The email that went out at 8:06 a.m., Feb. 12 let Margaret Hansen’s friends, business contacts, cousins know she had been mugged in London, had no money and the police wouldn’t help her.
Even the American embassy had turned its back on her, for Pete’s sake.
Could those friends, contacts, etc., send her $1,950 so she could get home?
By 8:20 a.m. when Hansen got in to work at Love Travel in downtown Auburn, responses were pouring in from throughout the United States and across the world: “Need help?,” “Where should I send money?” and “Are you OK?”
Such an outpouring of affection and love touched Hansen deeply.
“I have to say that in the end I felt like George Bailey out of ‘It’s A Wonderful Life’,” Hansen said, “because all of these people were going ‘can we help you?’ and ‘what can we do for you?’”
Only problem — the woeful tale wasn’t true. Not a comma of it. No impromptu pop across the pond to London, no mugging, no cash crisis, no callous cops, no awful ambassadors.
Hansen had fallen victim to a clever phishing scam.
“It was something that the bad guys had made that looked very, very authentic,” Hansen said.
Here’s how it all went down.
On the night of Feb. 12, unable to sleep, Hansen got out of bed to attend to emails on her AOL account. One email directed her to “update your contacts.”
She clicked.
“A funny thing came up, and I thought ‘that’s not going anywhere,’” Hansen recalls. “Evidently, I had put in my password, so it went to somebody, well, who knows where. When I came to work in the morning, at about 8:20 my phone was lit up.”
The first caller was Sarah Miller, the City of Auburn’s emergency preparedness manager just down Main Street. A pithy, telling message: “You’ve been hacked! Change your password immediately!”
Hansen did, right away, but it was too late. The email had winged its way to everybody on the compromised Love Travel account.
“I heard from people I hadn’t heard from in 10 years, all over the place,” Hansen said. “Some people were laughing, some people were worried. Somebody actually called the office, called my mother at home and called the office back to see what was going on.”
Old neighbors, old business colleagues who had left the area, clients in Boston, Phoenix, Chicago called in.
“I had a former employee who told me, ‘I know you like to swim, if you start now, you’ll be home by summer,’” Hansen said. “A couple of them wanted to know if I’d got the money they’d sent that had Mickey Mouse or Art Linkletter on it. Another knew this wasn’t real, she said, because it would not have been enough money for me. ‘You’re not that cheap,’ she said.”
“I really spent the whole day Monday working on that, just saying that I was fine, but that I had made this grievous error. And on Tuesday my cousin from Norway called. She wanted to know if things were OK. I told her that if I’d been in London, I would have called her and said, ‘come on down.’
“There were some people ready to send the money, who asked, ‘where do I send it?’ I said ‘you don’t send it.’ One person wanted to see what the phishers would do if she clicked, and they gave her this address in London or some direction on how to do this there.”
Fortunately, Hansen’s friends were savvy — the bad guys got nothing, not even a brass farthing.
“They got no money. We’re on AOL. It is not embedded in our hard drive. We have to access AOL from the Internet, so all they could do is get in my email account. We don’t store any credit card information or any financial information on it,” Hansen said.
Is there a cautionary tale here?
“I don’t know,” Hansen said. “The email that I clicked looked very authentic. It looked like AOL saying, ‘update your contacts.’ But it wasn’t from them.”
Auburn Assistant Chief Bob Karnofski offered a bit of wisdom.
“What we would advise people is if there is a link that says you need to do something, back out of that link and go directly to the home page itself,” he said.