:21] Jody: Exactly.

[00:02:23] Bob: How long have you been in Vegas?

[00:02:24] Jody: Um, all my adult life. I came out here to go to college and met my husband here, and then we never left.

[00:02:34] Bob: Jody says she and her family love living in the desert city.

[00:02:39] Jody: Well, I think it has the great combination of a very suburban environment once you get outside the city, a lot of great diversity. And then you have the excitement and the entertainment of the strip when you want to go enjoy those things.

[00:02:59] Bob: Um, I mean you have big acts, right? Like the Sphere brings U2 there all the time, right? So, have you...

[00:03:05] Jody: We saw U2. It was amazing.

[00:03:08] Bob: Oh, I'm sure. What is that, what is it like in that building?

[00:03:10] Jody: Well, one thing is how steep the stairs are going down. I was worried that I was going to um, take a fall and was taking them real slow. But the 360-video screen is amazing. And it was like no other concert experience we'd ever attended before.

[00:03:31] Bob: Jody and her family also love to leave Las Vegas.

[00:03:36] Jody: Well, my husband is very passionate about traveling, and he converted me of when we got married, and so that's one of the things we really like to spend our extra money on. And it's been amazing to be able to travel throughout the United States, um, overseas. And also, my husband loves maximizing the points and rewards through the hotels and the credit cards and the airline miles. And he has become a real master of using those to pay for a lot of these trips so that we can afford to continue traveling.

[00:04:18] Bob: Uh, and I really admire that. I mean I think we all have, you know that friend, I bet you are this friend for some people who just always seems to have these amazing deals and goes to these exotic places almost for free or close to it, and it's, I know it's a lot of work, but it's also we're all jealous that you do all the work to, to get those free trips. Uh, but before I talk to you about your points, I just wonder if there's some reason why, you know, travel is, is important to you.

[00:04:42] Jody: I think it's a great opportunity to spend time together as a family, otherwise, you know, we're busy, my kids are in school, both my husband and I work, and being on vacation is really that opportunity to spend family time together. And to, you know, see new exciting things.

[00:05:04] Bob: I think when you live in Vegas, I mean Vegas is kind of far from a lot of places, maybe other than Los Angeles, right, so you have to travel to, to see you know what the East Coast of America is like, right, to see fall foliage, to see those sorts of things. You want those experiences for your kids, right?

[00:05:20] Jody: Absolutely. And I know at school, they're just amazed at how well traveled our 13-year-old is.

[00:05:28] Bob: They are well traveled outside the US too.

[00:05:32] Jody: So probably our most exciting trip is that my husband was granted a sabbatical from work, and I was able to get time approved off from work as well, we were able to pull my youngest son out of school, and we went to Europe, we went to Germany, Austria, and Hungary, and it was just a once in a lifetime trip. And we used our hotel points and miles and we didn't pay for any of the airfare or the hotel, that was all done on points.

[00:06:07] Bob: Your whole family to Europe and you didn't pay any airfare or hotel.

[00:06:11] Jody: No. We used points for the whole thing.

[00:06:13] Bob: Wow. Okay, so I just want to make this clear for some people who might not sort of understand the, the point chasing world. You wouldn't be able to take these trips if you, you didn't have these points, right?

[00:06:23] Jody: That's absolutely true. And it can be complicated because each individual airline will have their own point or mile program, each hotel will have their own program, as well as credit cards having programs where you can convert the points you earn into airline miles or into points to stay at a hotel. So it's really understanding the programs and then how to maximize the points.

[00:06:52] Bob: Yeah, I mean it, it's a bit of a game, but it's much more than a game. I mean it's, it's a, it's about being able to take family trips.

[00:06:58] Jody: Absolutely.

[00:06:58] Bob: Okay. And so these points have a lot of value and that you have worked hard to accumulate them.

[00:07:03] Jody: Absolutely.

[00:07:05] Bob: So, if overnight they were to be taken from you, that would be quite a painful thing.

[00:07:09] Jody: Yes, and it's definitely loss of something that has a real monetary value.

[00:07:16] Bob: If overnight those points are taken from Jody's family, it would be painful. Well, the trouble begins with a single email and a stolen gift card.

[00:07:29] Jody: Right, so in December, my husband just happened to check the email account that he had set up to get notifications when our points had been redeemed and noticed that there was a redemption that he had not authorized to purchase an Apple gift card using the points.

[00:07:52] Bob: So he gets a warning, somebody's used, somebody's gotten a gift card from, with your points.

[00:07:57] Jody: Right. So not only can you use these points for travel, but you can also redeem them for gift cards online, which is not something we ever do personally. So he immediately called Chase's fraud department, after a lengthy conversation with them they assigned him a verbal password to his account. Someone had enough of his personal information that they were able to call Chase and impersonate my husband and gain access to the account.

[00:08:30] Bob: The criminals are able to cash in a few thousand points and get a gift card for a couple hundred dollars, but it's not that big a deal. Chase immediately restores the points and the fraud department issues them a new card, so Jody hopes that'll be the end of it. It is not.

[00:08:48] Jody: Before we even received the new credit card, my husband received a text saying that there is a purchase at Target, and this was an out-of-state Target, for a high dollar amount. Did you authorize this purchase? And so he was thinking this was more fraud, and when the text asked him to give him the code that you're going to receive on your text to verify your identity so that we can cancel this transaction, he went ahead and gave them the code.

[00:09:26] Bob: Hmm. And this was a straight credit card transactions, right?

[00:09:30] Jody: Right.

[00:09:30] Bob: It wasn't a points thing, okay, yeah.

[00:09:33] Jody: So then he not, shortly after that happened, he noticed that there was another redemption for more electronic gift cards out of the account with our points.

[00:09:44] Bob: Oh boy. So you haven't even gotten a new card yet, and now you realize that they're raiding your points.

[00:09:49] Jody: Exactly. So he called Chase fraud again, learned to his dismay that the text he responded to was very cleverly designed text, almost identical to other text messages he had received in the past from Chase, but definitely sent to him by a criminal, not Chase Bank.

[00:10:13] Bob: They were bypassing that two-factor authentication this way, right?

[00:10:16] Jody: Exactly, so.

[00:10:18] Bob: Oh no.

[00:10:19] Bob: The criminals needed to overcome the bank's two-factor authentication challenge, so they did that with a text message pretending to be the bank. Still, so far, the criminals have stolen a relatively small number of points and made a fraud purchase. Another call to the bank fixes that, but...

[00:10:37] Jody: So after the second bout of theft, we changed the credit card yet again, and thought it was resolved, and then we're not sure how they accessed the account the third time, but they went in and at that point cleaned out the points and it was over a thun--, hundred thousand points.

[00:10:57] Bob: Oh my God! Wow! They took everything.

[00:11:01] Jody: They took everything.

[00:11:03] Bob: Another new credit card doesn't fix the problem. And this time, the criminals manage to steal every last travel point in the family account.

[00:11:13] Bob: Just, for instance, what can you do with 100,000 points?

[00:11:16] Jody: So, I mean that would have purchased plane tickets for our entire family, or those points could have been converted to hotel points and we could have stayed for a week at a hotel.

[00:11:31] Bob: So they didn't just steal a bunch of points, they stole a whole family vacation from you.

[00:11:36] Jody: Exactly.

[00:11:37] Bob: Wow. Okay, so what does it feel like to see a zero balance?

[00:11:41] Jody: Oh it was so frustrating because we had been trying to stop this fraud for several weeks now, and it seemed like no matter how many conversations we had with the bank's fraud department, they were still figuring out how to access our account.

[00:11:57] Bob: Okay, so now I mean where do you go from zero?

[00:12:01] Jody: So we were very fortunate that the bank agreed to reinstate all the points, but also very paranoid if they would be secure once we got the points restored to our account balance.

[00:12:16] Bob: Now why would you be paranoid?

[00:12:18] Jody: I can't imagine why, Bob. (chuckles)

[00:12:20] Bob: God, I can't imagine, yeah, so, okay so and they give you what a, a new credit card? I mean...

[00:12:26] Jody: Yeah, so we so we were on our fourth Chase credit card...

[00:12:29] Bob: So the banks assure them with this fourth credit card that everything is fine. But Jody and her husband decide to take an extra step to make sure their account is safe.

[00:12:41] Jody: When my husband received the points back, he made the decision to transfer the points over to my Chase account because he felt like it would be most, more secure and at that point, they had not accessed my account...

[00:12:57] Bob: Makes a ton of sense to me, but also, at this point I'm thinking, wow, this is a lot of trouble.

[00:13:02] Jody: It was, and we spent hours on the phone with Chase.

[00:13:07] Bob: Were you confident, 'cause also my brain goes right away to somewhere along the line here you're going to lose some points, right? Now were you confident you got everything back?

[00:13:14] Jody: We were lucky that we got everything back, also my husband was keeping very careful track of all the points and the redemptions at this time to make sure we did get everything back. And I wish I could tell you, Bob, that that was the end of the problems we had, but it wasn't.

[00:13:31] Bob: A few weeks go by, and then the criminals up the stakes.

[00:13:36] Jody: So things quiet down, and then in February, I received a phone call from the head of my company's IT department asking if I was trying to change my company email account password. I told him, no. He was pretty confident this must be some kind of fraud, just letting you know I did not approve the request, and so I didn't really think anything of it because in my role, you know, we deal with fraud in my job as well. I really thought trying to change my work email address might rela--, be related to someone trying to access direct deposit information for employees.

[00:14:23] Bob: Right, God, okay. So that's, so now the problem is much, much bigger.

[00:14:28] Bob: And then, the criminals make their big move.

[00:14:31] Jody: So I remember I was getting ready to take my son to an after-school appointment. As we are getting ready to walk out the door, I get this frantic call from my husband saying, "You must call Chase fraud department now before they close. Someone has gone into your account now and they're trying to redeem the points for a cash advance."

[00:15:00] Bob: Oh no.

[00:15:01] Jody: So they, I believe it was for $20,000, taking all the points out of the account.

[00:15:08] Bob: But, but somebody was trying to steal $20,000 essentially from you?

[00:15:11] Jody: Yes, for the value of our points.

[00:15:13] Bob: Oh my God.

[00:15:15] Bob: So Jody races to get Chase on the phone to prevent what could be a $20,000 theft.

[00:15:25] Jody: Oh, it was so stressful, Bob. And I remember my husband telling me just cancel our son's appointment, but I didn't want to. So I'm talking to Chase on the Bluetooth in my car as I'm driving him over there. Because again, the fraud department was going to close within an hour. If I didn't get a hold of them then, I would not be able to speak to anyone the following day.

[00:15:51] Bob: Oh God. And again, they know what they're doing, they know the timing that they choose for these things, right?

[00:15:56] Jody: Um-hmm. So we were very fortunate that Chase was able to stop the money redemption, since I guess that goes through more checks and balances than redeeming the gift cards.

[00:16:12] Bob: But as that transaction is blocked, the criminals don't give up.

[00:16:17] Jody: So they also redeemed a couple more electronic gift cards that we had to request the points back again as well as now making sure my account was also set up with the highest level of Chase security.

[00:16:34] Bob: So they, they couldn't get the big one from you but they still got a couple of other smaller transactions.

[00:16:40] Jody: Yep, they got a couple of other smaller transactions which again Chase doesn't have any way to redeem that money back as far as we know once it's already been taken off the gift card.

[00:17:22] Bob: And then, Jody assumes, the criminals got angry at her and decide to have a little fun at her family's expense.

[00:17:01] Jody: Then, on the same day, I think maybe this was retaliation because we stopped the cash transaction; we also got a fraud alert on a Delta American Express card completely unrelated to Chase Bank that someone was trying to purchase $11,000 of jewelry from a store in Pittsburgh, Pennsylvania using our account.

[00:17:27] Bob: Wow. Now you're thinking whoever this is, they have the run of my whole personal life, right?

[00:17:32] Jody: Exactly. I was worried about what don't they have access to.

[00:17:37] Bob: Yeah, of course.

[00:17:39] Jody: And they hacked our account.

[00:17:42] Bob: Oh my God! What did they do with that?

[00:17:43] Jody: So um, again, we were able to get the money back on our credit card, but they purchased a laptop, and also the funny part was they purchased a whole bunch of Cheetos. So I guess all the crime was making them hungry.


[00:18:03] Bob: I guess that's funny, although it's not really funny, is it?

[00:18:05] Jody: No.

[00:18:05] Bob: Oh my God. Ah, but, but also it sort of speaks to kind of how sophomoric this group must be, right, they're, yeah, I mean they, I think you're right. I think out of spite they tried this Pittsburgh thing, and then they, just to show you how funny they were, they bought Cheetos.

[00:18:23] Jody: Yes.

[00:18:24] Bob: So Jody has a lot more homework to do that night. And after all this back and forth with the fraud department, she has some opinions about what the criminals were really up to.

[00:18:35] Bob: Do, do you have a sense that it's easier for criminals to steal points than it is for them to make fraudulent credit card purchases?

[00:18:42] Jody: Absolutely. We did not know that much about points getting stolen until we went through this experience, but...

[00:18:50] Bob: Now you're an expert.

[00:18:51] Jody: Yeah, now I'm an expert, and we've learned that first of all, the criminals like these scams because people are not as vigilant about checking their credit card points as they may be about checking their actual credit card purchases.

[00:19:05] Bob: That makes sense to me. You know I think most people think of the points as a sort of bonus that's kind of sitting out there, you know, it's a, a nice surprise when you are thinking about using them once a year or something. So they can rely on consumers not being as vigilant.

[00:19:20] Jody: I do agree. And also, this fraud was coming from a third-party online vendor that Chase partners with, that allows their customers to purchase gift cards if they want to do that with their points. There were several instances where they did access our account, including when my points were stolen, where they never changed the password on our account or the email. So to this day, we do not know how they accessed the account a couple of the occasions where they got back into the account and fraudulently redeemed the points, and so I think this is a big issue for these banks and airlines and hotel chains that have these programs to provide better security for their customers.

[00:20:11] Bob: Jody mentioned several times that these hacks seem to happen at night which she thought was deliberate because they might not be detected until the following day, and also this whole string of incidents began during the busy holiday season.

[00:20:26] Jody: Yeah, so this is taking place in December still, and so when my husband called back the second time, now he was told it would take four to six weeks to get the points back, um, and apparently Chase Bank was being inundated with similar fraud from multiple customer accounts.

[00:20:50] Bob: Okay, well that doesn't sound good.

[00:20:51] Jody: No, um, and also, I think the holidays seem to be a prime time for scams.

[00:21:29] Bob: Yeah, of course, everybody's busy, yeah.

[00:21:01] Bob: Jody spent a lot of time reading about points theft online, which she now knows is more common than most people might think which is why she emailed us and was anxious to speak with us.

[00:21:14] Jody: I listen to the podcast, and I'd never heard an episode alerting people that having credit card points or hotel points or airline miles stolen is also something you need to be concerned about and monitor, and it's not just the points on your credit card that criminals can steal, they can also fraudulently redeem your airline and hotel miles. So you need to be checking all of these accounts if you are collecting and earning these points, because they do have a real dollar value to you as the consumer, but they also have a dollar value to criminals and they're very attractive to them to steal and find a way to monetize the points for um, criminal gain.

[00:22:08] Bob: Yeah, and I really do want to stress, again, these aren't points, these are, this is essentially money for your family vacation. These are hard-earned rewards that you've made sacrifices to pile up and someone's taking something very valuable from you.

[00:22:22] Jody: Absolutely. This is, you know, additional perks that you've earned from spending your money on your credit cards. Or for flying a particular airline or staying at a particular hotel chain. So things have calmed down fortunately. We have all our credit card points back. We have not had any more credit card points stolen, but there's always that worry or anticipation about when will we be targeted again.

[00:22:53] Bob: Jody and her family are understandably pretty paranoid now, but the good news is that after a lot of phone calls, they did get all their points back.

[00:23:04] Jody: We are very fortunate. I know there's a lot of victims that are out some real money, maybe lose all of the money they put aside for retirement, and to me, that is just heartbreaking, and I know we are so fortunate that we were able to get all of the Chase Ultimate Reward points back reinstated to our account. But I also think that may be why criminals like stealing the credit card points or airline points or hotel points because they know that a lot of these victims will get the points back if they notice the fraudulent activity and maybe they feel better about defrauding a bank or a big airline or a hotel chain.

[00:23:52] Bob: Yeah, that, that makes sense. It, it can feel like a victimless crime to them. Or, as you've suggested, other people might not know this.

[00:23:59] Jody: Right. May not even notice that they had the points and doesn't even get reported.

[00:24:06] Bob: So but, but there is a cost to this, isn't there for you?

[00:24:09] Jody: Oh there is, and I think there's a cost in general to our, you know, society with all these banks paying out hundreds and thousands of dollars in fraud.

[00:24:23] Bob: Tell me, help me feel what the cost was like for you and your husband.

[00:24:26] Jody: So I think for us personally, it was really just the frustration of having to deal with this, the countless hours on the phone with the fraud department, and then the need to constantly monitor all of our accounts, checking the email to make sure nothing had been redeemed fraudulently from an account that we had not already reported. It's just very time-consuming and exhausting.

[00:24:55] Bob: And frustrating and all those things for several months, but I think maybe the punchline is, you know, you still don't know what's going to happen next, right?

[00:25:03] Jody: No. And really, I think, unfortunately, it's gotten to the point now where it's not, will you be a victim of some kind of credit card fraud, but when will you be a victim of some type of credit card fraud.

[00:25:18] Bob: So what does Jody want listeners to take away from her story?

[00:25:23] Jody: Um, the first thing is that it's very important to make sure that you do set up notifications and alerts on these accounts that you have points in so that you are notified if something is redeemed from your point total. And to make sure that's an email that you are checking on a regular basis. Another thing we learned is it's important to set up a verbal password with your bank so that if someone calls and tries to impersonate you, if they don't know your verbal password, then they're not going to access your account. And using a common verbal password like your mother's maiden name, is publicly available information that a criminal can find out online so you need to pick something that they would never guess and as a result, if they do call the bank and try to impersonate you, they won't know your verbal password and the bank will deny them access to your account information. The other thing we did is made sure that we were not using common emails like Gmail, one of them that we had problems with was the email through the Cox internet, and take those emails off our account, and now we're only using an email that my husband has access through his workplace where his workplace has added a lot of additional security. So we feel more comfortable using that email than an email we could have requested off the internet.

[00:26:56] Bob: It, you're not using a free email account for any of this stuff now.

[00:26:59] Jody: Exactly, we're using email that has additional cybersecurity.

[00:27:04] Bob: And this story has a very happy ending. Since Jody got all her points back...

[00:27:10] Bob: So where's your next vacation?

[00:27:13] Jody: So we are going to St. Kitts in two weeks.

[00:27:17] Bob: Oh my God, that's great. And you are going on points, I presume?

[00:27:20] Jody: And we're going on points. We're staying at the Park Hyatt, we are Hyatt Globalists, and we're also using points to pay for first class airfare to and from the Caribbean.

[00:27:32] Bob: Wow. Okay, well so I always try to look for a happy ending in my stories. Yours, this is the easiest happy ending I've been able to come with.

[00:27:40] Jody: Yeah, so the happy ending is us sitting on the deck of the pool, enjoying our vacation, and um, redeeming our points.

[00:27:52] Bob: While Jody's story, thankfully, has that happy ending, many stories involving ID theft do not. Some don't ever have an ending. So we wanted to talk with an expert about the larger issues that this story brings up. Here's Dan Lohrmann, Chief Information Security Officer for a cybersecurity company named Presidio. He's spent many years as the Chief Technology Officer for the State of Michigan too.

[00:28:17] Dan Lohrmann: At experiences seen in different people I've worked with and in different situations, all of them, when it all happens, you know, kind of an ongoing way, kind of again and again and again, it, it can be very, very, not just frustrating, but you know, devastating for, for a family and for couples.

[00:28:36] Bob: It's important to discuss the kinds of things criminals might be able to do if they access travel-related accounts. They can do much more than steal points, Dan warned us.

[00:28:47] Dan Lohrmann: When you start thinking about you know it could be any of the airlines, and you bring up that account, typically you're seeing personal information about flights, maybe upcoming flights, you know, potentially once you're in that account, it's not just about the miles, it's also about their travel. And there's, there's sensitive information in there, may--, maybe a TSA number in there, if they have access to that account they can see, you know the TSA-pre, your, your you know passport information could be in that account. Other information about email addresses, account information related to upcoming trips. You know, God forbid they would cancel flights potentially if they were able to get into that account. They could um, change or cancel flights possibly I'm, you know, depending on what kind of verification was needed, change addresses, possibly have refunds sent to a different address, those kinds of things.

[00:29:42] Bob: Well, just the idea that you said somebody could see that me and, and my whole family were going to go on a two-week vacation at some point in the future, that makes me feel really insecure.

[00:29:51] Dan Lohrmann: I would agree. And, and where you're going and when you're going, and what flights you're going to be on, and in fact, if someone did have your account information, and they didn't want to have a kind of reaction, you know, because obviously if somebody's, if all of the sudden the points are gone, if all of the sudden you thought you had 100,000 points, and they're now down to zero, people may react, but if somebody goes in there, I mean I would think they would react, right there, I'm going to go in and I'm going to get my, get my points back, etc., call Delta, call American or United or whatever and complain, but if for whatever reason they were able to get in there and just see the information and not change anything, you may not know that they had access to your account. They may be, you know, I hate to view it that way, but it's almost like cyberstalking, you know, they're able, they're in there looking at what your plans are, where you're going, what you're not you know what you're doing, what you're not doing.

[00:30:41] Bob: I, I think most people would find that even more unnerving than losing some points, in fact that somebody might, might be watching where they're going on, in an ongoing basis. That's, and I think that's, that's really disturbing to think about.

[00:30:53] Bob: To me, the most disturbing thing about Jody's story is that the criminals kept coming after the family's accounts for several months.

[00:31:04] Bob: It's one thing to, you know a fraudulent charge on your credit card or whatnot, you make a phone call, it's an annoying day, but it's over with. But this kept happening and happening and happening to them, and, and that's where, that just feels like next level to me, and you say you had some employees or, or other folks go through that.

[00:31:18] Dan Lohrmann: Yeah, and I think, I think the challenge of knowing when is it going to end.

[00:31:22] Bob: And then you just have this ongoing nightmare.

[00:31:25] Dan Lohrmann: Exactly.

[00:31:27] Bob: Even if, as a consumer, a criminal steals your rewards points just once, well those have a real monetary value, and we shouldn't minimize that part of things. But also...

[00:31:38] Bob: Yeah, and it's, in some ways it's more than the money, right? Because I mean money's money, but it, but for, for, it sounds like for you and I know for Jody, it was her family's ability to take vacations they wouldn't otherwise take.

[00:31:48] Dan Lohrmann: Absolutely. And if you take a long time to build up those points, it's, they're absolutely, you know a lot of investment in your time and in your travel, whether you get those through credit cards, or whether you get those through actually traveling, going you know mileage and, and building those up over, over the years, you're absolutely right, there's emotional attachment to your points. You know, you try and maximize you know open, you know different as, as, as Jody experienced, you know they, the uh, the challenge of, you know, how do you maximize the points with opening up a credit card and maybe getting the bonus points, having to spend $3000 or something along those lines to get the, the bonus miles flying. There's a, a wide variety of ways you can gain points, you know, we can get them via rental cars and, and other things, hotel stays. So yeah, you know, maximizing, going out of your way to ensure that when you travel that, okay, I remember, I am getting a rental car, do I have my sky miles points, do I have my, my account number in the both the, the auto rental, you know, the car rental and the hotel, etc., etc., etc., so absolutely, you know there's a lot of investment into that.

[00:32:57] Bob: The theft of rewards points demonstrates a broadening of cybercriminals' attacks on consumers which we can count on going beyond credit and debit cards.

[00:33:07] Dan Lohrmann: I'll give you one example that jumped out at me in the last months. My wife posted something for sale on Facebook Marketplace. And I won't go into too many details, but I'll just, I will just say this that she got a lot of responses. One of the people that responded said, came back to her, you know responded via, you know, Facebook Messenger and said, "I don't, I want to make sure this is a legitimate thing." So people using security as the reason why they're ask, going to ask you to do something they're about to ask you to do. So a lot of times, you know for security reasons, let me make sure this is a legitimate thing. I don't want to drive to where you live, or I don't want to do XYZ. I want to make sure, so they're actually using security to kind of disarm you or make you, take you off guard. And they asked her, very similar to what happened in this story with Jody, is they asked her to, "I'm going to send you a text, and could you give me your, give me your cellphone," so basically going outside Messenger, going outside of Facebook, the normal process, "Give me your cellphone number. I want to text you something, and I want you to text the number back to me." So what they were doing is they were a) getting her phone number, and then but she's like, "No, I'm not going to do this." So she didn't do it, thank God, she came and talked to me. What they were trying to do was if they had some information about her, maybe they could have reset one of her accounts, they, you know, by, by typing in the code that was sent to her phone from some account they had of hers, they could have literally reset the password and gained access into that account. So very much the same kind of thing that happened in this scenario with points. So I mean those are the kinds of things that very sophisticated, new, new ways that you know you would not have expected to happen; it certainly wouldn't have happened I think a few years ago.

[00:34:57] Bob: Dan had a specific observation about rewards systems which he thinks makes them potentially more vulnerable than traditional bank accounts.

[00:35:07] Dan Lohrmann: One of my pet peeves and one of the things that I've talked about in the past is a lot of the uh airlines don't have multi-factor authentication on a lot of their points systems, they use just username and password. And I think that is a, a major vulnerability.

[00:35:24] Bob: And also, people just might not realize that points can be stolen, or that other parts of their digital lives might be vulnerable to criminals. That's precisely why we make The Perfect Scam.

[00:35:35] Bob: A victim who I interviewed recently made the point to me over and over, um, that you don't know what you don't know. And so these, these un--, unexpected scenarios come up, and if they're not familiar to you, uh you know then they're not far-fetched. And so you know a lot of this has to do with just being ready for, for anything that might happen, I suppose.

[00:35:55] Dan Lohrmann: Yeah, when I, when I worked at the National Security Agency back in the '80s and then you know in--, into the '90s, um, they, that was their, that was their tagline. You don't know what you don't know. I mean and that, and that line plays out so many ways in life. You really don't know what you don't know. And so, yeah, if something seems awkward, something seems out of the ordinary, stop, ask questions, go back and utilize the trusted resources that you have to, to double-check.

[00:36:23] Bob: I, I don't know about you, but you know I, it's hard enough to just keep all the basics secure and keep all the passwords updated. When my mind starts to wander to all the other ways, all, that I might be vulnerable to something, it feels pretty overwhelming.

[00:36:37] Dan Lohrmann: It is. It can be overwhelming, and I think, if, if people are feeling overwhelmed, you know I, I would just say, know who your trusted sources are, AARP certainly is one of those and you know has a great website for helping victims, and/or people who have questions. Where maybe that's a trusted friend who you know, in this case my wife was able to come to me and, and say, "Does this sound right to you that I would, you know be asked just to give them my cellphone number and then re--, reply back with the, whatever number was sent to me?" You know whatever it is, having people that you know and can go to for trusted information, another one is, that, it's a really good website, and is a, is a trusted source. If you've got questions, being, not being afraid to, to go to a trusted source, to ask a trusted friend, and to slow down. And if you have a question, if you think, if something just doesn't seem right, I would stop what you're doing and, and literally reach out to that organization in another way. So, you know your bank's not going to ever call you and say, "Hey, what's your bank account number?" Or, you know, "Tell me your pin or tell me your password on the phone." You have no idea who that person is. So if they're really saying, well this is an urgent request for malware or some other thing that you don't understand, call the bank yourself. Do it yourself. Use your own phone numbers that you know and trust and verify that it is a legitimate request.

[00:38:03] Bob: Long before Dan became a cybersecurity expert helping organizations defend themselves, he was an expert in another kind of defense, he was a college quarterback, and then he coached football. So he can't help but bring that experience into his job today.

[00:38:20] Dan Lohrmann: I love the analogy of football for, for in sports because football and cybersecurity and 'cause there's an attack and defense, an offense and a defense. And the offense is trying to obviously move the ball down the field and score in football, and the defense is trying to prevent that, and there's so many similarities, I mean there's like, you know there's audibles at the lines. We have to change the play, the defense did something different, so we have to do something different with our offense. And, and um, there's a strategy on both sides. The defense, of course, is trying to stop the offense. The offense is, is trying to uh, to move the ball down the field and score a touchdown. So I do think, you know, there's a lot of analogies in sports, football certainly being one of them, but boy, you have to build a game plan, you have to make adjustments during the game, and you have to be prepared for a wide variety of scenarios that could happen. And the better you prepare, the better you're organized, the better you, you practice, you know the better you're going to play in the game.

[00:39:15] Bob: You know it's funny, it's something that we've talked about on this podcast, but it, I think it's not necessarily something everyone thinks about, but it's okay to roleplay some of these scenarios with family members.

[00:39:25] Dan Lohrmann: Oh yeah. Oh yeah.

[00:39:25] Bob: Like talk to grandma and grandpa and say, you know, if I ever was overseas and arrested, I, I wouldn't write you a Facebook message, you know, and things like that. You use that kind of for preparation in roleplaying at companies, right?

[00:39:39] Dan Lohrmann: I think it's a great point. And I totally agree. And I think what I would really encourage people to think about is when they see these stories in the papers, and they, they pop up almost weekly, somebody's done something somewhere in the world, right, and it's, wow, that's a crazy story. You know, you know somebody who, you know virtual kidnapping or you know I, you know I'm stuck in a train. Don't tell my mom and dad. But wire me $10,000, you know, whatever it might be. You know utilize those in a, could that happen to us, you know ask, ask the questions. Ask your parents or ask your children, ask your friends. What would you do, I mean just even having the conversation's going to raise awareness. And some of these almost seem far-fetched, but these are real, true stories, and so if you have, you know, these things that are happening around you, utilize those moments to really help strengthen your security defense online and really, you know, talk about with the, you know those who you love and trust.

[00:40:33] Bob: Never one to avoid a forced metaphor: I'm sitting here wondering if you're, you know, if you're doing the travel fu thing and you're really good at accumulating points, is that like the flea flicker of consumer behavior. I, you know, I don't know.

[00:40:45] Dan Lohrmann: I'm not sure about that, but you know, maybe double reverse, I mean...

[00:40:50] Bob: That's what it is. That's what it is.

[00:40:51] Dan Lohrmann: So there, there are definitely uh, there are definitely, you know techniques, things online about how best to utilize points and the points you do have, um, how best to make sure you're getting the, the, you know the most flights and the most benefit out of those, and how to get more points. I mean those are all fun things to, to do and also, they're, it takes some effort and but I, I certainly love your idea of different scenarios, scenario planning. Yeah, we do that in sports, and we do that at work, we think about that in, in government. I, I do a lot of work around tabletop exercises, what if this were to happen, how would you respond? Preparing in advance, who would you need to contact? Who would you talk to? You know if a ransomware, that's a whole other topic for another day, but if a ransomware hit, you know if, if, if uh something happened, you know who all needs to be involved. How do you communicate that? You walk through those scenarios. Certainly, I think families could do that and think through some of these different scenarios and how they would respond.

[00:41:53] Bob: So, like in sports, practice makes perfect. But Dan also has some more specific advice for Perfect Scam listeners.

[00:42:02] Dan Lohrmann: Yeah, I mean I think there's some simple steps you can take to really make a difference and protect yourselves. I you know I; I tell people you know multi-factor authentication, MFA, is certainly one of them. Whenever you can, make sure you utilize that. A lot of people just use a username and password. A lot of people reuse the passwords. Of course, we don't want to um, encourage that. We encourage unique passwords, change your passwords, use unique passwords. But and probably I think equally or even more important is use MFA. So whether you have Gmail or Yahoo or you know Facebook or LinkedIn, many of these social media sites allow you for free, can't beat the price, to use multi-factor, MFA, which is like a password and another step. So if you go to a different laptop, or you go to a different, you know computer or something, on vacation, different home, somebody you know and you're logging in, it, it'll send a text to your mobile phone, to your smart phone, and/or maybe, you know, you can have a, a text sent to your Gmail account or whatever it might be. Those simple steps are really, really helpful in securing your online life. And so taking basic steps, making sure you don't use default passwords, use multi-factor authentication, change defaults, and then make sure that you update and patch your computers that you have the latest security software running it. Those simple steps can help a lot. We call that cyber hygiene, but uh those simple steps will provide you a, a layer of security and protection, and then, as we said many times, Bob, throughout this whole conversation, if something seems wrong, if something seems out of the ordinary, stop, go back to those trusted sources.

[00:43:44] Bob: For The Perfect Scam, I'm Bob Sullivan.


[00:43:57] Bob: If you have been targeted by a scam or fraud, you are not alone. Call the AARP Fraud Watch Network Helpline at 877-908-3360. Their trained fraud specialists can provide you with free support and guidance on what to do next. Our email address at The Perfect Scam is:, and we want to hear from you. If you've been the victim of a scam or you know someone who has, and you'd like us to tell their story, write to us. That address again is: Thank you to our team of scambusters; Associate Producer, Annalea Embree; Researcher, Becky Dodson; Executive Producer, Julie Getz; and our Audio Engineer and Sound Designer, Julio Gonzalez. Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Bob Sullivan.




The Perfect Scam℠ is a project of the AARP Fraud Watch Network, which equips consumers like you with the knowledge to give you power over scams.


