Thank You for Hacking Me

Illustration: Cun Shi
(Originally published in the NY Times) Illustration by Cun Shi

I got hacked.

I say “I”; it was my email account, but it felt — feels still — deeply personal. It started on a Tuesday at exactly 7:20 a.m. E.S.T. I know because I received a text message at that time saying that my email password had just been changed. If I had made this change, I need not “take any action.” But if not, “click this link.”

I was bleary, jet-lag weary, having returned the night before from 10 days’ traveling in Europe, but I was quite sure I had changed nothing but my sheets since getting home. Right then, a message from a friend popped up on my Facebook page delivering the news that something was amiss: “Just received a strange email from you asking for money. Change your password.”

It was already too late.

I opened my Gmail account to find the inbox drained. The 9,187 emails I had the night before were gone. The green and red instant messaging lights had blinked out. My contact list of 800-plus names had vanished. Panicked, I tried writing an email to friends to ask what to do; no names popped up with auto-fill. My mouth went dry, my heart started racing. Then, a single email arrived in my inbox, the fraudulent one, forwarded by a friend:

“Hi,” the subject line read.

Am so sorry to bother you, I am in Limassol, Cyprus for a week andIjust misplaced my bag containing all my vital items, phone and money. I am stranded at the moment and may need a little help from you. Thanks Bill

I had received this same email two weeks before from a friend’s account (the only difference being his name) but had dismissed it instantly as fake; nothing about it sounded remotely like him. As I would later gather, this wasn’t necessarily so clear in my case. That I had been traveling in Europe — posting photos, sending emails from abroad — made this scenario, bizarre as it sounded, seem, if not probable, at least not impossible to some. The hackers had found someone well-suited to their con. Or had they?

“I could tell by the punctuation that it wasn’t from you,” one friend told me. (It’s true — I am punctilious even with text-messaging.) For another, the tip-off was the stilted phrase “my vital items.” For others, it was the sign-off — Bill, while they know me as Billy.

But many were not 100 percent sure. I received a wave of concerned messages and phone calls: an elderly aunt, a cousin, childhood friends, my next-door neighbor from when I lived in San Francisco, former employers and co-workers, New York friends, people I’d met in Iceland last year and in Italy just days before — an unrelated but loosely connected network from all over the globe, a real-life social networking map — all checking in to make sure the Billy they knew or had known once wasn’t the Billy now stuck in Limassol. I even heard from a college roommate, the uber-straight Jack Klugman to my Tony Randall:

“Give me a phone call if you really are stranded in Cyprus. But you better know some single girls.”

A number responded directly to the first email, thinking it was me, and got this reply:

i’ve been to the embassy and was issued a temporary passport. I just need to borrow about €950. Western Union transfer is the fastest option to wire funds. See details needed for transfer below.

Some went on to test the hackers with questions that only the real me would know. “What member of our college drama department faculty did Kate date?” asked one.

No reply came: proof that identity thieves can be thwarted with details arising from friendship alone. Who needs one of those scrambled letter codes?

Twenty-four hours passed with no serious repercussions, then another 12. By that point, I had pretty much straightened things out — changed my passwords and security settings, disabled the phony Yahoo account the thief had created under my name, recovered my emails, restored my contact list, reported the fraud, and sent emails to close friends I hadn’t heard from to warn them to ignore any requests from me for money. It would all blow over, I told myself. And then late that night, I got a phone call.

“Billy?!” a voice called; it was someone with whom I’m acquainted professionally but not terribly close. He sounded upset. “Are you O.K.?”

“Yes, I’m O.K. — ”

“ — But did you get the money?”

“Oh, Kevin, no.” I paused. “You didn’t wire someone money, did — ”

“ — Yes: $700, Western Union, like you instructed, and I was just about to send the other $500 you asked for.”

In a rush of words I tried to explain that this was a scam, awkwardly trying to reassure Kevin how much I appreciated what he had done to help — truly at his own expense. He is not someone who can afford to just give away $700.

There was a long silence. Then Kevin managed to laugh. “I was completely duped; it all seemed plausible up until you thanked me for wiring the money. You didn’t sound — ” he was searching for the word.

“Grateful?”

“Yeah, grateful. You just asked when I would send the rest. That’s when I suspected it couldn’t be you.”

Nothing could be done to recover his money; it had already been picked up on the other side of the world. I spent a sleepless night worrying about who else might have been duped, who else I might hear from, and kicking myself for not having done more. I had been lax about the security settings on my account and hadn’t changed my simple account password in years.

Kevin and I met up the next day. I repaid half the amount he’d wired to “rescue” me; he insisted he was partly responsible and would not accept more. Walking home alone afterward, I thought for the first time about the identity of the hacker. What did this person think as he or she responded to my friends’ messages of genuine concern? Did it seem funny? Was there any sense of guilt at all? Or did the hacker happily pocket the dough and feel a flush of excitement for having conned someone, and then move on to the next victim?

Hold on, I thought, stopping in the middle of the sidewalk to talk to myself: I refuse to feel victimized by this. It has been a huge hassle, and frightening, but there is a consolation here: the knowledge that my “vital items” definitely are not missing and never were. What is truly vital, and what I hope never to lose, are friends who would come to my aid at a moment’s notice. As I would to theirs.

Recent Essays

Essay Archives