Hacker Attacker: The Full-Time Job No One Prepares You For
Does getting a text message to validate your identity when making an online transaction boost your sense of security? If so, you have surely been duped. I know from experience. This is my story.
On March 19, 2021 I got a full-time job without applying. I was sought out for the position having no experience. In fact, the role was not just outside my wheelhouse, it was miles from it. I received no tutorial or training, thus becoming an autodidact at the worst job of my life—a hacker attacker—after my identity was stolen. To make matters worse, I received neither a salary nor benefits.
Forced into this burdensome role, I was unprepared for what it entailed—namely a feverous pursuit to reverse everything accomplished by an anonymous crook whose sole initiative was to slowly eat away at and destroy me, like a ravenous worm in a bucket of overripe peaches. I envisioned the predator as an itinerant mole, living an incognito existence of revolving residences and working for a squad of conspirators situated in some banal, clandestine office in Mumbai or Bucharest.
I dropped everything to focus solely on this leviathan task, which became increasingly onerous and complicated as time passed. My inbox overflowed and my to-do list grew exponentially despite performing my work as tactically as possible, hurdling over newly erected road blocks along the way, just to add to the already overwhelming disruptions from COVID-19.
Surprisingly, the most significant complication didn’t arise unexpectedly; I arranged for it to take place the morning prior to my first day “on the job.” I was an outpatient at Hospital for Special Surgery in Manhattan, where two invasive procedures left me entirely off my right foot for seven weeks. I spent my initial 12-day recovery at my partner’s apartment, cocooned in a leg cast the size of Montana.
Where was everyone? Doped up on Percocet and instructed to elevate my leg above my heart 80 percent of the time, not one family member or friend called to check in on me—until I realized I wasn’t able to receive any incoming cell phone calls or texts. By evening, Verizon claimed to have “fixed” the problem, but the following morning, my outgoing calls were blocked as well, with the exception of Verizon support, which culminated in a five-hour painstaking call to action.
The first of multiple customer service representatives vehemently insisted I owned a flip phone—something I’ve never possessed in my life. It turned out that the hacker had successfully taken ownership of my cell number, diverting all my communications to her flip phone. I’ll soon explain how I came to know the hacker’s gender. Texts intended for me were routed to her phone while anyone who called me got a recording indicating my mailbox was full. She was able to steal my identity by contacting financial institutions whose representatives, intending to verify me, sent a text message routed to her. The thought of anyone controlling my phone knotted every muscle in my body barring my right leg, which was anesthetized by a post-surgery, 48-hour nerve block.
Verizon insisted that the only way to recover my mobile number was to visit one of its branches with a photo ID and prove my identity. But that wasn’t an option—just crossing the room required a feat of endurance. “Can I get someone to go on my behalf?” I pleaded. “No” was the belligerent reply. “That’s our policy.” My confidence waned like a slow movie fade out. I dug my heels in (make that, heel) and repeatedly asked to be escalated, forcing me to reiterate my story like an actor memorizing his lines. With some so-called supervisors, I harangued; with others, I begged. Irrespective, I received not a modicum of sympathy.
My attempts were as futile as my undertaking, like when I was 3 years old trying to dig a hole in the sand straight through to China with my pink plastic shovel. Yeah, I’d show those laughing grown-ups. I was breathing failure. Steeped in dismay and rage, my only option was to plunge into a lie. “Listen,” I said, “I’m alone. I need to reach my doctor and my pharmacist or I’ll die”—(deep breath)—“and if not,” I threatened, “I’ll switch to AT&T.” I was convinced that the AT&T part, not the dying part, worked.
Finally, the representative instructed me to remove the SIM card from my cell phone and recite its 20-digit code. By 7 p.m.—five hours later—I regained the use of my phone number, just about when Harry returned home from work. Exhausted, heart in mouth, I lost it. The words, “I CAN’T TAKE IT ANYMORE” spilled from my gut. Harry, being a COVID doctor with his own set of stresses, looked at me as if it were just another day, which only heightened my enraged state.
I was relieved to reclaim use of my mobile phone but was unprepared for the approaching apocalypse—my descent into hacking hell, the full-time “job” that dominated my life. I could neither quit nor resign. I was stuck. Wasn’t it enough that every activity, from replacing a dried-up ballpoint pen to emerging from the tub with one leg ensconced in a plastic bag, seemed Herculean?
The hacking burst open a floodgate of emails, letters and phone calls alerting me to compromised accounts—many I had forgotten about—like that retail card I opened four years ago offering a first-time deal on hot sauce? I knew the hacker was solely motivated by money, yet I felt like she was gaslighting me. My daily incidents log grew to lengths too long to include, so relax, reader, you get the SparkNotes version.
In those twelve days sequestered in Harry’s apartment, I was alerted to the following compromised accounts:
- Retail bank (checking and savings)
- ATM card
- Bank-linked Mastercard
- Multiple brokerage accounts
- Investment accounts
The list was enough to occupy me for days. Prior to surgery, I hauled heaps of work files to Harry’s apartment along with books and magazines for pleasure reading, anticipating ample down time. They remained untouched. I toiled days and evenings “on the job” trying to put out fires while the hacker continued to lunge and attack like a feral cat in heat. I was running on a treadmill, getting nowhere.
The hacking elicited a heightened alertness in me, like a beagle before an impending storm. Hypersensitive and skittery, I suspected lurking danger behind every phone ring or text alert, irritating like steel wool in my underwear and only exacerbating the jingle and clatter of my racing mind. Hold music from credit card companies mercilessly played in my head. By day 12, in need of a reprieve from the confines of indoors, I took my first spin around the block with a knee scooter, seeking any hints of spring, but winter had yet to bid farewell.
I learned that the criminal was a “she” when a Fidelity Investments representative called me with a recording of the hacker’s voice, in the event I might recognize it. While I could think of no one cruel or angry enough to hack me, I was curious. The voice resembled a woman in her 20’s with no distinguishable accent, although she mispronounced my name as “Sherry.” I drank in her words and stored them. She had called to check on her attempted wire transfer and in a self-assured, smug manner, claimed she was “out walking the dogs.”
On day 13, my surgeon removed my weighty cast along with the stitches. I coined my right extremity, “Frankenfoot” in its black and blue railroad state. The swollen extremity extended from my atrophied leg like a foreign object. The cast was replaced with a less heavy boot, but I was still prohibited from putting any weight on my foot for an additional month. By now I could knee-scoot 12 blocks from Harry’s place to mine, where my snail mailbox was stuffed with letters warning me of “security concerns” and “irregular transactions.” Why would financial institutions resort to snail mail in this situation?
I was in a boxing match, but she kept bouncing back, like Muhammad Ali or a Weeble. It’s been said that a weighty life is an interesting life. Yet her atrocities became too heavy a weight to bear. From now on, I decided, just give me easy and mundane.
The volcano of hacks continued to spew adding to the growing list: two Visa credit cards, four bank-linked store credit cards, an old AOL email account—unused in over a decade—digital payee accounts, and my Facebook account, where I’m a voyeur and never post anything. Her attempted kaleidoscope of shenanigans included wire transfers, new accounts, credit card applications, changing existing account information, adding new users, charging purchases and ordering gift cards. She was so persistent and thorough I would have hired her myself.
I spent mornings and afternoons contacting fraud departments and credit agencies, scooting from one room to the next, then off to Harry’s in the evenings where, perpetually on hold and with earphones like a vice screwed onto my head, I prepared dinner, hopping around on one foot.
What’s so frustrating is that I’m responsible. Many believe being hacked is a concomitant of irresponsibility or sloppiness, but I now know that’s not the case. Friends and family asked me how I was hacked, but I hadn’t a clue. My phone was never out of my sight with the exception of the hospital, secure with my few belongings, leading me to ask the hospital security if its network had been hacked. They told me it hadn’t. I shred old documents, I never leave receipts around and rarely misplace credit cards. So why me? Being responsible, I now know, is hardly enough.
I felt beyond vulnerable and teetering on a precipice. Humbled and powerless, she bit me constantly, like mosquitoes to human ankles. Fixated on an unopened bottle of tequila in my pantry, I feared an onset of dipsomania, but I forced myself to focus on the bright side – the hacker had yet to pilfer one cent from me.
All of my accounts (barring American Express) were hacked only once, but my Citibank accounts were repeatedly hacked, in fact, three times within four weeks—likely because of my false sense of entitlement. As a Citi client for over 30 years, I wanted to maintain a level of loyalty the bank had ostensibly owed me. I emphasized that I didn’t want to be treated like any new customer. I wanted clout, damn it! So, Citi opened new accounts linked to my previous ones—a big mistake. It wasn’t until the third attempt, with fresh accounts, that I was out of the woods.
During that process, it didn’t suffice to merely change my username, password and pin. I was also required to change my security questions. Sure, easy enough. But when the banker, with detached expression, told me I couldn’t change the questions, only the answers, I didn’t know whether to laugh or cry. “How many maiden names does your mother have?” I asked, astounded with the absurdity of it all. Not only did I have to assign my deceased mother and my elementary school with false names, I had to remember them. And I had to reassign my checking account information with every creditor (utilities, maintenance, credit cards, etc.) repeatedly.
Over two months passed, and I’m balancing my checkbook—a seemingly simple task for anyone who passed grammar school math. But not this time. I received four checking and savings account statements with mismatched dates and contradicting debits and credits. After assiduously rebalancing, $40 had disappeared—poof, like an aging dandelion, requiring three lengthy calls to retrieve it.
One of my clients, meanwhile, wired payment to my original checking account, which presumably was closed. So why wasn’t the payment redirected to my new account or sent back to my client’s bank? The funds were lost in a black hole only to eventually turn up in my old checking account that I was restricted from accessing. Why would the bank accept the money but not let me withdraw it? Was this the roach motel? “Can’t you just move the funds into my (emphasis on fourth) new account?” I suggested. “No, you have to come into the bank to prove your identity.” I asked what happens to clients out of town. There was no reply.
Another client pays me through Payoneer, a digital commerce platform. But I couldn’t update my bank account information, as Payoneer didn’t recognize my email address. The hacker changed my email to hers in an attempt to redirect payments. Payoneer insisted I email copies of my passport and utility bill. After what I had been through, that was not about to happen. My only option was to set up a new account. My payments were now overdue by four months.
Throughout this debacle, I continuously updated an online FBI report when privy to new (typically conflicting) information, be it names, phone numbers, emails or physical addresses (from California to Ontario)—each tidbit a paroxysm of discovery leading to nowhere. My credit reports listed employers I didn’t recognize. I wished I could stovepipe my findings to the highest-ranking official or get a designated detective on the case. By law, U.S. law enforcement agencies can track people’s movements from their mobile phone signals upon obtaining a court order. But how could I get one? The FBI wouldn’t let me speak with an agent and New York City police, amid COVID, surging crime and a mayoral election, had bigger axes to grind.
By now, every transaction I make requires a multi-factor authentication (MFA). But MFA, as I have learned the hard way, only works when it’s four- or five-factor authentication, which can become a maze of locked doors on either end. With one vendor, I went from text to voicemail to email to security question, around and around, but I couldn’t escape. I was convinced it was a test of my sanity, generating wasted efforts, like flopping around in a pool and not knowing how to swim.
It’s been over five months, and I’m getting an inordinate amount of call and text fraud alerts. The caller recognition on my phone frequently displays names of people deliberately intending to lure me into answering. Typically, I know better than to give in to temptation, but at times the bait is too enticing. One day it’s Frank Rich, the next it’s Michael Fassbender. My hand quivers, but pure grit convinces me not to cave.
I’m still trying to remove myriad late-fees, bounced-check fees and interest charges from credit card companies that are unable to withdraw funds from my defunct checking accounts. Even though I’ve updated my account information, there were oftentimes system delays. One credit card company required a notarized bank letter proving the hacking in order to remove a late fee, which was no easy task, as such a letter required multiple approvals from compliance to legal. Two months later, I received the letter reporting “possible fraud.” I requested deletion of the word “possible,” to no avail.
I wish I had a lesson or words of wisdom to relay, but I’ve nothing foolproof or concrete. Even the responsible are victims. I do believe that having more credit cards and using one’s phone more in public Wi-Fi hotspots can increase vulnerability to hacking. Live and learn.
While I am now comfortably walking, I’ve heard it could take a year for the swelling in my foot to subside. By then, maybe I can retire from this “job.”