Delivery alert

There may be an issue with the delivery of your newspaper. This alert will expire at NaN. Click here for more info.

Recover password

BBB chief falls prey to intrusion

“It was a rough day.”

That’s how Brian Baca describes the day in early November when he, of all people, fell for a scam.

Baca is the president of the regional Better Business Bureau, the organization dedicated to smoking out scamsters and protecting consumers. Its motto: “Start With Trust.”

He was willing to talk about what happened to him in hopes others can learn about the sophisticated, very creepy intrusion into his life and to perhaps prevent it from happening to others.

“Everyone needs to be aware all the time,” Baca said during a recent interview. “You have to be diligent … looking out for this every day.”

The scam that took Baca is a bit complicated – “this blew me away,” one BBB expert said – but there are lots of lessons to be learned, so bear with me.

BACA: “It does seem the scammers are one step ahead.”

BACA: “It does seem the scammers are one step ahead.”

The backdrop is that Baca was in the midst of closing on a Farmington building the BBB was donating to Big Brothers Big Sisters. There were lots of emails back and forth between the two organizations, so Baca didn’t think twice about one from the Big Brothers email address that was titled “Kindly Review The Attached Document.”

When he clicked to open it, it was blank, but he was then prompted to provide his Google email username and password. He complied.

Big mistake.

The email was bogus. Because Baca had provided his Google log-on information, the hackers were able to get into his email account. Once there, they immediately started sending identical bogus emails to all of the BBB chief’s contacts – thousands of them because they included anyone Baca had ever emailed. Even his mother got one.

Those fraudulent emails that went out under his name had the same “Kindly Review” subject line and asked the recipient to do as Baca was told: click on the document and then provide Google email credentials.

The point of the scam was to get inside as many emails as possible – very quickly – and to steal personal information such as bank account numbers, Social Security identification, etc.

Now, here’s the devious part. The hack was designed with several elements to keep Baca in the dark about the emails emanating from his account. First, those emails were signed with Baca’s usual auto-signature – name, title and all contact info. However, the phone numbers had been altered. So anyone trying to call Baca about the email would get a wrong number.

Second, the hacker had set up filters so that all responding emails with the same “Kindly Review The Attached Document” subject line would go directly to Baca’s trash. Same for subject lines like “scam” or “hacked,” just in case one of his contacts suspected something amiss and sent an email asking him if he’d been hacked.

This set-up was to ensure the hacker had time to send out the fake mass emails and then perform a scan to find personal information. And that can take just minutes.

Fortunately for Baca, his assistant, Connie Quillen, caught on rather quickly and dashed to his trash file. There, she and Baca could see in real time the hacker sending out the phony emails.

The day was rough because he and Quillen spent the rest of it emailing all of his contacts to tell them to delete the bad email, to change their passwords and to run a virus scan. Because Baca doesn’t have a handy contact list on his computer, they had to go through distribution lists and try to recover the names of people who were targeted so they could be warned.

So, here are some of the lessons learned, courtesy of the Better Business Bureau:

  • Your email is not where you should store information, Quillen said. This means not having any personal information in your computer for hackers to peruse.
  • If you do need to send out personal information, make a copy of it if you need to keep a record and then hit the delete button. Next, go to your trash, and delete the information from there.
  • Don’t let your guard down and give out your logon information, even if an email seems to be coming from someone you know.

At the end of the ordeal, Baca said he felt most sorry for all the others who were were targeted.

“I felt bad for all the people who got the emails,” he said. “It does seem the scammers are one step ahead.”

Ellen Marks is assistant business editor at the Albuquerque Journal. Contact her at or 505-823-3842 if you are aware of what sounds like a scam. To report a scam to law enforcement, contact the New Mexico Consumer Protection Division toll-free at 1-800-678-1508.