Ethical hacker scams 60 Minutes staffer to show how easy digital theft is
When a 60 Minutes staffer got a call that appeared to be from correspondent Sharyn Alfonsi, she picked up.
A voice on the other end, generated by artificial intelligence to mimic Alfonsi's voice, asked for some help. Clips from television had been used to clone Alfonsi's voice. It took about five minutes.
"Elizabeth, sorry, I need my passport number because the Ukraine trip is on," the fake Alfonsi said. "Can you read that out to me?"
The woman behind the call was not Alfonsi, but Rachel Tobac, an ethical hacker and CEO of data protection firm Social Proof Security. Tobac, who advises companies and private citizens on their vulnerabilities, was hired by 60 Minutes to show how easy it is to use information found online to scam someone.
Alfonsi is a public figure whose voice is out there in many recordings, but Tobac said anybody can be spoofed.
"Oftentimes attackers will go after people, they don't even know who these people are, but they just know this person has a relationship to this other person," she said. "And they can impersonate that person enough just by changing the pitch and the modulation of their voice that [someone will say], 'I believe that's my nephew and I need to really wire that money.'"
Tobac found Elizabeth's cellphone number on a business networking website, then used a spoofing tool to call her as Alfonsi. An AI-powered app mimicked Alfonsi's voice to dupe the 60 Minutes employee.
During an interview about digital theft, Tobac played back the recording for the 60 Minutes staffer and Alfonsi to share what she'd done.
"Oh, so I was hacked and I failed, failed the hacking," Elizabeth said.
Elizabeth is a tech-savvy millennial, but Tobac said anybody can be hacked.
"Anybody can fall for what Elizabeth fell for," Tobac said. "In fact, when I do that type of attack, every single time, the person falls for it."
Statistically, you are now more likely to be the victim of theft online than a physical break-in at home. A new FBI report reveals that Americans lost more than $10 billion last year to online scams and digital fraud. People in their 30s, who are among the most connected online, filed the most complaints.
Seniors, however, have lost the most money to scammers. Cyber con artists are using artificial intelligence, widely-available apps and social engineering to target parents and grandparents.
Susan Monahan, an 81-year-old tax preparer with an MBA, fell for a grandparent scam and was duped out of $9,000
"There was a young adult on the line saying, 'Grandma, I, I need your help,' in a frantic voice, scared, saying 'I was driving and suddenly there was a woman stopped in front of me. She's pregnant, and I hit her. And they're gonna take me to jail.' … And, 'Grandma, please don't call my mom and dad, because I don't want them to know,'" Monahan recalled.
A man pretending to be an attorney then got on the phone and walked Monahan through what she needed to do to keep her grandson out of jail. She rushed to a bank and withdrew cash. Minutes after Monahan got home with the money, a courier showed up to take it. A doorbell camera recorded Monahan on the phone with the scammer as she handed off the money.
"He says to move your butt 'cause they're on a deadline," she can be heard saying in the doorbell camera recording.
As soon as the courier left and the adrenaline left her body, Monahan was filled with the sick feeling that she'd been scammed.
Monahan is not alone. The Federal Trade Commission reports scams skyrocketed 70% during the pandemic when seniors, home alone, went online to shop or keep in touch with family.
While investigating, 60 Minutes spoke with Judy Attig and her husband Ron, a retired ironworker. Both were victims of the same grandparent scam as Monahan. They lost $7,600.
"Most hacks start with some sort of social engineering or human-based hacking because that's the easiest thing to do," Tobac said.
Hackers no longer need to infiltrate computers through a back door, Tobac said. Around 95% of hacks today happen after a user clicks on a text or a link or shares personal information over the phone.
Retired scientist Steve Savage lost $14,000 after he opened a fake email purportedly from the Geek Squad. The charge listed in the email was higher than Savage expected, so he called the listed customer service number in the email. A scammer picked up and posed as a Geek Squad representative.
Ester Maestre, a retired nurse, was scammed, too.
"My iPad gave me a big, big sound, like a house alarm," she said. "It says, 'security, security, call this number.' My heart started pumping."
Maestre called the number, thinking she'd reached tech support. She was told her account had been hacked and they were going to transfer her to Chase bank. The fake bank employee told her she needed to immediately take out $11,000 to prevent it from being stolen. Maestre was instructed to deposit the money into a new account at a bitcoin machine, which she did.
None of the money has been recovered.
"I'm the one that pulled the money out of the bank, so I won't be reimbursed," Maestre said. "Nothing. Zero."
For every Maestre, Savage, Attig and Monahan who share what happened, there are many more who don't. Scott Pirrello, a deputy district attorney in San Diego who investigates elder fraud, said studies show that only one in every 20 seniors report a scam after being duped.
"The scariest part of these scams is that these victims have no recourse," Pirello said. "They're left bewildered."
FBI statement:
The FBI is proud of the work accomplished through the Elder Justice Task Force and the brave victims willing to speak out. Help us protect our seniors by reporting elder fraud incidents to ic3.gov.
This story was reported by: Sharyn Alfonsi, Oriana Zill and Emily Gordon