How do you guys protect elderly parents? My parents and in-laws aren’t there yet but they all in the retired age group.
A friend of the family recently had his email hacked. They sent targeted emails to all his contacts and setup a filter to hide the communication. His brother in law is a stoke victim with impaired cognition and only has access to $12k or so at a time. They were able to scam all of it from him over multiple transfers and he never picked up the phone to call the family friend. The family fiend is also his caretaker and limits his funds access for this exact reason.
The family friend is a retired old GE executive who will probably never run out of money no matter how many cars he buys due to pension funds. I wonder if he was targeted.
I think you can get away with these restrictions since most of our grandparent’s lives, they didn’t have much access to these services.
But what do we do when we get old? Will we be rational enough to disconnect ourselves? What if we don’t have any children that can help us make this decision?
I have power of attorney and manage their finances for them (mid 90s relative). They spend on a credit card which I make payments against, and review transactions monthly for anomalies (anything besides Walmart, grocery store, pharmacy, Amazon, and recurring monthly services or utilities throws red flags). Make sure your estate planning is properly performed before they decline (physically or mentally).
Behavioral improvements and education are nice to haves, but constant vigilance has a high cost for folks at this age and it only takes one successful adversarial attempt to succed. In this case, strong controls and guardrails are a superior solution imho.
You might run into headwinds because in their era using a credit card was generally seen as a bad thing (borrowing, takes longer in line, etc). You might have luck finding a card with cash back rewards and/or a referral fee and selling them on those aspects.
If they want someone to take care of them, then they need to give up some agency. Spending everything via credit card is the easiest and most effective way to solve this problem.
Yeah, my grandfather was absolutely opposed to giving up any agency. Especially to his daughters, so I was the front man. When we had to take away his car keys, he came after me with his cane. Hilarious in retrospect, as it was almost a cartoon. But at the time, it was quite dramatic.
I agree, but that negotiation isn't necessarily in explicit terms. In my experience elderly people will spend all day insisting that they will do something themselves (protecting their own ego), yet most of the time if you go ahead and just do it for them they just accept it and move on.
Interesting! Would a specialized credit card be useful to you here? My Amex has pretty nice instant notifications, which are enough for my own fraud monitoring. But for an elderly relative, would you want something more sophisticated?
In my grandmother's case, it's a run of the mill Bank of America rewards credit card (I had to burn goodwill just to get this far, so we agreed to stay with her preferred bank). Before my mother's death, when I was supporting her financially and her having had a long history of and struggle with addiction, I used TrueLink (which I cannot recommend enough, and had found them here on HN) as it allows you control which category of merchants the payment method can be used with and has strong reporting capabilities on spend.
That's a great idea. And it's easier than ever, now -- at least in my experience. For a while I still had to use bill pay or debit for some of my utilities, but now even those all take credit card. I do it for convenience and the rewards (and because the last time my wife used her debit card it got skimmed), but the result is the same -- 100% of my own spending is on my credit card now. This would work great for my own mother if she gets to a point where I doubt her ability to resist con artists.
Beyond the obvious stuff like installing an ad blocker, I don't know. The best idea I've seen is what you already said, just limit access to funds. When my dad went through Alzheimers, we canceled his cards through the bank or let them expire and just never told him. But he was far enough gone that he would never have had reason to buy anything anyway so he never noticed. For someone still functional but easily tricked and unreceptive to the idea of limits, I don't know.
The best option I found was to explain - multiple times - to my grandparents that these scams exist and how each of them work. Hopefully if they are ever approached by a scammer, they'll remember my warning and that hesitation will break them out of the fear used in the scams.
I frequently remind my parents that nearly every email and phone call they get is a scammer. Might be good to "pen test" your parents, through a friend or something.
Is there any way with US banks to only allow transfers via in-person, at-the-bank requests? Some accounts just don't need the convenience of online access, and tired of the "identity theft" spiel from banks to absolve themselves of responsibility.
Unfortunately I had to just give my parents (68 and 67 years old) ground rules for all forms of communication. This happened after my dad got a fake $3000 invoice from paypal and he paid it.
1. If a service provider you use reaches out via email asking for money, its fake. Login to their online portal (it took a lot of coaxing to get them comfortable with this...)
2. If a service provider reaches out to you via SMS or Phone call, even if they know your account number or other sensitive data: Tell them you will call them back on the phone number listed on their website. If they insist, its fake.
3. If you aren't sure its fake, just ask me to look at it.
#3 might be something to try and like really hammer home. Be like "I would rather you ask me about 100 different scam attempts and save $1000s then just pay"
These are good ground rules. Fortunately or unfortunately, my parents were scammed once pretty early on, I believe for a small amount, so they are well aware of what to look for. But after 10 more years of cognitive decline? 20 more? Who knows if they'll still be on guard.
The simple rule of thumb that will keep people reasonably safe is: Do not trust anyone who E-mails or calls over the phone to be who they say they are. If they say they are from business XYZ, hang up the phone and call XYZ's main number and ask for them. While there are exceptions and scammers are getting craftier, incoming calls and E-mail is by far the major attack vector.
These are all very good. Here's one that saved me a fuckton of tech support time: set up dns adblocking/malware domain blocking right on their network/router settings. Save it to the factory defaults too if supported or put some tape over the reset pinhole button.
My stepfather always tries the factory reset button as if it's just a more hardcore reboot to "fix" the internet when the service is simply out.
My parents are the same age and have already been scammed a few times. I set up similar rules but I am afraid they might get sucked in again. I don’t understand why law enforcement isn’t doing anything about this. Surely the surveillance dragnet they’ve set up over the last few decades can tell them who is making 750,000 calls a day to elderly people in the US?
U.S. political will to make positive and reasonable changes, like legislating that telecoms crack down on scam call sources or prevent spoofing, seems to have fallen apart. So many people are caught up in culture wars, there's only one thing they care to get behind, and it's taking our country back from those terrible, immoral, brain dead people on "the other side". Voters don't deviate from their tribe, so there's little incentive as a candidate to deviate from standard tribe policy, and so votes are inutile with respect to policy.
If there's a private sector solution to the scam calls that can be charged heavily for, that's what we're most likely to get. The competent parts of government aren't concerned with this stuff. Congress has to make it a concern, but they mostly toil on behalf of corporate lobbyists. Lobbyists aren't hired to help society at the expense of who they represent.
Intelligent, informed voters and honest politicians would have solved this and many other problems already, but we're extremely far from that ideal, and I think still trending away.
I've wondered before if posting in HN threads like this one is a better way to influence policy than going to the polls, since someone with influence could be reading. Maybe what I should actually be doing is writing to my representatives, as that's probably more impactful than either.
I really think there should be a startup that integrates with Plaid pulling all bank transactions to build AI models for this.
I think real time alerts or daily summaries sent to trusted caretakers. Another layer is having the caretaker approve of the transactions. Can think of this as 2 factor authentication where they'd have to hack multiple phones or accounts for a successful scam.
For example, seeing multiple gift cards would be suspicious. Or if you know your parents never take out more than 100$ from the ATM.
Sometimes though they willingly scam themselves. My dad gave this real life scammer 30k in advance payment in return for future caregiving services. We told him she was scamming us and he didn't care. When she asked him for more money to buy a new car he finally realized she was truly scamming him.
We need a mechanism like a credit lock. The ability to block all transactions over $XX.00 until verified out of band. For a lot of these people, that would be only a few times per year and not a big headache. We need to give the CFPB more power.
I pretty much just tell them to assume that anyone contacting them by whatever means asking them to do anything is a scammer.
In my experience, trying to list and explain all of the ways that scams happen actually has the complete opposite effect — either it ends up as information overload and they don't remember it, or they become so fearful of doing wrong in specific situations that they almost certainly become more vulnerable to fear-based attacks as a result.
I told my mother (who is 81) that the answer is always no. There is never an emergency, the answer is always no, she should hang up and then talk to me. Personally, if possible (we live 10 minutes apart) or at least on the phone. Any legitimate need for money can wait that long.
Fortunately, my mother has a somewhat technical background and her mind is 100% still there, so it hasn't ever been a real concern yet. She's skeptical by nature of what she sees online.
> How do you guys protect elderly parents? My parents and in-laws aren’t there yet but they all in the retired age group.
The ability to reason about money deteriorates with cognitive decline, in large part, I think, because it so abstract.
The solution is for them to not have direct access to control all their finances, but rather get monthly amounts via a trust. That way, downside is limited.
I upgraded my mom from an iPad to a Chromebook (her first computer) recently. I installed uBlock Origin and set a secure password for the Google account which I store in my password manager, and then instructed her to use the Chrome password manager when she needs it.
While I'm confident in the security of Chromebook in general, I'm worried by how readily she pulls out her credit card and types the number into obscure sites for purchasing wedding gifts, etsy items, etc. A few years ago she would click on Facebook ads and buy shit quality products for little reason, but I think she eventually learned not to do that.
At least it's a credit card and not a debit card. My dad manages the banking, and is a bit more sophisticated, but even he does things like install programs meant to protect him that actually expose him to more vulnerabilities. For example, there is some Symantec monstrosity installed on his computer that injects a green checkmark into Google search results next to each site it thinks is "trustworthy."
It's definitely frightening and mostly a numbers game whether they'll be the next victims of a scam.
I've conditioned my parents to doubt every form of communication that comes to them, whether its a phone call, mailed invoice, or emailed. They'll take a picture and ask me before doing anything about it. Hopefully this practice continues as they age. Sure its a little more of a nuisance for me, but it also gives peace of mind that I'm helping in some small way.
Call your governments, and apply pressure to force them to force the business community (telcos, banks, etc) to stop tolerating this and get serious about it.
We have this sort of issue with my mother-in-law (90s). The best thing I did was setup a Chromebook (ChromeOS Flex) with just the basics (mail, photos, etc). From there, we routinely login to the GMail account and remove crap from her emails. It is tough - especially since the world is so on-line (photos of grandchildren, etc). Given the huge disparity between her age and technology, it is extremely important we act as her proxy for her online communications. Privacy be dammed.
Something I haven't seen mentioned is a DNS firewall to block phishing domains and newly registered domains. I use NextDNS for that and I'm sure there are others.
Feel like this number will only grow with the consumer AI advances.
Text is one thing, but also thinking of deep faking video/audio. Elderly seem especially susceptible. I have a close friend's grandma that was scammed out of 5k from a fake voice call.
7.73 billion represents a very small fraction relative to actual utility. 2.57 billion represents 99.9% of something that has virtually no utility other than scamming people.
I recently came across this video [1] made by a famous youtuber who was able to interview a scammer that regularly creates copycats accounts of his youtube profile to scam his user base. It gives an interesting backstory and if the scammer was actually telling the truth, there must be so many people who still fall for these schemes.
Oh your daughter is spending her gap year in South East Asia? Find her social media -> download the videos with a sample of her voice -> generate audio of her asking you to help/send money because "she was robbed at a gunpoint" -> message your phone number/WhatsApp/Facebook account etc.
These scams are possible now, but their quality will increase exponentially given that you won't need to know perfect English or be well versed in tech to do this.
Currently they just say they have them. A more common one is pretending to be the police. They tell the family member that they have to pay bond for their child/grandchild to be released.
My mom almost got tricked by a police scammer saying they have an arrest warrant for her due to not paying a debt and that she would be arrested if she didn't pay the money. Only reason it didn't work was because she didn't have the money and called me crying asking for help. Now she knows to never trust anyone requesting or demanding money over the phone.
You don't even need the fancy fake voice. Scammers called my Grandmother once, this was about 5/6 years ago, pretending to be me, her grandson. Pretending to be me, they told her I was in jail for cocaine possession and that she needed to wire money to bail me out. She believed it at first and was in her car driving into town to wire the money when she decided to try calling my cell to check. I told her I was in my office at work, and that I don't do drugs, lol. I am glad she had the idea to call my cell! I am fairly certain the only reason it didn't work on her in particular is that she knows I am a giant computer nerd with no friends so that was not something I was likely to be doing, haha!
Not sure what is more worrying - that people lost $10.3B or that this money is now in the hands of criminals who can do some bad things with it.
I understand this is not just one scammer, but if they pooled that money together, this is kind of level of money that could influence elections in a small country or buy a small army or be used to take over legitimate businesses and use them for further money laundering while paying off politicians and civil servants.
I doubt all the nefariously-collected money will in turn be used for nefarious purposes. It's entirely likely that a good portion of it would be used to do things like, pay for a decent living space for their family, buy a newer car, possibly buy a business to turn to more legit ways to make money that don't have the risk of getting caught.
Not sure what is more worrying - that people lost $10.3B or that this money is now in the hands of criminals who can do some bad things with it.
It's like when crypto is stolen. It's harder to process ill-gained proceeds than legally obtained proceeds. This means it takes time to launder it; you cannot just buy cars or whether with it; the govt. and police may be looking for it. So this means it likely has a deflationary effect in the short term by taking money out of the US economy that could otherwise be spent, but in the longer-term may have national security implications if the money goes to fund drugs, terrorism, whatever.
I was scammed $350 from one of the Zelle scammers. I know, I know, I was stupid for falling for it. My experience went like this:
Just moved into new house, had the cable guy over setting up internet. I get a phone call from "The Electric Company" (they used the real name) saying that I just moved in and I didnt put down a deposit, blah blah, I need to pay $350 now or the power will go off. I needed internet for work the next day, and wifey factors.... I panicked and sent the money. I know, it was stupid, but there was a lot of shit going on, and I just fell for it.
Literally IMMEDIATELY after I pressed the "send money" button, it dawned on me, I realized what I did, I hung up the phone and IMMEDIATELY called my bank asking them to reverse the payment. They would not do ANYTHING. They were completely useless, the person got my money and I had no way to stop it.
A month later, I'm getting trees trimmed, and the company wants payment in Zelle. Begrudgingly I oblige, and send my payment to them over Zelle. It took over 48 hours for the money to be delivered to them. The tree company kept asking me what the heck was taking so long, I had to call my bank several times to see why the money wouldnt send. It was stuck in "pending" for almost 48 hours, and the Tree guys wouldnt do the work until it cleared.
Moral of my ramble: fuck scammers, and fuck Zelle.
When you move, a whole bunch of information about your move and the fact that you moved becomes available to local business owners. I'm not sure what process is in place that does this (maybe a mailing-address change card you give your post office?) but it is what happens, in the US at least. Usually you'll get a coupon book for local businesses- the fact that they know you just moved in is due to the same process. Anyway, ostensibly bad actors would likely easily get in on this, and frankly it's a clever move because they know you're frazzled and in a state of being disarmed and they knowing you just moved (and where, which explains knowing the name of your electric company) gives them an air of legitimacy and that's the perfect time to strike. Also $350 is not an entirely unreasonable amount of money to ask for.
Yep - 100% agree. I opened a new business back in Nov/Dec 2022, and no less than two weeks did I get multiple, official-looking payment requests for labor law posters. They looked very real with some verbiage about "failure to comply with the law", etc. After I opened the first one, I was very motivated to pay the $89 fee (thinking I missed something when starting the business). However, after reading the letter a few times, I realized it was a scam.
The others went in the trash as soon as they came in...
This is so fucking infuriating. I don't know why the government can't shut these things down. They basically send you an exact copy of the official form you have to fill out with one line in it somewhere that says, "This is not an official government communication. We are not associated with the government in any way." But other than that, it looks identical to the real form. How is anyone supposed to be able to discern that difference? Luckily I've not yet fallen for it, but I have come close several times. Ass hats.
I'm pretty sure the US Postal Service sells as much of your data as possible. Their Informed Delivery service seems to be primarily intended to sell ad space in your emails instead of sending you scans of your paper mail.
The USPS sells change of address information. The only way to avoid it is to file the address change as temporary instead of permanent, or not file at all and forgo USPS mail forwarding from the old address.
When I move I now file a temporary COA and have the mail forwarded to a PO box. I never forward from one residence to another (too many boilerroom sales calls and scam attempts).
If someone knocked on your door, claimed they were from The Electric Company, asked you for $350 cash, and you gave it to them, would you say “fuck cash”?
When was the last time you pulled out a stack of $20s and had to wait 48 hours for them to become valid?
Cash doesn't try to rationalize all sorts of slow, obnoxious, and expensive behavior on the basis of fraud protection and then fail to protect from fraud. There's obviously a tradeoff here, the problem is getting stuck with the ass end of both sides. I can't really speak to Zelle, but it's definitely true for ACH and wire transfers.
> Cash doesn't try to rationalize all sorts of slow, obnoxious, and expensive behavior on the basis of fraud protection and then fail to protect from fraud.
Neither does Zelle.
> When was the last time you pulled out a stack of $20s and had to wait 48 hours for them to become valid?
Never, but I have also never had that problem with Zelle in probably hundreds of times using it in over a decade.
But I also have never been given counterfeit money via Zelle, which I have been given via cash.
Both mechanisms of transferring money seem to be working pretty well, and both have drawbacks/benefits.
Like I said, I can't speak to Zelle, but I can absolutely speak to wire and ACH and they both have these problems in spades. When I hear that Zelle has the same problems, I believe. When I hear that it's perfect, I doubt, but "works for me" is not strong evidence even if true.
No, it was renamed then maybe. It was around as ClearXchange for a while, and some banks had their own names for it, even though it was all the same thing.
Technically not Zelle itself, but my bank would not allow me to pay my landlord through Zelle on the basis of fraud prevention (other people at the same bank as them are fine) or send over $1000 per day (this does sort of protect a little, but it also makes it much less useful).
Zelle is one of those services that sounds good in theory but when you actually try using it you realize that the real life use-cases are very near nil.
"You can send money directly! *"
* If you have a pre-established out-of-band trust relationship and dispute resolution system with the person you're sending it to.
Which basically means you can send money to friends and family and that's about it. But you can also do that with Venmo or CashApp. Any online transaction among strangers that uses Zelle is 100% a scam. Full stop. There's a reason that groups that sell things plaster in giant bold letters to use PayPal G&S.
By far the biggest value-adds of Zelle existing is making it really obvious who the scammers are.
Ya know what, fair. That's a more sensitive risk profile than I operate under and Zelle is 3rd party to my bank but if you bank with one of the major national banks I can see that providing some comfort.
Zelle is not exactly 3rd party since it is operated by a company that all the big banks themselves own (and assuming you have an account at one of the big banks):
It's not actually that sensitive a risk profile -- Paypal has shown itself to be untrustworthy with how it'll just freeze an account that you have a bunch of money in or explicitly suck extra money out of your bank account or with the updated terms of service last year that they "backed down on" only slightly. Paypal also owns Venmo, so I won't touch that one. Not sure about CashApp, but I only see it listed by sketchy people and instagram influencers, so I've never considered it trustworthy to begin with. At least Zelle was part of the services provided by my bank (Chase)? Clearly it's worse than that initial impression in practice, but I'm not sure that it's really worse than Paypal or CashApp?
I can get money in my kids bank accounts within minutes, with no fees, all from my banking app and without giving access to my money to some other shady techbro company. Seems like a pretty great use case and one I use every month.
I mean; yes. I definitely use "Accept Credit Card" as a gate keeper in many situations because cash only transactions are sketchy.
And similarly, I feel sketcky carrying large amounts of bills on me, for say buying a car - I'll go to the bank and get a bank check over having that much cash on me.
If you had cash, they would rob you for it, but since, it's digital payments and most people don't carry cash, it not economically or practical for fraudsters to steal cash.
How does the scam work, are they using some person (or their account) as a mule and then forward the money? Or is it just unrealistic that anything gets done about $350 so they don't care if you know who they are?
No fan of crypto, but the idea of bank protection is kind of a joke. If you authorize the money transfer, they likely will not help you, nor cover the loss. No better than crypto in this regard. Wire transfers are internet for speed, not safety. Banking will always have inherent risks.
To be fair, Zelle is supposed to be competing with the likes of Venmo, where the irreversibility of the transaction is a feature, not a bug. It's supposed to work like cash, for better or worse.
Of course, in practice it kinda sucks. Zelle requires giving strangers way too much information about you. I won't use it. Much as I dislike PayPal, I use Venmo for this use case.
The only thing Zelle requires you to give is an email address (that you choose to associate with your bank account) or phone number. No different than PayPal.
It is one of its features. The previous method of sending and receiving money involves giving out your bank account number (even if not to strangers, then to PayPal), which means anyone can pull funds from your account using ACH.
It's better than ACH, I agree. But Venmo is not PayPal, just owned by them. Venmo works with usernames, not email addresses. I don't have to give a stranger anything other than that username for them to send me money.
It's the bank consortium trying to compete with Venmo with less technology budget; and fewer controls. It's terrifying that this is the best product the consortium could put out. No wonder VISA/Mastercard exist.
This is a fault of your political system, it's not a problem inherent to banks.
In my jurisdiction, banks will regularly refund and make whole people who have lost money to scams. They in theory can refuse if they think the owner of the account was careless, but in general they will refund a lot of scams.
One good consequence of this is that scammers now become the banks problem, so they will do more to help educate and prevent scams.
Rather than being able to wash their hands of scams, they will be proactive in making sure transfers are genuine, etc. Of course this can on occasion be a hassle, but in general it's reassuring that the default is not to allow large transfers to "random" people, and even more re-assuring that in general it's the bank who is on the hook for the money.
In the case of utility companies you can always just pick up the phone and call their main customer service number to verify your account status and balance. Text messages and emails should always be treated with suspicion, but intercepting outgoing phone calls is outside the capability of regular scammers.
I've received multiple phone calls from my bank to discuss my mortgage
Every time they call me and ask to "go through verification" - aka I give a random stranger on the phone the personal information they need to identify themselves with my bank - so I tell them I'll call them back instead
Then i call back and get bounced around through multiple teams until inevitably the call drops, I think because my mortgage was bought from another bank so it isn't well understood by customer support
Anyway, I think it is legit calls I get from the bank. I hope it isn't important because i still haven't got through to them to talk about it
This is a frustrating reality, but, out of curiosity, did you ever try asking the name and/or department of the person calling you and using that to try to get back to them when calling back?
Every mortgage holder routinely buys loans from other lenders. If you received bad customer service then it probably wasn't due to that specific cause but rather general incompetence and cost cutting.
The data broker market is ~$250B, it's not all personal data, but the market for personal data to target these scams is huge. The worst part is many data brokers get their data from government sources like the state DMVs: https://www.privateinternetaccess.com/blog/dmvs-are-making-a...
No matter how many times I've been late for payments in my life, not ONCE have I ever had a human being call me up and demand payment over the phone. It's always a long series of attempts to collect through the mail.
Let alone calling up and demanding I pay using Zelle...
There is one simple and proven way to authenticate phone scams. You tell them that you will call the company back on the number you already know or have from a bill, or you will pay via the website that you also already know. Until they start commandeering phone numbers or domains you're pretty safe. There is really no reason to answer your phone for numbers you don't know unless you're job hunting or waiting for an important call. I block all numbers not in my contact list. Sure, they can masquerade as a fake number, but even if my caller ID says it's the gas company I'm not going to answer it and if I do I am not giving them any information on that call.
I mean, you're still someone at risk here if someone mails you a nice looking electric bill a few days before with fake info on it, especially in the case the scammer has enough info on you to make it look realistic.
Uh nooo.... You don't call the number that's provided in the format of the outreach - be that a physical piece of mail or an email or an SMS message.
In every case where I've gotten a message / phone call informing me that I need to provide some sensitive information or make a transaction, I determine the organization that they are purportedly representing, navigate to the official website, find the relevant contact info, and call back.
I always assumed everybody did this to prevent these exact types of situations.
It has become increasingly difficult to discern legitimate calls in recent times. Lately, I have been receiving calls from my bank, seemingly related to client relations, originating from a variety of random local numbers. These could potentially be the personal mobile numbers of the bank agents, though I cannot be certain. I usually don't answer these calls as I don't recognize the numbers. The only way for me to verify their legitimacy is through the branch number mentioned at the end of the voicemail messages they leave. However, if I were to actually speak with the caller, it would be challenging for me to determine the call's authenticity.
This is victim-blaming. Companies don't make clear "how things work". I've never once found a web page published by a business that makes clear exactly how they will contact you (e.g. by number xxx-xxx-xxxx for security alerts, from email address foo@company.com for bill payments with a link to company.com/billpay, etc.) so that you can follow that sheet to ensure you're not being defrauded, and that's what's needed.
Perhaps it's time for some regulation - of course, drafted with the extreme care that almost no regulation is written with, but should be...
Funnily I got some emails and phone calls from Amex some time ago that were extremely phishy (like aexp.com), but they happen to have a website listing the domains they use:
No such thing for the phone numbers though, and since they were just regular landlines not recognised by Google and not available through a Google search, I declined to provide them any information.
There absolutely needs to be regulation for that, like there is the "Mentions Legales" or "Imprint" in France and Germany (a website needs to have a page who they are actually, with an address and everyhing).
Oh, this is really interesting, I didn't know that Amex had a page like this! This is useful, maybe I can point my bank toward it and ask them to make a similar page.
As harvey9 says in a sibling comment, "If they publish an outbound number then scammers will spoof it.", so perhaps publishing a phone number isn't useful - but they should actually state that on their web site, as well as providing a protocol that allows the bank/agency/company/utility to authenticate itself to you.
> "Mentions Legales" or "Imprint" in France and Germany (a website needs to have a page who they are actually, with an address and everyhing).
I like this concept - let's extend it to include an authentication protocol, as above.
You and your OP both are right. Companies are totally at fault for muddying waters by using the same methods as scammers (or scammers are smart by using surprisingly similar tactics), and Customer too should be aware of situations.
Zelle, Western Union, Venmo, PayPal (family) literally gives you warnings, multiple prompts, to say that it is irreversible, pay it only to known people, dont use it for government payments, make sure to check registered name, and stuff.
We as customers should know that no utility company, gas, power, internet, government offices, their representatives accept or want payments by Zelle. Zelle is great for person to person, or one time cash-like transactions. If one handover wad of cash to a person claiming a utility representative, one would not expect to get that cash back if he was fraud.
Zelle is irreversible by design (unless receiver sends it back). Otherwise what would stop from people using it like credit card chargebacks?. The only time I have heard zelle txn getting reversed is if reciever asks & insists to his bank that this money is not for me, undo this txn. Although there is a variation of fake check scam reverse zelle too. Just liek check, scammers arrange a zelle incoming from victim 1 to victim 2. Then calls victim 2that it was mistake. Please zelle it back to "me". Victim 2 does zelle. Original txn gets recalled because either victim 1 found it or his bank found it. Victim 2 is out of his good money.
This is especially true of utility companies, who expect you to start paying them money before you ever interact with them or sign any contract, to the point where they will try to destroy your credit score if you don't pay them.
It's not far from the truth. I don't think they can technically get away with hitting your credit score before you signed a contract, and instead will send you a "first bill" once you do contact them, which will include the difference between the meter reading when you moved into the property, and whatever reading they had from the last tenant. Often this results in a headache while you try to avoid paying for electricity/gas you didn't consume. But it's not unheard of for utility companies to fuck with your credit score when the only major error you made was not contacting them quickly enough.
If you have a history of non-payment they may require a security deposit, but with the exception of cable/internet most residential utility bills are sent (and paid) post-usage.
It happens if you have a history of not being a previous customer with them. I had a notice of good payment history from my previous electric company from another state and the company in the new state still required a deposit.
PGE requires either a ACH autopay or deposit. One time I paid bill by Credit Card to get 3% back, (through Bill Pay to avoid PGE 2% fees for card), PGE asked me deposit because autopay did not execute (because there was no balance).
I have never experienced anything like that on either coasts of the US. The utility company has an obvious looking website that you can use to make an account and pay electronically.
In the US, any business that requests payment outside of credit card/debit card/ACH/checks is questionable.
I have never experienced like that in 4 different movings. I expect to pay since the day I get the keys till days I return keys for home. I setup and account with utility, or gas, or something. They bill me in 10-30 days, I pay again in about 30 days or less.
A few years ago before moving into a new apartment, I needed to purchase renter's insurance per the terms of the lease. After filling out the info online with the company, I got a call a few hours later asking to finalize the details, and right before I was about to give them my payment info, I suddenly realized that giving payment info to someone who called me instead of looking up the number myself and calling them is exactly what we're told not to do, so I apologized and asked if it was all right for me to call them back. The person I was talking to said that was totally fine and gave their name and said I could ask for them, so after hanging up, I got the official number and called it. The person I talked to was able to verify that I was in fact talking to someone legit before, but they refused to transfer me to them and instead insisted on completing the transactions themself (presumably for the commission). From what I can tell, the way the reps for this company were paid incentivizes them to call people directly to try to get the sale for themself and by extension _punishes_ them for allowing the customer to take the safe next step of hanging up to look up the number and call back directly.
I somehow forgot to pay a bill for daycare, and it went to their payment recovery contractor (it went automatically, without nobody telling me anything despite me going there every day). So the company called, said I had missed a bill and I needed to pay then over the phone with my credit card. Obviously they went mad when I told them I won't pay this way without receiving any king of paper by the mail or something to at least give me the slightest confidence that this wasn't a scam attempt. They ended up mailing me two weeks later, and charged me a fee for late payment…
Seriously, how do you want people not to fall for scammers if legit companies act the same way and charge you for being cautious…
After I bought my new car, I got an email with a header image that looked like it had been scanned from a physical piece of paper, badly. It referenced my name and the bank I had a loan from, but all the domains in the email were not my bank. It claimed I hadn't sent in proof of insurance. I did that at the dealership on the day I bought the car.
I ignored it.
I got it again and ignored it.
On the third attempt, I finally called my bank. It actually was from them, and they really did somehow not have my proof of insurance, and really were going to cancel my loan.
I tried to explain to them what was wrong with the email, but they couldn't understand.
Edit: In the end, I physically went to the bank to handle it. I didn't do anything else remotely with them.
:: cough :: You've been preselected for a great deal on solar for your home! :: cough ::
(every time, me: "Have you bothered to look at the google maps for my home before you called?" Them: "No, let me check... Ohhhh" me: "Yeahhhh... I can't get rid of the trees because they are rooted in the neighbor's property. Not that it wouldn't be quite ironic to remove decades-old trees just to install solar on a roof.")
I don’t care about Zelle one way or the other but maybe after you complained to them trying to get the first payment reversed they put some kind of a “wait 48 hours flag” on your account for future payments? Also sorry that happened to you, fuck scammers. Don’t blame yourself too hard.
Banks often have policies that have the effect of penalizing reporting fraud and other issues.
Right before a trip I wanted to withdraw $60 in cash. I went to one atm, but it showed an error and didn't dispense the cash. So I went to another. Later in the day I saw the first ATM had withdrawn from my account despite the errror.
I called and was told if I wanted to ask for the transaction to be reversed they would cancel my card and mail me a new one. Of course, that meant I wouldn't have the card on my trip.
I ended up eating the $60. Suppose I could have tried disputing further.
That's shit. My bank accused me of defrauding them when I told them the person who stole my credit card bought stuff on an invoice that showed the stuff shipped the day before they even bought it.... to a guy called "pirateargggggh3890[roughly]@hotmail.com" from a now flagged known ebay seller/fraudster. The products were a mix of religious and feminine materials ... I am an atheist man in a state far away from the one purchased.
I phoned in for an appeal and I was laughed at by the bank employees over the phone, and told I was mistaken and my family members must be the thieves. Claim denied.
Don't blame yourself, I can see making the same mistake myself. Moving is stressful and you were just trying to take care of your family and yourself. Blame the scammers, they are the trash that are taking advantage of the emotional state of movers.
Thanks for this. Today, I had to open an account to send money to a friend. I was torn between Zelle and Venmo. Per my son's recommendation I went with Venmo. Not sure how many folks get screwed by Zelle, but your post made me feel a little better about going with Venmo. Although, I am sure Venmo has its fair share of shady characters...
FYI Zelle is the banks' clone of Venmo. They both have identical policies here: they don't reverse transactions.
Edit: Yardie is correct, this is assuming your counterparty doesn't pay the business fee. So this'll protect you from legitimate businesses, but a scammer isn't going to pay the extra fee to enable reversibility.
I've never needed to but Venmo definitely reverses transactions. But you have to declare it as a business transaction. A lot of businesses don't want to do that because they have to pay a fee. I pay my barber through Venmo and always record it as a service, since I prepay. I pay my tutor as a family transaction. She gets paid after our sessions.
Speaking from experience, Venmo claims to reverse transactions, but will do everything in their power to NOT reverse your transaction, even if you mark it as business payment.
I paid an architect for work over Venmo. Work was never done and the architect ghosted me. So I sent all the info to Venmo in a dispute and they told me to pound sand.
Zelle is very clear it's not reversible. Like very very very clear. It's how it works, so the person on the other end has a guaranty you won't just claw the money back after you complete a transaction. Pretty weak to blame them for your mistake.
It is the digital equivalent of cash. That is the whole point. When you buy something with cash, can you just reverse the transaction later? The good reason is what use is a person to person payment system where the person receiving money has no guaranty that they get to keep the money received.
How is it person to person if there's a 3rd party facilitating the transaction? Why should someone be guaranteed to keep the money if they got it fraudulently, with the victim unable to dispute?
This is not different from sending physical goods via mail: a 3d party is involved but you will be laughed out of the post office when you demand to return items you sent. And there is no guarantee too: authorities may retrieve your items, though chances are even lower when you send them overseas.
Because it could just as easily be a scam in the other direction. Get paid for a legitimate service, have the payment reversed. The bank doesn't want to get involved - easier to treat Zelle payments as if you handed over cash.
Zelle is insanely scary. The only reason I use a bank is for protection. If they're going to offer a service and not combat scammers, or protect me, why use it all? Sorry to hear that happened to you, it's even more scary that they knew to target you like that at the exact right time.
I tried to buy a used bike in a new city and the guy wouldn't accept anything except Zelle. I had cash, Venmo, Apple Pay, but nope, this guy was hell-bent on Zelle. When I explained to him that I don't have Zelle and wouldn't create one for a $200 bike, he started to think I was a conspiracy theorist. Zelle has done a great job of creating an image of trust and people equate it to using a credit card without fees.
The reality is that everyone alive is susceptible to these scams. No human is impervious to being victimized by these groups. They will pay good money for information to target people. Originally, some scammers would aim for early morning hours just as people are waking up, their brains are still groggy and vastly more susceptible to making an error. However, now that so much public information is available you can easily craft scams that are indistinguishable from reality. Scammers leverage this along with a common theme of "urgency" to minimize the time period that someone has to realize they are being taken for a ride.
Understanding this, banks have crafted Zelle to pass the responsibility down to the customer. It was a very smart move (from the financial industry's perspective).
My 84 year-old mother is constantly targeted. It’s extremely frustrating. Luckily she is extremely sharp and spots them easily. But if she wasn’t, it would be a constant struggle.
Email, text, and live phone calls are the typical approach. I can’t count how many times people have claimed to be her grandson needing emergency funds (usually bail). She also gets fake invoices via USPS but I manage her mail so it never gets to her. It is never ending.
1st occurrence - years ago, my company had a business account at a Minnesota bank. I was issued a debit card on that account. The debit card was bilked for $850 by an “unknown” party. I informed the bank. They complained that I had a personal debit card on a corporate business account - which was not allowed (heck I never even asked for it) - if it were a business card I would be covered, but with a personal card I was not. They canceled the card, never to be replaced. Needless to say I communicated my displeasure, but at the end of the day there was nothing I could do.
2nd occurrence - in the past 12 months, I get the classic text message, “Steve, as you know it’s my brother’s birthday and I always send him a $500 gift card. I am in the hospital unable to communicate or take care of this, and I was wondering if you could do it for me - here is his number : 212-xxx-xxxx.” Now I DID know it was his birthday and I DID know she always gave him a $500 gift card (pretty nice sister), and I DID know she was in hospital for a few days. I also knew that he lived in NY so the 212 area code was a nice touch. But I also am very familiar with gift card scams, so I just wrote it off. I was thinking I should just call him, wish him a happy birthday myself and ask him a personal question about his sister to which only he would know the answer. In any event I was just about to board a flight and it would no longer be his birthday when I landed. Then literally 5 mins later I get another text from one of our mutual friends, who lives on the other side of the country - “Steve, is there any way you can help, <name withheld> needs someone to send the birthday gift card to <name withheld>. I told her I could not do it but suggested she might ask you instead.”. Okay this was now getting interesting, The texts came from 2 separate women. I knew both of their Verizon accounts were set up with 2FA (heck I set it up for them!). What’s the chance of both of their accounts being hacked at the same time? (extremely high as any cyber-security expert knows). Both of these women were trusted personal friends - it wasn’t some inside job - they were in fact hacked. Verizon was hacked. Etc. I have some last minute urgent business distracting me, with which I am on the phone with my PA - at the end of that call, I instruct my PA “oh also, send a $500 gift card to <name withheld> at 212-xxx-xxxx from <name withheld>”. I figured she would do it through our Amex facility, which has recourse for such fraud. She just bought one off a website. Now everything that happened I knew better. But it happened anyway. It was one of those perfect storm situations where I just wanted things taken care of and I wasn’t being diligent. I’m not proud of it, quite embarrassed in fact. The ex-husbands of both of those women are cyber-security clients of mine. Part of me even thought it was one or both of them. In the end, THEY were the only ones to whom I reported the scam (oh and whoever is reading this) as I felt a professional obligation. Any cyber-security expert will tell you that it is this social engineering and grooming that is the key to many of these scams. Scammers are even more surreptitious now, using AI-generated voices to leave messages sounding just like the known confidant. Be very wary and just always …. say no!
In my case, I was scammed about $350. What is local pd or anyone gonna do to help me with that? Nothing, that's what. Absolutely nothing. Why waste my time even more?
I have a friend who is a federal agent. He commiserates with those of us not reporting, as it takes time and attention (not spent earning money) to report. It also creates a digital trail of information that all too often gets misdirected into misadventure. Way more often than most people realize. The only real value to reporting these things is to give a government a measure of how bad something really is, so they might take informed policy action.
My wife got suckered into one a few days ago (though hung up before anything bad happened). We ordered a replacement pair of glasses for my daughter, and the store said they would call when the glasses came in so we could pick them up.
Flash forward a few days, and she gets an automated called saying something akin to "Your delivery is on hold, please press 1", so she did, and got connected to an "agent" who she started talking with. In her conversation it became obvious to me it was a scammer, so I told her to hang up, but not before she got overly concerned at me.
She's pretty aware of these things, but it was just a right place at the right time kind of thing that caught her off guard even though there were plenty of warning signs.
> it was just a right place at the right time kind of thing
Scammers abuse this principle by sending out texts to the tune of "Your package is on hold until you pay.". The chances a random person is expecting a package at any given time are pretty good.
And confirmation bias is strong. The above commenter didn't even have a package being delivered -- they were going to pick up the glasses from the store. But you sometimes hear what you expect to hear, rather than what was actually said.
People often act like victims of scams need to be smarter, however widespread scamming places an immense burden on the broader economy. It increases the cost of doing business, since you have to do more verification for any transaction. We don't blame victims of other crimes, scamming shouldn't be an exception.
Imagine if you went to a restaurant, and the staff refused to serve you until you showed them your bank account balance to prove you could pay. It is an immense failure of law enforcement to not crack down harder on widespread scams.
Absolutely. And every dollar in the hands of scammers is funding the creation of new and better scams. Even if we didn't care about scam victims at all, society should vigorously pursue scammers just to keep the overall burden down.
And it seems like a no-brainer money-wise too. A dedicated task-force of 10 people might cost you a million a year, but they'll easily track down scammers doing that amount of damage per month.
I recently took an interest into a phishing campaign because the guy was using Amazon SES and kept using new email templates and it kept landing in my inbox. He was an amateur and it was easy to find juice things on his server, and it looked like he was engaging in all kinds of different scams, like phishing for bank logins, defrauding online-shops, identity theft etc. With law enforcement options, I'm pretty confident I could've nailed him with a few hours invested. Get him for one crime, you stop 10 others.
But the last time I talked to a police officer locally, he didn't know what Netflix was so I won't even try to explain phishing to them and how I got this information on the perp.
A task force of 10 law enforcement officers and support staff with the necessary technical skills is going to have a fully loaded cost way higher than $1M per year.
Ten fully skilled security experts deputized @ 200K/yr. Fifteen assistants at $75K/yr. All personnel grossed up to 140% for fully loaded cost. Hardware, infrastructure, software, hosting services, $200K/yr. Total (((20010)+(7515))*1.4)+200 = $4,575,000/year.
You don't think that such a team could stop $50 million in crime in a year? I'd expect that $500 million would be a slow year and stopping $5billion would be more like it. There is so much of it and such low-hanging fruit...
I know of large corporation divisions where $5 million per quarter was literally their rounding error threshold three decades ago (likely more like $15 million now).
The payoff is so great it is astonishing that some large tech companies don't do it just for the general reputation of the industry. Or the banks for the same reason (e.g., I wont' touch Zelle, both because when I first checked it out it was horribly clunky, my bank wanted $20/month just to use it, and all the persistent scams).
Or, just for lulz. This is rounding-error pocket-change for these corps. If it got going, I could see a rivalry between MS, Oracle, & Alphabet execs for who could dunk the most scam dollars, and jail the most perps...
Hmm, why do you think they couldn't prevent $50mm? I'd expect that to be the easiest number to to maximize. Take out a ransomware crew, and you prevent all their crimes for the next years, as long as you keep them offline; get the encryption keys, and you've undone every ransom demand still standing. Just busting them in a way that their are either denied bail or have conditions placed on them so they cannot use any computing device, and you've taken them offline (and sufficient monitoring will probably jail them soon when they go back online under bail conditions.
Definitely agree that successfully prosecute is harder than ID perps...
But you don't think there's enough scammers based in the US/Canada/EU to chase? Back to the Zelle scams as we started with, and an awful lot of scams that require cash mules, seem pretty trackable if someone puts in the effort, especially when people can drop the evidence at their doorstep.
Yes, there are. But none that would be addressable in any reasonable way by your above-hypothesized team of 10 cybersecurity experts. Any significant wire fraud operations are going to interesting to the FBI and something that is in their jurisdiction anyway.
What’s left would be cases like “I bought this iPhone off eBay and got mailed a brick”. If it was taking your team any longer than literally 10 minutes per successful recovery on average, you’d be better off just using that taxpayer money to reimburse victims directly. It just doesn’t make sense to throw 250/hr labor at a $500 problem.
The guy who mails out bricks instead of iPhones probably does that every day, so if you stop him, you're not just solving a $500 problem, you're solving a $500 a day problem, which is a $180k/year problem.
>> 3. this could be addressed with regular police work
The phrase "could be" is doing a lot of work there. Yes, all of these crimes could be — and I would argue SHOULD be — addressed by regular (presuming local or state) police work. Sadly, it is not.
Similar to rampant bicycle theft. It definitely could and should be addressed by local cops, but is largely ignored, and ignored even when people bring them real-time tracking of the bicycle. And you're not supposed to go vigilante and get it yourself (partly due to risk to you).
For #2, $50 million, that seems like a lot of crime. But let's take the mailing a brick for an iPhone example. Each one is roughly $1000. So we need 50,000 bricks per year. That's 137 per day. Way too much for one criminal. But with 250 criminals, they only need to send a brick every couple of days. And our cop team needs to average only a single capture per day to stop $50million of crime in a year.
Jurisdiction, yeah, they'd probably need national jurisdiction, since there are probably few crimes where the criminal and crime are in the same town (other than the FB market/Craigslist criminals). So, deputized by the FBI is probably best.
So, not unreasonable to search for a solution that actually works.
> The phrase "could be" is doing a lot of work there. Yes, all of these crimes could be — and I would argue SHOULD be — addressed by regular (presuming local or state) police work. Sadly, it is not.
I agree that it is not. I am saying that you don't need a team of 10 cybersecurity expertise to show that someone mailed bricks or stole their cousins venmo money. Ten traditional detectives would be cheaper and a better fit.
Any technically sophisticated scams that would require a team of cybersecurity experts are likely already at the scale and scope that the FBI already does address them.
The intersection -- a technically sophisticated scam that is a small dollar amount -- isn't a problem that exists.
The reason that large cities don't spend much time on small dollar crimes is because they have bigger stuff to worry about. Yes, there's definitely people selling stolen phones on my local Craigslist, but there's also people stealing checks out of mailboxes and washing them to steal $50,000+. It makes sense to address the latter first.
Ok, so you're saying that much of it is within the scope of regular detectives with appropriate training? If so, I'm inclined to agree -- no sense applying over-the-top expertise when not needed.
Actually, chatting about it, it seems like the ordinary L1/L2/L3 service teams approach could work well. Ordinary up-trained detectives on most cases, when they hit something more complicated, call in the L2 guys/gals, and when it goes over their skillset/toolset, call in the L3 team, etc...
However it gets done, it certainly seems that we need something more than we've got.
There are a lot of talented people you can sell on the dream of working for less than their full market value in order to help vulnerable people not get scammed. It would be very fulfilling work for a lot of people
Track them down and do what? Are you deploying a local police officer to arrest a scammer in India? It seems to me that in the vast majority of cases, law enforcement efforts will immediately run into jurisdiction issues, and most of the effort will be for nothing.
That's probably true for some part of the scams, but others are domestic. The one I was looking into was most likely speaking German natively, and from what I could tell, he was a German in Germany (some info pointed to a specific German state, and his homedir was a common German first name).
You'll still have scammers from India, but you'll also have a lot that are running more elaborate scams and do a lot of damage by defrauding the government and companies.
It's a fine line. It is not victim blaming to discuss what happened and a strategy to avoid it in the future, though I hear a lot of people suggesting just that. Sure, don't shame the person who got scammed, but if there is something they could do differently that would increase their protection, it needs to be communicated.
Exactly. This taboo against "victim blaming" is kind of holding society back from properly addressing scams (and other crimes). Yes, the scammers are responsible and yes, they are the only ones who should face consequences.
That being said, it's smart to take precautions, and it's not victim blaming to suggest things people can do to reduce their risk of becoming victims. I teach my kid not to play in busy streets. That's not blaming pedestrian victims for car crashes--it's just sensible, risk-mitigating precaution.
Teaching your kid not to play in busy streets wouldn't be victim blaming, it would be victim blaming if your kid got hit by a speeding car and people immediately started questioning how well you taught him street safety. The problem with victim blaming isn't that it seeks to teach people to avoid becoming victimized, the problem is that it gets brought up when people have already been harmed, making it insensitive, unhelpful (something something barn door), and, often, deflecting blame from the actual bad actor.
We should agree on some time frame when it's acceptable to talk about what you could do to avoid being a victim then. It's perfectly fine to say "maybe not now" while the victim is still getting stitches, but having to wait 10 years is also pretty useless because it'll be forgotten.
When something happens is usually the best time to talk to others about that same thing. A bank exploded? Hey, have you heard that there are ways to spread the risk over multiple banks? A hospital got all their files encrypted and needs to pay a ransom? Let's talk about backup strategies and how to secure infrastructure because that could be your organization.
I don't think people discussing strategies seek to deflect blame from a potential bad actor (it doesn't need to be about crime, accidents happen all the time, and there are plenty of things you can do to lower your risk), they just want it not to happen again, or at least less frequently.
My opinion, based on observation, is the opposite (i.e. you perceive a "taboo" against victim-blaming because victim-blaming is a real problem). Obviously we need both sides of the coin (help targets to help themselves, and hamper attackers). And yes, some people may jump to accusations of victim-blaming too quickly. But, I think it's an exaggeration to imply that there is a significant problem where people are characterizing "suggesting things people can do to reduce their risk of becoming victims" as victim-blaming in the context of money scams.
I think that, by far the greater poison holding us back is the obsession with personal responsibility that many people use as an excuse to not have to expend additional effort on dealing with a problem pragmatically. If you are suggesting educating people or giving them tools to deal with scams, that's great. But a lot of people don't want to do that under the very same rationale that you are using to justify it - that the victims could have avoided it. You are saying, "people can avoid this - we need to help them do so", but there is a significant part of society whose opinion on many topics where there is a victim is, "people can avoid this - they need to take responsibility".
> It is an immense failure of law enforcement to not crack down harder on widespread scams.
I fully agree. My identity was stolen and used to sign up for retail credit cards in a spree, and I even did the research for them. I had a timestamp of purchase, the items purchased, and the cash register number. The police could not care less. For one, they are lazy as hell and throw up jurisdictions as an excuse. The mere fact that the thief seemingly only used one store per jurisdiction seemed almost intentional in terms of taking advantage of this. The total amount stolen was $9,000, but I don't think the police gave it a second thought after I contacted them, and this was in a city big enough that had a financial crimes department.
I worked briefly for a financial crimes prevention organization, and the minimum dollar amount of loss we could get police to act on was over $100,000. We would do all the research and present them with a complete case.
The cops have a pervasive misallocation of resources from the top down.
For example, US police eventually come up with enough evidence for prosecutors to start proceedings only in about 50% of murder cases [1]. Yet police departments spend very little of their time working on murder cases. [2]
Assuming you believe police investigating murders is valuable, I don't see how you can think police should be wasting time on broken taillight stops when they're failing that badly at it. (If the cops can't be reassigned they should be fired and their salaries used to pay cops who can)
[1] Technically I'm describing the murder clearance rate, but I use this phrasing to avoid the common and incorrect implication that a cleared murder means it's necessary actually "solved"
[2] There's no great metric for this. Assuming a police officer who just filed an incident report about a traffic stop for a broken taillight probably wasn't working on a murder case immediately before we can use incident reporting data. For ex, https://data.sfgov.org/d/wg3w-h783/visualization
An idiot in my neighborhood getting robbed because they leave their garage door open at night causes my insurance premiums to go up, but they are still an idiot.
Not only law enforcement. The communication systems that allow scammers to ride on their infrastructure anonymously and fail to give their users tools to push back also bear some responsibility.
The POTS and e-mail and usenet protocols are embarrassingly broken on this front.
For anybody who is building a communication system: If you are allowing anonymous messages to users is a default behavior and it is impossible or impractical to avoid, you have created a system for spam, scams, threats, and harassment.
>It is an immense failure of law enforcement to not crack down harder on widespread scams.
Do you think if we let cops put on their pretty SWAT gear and roll into the front yards of white collar criminals' front yards in their APCs they'd start taking these sorts of things seriously?
Putting blame on the victim and pointing out that victim could've easily prevented the crime are two different things. We can put the whole moral responsibility on the perpetrator, and simultaneously advice other potential victims to properly safeguard themselves.
Shitty people ruin society at every level. Sure online scams are part of it but we have banks, locked doors, guns, an entire law enforcement and justice system etc. all to account for the small minority of humans who will hurt others given the chance.
There's a scam going around targeting teenage boys that I don't see people talking about. Scammer poses as a cute teenage girl on Snapchat/TikTok/Instagram and starts DMing a teenage boy late at night. Eventually convinces boy to send a dick pic, then reveals himself and says, "Got you! I'm going to send that dick pic to your parents and everyone at your school unless you send me money!" The scammers will even voice call them at this point and threaten them that way.
The boy that got scammed is so embarrassed that they won't tell anyone and they send the money.
It seems they must be carefully targeting relatively clean cut (so they'll be sure to be embarrassed) and wealthy kids (so they actually have $300 to send). It's mind blowing how well these scammers do their homework
That’s a pretty old scam, but kids these days seem to have easier access to credit cards than when I was growing up, so I expect it is quite lucrative.
I mean.. did you watch to the end of the episode? In the episode the scammers were targeting people trafficking child pornography, so it's a bit harder to empathize.
You can join the US military at 18. An 18 year old dating a 17 year old is not a pedophile. What if the girl said she was 18 and then she reveals later she isn't?
The problem is US law is so fucked up that having sex with someone that's days younger than you can be illegal and punishable by labeling you as a sex offender for the rest of your life. Even if the other person had a fake id and lied to you!
Lots of countries have "Romeo & Juliet Laws" that decriminalizes sex with minors if both parties are within a few years of each other. For example, France has the age of consent at 15, and decriminalizes sex with under 15s if both parties are within 5 years of each other. There are caveats: the exception doesn't apply if one party has legal or factual authority over the victim, or are related.
In addition to those resources, Episode 4 of the Netflix series "Web of Make Believe" is basically a one hour documentary all about how sextortion operations work. Every episode of that series is solid gold.
Variations of this have been going around for years. Sometimes scammers will even work with cam models to record victims sexting over videoconference.
At one point they were targeting Muslim men because they knew the cultural implications of those videos being sent to their communities. I remember reading a story about a raft of suicides linked to that particular scam.
There’s also less sophisticated versions where the scammer will only claim to have hacked the victim’s webcam and demand money to avoid sending it to the victim’s friend list on social media.
After reading about this, I bought a bunch of cheap plastic webcam covers to give to everyone I know. They were only ~$1/ea on Amazon and work great.
What's terrifying after the cultural secretiveness of sex, is the legal position this puts a minor; if a 17 year old goes to the authorities, some jurisdictions would legally be required to file against the victim for creating child pornography.
> There's a scam going around targeting teenage boys that I don't see people talking about.
Its not just teenagers, they target older men. I get requests on whatsapp from profiles with an attractive woman's display pic. I sometimes accept these requests and chat with them. They all want to have a video call on whatsapp.
I have never done any video calls with these scammers but their end goal is to have a video call where the woman might be wearing revealing clothes or even nude, get a screenshot where your face is on the call and then blackmail you, if you dont pay up that screenshot will be sent to your contacts.
>> Americans lost a record $10.3B to online scammers last year, FBI says
I laugh a little at the language. What is the net loss? How many Americans have gained money through online scams? If we want to talk about the impact to the economy, those dollars are not necessarily leaving the equation. Illegal market activity is still market activity.
I just had some fraudulent withdrawals on my bank account pretending to be paypal. They did the two sub-$1 authorization transactions, then took out $400 then "reversed" it by putting it back into my account... maybe to attract less suspicion and execute a larger fraud later?? Anyway, my bank reversed the withdrawals and I just got to keep the $400 the scammers deposited in.
Maybe if the government did something to force companies to handle this or prevent attempts. The majority of phone calls, snail mail, and even email are nothing but spam and phishing attempts. I just don't even answer my phone anymore, as it's not a phone. It's just a terminal for spam calls. According to my mail, the warranty on my car and house has expired a couple dozen times. Even Gmail's spam filtering has gotten worse where several make it through.
Maybe the government should be enforcing laws and pursuing criminals as opposed to expecting businesses to solve this via creating a credit rating system for all aspects of one’s life.
In some areas if you live in apartments, folks actually knock on your door to sell you religion and vacuum cleaners. 2023 and still we have door to door sales.
It is important for everyone to protect their contact information as usually the first step for scammers is harvesting those details. Use a junk email account for all of your online transactions. Try getting a secondary phone number you can give out to everyone who isn't close to you. Avoid giving access to your contacts for any mobile apps. Be mindful about who has your contact info and what you are sharing.
286 comments
[ 3.5 ms ] story [ 268 ms ] threadA friend of the family recently had his email hacked. They sent targeted emails to all his contacts and setup a filter to hide the communication. His brother in law is a stoke victim with impaired cognition and only has access to $12k or so at a time. They were able to scam all of it from him over multiple transfers and he never picked up the phone to call the family friend. The family fiend is also his caretaker and limits his funds access for this exact reason.
The family friend is a retired old GE executive who will probably never run out of money no matter how many cars he buys due to pension funds. I wonder if he was targeted.
Restrict websites to a few domains on the devices they use. Youtube, wsj, etc...
If they want a new one just tell them to ask you.
It sucks and has problems, but its the only real straightforward and viable option I've seen work.
Source: have grandparents who were regularly getting scammed or close to being scammed on a weekly basis.
But what do we do when we get old? Will we be rational enough to disconnect ourselves? What if we don’t have any children that can help us make this decision?
Behavioral improvements and education are nice to haves, but constant vigilance has a high cost for folks at this age and it only takes one successful adversarial attempt to succed. In this case, strong controls and guardrails are a superior solution imho.
($dayjob is infosec/risk mgmt)
With elderly loved ones, as with everything in life, a negotiation takes place.
https://www.truelinkfinancial.com/
https://www.ycombinator.com/companies/true-link (YC S13)
If you come across this comment and need advice in logistics for caring for loved ones, contact info in my profile.
That's a great idea. And it's easier than ever, now -- at least in my experience. For a while I still had to use bill pay or debit for some of my utilities, but now even those all take credit card. I do it for convenience and the rewards (and because the last time my wife used her debit card it got skimmed), but the result is the same -- 100% of my own spending is on my credit card now. This would work great for my own mother if she gets to a point where I doubt her ability to resist con artists.
1. If a service provider you use reaches out via email asking for money, its fake. Login to their online portal (it took a lot of coaxing to get them comfortable with this...)
2. If a service provider reaches out to you via SMS or Phone call, even if they know your account number or other sensitive data: Tell them you will call them back on the phone number listed on their website. If they insist, its fake.
3. If you aren't sure its fake, just ask me to look at it.
The simple rule of thumb that will keep people reasonably safe is: Do not trust anyone who E-mails or calls over the phone to be who they say they are. If they say they are from business XYZ, hang up the phone and call XYZ's main number and ask for them. While there are exceptions and scammers are getting craftier, incoming calls and E-mail is by far the major attack vector.
My stepfather always tries the factory reset button as if it's just a more hardcore reboot to "fix" the internet when the service is simply out.
If there's a private sector solution to the scam calls that can be charged heavily for, that's what we're most likely to get. The competent parts of government aren't concerned with this stuff. Congress has to make it a concern, but they mostly toil on behalf of corporate lobbyists. Lobbyists aren't hired to help society at the expense of who they represent.
Intelligent, informed voters and honest politicians would have solved this and many other problems already, but we're extremely far from that ideal, and I think still trending away.
I've wondered before if posting in HN threads like this one is a better way to influence policy than going to the polls, since someone with influence could be reading. Maybe what I should actually be doing is writing to my representatives, as that's probably more impactful than either.
I think real time alerts or daily summaries sent to trusted caretakers. Another layer is having the caretaker approve of the transactions. Can think of this as 2 factor authentication where they'd have to hack multiple phones or accounts for a successful scam.
For example, seeing multiple gift cards would be suspicious. Or if you know your parents never take out more than 100$ from the ATM.
Sometimes though they willingly scam themselves. My dad gave this real life scammer 30k in advance payment in return for future caregiving services. We told him she was scamming us and he didn't care. When she asked him for more money to buy a new car he finally realized she was truly scamming him.
It could be as common as sending a pin to YOUR phone or that they actually call the bank to authorize it.
Some join accounts also require approval from both parties to transfer large amounts of money.
Additionally you can open a secondary account for your elderly relatives for daily expenses, they fund this account from their main account.
Anything you do, do it at the banking level, do not rely on your elderly relatives to doge pretty sophisticated scams.
In my experience, trying to list and explain all of the ways that scams happen actually has the complete opposite effect — either it ends up as information overload and they don't remember it, or they become so fearful of doing wrong in specific situations that they almost certainly become more vulnerable to fear-based attacks as a result.
I tell her that if she ever has any doubt whatsoever that she’s to call me any time any where and I’ll help.
I also promised to cover any financial loss due to eg making a late payment because of my advice.
How do you protect your car from your teens crashing it? Don't give them the keys
I told my mother (who is 81) that the answer is always no. There is never an emergency, the answer is always no, she should hang up and then talk to me. Personally, if possible (we live 10 minutes apart) or at least on the phone. Any legitimate need for money can wait that long.
Fortunately, my mother has a somewhat technical background and her mind is 100% still there, so it hasn't ever been a real concern yet. She's skeptical by nature of what she sees online.
The ability to reason about money deteriorates with cognitive decline, in large part, I think, because it so abstract.
The solution is for them to not have direct access to control all their finances, but rather get monthly amounts via a trust. That way, downside is limited.
Unless the trustee is a scammer, or worse, one of several adult children who don't agree on how finances should be managed.
Secondly, it is typical to mitigate against a single trustee not acting in good faith by have an odd number of trustees.
So you are saying that if you trust the trustee, they can't be a scammer? I don't agree.
While I'm confident in the security of Chromebook in general, I'm worried by how readily she pulls out her credit card and types the number into obscure sites for purchasing wedding gifts, etsy items, etc. A few years ago she would click on Facebook ads and buy shit quality products for little reason, but I think she eventually learned not to do that.
At least it's a credit card and not a debit card. My dad manages the banking, and is a bit more sophisticated, but even he does things like install programs meant to protect him that actually expose him to more vulnerabilities. For example, there is some Symantec monstrosity installed on his computer that injects a green checkmark into Google search results next to each site it thinks is "trustworthy."
It's definitely frightening and mostly a numbers game whether they'll be the next victims of a scam.
Text is one thing, but also thinking of deep faking video/audio. Elderly seem especially susceptible. I have a close friend's grandma that was scammed out of 5k from a fake voice call.
I'm just here to watch the goal post move
as in, the crypto numbers could have been any amount and you would have said the same thing.
if it was $1bn you would have said that, $500mm you would have said that.
and thats, in conjunction with nothing in the crypto space having any utility, for you, and nobody else’s utility being valid, for you.
[1] https://www.youtube.com/watch?v=iROF9Dd7FXA
Oh your daughter is spending her gap year in South East Asia? Find her social media -> download the videos with a sample of her voice -> generate audio of her asking you to help/send money because "she was robbed at a gunpoint" -> message your phone number/WhatsApp/Facebook account etc.
These scams are possible now, but their quality will increase exponentially given that you won't need to know perfect English or be well versed in tech to do this.
My mom almost got tricked by a police scammer saying they have an arrest warrant for her due to not paying a debt and that she would be arrested if she didn't pay the money. Only reason it didn't work was because she didn't have the money and called me crying asking for help. Now she knows to never trust anyone requesting or demanding money over the phone.
I understand this is not just one scammer, but if they pooled that money together, this is kind of level of money that could influence elections in a small country or buy a small army or be used to take over legitimate businesses and use them for further money laundering while paying off politicians and civil servants.
I doubt all the nefariously-collected money will in turn be used for nefarious purposes. It's entirely likely that a good portion of it would be used to do things like, pay for a decent living space for their family, buy a newer car, possibly buy a business to turn to more legit ways to make money that don't have the risk of getting caught.
It's like when crypto is stolen. It's harder to process ill-gained proceeds than legally obtained proceeds. This means it takes time to launder it; you cannot just buy cars or whether with it; the govt. and police may be looking for it. So this means it likely has a deflationary effect in the short term by taking money out of the US economy that could otherwise be spent, but in the longer-term may have national security implications if the money goes to fund drugs, terrorism, whatever.
They outlawed it but when it was going it was ~5-10 billion dollars each year with tens of thousands of employees and hundreds of businesses.
It's a huge problem and has massive implications for world politics.
Just moved into new house, had the cable guy over setting up internet. I get a phone call from "The Electric Company" (they used the real name) saying that I just moved in and I didnt put down a deposit, blah blah, I need to pay $350 now or the power will go off. I needed internet for work the next day, and wifey factors.... I panicked and sent the money. I know, it was stupid, but there was a lot of shit going on, and I just fell for it.
Literally IMMEDIATELY after I pressed the "send money" button, it dawned on me, I realized what I did, I hung up the phone and IMMEDIATELY called my bank asking them to reverse the payment. They would not do ANYTHING. They were completely useless, the person got my money and I had no way to stop it.
A month later, I'm getting trees trimmed, and the company wants payment in Zelle. Begrudgingly I oblige, and send my payment to them over Zelle. It took over 48 hours for the money to be delivered to them. The tree company kept asking me what the heck was taking so long, I had to call my bank several times to see why the money wouldnt send. It was stuck in "pending" for almost 48 hours, and the Tree guys wouldnt do the work until it cleared.
Moral of my ramble: fuck scammers, and fuck Zelle.
I'm sure many people just pay them because the hassle of reliably figuring out what's real and what isn't can easily exceed the amount of the bill.
The others went in the trash as soon as they came in...
https://www.forbes.com/sites/adamtanner/2013/07/08/how-the-p...
Cash doesn't try to rationalize all sorts of slow, obnoxious, and expensive behavior on the basis of fraud protection and then fail to protect from fraud. There's obviously a tradeoff here, the problem is getting stuck with the ass end of both sides. I can't really speak to Zelle, but it's definitely true for ACH and wire transfers.
Neither does Zelle.
> When was the last time you pulled out a stack of $20s and had to wait 48 hours for them to become valid?
Never, but I have also never had that problem with Zelle in probably hundreds of times using it in over a decade.
But I also have never been given counterfeit money via Zelle, which I have been given via cash.
Both mechanisms of transferring money seem to be working pretty well, and both have drawbacks/benefits.
Wasn't Zelle introduced in 2017?
Check the history section here:
https://en.wikipedia.org/wiki/Zelle_(payment_service)
"You can send money directly! *"
* If you have a pre-established out-of-band trust relationship and dispute resolution system with the person you're sending it to.
Which basically means you can send money to friends and family and that's about it. But you can also do that with Venmo or CashApp. Any online transaction among strangers that uses Zelle is 100% a scam. Full stop. There's a reason that groups that sell things plaster in giant bold letters to use PayPal G&S.
By far the biggest value-adds of Zelle existing is making it really obvious who the scammers are.
Exactly, and that is how I have used it for 10+ years.
> But you can also do that with Venmo or CashApp.
I could, but then I have trust an additional party (PayPal or CashApp) with access to my money and accounts. This is another risk with no gain.
https://www.earlywarning.com/about
> Introduced the Early Warning brand and became wholly bank-owned.
https://www.investopedia.com/what-is-early-warning-services-...
> Seven major U.S. banks own Early Warning Services: Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo.
And similarly, I feel sketcky carrying large amounts of bills on me, for say buying a car - I'll go to the bank and get a bank check over having that much cash on me.
Of course, in practice it kinda sucks. Zelle requires giving strangers way too much information about you. I won't use it. Much as I dislike PayPal, I use Venmo for this use case.
It is one of its features. The previous method of sending and receiving money involves giving out your bank account number (even if not to strangers, then to PayPal), which means anyone can pull funds from your account using ACH.
In my jurisdiction, banks will regularly refund and make whole people who have lost money to scams. They in theory can refuse if they think the owner of the account was careless, but in general they will refund a lot of scams.
One good consequence of this is that scammers now become the banks problem, so they will do more to help educate and prevent scams.
Rather than being able to wash their hands of scams, they will be proactive in making sure transfers are genuine, etc. Of course this can on occasion be a hassle, but in general it's reassuring that the default is not to allow large transfers to "random" people, and even more re-assuring that in general it's the bank who is on the hook for the money.
No, you were trained to fall for it by companies behaving a lot like scammers most of the time.
Every time they call me and ask to "go through verification" - aka I give a random stranger on the phone the personal information they need to identify themselves with my bank - so I tell them I'll call them back instead
Then i call back and get bounced around through multiple teams until inevitably the call drops, I think because my mortgage was bought from another bank so it isn't well understood by customer support
Anyway, I think it is legit calls I get from the bank. I hope it isn't important because i still haven't got through to them to talk about it
They probably bought it from some data broker.
They sell our data to scammers to let them be entirely convincing, and then blame people who fall for it.
Let alone calling up and demanding I pay using Zelle...
In every case where I've gotten a message / phone call informing me that I need to provide some sensitive information or make a transaction, I determine the organization that they are purportedly representing, navigate to the official website, find the relevant contact info, and call back.
I always assumed everybody did this to prevent these exact types of situations.
Perhaps it's time for some regulation - of course, drafted with the extreme care that almost no regulation is written with, but should be...
https://www.americanexpress.com/us/security-center/phishing-...
No such thing for the phone numbers though, and since they were just regular landlines not recognised by Google and not available through a Google search, I declined to provide them any information.
There absolutely needs to be regulation for that, like there is the "Mentions Legales" or "Imprint" in France and Germany (a website needs to have a page who they are actually, with an address and everyhing).
As harvey9 says in a sibling comment, "If they publish an outbound number then scammers will spoof it.", so perhaps publishing a phone number isn't useful - but they should actually state that on their web site, as well as providing a protocol that allows the bank/agency/company/utility to authenticate itself to you.
> "Mentions Legales" or "Imprint" in France and Germany (a website needs to have a page who they are actually, with an address and everyhing).
I like this concept - let's extend it to include an authentication protocol, as above.
Zelle, Western Union, Venmo, PayPal (family) literally gives you warnings, multiple prompts, to say that it is irreversible, pay it only to known people, dont use it for government payments, make sure to check registered name, and stuff.
We as customers should know that no utility company, gas, power, internet, government offices, their representatives accept or want payments by Zelle. Zelle is great for person to person, or one time cash-like transactions. If one handover wad of cash to a person claiming a utility representative, one would not expect to get that cash back if he was fraud.
Zelle is irreversible by design (unless receiver sends it back). Otherwise what would stop from people using it like credit card chargebacks?. The only time I have heard zelle txn getting reversed is if reciever asks & insists to his bank that this money is not for me, undo this txn. Although there is a variation of fake check scam reverse zelle too. Just liek check, scammers arrange a zelle incoming from victim 1 to victim 2. Then calls victim 2that it was mistake. Please zelle it back to "me". Victim 2 does zelle. Original txn gets recalled because either victim 1 found it or his bank found it. Victim 2 is out of his good money.
It happens if you have a history of not being a previous customer with them. I had a notice of good payment history from my previous electric company from another state and the company in the new state still required a deposit.
In the US, any business that requests payment outside of credit card/debit card/ACH/checks is questionable.
I somehow forgot to pay a bill for daycare, and it went to their payment recovery contractor (it went automatically, without nobody telling me anything despite me going there every day). So the company called, said I had missed a bill and I needed to pay then over the phone with my credit card. Obviously they went mad when I told them I won't pay this way without receiving any king of paper by the mail or something to at least give me the slightest confidence that this wasn't a scam attempt. They ended up mailing me two weeks later, and charged me a fee for late payment…
Seriously, how do you want people not to fall for scammers if legit companies act the same way and charge you for being cautious…
I ignored it.
I got it again and ignored it.
On the third attempt, I finally called my bank. It actually was from them, and they really did somehow not have my proof of insurance, and really were going to cancel my loan.
I tried to explain to them what was wrong with the email, but they couldn't understand.
Edit: In the end, I physically went to the bank to handle it. I didn't do anything else remotely with them.
(every time, me: "Have you bothered to look at the google maps for my home before you called?" Them: "No, let me check... Ohhhh" me: "Yeahhhh... I can't get rid of the trees because they are rooted in the neighbor's property. Not that it wouldn't be quite ironic to remove decades-old trees just to install solar on a roof.")
Right before a trip I wanted to withdraw $60 in cash. I went to one atm, but it showed an error and didn't dispense the cash. So I went to another. Later in the day I saw the first ATM had withdrawn from my account despite the errror.
I called and was told if I wanted to ask for the transaction to be reversed they would cancel my card and mail me a new one. Of course, that meant I wouldn't have the card on my trip.
I ended up eating the $60. Suppose I could have tried disputing further.
I phoned in for an appeal and I was laughed at by the bank employees over the phone, and told I was mistaken and my family members must be the thieves. Claim denied.
Edit: Yardie is correct, this is assuming your counterparty doesn't pay the business fee. So this'll protect you from legitimate businesses, but a scammer isn't going to pay the extra fee to enable reversibility.
I paid an architect for work over Venmo. Work was never done and the architect ghosted me. So I sent all the info to Venmo in a dispute and they told me to pound sand.
Why does it survive?
Understanding this, banks have crafted Zelle to pass the responsibility down to the customer. It was a very smart move (from the financial industry's perspective).
I'll refuse to do business with anyone who doesn't take a credit card.
Email, text, and live phone calls are the typical approach. I can’t count how many times people have claimed to be her grandson needing emergency funds (usually bail). She also gets fake invoices via USPS but I manage her mail so it never gets to her. It is never ending.
https://www.aura.com/learn/how-to-identify-a-scammer-on-the-...
https://www.itgovernance.co.uk/blog/5-ways-to-detect-a-phish...
apparently, if you are a business owner, you can pentest-phish your own employees, this sounds like an interesting business to be in: https://www.knowbe4.com/phishing-security-test-offer-ga-nav
2nd occurrence - in the past 12 months, I get the classic text message, “Steve, as you know it’s my brother’s birthday and I always send him a $500 gift card. I am in the hospital unable to communicate or take care of this, and I was wondering if you could do it for me - here is his number : 212-xxx-xxxx.” Now I DID know it was his birthday and I DID know she always gave him a $500 gift card (pretty nice sister), and I DID know she was in hospital for a few days. I also knew that he lived in NY so the 212 area code was a nice touch. But I also am very familiar with gift card scams, so I just wrote it off. I was thinking I should just call him, wish him a happy birthday myself and ask him a personal question about his sister to which only he would know the answer. In any event I was just about to board a flight and it would no longer be his birthday when I landed. Then literally 5 mins later I get another text from one of our mutual friends, who lives on the other side of the country - “Steve, is there any way you can help, <name withheld> needs someone to send the birthday gift card to <name withheld>. I told her I could not do it but suggested she might ask you instead.”. Okay this was now getting interesting, The texts came from 2 separate women. I knew both of their Verizon accounts were set up with 2FA (heck I set it up for them!). What’s the chance of both of their accounts being hacked at the same time? (extremely high as any cyber-security expert knows). Both of these women were trusted personal friends - it wasn’t some inside job - they were in fact hacked. Verizon was hacked. Etc. I have some last minute urgent business distracting me, with which I am on the phone with my PA - at the end of that call, I instruct my PA “oh also, send a $500 gift card to <name withheld> at 212-xxx-xxxx from <name withheld>”. I figured she would do it through our Amex facility, which has recourse for such fraud. She just bought one off a website. Now everything that happened I knew better. But it happened anyway. It was one of those perfect storm situations where I just wanted things taken care of and I wasn’t being diligent. I’m not proud of it, quite embarrassed in fact. The ex-husbands of both of those women are cyber-security clients of mine. Part of me even thought it was one or both of them. In the end, THEY were the only ones to whom I reported the scam (oh and whoever is reading this) as I felt a professional obligation. Any cyber-security expert will tell you that it is this social engineering and grooming that is the key to many of these scams. Scammers are even more surreptitious now, using AI-generated voices to leave messages sounding just like the known confidant. Be very wary and just always …. say no!
Flash forward a few days, and she gets an automated called saying something akin to "Your delivery is on hold, please press 1", so she did, and got connected to an "agent" who she started talking with. In her conversation it became obvious to me it was a scammer, so I told her to hang up, but not before she got overly concerned at me.
She's pretty aware of these things, but it was just a right place at the right time kind of thing that caught her off guard even though there were plenty of warning signs.
Scammers abuse this principle by sending out texts to the tune of "Your package is on hold until you pay.". The chances a random person is expecting a package at any given time are pretty good.
Imagine if you went to a restaurant, and the staff refused to serve you until you showed them your bank account balance to prove you could pay. It is an immense failure of law enforcement to not crack down harder on widespread scams.
I recently took an interest into a phishing campaign because the guy was using Amazon SES and kept using new email templates and it kept landing in my inbox. He was an amateur and it was easy to find juice things on his server, and it looked like he was engaging in all kinds of different scams, like phishing for bank logins, defrauding online-shops, identity theft etc. With law enforcement options, I'm pretty confident I could've nailed him with a few hours invested. Get him for one crime, you stop 10 others.
But the last time I talked to a police officer locally, he didn't know what Netflix was so I won't even try to explain phishing to them and how I got this information on the perp.
Ten fully skilled security experts deputized @ 200K/yr. Fifteen assistants at $75K/yr. All personnel grossed up to 140% for fully loaded cost. Hardware, infrastructure, software, hosting services, $200K/yr. Total (((20010)+(7515))*1.4)+200 = $4,575,000/year.
You don't think that such a team could stop $50 million in crime in a year? I'd expect that $500 million would be a slow year and stopping $5billion would be more like it. There is so much of it and such low-hanging fruit...
I know of large corporation divisions where $5 million per quarter was literally their rounding error threshold three decades ago (likely more like $15 million now).
The payoff is so great it is astonishing that some large tech companies don't do it just for the general reputation of the industry. Or the banks for the same reason (e.g., I wont' touch Zelle, both because when I first checked it out it was horribly clunky, my bank wanted $20/month just to use it, and all the persistent scams).
Or, just for lulz. This is rounding-error pocket-change for these corps. If it got going, I could see a rivalry between MS, Oracle, & Alphabet execs for who could dunk the most scam dollars, and jail the most perps...
By "stop", do you mean "prevent from happening", "successfully prosecute", or "identify the perpetrators"?
My answers, respectively, are "no", "maybe, depending on the sample set", and "yes".
Definitely agree that successfully prosecute is harder than ID perps...
But you don't think there's enough scammers based in the US/Canada/EU to chase? Back to the Zelle scams as we started with, and an awful lot of scams that require cash mules, seem pretty trackable if someone puts in the effort, especially when people can drop the evidence at their doorstep.
What’s left would be cases like “I bought this iPhone off eBay and got mailed a brick”. If it was taking your team any longer than literally 10 minutes per successful recovery on average, you’d be better off just using that taxpayer money to reimburse victims directly. It just doesn’t make sense to throw 250/hr labor at a $500 problem.
1. most of them are probably outside the the jurisdiction of the hypothesized team mentioned above
2. that's a lot less than $50 million
3. this could be addressed with regular police work
The phrase "could be" is doing a lot of work there. Yes, all of these crimes could be — and I would argue SHOULD be — addressed by regular (presuming local or state) police work. Sadly, it is not.
Similar to rampant bicycle theft. It definitely could and should be addressed by local cops, but is largely ignored, and ignored even when people bring them real-time tracking of the bicycle. And you're not supposed to go vigilante and get it yourself (partly due to risk to you).
For #2, $50 million, that seems like a lot of crime. But let's take the mailing a brick for an iPhone example. Each one is roughly $1000. So we need 50,000 bricks per year. That's 137 per day. Way too much for one criminal. But with 250 criminals, they only need to send a brick every couple of days. And our cop team needs to average only a single capture per day to stop $50million of crime in a year.
Jurisdiction, yeah, they'd probably need national jurisdiction, since there are probably few crimes where the criminal and crime are in the same town (other than the FB market/Craigslist criminals). So, deputized by the FBI is probably best.
So, not unreasonable to search for a solution that actually works.
I agree that it is not. I am saying that you don't need a team of 10 cybersecurity expertise to show that someone mailed bricks or stole their cousins venmo money. Ten traditional detectives would be cheaper and a better fit.
Any technically sophisticated scams that would require a team of cybersecurity experts are likely already at the scale and scope that the FBI already does address them.
The intersection -- a technically sophisticated scam that is a small dollar amount -- isn't a problem that exists.
The reason that large cities don't spend much time on small dollar crimes is because they have bigger stuff to worry about. Yes, there's definitely people selling stolen phones on my local Craigslist, but there's also people stealing checks out of mailboxes and washing them to steal $50,000+. It makes sense to address the latter first.
Actually, chatting about it, it seems like the ordinary L1/L2/L3 service teams approach could work well. Ordinary up-trained detectives on most cases, when they hit something more complicated, call in the L2 guys/gals, and when it goes over their skillset/toolset, call in the L3 team, etc...
However it gets done, it certainly seems that we need something more than we've got.
You'll still have scammers from India, but you'll also have a lot that are running more elaborate scams and do a lot of damage by defrauding the government and companies.
That being said, it's smart to take precautions, and it's not victim blaming to suggest things people can do to reduce their risk of becoming victims. I teach my kid not to play in busy streets. That's not blaming pedestrian victims for car crashes--it's just sensible, risk-mitigating precaution.
When something happens is usually the best time to talk to others about that same thing. A bank exploded? Hey, have you heard that there are ways to spread the risk over multiple banks? A hospital got all their files encrypted and needs to pay a ransom? Let's talk about backup strategies and how to secure infrastructure because that could be your organization.
I don't think people discussing strategies seek to deflect blame from a potential bad actor (it doesn't need to be about crime, accidents happen all the time, and there are plenty of things you can do to lower your risk), they just want it not to happen again, or at least less frequently.
I think that, by far the greater poison holding us back is the obsession with personal responsibility that many people use as an excuse to not have to expend additional effort on dealing with a problem pragmatically. If you are suggesting educating people or giving them tools to deal with scams, that's great. But a lot of people don't want to do that under the very same rationale that you are using to justify it - that the victims could have avoided it. You are saying, "people can avoid this - we need to help them do so", but there is a significant part of society whose opinion on many topics where there is a victim is, "people can avoid this - they need to take responsibility".
I fully agree. My identity was stolen and used to sign up for retail credit cards in a spree, and I even did the research for them. I had a timestamp of purchase, the items purchased, and the cash register number. The police could not care less. For one, they are lazy as hell and throw up jurisdictions as an excuse. The mere fact that the thief seemingly only used one store per jurisdiction seemed almost intentional in terms of taking advantage of this. The total amount stolen was $9,000, but I don't think the police gave it a second thought after I contacted them, and this was in a city big enough that had a financial crimes department.
How do you know they are lazy and don't just have an excessive # of crimes to handle?
For example, US police eventually come up with enough evidence for prosecutors to start proceedings only in about 50% of murder cases [1]. Yet police departments spend very little of their time working on murder cases. [2]
Assuming you believe police investigating murders is valuable, I don't see how you can think police should be wasting time on broken taillight stops when they're failing that badly at it. (If the cops can't be reassigned they should be fired and their salaries used to pay cops who can)
[1] Technically I'm describing the murder clearance rate, but I use this phrasing to avoid the common and incorrect implication that a cleared murder means it's necessary actually "solved"
[2] There's no great metric for this. Assuming a police officer who just filed an incident report about a traffic stop for a broken taillight probably wasn't working on a murder case immediately before we can use incident reporting data. For ex, https://data.sfgov.org/d/wg3w-h783/visualization
The POTS and e-mail and usenet protocols are embarrassingly broken on this front.
For anybody who is building a communication system: If you are allowing anonymous messages to users is a default behavior and it is impossible or impractical to avoid, you have created a system for spam, scams, threats, and harassment.
Do you think if we let cops put on their pretty SWAT gear and roll into the front yards of white collar criminals' front yards in their APCs they'd start taking these sorts of things seriously?
Humans blame victims so often they've created a specific term for it - "victim blaming"
The boy that got scammed is so embarrassed that they won't tell anyone and they send the money.
It seems they must be carefully targeting relatively clean cut (so they'll be sure to be embarrassed) and wealthy kids (so they actually have $300 to send). It's mind blowing how well these scammers do their homework
Some committed suicide from the shame.
The problem is US law is so fucked up that having sex with someone that's days younger than you can be illegal and punishable by labeling you as a sex offender for the rest of your life. Even if the other person had a fake id and lied to you!
At one point they were targeting Muslim men because they knew the cultural implications of those videos being sent to their communities. I remember reading a story about a raft of suicides linked to that particular scam.
There’s also less sophisticated versions where the scammer will only claim to have hacked the victim’s webcam and demand money to avoid sending it to the victim’s friend list on social media.
After reading about this, I bought a bunch of cheap plastic webcam covers to give to everyone I know. They were only ~$1/ea on Amazon and work great.
Its not just teenagers, they target older men. I get requests on whatsapp from profiles with an attractive woman's display pic. I sometimes accept these requests and chat with them. They all want to have a video call on whatsapp.
I have never done any video calls with these scammers but their end goal is to have a video call where the woman might be wearing revealing clothes or even nude, get a screenshot where your face is on the call and then blackmail you, if you dont pay up that screenshot will be sent to your contacts.
I laugh a little at the language. What is the net loss? How many Americans have gained money through online scams? If we want to talk about the impact to the economy, those dollars are not necessarily leaving the equation. Illegal market activity is still market activity.