One afternoon in December 2019, Kathleen Langer, an elderly grandmother who lives by herself in Crossville, Tenn., got a phone call from a person who said he worked in the refund department of her computer manufacturer. The reason for the call, he explained, was to process a refund the company owed Langer for antivirus and anti-hacking protection that had been sold to her and was now being discontinued. Langer, who has a warm and kind voice, couldn’t remember purchasing the plan in question, but at her age, she didn’t quite trust her memory. She had no reason to doubt the caller, who spoke with an Indian accent and said his name was Roger.
He asked her to turn on her computer and led her through a series of steps so that he could access it remotely. When Langer asked why this was necessary, he said he needed to remove his company’s software from her machine. Because the protection was being terminated, he told her, leaving the software on the computer would cause it to crash.
After he gained access to her desktop, using the program TeamViewer, the caller asked Langer to log into her bank to accept the refund, $399, which he was going to transfer into her account. “Because of a technical issue with our system, we won’t be able to refund your money on your credit card or mail you a check,” he said. Langer made a couple of unsuccessful attempts to log in. She didn’t do online banking too often and couldn’t remember her user name.
Frustrated, the caller opened her bank’s internet banking registration form on her computer screen, created a new user name and password for her and asked her to fill out the required details — including her address, Social Security number and birth date. When she typed this last part in, the caller noticed she had turned 80 just weeks earlier and wished her a belated happy birthday. “Thank you!” she replied.
After submitting the form, he tried to log into Langer’s account but failed, because Langer’s bank — like most banks — activates a newly created user ID only after verifying it by speaking to the customer who has requested it. The caller asked Langer if she could go to her bank to resolve the issue. “How far is the bank from your house?” he asked.
A few blocks away, Langer answered. Because it was late afternoon, however, she wasn’t sure if it would be open when she got there. The caller noted that the bank didn’t close until 4:30, which meant she still had 45 minutes. “He was very insistent,” Langer told me recently. On her computer screen, the caller typed out what he wanted her to say at the bank. “Don’t tell them anything about the refund,” he said. She was to say that she needed to log in to check her statements and pay bills.
Langer couldn’t recall, when we spoke, if she drove to the bank or not. But later that afternoon, she rang the number the caller had given her and told him she had been unable to get to the bank in time. He advised her to go back the next morning. By now, Langer was beginning to have doubts about the caller. She told him she wouldn’t answer the phone if he contacted her again.
“Do you care about your computer?” he asked. He then uploaded a program onto her computer called Lock My PC and locked its screen with a password she couldn’t see. When she complained, he got belligerent. “You can call the police, the F.B.I., the C.I.A.,” he told her. “If you want to use your computer as you were doing, you need to go ahead as I was telling you or else you will lose your computer and your money.” When he finally hung up, after reiterating that he would call the following day, Langer felt shaken.
Minutes later, her phone rang again. This caller introduced himself as Jim Browning. “The guy who is trying to convince you to sign into your online banking is after one thing alone, and that is he wants to steal your money,” he said.
Langer was mystified that this new caller, who had what seemed to be a strong Irish accent, knew about the conversations she had just had. “Are you sure you are not with this group?” she asked.
He replied that the same scammers had targeted him, too. But when they were trying to connect remotely to his computer, as they had done with hers, he had managed to secure access to theirs. For weeks, that remote connection had allowed him to eavesdrop on and record calls like those with Langer, in addition to capturing a visual record of the activity on a scammer’s computer screen.
“I’m going to give you the password to unlock your PC because they use the same password every time,” he said. “If you type 4-5-2-1, you’ll unlock it.”
Langer keyed in the digits.
“OK! It came back on!” she said, relieved.
For most people, calls like the one Langer received are a source of annoyance or anxiety. According to the F.B.I.’s Internet Crime Complaint Center, the total losses reported to it by scam victims increased to $3.5 billion in 2019 from $1.4 billion in 2017. Last year, the app Truecaller commissioned the Harris Poll to survey roughly 2,000 American adults and found that 22 percent of the respondents said they had lost money to a phone scam in the past 12 months; Truecaller projects that as many as 56 million Americans may have been victimized this way, losing nearly $20 billion...