Unbeknownst to us (because we had no internet access), within a few hours hackers got into Seth's email accounts and his Gmail password let them to his passwords saved in Chrome. (Delete those Chrome passwords, friends!) According to savvy friends, there was probably a breach in the security of that guest house wifi somewhere along the information transfer chain, and the bad guys were able to access and copy the data on Seth's phone, including his passwords.
Four days later we returned to cell phone contact with the outside world. We had messages from a couple of friends who alerted us that they'd gotten bogus looking e-mails from Seth. One message asked a friend to wire us $40,000. I promise, if I need money from you, I'll do you the courtesy of calling. 😂
For a couple of hours, that's all it looked like. But then we began to realize the hackers had gotten in much deeper. In fact, they were surprisingly aggressive.
Eventually, we discovered all of these incursions:
- They got into my Yahoo and Gmail accounts also.
- They bought some gift cards from walmart.com using our online account and credit card. The gift cards were mailed to Arizona.
- They cashed in our Marriott points for gift cards which were also mailed to Arizona.
- They got into some stock holding accounts of ours and managed to sell some stock, but didn't manage to transfer the money out of our account. Thank heavens!
- In another stock holding account, they didn't initiate any transfers, but they did add their own bank account information so that they could transfer money out of the account to themselves. Mercifully, we stopped them before that happened.
- We didn't see any initial evidence that they'd gotten into our primary bank accounts, but we did eventually realize that they'd gotten into an old account at a bank that we thought we'd closed (there's been no money in it for years) and took control of that account. They must also have gotten into our active bank accounts because they learned our current bank account numbers. They then initiated micro transfers from our active account into the account we thought was closed--most likely as a precursor to trying to pull significant amounts of money out.
And while they did all of these things, they'd programmed our e-mail accounts to send all of the messages related to these transactions directly to the trash, so we couldn't easily see what was happening. (They didn't empty the trash however!) And they had about four days to work on all of this without any interruptions from us because we had no internet access.
Now, picture us trying to investigate this and manage all of this damage and change every password we've ever had from a little town in the Himalayas where we only have cell phones with us--and the cell phones only work there on Nepalese SIM cards. We can't prove our identity to any of these banks using the standard system of a numerical code texted to our phones . . . because our phones don't have their American SIM cards installed . . . because our American SIM cards will not work in the Himalayas! Oh, and we're about 10 hours off of Pacific time, so we're doing it all in the middle of the night.
To make it even more ridiculous, the hackers were accessing our accounts from IP addresses in Los Angeles, San Diego and Utah, while we were trying to get control of the accounts from Nepal. Who looks suspicious? At least two times, the Chase Visa fraud employees thought I wasn't me and refused to talk with me.
The good news for us, however, was that the hackers didn't change any of our e-mail passwords. If they'd done that and frozen us out of our e-mail accounts, we would have been in a much worse predicament. About three days after we learned about the hacking, Seth and I were both using our phones and within 30 seconds of each other we got messages from Google that someone was trying to re-set our Google passwords. The hackers were trying to wrest control from us in real time! Mercifully, it was daytime for us in Kathmandu and we were able to shut them down right away.
It has been a week since we realized we were hacked, and we think we have been finally able to get everything under control . . . except that we need Chase to send us a new credit card and they sent it by slow mail rather than fast mail so it missed us at our hotel in Dubai. We're hoping the card will make it to Seth's parents' house in South Africa this coming week while we visit them. But I have been supremely unimpressed with Chase's customer service in this adventure.
This experience has been a huge pain, but at least these bad guys didn't steal huge amounts of money from us, as they were obviously setting themselves up to do. Victory for us!
Wow! So sorry. Send me the address in Arizona if you want me to pay them a visit. By the way, if you ever do need $40, I got ya, but if you really do need $40,000, I’m probably not the person you should call.
ReplyDeleteSerious. Glad you guys were on it.
ReplyDeleteOh my gosh...this sounds completely nightmarish! All from the saved passwords in Chrome that we all have? Is that how they got into everything? SCARY.
ReplyDeleteYES! If they can get your Gmail password then they can see all of your passwords. Now we know.
ReplyDelete