Danger: Don't Fall for the Phony 'AppleCare' Scam
It happened to this financial writer, who says it could happen to you
As a freelancer who often writes about personal finances and careers, I like to think I’m above average in my knowledge of things related to money. But I felt pretty foolish when, in a vulnerable moment, I recently gave scammers direct access to my bank account. I fell for the phony ‘AppleCare’ scam and I hope my story about the experience keeps you from doing the same.
I was fortunate to lose only $500, which is pretty common for this racket. The $500 came in the form of Google Play cards (Google Play is the app store for Android phones) I was asked to purchase by a caller who said he was a “tech support specialist” from AppleCare (technical support for Apple devices, though he wasn't really such a person).
Scams Involving Google Play Cards and Tech 'Support'
He brazenly told me he needed my help to catch hackers with IP addresses from China and Russia who had compromised my account. Actually, these phishing con artists immediately remove the cash value from the Google Play card, making the card worthless to you.
I’ve since learned that neither Apple (nor Microsoft) will ever call a customer. But many people don’t know that.
This “tech support” scheme was the second most common phone scam in the first half of 2019, following Social Security fraud. And according to the Federal Trade Commission (FTC), personal losses related to gift card purchases totaled $53 million through September 2018. That’s up from $20 million for the entire year of 2015. And it represents only those cases that have been reported.
Although my out-of-pocket loss came to just $500, the opportunity cost was at least 10 times that because of the hours I had to devote to cleaning up the mess I’d made, which I could’ve spent earning freelance money.
How I Became a Victim of This Scam
Here’s my scam story:
It was the day after returning from a two-week trip to Uganda. I’d traveled for 24 hours and was catching up on work after sleeping nine hours straight. I’d just wrapped up a conference call when the phone rang. It was an 800-number and I reflexively answered since the conference call also had an 800-prefix.
“This is AppleCare. Your account may have been compromised,” I remember hearing the caller say. “We’re seeing IP addresses from China and Russia accessing it.”
My mind flashed back to seeing a notification about my iCloud account that I’d chosen to ignore while on the road. I told the “AppleCare” man about it, and said I’d been traveling in Africa. I was asked if I’d used any unsafe networks while abroad. I knew I had at least once, despite a warning the hotel network might be unsecured.
I believed I’d enabled the hack through my carelessness. As I started to berate myself aloud, the caller told me not to be so hard on myself. He would stay with me and install provisions to prevent this from happening again, he said, comfortingly.
The first step was walking through my computer’s settings to turn off my history and cookies and turn on the firewall. Next, I was to hand over control of my laptop so the caller could check it out. I did.
'How Do I Know YOU Are Who You Say You Are?'
At one point, I asked, “Well how do I know YOU are who you say you are?” He invited me to double-check the number he was calling from against the AppleCare website. I couldn’t be bothered. I just wanted to get this mess fixed and finished. Chances are if I had checked, I’d actually have found the number (not realizing it was bogus). Phone scammers have become skilled at making legitimate numbers appear in your phone ID.
As the caller steered my computer, we started to talk. He confirmed he was calling from India. Offshore tech support is the norm these days, so I didn’t think anything of it.
We entered a site designed to look like it came from the U.S. government. I remember being surprised that Apple was working so intimately with the government, but the site looked legit. So, I kept going.
“Only 10 more minutes,” I was promised.
Our next destination was something called the “Coinbase” site, which I was told would register me in the government system and install a protective shield against future invasions. (Coinbase is actually a digital currency exchange for cryptocurrencies like bitcoin.) I just had to scan in my driver’s license as well as my Social Security number, although that number was masked.
Us vs. Them
The scammer had artfully turned this into an “us vs. them” affair and I was in it for the long haul.
I observed his cursor moving around inside my bank account (which I had logged into for him) and when I questioned why multiple payments of $1,000 each were going to a “Ronnald,” I was shown other screens to demonstrate the money was still in my account and that the actual “transaction” was $0.
Again, he said, this was part of trapping the hackers.
The scammer showed me he’d put $300 into my account and said I’d need to purchase Google Play cards — ideally three in $100 denominations. He called up the item on Amazon to show me what they looked like.
It was hot. I was tired. I would do anything to make it all end. And so…
I drove to the nearest store I thought would carry $100 Google Play cards — a Rite Aid — and followed my caller’s instructions to keep my phone in the car so no one could detect us talking. The Google Cards were there, and I paid using the debit card for the account where I’d witnessed the caller adding $300. Back in the car, I read him the 16 digits over the phone and the PIN.
The Digit Problem
I couldn’t tell if one of the digits was the letter O or a zero and said since he was the expert, he could figure that out. While driving home, the scammer told me he’d guessed wrong and the cards wouldn’t work. I’d have to find another store with $100 Google Play cards, he said, adding that $50 cards would also work.
But this time, he told me, we’d need $500 in Google Play cards. He told me he’d put the $500 into my account to pay for them.
At the next store, a CVS, fortune stepped in. Although I went to the register with $500 worth of Google Play cards, only $200 could be validated because of a problem on the store’s side.
Now going on hour three with my friend from “AppleCare,” I drove home. Once there, I again read the caller the numbers for the Google Play cards. I was instructed to log into my bank account again and then received a message that it had been frozen because of suspicious activity.
The Bank Staffer's Question
The “AppleCare technician” advised me to call the bank and assure them I had made the transactions. I did, and someone at the bank asked me three questions including: Are you willing to confirm this transaction if you will never get the money back? I paused for a long time, and finally said, “Yes.”
Next, I followed my caller’s instructions to buy two Target gift cards totaling $1,000, and I went to the nearest store to do so. But when I went to the register, neither my debit card nor credit card would work.
When I returned to the car, the voice on the phone sounded different. Suddenly, I was told to get gift cards totaling $500, and not to go to the same register as before. I went back, my cards still wouldn’t work, and I got back in the car.
“I can’t do this anymore,” I told the caller. He said to call the number on the back of my card and to keep him on the line so he could hear what I said.
'Hang Up. Now.'
This time, I was speaking with the credit card department. The bank official asked if someone was with me. I explained he was on my other phone and the banker said, “Hang up. Now.”
I did, and “AppleCare” called me back. Twice. And then texted me.
I took my devices to the Apple store to be checked for malware and contamination. The tech there cleaned my computer and we changed all my critical usernames and passwords.
The next morning, I went to my bank to start changing my account numbers. We reversed a $400 bitcoin purchase that had been made through the Coinbase account. The bank also agreed to reverse two charges that had been made for Amazon purchases — one for $30 and then a second for $45.
I’ve since learned that retailers are training their employees to be alert to customers like me. And my banker said she deals with cases like mine several times a month.
These days, I’m monitoring my accounts regularly, setting fraud alerts and becoming more vigilant.
“Don’t beat yourself up,” the real Apple service person told me. “My father works in IT and he’s been taken twice.”
How to Avoid Becoming a Victim of These Scams
A few tips based on my experience:
- If someone you don’t know asks you to make a payment by a gift card, it’s a scam.
- Never give control of your computer to someone who calls you unsolicited or who has sent you an email.
- Don’t enter personal information into a site that’s handed back and forth with a stranger.
- And finally, if you are victimized unwittingly in such a scheme, contact your bank and the gift card issuer immediately. Also report it to the FTC.