
How I Fought Back Against the Hackers—and Won

Your Money: Fraud Watch

WHEN HACKERS ATTACKED ME

How I survived an onslaught on my accounts by cyberthieves


One day in late September, I woke up to an alarming text from my investment adviser, saying he had replied to the email I’d sent him. Problem was, I hadn’t sent him an email. Muttering expletives, I hurriedly checked online and saw that someone had logged in to my investment account and transferred out $4,000. I’d been hacked and robbed.

Up to then, I had felt safe from the scourges of phishing attacks and fraud, as I considered myself a savvy internet traveler. But it quickly became clear that cyberthieves were far more savvy than me. Within days, I was facing a full-on assault from online thieves.

Even before the $4,000 was stolen, I’d noticed unusual activity in my accounts. I had received fraud alerts on two credit cards within minutes, both of which I canceled.

Now, knowing the attack was real, I checked my online account at a large retail chain. Two smartphones were in the shopping cart, to be shipped to a sketchy mail drop point in Reisterstown, Maryland, a locale I’d never visited. My digital wallet had a Bancorp Bank credit card, which I hadn’t ordered. Did hackers have all my passwords?

Next, I discovered that my Amazon account had been locked due to suspicious activity. I hadn’t received any notifications from Amazon, so I called customer service. A smart representative advised me to check my email account and look at any filters that had been set up. As he suspected, hackers had blocked all emails from Amazon or my bank. This meant the hackers had not only my Amazon password but my email password too.

I suspected my computer might have malware, but two programs showed it was clean. My computer consultant mentioned that he’d once been hacked through his router, which he told me was the most vulnerable part of a home network, so I changed the router password and the Wi-Fi password too.

Next step was the time-consuming project of changing dozens of website passwords, one by one. When I opened my password manager and looked at the account data, I saw it had been accessed by two browsers that weren’t mine. Both were computers in Reisterstown.

It was a gut-wrenching feeling to realize that even as I was changing passwords, hackers could see what I was doing. I logged out the two alien browsers and changed the password so they couldn’t log back in.

Getting Amazon to unlock my account was an ordeal. Customer service referred me to two different departments, neither of which can be reached by phone, and my emails drew automated replies. A public relations manager at Amazon offered to fast-track my problem, and even then, getting my account back to normal took weeks. The Amazon PR manager declined an interview but said via email, “Amazon has systems in place to proactively protect customers and detect suspicious transactions. In the rare case where a customer had a bad experience, we go above and beyond to make things right.”

That may be true, but my experience suggests cyberthieves love the site. My hackers even sent me a legit-looking email from Amazon customer service, offering to help restore my account. It linked to a page that asked for my Social Security number. That’s when I realized the hackers were cleverly posing as Amazon to gain even more information.

It took dozens of hours and untold amounts of stress, but I was finally able to resolve all the hacking issues. Happily, my bank restored the $4,000. The main holdover from the hacking is a constant flood of phishing attempts: Within days, I was told I won 10 iPhones and a dozen Costco gift cards. Lucky me!

The hacking attempts have stopped for now. I still check my phone every morning for fraud alerts. I’ve tightened up my online hygiene. I can’t reverse the damage from the recent attack, but I hope to be better prepared the next time it happens. And it will.

Rob Tannenbaum is a journalist who has written for The New York Times, The Wall Street Journal, The Washington Post, Blender, GQ and many other publications.

Use What I Learned to Fight Back

Turn on automatic software and app updates on your computers and phones, so you always have the most current fraud-blocking tools.

Use two-factor authentication (2FA) for logins whenever you can. It requires you to enter a newly generated code sent to your phone before you can gain access to an account.

Of course, you should have unique, elaborate passwords, but you should also use a password manager, such as 1Password, Bitwarden, LastPass or Dashlane, to keep them protected and to sync the information on all your devices.

Freeze your credit at Equifax, Experian and TransUnion to prevent someone from opening a credit card in your name.

If you have an iPhone, turn on the “Find My iPhone” option, which enables Activation Lock and helps secure your Apple identity.

Create a dedicated email address you use only for financial services and not for work or personal email.

Have questions related to scams? Call the AARP Fraud Watch Network helpline toll-free at 877-908-3360. For the latest fraud news and advice, go to aarp.org/fraudwatch.
