Don't Get Caught Off Guard!
This is an urgent warning for all small business owners in the United States of America that participated in the Paycheck Protection Program (PPP), a Small Business Administration-backed loan that helped businesses keep their workforce employed during the COVID-19 crisis.
With millions of sole proprietorships in the U.S., many of these businesses do not have employees. As such, sole proprietors without employees and single-member LLCs were not initially included among the small business owners eligible for PPP. The Paycheck Protection Program ended on May 31, 2021.
Towards the end of the program the Government still had money to spend down. Sole proprietorships without employees and single-member LLCs became eligible to receive forgivable PPP loans based on the revenue reported on their prior year's Schedule C.
My business is one of the many single-member LLCs that applied for and received a small forgivable loan and it was enough to get us through the COVID crisis. I am grateful for the PPP program.
The scam I fell for is about that specific PPP loan. Yes, the forgiven loan! The one that I didn't even remember taking out when this event began. The reason I am so embarrassed and ashamed of myself for falling for this scam is because I am the author of "CyberSecurity Primer" that I published on September 24, 2018. Before the pandemic, I spoke at several live events and webinars on cybersecurity as well.
When it comes to cybersecurity, I have been helping people increase their risk awareness for years. I let my guard down and the enemy broke into my strong room. It's humbling because I never thought it could happen to me the way it did.
Philosophically, in my lifetime some of my most humbling experiences are the ones that cost me the most financially because of my own stupidity. This isn't my first costly mistake, and I'm sure it probably won't be my last. But this one is different because it is not just an attack on me. I was specifically targeted, yes. But as you will learn shortly, so is every good, honest, hardworking, small business owner across the United States that participated in the PPP program.
On behalf of my fellow small business owners, I am obligated to share this personal cybersecurity breach with you in the hope that you will not become this scam's next victim.
CyberSecurity
In every cybersecurity breach there is a cybercriminal or cybercrime organization perpetrating the crime and one or more victims that become their unwitting prey. You can thank the numerous data breaches that have occurred over the years where the stolen data is readily available on the dark web where hackers sell your information to cybercriminals that hope to turn you into one of their unwitting marks as well.
These organized crime groups function within well defined but segregated corporate structures. There are departments for every different function. Distributed divisions handle different aspects of victim curation and plan execution.
Often, these divisions are air gapped meaning that nobody knows who anyone else is or what they do except the highest echelons of the organization. Yet, they all work together as a single entity to smoothly transact a crime where everyone involved benefits except the victim.
Cybercrime is their full-time job. They live and breathe crime 24 hours a day, 7 days a week, every day of the year, all to profit illegally from your hard-earned efforts.
A friend of mine once worked as a prison guard in Rahway, NJ. He said he goes home after his 8-hour shift and doesn't think about work again until he arrives at the prison for his next shift. In contrast, he said the criminals that make up the prison population are thinking of nothing else but how they can escape their circumstances 24/7 or exploit the guards.
Cybercrime is like the prison population. The evil behind these crimes is a 24/7 lifestyle. At some time in your life, you will be targeted. Be aware and don't drop your guard.
Do you think something like this can't happen to you? Before you continue reading, please take a moment to check all of your email addresses on ';--have i been pwned?
This is the official dark web data breach tracking site that many password managers and anti-virus tools access through their API to warn you of data breaches and compromised passwords.
If any of your email addresses have ever been breached and it shows up on this website, cybercriminals probably already have your contact information and are planning to do something with it. They also have any other data of yours from the associated breach because they purchased it all on the dark web.
During live events, I would ask for volunteers to allow me to search for their email addresses in real time. People are always shocked and surprised when they see their addresses appear in the search with the breaches where their data was found. I always issued a warning to everyone not to volunteer for the demo if there's any chance that their email address could be found in a breach that could prove embarrassing such as the Ashley Madison data theft.
Being a victim and becoming a cybercriminal's unwitting prey has nothing to do with a person's intelligence, especially when caught off guard and presented with convincing proof, contrived as it may be. Unless you are an expert in identifying counterfeit evidence at first glance, or have an opportunity to perform a forensic analysis of the digital evidence, anyone could be fooled when caught off guard, especially a law abiding citizen for reasons you'll soon understand.
Criminal Groups: Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups use spam, phishing, and spyware/malicious code to commit identity theft and online fraud. International corporate spies and organized crime organizations also pose threats to the Nation based on their ability to conduct industrial espionage, large-scale monetary theft, and the recruitment of new attackers. Some criminal groups may try to extort money from an organization by threatening a cyberattack or by encrypting and disrupting its systems for ransom.
Cybersecurity primer
The complexity of the scam is not the design of a single cybercriminal that may try to send you malware through some phishing scheme. The evidence you will see is so good and convincing that it could only have been produced by a top cybercrime organization. You might even think you are reading the script of an FBI TV episode.
Battle Maneuvers
Just as soldiers conduct certain strategies during a conflict, cybercriminals employ battle tactics and stratagems as well. They will do anything necessary to gain tactical or strategic advantage by accessing a victim once they decide it will be profitable, challenging, or fun for them to do so.
There are many battle tactics a cybercriminal may employ. This is a partial list from the "CyberSecurity Primer" as applicable to this particular scam:
- Reconnaissance: Cybercriminals reconnoiter their victims and plan their attacks. They research, identify, and select targets by phishing, harvesting email addresses, engaging in social engineering, and other sneaky tactics.
- Exploitation: An attacker generally has two options for exploitation:
  - Social engineering and
  - Software exploits—a more sophisticated technique that essentially tricks the web browser, operating system, or other third-party software into executing an attacker's code.
In this scam, social engineering is the exploit of choice.
Social Engineering: In the context of Information Security, social engineering is a technique that relies heavily on human interaction to influence an individual to violate security protocol and encourages the individual to divulge confidential information. These types of attacks are commonly committed via phone or online. Attacks perpetrated over the phone are the most basic social engineering attacks being committed. For example, an attacker may mislead a company into believing the attacker is an existing customer and have that company divulge information about that customer.
CyberSecurity primer
This cybercrime is an example of social engineering that works when the victim is caught off guard. There are two key phrases in the above definition to keep in mind:
"relies heavily on human interaction to influence an individual"
"Attacks perpetrated over the phone are the most basic social engineering attacks being committed."
Anatomy of the Crime
It's Monday afternoon and I had a tiring and disappointing morning and decided to unwind with a little video gaming after taking some ibuprofen to alleviate a sinus headache.
I'm playing FarCry 6 for the second time and Dani Rojas is about to take down a checkpoint or anti-aircraft site and my phone rings. I really needed more depleted uranium for another of Juan's resolver purchases, too. It might have been an anti-aircraft site, then.
I do not normally pick up the phone for any number not already in my contact list unless the call is prearranged. I glanced down and saw the caller ID was one town over from where relatives live. I thought it might be someone calling about my family.
When I answered, a gentleman identified himself as a Wake County Sheriff's Deputy, with such and such a name, and such and such a badge number. I live in Raleigh, NC, the state capital and largest city in Wake County. He asked if he was speaking to Victor Font and asked me to confirm my email address. He spoke my personal email address and this is how the conversation ensued.
Me: "Yes, you're speaking to me. Why do you want to confirm my email address?"
Cybercriminal #1: "Is this your email address?" [repeats email address more loudly and authoritatively]
Me: "Why do you want to confirm my email address?"
Cybercriminal #1: [very authoritatively] "MR. FONT, IS THIS YOUR EMAIL ADDRESS?" [repeats email again]
Me: [annoyed] "Yes, it's one of my emails. Why?"
I was beginning to think this insistence about confirming my email was getting a little off point. It's not unusual to receive phone calls asking for donations to support police events. The persistence about the email was strange and I should have noted it as a red flag.
Point of Return
Confirming my email is the point of no return because I had now given him the one piece of information he needed to fully perpetrate this scam. I knew better than to do that but what comes next convinced me I was talking to a real police officer. Here's what he said.
Cybercriminal #1: [much friendlier and professional sounding] "Mr. Font, I am calling to inform you that a bench warrant has been issued for your arrest yesterday by a U.S. District Court Judge for Failure to Appear and Contempt of Court and the Wake County Sheriff's department is enforcing the warrants."
I didn't believe a word he was saying at first. I never received a notice about a court appearance and I would never not show up in court if I was required to make an appearance. But this actor sounded so professional, I truly thought I was talking to a police officer.
I'm a former first responder and first responders of any kind often develop a kind of kinship over their experiences on the job. When I was speaking to these criminal actors, 3 of them to be precise, I believed I was speaking to other first responders and they chatted with me as first responders to keep the deception going. They knew first responder language. These guys are very well trained and exceptional liars. My spidey-sense didn't tingle once.
The three on-screen roles in this drama are the officer that makes the initial contact, the lieutenant that serves as the booking officer, and the watch commander. It is quite a production.
I asked the first actor a lot of questions and he explained that my PPP Loan application was flagged as fraudulent and the government wants to confirm a few things in court if they want the money back in their recovery effort. The court appearance is to stand before a judge and explain why the loan isn't fraudulent. From a legal perspective, there are lots of things wrong with this premise as I have since learned.
I did not remember ever taking out the PPP loan because I never had employees at that time. Then he reads me information about the bank that provided the loan. They had information from the loan application.
Unbeknownst to me, the details of every PPP loan approved and forgiven in the US are available to discover through online public record sources.
Our Government has openly revealed the details about our PPP Loans for any criminal organization in the world to design a scam against us. As one example of how public this information is, you can find out anything you want about PPP loans here: https://projects.propublica.org/coronavirus/bailouts/. I searched this site by zip code and while I did not find my record, I was surprised about how many businesses in my zip code received PPP money, how much, and from whom.
Forensics
The bank information jogged my memory and led me to believe that the loan details were part of the criminal file against me. I didn't even think that the details could be found online in public records, but then again it is public money so the records are public whether we like it or not.
This crook set the hook when he asked me to open my email. The from address appeared as though it was from the US Department of Justice. The sending email address is District Clerk US_DISTRICT_CLERK@usa.com.
I really did not know if this was real or not and I had no way of examining the message header while I was on the phone with this dude.
The first "document" I see is this:
It sure looks real! Doesn't it?
The first page is probably a copy of a real court document that has been altered for this purpose. Taking the time to examine the evidence would have probably saved me from this scam. In retrospect, there were a lot of red flags from the get go that I missed.
What I see in this document now is that it is clearly a fake. But in the pressure of the moment, here is what I did not notice. The font used on page 1 is a serif font. Page 2 is written with a sans-serif font. A real court document wouldn't use two different fonts like that in the same document.
Missing the font differences is bad enough, but there is also a glaring error on page two that if I had been able to set aside the shock and emotions triggered by this "evidence", I would have been astute enough to notice the error and stop the scam cold in its tracks. Do you see the mistake?
Look at the judge's name at the end of the top paragraph and compare it to the name under the signature. Do you see the difference in the last names? In the paragraph, it's Dever. Under the signature, it's Denver. No genuine bench warrant issued by a Federal court of law would ever have a mistake in the spelling of the issuing judge's name.
The 'N' in Denver is a subtle distinction from "Dever", the real judge's name in the US District Court for Eastern North Carolina. Google James C. Denver III and you will see the real judge's page from the US Department of Justice's website: https://www.nced.uscourts.gov/judges/dever.aspx pop up in the search results. The name change is subtle enough to bring up real information.
If I had caught that one mistake, I could have stopped this crime, but fear won out and I couldn't focus my mind on the evidence that was right in front of my face. I wasn't fearful of being arrested. My fear was about living through yet another disruption in our lives after all of the serious life-happens events that we have been through that forced me to suspend my business operations for almost two years while I focused full time on caring for my family's health needs.
Just as it looks like our fortunes have turned a corner and we are being led out of the wilderness, I'm confronted with a believable threat about having to go to jail for several days before I could have a preliminary hearing before a Magistrate. At that point, I would have done anything not to spend a few nights in lockup.
How much would it be worth to you if you were facing these alternatives and believed they were real?
I argued the point that I never received a notice to appear. Then I receive this "proof" in the email:
When I looked at the date on the receipt, 01-04-2024, I thought it's possible this could have been delivered to a neighbor's address. Around the holidays when our local post office staffs up with temp help, it's not unusual in the least for our mail to end up in a neighbor's mailbox. The neighbors in this neighborhood get right friendly around the holidays when we have to deliver mail to each other's homes. I didn't recognize the signature as any of my neighbors either.
Obviously, the signature is unreadable and I said so. The "police officer" responded that when I am processed after I turn myself in at the Sheriff's department, I would have to submit samples of my handwriting for analysis to prove I didn't sign the receipt and then the warrant could be vacated.
These criminals have scripted answers prepared well in advance for every objection they have anticipated their victims will raise. We are battling very smart and crafty crime organizations and these front line grifters are very well rehearsed in their roles. They are as professional as actors come. It wouldn't even surprise me if they are SAG members when they are apart from their criminal enterprises.
The most important thing they do to keep you off balance and playing their game is to keep you on the phone with them for the duration of the scam.
It's one thing to perform a forensic analysis of the evidence after the fact. It's an entirely different thing trying to figure things out when you are kept occupied in a highly stressful situation without the option of examining the evidence as deeply as you normally would while the scam is on-going.
Your emotions and fears are running high. You believe you are talking to an authority figure. Law-abiding citizens will continue to obey the law under these circumstances and the authority figures representative of the law they believe they are obeying. They will cooperate with authorities that are "doing what they can" to help you stay out of county lockup by posting your bail in advance of processing.
Pay your bail as we instruct you and bring the receipt with you when you are processed and we can send you home. That's the remediation plan and it's plausible when you don't know the actual law and can't examine the evidence more deeply.
Preemptive Bail Opportunity
The Preemptive Bail Opportunity is defined in this letter:
Everything in this letter explains the fraud recovery plan. Seth P Rosebrock's signature may be genuine. He is the real Assistant General Counsel - Enforcement Section at Federal Deposit Insurance Corporation (FDIC). I am certain Mr. Rosebrock is not associated with this fake document in any way.
The "Preemptive Bail Opportunity" is the hook that gets your money.
The "Steady State Two-way Communication with Law Enforcement" is the scam that keeps you on the phone.
And the "Cash Bail Opportunity Secured by FDIC Trust Account" is the hook that gets you to withdraw cash and pay your bail at a Coin Flip machine.
Once they get you this far into the scam, you will lose your money. You will not have the wherewithal to back out at this point because you have swallowed the bait hook, line, and sinker.
Paying Your Preemptive Bail
Here's another discrepancy. The arrest warrant says:
Law requires a reasonable bail to be set. Bail is set at sum equal to or greater than Loan Forgiven. Bail shall be posted directly in accordance with policies and procedures related to self surrendering, low risk offenders posting preemptive bail in regards to the False Claims Act.
Fake Arrest warrant page 2
The "FDIC Letter" states:
The bail amount will be set at 50% of the forgiven sum of the fraudulent PPP loan.
fake FDIC letter page 1 item 3.
Now that the hook was set, I was transferred to the "police lieutenant" in charge of booking and processing.
Now that I know PPP loans are a matter of public record, the forgivable loan I received was for $10,500. I don't know of too many people that have $10,500 laying around that they just withdraw from the bank to pay bail.
I protested the amount vehemently and the "watch commander" agreed to lower the bail to $5,500 and I was instructed to visit a payment terminal to deposit the cash bail into the "trusted FDIC secured account".
These are the emailed instructions the "booking officer" had me follow.

At first it didn't make sense, but with crypto fast becoming a world-wide currency, I couldn't think of any reason why the Federal Government wouldn't transfer funds as USDC. As the Myth Busters would say, "It's plausible".
Built for rapid, global payments and 24/7 financial markets, USDC is a regulated, digital currency that can always be redeemed 1:1 for US dollars. I was already familiar with USDC from the little bit of bitcoin trading I've done.
In addition to the QR code in the email, the booking officer gives you a number to type in at the crypto machine that started with 202, the area code for Washington DC.
So I went to the bank and took out $5,500, went to a Coin Flip machine, and bought the USDC as instructed. I take a photo of the transaction receipt and am on the way to the Sheriff's department.

As I start to drive away, the booking officer says that something went wrong, the deposit was red flagged and the bail has not been cleared. If I report to the Sheriff's they will have no choice but to put me in lockup until the rest of the bail is paid.

Again as per the "officer's" instructions, I repeated the entire cycle a second time to make up the balance. Now wait until you hear what happens next.
Here's the transaction receipt:

Now the Bombshell Drops!
Here's the last fake collateral receipt:

Please make sure you read the red letter text. Yes, they wanted me to pick up a check at the US District Court Clerk's office as a refund for the two deposits, convert it to cash, and redeposit it as a single transaction.
By this time it was almost 5pm. I had been going through this ordeal for almost 3 hours. Thank God the bank closes at 5pm. Now the "watch commander" is on the phone with me and asks if I could make it back to the bank, get the full amount, make the deposit, and pick up the refund check in the morning.
I told you these guys were good game players. When he realized the bank was closed, he said I could drive home and we would resume this in the morning. He reminded me not to get stopped by the police because a traffic stop would force the officer to execute the arrest warrant and take me in.
Do you think I had a restful sleep that night? No, I did not. The anxiety and stress was off the charts. I got up very early to kneel and pray.
Since I thought there was a refund check waiting for me at the U.S. District Court Clerk's Office, I looked up the address in downtown Raleigh in the Government Zone and made sure I went to the clerk's office shortly after it opened at 8:30am.
The U.S. District Court is a Federal building. You are not allowed to bring cell phones on the property at all. If you have a cell phone on you when you walk through their TSA-like security with belt off no less, they make you leave the building and put your phone in your car. The court house has no public parking. Your car could easily be parked a half mile or more away on the streets in the surrounding neighborhood.
I learned all this the Kaizen way, learning by doing. When I got to the court house, I pulled into their parking lot to talk to the guard and figure out where I had to go to see the clerk. He explained the parking rules and told me that when I came back, he'd show me where to go.
I found a spot on the street about a quarter mile away and walked back to the guard holding my cell phone in my hand. When he saw me, I literally saw him slap the side of his head. I was near enough to him at that point to ask him if there was something wrong. He looked at me and apologized profusely about not telling me about the cell phone rule. I laughed it off with him to make him feel comfortable about it and made the round trip trek back to the car to leave it there.
Building entry security is TSA-style. There is one small metal detection portal to walk through with ID checks and pocket content x-rays. I showed my ID, signed in, got my visitor's badge, emptied my pockets, watch, and belt to send them through x-ray. The guard handed me my ID back and said I could carry my wallet through the detector while I put my ID away. And wouldn't you know it? The wallet set off the metal detector. LOL!
My wallet has RFID blocking built in. That's probably why it triggered the metal detector. The guards thought it was magnetic stripes on the cards. I don't know who is right and really don't care. I only know I had to walk through the detector twice.
I give high praise to the staff of the US District Court Clerk's office in Raleigh, NC. The people that work there are wonderful, non-judgemental, and extremely helpful.
They discussed whether the possibility of a check coming to their office was feasible and decided there could be circumstances that offer a remote possibility, but it's not a standard function of their office.
I asked them to please check the court docket for my name, and they looked at the court calendar immediately. My name has never been in a Federal court docket that they could find.
At that point, I knew the game was over because the truth had been exposed and I lost this one. I actually found my loss to be somewhat amusing. I am not used to losing at games of wits.
I explained the entire situation to the clerk's office staff. One woman said they had just started receiving multiple calls daily asking about this PPP scam. They advised me to call the receptionist at the US Attorney General's office in Raleigh. She would know what to do. They told me her name and gave me her number.
When I called the AG's office, she routed me to the FBI Office in Raleigh where I spoke to an agent and gave my report to her over the phone. When she was finished, she advised me to file an additional report directly with the FBI's CyberCrime Division through the Internet Crime Complaint Center (IC3).
The CyberCrime Division has the capability of performing the deep digital forensics that this type of scam requires in order to put a stop to it. They have all the evidence, but will I ever see that money again? Probably not. I won't lie. This one hurt! But as I see it, there must be a reason for it. Maybe the reason is to help keep you from falling for something like this yourself.
Conclusion
After I got home from the Clerk's office and filing the first FBI report, guess who called to pick up where they had left off?
When I answered and heard his voice, I said, "Yeaahhh...I just got home from the U.S. District Court Clerk's office."
"CLICK"
He disconnects the call. He had been burned. They'll call in a cleaning crew to sanitize the crime scene of digital evidence and move on to their next location to social engineer their next set of victims.
They targeted me for $11,500. The PPP loan was $10,500. I asked why there was an additional thousand.
"Court costs"
There's one more thing worth mentioning. When I was withdrawing my cash from the bank, they said to leave my cell phone in the car and not to tell anyone in the bank why I was withdrawing the money because I would put the bank in the position of aiding and abetting a criminal.
How ironic is that?
These guys played a very strong game and had me completely fooled. They had plausible answers for everything and acted their roles very well. When I got back on my computer at home and examined the message header source code, there was nothing in it that I could see forensically that would lead me to believe the header was forged.
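The header check described above, as an added example that is not part of the original post: it parses a constructed message modelled on the sender shown earlier (District Clerk <US_DISTRICT_CLERK@usa.com>), flags the mismatch between a government-sounding display name and a sender domain that is not .gov, and reads the receiving server's SPF/DKIM/DMARC verdicts. The keyword list, the sample header and the triage() function are assumptions made for this example.

```python
"""Offline triage of a suspicious e-mail header.

Added example (not the post's own code). Two checks a defender would run on
the message described in the post: does the display name claim a government
sender while the mailbox lives at a non-.gov domain, and what did the
receiving mail server record in Authentication-Results? The point of the
second check: SPF/DKIM/DMARC passing for usa.com only proves the mail came
from usa.com, which is the problem, not a reassurance.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample, not the actual message from the post. Header values
# are modelled on what the post describes.
SAMPLE_MESSAGE = b"""\
From: District Clerk <US_DISTRICT_CLERK@usa.com>
Reply-To: US_DISTRICT_CLERK@usa.com
To: victim@example.net
Subject: Bench Warrant - Failure to Appear
Date: Mon, 08 Jan 2024 14:02:11 -0500
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=usa.com;
 dkim=pass header.d=usa.com;
 dmarc=pass header.from=usa.com
Message-ID: <constructed-id@usa.com>

(body omitted)
"""

# Hypothetical list of display-name words that imply a U.S. government
# sender; extend it for your own environment.
GOV_KEYWORDS = ("district clerk", "department of justice", "sheriff",
                "district court", "fdic", "irs", "u.s. attorney")


def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results value."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % mech, value or "")
        if m:
            verdicts[mech] = m.group(1).lower()
    return verdicts


def triage(raw_message):
    """Return the sender domain, the auth verdicts and a list of red flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # Check 1: government-sounding display name on a non-.gov mailbox.
    claims_gov = any(k in display.lower() for k in GOV_KEYWORDS)
    if claims_gov and not domain.endswith(".gov"):
        findings.append("display name %r implies a U.S. government sender, "
                        "but the address domain is %r, not .gov"
                        % (display, domain))

    # Check 2: what the receiving server recorded about the sending domain.
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for mech, verdict in auth.items():
        if verdict != "pass":
            findings.append("%s verdict is %r" % (mech, verdict))
    if claims_gov and auth and all(v == "pass" for v in auth.values()):
        findings.append("SPF/DKIM/DMARC all pass for %s: the message is "
                        "genuinely from that domain, so authentication cannot "
                        "clear a sender whose domain is wrong to begin with"
                        % domain)

    # Check 3: replies silently redirected to a different domain.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append("Reply-To domain differs from From domain")

    return {"from_domain": domain, "claims_government": claims_gov,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE)["findings"]:
        print("RED FLAG:", line)
```

Run against a header you have saved from your own mail client's "view source" option; the checks are the ones worth doing before acting on anything the message asks for.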