I Almost Fell for This Online Scam. Why Even Tech Pros Can Be Taken

Our award-winning tech reporter knows a heckuva lot about AI, deepfakes, and the wave of new online fraudsters – and yet there he was, almost fooled into handing over his money. Think this can’t happen to you? A rising number of C-suite execs and IT experts are learning the hard way.

Perspective

It started with a phone call, as many online scams do.

The voice on the other end said he was a sergeant with the sheriff’s office where I used to live. I’d been summoned to testify before a grand jury but had failed to appear, he said. Now a warrant was about to be issued for my arrest.

This, I explained, was clearly a mistake. I’d received no summons. In fact, I hadn’t lived at that address for more than five years.

Sergeant Brian said not to worry, that this was a “courtesy call” before the warrant was issued. If I wanted to avoid having to explain my lack of appearance in front of the judge, I could post a “surety bond” for $1,500 cash and clear up the matter later at my local precinct. He then passed me on to Shift Supervisor Dave for instructions on how and where to pay.

The further I got into the conversation, the more my suspicions grew. So I started Googling. The penal code violations they cited were more or less accurate. The names they gave for the sergeant and supervisor were those of real cops in that district. Same for the judge whose order I’d supposedly violated. When I asked to see a copy of the summons I’d allegedly signed, Dave emailed me a PDF of an actual grand jury summons (though it turned out to be for a district in another state). It almost checked out.

The more I pushed back, the more insistent they became. After more than 40 minutes, I’d heard enough, disconnected, and immediately rang the real sheriff’s department. The woman who answered confirmed I was being scammed. I was welcome to file a police report, but, she added, it would be pointless. She urged me to contact the FBI. (See links, below.)

Thing is, I’ve been writing about online scams for the better part of three decades. I thought I had seen and heard them all. The fact that I believed this one for 15 minutes is pretty sobering.

Ultimately, nearly all scams target individuals, both sole proprietors like me and employees of multibillion-dollar companies. Once these attackers gain your trust, they will take you – or your employer – for as much as they can get, draining bank accounts; swiping personal, customer, and employee data; and damaging brand reputation and value.

Just because you work in security and think you know all the tricks doesn’t mean you’re immune. The dirty little secret about online scams is that people who put themselves and their companies at the greatest risk are those who believe they’re too smart to be fooled.

Shoulda known better

There are plenty of people who should have known better but didn’t. Last February, author Cory Doctorow – who counts a financial thriller about cybersecurity among his many novels – wrote about being scammed out of $8,000 by con artists claiming to be from the fraud detection department of his bank.

Around the same time, Charlotte Cowles, financial advice columnist for The Cut, confessed that she lost $50,000 to scammers posing as employees of Amazon customer service, the FTC, and the CIA.

But they’re small potatoes compared to Shan Hanes, onetime CEO of Heartland Tri-State Bank in Elkhart, Kansas, who lost $47 million of the bank’s holdings to a fraudulent crypto investment scheme. In this case, both the former CEO and the bank’s shareholders were victims. The bank collapsed; Hanes was sentenced to 24 years in federal prison for embezzlement.

Crypto may have been part of the M.O. for my scammers as well. If I’d stayed on the line, “Dave” probably would have sent me to a crypto ATM, then asked me to deposit the money and transfer it to a pseudonymous bitcoin account, says Mason Wilder, research director for the Association of Certified Fraud Examiners.

And if I’d been stupid enough to do that, the scammers would likely come after me again using a different scheme, upping the amount each time until there was nothing left to take, says Wilder. He adds that frauds targeting individuals are at an all-time high, especially “pig butchering scams” involving fake crypto investments, which can cost victims millions of dollars.

The Economist’s Sue-Lin Wong describes how these scams operate:

First the scammers build a sty, with fake social-media profiles. Then they pick the pig, by identifying a target; raise the pig, by spending weeks or months building trust; cut the pig, by tempting them to invest; and butcher the pig by squeezing “every last drop of juice” from them, their family and friends.

And, finally, leave their victims squealing.

Online scammers’ expanding toolbox

Thanks to internet “resources” like tool kits for wannabe scammers and even Fraud-as-a-Service (FaaS) for lazy cybercriminals, the defrauding rate is higher than ever. In 2024, U.S. consumers lost $12.5 billion to fraudsters – a 25 percent increase over the previous year – with nearly half of the losses going to investment scams. Given that many victims never report being scammed to the authorities, the actual losses are probably much higher.

“Technology has eliminated the barriers to entry for even sophisticated schemes,” says Wilder. “All you need is an internet connection to have a plethora of tools at your disposal.”

If the internet has made it exponentially easier to commit fraud, AI has made it that much harder to identify when you’re being scammed, by obliterating many of the usual red flags.

In the past, you might have received a call from someone trying to convince you that your computer is riddled with viruses, but their thick foreign accent and poor command of English might give them away. Today, AI can generate a script and a voice that sound like someone who lives in the town next to yours, says Wilder.

With the rapid advances in deepfake technology, scammers can look and sound like someone you actually know. Just ask that unfortunate employee of British engineering firm Arup, who transferred $25 million to scammers in January 2024 during a video call featuring deepfakes of four company executives.

“Three seconds of a person’s voice is enough to spoof someone’s voice,” says Katalin Parti, associate professor of sociology at Virginia Tech, whose research focuses on cybercrime and online manipulation. “Any video or audio that’s available online can be misused by scammers.”

Curiosity kills

For both individuals and organizations, being acutely aware of the heightened potential for fraud is the best way to avoid being conned. Enterprises are taking heed; according to Cybersecurity Ventures, publishers of the Cybercrime magazine and podcast, the global security awareness training market will grow from $5.6 billion in 2023 to more than $10 billion in 2027.

Take nothing at face value, especially on the internet, advises Parti, and try to quell the temptation to click on something you know you shouldn’t. (In one infamous scam, North Korean threat actors posed as blockchain engineers, enticing other engineers to download malware thinking it was bots or software that would help them profit from the differences between cryptocurrency rates on various platforms.) If you are the unfortunate victim of a scam, be willing to swallow your pride and share your story with others so they can be more vigilant.

“We need a well-informed community that listens to each other and shares news about scams happening nearby,” she adds. “Creating a network effect will encourage more people to speak up when they sense something is sketchy and allow them to get support from others.”

In work settings, where the potential financial and reputational losses are much higher, employees need to take extra care to avoid exposing their company to scam attacks. Workers should be wary of urgent requests made at the last minute – for example, at 4:30 on a Friday afternoon – or those requiring changes in normal payment procedures, says Wilder. Organizations may want to revisit their wire transfer protocols and institute separation of duties, to prevent any single individual from authorizing payments above a certain dollar amount.

In addition to awareness training and periodic testing, enterprises should encourage employees to report unusual contact requests, dodgy emails, or suspicious video calls they receive to their supervisors. They should also avoid punishing employees who’ve been victimized, lest that prevent others from coming forward in the future.

“But the best control is independent verification,” Wilder adds. “If you think you’re being scammed by a deepfake, hang up and call them back using contact information that you know to be correct.”

As AI is incorporated into more scammer tool kits, fraud schemes will become even more sophisticated and difficult to detect. Even tech-savvy people can be duped.

Remember: Just because you haven’t fallen yet for an online con doesn’t mean you never will. Trust me on that.


TO REPORT A CRIME OR LEARN MORE:

Check out these resources for more info on the most common forms of cyber crime and ways enterprises can fight back.

  • If you are the victim of a cyber crime or suspect you may have been targeted – File a complaint as soon as possible with the Internet Crime Complaint Center (IC3). Run by the FBI, the IC3 is the central hub for reporting any and all cyber-enabled crime.
  • To report an ongoing cyber crime or national security threat – File a report at tips.fbi.gov or contact your local FBI field office.
  • Learn more about ransomware – Despite the temporary lull in 2023, ransomware attacks on the public and private sector are surging again. Here’s your “Raas Class: A Defensive Guide to Ransomware-as-a-Service Attacks.”
  • Learn more about business email compromise (BEC), the more costly threat – Ransomware gets the headlines but BEC results in significantly higher financial losses for enterprises. Check out this BEC explainer for tips on how to spot it and defend against it.
  • Learn more about phishing – This is one of the most infamous and pervasive forms of social engineering attacks and now harder to spot thanks to AI. Here’s our explainer on phishing types, risks, and prevention.
  • To get ahead of the cyber threat – Consider becoming a “Private Sector Partner” with the FBI. You can learn how enterprises work with the FBI here.

Dan Tynan

Dan Tynan is an award-winning journalist whose work has appeared in Adweek, Fast Company, The Guardian, Wired, and too many other publications to mention.
