It's your own fault you got conned
A few weeks ago, a blog post started doing the rounds on Twitter.
http://andy-welch.tumblr.com/post/56687596225/wont-get-fooled-again
This is the blog of Andy Welch, a music journalist. I suggest reading the post before continuing to read this, but if you just want a summary, he was conned out of money by some very clever fraudsters.
Of course, every self-dubbed 'expert' immediately went into overdrive, analysing the con, placing blame, criticising banks, security and, I'm sorry to say, the victim. In fact, it was a tweet by an ex-colleague of mine, an intelligent person for whom I have a lot of respect, that made me write this post.
In my opinion, the con works because in general people have an expectation that when you hang up the phone the call is cut off. In actual fact, only the maker of the call can terminate it (except for 999 calls). If the maker of the call stays on the line, even if the receiver hangs up, the call remains in place. The clever part of the con in question is that the fraudsters had some kind of device for playing phone 'noises' down the phone. They rang the victim, claimed to be from his bank and told him his account had been hacked, and that he needed to ring the number on the back of his card. Once the victim hung up, the fraudsters kept the line open, but played a dial tone down the line. The victim then picked up the phone, heard the dial tone and proceeded to ring the number of his bank, completely unaware that he was still connected to the fraudsters.
We're told all the time by security experts that you should never give cold callers any information, and that if you're in doubt you should hang up and ring the bank yourself. The victim in this case followed that advice to the letter, but because of an oversight in the way the phone system works, he still ended up giving the fraudsters the information they wanted, thinking he was talking to his bank.
Discussing the blog post on Twitter the next day, I was quite saddened to hear people dismissing the story and claiming the victim was stupid for falling for the con. In my opinion, the victim in this case (or any case for that matter) is in no way to blame. Saying 'he was stupid' is in the same vein as saying 'she shouldn't have been dressed like that' about a rape victim. It's just not OK. Imagine getting mugged in a town you don't know very well and later being told by a policeman that it's your own stupid fault you got mugged because, unbeknownst to you, that particular part of town is a high crime area. This is exactly what happened. You can't expect everyone to know everything.
Of course, the person making the harmful claims was a technology expert. It's alarmingly common for people who know a little bit about technology to be arrogant about people falling for cons that rely on the victim not knowing how the technology works, and this arrogance needs to stop. I'm happy to say that the victim got all his money back, although not without a lot of hassle. If there's a silver lining in the cloud, it's that he now knows a lot more about how the phone system works, and if he gets a call supposedly from his bank again he'll no doubt use a mobile to call them back, not the line he just used. Additionally, he's written the blog post, so others can hopefully educate themselves on how this con works. But not everyone will read the blog post, and I bet there are still many people out there who don't know about the hanging-up flaw in the phone system, and will probably fall for the same con if it happens to them.
We as computer experts would do much better to help educate potential victims in a positive way, rather than knocking actual victims down a few pegs. As long as there are criminals more knowledgeable than their victims, these cons will continue, but the onus should not be on the victim; it's on us to help keep them from becoming victims in the first place. The only people who actively deserve any criticism are the criminals. Anything else is blaming the victim, which is never OK.
