Scamming, skimming and financial fraud in WNC

KNOWING THE RISK: Scam artists are constantly finding new, ingenious ways to exploit security loopholes and gain access to consumers’ personal information, from installing “skimmers” (pictured above) on unmanned points of transaction to hacking into financial databases. In turn, law enforcement and cyber security experts encourage consumers to protect themselves by being vigilant in knowing how and where scammers strike. Photo courtesy of the Asheville Police Department

When it comes to financial matters, technology is a double-edged sword: Although it’s made it easier for us to purchase things and access our accounts, it’s extended those same benefits to scammers and thieves, giving them new ways to hijack people’s personal and financial information.

Asheville is no more immune from con artists and hackers than anywhere else, says cyber security expert Daniel McCauley, who co-founded the annual BSides Asheville information security conference.

“I don’t think we’re special, in the sense of not being a target for cybersecurity threats,” he says. “There’s a good startup scene, a lot of [software/IT] developers and graphic designers, but I’ve noticed — not by anyone’s fault — the lack of focus on the security side of things.”

As of last month, the Asheville Police Department had already received 145 reports of fraud this year, 38 of which involved credit cards. That’s more than half the total number of credit card fraud cases reported in 2015.

Today’s savvy scammers have a whole host of increasingly sophisticated techniques to quickly steal information and drain bank accounts. To combat these crimes, IT professionals, law enforcement personnel and government officials are encouraging consumers and businesses to remain vigilant at transaction points and take other steps to safeguard themselves from the threat of online hackers.

Shut out

Realizing that someone has co-opted your financial or personal information can come as a nasty shock. Asheville resident Wes Cordell says he regularly checks his bank accounts each week to stay on budget. But a few months back, he noticed “a huge disparity” in his checking account.

“About $500 was missing,” he recalls. “Sometimes I get off budget, but I actually hadn’t had time to get out as much as I normally do [that week].” Luckily, Cordell contacted his bank, the Telco Community Credit Union, immediately and was able to clear up the issue.

“They had my money back in my account before I could even get back to my office,” he says. “I left work in a panic, and not 30 minutes later, I was completely at ease. [They were] really helpful.”

Others have experienced more difficulty in clearing fraudulent activity, however. Asheville entrepreneur Benji Boessel says he found out that his information had been harvested when he received a Citibank debit card in the mail that he’d never signed up for. Boessel says he contacted Citibank to find out details about who may have accessed his account, but the bank was reluctant to divulge information. Even worse, the thief had set up his own security measures.

“I needed to answer the personal questions to get into the account, such as ‘What is your mother’s maiden name?’” he recalls. “How on earth would I know the hacker’s mother’s maiden name?”

After six additional calls to various Citibank departments, Boessel finally got the bogus account shut down. But while running a credit history report, available to consumers for free three times a year, he discovered another startling fact: “Someone opened a $15,000 credit card with Capitol One,” he reveals. “I called them — luckily there was no balance yet, so I shut down the account and reported it as fraud.”

After that, Boessel put a 90-day freeze on his credit file, to prevent outside access. But while the freeze is free, it’s temporary, and Boessel plans to reinstate it after the three months are up. “Why would I ever want my credit file open to creditors in the first place?” he asks. “It should always be frozen unless I unlock it to apply for credit myself.”

Shifting the risk

Browse online forums such as Reddit and you’ll probably find conversations alleging that a particular business was where someone had their financial information stolen. To a certain extent, says McCauley, they may be correct.

“I would not rule out particular locations in town that could have been compromised,” he says. “”Without further forensic network investigations, you cannot really rule that possibility out.”

But the specific ways that thieves can evade a business’s security measures have evolved dramatically in recent years. And though there are still instances of an unscrupulous bartender or server stealing payment information, they’re not as common as one might think, according to Detective Kyle Thiel of the Hendersonville Police Department.

Background 84A1151
LEARN FROM THE PROS: Cyber security expert Daniel McCauley co-founded the annual BSides Asheville information security conference to help local businesses and residents learn how to spot and prevent fraud. Photo courtesy of Daniel McCauley

Often, the problem is with the actual credit card reader or the database where financial information is stored. The recent introduction of EMV technology, which embeds a chip in the credit card, has made transactions more secure, says McCauley, but many businesses have been slow to adopt the system. And this despite the fact that as of last October, most merchants who haven’t made the switch are now liable in cases of fraud, under the terms of a “payment network liability shift” mandated by credit card companies. (For businesses with gas pumps, the deadline is October 2017.)

“You still see businesses without chip and PIN, or they have it but it’s not set up,” he notes. “As a company, you’re taking on liability. You acknowledge the risk, yet you haven’t activated the ability to mitigate that.” Business owners, he continues, “need to be proactive, educate themselves and pass that along to employees.”

Trouble at the pump

More recently, scammers have turned their attention to gas pumps and other unmanned points of transaction, says Thiel. Colloquially known as “skimming,” the procedure involves physically installing a device on the face of an ATM or gas pump that then collects and saves each user’s credit card information.

Criminals, the detective explains, “look for vulnerabilities. … They figure out what kind of system it is, [put the skimmer] over the actual card reader, and it looks the same.”

After a day or two, the thieves remove the device, harvest the data and sell it to counterfeiters who produce fake credit cards. The complex network behind these operations often makes it difficult for local and even federal authorities to track down the culprits.

“These groups — a lot of them — seem to be from out of state,” Thiel reveals. Hendersonville police recently released a public warning regarding the use of First Citizens Bank ATMs, which Thiel says are the latest to be targeted. “A few years back it was SunTrust, and a few years before that it was Wells Fargo. They find these banks they can latch onto and really hammer down on it.”

The many faces of fraud

Skimming may be an easy and popular way to steal information, but it’s only one of many methods criminals are using these days to hack databases or persuade you to give them sensitive personal information.

On July 1, the Asheville Citizen-Times reported on fraudsters posing as Duke Energy employees who tricked several local business owners into giving them financial information by threatening to cut off power to their businesses if they didn’t comply.

And that’s only the tip of the iceberg, says Celeste Collins, executive director of OnTrack WNC. Her organization recently hosted North Carolina Secretary of State Elaine Marshall and several other speakers at a regional summit on elder fraud.

If scammers “would just take this great creative energy and use it for good,” Collins points out, “what kind of world would we live in?”

A pamphlet released by the office of North Carolina Attorney General Roy Cooper, titled Scams & Fraud: Protect Yourself —Don’t Be A Target, outlines a dizzying variety of tricks employed by swindlers, ranging from phony emails offering great prizes to crooked contractors and even scammers pretending to be someone’s grandchild in distress.

Elaine Marshall, David Kirkman, Celeste Collins
MIND YOUR ELDERS: OnTrack Financial Services Executive Director Celeste Collins (right) notes that the elderly are often common targets for financial scammers due to their larger savings accounts and unfamiliarity with newer technology. Her organization recently hosted a regional summit on Elder Fraud featuring N.C. Secretary of State Elaine Marshall (left) and NC Special Deputy Attorney General David Kirkman (center) to discuss ways to protect the elderly from scammers. Photo courtesy of Celeste Collins

With comparatively fewer debts and larger savings accounts, the elderly are an inviting target, notes Collins, particularly because they may be less familiar with newer technology and are sometimes vulnerable due to cognitive decline associated with old age.

“One out of every four people who turn 78 will have early-onset dementia,” she notes, citing statistics from the National Consumer Law Center. Scammers, says Collins, “can obtain lists of people who’ve recently turned 78.”

In such cases, she maintains, it’s up to younger relatives and friends to make older folks aware of potential scams. “Older adults can get defensive if they’ve done something that’s not very wise,” adds Collins. Learning about the latest swindles and sharing that information with loved ones before a hustler strikes “helps them not feel singled out.”

Preventive measures

The sheer number and diversity of scams can make protecting yourself seem like an impossible task. But staying vigilant about how and where you access your financial information can help protect consumers and businesses alike, says Collins.

“Passwords on devices are huge,” she says. “Put a password on your device, and make sure it’s strong: ‘12345’ or, my favorite one, ‘letmein,’ don’t cut it.”

Don’t access your sensitive information on public networks like Starbucks, advises McCauley, who also stresses the value of keeping operating systems patched and up to date.
“That’s a very effective way to essentially reduce that your attack service surface,” he says. “Operating system updates and application updates are generally accessible via a web browser; it’s very rare that you need proprietary applications for web services anymore.”

And if a chip card reader isn’t available, Thiel advises residents to physically inspect the equipment first. If the card reader looks newer than the rest of the machine, is slightly off kilter or comes off when you pull on it, it’s probably a skimmer.

“We’ve encouraged the public to start tugging on the card readers a little bit before using them,” he explains. “I know a lot of us are in a hurry, but when you walk up to it, just take a look. Once you put [your card] in there and start entering your information, they’ve got it.”

Reclaiming your identity

For those who believe they’ve been the victim of credit card fraud or identity theft, the APD’s website ( offers step-by-step instructions and a variety of resources. Contacting your financial institution immediately freezes your account, protecting it from further fraudulent charges and beginning the process of reversing any purchases that have already occurred.

Some folks stop there, but Thiel says it’s also important to contact law enforcement. “It needs to be investigated. Once you get done talking to the bank, you should report it to the law enforcement agency in whatever juristiction you’re in.”

Still, the best way to prevent fraud in all its forms, most experts and law enforcement personnel agree, is simply to rely on common sense. “Some of us use our electronics so robotically,” notes Collins. “You have to do something to interrupt that pattern. If it sounds too good to be true, it probably is.”

For businesses, taking the time to modify the default settings on transaction programs and keeping technology up to date with the current patches is often enough to discourage most attacks, says McCauley. “An attacker’s going to take the path of least resistance for most non-targeted attacks. If you make it time-consuming enough, that alone will most likely dissuade them. They may have limited resources as well.”

KNOWLEDGE IS POWER: McCauley hopes that conferences like BSides Asheville, held this year from July 22-23 at Mojo Coworking in downtown, will continue to “bring current and relevant security discussion” to consumers and local businesses looking to protect themselves from fraud and theft. Photo courtesy BSides Asheville
KNOWLEDGE IS POWER: McCauley hopes that conferences like BSides Asheville, held this year from July 22-23 at Mojo Coworking in downtown, will continue to “bring current and relevant security discussion” to consumers and local businesses looking to protect themselves from fraud and theft. Photo courtesy BSides Asheville

Old habits die hard

In the wake of high-profile hacking activity, large corporations and online companies have beefed up digital security. But despite all the current risks, most consumers probably won’t drastically change their habits anytime soon, says McCauley. And while no one wants to be a target of identity theft, he continues, in most cases, it’s not devastating.

“It’s an inconvenience, but it’s very rare that their whole financial situation is wiped out because of this,” he reports. “They’re going to get a card reissued; they’re going to get those transactions reversed. It’s just time-consuming.”

Neither Cordell nor Boessel says he’s significantly changed his spending habits since being targeted by scammers. “You can’t walk around to every business that accepts cards wondering if your identity is going to be stolen,” Cordell maintains. “Just be smart about the way you spend, and make sure that card readers and ATMs aren’t compromised by inspecting them both visually and physically.”

McCauley, meanwhile, strongly encourages business owners and entrepreneurs who can’t afford to hire a full-time IT team to take advantage of such cyber security resources as the local conference he organizes each year. The next BSides Asheville event takes place Friday, July 22 until Saturday, July 23 at Mojo Coworking in downtown Asheville. More information is available at

“It’s gut-wrenchingly hard to stay secure using your own personal computer, let alone securing a business network,” McCauley maintains. “That’s what we’re trying to do with the BSides conferences: bring current and relevant security discussion to Asheville.”


Thanks for reading through to the end…

We share your inclination to get the whole story. For the past 25 years, Xpress has been committed to in-depth, balanced reporting about the greater Asheville area. We want everyone to have access to our stories. That’s a big part of why we've never charged for the paper or put up a paywall.

We’re pretty sure that you know journalism faces big challenges these days. Advertising no longer pays the whole cost. Media outlets around the country are asking their readers to chip in. Xpress needs help, too. We hope you’ll consider signing up to be a member of Xpress. For as little as $5 a month — the cost of a craft beer or kombucha — you can help keep local journalism strong. It only takes a moment.

About Max Hunt
Max Hunt grew up in South (New) Jersey and graduated from Warren Wilson College in 2011. History nerd; art geek; connoisseur of swimming holes, hot peppers, and plaid clothing. Follow me @J_MaxHunt

Before you comment

The comments section is here to provide a platform for civil dialogue on the issues we face together as a local community. Xpress is committed to offering this platform for all voices, but when the tone of the discussion gets nasty or strays off topic, we believe many people choose not to participate. Xpress editors are determined to moderate comments to ensure a constructive interchange is maintained. All comments judged not to be in keeping with the spirit of civil discourse will be removed and repeat violators will be banned. See here for our terms of service. Thank you for being part of this effort to promote respectful discussion.

One thought on “Scamming, skimming and financial fraud in WNC

  1. boatrocker

    Hah! What do you think of your Luddite friends who try to use only cash now?
    A great way not to get scammed is to never have any money, by the way.

Leave a Reply

To leave a reply you may Login with your Mountain Xpress account, connect socially or enter your name and e-mail. Your e-mail address will not be published. All fields are required.