
EP 52 - Grandma’s Wishing Nobody’s Phishing

E52 · Chris Deals With It

Today’s question:

My mother-in-law recently reacted to a shady text message that was a clear phishing attempt. We cancelled her credit card in time, but I worry this won’t be the last time, because she’s not great with tech. Do you have any advice on how I can help her better recognize and understand these threats, while also limiting her exposure to them?

For more info and to download a free PDF of today's episode notes, visit: www.chriskreuter.com/CDWI

Join the Kreuter Studios mailing list: https://mailchi.mp/810367311f3d/ksbulletin

Transcript

Bridging the Gap to Your Future

00:00:15
Speaker
Chris'll Deal With It focuses on bridging the gap between where you're at now and where you'd like to be. We'll explore wisdom and techniques from a wide variety of domains and industries, and apply them to your unique challenges. I love developing frameworks, processes, and storytelling metaphors that enable personal and business growth. Through actionable next steps, we'll build momentum and confidence. My goal is to help you clear roadblocks, do more with what you have, and realize the potential of yourself and your team.

Originality vs. AI Tools

00:00:41
Speaker
So throw your challenges my way and Chris'll deal.
00:00:49
Speaker
First, an AI statement that all elements of this episode are products of the author, Chris Kreuter, and made without the use of any AI tools.

Protecting Against Phishing Scams

00:01:03
Speaker
So today's question, my mother-in-law recently reacted to a shady text message that was a clear phishing attempt. We canceled her credit card in time, but I worry that this won't be the last time because she's not great with tech. Do you have any advice on how I can help her better recognize and understand these threats while also limiting her exposure to them? So I'm gonna start today's episode with a definition of phishing, and that's P-H-I-S-H-I-N-G.
00:01:29
Speaker
This is a form of social engineering where a cyber threat actor poses as a trustworthy colleague, friend, or organization. Their goal is to lure out sensitive information or network access. Lures can include emails, text messages, or even phone calls. If successful, they can gain access to more than just the target's information. It could be access to a larger network, organizations that they're a part of, and future third-party targets.
00:01:57
Speaker
Victims can experience data or service loss, identity fraud, malware infection, ransomware, monetary loss, impacted reputation, and more.

The Prevalence and Methods of Phishing

00:02:08
Speaker
So some quick statistics here. Phishing is the most common form of cybercrime. Many estimates say between 80 to 90% of cybercrime is through a phishing attack. The FTC, the Federal Trade Commission in the US, reported that consumers lost nearly $8.8 billion to scams in 2022 alone. And that's an increase of over 30% over 2021 numbers. And of that 8.8, 1.2 billion of it was through social media.
00:02:35
Speaker
And this isn't even a complete picture, because only 23 of the 50 US states report into the FTC's Consumer Sentinel Network. And this is all despite the active cybersecurity measures that are employed by the massive corporations who are responsible for delivering much of our digital existence. For example, Google blocks about 100 million phishing emails every day.
00:02:58
Speaker
We regularly hear about data breaches in the news, and these are common ways of exposing contact information, emails, phone numbers, addresses that enable phishing attacks. These leaked or hacked emails provide cyber attackers with powerful templates, and they use these to build realistic spoofs to trick additional targets. And I've seen this firsthand with devastating effectiveness. Some of these attacks are very sophisticated.
00:03:22
Speaker
It is common for bad actors to imitate brands that many of us use. Commonly spoofed brands include shipping companies like DHL, FedEx, UPS, and even the US Postal Service, Google, Microsoft, Amazon, and LinkedIn, and many more. And this is a global problem across all industries and countries.
00:03:42
Speaker
And given our asker's question, it's important to add that the elderly are not the worst actors here. 18- to 40-year-olds are just as susceptible as senior citizens. Sometimes even more so, as they're more publicly online; they're in more places, creating more spoofable content.

Five-Phase Approach to Combat Phishing

00:03:58
Speaker
So let's tackle this question in five phases. P, provide perspective. H, help genuinely. I, introduce better tools. S, set up safeguards. And H, heed rules.
00:04:13
Speaker
So P, provide perspective. What methods do phishing attacks use? They use text messages, emails, phone calls, social media, including DMs, and look-alike or imposter websites. And the most intense scams can combine these methods to immerse targets in a faked situation. And what types of scams are there? There could be these corporate imposters. It could be an online shopping scam, delivery issues, a negative balance; even claims of fraud can be fraud.
00:04:44
Speaker
Prizes, sweepstakes and lotteries. There could be investment opportunities. This includes multi-level marketing or MLM scams. It could be a business or job opportunity. It could be a charity scam and even a romance scam.
00:04:59
Speaker
How do scammers actually get your money and/or information? It can be through a bank or wire transfer. This can include making changes to account information to affect transactions that occur later. It can be direct account access: logging into your account and changing credentials, locking you out as they transfer funds directly. It can be credit card account numbers. These do tend to be abused quickly. They'll spam businesses local to you to minimize the fraud flagging. They're gonna get whatever they can before the card is either reported or shut off.
00:05:29
Speaker
It can be payment apps, cash app, Venmo, PayPal, Zelle, et cetera. They can be gift cards. These are pleas for help with shopping, gift cards, assisting with someone's financial loss. Remember that gift cards are not safe assets. Use them as quickly as you can.
00:05:46
Speaker
They can be cryptocurrency. These are nearly impossible to trace digital assets that quickly disappear. And they can also use your stolen identity to mimic you in other places. This could be opening fake bank accounts, taking out loans, stealing Social Security benefits, and more.

Adapting to Technological Threats

00:06:01
Speaker
Where can phishing attacks occur? At home. They can occur at work, where they can undermine an entire business, impacting co-workers, customers, and vendors. They can happen at clubs, groups, or other recreational organizations. They can happen without your involvement at all if your information was exposed through the victimization of a friend, family member, or corporation that has your sensitive information.
00:06:24
Speaker
And how bad will this situation get? I hate to say it, but it's going to be a lot worse. AI voice mimicking is getting close to lifelike. AI video spoofing as well. Many social media scams leverage this right now with a lot of quick clipping type of things that utilize this combination of virality, algorithms, and a lack of education and desire to vet the legitimacy of information.
00:06:47
Speaker
The use of social engineering is also rising. Emotional pleas, realistic scenarios, and intense details that build trust and/or create a sense of urgency that can trigger victims into quick action with less discernment. These are becoming increasingly sophisticated and ruthless attacks. A single scam can ruin a family, no matter how smart, well-educated, and well-intentioned they are.
00:07:10
Speaker
The aims of bad actors are not always financial either. Phishing for information can lead to revealing sensitive details that can aid in physical attacks and/or terrorist activities. H, help genuinely. A lot has changed with technology over my 40-plus years. During the 1980s, I had a mostly analog childhood. Households were starting to get online, experimenting with phone line modems and internet service providers like Prodigy and America Online.
00:07:38
Speaker
By the time I entered college, the internet was a major force in society. Corporate and government systems were managing themselves mostly online, and many others were going through that process. And before I turned 30, social media exploded in use. MySpace led to Facebook, LinkedIn, Instagram, and many others. And this was happening in large part due to the development of smartphones around 2007. With many of us getting computers in our pockets, our culture began to shift into an always-on mentality.
00:08:07
Speaker
And now in my fourth decade, we're seeing massive developments and investments in algorithms, automation, and artificial intelligence. The human cost to produce scams is nearing zero, which is why we're seeing significant upticks in the quantity and quality of cyber scams.
00:08:23
Speaker
Now imagine you're in your in-law's shoes. There were still major technological and societal shifts, such as the growth of television, the space race, and suburban expansion, just to name a few. But the impact of these changes on day-to-day life was lower and slower. The overall complexity of the tools that were embedded in their daily lives was lower than it is today. And there were far fewer ways that these new technologies enabled fraud against unsuspecting people. Not to say fraud didn't happen; it just took different forms.
00:08:53
Speaker
And it wasn't as ubiquitous. Therefore, it really is important that you're going to accept where they're at. Everyone has a different ability to grasp the information and techniques that you're going to be trying to convey. Remember that the pace of change far exceeds what they grew up with. You likely grew up surrounded by digital technology. They didn't.
00:09:12
Speaker
All these threats can be scary. Their experience of the world is more analog, and there is a likelihood that many of the terms and inner workings of the technologies are difficult to understand. However, in our modern society, it is very difficult to not be online. Many government agencies, corporations, and even small businesses require online components, interaction through chatbots, QR codes, apps, reward programs, and online accounts with logins and passwords.
00:09:40
Speaker
I just checked my password vault and I have over 200 logins myself. Heck, I'm even overdue for some internet spring cleaning. And all this online presence is done under the guise, and to some extent the reality, of convenience. But each interaction online does come with some risk. Remind them that everyone has a responsibility to pay attention to this issue now. Ignorance is no longer permissible. It is better to ask for help in protecting themselves now rather than begging for forgiveness and/or restitution later.
00:10:11
Speaker
Getting frustrated with them will just be perceived as an indictment of their intelligence. Keep reminding yourself of your best intention to be genuinely helpful in protecting your parent or in-law and those around them. Don't talk down to them. This is going to require persistent effort too. It's not something that's going to be solved in one sitting or with a few quick fixes. It's going to take everyone's constant vigilance and a continuing education in scammers' strategies and tactics.
00:10:38
Speaker
Let's move to I, introducing better tools. Have them rethink their need for a smartphone. This is definitely on a case-by-case basis, as there are legitimate needs for these powerful devices. But if our asker's family member predominantly uses their phone for calls, text messages, and messaging applications, a modern dumb phone may be a much better option.
00:10:58
Speaker
This would force activities such as online shopping, web browsing, logging into medical portals, and social media engagement to occur on a regular computer which offers better navigation, customization, and firewall protections. These larger screens also allow for magnification of text and images, making it easier for elderly people with poor eyesight to navigate. Ensure that they're registered with the National Do Not Call Registry.

Enhancing Online Security

00:11:24
Speaker
While many would agree that there are mixed results, regulators such as the FTC are making efforts to curb robocalling and cold marketing calls. The best way to take advantage of their efforts is to at least be on the registry list. The website for the registry also contains the form to report unwanted calls, which helps with their enforcement efforts.
00:11:42
Speaker
Have them review all of their subscription services. For services they want and consistently use, consider turning them from monthly auto renewals to annual one-time payments, and this has two major benefits. One, a one-time annual commitment often offers a cost savings.
00:11:58
Speaker
For example, the current one-time yearly subscription rate for Amazon Prime costs $139 a year as opposed to $15 per month, which is a $41 savings. And the second benefit is that you can re-up every year as a one-time payment rather than storing a credit card on the Amazon website.
00:12:16
Speaker
Which brings us to this issue of saving credit and debit card numbers or bank account information on websites and online portals. This includes online shopping, utility payments, medical portals and more. Each one of these is a potential vulnerability to a bad actor.
00:12:31
Speaker
All for the benefit of removing a small amount of friction. Many credit card companies will provide a service that creates virtual credit card numbers for temporary one-time purchases or even repeat purchases from the same source, such as a subscription. They'll also allow you to set up an expiry date for those virtual numbers. Many utility bills can be paid as they come in using online one-time payment portals without having to log in and save your payment information.
00:12:57
Speaker
Now, our asker's in-law is going to need a system to remember which bills need these methods, but don't forget that most people over the age of 40 grew up learning how to balance a checkbook. Heck, even I learned. They're likely going to get used to doing things a little more old-school quicker than you would. You could have them use a VPN service, or virtual private network.
00:13:17
Speaker
This includes avoiding submitting or sharing sensitive information, especially credit card numbers and banking info, over public Wi-Fi or on a public computer such as at a library. Packet sniffing by bad actors is a real thing. This can occur in physical locations such as coffee shops or co-working spaces. Most people's internet service providers are also mining tons of data from their internet use.
00:13:40
Speaker
These threats can all be easily countered by using a VPN, virtual private network, service. There are many reputable ones out there that offer excellent protection for modest fees and minimal impact on your internet bandwidth. But this additional complexity and these extra steps before getting online might be a bridge too far. So you want to find ways for a VPN service to enable right on computer startup. And that would probably be the best way to go.
00:14:04
Speaker
Have them research companies and charities before taking any action. Do the official websites or watchdog groups list the same contact information, domain addresses, and content as a suspected scam? Avoid sites and services that can be rife with scams or potential for abuse, and this includes Craigslist and Facebook Marketplace. Using these sites can lead to situations with real, physical danger. Make no mistake that bad actors are preying on people through these convenient, more locally-oriented services.
00:14:34
Speaker
You may also want to consider a password management system. Every site or system should have a unique password associated with it. If you have over 200 of them, they can be very difficult to remember. You need to avoid using the same password for everything.
00:14:48
Speaker
And also avoid easily guessed passwords, especially those tied to publicly available information such as the names of family members, dates of birth, model of their car, breed of pet, street address, places of education or worship, et cetera. And the length of a password often matters more than the complexity. It's okay to use a series of longer, unrelated words that could make it easier to type and remember. And lastly, add a passcode to their mobile device. We'll touch a little bit more on that later.
00:15:18
Speaker
S. Setting up safeguards. Never share account information, credit card information, passwords, banking details, or sensitive personal information with anyone who contacts you over text, phone, or email. Confirm anyone claiming to be a representative is really who they say they are. When in doubt, hang up, locate the company's customer support hotline, and redial that number.
00:15:44
Speaker
If possible, set up two-factor authentication for them. This is where a website will text or email you when logging in online with a password to confirm that that login is authentic. Some might offer setting up a PIN in addition to a password. I definitely recommend choosing the text option over email, as it's on a different device.
00:16:05
Speaker
You can also create a safe word for family members, but definitely don't share it. Alternatively, if you suspect someone is mimicking a family member, ask them an unusual question from your shared past, one that's obscure but easily answerable by that family member. I'll give you a real-life example here. If I were to get a strange call that I think might be my sister but might be someone mimicking her, I might ask them.
00:16:27
Speaker
Hey, what made me give you the phone when we were kids? If she doesn't answer quickly with something like "threatening with a knife," I know it's a scam. There's no way a phisher would know this off the top of their head. Until now, I suppose. Another safeguard is to avoid shared accounts. This includes setting up a way for your parents to use your accounts, thinking that it might be easier for you to monitor and protect them. You may be reducing the number of targets, but you're making the remaining targets bigger.
00:16:52
Speaker
Try to limit interactions on communication apps such as WhatsApp and Facebook Messenger that are highly susceptible to scams and phishing attacks. At the very least, never put any sensitive information into those chats. If someone gets access to your account, those direct messages can create a lot more problems. Another really important tip, don't let their grandkids be on their phone.
00:17:14
Speaker
They might click a random phishing text pop-up that comes into their device, or accidentally, or on purpose, look through their emails and click a malware link. If they absolutely have to have a younger kid use something on their phone, an app, Minecraft, whatever, teach your in-law to at least put that phone into airplane mode first.
00:17:34
Speaker
Have them perform regular bank statement checks, monthly if they get them on paper, weekly if they have online banking access. This is a trickier one, but you could have them regularly change their credit card number. This may seem like an annoyance and hassle, but this can help reduce the risk of exposed numbers from third-party breaches. It also helps prevent continued monthly charges for accounts they're not using, forcing them to reconfirm their subscriptions with some potential money savings as an added bonus.
00:18:01
Speaker
Have them properly remove all personal data before donating, recycling, or trading in old, damaged, or non-functional devices such as tablets, cell phones, and laptops. Have them secure and properly destroy physical documents that have sensitive information. Examples here are utility bills, credit card offers, and bank and investment account statements.
00:18:22
Speaker
Be cautious in your definition here. There's no harm in shredding more than necessary. A lot of towns are going to offer free periodic shredding programs, and many office supply stores offer reputable and secure shredding services for modest by-the-pound fees. You can have them utilize email spam filters. They might be using an old, badly protected mail client such as AOL. Have them set up a new account on something more reputable that has better filters.
00:18:47
Speaker
Have them check if they have identity protection insurance through an employer or other insurance program, or have them purchase supplemental protection. Lastly, have them go old school. Using checks is still legal and accepted in more places than you think, and they provide more of a paper trail. And lastly, have them shop physically more than virtually. This is better for your local community that's hiring local people and paying them paychecks. Keep more money in your community instead of going to Amazon for everything.

Reducing Scam Risks

00:19:15
Speaker
H. Heed rules. Close down accounts they're not using. Review yearly at a minimum. This reduces the number of ways scammers can reach your inbox. It also reduces the number of companies who can expose you to a data breach. This includes accounts that may not have financial implications, but still contain sensitive information. For example, old medical portals.
00:19:36
Speaker
Ancestry search sites, unused social media accounts, activity trackers, phone apps, physical and online stores they rarely or never visit, old work logins. Don't use the internet on mobile devices. Use a laptop or desktop with a larger screen. It's easier to see issues with spoofed emails or websites. Avoid store credit cards and accounts. Shopping as a guest is okay. Often the loyalty points programs aren't worth the tracking and the risk of data exposure.
00:20:06
Speaker
Or at least limit the number of them that you use. Always have your guard up. Basic protections work great as long as they're followed. Be careful what you post. Even if you mean well, consider if you're creating an exposure for somebody else. Also, check the source of what's coming in. Is it a trusted phone number? Is it a spoofed email? If you suspect a bad phone call, hang up. Call the known contact back. It could be a scammer imitating your friend or family member. When in doubt, stop and ask.
00:20:36
Speaker
And if you do think you might have been scammed, find out what to do next.

Reporting and Reflecting on Scams

00:20:40
Speaker
And I have lots of links through everything I've talked about today in the show notes. And if you do identify a scam, a great thing to do is report it to reportfraud.ftc.gov. Together we can help fight against this scourge. This episode's quote is courtesy of Yuval Noah Harari, who's a popular author of books such as Sapiens, Homo Deus, and more.
00:21:02
Speaker
One basic misconception is that people tend to equate information with truth. And information isn't true. Lies are also information. Fictions and fantasies are also information. Most information in the world is not about the truth. And with that, have a great day.
00:21:19
Speaker
If you feel that Chris dealt with it, I'd appreciate your support of the show by sharing it with someone who might benefit. Ratings on your favorite podcast player are also helpful in growing the audience. Visit chriskreuter.com for free downloadable PDFs with notes and resources from today's episode, to sign up for the CDWI mailing list, or to send in your problems or requests for future shows. That's C-H-R-I-S-K-R-E-U-T-E-R.com, or use the link in the show notes. Thanks for listening to Chris'll Deal With It.