
He Held Her Hostage with His Words

Bonus Scam of the Month 

On Father’s Day, 2021, Jaime Bardacke, a licensed clinical social worker in San Francisco, received a phone call from a man who identified himself as Lt. Timothy Reid of the San Mateo County Sheriff’s Office. Initially, Bardacke was not surprised by the call. She had dealt with legal issues involving her clients before.

The lieutenant claimed that Bardacke failed to testify in court after signing a subpoena. As a result, there was a warrant for Bardacke’s arrest for contempt of court. She was naturally alarmed, worried that this warrant could affect the status of her professional license.

Reid told her to come to the sheriff’s office in Redwood City to prove that her signature on the subpoena had been forged. First, though, she would need to post a $6,000 bail. He claimed that he would return the bail money to her after she proved the signature on the subpoena was fraudulent.

When she tried to put the brakes on the conversation and call a lawyer friend, Reid told her that she was not allowed to get off the phone because she was considered “a flight risk.” In fact, she was not to communicate with anyone about the matter because the judge issued a gag order about her case. He told her that if she talked to another police officer about the issue, she would be taken into custody for 72 hours before the warrant would be lifted. She was not to call the police or go to the police station until she posted bail.

Alarm bells were ringing in Bardacke’s head, but the lieutenant moved fast, turning up the heat, piling consequence on consequence. He claimed to be trying to help her.

The rhythm of fear and urgency that Reid drummed up in Bardacke compelled her to comply with a series of increasingly traumatic and invasive commands. He kept her on the phone for hours, running around town to purchase gift cards to cover her bail. Ultimately, she spent $6,000 on gift cards, read the numbers and PINs to Reid over the phone, and then disposed of the used cards by dropping them in a mailbox.

By 11:00 PM, Bardacke thought the nightmare was over, but Reid wasn’t finished yet. He informed her that she would be subject to a strip search and a cavity search when she arrived at the station. There were no female officers on duty, so he would perform the search himself. Hearing her panicked reaction, he again offered to help by permitting her to film herself and send a video to him at a .gov address. She tried to comply, but her shaking hands made it impossible to complete the recording.

Surrendering to this long day of indignities, she decided to let him perform the search. When she arrived at the address he had given her in Redwood City, she found no police station there. The windows were dark in this everyday office building. She tried to call him back, but he didn’t answer. That’s when she knew she’d been scammed.

Social Engineering and Impersonation

“Lieutenant Reid” used social engineering to manipulate Bardacke into compliance. Impersonating a police officer, he played to her fears, threatened serious consequences, kept her on the line, and claimed to offer help.

Bardacke is not alone. According to the Federal Trade Commission, imposter scams are surging. Between January and June 2021, the agency received more than half a million reports of imposter scams. Most of these scams started with a phone call. In the second quarter of this year, they have already received a quarter-million reports of imposter scams, more than twice the number reported at the same time in 2020. The top payment method for these scams is gift cards or reloading cards because they are easy to purchase and offer few consumer protections.

Bardacke and other licensed professionals in the San Francisco area were likely targeted because their personal data was publicly available on a registry of professional licenses. Scammers use the personal information they find online to build an illusion of authenticity in their attempts. Any personal information posted publicly online can be turned into fodder for a scam.

Protect Yourself

  • Avoid posting personal information in online public spaces.
  • Adjust your privacy controls and audience on sites like Facebook to limit who has access to your information. 
  • Avoid posting personal details about yourself, your family, and your activities. 
  • Don’t post your private phone number or email address in public spaces. 
  • Be wary of callers making urgent demands or offering opportunities that seem too good to be true. 
  • Never respond to an unexpected call, email, or text with sensitive information such as bank account numbers, your social security number, or your login credentials.
  • Don’t be afraid to hang up on a suspicious caller. 
  • Always verify the authenticity of the caller and their claim by using known contact information. Hang up and double-check, even if the caller or sender claims you’ll face consequences if you do. Such claims are sure signals that you’re talking to a scammer. 
  • Report all suspicious calls, texts, and emails to the office of information security at infosec@wustl.edu. 

Read, Listen, Learn