Ask HN: How do you protect your parents from tech scammers?
My dad recently received a call from “Windows support”. He figured out it was a scam call and so luckily no further harm came from it. However, how do you protect your parents from similar tech scams - short of locking down their computers with parental controls?
183 comments
[ 3.7 ms ] story [ 109 ms ] threadNo tech company these days will ever call a customer, especially not Microsoft.
If you do receive a call from a more traditional institution like a bank, don't divulge any information. All banks have strong identity theft protections in place, but you haven't authenticated the caller. Ask for a reference id so that you can call the company back using a phone number that you yourself looked up on their company web page.
If the caller has any reason not to comply (and they will have plenty of reasons why they can't), or they insist you use a number that they provide, hang up and forget about it.
The problem with this, in the UK at least, is that banks do call and ask for personal info such as date of birth, etc. The irony always seems lost on them when you refuse to give it.
Although they still try to ask for your DOB first, which means you can't have a blanket "If someone calls from your bank and asks for your DOB, they are definitely fraudsters" rule.
Note that fraudsters are doing things like faking caller ID and holding the line open, playing dialling tone on landline calls so that you hang up, think you are dialling again, and actually are still on the original call. The fix there is to use your mobile to call them back, or call someone else first. You can also feed them wrong information and see how they react, but I'd still do the call back thing.
Its quite disconcerting, especially as most corporate VOIP extends to mobiles.
If it's a landline, call on a mobile.
My pension provider, Scottish Widows, did this to me a few weeks back, from a private number to boot.
I told them I'd call them back and they were fine. Not sure if it was a scam or not but suspect not as they were pretty ok about the whole thing.
That said, the "call back" test is an easy smell test -- a bad actor will have a huge problem with that, while the bank usually won't think too much of it.
I've tried to explain to them several times that they are training their customers to fall or scams, but they seem to be unable to comprehend.
I mention it because (and this is I think a good contribution to the thread) "getting upset" correlates strongly with "hiding something" and with "axe to grind with the world" and with "not disciplined or patient enough to get a job."
Honestly I think I'd rather had have it be a scam, at that point :/
It doesn't need to be a very good password, because it's not as though it can be brute forced. It's like the Socialist Millionaire's Protocol situation, a human is in the loop, if you get the answer wrong twice the human is already very annoyed, so you cannot try 100 passwords let alone a billion.
Thankfully I don't share passwords across accounts, so only had to update that one!
They immediately understood, gave me a reference number, and told me to get my credit card and call the number on the back and give the reference number.
When I called back I was able to pick up right where I left off.
On one hand I was impressed that they had this flow, but on the other hand I was disappointed that they were training people that it's ok to give personal information on the phone.
I had another bank do what I thought was the right thing. I got a recorded call that said, "We believe someone used your card to make a gas purchase in Las Vegas. We have locked your card. If this was you, please call the number on the back of your card, press 3, and an operator will be able to unlock your card. Or you can log in with the app and unlock the card yourself."
They did all the right things. They told me unique information that helped identify they weren't a scammer but didn't reveal anything too personal, and then told me how to securely contact them.
Don't know if that scam still works, or not, and the same flow is probably used by legitimate senders.
Obviously this doesn't protect them against the complete set of problems but it is quick to implement and keeps me from being the personal security manager of those I care about.
At the end of the day if someone is running a sophisticated phishing scam some savvy people are going to fall for it - I think the name of the game is damage mitigation not prevention. As long as you can mitigate people from losing a life changing amount of money I think you've won here.
(An incidental benefit of a Linux household - the calls from "Microsoft" become a lot funnier and less scary.)
That being said, getting my parents from Windows to Mac was to biggest ROI. Before, with Windows and even Malware Bytes Anti-Malware, I had to literally drive home hours for emergency tech support.
However, I’ve educated them against popup clicking now so much that they pointedly ignore Mac update popup notifications. Oh well, it is what it is. And what it is is much better now in Mac land.
There have been many studies that have found that education level, job function ,etc are not indicators of whether someone will fall for a scam. It can and does happen to people all over the place.
My rules for them: 1. If someone calls you from the bank, hang up and call them back from their phone number listed on their website. 2. If a pop-up comes up warning for viruses, call me immediately. 3. If a pop-up comes up warning about governments coming for you, call me immediately. 4. No one on Earth is going to try to give you money for free online.
I've had to answer plenty of calls about online bullshit, but I prefer that than having to try to deal with the Bank after they get scammed.
I think there's probably two prongs of attack. Helping them manage their IT and Scam prevention. Scam prevention covers cold calls "from your bank", random letters in the post, people knocking on the door etc. IT competence is supplementary and confidence here helps prevent the former. e.g. If you've installed every toolbar offered to your browser, then a) You shouldn't be in charge of a browser and b) Are more likely to need the help of MS when they call.
Things I've done, in no particular order:
Offered to be their IT support. If in doubt over anything, please call me first. I don't mind, it's how I can be helpful and show gratitude. If I've called them, I've normally got free time, so good time to ask if there's anything they want me to look at whilst I'm here.
Added their machines to my Google One Backup (or whatever your backup solution of choice is with an online family plan). I've tried leaving them with USB drives to plug in and local backup scheduled, but never seems to work out.
Accept some people shouldn't own a PC. Chromebook/ipad provide most of what they need and are relatively sheltered.
Push them towards online services for say email. Yes, they might be used to Thunderbird that you initially set them up with - but de-corrupting local storage, missing emails from that time they accidentally used POP, hooking in AV, anti-spam etc etc. Gmail (or your provider of preference) handles that for you (and you can just use thunderbird with that if you insist - and it will grab mails from that ISP account you mysteriously are attached to).
Education. Quite surprisingly my PC-cautious relative (never messes up, but refuses to embrace) decided to take a "Computer Driving License" course. I was slightly disparaging to be honest, but she found it interesting - and started realizing what she could do. e.g. Address book previously a txt file (kept on a USB stick for security, naturally), made the switch to Excel and mail-merged the envelopes for the Christmas letter.
This is an obvious scam, but for people who aren't up on this and fearful of "the man" I expect these kinds of scams work for every 1 in 100k people at best and are still probably lucrative enough for them to keep going.
The answer for the OP problem and the Canadian problem are the same: the government never calls you, Microsoft never calls you, no tech company will ever call you.
And none of them will ever ask for payment in gift cards.
I've also noticed that installing adblock helps, since there's less shady stuff to click.
[0] As for as using the GUI is concerned. Normal people don't care about the internal workings of their technology.
I did this with my daughter, and never told her it wasn't Windows. She didn't know or care for years -- until she developed a taste for cutting-edge video games.
It's 2020 and the "Personal Computer" paradigm is past its expiration date.
Want to keep hobbying with Windows and manage your "PC" like a pet, good luck with that!
Hardware should be managed like cattle with a cloud native setup if you ask me.
Racehorse owners loose 90 cent on every dollar invested, cowboys fly helicopters.
In a way I understand them. Google wanting to track you is nefarious but still, the security from viruses/hackers/cryptolocking viruses is unmatched for a Chromebook or an iPad.
My own father wants privacy, has has Apple products, he doesn't want (i/any)Cloud, I buy him a Synology NAS saying the data is his, then Photos libraries go corrupt because the NAS does not have APFS attributes (damn thing works for months until it doesn't). What a nightmare. And I'm explaining all this to a man that doesn't really understand where his Browser ends and the internet starts. So he will wonder if his data is on his Macbook because he can see it in the browser logged into the Synolgy. And then he won't close the browser because the Synology is backing up... It's pretty complex if you think about it. I can understand all the distrust.
We literally have magical powers at our fingertips. People however do not want to spend money on the software that makes this possible, period.
We still have companies like Coke that sell sugar water and propel a tsunami of obesitas at scale with an advertisement budget that only recently is surpassed by Google's annual profit.
There is advertisement and advertisement, helping every business with tools to sell more products and services is moving us forward. Google's Chrome OS offering is a clear business contract which has a paid option.
It is up to you if you want to keep using it for free. I hope more of "us" can convince more people to start paying for software services like GSuite and Chrome OS.
And Apple's iCloud runs on Google's Cloud Spanner. So it's the same "server" anyway.
if there is one thing i have _never_ done to my parents, or _anyone_ for that matter, is make fun of them if they call me and ask me for my professional opinion in tech matters. this has extended to situations when they think the situation is shoddy like they are being taken in a scam. i think _this_ is the single reason why my parents have never fell victim to scams. i feel that _most_ parents, or elderly people for that matter, fall victim cause they feel pressure from both ends... the first being the scammers themselves, the second being scared to ask _anyone_ if the situation is legit for fear of being made fun of.
_noone_ should feel scared of being ridicule when asking any question regarding their safety or well-being.
What if the scammer plot "do not call your kids" into their scheme?
and that really goes for _ANY_ situation in life. if you are told _not_ to talk to someone else about a situation, you are being controlled and taken advantage of.
My parents ring me if they get an odd popup on a webpage to double check if they should ignore it or not. If someone calls them telling them there's something wrong they politely tell the person they will ask me to look at it and politely end the call. And if they purchase stuff off a new website they check with me before they make any purchase so they don't pass their credit card to a dodgy site.
It's better they call and ask me than take a risk, last thing I want to happen is my parents to fall victim to a scam.
This… seems a bit naive to think your parents will call you first every single time they want to do something special with their computer. It makes me think of parents that assume their teenagers aren't doing anything stupid because they are confident the kids are sharing everything with them.
Anectode: My in-laws are renting their property through Internet. They occasionally receive calls by interested renters and they successfully manage it by themselves. They are almost in their 70's. One day someone had a payment issue and asked to pay them differently, asking for account information so they could send the money directly. They managed to trick them into putting their card number on a fake website displaying the agreed-upon amount. They lost about 100€, the bank couldn't revert the transaction for some reason.
Parents only call you when they are unsure of something. The problem is when the scammer manage to convince them everything is normal, which is exactly what they are good at.
> if you think it's naive for your users or loved ones to call you when they have the slightness doubt about something...
I think you just affirmed their point. You're acknowledging they only call when they have even the slightest doubt. They're saying that is exactly the problem, because they won't call when they have no doubt that everything is normal.
I know you said 100€, but I do not belive a bank will make the claim. I was in that situation twice, the first time they did not even mention it, and the other time they did mention it. When I asked "and so what" they said that they just informed me of that but they they will, of course, not make the claim.
A friends parent got done by a phone scam. "Your router has been compromised, please let us check your PC, oh no they've got the computer, install this. Oh no - they've hacked your bank account and used it to Launder money, the fraud office will contact you. etc etc. The bank saved them when they tried to move a second load of money.
I don't believe for a moment they didn't contact anyone because of a fear of being laughed at - they believed the narrative that this was a secret operation. Ironically it had all the hallmarks of a classic eve online scam.
Do not assume all scammers are mediocre and transparent. Do not assume a close personal relationship is enough.
You'll sit down to talk to your parents someday and the damage will already be done.
The scammers are fast. They are good. They are like vultures hovering over the elderly. Our parents don't see this stuff coming, and they comply too quickly.
My wife administers a nursing home and this is a daily problem. Their residents get calls from scammers constantly and they have to stop little old men and women from walking out of the building to catch a bus to go to the bank to send money to one scammer after another.
They are always telling them, no, the medicare office does not want you to put all your money in a government bank account for them to make deposits to - those are scammer accounts. No, a nephew you never heard about does NOT need to be bailed out of jail. No, you do not have to buy a pre-paid visa card over the phone in order to pay for medications. No, you never have to purchase a coupon for $50 that will save you $100 at the store, those don't exist. It goes on and on and on and on.
a lot of the situations you described are targeted at people with dementia and other neurological disorders. there really isn't anything you can do in those cases.
thankfully my parent have their wits and don't suffer from such disorders.
My mother phoned me because her laptop was yelling at her. Bad guys had taken over her browser (IE maybe? Or Edge? I genuinely don't remember) and on start-up it was repeating a verbal message on maximum volume about how they now controlled her computer and she needed to call them to... well you know how these go.
But she had the sense to realise that even though it said she must call _them_ she could rather call _me_ and since it was yelling at her she put the laptop down and left it yelling into thin air. I walked her through the surprisingly easy process to disable it and get her back in her comfort zone. I explained what they'd tried to achieve, that they had tried to trick her into thinking they were more powerful than they really were - and praised her for taking the time to call me.
Unfortunately, because it had happened so quickly he didn't remember everything the scammer had asked him to do. So it took quite a bit of searching until we figured it out.
At the end, I tell them that if something just feels off, even if they can't figure out why, I'd rather they call or message me on Slack than ignore it. It absolutely never bothers me when they do it - in fact, it makes me feel better. Maybe 1% of reports are actual issues, but I'd rather deal with 99% false positives than miss even one thing.
If you are at a FAANG, then the phish success rate against your company is probably in the mid single digit percentages.
If you’re at a Fortune 50 company, then the phish success rate against your company is most likely in the high single digit percentage range — if you’re lucky.
If you’re at a company not big enough to be in the Fortune 50, then the phish success rate at your company is most likely in the double digit percentage range. That’s right, over 10% of all phishing messages sent to people in your company will end up hooking their targets.
And the sad thing is that we techies are the ones that are supposed to be most aware of these things and most likely to be able to protect against them.
In 2020, does this mean anything online anymore? Or does it mean more than ever? I've gotten to the point where a -50 karma is just a momentary annoyance, and I just think of it as "imaginary Internet points."
I could see how a kid who was conditioned to see their self-value in karma or views might take it hard. I've certainly been in that boat. Has there been a peak, then decline in online social media cynicism, like there was with child computer literacy? (Went up, peaked, then went down.) (Thankfully, my parents have always been extreme social media cynics.)
I have installed ChromeOS on her laptop, uBlock in Chrome, set router DNS to my own (which filters out spam, malware, ads etc.).
Set an iPhone option to accept only calls from Contacts. I am also going through call lists periodically and block marketing calls etc.
I have also cut the cord on land line.
A lot of work to set up, but it might be worth it in your case.
Put almost all of her money in a main account that requires approval from you or your brother.
Give your mom a checking account with regular monthly deposits from the main account.
We did this for my mom, and she was relieved to have the burden off her shoulders.
Not just for parents. If say I've rolled in one night, after one too many beers after work, might be handy if my wife had to confirm any random purchases I attempt to make.
And it can be async too (at the cost of convenience): "You will be notified when your download is complete and the security administrator has reviewed it for safety"
Sounds pretty easy to implement, but it would take a long time to get my folks used to it and a sibling or two probably wouldn't hurt for efficiency.
a couple of weeks ago, so I told them to call me before they make any technical purchase/decision.
Recently featured on ProductHunt: https://www.producthunt.com/posts/phonescreen
Their website: https://www.phonescreen.co
- I buy them Apple devices. n=4 here, but it really seems when my family (mom, father-in-law, mother-in-law, and older brother who is borderline tech illiterate) made the switch from Android to iOS devices or even PC to Mac, they just had less of an issue with this. It's anecdotal, I am not a diehard Apple fanboy, but take it for what it is.
- I tell them to always close any and all popups. Point blank, carte blanche, doesn't matter how sincere it seems, or if it even is legitimate, just close it. If there's something she ends up not being able to do eventually she just calls me.
Maybe NLP will get to the point that an automated answering service would pass for human, and screen callers effectively and cheaply.
"Can you come here the computer/phone/ipad is saying something, have I been hacked"
- no, it's telling you that you have an email, no it's telling you that you are getting a call, no that's your other son asking you a question...
"How do I save something again"
- you've been working with computers longer than I've been alive... click the save button "where" the disk "where" or go to file save "where is file" points "I don't see it" my finger is touching it!!!
- Are you ^(!@#$@ kidding me
- Look at your paper, you've written this down three times
"How do I save something to my zip disk"
- You don't have a zip disk, you have a usb drive or a thumb drive, you've never had a zip disk, I've never had a zip disk, zip disks were stupid and still are and I don't understand why Amazon has them for sale for so much!
"can you print this for me at work"
- no, I've told you this 37 times, go to FedEx office with your usb drive, I'm not printing 173 pages of whatever that is and risk getting fired
I promise you, it's all a con. There's no way she doesn't know exactly what she's doing and just likes messing with me. I've showed her how to turn the volume up and down on her iPhone at least 100 times. You've got 3 buttons, figure it out mom! I swear I'm going to have a stroke or a heart attack one of these days while showing her how to do something for the 97th time.
My brother on the other hand... when he still lived close it felt like every other week I was reinstalling windows for him. He'd torrent everything, click any link, open ever attachment... eventually I just blocked obscene numbers of domains and ran him through a 'family safe' DNS filter. I don't know what he does now, I guess his teenage step son has to suffer through helping him.
You want to teach them how to fish, not hand fish to them every time they ask.
Kitboga is great. His tone is not too aggressive or caustic like some other scambaiters. And he is extremely funny. I mean brilliantly funny..
He livestreams on https://twitch.tv/kitboga at least 4 times a week generally...