If you’re a fan of the Bravo network, you’ll know Andy Cohen as the host and producer of Watch What Happens Live with Andy Cohen, and producer of the popular Real Housewives franchise. But if you happened to tune into the Today Show on January 10th, 2024, you’d have seen him in a different role.
That morning he put on a “consumer advocate” hat, and went on Today to talk about how he’d been scammed out of a considerable amount of money. He wanted to warn viewers about how he was fooled, in the hope that perhaps they’d be less likely to fall for the same con game. We think that’s admirable – it can’t have been easy for him – so in support of his goal, we’re going to break down that scam for you in detail.
Scams Pit Pros Against Amateurs
It’s easy for the rest of us, in the great “Monday morning quarterback” tradition, to assume that people who fall for scams are gullible or did something stupid. That’s not usually the case. Sure, some scammers are clumsy and unsophisticated, but a lot of them are smoothly competent professionals. When professionals go head-to-head with amateurs (the rest of us), chances are that the professionals will win. It’s a numbers game for them: if they’re persistent in what they do, they know they’ll catch people in an unguarded moment.
That’s very much what happened in Cohen’s case. Through sheer coincidence, he’d lost his debit card the day before and reported it to his bank. When he received a phishing message the next day, claiming to be from his bank’s fraud prevention department, he made the natural assumption that it was related to his lost debit card. His guard was down.
Let’s be clear, here, Andy Cohen is no dummy. He’s had a successful career in the notoriously cutthroat entertainment business, where dreams die a lot more often than they come true. Gullible people get weeded out pretty quickly, in that game. As he pointed out in the Today Show interview, he’s usually the one warning his parents about this kind of scam. Like most readers of this blog, he’s a competent and reasonably well-informed consumer.
How Andy Cohen got Phished
The scam that took Cohen’s money started, as we said, with a phishing email claiming to be a fraud alert from his bank. Because he’d lost his debit card the previous day, he accepted this at face value. From there, things played out very much as the attackers would have wanted.
He Didn’t Check the Email Address
His first mistake, he says, was not verifying the email address. Most email clients show you who the sender is, rather than the actual email address (so it will say “Mom,” for example, not “momsemail@emailprovider.com”). You can see the underlying email address by hovering your mouse over it on a computer, or by long-pressing on your mobile device, but Cohen didn’t do that.
To be clear, attackers can sometimes spoof (fake) email addresses, but don’t always bother. So if the email came from “soundslikeyourbank@domain.com,” instead of “something@yourbank.com,” it’s a fake.
He Clicked On the Link
Andy’s second mistake was opening the link in the email they’d sent him. We harp on this a lot, here in the blog, but never open the link in an unsolicited text or email, even if you’re confident about the sender.
He Attempted to Log In
The link took him to a page that looked like his bank’s login, so he obligingly filled in his username and password. Unfortunately for him, given the outcome, it was probably a bogus site set up specifically to harvest those credentials. When he entered them, he gave the scammers the keys to his bank account. There’s also a possibility the link may have installed malware on his phone to harvest his credentials, then forwarded him to the real bank’s site. That part’s unclear.
They Asked Him to Sign Into His Apple ID
Up to this point, Cohen was under the impression that everything was legitimate, but then the site asked him for his Apple ID as well. That was when the penny dropped, and he realized that he was dealing with scammers. So he closed the tab, and assumed that he had nipped a potential scam in the bud.
Why Did the Scammers Ask for His Apple ID?
After we spoke of scammers earlier as practiced professionals, you may wonder why they’d do something as clumsy, at this point, as asking for their target’s Apple ID. Cohen recognized at this point that it was a scam, so wasn’t that a slip-up on their part?
Not necessarily. Remember, though Andy didn’t realize it at this point, they’d already gotten the login credentials for his bank account. Anything else they can get at this point is pure gravy, so why not try? An Apple ID is a very useful thing, if you can get it, because it gives the scammers access to the payment methods you’ve got saved in Apple Pay, your iCloud backups, your photos, and much more.
A lot of victims at this point are already mentally slotted into that “gotta fix my account” groove, and will give up their Apple ID unthinkingly. In this particular instance, it was a win-win proposition for the scammers because their success with the phishing attack triggered a second, damaging phase of the scam. This is relatively uncommon, and that’s what makes Cohen’s story so interesting.
A Telephone Scam Built on the Phishing Scam’s Success
Instead of taking their winnings from the phishing scam and moving on, Cohen’s scammers leveraged their successful phishing attack to follow up with a phone scam. The next day, he received a text claiming to be from his bank’s fraud alert system, letting him know that someone was trying to use his debit card for a purchase and asking if it was him. When he responds with a “No,” his phone rings and the Caller ID shows that the incoming call is from his bank.
It’s not his bank, of course, but the scammers. This is why they could afford to risk alerting potential victims by asking for their Apple ID: anyone who spotted it as a scam will, like Cohen, be predisposed to believe the incoming call from the bogus “fraud prevention department.” They’re actually leveraging the success of their previous scam in order to improve the odds for their follow-up.
Here’s how the rest of the scam went down.
The Scammers Sounded Legitimately Knowledgeable and Professional
The caller walked Andy through several previous transactions on his account, just as a legitimate bank employee would. It gave the call a strong air of legitimacy, because at this point he still didn’t realize that he’d given the scammers access to his bank account the night before. They knew stuff only his bank should know, right?
Also – and here we come back to professionalism – the woman on the other end of the phone was the very ideal of a dedicated, empathetic customer service rep during the whole hour they spent on the phone. At one point, as he explained about the phishing email the night before, the caller told him flatly (as a real bank employee would) “We would never ask for your Apple ID.”
“Whoever you are,” Cohen said, looking straight at the camera, “I hate you, but you’re very good at your job.”
They Asked Him to Read Back Codes
At this point, after building that comfortable client relationship with Cohen, the service rep told him she was going to send him three codes, and that she’d get him to read them back to her. This should have been a bright red flag, but, because this very helpful service rep had already put in so much time with him, he did as he was asked.
What really happened at this point is that the scammers had sent themselves three large wire transfers from Cohen’s account, and the codes – which legitimately came from his bank – were confirmation codes to authorize the transfers. With his help, the scammers had now bypassed the bank’s security measure for transfers involving large amounts of money.
They Asked Him to Input Codes on His Phone
As a final deft touch, the caller told him she’d give him a few numbers to enter into his phone. When he did, he saw a brief message (which, to give him credit, he had the presence of mind to screenshot) saying that he’d set up call forwarding.
The Aftermath of the Scam
About 30 minutes after that call, second-guessing the whole scenario now that he’d had time to think about it, Cohen reached out directly to his bank’s real fraud prevention department and left a message. The message said he’d get a call back within 30 minutes, but it never came. Why not? Because he’d set up call forwarding on his phone, and any phone calls, text alerts, or authentication messages from his bank were going directly to the scammers.
It wasn’t until the next day, when he was able to go to his bank in person, that he fully understood how thoroughly and professionally he’d been taken by the scammers. It’s very difficult to retrieve any money you’ve lost in the form of a wire transfer (that’s why criminals favor it), but the case is currently being investigated by the NYPD’s Cyber Security Unit.
At the time of writing only a few days have elapsed since the incident took place, and it remains to be seen whether Cohen will ever recover his money, or the criminals will be brought to justice.
Lessons to Learn from Andy Cohen’s Experience
So what lessons can we draw from Cohen’s unfortunate experience? A few spring to mind.
- Never click the link in an unsolicited text or email, however legitimate it appears. Go to your bank’s site from your own usual bookmark, or fire up its app (the same goes for Netflix, Apple, Amazon, and other often-impersonated companies) instead.
- Check the sender’s email address, whenever you receive a message telling you there’s a problem with the account. You can also double-check by copying and pasting the email address into Spokeo’s email lookup (the same is true for the sender’s phone number, with texts).
- No legitimate bank, credit card carrier, or government agency will ask for your Apple ID. The scammer wasn’t lying about that. Never give it out.
- Don’t automatically accept incoming calls from “fraud prevention,” “loss prevention” or any other official-sounding source as legitimate, even when they seem to know a lot about you. Tell them you’ll call back, then reach out to your bank through the number on the back of your debit or credit card – Cohen’s chastened advice – or the number on their legitimate website.
- Never let anybody persuade you to read back any codes sent to your phone. Seriously, never do this! Most of these authentication texts and emails will tell you this explicitly, because those codes are for your use only. Anybody asking for them is a red flag of “Party HQ in Beijing” proportions.
Unless you’ve deliberately reached out to your phone carrier for technical support, never let anyone persuade you to enter codes into your phone (especially if you aren’t tech-savvy enough to know what they do). It’s painfully obvious in retrospect but may slip past you in the moment, as Cohen learned to his cost.
What to Do If You’re Scammed
It may be that this article came just a bit too late for you, and that you’ve already fallen for a phishing or telephone scam like the one Andy Cohen spoke of on television. We’ve previously written at length about what to do if you’re scammed out of money, but here’s the TL;DR:
- Report your experience to the FTC’s Report Fraud website. The site will help you create a personalized, step-by-step recovery plan, which will be a real help.
- Report the incident as well to the FBI’s Internet Crime Complaint Center (IC3), and also to your local police (as Cohen did). Your local force – unlike the NYPD – may not have the resources to do much about it, but some companies need you to furnish a police report before they’ll help you unravel the fraud.
- Follow the steps laid out on Apple’s own support site for recovering a compromised Apple ID, if the scammers persuaded you to give it to them.
- Reach out to your bank, credit card company, or any other players who may be affected by the specific scam you’ve encountered. Talk to their customer service or fraud prevention departments, document the incident thoroughly, and see how much they can help you. Also – and this is important – take advantage of any extra security features they offer, such as automated alerts or multi-factor authentication.
- Check your carrier’s website, or call its tech support, to learn how to turn off call forwarding (or other unwanted features) on your phone, if you’ve fallen for that admittedly unusual ploy.
- Place a credit freeze and/or a fraud alert with the major credit-reporting agencies. You’ll probably need their help to get fraudulent charges removed from your record.
Kudos to Cohen for Sharing His Experience
The elements of this scam were not unusual. Phishing texts and emails have been around for a long time, with occasional new wrinkles (like scammers using QR codes instead of links). Phone scams impersonating banks or government agencies among others are especially common; these “imposter scams” are the most-reported form of fraud, according to the FTC.
What’s unusual about the scam Cohen encountered is the way it combined the two. Scammers are creative people, in their narrowly specialized way, and it was a stroke of genius to combine these well-proven strategies in a two-tiered attack. That’s uncommon, and shows an increasing level of sophistication on the bad guys’ side of the ledger.
That’s why reporting and publicizing these incidents is so important for the rest of us. It’s embarrassing to admit you’ve been taken, especially when you’re a public figure, so we can only tip our hats in respect to Andy Cohen for stepping forward. Thanks, Andy!
Sources
Today: Exclusive: Andy Cohen Fell Victim to a Credit Card Scam. Here’s What He Learned
US Federal Trade Commission: Report to Help Fight Fraud!
US Federal Bureau of Investigation: Internet Crime Complaint Center (IC3)
Apple Support: If You Think Your Apple ID Has Been Compromised
US Federal Trade Commission: Consumer Sentinel Network Data Book 2022