Please don’t suppose I’m unaware I’ve been an idiot. I recount what happened to me last week without expecting your sympathy or understanding, and this account carries only the very slightest plea in mitigation: the suggestion that it could happen to you too, even if you don’t think you’d ever be so stupid.
Because I certainly didn’t think I was. I’m not IT-illiterate, I’m not particularly slow-witted, I’ve attended ‘take online security seriously’ lectures, and I do know about the new ways thieves steal from the unsuspecting these days. I’m forewarned.
So I thought myself proof against such attempts when the landline phone rang on Friday morning. My partner had just gone riding, so when the caller said she was from BT, and believed I was dissatisfied with our fluctuating broadband speeds, I assumed he had made a complaint because he is indeed dissatisfied.
She sounded as though she was in a call centre in India (you could hear a noisy background of calls) and spoke with a thick accent. I could hardly understand her but, then again, one often can’t with these call centres. She handed me over to ‘my supervisor’, a man. He wanted to take me through a few tests of my broadband quality, and did I have a screen I could use? I did, and logged in, holding the cordless phone to my ear. He asked me to confirm my address and the spelling of my name (‘so BT can be sure we’re speaking to our client’) which I did.
He then dictated the URL of a testing website to go to, and I got it on to my screen. First we went (I’ve retrieved all this information from my Chrome history) to the WC3 Markup Validation Service, then to the Nu Html Checker.
I was getting a bit confused, and from here on my memory begins to tangle. The ‘supervisor’ was directing me from website to website, including a login to my MyBT website, and I began to lose track of why I was doing all these things, simply telling him what was on my screen. The one that worries me, though, is the last one we went to: the AnyDesk App for Remote Desktops, which came after the TeamViewer Automatic Download. By this point things were happening on my screen without my intervention — as though someone or something had taken over.
I had now been on the phone for 35 minutes. If when I had first picked up I had known the time or the complication that would be involved, I would have told them to call back later, when Julian could have handled it. But I had been led very slowly into all this, and was beginning to feel that, having invested so much time already, we might as well get through to a result.
Also — and this is hard to describe — I think I had become rather passive. In an IT landscape where I was lost, this ‘supervisor’ had become my guide. He had me by the hand and I was simply doing what I was told — even feeling I was letting him down by being slow to understand his instructions, and taking pleasure from his pleasure when we got the results he was looking for on to the screen.
‘We’re going to get a conclusion now,’ he said. My hands were off the keyboard, and the AnyDesk App for Remote Desktops thing was flashing all sorts of figures and symbols and incomprehensible IT language on to my screen. It did now occur to me that there might be something suspicious going on, but I felt it would sound irrational to tell him — now, after all this time — that I was going to hang up.
‘Scroll down right to the bottom of what’s on the screen,’ he told me, ‘and you’ll see the result’. It said: ‘Due to client: £386 compensation.’ He was apparently looking at the same screen. ‘That’s compensation for a poor service,’ he said. ‘BT will be fixing the defective service as soon as possible.
‘But we need to get the compensation to you straight away.’ Now I was smelling a rat. ‘First I want to confirm your address.’ It occurred to me that he already had my address, but I gave it. ‘Now can I check we have the right bank details for you?’ he said. ‘Can I confirm which bank you bank with?’
I was now very suspicious but I told him the bank’s name, as this did not strike me as very secret information. ‘And I’ll need some details from your account,’ he said.
Whoa. ‘BT have my bank details already,’ I said. ‘I pay by direct debit.’
‘But we need to confirm that the man I’m speaking to is the account holder,’ he said — or words to that effect. At last my brain was kicking in. His explanation made no sense. ‘No,’ I said, and told him so. ‘All you need to do is credit my account,’ I said. The scales had fallen from my eyes. I hung up.
Immediately he phoned back. I told him to stop calling, but each time I killed the call the phone rang again, so I left it off the hook. On my smartphone I called my bank and agreed that they can block internet access to my account until I’ve had my laptop checked over for ‘malware’. What may these crooks have been able to extract? I have no idea.
For half an hour my hands trembled. I was surprised how shaken it left me feeling. I don’t think I’d ever have given him passwords or anything, or accessed my account while he might have been able to watch — but I’ve rather lost confidence in my own sceptical good sense. Could he be watching now?
Yet it didn’t and wouldn’t occur to me to tell the police. They’d be as far out of their depth as I am. It’s the Wild West out there, and we’re alone and unprotected. Analogue law enforcement in a digital world.