Art shop falls victim to hacker

What started as a phone call to a bank last month to report suspected fraudulent charges soon led the owner of a Springfield art shop to fall prey to a hacker, leading to a loss of roughly $16,000.

It’s been a rough few weeks for The Local Bevy LLC owner Andrea Petersburg, who said the hacker pretending to be a U.S. Bank representative transferred most of the funds out of her business account following a series of scam phone calls over the first few days of April. While Petersburg has filed a police report, she said the thief’s identity is yet to be determined.

“It’s a lot of money. My business bank account had less than $200 in it,” she said. “I mean, he wiped me clean.”

Petersburg said she isn’t sure why she was targeted by the hacker but suspects an online purchase she made on a website using her business debit card might have put her on his radar.

“It’s awful, and it’s a horrible learning experience. So now I am in the middle of trying to get my money back from the bank,” she said.

According to the FBI, phishing scams have several variations, such as vishing, which happen over the phone and are designed to trick victims to give criminals access to information they shouldn’t have. In Petersburg’s case, it was her debit card account information, which the hacker accessed after she provided a security code she received on her phone. She said the hacker represented himself as a member of the bank’s fraud department.

After divulging she’d been hacked on The Local Bevy Facebook page, Petersburg said she had customers and even a couple of undisclosed businesses reach out for support.

“I’ve had many, many, many individuals come into the store and tell me their stories about how they’ve been scammed and hacked,” she said.

The shop at 617 S. Pickwick Ave. in the Rountree neighborhood is far from the only business to fall victim to cybercrime.

The FBI’s Internet Crime Complaint Center 2023 annual report noted the cost of reported cybercrime in the U.S. jumped 22% last year to over $12.5 billion. The center received a record 880,418 complaints in 2023, up roughly 10% from the previous year.

Investment fraud, business email compromise and technical/customer support and government impersonation scams were the top three costliest crimes tracked by the agency. The tech and government impersonation scams alone had nearly 52,000 victims losing a total of more than $1.3 billion.

‘Heart just dropped’
When she initially contacted the U.S. Bank fraud department, Petersburg said she noted a couple of small fraudulent charges – roughly under $100 – on the business debit card, which she’s used since opening her shop in 2020. The bank removed the charges and said they would issue a new debit card.

A few days later, Petersburg received a call from what she thought was the bank fraud department again, alerting her to additional fraudulent activity on the card. She later learned it was the hacker.

“Here I’m thinking that they’re helping me. I go, ‘Yes, I have had some issues,’” she said.

Petersburg suspects the hacker had software that mimicked the bank number, as it was consistent with what she previously called.

“He sounded like he was going to help me. I was expressing concerns to him, and he was assuring me that everything would be fine,” Petersburg said, adding she shared a security code that came in the same text thread she has previously received from the bank. “There were no red flags until the end, whenever he said that his supervisor was at a conference and that he had to call me back so that his supervisor could be on the line during the call.”

The call was in the evening, and Petersburg said she found it odd that a supervisor would be at a conference at dinnertime.

She then called the bank fraud department in the hopes they could clear up her confusion. She expected the bank representative on the other line would have notes from the call.

“And she goes, ‘I don’t see anything.’ My heart just dropped,” Petersburg said. “That’s when I knew that I had been talking to the hacker.”

Caution ahead
Chris Kays, owner of F1 Computing Solutions LLC, said his four-employee company has offered cybersecurity services since around 2012 when it became a managed services provider. He estimated close to 80% of his company’s business involves cybersecurity work, up from roughly 25% in 2012. 

Kays said hackers target small businesses because they figure the companies don’t have money to implement cybersecurity protections such as firewalls, antivirus software and encryption tools. Artificial intelligence is only increasing the arsenal in the criminals’ toolbelt, he said.

“That’s going to be a challenge for any business, and it’s going to be hard for small businesses,” he said. “Small businesses, they can’t handle this themself. There’s no way. You have to have an outside MSP that has a good vendor.”

Tyler Stilley, virtual chief information security officer at Pearson-Kelly Technology, said his company has implemented cybersecurity as part of its managed information technology services for around six years.

“Just day in and day out today, it’s almost become extremely common to see that another business has been hit. We’ve almost gotten a bit desensitized to it,” he said.

Some of the more high-profile national victims of cyberattack and breaches in the past year include T-Mobile US Inc. (Nasdaq: TMUS) and casino giants MGM Resorts International (NYSE: MGM) and Caesars Entertainment Inc. (Nasdaq: CZR).

“It usually starts and ends with the individual, the person behind the keyboard,” Stilley said. “The problem that we have is that security is still often seen as a bit of an inconvenience or a barrier, and that creates some challenges whenever it comes to actually trying to get businesses to adopt security from a holistic perspective.”

While declining to disclose any of Pearson-Kelly’s clients, Stilley said his company tries to address cybersecurity concerns from a leadership level to get buy-in from the organization.

Kays said while pricing varies, most businesses could invest $1,200-$1,500 for a firewall and a $600-$800 annual software subscription. Cloud backup services would be around $100 per month.

“Cybersecurity and technology need to be at the company’s forefront. That needs to be one of the first things they think of these days,” he said. “Businesses have to look at how much is your business and data worth to you, basically.”

Both Kays and Stilley say training employees on cybersecurity awareness is vital. That’s where an MSP comes into play, Kays said.

“Training their employees on email, how to look for spam emails, phishing emails– that’s a big, big security issue is when somebody clicks on something that’s going to allow something through,” Kays said. “It’s hard to stop it if somebody clicks on something.”

Stilley said having multifactor authentication, a multistep account login process that forces users to enter more information beyond a password, is another valuable defense.

Next steps
At The Local Bevy, it’s mostly back to business as usual for Petersburg. One notable exception is she’s no longer using debit cards – business or personal. She no longer trusts them, and will now only pay with cash or credit cards. According to the Electronic Funds Transfer Act, which protects consumers when they transfer funds electronically using debit cards, the cardholders’ potential liability for fraudulent transactions is virtually unlimited.

While she filed paperwork with the bank for reimbursement soon after the theft was discovered, the claim was denied as officials said it was missing pertinent information such as Petersburg’s police report number and a signed claim form.

“As far as getting denied right away, it doesn’t make me happy to hear it. But if they don’t have the information they need, I can see why,” Petersburg said, adding she’s seeking to have her claim reopened for review. “So how long will this take? I have no idea.”

Petersburg said bank officials haven’t given her any promises she’ll ever see any of the money the hacker stole. Still, she said she won’t give up.

“I’m still fighting and still going to do what I can to get the money back,” she said. “That’s the really sad reality of it. Not everybody does get their money back.”