Complexity  ·  4128 days ago  ·  link  ·    ·  parent  ·  post: Interesting credit card spearphishing scam

I can't help but admire the sophistication of the scam.

Can we derive some general rules from the encounter which might help protect us from similar scams? Possibly.

Many of these scams rely upon placing the victim in a state of compliance through pattern interruption. Very few people are familiar with the experience of having been defrauded. The shock of that happening, and thus not knowing what the correct procedure to follow is, allows a scammer to lead the victim through what feels like a reasonable set of actions. It's only afterwards, and in hindsight, that one becomes aware of the tells that, at the time, felt a little odd but were obfuscated by the overall unfamiliarity of the situation.

Take Ownership Of Time

Everyone seems to have their own rhythm by which they assess and react to the world. (The OODA loop is one paradigm.) These scams, from street scams to more sophisticated phishing scams, seem to exploit this and hurry the victim through the narrative to achieve the goal.

To counter this, if one feels 'hurried', one could choose to interrupt. If a set of instructions seems to be coming too quickly, why not break the rhythm? Tell them you're overwhelmed and ask them to call back. Allow yourself to think about the situation logically. Five minutes won't make much difference.

Take Ownership Of The Narrative

In the scam that Andy Welch describes, despite the various 'convincers' that the scammer provided - i.e. they know his various details - the scammer requires him to type his PIN into the phone to 'perform a PIN block'. Welch even says that he'd never heard of that. In all communications from the bank about cards, we are told never to give away a PIN even to bank employees.

Being placed into a state of compliance creates a power relationship between the victim and the scammer. The victim is being led by the supposedly more knowledgeable and experienced bank employee. In this narrative, the defrauded card owner is awaiting instructions from the bank employee; it's a presupposed relationship. What if one were to invert that relationship? Your goals are, supposedly, both the same: to deactivate the card.

If you take charge of the process yourself, what does that do to the narrative the scammer is trying to weave? What if you ask them to confirm your details during the 'security questions' phase of the call? What if you give them instructions about what you would like them to do with your account? What if you instruct them to cancel the card? Or tell them you have disabled it yourself by snapping it in half?

Take Ownership Of Decisions

In a state of compliance, following instructions - even ones that seem reasonable - places one in a rhythm whereby further instructions are more likely to be followed even if they are perhaps less reasonable. Eliciting a few agreements with simple questions sets us up to agree to something like typing in a PIN on a phone keypad.

To slow things down, one could break at every decision point. Ask for explanations about why such an action is required. Perhaps one could achieve the same results in a different way?

Trust Your Instincts

Somewhat related to taking ownership of time, there were several instances where Mr Welch felt something was wrong: a call on a landline he had only given out to a few people, having never heard of Visa Card Services, the small spend at The Apple Store, having never heard of a telephone keypad PIN block. At each of these points, the scammer is relying on your state of shocked compliance and the narrative construct to smooth over your instincts and move you on to the next action they require.

Questions are fine. The more you ask, the less opportunity there is for the journey of the scam to be a smooth one. The worst a cranky, non-compliant, self-motivated and curious defrauded customer will achieve on a genuine call from the bank's fraud department is the polite respect of the fraud officer in question. In contrast, that attitude would more likely rattle a scammer and their easiest option is to drop the scam. There are plenty more fish in the sea.

Do these seem useful generalisations? Are there others?

user-inactivated  ·  4128 days ago  ·  link  ·  

The scammer can easily respond to any questions from the victim with "Sir, if you don't cooperate, we can't help you." They may even be able to convince the victim that not cooperating will result in liability for the fraudulent charges.

Any defense against a scam really depends on the victim being knowledgeable enough to know exactly when the scammer is lying, which pretty much entails being more knowledgeable about today's financial systems than the scammer is, which is unlikely due to the sheer complexity involved. The scammer has all day to study these things, it's essentially their job, and they may have even been previously employed as the real officials they're impersonating. It's unreasonable to expect the average person to have this level of expertise.

Really the only defense against such scams is to avoid these systems entirely (they're insecure by nature), which again for most people is more trouble than it's worth.