The viral shoebox scam story: What security managers can learn

The shoebox scam story has taken over the internet as of last week. The Cut Financial columnist and New York Times business columnist, Charlotte Cowles bravely shared the riveting details of her scam story that ended with her handing over a shoebox with $50,000 cash to a stranger. This headline, along with the impressive storytelling, has caught national attention with Cowles making appearances on CBC News and CNN.

Photo by UnSplash+ and Getty Images

When she checked her account, no orders were found. The agent claimed it was on “business accounts” using her name. 

The call escalated, with her eventually being passed on to someone posing to be from the Federal Trade Commissioner Service and then someone claiming to be from the CIA. Both fake government workers told her that she was wanted in multiple states for drug-related and money-laundering crimes and that there were 22 bank accounts, nine vehicles, and four properties registered to her name. 

The victim attempted to verify this information and the fraudsters replied with pictures of government badges, government ID numbers, and the last four digits of her Social Security Number. The “CIA Agent” eventually told her they would need to shut down her current SSN and bank accounts so they could track down the identity thief. In the meantime, she would need to take out $50,000 for living expenses and hand them over to a federal agent to keep safe. 

Pushed in an urgent and secretive manner by the fake CIA Agent, Cowles ended up running to her bank, taking out the cash, and meeting up with a stranger in an SUV outside her house to hand over the cash. When she attempted to get in touch with the agent after the handover, she realized what had happened. 

What we can learn

Trace it back to the fundamentals

To truly understand and combat scams like these, it’s essential to trace the problem back to its roots. This scam is intense, so it’s easy to get distracted by the story rather than the actual cause. 

The heart of this attack doesn’t lie in “phone scams” or answering an unknown call, which, yes, were the catalyst for this situation. When you look at the story, it all comes back to social engineering and human manipulation. That is what convinced Cowles that she was in so much danger that she needed to take steps immediately to fix the situation. 

Training your employees on phone scams and unknown caller IDs is important, but scammers will find another way to reach them once these are blocked. Instead, target the root of all scams by putting a major focus on social engineering in your security awareness training content. Employees must know the emotions, tactics, and tricks cyber criminals rely on to play out these large-sum scams. 

Start at the beginning with personal data

One of the keys to social engineering is to use personal information to trick victims. If a CIA agent has your SSN number, it must be a CIA agent, right? Additionally, parents and grandparents tend to go into panic mode if their family members are mentioned. Scammers know this trigger and will purposely find information like children’s age, school, and name to freak out their victims and push them to take reckless action. 

Although some information, like SIN numbers, are sold on the dark web, you can still work with your employees to protect this information as much as possible. Teach them about the impacts of oversharing on the internet, giving information out over the phone, and speaking without thinking in public. By targeting the first step of social engineering attacks, you can provide a thin barrier of protection to your employees. 

Teach typical manipulation techniques

Understanding the manipulation techniques employed by scammers is vital in recognizing and resisting their efforts. Three of the most common techniques were used in this viral story: isolation, fear, and urgency. 

The attackers isolated Cowles by telling her that “no one could know about this” or else she would put them in immediate danger. When she said she wanted to tell her husband or call a lawyer, they said that would implicate her as guilty. This isolation technique sucks the victim into the scam and makes them feel helpless. Attackers know this will lead to faster payments and no interventions from someone who had time to think twice about what was happening. 

Next is fear-mongering. Attackers use fear to make victims feel coerced to pay any amount of money possible to get the situation to go away. In this story, the “federal agents” made sure to let Cowles know that this situation was extremely dangerous, even asking her if she wanted to end the phone call and “put yourself and your family in danger”. Fear puts humans into a panic mode, where we are more likely to make rash decisions and do anything to make the panic go away. 

Lastly, is urgency. This scammer put a timeline of hours on Cowles for handing over $50,000. When she asked why she couldn’t come to his office in person, he stated it was too far and said, “We don’t have enough time. We need to act immediately.” Giving urgency takes away time to think, which encourages victims to make decisions they never would if they took a second to breathe.

As security managers, your training programs should equip individuals with the knowledge to identify these three strategies. By being able to identify these in the moment, they’ll be more likely to second guess the scam and take a second to rethink their actions. 

Give practice for social engineering

Allow your team members to practice reacting to the strategies of human manipulation. Describe situations, like this one we are talking about today, and ask what signs of manipulation they can spot:

• Where do you see manipulation strategies?
• Isolation?
• Fear?
• Urgency?
• How could you respond in this situation?
• Try using both situations that are scams and situations that aren’t. That way, employees are truly learning to spot scammers out of real-life situations. 
• Where and how could you take a pause?
• Encourage your team members to find ways to pause in these high-pressure situations. Could they say they need to use the washroom? Hang up and wait five minutes? Take three big deep breaths?
• How could you verify the caller? 
• The best way to verify the caller is to do your own research and call who they are claiming to be directly. Teach your employees that any phone number, even government phone numbers, can be spoofed. 
• What emergency contact could you reach out to in this situation?
• Lead an exercise where your employees name 1-3 people they can reach out to during isolating experiences, even where they are told not to tell anyone. 

Giving your employees a chance to practice these situations is the best way to prepare them for if they are ever faced with a situation like this in real life. Rather than handing them modules to complete, give them the tools and practice time they need. 

In conclusion, the recent scam story serves as a stark reminder that security awareness is not just about avoiding specific threats but understanding the underlying tactics used by scammers. By focusing on the fundamentals of social engineering and human manipulation, individuals can become better equipped to protect themselves and their personal information. Through comprehensive training, including tabletop exercises and practical tips, we can build a more resilient community that stands united against the ever-growing threat of online scams.