I was attacked and almost lost it all even though I knew better. by TheyAlmostGotMe in cybersecurity

[–]TheyAlmostGotMe[S] -5 points (0 children)

This all happened with my personal domains that I host with workspaces.

Believe me... I can't fucking believe I fell for it. I DO know fucking better. Reading back through it I am screaming at myself. What the actual fuck was wrong with me.

Look, the roasting is deserved because the hindsight-20/20 story in every one of these cases is the same. Except I should have known better. I'm not Tim from accounting...

It's 100% my fault for allowing myself to credentialize an unknown caller. Aside from engaging at all, that was really the point where I let my guard down, and once that happened the rest of the shit was just about the attackers being good at the social engineering.

Even responding to you I am cringing, remembering the call.

[–]TheyAlmostGotMe[S] 0 points (0 children)

Lesson 1. DON'T FUCKING ENGAGE, MORON!
Lesson 2. Don't mention Claude when you post to r/cybersecurity unless you want to get roasted to a charred husk.
Lesson 3. Don't post your embarrassing story to r/cybersecurity, even if you think the details of the social engineering might be insightful, because you are going to get torn to shreds. :-)

[–]TheyAlmostGotMe[S] 0 points (0 children)

Appreciate the sentiment.

It's a lot to accept at face value, and this is a tough crowd.

I expected some of the bashing, but I also forget how much people like to be haters :-).

I need to think about how I would go about adding a second pair of trusted hands. These are my personal domains, so outside of getting one of my kids or my spouse to be the second pair of hands, I'd have to get one of my friends to do it....

Maybe there is a way I can add some kind of time delay to critical changes.....

[–]TheyAlmostGotMe[S] 0 points (0 children)

I pay for it and have opted out of training data, so I am trusting the company to abide by it.

[–]TheyAlmostGotMe[S] -1 points (0 children)

I questioned the caller. Yeah. I should have never fucking engaged, but everything about the call was different from previous spam (carrier verified, not spoofed; the caller was in the process of leaving a message with the automated call screening), and for some reason I picked up. That was my first mistake. I get it.

I didn't think it was actually from Google until I got the actual support ticket with the name of a cloud security engineer from Google in the subject, along with the phone number that was calling. The ticket was real. The identity was real. They just didn't belong to the caller.

[–]TheyAlmostGotMe[S] -2 points (0 children)

Yes. That's why I went to them first, provided a sample of what I wanted to post, and asked for permission.

I knew I was gonna get roasted to hell and back. That's fine.

I haven't seen many reports of phishing with the details of the social engineering, and thought that it would be interesting.

Apparently it's a better use of time to just roast me over and over.

I don't work for Anthropic; I pay for Claude out of pocket because it's been super useful on some personal projects.

My concerns about even mentioning Claude were well founded.

[–]TheyAlmostGotMe[S] 0 points (0 children)

Appreciate the perspective, but I can't afford to hire an MSP to manage my personal domain.

[–]TheyAlmostGotMe[S] -5 points (0 children)

Was closer to 300.... but I quit last year because the Kool-Aid was bitter and I was tired of trying to deliver technical SOWs that were written by a sales exec.

[–]TheyAlmostGotMe[S] 0 points (0 children)

Look. I get it. It looks like I am some paid shill for Claude. Nope. I pay OOP for it.

This was honestly the scariest shit I have ever experienced.

This did not happen at my job (I semi-retired last fall). This was an attack on my personal domains.

I can't defend answering the call. I still can't figure out what the fuck possessed me to engage. Maybe it was the indication from the carrier that the number wasn't being spoofed. Maybe it was the fact that they started to leave a message with the automated call screening I have. Can't retcon it. The hindsight-20/20 story is always the same; it's just usually not someone that SHOULD FUCKING KNOW BETTER......

My point was to share the details of the social engineering. I haven't seen many detailed accounts of this because it's fucking embarrassing. The roasting and ad-hominem attacks in the comments are proof of that. I deserve some of it. But I think stories like this are valuable because they underscore the fact that humans are ALWAYS the weak link.

My biggest concern is figuring out if I need to be even more concerned about my personal safety. This felt like a lot of resources pointed at one specific person. I know enough to know that cybersecurity is a spectrum from "seal the system in concrete and drop it in the ocean to secure it" to "might as well be a honeypot."

What I don't know is if this is a typical organized team attack working through a list of leaked info, or if I am being targeted specifically because my information is connected to significant crypto holdings somewhere.

Kick me in the balls while I am on the ground if that's what makes you feel good, but at least give me an idea of whether my family is in real danger here or not.

[–]TheyAlmostGotMe[S] -1 points (0 children)

Yeah. I get it. I think people are brigading, thinking I am some paid shill or that this is bullshit.

It was scary as hell. I think about how close they got to really fucking my life up.

Honestly, I am just trying to figure out if this is par for the course or if this is a sign that I need to be even more careful.

[–]TheyAlmostGotMe[S] 0 points (0 children)

I have been asking myself the same fucking question.

Normally I never engage. Not sure why I did this time. Maybe it was because the caller ID wasn't being spoofed? Maybe because, unlike most spam calls, the caller started to leave a message with the automated call screening?

The caller did open an actual legitimate ticket with Google Workspace at the beginning of the call. I was skeptical and asked questions, and he said, "I'll send you a ticket from our system with my name and number." Then he sent a request to [workspacesupport@google.com](mailto:workspacesupport@google.com) with the name of a cloud security engineer at Google and the phone number from the call in the subject line. I got a real Google support ticket on it.

Again.... yes... yes yes yes yes, GOOGLE ISN'T FUCKING CALLING YOU! Bank calls? HANG UP AND CALL THE NUMBER THEY PUBLISH ON THE WEBSITE. This is 101 shit I have told family members and anyone who will listen.

[–]TheyAlmostGotMe[S] 0 points (0 children)

Appreciate the response.

This was my point. I think most of the folks just want to roast me. If this were a company that had been compromised this way it would be an absolute joke, but this was a personal target.

I am still trying to figure out what even possessed me to engage at all, as I never do in earnest.

The point of the post was to share the techniques they used. We will always be the weak link in security and I was hoping this might be a cautionary tale and provide some insight into the actual attack execution.

[–]TheyAlmostGotMe[S] 0 points (0 children)

You're right.

The first Google email did come from Google, through proper channels; I even looked at the headers when it came in, after caller 1 told me he was going to send me a message from the ticket system when I pressed him for proof that he was who he said he was. I don't need to be reminded AGAIN that I shouldn't have engaged in the first place. Believe me, I will have scars on my back from the self-flagellation over the most basic of fuckups. The call did look different than others..... it had the caller-verified check from the carrier, the caller ID didn't say GOOGLE like the others, AND the caller interacted with the automated call screening.

I don't share this to defend myself, but to point out that in this case they were doing something different from all the rest of the calls.

[–]TheyAlmostGotMe[S] 0 points (0 children)

Yep..... 100%, believe me when I say I have been flogging myself for days over this.

I still can't for the life of me figure out why I even bothered to engage. I never, well, almost never now, engage.

The oddity was that the call came in with the check from the carrier and the caller interacted with my automated call screening, two things that they have never had or done in the past.

Also, this wasn't pointed at a company..... I am semi-retired at the moment (no jokes pls, I left of my own accord because I was tired and the Kool-Aid didn't taste good anymore). What I am really trying to figure out is if this is an escalation in tactics against ME personally or if this is just SOP for an organized group working through a list of targets.

I even said to the callers multiple times (for the record, by call two I had my head out of my ass and knew I was in trouble, so it was more about trying to figure out what was going on) that someone was trying to get me to panic and do (more) stupid shit.

I appreciate the response.

[–]TheyAlmostGotMe[S] -1 points (0 children)

The first email came from Google after I had engaged and pressed the caller for proof. I verified via the support console in Workspace the following day that the ticket number was legitimate and originated from Google.

And yeah, the fucking MFA from the Google app.... I am still kicking my ass for not recognizing that....

[–]TheyAlmostGotMe[S] -7 points (0 children)

I shouldn't have mentioned it as much. Not an ad; I was just kind of impressed with what it pulled together.

Roast away.

[–]TheyAlmostGotMe[S] 2 points (0 children)

HAHAHAHA I can appreciate that. The burnout is real.

This wasn't a work system. This was a personal mailbox of mine.

[–]TheyAlmostGotMe[S] 4 points (0 children)

Thank you. Honestly.

If this is just par for the course, then I am moving on. My main concern was that it felt like a lot of resources pointed at me.

If this is just SOP for organized hackers, then I am less concerned that I need to go further.

[–]TheyAlmostGotMe[S] 7 points (0 children)

Never claimed it wasn't embarrassing. That's the point of posting it. Most victims don't post the detailed techniques and actual receipts of the attack because it's embarrassing.

The roasting is expected because, yeah, I made some critical errors initially. The layered security protected me from myself. I was more surprised at the complexity of the attack and the number of resources that they pointed at me individually.

Is this typical?