I am technical and I am not sure how to become confident that withgoogle.com is a trustworthy domain. I guess I would look for official links from Google.com to it. But why bother?
Very good point. I actually got the link a while back from someone from Google. But what you're saying makes 100% sense! You wouldn't know unless there is a concrete method to verify ownership of the domain.
I think an important part of being secure online is knowing when to be careful. This site doesn't ask for any real information, so it doesn't really matter that much if withgoogle.com is a trustworthy domain or not.
I think it would have been better if this quiz made up a name and e-mail for the user instead of asking for one though.
Manage their PC, apply good security measures to it (use pihole, browser selection, disabling extensions, use extensions that prevent phishing). Teach them elementary online security and how to use a password manager.
On a more OOtB note, have all their web traffic route via a web proxy that will prevent phishing, MITMs, scan against viruses etc.
Do you have a recommendation for such a proxy? Is this something that could be accomplished at the router level without the need for additional configuration or hardware (on their part). Ideally, I’d love to flash OpenWRT or similar onto their router, enable some simple block lists and settings, and have reasonable assurance they’re protected (at least on their home network).
As I’m writing thing, I wonder if there is a “senior mode” distro/plugin for OpenWRT.
My parents are pretty old and technically illiterate. My absolute nightmare is for them to wake up one day to an empty bank account. Right now, they double check every financial email with me. We actually managed to thwart 3 phishing emails this way!!! They are preying on seniors pretty hard. They usually get the email addresses from online quizzes and other thin apps.
My dad is in his mid 60s and has been happily using Ubuntu for the better part of a year. He now no longer has to worry about most malware or windows updates interrupting his workflow. I think you are really overestimating the complexity of using Linux as a normal user.
uBlock Origin has been useful when it comes to protecting my family computer. There are so many hostile ads and websites out there. I highly recommend it (or Pi-hole or some other good filtering tool).
Personally, I have a lot of trouble with websites breaking because some script was rejected. I think its a big ask to say "if you think this website isn't working correctly, make sure the "*.cloudfront.com" is allowed to load JS resources.
Yep, it's still definitely considered one of the most secure consumer platforms both in fundamentals and in the practice of the number of bugs it's had.
No security is perfect, a small handful of bugs over the last so-many years is about as good as any platform can hope for.
If you're a CIA agent or run a bitcoin exchange it might not be good enough for you, but for most people it's a pretty good set of options.
ChromeOS is more secure and far less expensive than MacOS, although as long as you keep your parents off of Windows you won't have to worry about ransomware.
Choice of operating system won't affect whether or not people type away their details into random websites. Putting Windows and Linux in the same box and pushing iOS over them is also puzzling.
Why would someone's non-technically literate parents happen to be running a Linux distribution on their personal computers and why would that make them more susceptible to giving their details away than running OSX?
OS X - it wouldn’t make a difference. But, apps are tightly sandboxed with iOS and it doesn’t even allow some of the permissions that Android does - like intercepting phone calls and text messages.
I disagree. I've Ubuntu LTS setup on my mother-in-law's PC since more than 6 years and it's been no problem. Very low maintenance, too.
All she needs is email and web browsing. I'm pretty sure as far as security threats are concerned she is vastly better of with Linux. The usual exploits targeted at end users simply won't work.
going down the ios route is safest option.Pretty much in same boat as you taught my dad on online bill payments and banking in iPad . Set up a password manager and store all their personal information in there , make it available via touch id.
Chromebook and linux are still tech stuff which can not be handled by elderly.
Ublock Origin by gorhill is better, although the trouble with any ad-blocking plugin being used by non-technical people is that they will occasionally break a site and have no clue how to turn it off.
It is an understandable wish, sadly it is not something you can control without them living with you and having all of their outside world access go through you.
This sad state of affairs because swindlers can get at them in many different ways. I have a sign near the phone that says "If they are asking you to buy gift cards hang up, what they have told you is a lie."
Of course online access is essential today, so it isn't easy to tell them they don't get to use the computer. Or Facebook. Or NextDoor. Or any other social media site. Or Chat service. Or other Forum.
There isn't any just "read only news" (no commenting) from sites with journalists, maps, phone numbers. Kind of appliance that you can get them.
Maybe this is off-topic, but everything I know about personal security I learned from my mom. She gets spam calls like we all do, claiming to be health insurance or the IRS or something, and she'll always hang up, look up the right phone number, and call that back and see if there really is anything going on. Same with emails, she doesn't click links but instead goes to the website independently and logs in there. She taught me that if it's actually your health insurance or credit card company calling, they'll already have your information, so asking for your SSN or address is a red flag.
She's "not technical", which means she's a librarian instead of a software engineer, but she still knows much more than me about online security, and I'd bet most of our parents are kinda the same. She "runs" an iPhone and a Chromebook, which I think is the best setup for most people.
There are some phone numbers where you have to pay to call them, and so there is a current scam where you call people just to get them to call you back, and you'll have to pay.
> She's "not technical", which means she's a librarian instead of a software engineer
Funnily enough, librarians are some of the most computer-savvy people I know. I wouldn't be surprised if your mother's "librarian training" of recognizing bad information and tracking down good sources is a big part of what makes her that good at navigating the net.
Honestly, while getting phished and hacked are big issues, I would also worry about them being sucked into social media bubbles where they could start latching onto conspiracy theories, fake news, and the like. It was not too long ago where their generation believed it was a bad idea to believe anything on the Internet. I'm not sure what changed. I have seen my own parents fall suspect to that stuff now and then, so it does scare me.
Advice I could have used five years ago. I don’t even know how to talk to my parents about current events/politics now because we don’t share a common base of facts.
Perhaps broach the fact that social networks are really just advertisement delivery networks, and that they found that partitioning audiences by interests let them sell you for more money.
Try opening an incognito tab and search for flat earth on youtube, and then see what videos that window gets recommended, if they don't believe you.
The hardest part of broaching this problem is learning to accept that, as a percentage, you're probably just as wrong about the facts as your parents are. Everyone likes to think that it's only "those people" who are foolish, subject to conspiracy, or other negative descriptors. Statistically, that's just not realistic. And even if you're 100% right, approaching people with the humbleness of assuming you're 80% wrong will allow you to have better conversations.
> you're probably just as wrong about the facts as your parents are.
It depends on the subject. If you believe that climate change doesn't exist, that we never went to the moon or that the earth is flat, you are just plain wrong and I am right.
Just admit it, they don't agree with you politically and to be more specific they are not as lefty as you are. Leave them alone, having different opinion is not being "sucked into social media bubble".
Very true. I forget that parents were the original harbingers of the danger of the web and now, IMHO are the prime target for fake news and click bait.
> I have seen my own parents fall suspect to that stuff now and then, so it does scare me.
I think their generation has been influenced by our generations that really started using the internet and got it into every part of our lives. Sometimes I start falling for the conspiracy theories and have to check myself, and they don't have experience with the insane social media machine that exists now but didn't exist during their time.
Damn, I see my mum sharing all sorts of right-wing stuff on social media that is obviously fake news designed to spread virally. People are allowed to hold whatever political views they want, but the stuff she's sharing is obviously designed to enrage and cause itself to be spread.
It was an earlier generation, but my grandfather, who was a respected scientist in his field, fell victim to "Fox geezer syndrome" in his final years. I have no idea how much money various Fox-adjacent advertisers scammed out of him.
Fortunately, my parents have never had much interest in Facebook, preferring to socialize with real friends in real life. They have their own bubble to some extent, but it's way less toxic than any online version.
The difference that social media has made is that now their good friend/favorite cousin is saying the thing, not some random person on the Internet, even if it is something some random person on the Internet originally said for whatever nefarious purpose.
Walk through privacytools.io with them for at least their browser and their browser extensions, and possibly the email portion. That 30 min lesson may do them years worth of good.
Can recommend Chromebook from personal experience.
Auto-updates painlessly. Probably worth getting one with touchscreen and ability to run Android Apps. I've just updated my mum's one to Acer Chromebook R11 CB5-132T (old one was no longer getting updates after c. 5 years)
Chromebooks are great, but there is certainly still some risk if extensions are enabled. My daughter was having problems with her Chromebook, and I found that a bunch of shady extensions had been installed (I had a flashback to the 90's and toolbars). Apparently they were masquerading as games and themes.
I guess you could solve that by making it a "managed" Chromebook. Not sure if that's possible to set up for a non-corporate/school environment though :)
I think Chromebooks are about as safe as you can get these days. There is a limited amount of damage that can be done with extensions, especially now that they can only be installed via the chrome web store, and inline installations are blocked. AFAIK it's impossible to do stuff like steal credit cards or install a keylogger via an extension.
The number one thing you can do to help them is talk to them about being conned / scammed. That's by far the most likely way for them to get victimized online, and the only way that's seriously affected anyone I know.
Since they're not technical, their natural self-defense against this kind of this has trouble functioning online. Talk to them about real world analogs to pop-up ads that look like virus scanner alerts, talk to them about people pretending to be someone they know. Hell, show them the movie "Catch me if you can" and explain the same psychological tactics get used online.
Get them to consider "what do I really know, and is this too good to be true" before they talk to anyone, click a link, or buy anything online -- and they will be fine, if their judgement is otherwise unimpaired.
If they're very late in life, or otherwise have trouble with this kind of thing in the real world, there is unfortunately not much you can do to help them, other than force them to only use pre-installed apps on a tablet that you've selected, like you might with a small child. If they're not willing to do that, then it's unfortunately on them. I've had this experience both with my grandfather and a friend who lives with a brain injury, who are responsible for themselves but don't have the judgement necessary to realize how impaired they are.
And of course, make sure the computer is auto-rebooting to get updates, and they know to call you if they get a virus / malware popup they think could be real.
Based on my father and grandmother's interactions, suggesting they call if ever in doubt can be a big help. What saved her from the fake Microsoft support scam was her calling him to ask if she should go to someone cheaper to help with the non-existant issue.
Offering to do her taxes prevented some other scam. Although that did require flying out annually due to being so disorganized.
> Based on my father and grandmother's interactions, suggesting they call if ever in doubt can be a big help.
However, do understand, that this can lead to the opposite effect of constantly calling on every little thing leading to them becoming even more dependent on you.
I guess the scammers have a larger market due to the internet, but someone who has lived must have been exposed to scams many times in their long life!?
The problem is twofold, they don't have a good mental model of online interactions, and older people become more susceptible to deception as cognitive function declines.
After hearing about them getting scammed several times I finally had my parents agree to contact me before they are paying for anything online unless it's on Amazon.
Also, tell them to be suspicious of email links that require them to log in. If "PayPal" sends an email saying you need to change your password or log in for some other reason, teach them to go to type paypal.com in the browser themselves instead of clicking the link.
Absolutely, repeat this a bunch of times even at the risk of being a bit annoying. It's worth it. Make that point. Anyone asking for your password or other sensitive info is very likely a fisher (aka a thief).
Show them some Kitboga videos. He actually will imitate an elderly woman to mess with the scammers. It shows how the scammers work and could be educational... and entertaining.
Check out what we're building at Badrap (https://badrap.io/). Our service is free, and you can use it to monitor your and your parents' IP and email addresses for known vulnerabilities and data breaches. Let me know if you have any questions. :)
My recomendation is create a block server for ads in this case pi hole is a good option for all your devices (PC, Laptop, Smartphones, etc). For navegation i recommend create user with control on windows, the reason is they can't install apps or changes things in the system that compromise your information or install addons infected in the browsers
Also tell them about phone scams. Over the last year I have received several very convincing phone calls and voice messages from people pretending to be the IRS or cops. It takes a lot of willpower to convince yourself that they are scams.
A lot of scams can be stopped if you consult with someone before sending actual money. I think it's important to tell your parents that before they give anybody any money or account numbers or buy gift cards (a lot of scammers make people buy gift cards and then give them the number) they should talk to you first. And tell them that there is nothing legitimate that ever requires you to pay NOW. Scammers are really good at pressuring people to act immediately instead of asking somebody.
The IRS scam has been particularly interesting. A wave of them came through our area code, so I convinced a friend to let me talk to the scammers when it came to his phone. They had ${friend}'s name and address associated with the number, and got mad when I said (truthfully) "that's not me". I'm still curious what datasource they're using to match those three bits of information together...
Some of the scams have the caller actually pretending to be YOU. So if they have the agreement to consult with you before sending any money, what are they going to do?
I believe the standard strategy here is to say you've been in an accident, you're in the hospital while traveling, your jaw was broken, and that's why you sound different. Or you're having the nurse call them. Something to explain why your voice isn't what they expect.
This happened to my grandmother a few years ago, with somebody claiming to be me. Purportedly, I had broken my arm in Spain, and needed money for surgery. Fortunately, she had the good sense to call my parents and find out if I was actually in Spain.
My in-laws got hit by an absolutely ridiculous phone scam. Basically some guy called and said "Hey this is Apple, this is an emergency, your iCloud got hacked, you need to install this remote desktop software and give me your credit card info so I can fix it for you". They are smart people but they still fell for it. So, the advice we gave them was that no organization is going to use a phone call to deliver important or urgent information. So if a call like that comes in, just ignore it or ask for a call-back number and then try to verify it by asking us. If a company or government agency truly wants to convey important info to you, they'll send mail.
> They are smart people but they still fell for it.
If they fell for that then they're not very smart.
Would a smart person fall for it if a random hobo turned up at their door and claimed to be Jesus, but BTW he really needs you card and pin for 20 minutes, oh and $500 in cash as well!
This is so true. My father is getting closed to getting conned now.
I tell him that no matter who contacts him and how (could be the government, IRS, bank, and could be phone, or email or a door knock) he should politely end the contact immediately.
Don't listen to what they have to say, don't give them a single shred of information - not even his name or address or anything.
If he is really convinced it's something legit, HE should initiate contact with whoever they said they were - find THEIR phone number or website and contact them and ask.
That way at least he can be sure he knows who is on the other end.
Last time I was home visiting my parents I was astounded by the number of scam calls they'd get per day. Their landline was basically unusable for incoming calls because 90% of them were scammers. And they're obviously targeting older people who by nature respect/trust authority figures: "This is the IRS!" "This is the police, you're in trouble!" "I'm with Microsoft!" "This is the State Department, we need to talk about your passport" (that one was new to me). Scam texts too on their mobile phones.
The key thing people (not just the elderly) need to understand is that NOBODY LEGITIMATE will make initial contact with you over the phone or over SMS. The IRS will mail you. The police will knock on your door. If someone you don't know contacts you over the phone, 99.999% of the time it is a scam or they're selling something. Once you internalize that, you're well on your way towards avoiding being a victim.
> The key thing people (not just the elderly) need to understand is that NOBODY LEGITIMATE will make initial contact with you over the phone
My experience has been very different from yours. I've absolutely had financial institutions make unexpected phone calls to me and asking me security questions. In just the last year:
- Someone claiming to be Mastercard phoned me and asked to first verify my name and address. I was 99% sure it was a scam, but I had just enough doubt and curiosity that I called Mastercard back at a known number and it turns out that they were indeed trying to decide whether or not to block a large purchase I had made.
- Someone from the bowels of the check-clearing department of my business bank account called to verify whether or not to pay a large check I'd written to an individual.
- My regular bank called me out of the blue to check on an incoming wire transfer that had my middle initial although my bank account was set up without a middle initial, and they wanted to verify this before accepting the transfer.
In each case above, the call was from a phone number that I didn't recognize (and were un-googleable because they were internal numbers), from a person I didn't know, and the conversation started by them asking me personal or security-related questions! But they were all legitimate calls, and in fact would have caused me grief had I ignored or refused the call.
Financial institutions contribute to the mess by having poor telephone security practices themselves. They also send emails with links they want you to click on to sign in and they invent all sorts of domain names for various services/surveys/emails that bear no relation to their main domain name.
Shameless plug: I cohost a podcast about personal digital security, with a target audience of people who aren't (necessarily) in tech but are interested in understanding things and not just getting a pre-canned set of recommendations like "Use a Chromebook" (or "Use Signal use Tor"). https://looseleafsecurity.com
Some specific advice I'd give with relevant episodes:
- Get an unwanted content blocker (aka ad blocker) like uBlock Origin to protect you against malicious ads, popups, etc., and/or a cross-site content blocker like Privacy Badger to protect you from being tracked across websites and also protect you against malicious embedded content. https://looseleafsecurity.com/episodes/web-security-continue...
- Set up backups, because it's the only reliable defense against ransomware, and it's the best defense against your computer getting malware - it's easier to wipe and start over than to try to pick out the malware (especially if their child isn't around!). https://looseleafsecurity.com/episodes/backups.html
- Learn about how to protect yourself from malware. It's not clear today that antivirus or similar software has enough benefit, and they often introduce their own security issues (or just slow down the computer enough that you'll want to turn it off). But your OS has various built-in knobs about running unknown software, and you're probably better served by turning those up to the safest settings and knowing what its security prompts mean. https://looseleafsecurity.com/episodes/malware-antivirus-and... (In particular, if you're not in tech, it's not obvious that every program you download has access to all your cookies and private files ... unless you get it from your OS's app store ... unless ... we talk about this complexity in this and previous episodes.)
We post both the entire transcript and additional notes / links to further reading, so if listening to people talk isn't your preferred way of consuming content (and honestly it's not mine either!) our website should still be pretty useful.
I'd also like to add a simple thing a lot of us technical-minded folks don't think about that much, and that's making sure the parent's daily driver user account isn't an administrator. That shrinks the attack surface significantly.
Keep them offline. Get them smartphones, preferably iOS. Educate them about scams.
My parents still conduct the majority of their personal business offline, and though I have scoffed at this in the past, it makes more sense for them and also keeps them safe. Their bills come in the mail, and its not uncommon for them to go to a department store and pay the bill for that chain's credit card in person. They meet with their financial advisor in person at their house, and it's someone they've worked with for decades. They keep all of their important documents (social security cards, birth certificates, passports) in a safety deposit box at a local bank. All of their insurance agents are local, and they meet with them at their cluttered, homey offices. They call the hotlines for their primary credit cards fairly often, and listen for fraudulent charges.
Their online experiences are mediated through things like Facebook. They get e-mail, but I have them set up to use smart clients that filter out the most pernicious stuff. If they think something sounds fishy, they will ask me to look at it for them. Any digital documents (airline tickets, hotel reservations) they want to save go to both the Apple Cloud (which they can occasionally do, though I have to help) and to the printer so they can keep records.
The only downside of this is the sheer amount of mail they receive, and the difficulty of finding hard copies of documents despite their best efforts to file things. Even their mail is somewhat protected, though, as they live in a gated retirement community.
After countless majestic infections in his laptop, restricting my dad to only using a large iPad pro (with a keyboard) has saved me countless hours of maintenance.
As much as I dislike Apple and their ecosystem, iOS is the way to go. But I went with tablets over phones, just for practicality with browsing and such.
With an iPad (as opposed to an Android tablet) I don't have to worry about them installing some fake app. It also helps a that anyone can figure out iOS (although it has gotten more complex over the years).
I've also installed Pi-hole at my parent's house. Not just to protect them from misleading stuff, but also because overly aggressive ads can be very confusing. I've once had my mom tell me her tablet was broken, because she couldn't visit the news, it turned out to be a giant overlay ad that she couldn't figure out how to close.
Lastly, I have migrated their ISP based email account (dating back to the early 90's) to a gmail inbox so they can benefit from the (mostly excellent) spam and fraud detection features of gmail. Their ISP offered no spam detection at all. It still uses the same email address though, I just routed it through gmail.
The government here in the Netherlands ran some great TV commercials instructing you to hang up the phone and call back if you got a call that you didn't trust. And another TV commercial on how to check the URL and certificate if you are on your banking website. I'm very grateful for that, it already saved my dad once from a phishing attack.
> With an iPad (as opposed to an Android tablet) I don't have to worry about them installing some fake app.
Ohhh you would be surprised of the amount of fake apps on iPad!!
I know an old couple who burned a good amount of money on their new iPad trying to install some app they knew from Android (something not available ipad, I think it was WhatsApp).
The first two sentences don't make sense. By nature, a cellphone lets you ALWAYS be online. Unless you're talking about totally stripping every online app, including web browsers.
The best way to do this would be to set up a program similar to a built-in game that regularly tests them by presenting them with realistic situations and gauging their response. Pen testing with built-in realtime negative feedback of some kind when they make a mistake would keep them learning.
214 comments
[ 7.1 ms ] story [ 317 ms ] threadOf course it could have drive-by malware on it... but so could any link
I think it would have been better if this quiz made up a name and e-mail for the user instead of asking for one though.
On a more OOtB note, have all their web traffic route via a web proxy that will prevent phishing, MITMs, scan against viruses etc.
As I’m writing thing, I wonder if there is a “senior mode” distro/plugin for OpenWRT.
And for not-everyday tasks, you can just ssh in and fix it for them.
uBlock Origin Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpa... Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...
For non tech users, iOS is pretty safe.
Ipad + iPhone and you're good to go. Leave the notebooks and PCs in the 80s where they belong.
No security is perfect, a small handful of bugs over the last so-many years is about as good as any platform can hope for.
If you're a CIA agent or run a bitcoin exchange it might not be good enough for you, but for most people it's a pretty good set of options.
All she needs is email and web browsing. I'm pretty sure as far as security threats are concerned she is vastly better of with Linux. The usual exploits targeted at end users simply won't work.
What makes you say "Avoid Linux"?
This sad state of affairs because swindlers can get at them in many different ways. I have a sign near the phone that says "If they are asking you to buy gift cards hang up, what they have told you is a lie."
Of course online access is essential today, so it isn't easy to tell them they don't get to use the computer. Or Facebook. Or NextDoor. Or any other social media site. Or Chat service. Or other Forum.
There isn't any just "read only news" (no commenting) from sites with journalists, maps, phone numbers. Kind of appliance that you can get them.
She's "not technical", which means she's a librarian instead of a software engineer, but she still knows much more than me about online security, and I'd bet most of our parents are kinda the same. She "runs" an iPhone and a Chromebook, which I think is the best setup for most people.
Funnily enough, librarians are some of the most computer-savvy people I know. I wouldn't be surprised if your mother's "librarian training" of recognizing bad information and tracking down good sources is a big part of what makes her that good at navigating the net.
Haha, I am 100% sure that this is not the case.
Try opening an incognito tab and search for flat earth on youtube, and then see what videos that window gets recommended, if they don't believe you.
It depends on the subject. If you believe that climate change doesn't exist, that we never went to the moon or that the earth is flat, you are just plain wrong and I am right.
I think their generation has been influenced by our generations that really started using the internet and got it into every part of our lives. Sometimes I start falling for the conspiracy theories and have to check myself, and they don't have experience with the insane social media machine that exists now but didn't exist during their time.
Fortunately, my parents have never had much interest in Facebook, preferring to socialize with real friends in real life. They have their own bubble to some extent, but it's way less toxic than any online version.
Auto-updates painlessly. Probably worth getting one with touchscreen and ability to run Android Apps. I've just updated my mum's one to Acer Chromebook R11 CB5-132T (old one was no longer getting updates after c. 5 years)
Also: install ad-blocker of course!
Since they're not technical, their natural self-defense against this kind of this has trouble functioning online. Talk to them about real world analogs to pop-up ads that look like virus scanner alerts, talk to them about people pretending to be someone they know. Hell, show them the movie "Catch me if you can" and explain the same psychological tactics get used online.
Get them to consider "what do I really know, and is this too good to be true" before they talk to anyone, click a link, or buy anything online -- and they will be fine, if their judgement is otherwise unimpaired.
If they're very late in life, or otherwise have trouble with this kind of thing in the real world, there is unfortunately not much you can do to help them, other than force them to only use pre-installed apps on a tablet that you've selected, like you might with a small child. If they're not willing to do that, then it's unfortunately on them. I've had this experience both with my grandfather and a friend who lives with a brain injury, who are responsible for themselves but don't have the judgement necessary to realize how impaired they are.
And of course, make sure the computer is auto-rebooting to get updates, and they know to call you if they get a virus / malware popup they think could be real.
Offering to do her taxes prevented some other scam. Although that did require flying out annually due to being so disorganized.
However, do understand, that this can lead to the opposite effect of constantly calling on every little thing leading to them becoming even more dependent on you.
https://www.youtube.com/watch?v=f-j12NvUwhw
A lot of scams can be stopped if you consult with someone before sending actual money. I think it's important to tell your parents that before they give anybody any money or account numbers or buy gift cards (a lot of scammers make people buy gift cards and then give them the number) they should talk to you first. And tell them that there is nothing legitimate that ever requires you to pay NOW. Scammers are really good at pressuring people to act immediately instead of asking somebody.
A phone book?
Better to just call their main support line. Most likely they’ll never have heard of ‘some guy’ and they’ll tell you your iCloud is just fine.
If they fell for that then they're not very smart.
Would a smart person fall for it if a random hobo turned up at their door and claimed to be Jesus, but BTW he really needs you card and pin for 20 minutes, oh and $500 in cash as well!
.....
Assuming people aren't smart because they fall for a scam doesn't do them justice and it shows a lack of empathy on your part.
I tell him that no matter who contacts him and how (could be the government, IRS, bank, and could be phone, or email or a door knock) he should politely end the contact immediately.
Don't listen to what they have to say, don't give them a single shred of information - not even his name or address or anything.
If he is really convinced it's something legit, HE should initiate contact with whoever they said they were - find THEIR phone number or website and contact them and ask.
That way at least he can be sure he knows who is on the other end.
The key thing people (not just the elderly) need to understand is that NOBODY LEGITIMATE will make initial contact with you over the phone or over SMS. The IRS will mail you. The police will knock on your door. If someone you don't know contacts you over the phone, 99.999% of the time it is a scam or they're selling something. Once you internalize that, you're well on your way towards avoiding being a victim.
My experience has been very different from yours. I've absolutely had financial institutions make unexpected phone calls to me and asking me security questions. In just the last year:
- Someone claiming to be Mastercard phoned me and asked to first verify my name and address. I was 99% sure it was a scam, but I had just enough doubt and curiosity that I called Mastercard back at a known number and it turns out that they were indeed trying to decide whether or not to block a large purchase I had made.
- Someone from the bowels of the check-clearing department of my business bank account called to verify whether or not to pay a large check I'd written to an individual.
- My regular bank called me out of the blue to check on an incoming wire transfer that had my middle initial although my bank account was set up without a middle initial, and they wanted to verify this before accepting the transfer.
In each case above, the call was from a phone number that I didn't recognize (and were un-googleable because they were internal numbers), from a person I didn't know, and the conversation started by them asking me personal or security-related questions! But they were all legitimate calls, and in fact would have caused me grief had I ignored or refused the call.
Financial institutions contribute to the mess by having poor telephone security practices themselves. They also send emails with links they want you to click on to sign in and they invent all sorts of domain names for various services/surveys/emails that bear no relation to their main domain name.
Some specific advice I'd give with relevant episodes:
- Use a password manager https://looseleafsecurity.com/episodes/securing-your-online-... so you can use strong, unique passwords, and and set up two-factor auth wherever possible (preferably with a security key) https://looseleafsecurity.com/episodes/two-factor-authentica... so that you're protected from the many possible attacks on passwords.
- Get an unwanted content blocker (aka ad blocker) like uBlock Origin to protect you against malicious ads, popups, etc., and/or a cross-site content blocker like Privacy Badger to protect you from being tracked across websites and also protect you against malicious embedded content. https://looseleafsecurity.com/episodes/web-security-continue...
- Set up backups, because it's the only reliable defense against ransomware, and it's the best defense against your computer getting malware - it's easier to wipe and start over than to try to pick out the malware (especially if their child isn't around!). https://looseleafsecurity.com/episodes/backups.html
- Learn about how to protect yourself from malware. It's not clear today that antivirus or similar software has enough benefit, and they often introduce their own security issues (or just slow down the computer enough that you'll want to turn it off). But your OS has various built-in knobs about running unknown software, and you're probably better served by turning those up to the safest settings and knowing what its security prompts mean. https://looseleafsecurity.com/episodes/malware-antivirus-and... (In particular, if you're not in tech, it's not obvious that every program you download has access to all your cookies and private files ... unless you get it from your OS's app store ... unless ... we talk about this complexity in this and previous episodes.)
We post both the entire transcript and additional notes / links to further reading, so if listening to people talk isn't your preferred way of consuming content (and honestly it's not mine either!) our website should still be pretty useful.
Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpa... Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...
My parents still conduct the majority of their personal business offline, and though I have scoffed at this in the past, it makes more sense for them and also keeps them safe. Their bills come in the mail, and its not uncommon for them to go to a department store and pay the bill for that chain's credit card in person. They meet with their financial advisor in person at their house, and it's someone they've worked with for decades. They keep all of their important documents (social security cards, birth certificates, passports) in a safety deposit box at a local bank. All of their insurance agents are local, and they meet with them at their cluttered, homey offices. They call the hotlines for their primary credit cards fairly often, and listen for fraudulent charges.
Their online experiences are mediated through things like Facebook. They get e-mail, but I have them set up to use smart clients that filter out the most pernicious stuff. If they think something sounds fishy, they will ask me to look at it for them. Any digital documents (airline tickets, hotel reservations) they want to save go to both the Apple Cloud (which they can occasionally do, though I have to help) and to the printer so they can keep records.
The only downside of this is the sheer amount of mail they receive, and the difficulty of finding hard copies of documents despite their best efforts to file things. Even their mail is somewhat protected, though, as they live in a gated retirement community.
As much as I dislike Apple and their ecosystem, iOS is the way to go. But I went with tablets over phones, just for practicality with browsing and such.
With an iPad (as opposed to an Android tablet) I don't have to worry about them installing some fake app. It also helps a that anyone can figure out iOS (although it has gotten more complex over the years).
I've also installed Pi-hole at my parent's house. Not just to protect them from misleading stuff, but also because overly aggressive ads can be very confusing. I've once had my mom tell me her tablet was broken, because she couldn't visit the news, it turned out to be a giant overlay ad that she couldn't figure out how to close.
Lastly, I have migrated their ISP based email account (dating back to the early 90's) to a gmail inbox so they can benefit from the (mostly excellent) spam and fraud detection features of gmail. Their ISP offered no spam detection at all. It still uses the same email address though, I just routed it through gmail.
The government here in the Netherlands ran some great TV commercials instructing you to hang up the phone and call back if you got a call that you didn't trust. And another TV commercial on how to check the URL and certificate if you are on your banking website. I'm very grateful for that, it already saved my dad once from a phishing attack.
Ohhh you would be surprised of the amount of fake apps on iPad!!
I know an old couple who burned a good amount of money on their new iPad trying to install some app they knew from Android (something not available ipad, I think it was WhatsApp).