Whirr
2007-11-14
I just didn't see it.

I adore magic tricks, and when I was eight I had a book of Scarf Illusions and Coin Palms from which I used to practice*. I also had any number of pre-packaged "Tricks to Astonish and Amuse your Friends", like the fake nickel that squirted water, or the specially prepared deck of playing cards. I also had a "thumb tip"--a flesh-colored plastic sleeve that fit over your thumb. It is designed for close-up magic: you pretend to shove a dollar bill into your left fist (while secretly pushing the money into your "thumb tip" instead). Then you open your fist and "Hey, Presto!", no more dollar, just a large plastic sleeve crammed onto the tip of your right thumb.

This particular prop was only vaguely flesh-colored, and it stuck out like a vaguely flesh-colored thumb--it looked abundantly obvious. The instructions acknowledged this, however, and explained that people wouldn't be looking for it if they were paying attention to something else. You didn't even have to be especially sneaky about wearing the thing--people simply wouldn't see it. Indeed, I watched a friend of mine wield one once. He folded a ten dollar bill in half, and when unfolded it was a one dollar bill! He let me examine his (professional quality) thumb tip afterward, and it was just as awkward and ugly as the one I had as a kid. I just didn't notice it during the trick. He told me that in the 19th century magicians would use a large silver thimble instead--about as far from flesh-colored as one can get, but if they didn't know to look for it, people just didn't see it.

I bring this up because I spent $526.52 online today. I did this by logging onto a Russian web site and giving all of my credit card details to a total stranger. In other words, I got phished.

I got an email from my bank, asking me to fill out a customer survey. I don't usually like to waste my time in that particular manner, but as it happens I have rather strong opinions about the people who work at my bank (I like them a lot) and about my bank's online interface (it is shockingly bad). So I clicked the link provided, which claimed to go to a reasonable-sounding URL, but actually went to some site in Russia, on which someone had hacked together a rough approximation of my bank's website and a small survey. I filled it out, giving high marks to the employees. I also wrote a strongly-worded paragraph in the "Other Comments" field expressing my dissatisfaction with the bank's website.

I didn't notice that at the top of the survey it said, "As a gesture of thanks for your time in filling out this survey, $100 will be deposited into your account". I'd like to think that if I'd noticed that up front, I would have thought, "What the hell?" and paid more attention. However, after I completed the survey, I got a new page that said "As a gesture of thanks for your time in filling out this survey, $100 will be deposited into your account, so please enter your credit card number and ATM code". Which I... did. I filled it out. I vaguely wondered whether I'd been picked at random, or if they were giving out hundreds to everyone, but really didn't give it much thought. It wasn't even greed at work, really, although I didn't mind getting an extra hundred bucks.

And then I closed the window, and completely forgot about the whole thing. I forgot about it so completely, in fact, that when I got a call an hour later asking whether I had authorized the withdrawal of $438.38 from my account, I assumed that my card had been stolen--the fact that I'd just supplied all of my banking details an hour earlier didn't even cross my mind (at this point they blocked my card).

Afterwards, I logged on to my bank's hideous online interface, and it had a huge "WARNING: If you get an email saying 'Fill out this survey and give us your account details' IT IS A TRAP and DO NOT DO IT!" That was when I finally realized what I'd done. I called the number they provided, and the extremely patient Kristen told me that there had been a second charge as well, but that they would credit the full amount back to my account. Because they are awesome.

So. I'm still a bit in shock at having almost lost half a grand (I just got paid on Friday, otherwise I wouldn't have had anything to lose). Part of me, however, is impressed as always with the magic trick. I logged on later, after I knew about the trick, and it could not be more obvious. The CSS was lousy, so various things were misaligned. The domain that I had actually visited (clearly visible in my browser) was "http://stopbestmement.com", which A) is not the URL of my bank, and B) is the URL of some company in Russia. None of the links at the "survey" site worked--they all led back to the same page. For that matter, in the text of the survey itself, some of the letters were in Russian! And why on earth would they need my ATM PIN? No one could possibly fall for something so dumb! It's the exact feeling of watching someone do a magic trick that you've already seen--"Well, look, the mirror is smudged, those cables he's hanging from are huge, and that thing on his thumb is enormous! How could anyone ever fall for that?!"
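Every tell listed in the paragraph above is mechanically checkable, which is the point: a reader's brain papers over them, a script does not. The following is an added example, not code from the original post, that scans an email or page for exactly those signals: a link whose displayed URL differs from where it actually goes, links that leave the bank's domain, every link pointing at the same place, Cyrillic letters mixed into the text, and a form asking for a PIN or card number. The bank domain `mybank.example`, the phishing host `fake-survey.example` and the three HTML samples are all constructed for the example.

```python
"""Flag the phishing tells a reader tends not to notice (added example, not from the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Cyrillic block; an English-language bank page should contain none of these.
CYRILLIC = re.compile(r"[\u0400-\u04FF]")
# Things a satisfaction survey has no business asking for.
SECRET_FIELDS = re.compile(r"pin|atm|card[ _-]?number|cvv|password", re.I)
# Anchor text that is itself a URL or hostname (no spaces, contains a dot).
LOOKS_LIKE_URL = re.compile(r"^\S+\.\S+$")


class _Scan(HTMLParser):
    """Collect anchors (visible text + href), input field names and all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []        # (display_text, href)
        self.fields = []       # "name placeholder" of each <input>
        self.text = []         # visible text fragments
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href", "") or ""
            self._anchor_text = []
        elif tag == "input":
            self.fields.append((a.get("name") or "") + " " + (a.get("placeholder") or ""))

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor_text).strip(), self._href))
            self._href = None


def _host(url):
    """Hostname of a URL; bare hostnames like 'www.bank.example/x' are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _same_site(host, bank):
    return host == bank or host.endswith("." + bank)


def phishing_indicators(html, bank_domain):
    """Return a list of human-readable tells found in html for a message claiming to be from bank_domain."""
    scan = _Scan()
    scan.feed(html)
    bank = bank_domain.lower()
    found = []

    for text, href in scan.links:
        target = _host(href)
        if target and not _same_site(target, bank):
            found.append(f"link goes off-domain: {href}")
        # Displayed URL says one host, the href goes to another.
        if target and LOOKS_LIKE_URL.match(text) and _host(text) != target:
            found.append(f"link text shows {_host(text)} but points at {target}")

    if len(scan.links) > 1 and len({h for _, h in scan.links}) == 1:
        found.append("every link leads to the same place")

    if CYRILLIC.search("".join(scan.text)):
        found.append("Cyrillic characters mixed into the page text")

    for field in scan.fields:
        if SECRET_FIELDS.search(field):
            found.append(f"form asks for a secret: {field.strip()}")

    return found


# Constructed samples (hypothetical domains, not the post's).
SAMPLE_EMAIL = """<p>Dear customer, please complete our short survey:</p>
<a href="http://fake-survey.example/bank/">https://www.mybank.example/survey</a>"""

SAMPLE_SURVEY = """<p>Thank you. $100 will be deposited into your account.</p>
<p>Please rate our st\u0430ff.</p>
<a href="#">Home</a> <a href="#">Accounts</a> <a href="#">Help</a>
<form><input name="card_number"><input name="atm_pin"></form>"""   # 'st\u0430ff' uses a Cyrillic a

LEGIT_EMAIL = """<p>Please complete our survey:</p>
<a href="https://www.mybank.example/survey">https://www.mybank.example/survey</a>"""

if __name__ == "__main__":
    for name, doc in [("email", SAMPLE_EMAIL), ("survey", SAMPLE_SURVEY), ("legit", LEGIT_EMAIL)]:
        print(name, phishing_indicators(doc, "mybank.example"))
```

The email sample trips two checks (off-domain link, displayed URL differs from the real target), the survey page trips three more (dead links all pointing at the same place, Cyrillic in the text, a form asking for a card number and PIN), and the legitimate email trips none. A mail client or browser extension could run the same checks on every message that mentions a bank and simply refuse to render the link as a link.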

What makes it worse is that I'm hardly a clueless AOL newbie from 1996. Not only do I know all about phishing, but I have a habit of regularly examining phishing sites! I frequently get email from "Bank of America" or "Capital One" asking for my account information, and when I do I always follow the links. I do this to laugh at the clumsy attempt the con men have made to sucker some poor fool into typing in his credit card number. And yet, when I got an email just like that with my own bank's logo, what do I do? And I should make it clear that this attempt was in no way slicker or more clever than the others I've seen. It had decent grammar and spelling (except for the Russian characters!!) but that was about it.

Now, this is no excuse for me, but I do find it (slightly) illustrative of the lack of skill we as a culture have at doing business on the internet. For example, if this had been a real-life scam, it would have been held in a run-down house that was nowhere near my bank's normal address, with a hand-made sign nailed up over the door, slightly crooked. A guy with a fishy accent would be pressing me for account details, and I would have fled (or perhaps just laughed).

Crooked hand-made signs might have been acceptable for businesses in the 1700s, but they seem shockingly unprofessional now. No one would take such a bank seriously. It would be immediately obvious that one wasn't dealing with a bank but, rather, a con. This is not yet true on the internet, though. Poorly designed, inaccessible CSS / HTML is par for the course. Links that lead nowhere aren't terribly uncommon, even on professional sites, and every so often there are weird bugs that produce strange (possibly even Russian) characters in the middle of the page. Not that this is much of an excuse, mind you, just an observation that my bank's online interface is not very good.

Then, too, it's a fine example of the brain's excellence at making sense from nonsense. In re-reading this entry, I've noticed any number of egregious typos: "of" where I meant "in", "their" where I meant "they're" and the occasional word that's missing entirely. Sometimes I only caught these on the second reading, though, because my brain is so good at processing and fixing these kinds of errors. This was also (apparently) true about the errors in HTML that made the fake bank page look so badly designed. I saw them the first time around, but since I wasn't looking for them I didn't notice them. At all. Even the bits in Russian.

Finally, it is a classic con. It's not very clever or very well done, but it has a long history and part of me is a little bit glad that it's still around. It's an honest sort of intellect vs. intellect crime and, if you're smart enough, the criminals have no hold over you. In fact, there's even a risk that the crook will get conned, if her victim is crafty enough! This might have happened in a crowded street in 1630, or a bustling market in 1490. In a way, that's pretty cool. I say this, mind you, with the understanding that I'll be getting my money back--otherwise I'd likely have an entirely different take on the whole thing!
* Come to think of it, that may be where I learned that men should always be dressed in a nice jacket, with silk handkerchief and pocket watch.