Ask HN: How do you protect your parents from tech scammers?

155 points by nilsb ↗ HN
My dad recently received a call from “Windows support”. He figured out it was a scam call and so luckily no further harm came from it. However, how do you protect your parents from similar tech scams - short of locking down their computers with parental controls?

183 comments

[ 3.7 ms ] story [ 109 ms ] thread
I will add to this for small business owners, my parents who have a restaurant got contacted by "Google maps support" who had tricked Google maps to have a wrong address for the place, and then contacted them to "resolve the issue with a fee".
Teach them this simple heuristic:

No tech company these days will ever call a customer, especially not Microsoft.

If you do receive a call from a more traditional institution like a bank, don't divulge any information. All banks have strong identity theft protections in place, but you haven't authenticated the caller. Ask for a reference id so that you can call the company back using a phone number that you yourself looked up on their company web page.

If the caller has any reason not to comply (and they will have plenty of reasons why they can't), or they insist you use a number that they provide, hang up and forget about it.

'If you do receive a call from a more traditional institution like a bank, don't divulge any information.'

The problem with this, in the UK at least, is that banks do call and ask for personal info such as date of birth, etc. The irony always seems lost on them when you refuse to give it.

Which bank? I've found them mostly understanding when I've asked people if I can call back.

Although they still try to ask for your DOB first, which means you can't have a blanket "If someone calls from your bank and asks for your DOB, they are definitely fraudsters" rule.

Note that fraudsters are doing things like faking caller ID and holding the line open, playing dialling tone on landline calls so that you hang up, think you are dialling again, and actually are still on the original call. The fix there is to use your mobile to call them back, or call someone else first. You can also feed them wrong information and see how they react, but I'd still do the call back thing.

I haven't had them ask for personal info, but I've had NatWest 'advisors' ring from random mobile numbers to confirm I was attending an appointment.

Its quite disconcerting, especially as most corporate VOIP extends to mobiles.

Calling someone else first is a false sense of security: if scammers are faking a dial tone, they will starthaving software to connect the call too, and then resume the scam when you call the bank number.

If it's a landline, call on a mobile.

Hah yes I've had this from NatWest. I always insist that they provide me with a number to phone them back, then check it against their website before dialing.
Not only banks.

My pension provider, Scottish Widows, did this to me a few weeks back, from a private number to boot.

I told them I'd call them back and they were fine. Not sure if it was a scam or not but suspect not as they were pretty ok about the whole thing.

There's a lot of institutional stupidity in banking, given that they need to verify the customer at the same time that the customer needs to verify the bank.

That said, the "call back" test is an easy smell test -- a bad actor will have a huge problem with that, while the bank usually won't think too much of it.

fyi .. Etrade has this stupidity fwiw.
if they call you, it's them who want something from you, right? So they can just bugger off. My bank in Russia used to call me all the time to offer stuff, usually credits. I've ended up just blacklisting them. If there's anything wrong with my account they never call, they block the card and wait for me to call them
That always baffles me with HSBC when they call and ask for personal information like DOB or other to confirm the identity. (The calls were legitimate.) I always tell them I won't provide the information, and then they ask me to call back. But why do they ask for it, when on the other hand they also recommend not to disclose any personal information to unknown parties (the phone number is not good enough verification), escapes me.
The one that drives me bloody insane on HSBC is the text from the bank's 'security department' telling you to call them on a number that is unlisted on any web page.

I've tried to explain to them several times that they are training their customers to fall or scams, but they seem to be unable to comprehend.

// Aside: If this kind of stuff bugs folks enough to want to help change the whole industry, come work with us. Rethink and build better workflows to “do it right” for customers of a global bank.
Yes! First Direct did this to me, and when I asked to call back for security reasons, he was borderline upset. "But sir, I have your mother's maiden name; surely that should be enough validation?" I didn't know whether to laugh or cry.
I know you probably asked yourself this, but could that call also have been a scam?

I mention it because (and this is I think a good contribution to the thread) "getting upset" correlates strongly with "hiding something" and with "axe to grind with the world" and with "not disciplined or patient enough to get a job."

I did wonder, but when I insisted, hung up, and called back, the next CS rep saw the call in their CRM and knew exactly what they wanted to discuss with me. So it's unlikely.

Honestly I think I'd rather had have it be a scam, at that point :/

Ha! Well your current relationship with a bank is probably a scam too, but they're smart enough not to bleed you too quickly!
You can set a password for First Direct to use when calling you. That's worked fine for me, but then I did set up the password like... 20 years ago maybe? Maybe a bit more, I was in this city so that's 20-25 years ago.

It doesn't need to be a very good password, because it's not as though it can be brute forced. It's like the Socialist Millionaire's Protocol situation, a human is in the loop, if you get the answer wrong twice the human is already very annoyed, so you cannot try 100 passwords let alone a billion.

Perhaps last year, when I was trying to resolve some broadband issues with Virgin Media, I had to recite my account password over the phone in order to pass the security check....

Thankfully I don't share passwords across accounts, so only had to update that one!

I've had banks call and ask for personal info. I tell them, "I'm sorry, I don't give that information unless I called you."

They immediately understood, gave me a reference number, and told me to get my credit card and call the number on the back and give the reference number.

When I called back I was able to pick up right where I left off.

On one hand I was impressed that they had this flow, but on the other hand I was disappointed that they were training people that it's ok to give personal information on the phone.

I had another bank do what I thought was the right thing. I got a recorded call that said, "We believe someone used your card to make a gas purchase in Las Vegas. We have locked your card. If this was you, please call the number on the back of your card, press 3, and an operator will be able to unlock your card. Or you can log in with the app and unlock the card yourself."

They did all the right things. They told me unique information that helped identify they weren't a scammer but didn't reveal anything too personal, and then told me how to securely contact them.

That is actually a scam (or can be), where they would play the hang-up sound, play the sound when you dialed the keys and then have a second person continue the call. It worked because land-lines didn't end the call until both parties hanged-up. That means when you picked up the phone again, you were still connected to them.

Don't know if that scam still works, or not, and the same flow is probably used by legitimate senders.

Actually some tech companies do call; at least Dell (well I guess you could argue it’s not a tech company) did cold call me to try to sell overpriced extended warranty on their shitty tower. Probably legit since apparently loads of people get this sort of calls, plus they don’t actually ask for service tag or personal info and you can pay on dell.com so rather pointless as a scam.
But having people mistake sales calls for scams doesn't really do any harm.
I've convinced many of my loved ones to get two-factor authentication on at least their primary e-mail addresses and to treat everything as something that can be compromised e.g. don't make any of your bank accounts front facing that have any more money in them then you are willing to lose.

Obviously this doesn't protect them against the complete set of problems but it is quick to implement and keeps me from being the personal security manager of those I care about.

At the end of the day if someone is running a sophisticated phishing scam some savvy people are going to fall for it - I think the name of the game is damage mitigation not prevention. As long as you can mitigate people from losing a life changing amount of money I think you've won here.

Also want to ask if anyone has a 'parents' Linux setup that has worked well over the years... I tried once maybe 8 years ago and had to figure out how to walk my mom through a kernel panic through the phone... didn't work well :)
Have you - in later years - figured which distro if any, was the easiest and hassle-free, for older people in general (if not your parents specifically)?
I installed ubuntu for my grand father and, two years later, has not had any problem (whereas it took less than a week before he asked my do uninstall the adblocker I gave him...).
My mom has been using Ubuntu MATE for a few years and doesn't even know it. I just put a Firefox icon on the desktop and it was basically the same as any other computer for her.
I have setup xubuntu for my parents to look similar to windows. No sudo access, no password default login on boot. Firefox/Chrome with ublock origin. Virtualbox with win10 is installed for Office. If at all anything happens I do a remote login and check/fix things. Works well so far.
My non-technical parents have been Mint for years with minimal problems. One thing that makes life easier is that they were okay with me enabling sshd for the cases when they want me to investigate something for them.

(An incidental benefit of a Linux household - the calls from "Microsoft" become a lot funnier and less scary.)

My parents have been running Zorin OS lite for a couple years now, they have not had any problems with it. It's based on ubuntu and the lite version has xfce as the desktop. Runs great on their older computer, looks enough like windows that they jumped in without any issues, and it has a pretty basic interface.
My parents are both very intelligent. My mom (a PhD) actually fell for one of those pop-ups that warn your computer is infected. It took many phone calls to reverse the automated charges...

That being said, getting my parents from Windows to Mac was to biggest ROI. Before, with Windows and even Malware Bytes Anti-Malware, I had to literally drive home hours for emergency tech support.

However, I’ve educated them against popup clicking now so much that they pointedly ignore Mac update popup notifications. Oh well, it is what it is. And what it is is much better now in Mac land.

(comment deleted)
> My parents are both very intelligent. My mom (a PhD) actually fell for one of those pop-ups that warn your computer is infected.

There have been many studies that have found that education level, job function ,etc are not indicators of whether someone will fall for a scam. It can and does happen to people all over the place.

This. Everyone can be scammed, without exception. Being smart is not very protective. In fact, some studies have also shown that very intelligent people are more likely to fall for certain types of scams.
As far as I've seen, the single most important factor in whether someone will fall for a scam is the degree to which they match the "target audience" of the scam's script. The practice of spear phishing embodies this principle taken to its logical extreme.
Since I gave my dad a Chromebook instead of a Windows machine - I have no problems at all. It is very hard for the tech support scammers to make him install anything on it.
Most malware I've seen in the field is Chrome extensions, so I would not assume this is enough. I recommend disabling browser extensions for maximum computer illiterate IT safety.
And then online banking and your government eID Middleware won't work...
Whoa, there's governments that require browser extensions to work? That's terrifying (but enlightening, thanks).
My dad is good with computers and has a great online-bullshit radar. My mom and aunt are god awful though. My aunt fell for a 'virus scan' scam recently and the fallout was kind of rough to deal with. Full backup of photos & docs, new passwords, and a full factory reset of the computer. Not a fun weekend for her.

My rules for them: 1. If someone calls you from the bank, hang up and call them back from their phone number listed on their website. 2. If a pop-up comes up warning for viruses, call me immediately. 3. If a pop-up comes up warning about governments coming for you, call me immediately. 4. No one on Earth is going to try to give you money for free online.

I've had to answer plenty of calls about online bullshit, but I prefer that than having to try to deal with the Bank after they get scammed.

Disable browser extensions. It'll remove 90% of fake and real malware they'll run into.
People do not use IE 8 anymore. This hasn't been true in probably half a decade.
I'm mostly talking about Chrome extensions, though Firefox has its fair share of malicious extensions too.
I don't think there is a magic bullet - and yes I have completely considered adding parental controls.

I think there's probably two prongs of attack. Helping them manage their IT and Scam prevention. Scam prevention covers cold calls "from your bank", random letters in the post, people knocking on the door etc. IT competence is supplementary and confidence here helps prevent the former. e.g. If you've installed every toolbar offered to your browser, then a) You shouldn't be in charge of a browser and b) Are more likely to need the help of MS when they call.

Things I've done, in no particular order:

Offered to be their IT support. If in doubt over anything, please call me first. I don't mind, it's how I can be helpful and show gratitude. If I've called them, I've normally got free time, so good time to ask if there's anything they want me to look at whilst I'm here.

Added their machines to my Google One Backup (or whatever your backup solution of choice is with an online family plan). I've tried leaving them with USB drives to plug in and local backup scheduled, but never seems to work out.

Accept some people shouldn't own a PC. Chromebook/ipad provide most of what they need and are relatively sheltered.

Push them towards online services for say email. Yes, they might be used to Thunderbird that you initially set them up with - but de-corrupting local storage, missing emails from that time they accidentally used POP, hooking in AV, anti-spam etc etc. Gmail (or your provider of preference) handles that for you (and you can just use thunderbird with that if you insist - and it will grab mails from that ISP account you mysteriously are attached to).

Education. Quite surprisingly my PC-cautious relative (never messes up, but refuses to embrace) decided to take a "Computer Driving License" course. I was slightly disparaging to be honest, but she found it interesting - and started realizing what she could do. e.g. Address book previously a txt file (kept on a USB stick for security, naturally), made the switch to Excel and mail-merged the envelopes for the Christmas letter.

It's pretty bad in Canada - you get really convincing scammers pretending to be our taxation agency pushing you to pay back taxes in iTunes Giftcards.

This is an obvious scam, but for people who aren't up on this and fearful of "the man" I expect these kinds of scams work for every 1 in 100k people at best and are still probably lucrative enough for them to keep going.

The answer for the OP problem and the Canadian problem are the same: the government never calls you, Microsoft never calls you, no tech company will ever call you.

the government never calls you, Microsoft never calls you, no tech company will ever call you

And none of them will ever ask for payment in gift cards.

There was a fascinating story I read (which now I obviously can't find), which explained why spam emails/pop-ups appear to be so bad. It's because the scammers don't want thousands of responses, they want tens of responses from people who'll believe a shonky looking scam is real. Allows you to triage your potential market down to those more likely to complete the second more expensive (needs a scammer) and unbelievable (government wants taxes in gift-cards) step.
I switched my grandparents PC to linux, Ubuntu in particular. It covers everything they want to do (light web browsing, some text processing, printing, transfering images from their phone/camera to the PC). Has been working great for 3yrs now.

I've also noticed that installing adblock helps, since there's less shady stuff to click.

I've had my parent's PC on Linux for almost 10 years (mostly Xubuntu, was on Mint for a bit). I initially expected to reinstall Windows after a few months, but it worked pretty well. I told them that it looks and works[0] like Windows, and they were off.

[0] As for as using the GUI is concerned. Normal people don't care about the internal workings of their technology.

> I've had my parent's PC on Linux for almost 10 years

I did this with my daughter, and never told her it wasn't Windows. She didn't know or care for years -- until she developed a taste for cutting-edge video games.

this proved to be very effective in my case as well, a gnu\linux distribution + ublock origin.
Give them a chromebook. No virus scanner or firewall needed.

It's 2020 and the "Personal Computer" paradigm is past its expiration date.

Want to keep hobbying with Windows and manage your "PC" like a pet, good luck with that!

Hardware should be managed like cattle with a cloud native setup if you ask me.

Racehorse owners loose 90 cent on every dollar invested, cowboys fly helicopters.

I tell this to my in-laws as well, but they don't seem to understand the difference between hackers and privacy invaders. Yes, Apple and Google want to know you, but, in general they know they security stuff and won't try to fool you with it. But they think it's about the same as giving data to hackers that want to scam them. He thinks for example that using a Gmail address as an apple account makes it magically so that both companies now know everything about you. I have a hard time explaining the difference between security/data-protection and hacking.

In a way I understand them. Google wanting to track you is nefarious but still, the security from viruses/hackers/cryptolocking viruses is unmatched for a Chromebook or an iPad.

My own father wants privacy, has has Apple products, he doesn't want (i/any)Cloud, I buy him a Synology NAS saying the data is his, then Photos libraries go corrupt because the NAS does not have APFS attributes (damn thing works for months until it doesn't). What a nightmare. And I'm explaining all this to a man that doesn't really understand where his Browser ends and the internet starts. So he will wonder if his data is on his Macbook because he can see it in the browser logged into the Synolgy. And then he won't close the browser because the Synology is backing up... It's pretty complex if you think about it. I can understand all the distrust.

But if they already own an iPad maybe this metaphor can make it more easy to explain. Chrome OS on a chromebook is like iOS, Windows / MacOS functions like Android. For me this has kept the discussion simple and people already on iOS understand the difference in flavor immediately.
Some people like it if their data is theirs and not on some server being used for personal advertisements.
For the sake of nuance, in 2019 "tech" has been in unfair bad spotlight while it has been a blessing for society.

We literally have magical powers at our fingertips. People however do not want to spend money on the software that makes this possible, period.

We still have companies like Coke that sell sugar water and propel a tsunami of obesitas at scale with an advertisement budget that only recently is surpassed by Google's annual profit.

There is advertisement and advertisement, helping every business with tools to sell more products and services is moving us forward. Google's Chrome OS offering is a clear business contract which has a paid option.

It is up to you if you want to keep using it for free. I hope more of "us" can convince more people to start paying for software services like GSuite and Chrome OS.

And Apple's iCloud runs on Google's Cloud Spanner. So it's the same "server" anyway.

(comment deleted)
simple... they call me first.

if there is one thing i have _never_ done to my parents, or _anyone_ for that matter, is make fun of them if they call me and ask me for my professional opinion in tech matters. this has extended to situations when they think the situation is shoddy like they are being taken in a scam. i think _this_ is the single reason why my parents have never fell victim to scams. i feel that _most_ parents, or elderly people for that matter, fall victim cause they feel pressure from both ends... the first being the scammers themselves, the second being scared to ask _anyone_ if the situation is legit for fear of being made fun of.

_noone_ should feel scared of being ridicule when asking any question regarding their safety or well-being.

Same here. My 79-yr-old mother is far from sophisticated about tech stuff but understands the basic idea of scams, and is naturally inclined to assume people are out to get something from her. So when she gets suspicious calls or letters (she doesn’t follow her email that closely), she calls me. Sometimes she will try to engage with the scammers, which I’ve tried to tell here is counter-productive.
Good point.

What if the scammer plot "do not call your kids" into their scheme?

Then it's an obvious red flag if the parents know to always call, no matter what!
Yes, when the scheme is simple and straightforward, there is no point to say "do not call your children". But within a little bit sophisticated schemes, scammers can find a reason to plot in this kind of demand. Such as your computer has been compromised by terrorist organization, do not call anyone especially your children.
it should be second nature to ask for help for something you don't understand or feel uncomfortable with. my parents and friends would literally say that they need to consult with their tech guy, that's me :), to make sure everything is alright. they would know something is wrong with the situation right away if they were told not to talk to me by the person.

and that really goes for _ANY_ situation in life. if you are told _not_ to talk to someone else about a situation, you are being controlled and taken advantage of.

I've watched some of Kitboga's streams on Twitch and you are correct. They will not same do not call your children, but they will say they need them to stay on the line over the duration of the call. In fact, if you do get disconnected, they are very quick to call back.
Then it's 99.9999% safe to ignore. There is no reason that calling someone else would be a problem for anything that is legitimate.
^ This.

My parents ring me if they get an odd popup on a webpage to double check if they should ignore it or not. If someone calls them telling them there's something wrong they politely tell the person they will ask me to look at it and politely end the call. And if they purchase stuff off a new website they check with me before they make any purchase so they don't pass their credit card to a dodgy site.

It's better they call and ask me than take a risk, last thing I want to happen is my parents to fall victim to a scam.

i will say that i also install and configure ublock origin on all the browsers that i and my parents use. it's surprising how many times, just innocent web browsing gets you in trouble cause of ads and drive by malware.
+1 for ad blockers - installing one (I use uBo as well) on the computers I "manage" must've saved my relatives 100s of € in falling for scams. I'm sure of this, because a month ago Facebook pushed a bypass for ad blockers and within days, one of my relatives almost lost 300€. What saved her was her poor understanding of English - she called me to translate something for her and I immediately smelled a scam.
> simple... they call me first.

This… seems a bit naive to think your parents will call you first every single time they want to do something special with their computer. It makes me think of parents that assume their teenagers aren't doing anything stupid because they are confident the kids are sharing everything with them.

Anectode: My in-laws are renting their property through Internet. They occasionally receive calls by interested renters and they successfully manage it by themselves. They are almost in their 70's. One day someone had a payment issue and asked to pay them differently, asking for account information so they could send the money directly. They managed to trick them into putting their card number on a fake website displaying the agreed-upon amount. They lost about 100€, the bank couldn't revert the transaction for some reason.

Parents only call you when they are unsure of something. The problem is when the scammer manage to convince them everything is normal, which is exactly what they are good at.

if you think it's naive for your users or loved ones to call you when they have the slightness doubt about something, then perhaps the problem is with how they feel treated or the way you present yourself to them when need help? are you welcoming to their questions or do you act annoyed with them?
> Parents only call you when they are unsure of something. The problem is when the scammer manage to convince them everything is normal, which is exactly what they are good at.

> if you think it's naive for your users or loved ones to call you when they have the slightness doubt about something...

I think you just affirmed their point. You're acknowledging they only call when they have even the slightest doubt. They're saying that is exactly the problem, because they won't call when they have no doubt that everything is normal.

Since your mention euros: I am sure you know that cc transactions are protected in the EU and that you cannot be held accountable above 200 or 250€ (don't remember, this changed recently) when the transaction is fraudulent.

I know you said 100€, but I do not belive a bank will make the claim. I was in that situation twice, the first time they did not even mention it, and the other time they did mention it. When I asked "and so what" they said that they just informed me of that but they they will, of course, not make the claim.

I think this is the key. As a kid, I remember family member of mine would routinely take their computer into friends at their company's IT department (their personal computer, mind you) because they felt less embarrassed asking a coworker for help than their kids. I try to make sure my parents don't feel awkward or embarrassed for asking me with tech help.
> i feel that _most_ parents, or elderly people for that matter, fall victim cause they feel pressure from both ends... the first being the scammers themselves, the second being scared to ask _anyone_ if the situation is legit for fear of being made fun of.

A friends parent got done by a phone scam. "Your router has been compromised, please let us check your PC, oh no they've got the computer, install this. Oh no - they've hacked your bank account and used it to Launder money, the fraud office will contact you. etc etc. The bank saved them when they tried to move a second load of money.

I don't believe for a moment they didn't contact anyone because of a fear of being laughed at - they believed the narrative that this was a secret operation. Ironically it had all the hallmarks of a classic eve online scam.

Do not assume all scammers are mediocre and transparent. Do not assume a close personal relationship is enough.

It's all good until they don't realize the thing that is happening is something they should call about.

You'll sit down to talk to your parents someday and the damage will already be done.

The scammers are fast. They are good. They are like vultures hovering over the elderly. Our parents don't see this stuff coming, and they comply too quickly.

My wife administers a nursing home and this is a daily problem. Their residents get calls from scammers constantly and they have to stop little old men and women from walking out of the building to catch a bus to go to the bank to send money to one scammer after another.

They are always telling them, no, the medicare office does not want you to put all your money in a government bank account for them to make deposits to - those are scammer accounts. No, a nephew you never heard about does NOT need to be bailed out of jail. No, you do not have to buy a pre-paid visa card over the phone in order to pay for medications. No, you never have to purchase a coupon for $50 that will save you $100 at the store, those don't exist. It goes on and on and on and on.

Yeah this doesn't really sound like a strategy for preventing them from getting scammed
You can't prevent everything :(

a lot of the situations you described are targeted at people with dementia and other neurological disorders. there really isn't anything you can do in those cases.

thankfully my parent have their wits and don't suffer from such disorders.

It can also happen quickly with isolated parents if they're at a transition point (still living home) and a scammer walks in. I had a friend who's father was starting to suffer from dementia and had a woman who got control of some of his bank account info and was emptying him out. After my friend had his dad hospitalized, she was calling the hospital trying to get access to him and he had to get his room changed to an alias. Hospitals have frighteningly poor security measures.
When I visit relatives in the hospital there is no one stopping/verifying/questioning me. At all. No checks, no questions, nothing. If you act like you know where you are going no one worries enough to stop you. It has left me feeling concerned each time, especially when it is a younger relative in the hospital.
Definitely. But it may be enough depending on your parents, I think for now it's enough for my mother for example. And the title question is "How do you protect your parents?" not "How, hypothetically, should everybody's parents be protected?"

My mother phoned me because her laptop was yelling at her. Bad guys had taken over her browser (IE maybe? Or Edge? I genuinely don't remember) and on start-up it was repeating a verbal message on maximum volume about how they now controlled her computer and she needed to call them to... well you know how these go.

But she had the sense to realise that even though it said she must call _them_ she could rather call _me_ and since it was yelling at her she put the laptop down and left it yelling into thin air. I walked her through the surprisingly easy process to disable it and get her back in her comfort zone. I explained what they'd tried to achieve, that they had tried to trick her into thinking they were more powerful than they really were - and praised her for taking the time to call me.

Scammers can definitely be fast. My grandfather was scammed recently. He got a phone call claiming to be some sort of technical support for the retirement community he was living in. Eventually he figured out he was being scammed, hung up, and called me.

Unfortunately, because it had happened so quickly he didn't remember everything the scammer had asked him to do. So it took quite a bit of searching until we figured it out.

This is how I approach it at work (a non-profit where we deal with sensitive data). Every new employee and volunteer goes through a 30-minute training webinar on security when they start: spotting phishing emails, choosing good passwords, 2FA etc.

At the end, I tell them that if something just feels off, even if they can't figure out why, I'd rather they call or message me on Slack than ignore it. It absolutely never bothers me when they do it - in fact, it makes me feel better. Maybe 1% of reports are actual issues, but I'd rather deal with 99% false positives than miss even one thing.

I’ve seen the kind of videos that FAANGs require their new employees to watch. Not good. Even scarily bad.

If you are at a FAANG, then the phish success rate against your company is probably in the mid single digit percentages.

If you’re at a Fortune 50 company, then the phish success rate against your company is most likely in the high single digit percentage range — if you’re lucky.

If you’re at a company not big enough to be in the Fortune 50, then the phish success rate at your company is most likely in the double digit percentage range. That’s right, over 10% of all phishing messages sent to people in your company will end up hooking their targets.

And the sad thing is that we techies are the ones that are supposed to be most aware of these things and most likely to be able to protect against them.

This is not the best advice when your 90 year old father loves using his Mac and iPhone, and is constantly "fixing" things when something "didn't work"
_noone_ should feel scared of being ridicule when asking any question regarding their safety or well-being.

In 2020, does this mean anything online anymore? Or does it mean more than ever? I've gotten to the point where a -50 karma is just a momentary annoyance, and I just think of it as "imaginary Internet points."

I could see how a kid who was conditioned to see their self-value in karma or views might take it hard. I've certainly been in that boat. Has there been a peak, then decline in online social media cynicism, like there was with child computer literacy? (Went up, peaked, then went down.) (Thankfully, my parents have always been extreme social media cynics.)

Scammers have ways around that as well. My father called me once asking about malware, he also mentioned that they actually placed a timer, applying pressure that he supposed to respond within 2 minutes. There are a lot of tricks those scammers are using.
My mom is 88 yo.

I have installed ChromeOS on her laptop, uBlock in Chrome, set router DNS to my own (which filters out spam, malware, ads etc.).

Set an iPhone option to accept only calls from Contacts. I am also going through call lists periodically and block marketing calls etc.

I have also cut the cord on land line.

This is something I've been thinking about for a while. If my dad goes before my Mom, I want to set something up to protect my Mother. She's an extremely trusting person, and generally not good at understanding the things she signs. I don't want to take autonomy from her, but I'd like to set something up so any purchase over some set threshold would need to be verified by either my brother or myself. My Dad is probably going to leave her with a pretty decent nest egg... and I really worry about her, especially since both my brother and I live in another State.
Maybe you can try letting her getting scammed on small things, so that she can train her ability to discern scams. Before she get scammed on something huge. The best would probably be a game, game doesn't have a huge consequence, this is good for training. Maybe some game like Resistance or The Werewolves of Millers Hollow. Maybe she is in deny, that someone would think of taking advantage of someone else thrust. Would be curious to know if making her take advantage of someone else thrust trought a game (like one cited above), would help her evolve.
^ But also, tell her before you do this. Respecting autonomy and agency matters.
Consider taking some autonomy away from her.

A lot of work to set up, but it might be worth it in your case.

Put almost all of her money in a main account that requires approval from you or your brother.

Give your mom a checking account with regular monthly deposits from the main account.

We did this for my mom, and she was relieved to have the burden off her shoulders.

I wonder if parental controls would be more palatable if they were called something like "Remote Security Administration" and your child set themselves up as the "administrator" with your permission.
Rather than 2 Factor, could have 2 Person Authentication.

Not just for parents. If say I've rolled in one night, after one too many beers after work, might be handy if my wife had to confirm any random purchases I attempt to make.

I think you're on to something. I get worn out if someone calls me all the time for support. But if I got an email asking me to approve a security action, like downloading a lesser known URL or installing an app, that'd be pretty fine.

And it can be async too (at the cost of convenience): "You will be notified when your download is complete and the security administrator has reviewed it for safety"

I've actually considered doing something similar by proxying all of their web traffic through my server and setting up a dynamic whitelist of domain names. I'd pre-populate it with sites I'm sure are 'safe' and have it send me a notification for anything new. If I approve it, it gets whitelisted.

Sounds pretty easy to implement, but it would take a long time to get my folks used to it and a sibling or two probably wouldn't hurt for efficiency.

This is a great idea. All about not making it seem patronising.
Two things:

- I buy them Apple devices. n=4 here, but it really seems when my family (mom, father-in-law, mother-in-law, and older brother who is borderline tech illiterate) made the switch from Android to iOS devices or even PC to Mac, they just had less of an issue with this. It's anecdotal, I am not a diehard Apple fanboy, but take it for what it is.

- I tell them to always close any and all popups. Point blank, carte blanche, doesn't matter how sincere it seems, or if it even is legitimate, just close it. If there's something she ends up not being able to do eventually she just calls me.

First thing I did when I set them up w/ a PC years ago is send them an email from our President with obfuscated links to something absurd. These brought home the dual points if never trusting the sender's identity and never clicking links. There's be more to it but that's 80% right there.
It's disappointing that US telecoms are so far behind in shaken/stirred, reputation based call blocking, etc. Email spam is not the problem for me that it was 10+ years ago. Telephone spam and scam, on the other hand, is worse than ever, and rising.

Maybe NLP will get to the point that an automated answering service would pass for human, and screen callers effectively and cheaply.

Of course, if NLP (and speech processing) gets that good, the scammers can just automate their operations and we're in another arms race.
I was assuming the NLP on the screening side could take advantage of things the scammers don't always know. Like "who are you trying to reach?", for example.
Unfortunately my mother trained herself mostly (I do block a bunch of stuff at a DNS level though on her PC), she lives with me and umpteen times a week:

"Can you come here the computer/phone/ipad is saying something, have I been hacked"

- no, it's telling you that you have an email, no it's telling you that you are getting a call, no that's your other son asking you a question...

"How do I save something again"

- you've been working with computers longer than I've been alive... click the save button "where" the disk "where" or go to file save "where is file" points "I don't see it" my finger is touching it!!!

- Are you ^(!@#$@ kidding me

- Look at your paper, you've written this down three times

"How do I save something to my zip disk"

- You don't have a zip disk, you have a usb drive or a thumb drive, you've never had a zip disk, I've never had a zip disk, zip disks were stupid and still are and I don't understand why Amazon has them for sale for so much!

"can you print this for me at work"

- no, I've told you this 37 times, go to FedEx office with your usb drive, I'm not printing 173 pages of whatever that is and risk getting fired

I promise you, it's all a con. There's no way she doesn't know exactly what she's doing and just likes messing with me. I've showed her how to turn the volume up and down on her iPhone at least 100 times. You've got 3 buttons, figure it out mom! I swear I'm going to have a stroke or a heart attack one of these days while showing her how to do something for the 97th time.

My brother on the other hand... when he still lived close it felt like every other week I was reinstalling windows for him. He'd torrent everything, click any link, open ever attachment... eventually I just blocked obscene numbers of domains and ran him through a 'family safe' DNS filter. I don't know what he does now, I guess his teenage step son has to suffer through helping him.

Don't baby them. Ask them productive questions in response - "well, which icon do you think is for saving?" You can guide them "well usually that's at the top of the screen" but don't take the device from them or do it for them.

You want to teach them how to fish, not hand fish to them every time they ask.

Have them watch Kitboga. https://kitboga.com/
Was just about to say this but cmd-f'ed for it first... :)

Kitboga is great. His tone is not too aggressive or caustic like some other scambaiters. And he is extremely funny. I mean brilliantly funny..

He livestreams on https://twitch.tv/kitboga at least 4 times a week generally...

I am surprised no one mentioned AdBlock yet. Often you contract an virus/adware/... through and ad, especially when the ad is confused with a feature of the website. I use noscripts also, but that is not for non tech peoples. Apart from that I don't know, maybe, do not give them admin rights on the computer?
Easy: just ask the scammer where he calls from, then hang up and call them yourself. If the problem is legitimate, you get to talk to real clerk and resolve it, if not the real person will tell you that. Bonus points: tell them the phone of the scammer and they can do smth about it, like start investigation as to who leaked your data to criminals.