I’ve worked in the tech world for a long time. Even while teaching high school Latin and English, I freelanced on the side — and I fell into the tech industry thanks to an editor friend who was desperate for a writer who could follow a brief. My favorite sub-sectors in technology include the Internet of Things (IoT), EdTech (educational technology), semiconductors, artificial intelligence/machine learning, and cybersecurity. Once I transitioned to writing and UX design full-time, many of my clients fell in the SaaS (software as a service) space.
I’ve branched out from tech into other industries over the past 13 years, but I’ve learned a ton about the dark web, fraud, and the ever-increasingly sophisticated attacks that cybercriminals launch on unsuspecting businesses and individuals.
Unfortunately, older adults (55+) have become an increasingly popular target. According to the National Council on Aging (NCOA), almost 75% of older adults have been scammed — or know a victim. In 2024, older U.S. adults lost over $2 billion to scams.
In April of this year, my 85-year-old mom was one of those adults. And the most infuriating and frustrating thing? I’ve been training her for years on what to watch for. She knows not to give out any personal information over the phone or to open suspicious emails or texts. If she gets a legitimate-looking email with an attachment she doesn’t recognize, she saves it in a folder for me to check out later. Those “You owe $54 to the PA Turnpike commission” texts? Deleted and blocked as spam.
She uses ScamAdvisor and TrustPilot to read reviews and confirm a website’s validity if it’s a brand she’s never heard of before. And honestly, she’s better at spotting AI-generated images than I am. It never occurred to me to tell her that it’s nearly impossible to hack a landline or a smartphone with up-to-date software.
The set-up
A few weeks ago, Mom clicked on a National Geographic article. Immediately, her screen froze, and a “Microsoft” alert popped up claiming her computer was infected. She followed the steps I’d given her to unfreeze the browser (Ctrl+Shift+Esc), but it didn’t work. Next, she tried Ctrl+Alt+Del. No luck.  She shut the computer down and waited about 30 minutes. The message was still there with a 1-800 number to call. Going to pause to give Mom a shout-out because she did exactly what I told her to do if something weird happens. She checked the phone number on her cellphone (TrueCaller). The site confirmed the number as legit.
So she called. Spoiler alert: It was not a legit number.
A tangled web of lies
Mom connected with a woman, “Sophie,” who said she worked at Microsoft and could help diagnose the problem. Now, interestingly, Sophie did not ask Mom to download anything on the computer. She walked Mom through Ctrl+Shift+Esc to open the Task Manager, navigate to Chrome, and end the task. The computer — as far as Mom was concerned — was working fine.
But then the plot thickened. Sophie asked Mom where she banked, and Mom told her. At that point, she didn’t give any information besides the bank’s name. Sophie said she wanted to check something and connected Mom to her “supervisor,” while she conducted some investigation. While Mom waited, she spoke with the supervisor, who confirmed his and Sophie’s identities and provided their contact info, direct lines, email addresses, and employee numbers. He even texted pictures of their ID badges. Sophie returned to the line and said that my mom’s phone lines (both landline and cell) had been hacked, and that the hackers had gotten her banking information and withdrawn $20,000 from her account. By now, Mom was understandably worried — even more so because she believed Sophie and was afraid to call me for fear of “infecting” my cell phone. Sophie’s “Microsoft supervisor” offered to connect Mom to the fraud department at her bank.
An aside: An official Microsoft representative would never do this because they don’t have direct access to any bank’s fraud department.
The web tightened
Mom connected to Anna, a “bank employee” working in the fraud department. Anna told Mom that cybercriminals had withdrawn $20,000 from her checking account at 4:37 a.m. and used it to buy child pornography. She said she’d traced this withdrawal to an account in Shanghai.
Mom was, understandably, upset and beginning to panic by now. She is, however, a cool cucumber under pressure, so she compartmentalized and — because she’s also a rules follower — did everything Anna and Sophie (who got back into contact as well) asked.
- Mom logged into her bank account and confirmed a balance below the amount she was told had been stolen.
- Anna told her to go to the bank, withdraw the amount currently in the account (in cash), and deposit it in a federal ATM. At that point, Anna said, Mom would receive a text alert asking her to confirm the withdrawal and the subsequent deposit. Next, she would contact the bank to report the fraud, and both transactions would be canceled as chargebacks, and the money returned to her account.
Note: There is no such thing as a federal ATM, but Mom didn’t know that because she only uses the ATM at the local bank or goes inside.
- When she went to the bank, Anna told her to stay on the phone, not talk to anyone or answer any questions, and to let her know when she had the money.
- The teller, Mary, suspected something was up and asked Mom if everything was okay. Mom, still following instructions, said it was fine. She withdrew the money and returned to the car, where Anna gave her the address of this “federal ATM” into which she would deposit the money.
Note: The “ATM” was actually a cryptocurrency machine.
- Mom scanned the QR code that Anna had texted her at the machine. This QR code generated an account number, but Mom couldn’t tell what it was. Unfortunately, she managed to deposit most of the cash before the machine jammed. It also didn’t print a receipt.
- Anna and Sophie, by turns, were talking to her this entire time — Mom estimates she was on the phone from about 1:30 p.m. until 4:30 p.m. speaking with them and both of their managers. Of course, everyone was reassuring her that withdrawing the money and depositing it in this way would trigger the bank alert that she could use to alert the bank’s fraud department to recoup her money.
About 4:30, after the machine had jammed, she borrowed the vape store owner’s phone to call me because she was worried that her cell phone was still compromised. I didn’t recognize the number, so I let it go to voicemail. But when I heard her message, “Jodes, there’s an emergency. Dad and I are on our way home, but get to the house as fast as you can,” I got really worried.
The aftermath
Mom recounted her afternoon’s activities to me, reassuring me that Anna had told her the money would be back in her account within a day or two. In fact, she was still talking to Anna when I arrived. I also got on the phone to talk to Anna, who told me that her department handles fraud cases like this all the time, and I wasn’t to worry.
Spoiler alert: I was very worried.
Mom ended the call, and I walked her through each step of the day, starting from the first message appearing on her computer screen. I saw red flags everywhere, but I waited until she finished her story to share my concerns — and then, after breaking the news as gently as I could that she had been scammed, I insisted we go to the police to make a report.
By now, it was about 6:30, and I figured the money was long gone. I drove a very chagrined and embarrassed mom to the police station, where we talked to the officer on duty. He had some choice words for the cybercriminals and confirmed my suspicion that she had lost the amount she’d withdrawn, minus the money the machine didn’t take after it jammed. Oh, and that initial $20,000? It was never withdrawn in the first place. The scammers pulled a random number out of the air to get her to check the balance, telling her that even a smaller amount would still work for the chargeback effort. The only money they actually got was what she deposited in the bitcoin machine.
We also spoke to a department detective the next day, and he shared the report with the local FBI office. Will they catch these criminals? Probably not. But if Mom’s info helps to build a bigger case when they are caught someday, that’s something at least.
Cleaning up the colossal mess
Before I left for home that night, I took steps to protect Mom and Dad’s identities, since Mom said she’d given them all of her information. I:
- Put a credit freeze on their accounts on all three major credit bureaus
- Initiated fraud alerts with all three major credit bureaus
- Immediately canceled their ATM cards
- Added all their financial information and Mom’s email address (Dad doesn’t have email) to my fraud alert account. I use Aura for digital protection because I live and work online. It’s well worth the annual subscription, as it’s caught potential fraud several times since I started using it.
The next day, Mom and I went to the bank. Shout-out to the wonderful, caring staff at the bank where my parents have done their business for 56 years. They suspected something was up — they’re trained to spot fraud — but because Mom didn’t ask for help or offer any info when asked, their hands were tied. The bank manager even called her shortly after she withdrew the cash to ask if everything was okay, but because Mom was on her phone with the scammers, she missed the call. And because Mom willingly withdrew the money, the actual fraud department would not authorize any reimbursement of those stolen funds.
We had to:
- Open new checking and savings accounts (fortunately, the scammers didn’t get any additional money)
- Get new ATM cards and checks
- Identify which companies had direct deposit (pension and Social Security) and automatic EFTs for bill pay (insurance, utilities, car payment, etc.)
And then the phone calls. We called multiple businesses to update banking information. I took my parents to the Social Security office because the agency requires you to update your banking information in person. I also took their computer to the Geek Squad guys. The tech who ran the scans and installed a new ad pop-up extension (AdGuard AdBlocker) was irate (he has a 90-year-old grandmother) and did everything for free, bless him.
The moral of the story
The main factor convincing Mom of this scam’s legitimacy? The number of people involved. It wasn’t just one person but a team working in concert. She, of the usually suspicious mind, said everyone was incredibly solicitous, helpful, and patient. (Then again, if you’re working to scam someone out of money for a hefty payday, investing a few hours of your time for many thousands of dollars — and being nice about it — is probably not a heavy lift.)
Mom and Dad lost a chunk of money, but fortunately, they have a healthy rainy-day investment account. A quick call to their Primerica rep, and money to cover the bills arrived in the new checking account in under 48 hours. Other seniors who’ve been scammed aren’t so lucky.
The TL;DR? Tell your older loved ones to be suspicious of everything if they’re active online — either on their computers or smartphones. They should never, ever give out personal information over the phone. While it wasn’t part of this scam, they should never allow an external entity to take over their computer.  And the actual Microsoft company will never, ever send a pop-up on your computer screen saying it’s been hacked or infected.
I’m sorry the bank’s failsafes didn’t work. And yup, I’ve given the manager my cell phone number just in case, although I’m pretty sure this won’t happen to my parents again.
I hope it doesn’t happen to yours.
This personal finance story produced for TheStreet by Nifty 50+
