Ask HN: How do I keep my elderly father safe on the internet?
But he keeps getting scammed. He usually recognizes it after the fact, he’ll fill out a phishing form and call me right away, “I did it again.” He always feels embarrassed. They find him through emails and text messages. He ignores many of them (I know because he tells me, “Another one came through!”) but there seem to be so many that some get him.
I had to help him with something on his phone the other day and when I went to open a new tab in Mobile Safari, I saw no fewer than six different scam pages up. Fake Amazon, fake UPS, fake credit card. It was frightening. I’m worried he’s inching towards something catastrophic like sharing bank account information. It’s also making him afraid to use technology. He doesn’t want a credit card anymore, he’s so tired of having to change the number.
I don’t know what to do. He’s found so much independence thanks to technology, he’d be isolated if he stopped using it. He struggles with the most basic user interfaces, details that I take for granted are invisible to him, so I don’t think he’s likely to learn all the tricks of scammers. I can’t look over his shoulder all the time.
Does anyone have any advice for this? Any experience?
94 comments
[ 4.9 ms ] story [ 103 ms ] threadOh the sub also comes with 1password (quite complex) and malware bytes which might stop some after the fact damage.
I put in a feature request to make threat blocking work the same. But the nice thing is it’s on router level so it’s enabled without having to setup a device
- a proxy app of some sort to bundle communications w/ family (with you firmly MITM to verify).
- run a few of the scam email texts by an LLM. See if it can flag them accurately. If yes, you can ~automate the review.
Give dad a limited UI that does the basics that he needs: email and chatting with family. Problem solved.
Both options cost money but all the free solutions I know of would confuse or frustrate an elderly person that recently got into using computers and Gmail's spam detection has gotten significantly worse in the last few years.
Teach him to not click links in emails. Amazon wants him to do something? Easy. Go to the Amazon app. Amazon app not showing it? Maybe it was a scammer. This isn’t easy, and it isn’t foolproof. But just using the apps directly will help ensure he is interacting with the company he intends.
Make activities contextual to hardware. Buy things on the Amazon app on his phone, even if he browses on a desktop. The phone has the app, so there’s no uncertainty that this is Amazon. In a way it is less convenient, but in a way it is far more so.
Have the hard conversation. Maybe Dad needs a little extra oversight. Not because Dad is weak, but because Dad has already been strong enough to do the same for you when you were in need. (I’m being presumptuous here, apologies if that doesn’t track.) Maybe Dad needs shared accounts. Not because you don’t trust Dad. Because you don’t trust the internet, and it is a scary place.
A different way to look at it is that right now your description sounds like reactive support. Something goes wrong. You try to help. I’m not assuming you haven’t attempted proactive support, but it sounds like it might need more of it. Especially with family members, it is easy to inadvertently do too little to avoid doing too much.
And yes, I have been entirely reactive to it. I’ve explained how these scams worked, reminded him to stay vigilant, used all the typical tips, but I do think I need to make it harder for him to get in trouble.
But that’s very difficult to reconcile, as this person raised you. It is hard not to internalize some feeling of “how dare I?” in these cases. Since when does a parent need their child’s help at such basic things? Parents raise their children, but I don’t know of a term that captures that same feeling about an adult caring for their elderly parent. If there isn’t, there ought to be.
Additionally, consider looking into resources for caregivers. Reading material, maybe a support group, I don’t know. Whatever sounds right, if it sounds right.
You are one, a caregiver, even if you didn’t know it. That’s hard work! Sometimes invisible, even to the worker. If you feel exhausted from all of this, that’s not an unreasonable feeling. It’s hard to be proactive if you’re worn out.
Be aware of the necessary ongoing investment for anything “Home IT” you do. If it requires being on-site, if something goes wrong and you are hours away it could be a big issue.
Technical options are not bad. Sometimes they are the best. Just don’t forget to factor in ongoing maintenance and support, and all the ways that can go sideways.
It’s important to not look at the problem in isolation, too. Sure, you might be a networking expert, run your own vpn in a colo, etc, etc.
Do you have the necessary on-call AND on-site availability for when Mom can’t use Facebook because your pi-hole ate the sd card and you never got around to upgrading it to use a ssd?
- in iOS -> Settings -> Messages, enable "Filter Unknown Senders." Go through recent SMSes/iMessages and create contacts for short codes and numbers that he has communicated with.
This option won't block the messages, but it'll make them harder to find and make their links much harder to click on (AFAIK it's impossible unless he copies and pastes the URL or creates a contact for the sender).
- install uBlock Origin, which makes it much harder to reach the phishing scam sites that back a lot of these campaigns. They're often hosted on sites that are on malware filter lists. In uBO, enable all optional malware filter lists.
On iOS, do the same using AdGuard.
- in addition to the malware detection mentioned by others, consider enabling Google "Enhanced Safe Browsing": https://support.google.com/accounts/answer/11577602?hl=en
- for phone calls, install his carrier's robocall/fraud detection and blocking app. For AT&T, it's "ActiveArmor" (https://www.att.com/security/). If he has a landline, pay for caller ID and consider a phone that speaks the caller's ID (example: AT&T TL96273).
- depending on how his bills are paid: only put a small amount of money (a month or two of expenses) in accounts that are accessible without physically visiting a bank branch. If an account has no online access, no checks (nothing to read the account number off of), and no debit card, at least the maximum possible damage from a scam is limited. Either visit a branch one a month to transfer money or use a credit card for expenses.
Set it up on all devices + aggressively make it filter crap (there are block lists you can leverage)
Ublock + privacy badger + https anywhere
Other more extreme approaches: get him a router that has these capabilities and/or if friedly to running a custom firmware on it. Filter at router level.
Set up an always on vpn through a server you control. Filter the traffic.
some people...
The place to look for is certainly 'parental control' apps and set-up where you can put enough guards and notifications. More or less acting like a parent to old parent and hone on things based on their usage patterns.
They were never very outgoing people, weren't highly skilled at English being immigrants, and didn't engage in the polite courtesies that prepare you to be a well adjusted and sociable kid growing up in the USA. They had no cares for my arguments about being felt left out of activities or such.
But you know what, it's perfect for them not being scammed now, decades later. They just don't pick up the phone for anyone, or if they do and don't understand anything, they just hang up. They don't pay attention to emails or feel like they're missing out on some amazing deal that comes their way. All they have is a tendency to forward news articles that are slightly "oh I saw this 5 years ago".
Funny, it's like some evolutionary niche. Things that are a detriment in one environment turn out to be a saving grace and success in another.
Self-reference is important here when you are applying an observation of aggregate groups.
Edit: May be available for free with DNS changes: https://adguard-dns.io/en/public-dns.html (I haven't tried this)
Would he be willing and able to follow a strict rule "never give your bank account info without me"? That need should be a rare occurrence.
As for credit cards, maybe you could set up an account for him and don't even tell him the card number. Sign up for everything legitimate yourself, Netflix, Amazon, etc. If those accounts need to be updated for whatever reason, he calls you, just like with the bank.
And then if he insists that he still needs a card for one-off purchases, give him a prepaid card with limited funds, or "virtual number" that you can change. That way if it gets compromised he has a lot fewer, if any, places to change the number.
Changed his desktop pc so his account is no longer admim (can't install software). Additionally, the websites he can visit are now allow-list only with everything else blocked.
What I determined was that he was getting frustrated by the browser popups, and would click on anything that looked like it would make them go away so he could get back to what he was doing. That led to his machine being constantly reinfected after I would clean it.
Watching the "scam the scammer" education videos on Youtube would be of limited use because he would get in trouble "in the moment" and wouldn't think about his actions until much later (if at all).
If he were still around I'd install an adblocker as well as removing his admin rights.
Long term, use many uncorrelated solutions: with humans "you can fool all of the people some of the time, and some of the people all of the time", but with a single AI (as with all software) once you know how to fool it, you can simultaneously fool every single person in the world who is using it.
Also, there is some asymmetry in this problem. E.g. a little more false positives (a detection, but no actual threat) is not so bad, so we can err on that side.
[0]: https://nextdns.io/
[1]: https://adguard.com/
[2]: https://adguard-dns.io/en/welcome.html
Also have a small chat with him about not clicking on e-mail attachments, & not installing extensions. As an extra measure, turn on 2FA for all his accounts too.
In addition to being more resistant to malware, chromebooks are really easy to remotely support.
I also setup 2 factor with a yubikey for my Dad's chromebooks, with my phone as a backup authenticator. The key is simple to use (plug it in, press the button), and once you authenticate the chromebook does not need to be re-authenticated.
Smartphones are really not a great solution for seniors with limited dexterity, poor eyesight and limited computer skills.
Multiple times, I've checked up on their installs and found their accounts riddled with malicious browser extensions and search engine hijacks. They claim that they were aware of not clicking on stuff asking to install browser extensions, but they got tricked (multiple times) anyway. I suspect that the search engine hijacks helped the process.
After having this happen many times, I'm now of the stance that while ChromeOS itself is far more secure than Windows, it's very far from a turnkey silver bullet.
You really need a multi-prong strategy (ChromeOS/iOS, uBlock Origin/reputable content blockers, user education and vigilance, etc)
That will need some fine-tuning at first (and also another device at his house) but especially with a daily update of the adlists this should prevent him from going to the most common scam URLs...
If he's using his phone on the go, maybe throw in Wireguard/OpenVPN into the mix and make sure that it connects as soon as he leaves his home Wifi...
This is one of the reasons I pay for NextDNS and set my parents' network up to use it.
I haven't used their hardware myself, but I'd be curious to hear any experiences. While on the expensive side, they seem to do a good job of targeting the "I don't want to mess with this nor maintain it on an ongoing basis because I don't have the time" demographic.
[0] https://github.com/firewalla/firewalla/blob/master/LICENSE
I wonder if there's room for a service that does something like this; rent/buy a laptop which is locked down and has recommended extensions preinstalled, and a phone service (or maybe even in-person) when the user needs help.
I'm probably describing something that already exists, I just don't know it. Or maybe it isn't profitable at all.
1. "MDM for seniors." Basically, make sure all the stuff we've talked about is installed, running, and current. $x/device/month.
2. Consulting like you described - sort of an "MSP for seniors." I think this would be pretty time-intensive/hard to productize, and thus prohibitively expensive. (There are MSPs which target senior living centers, just not individuals.)
3. A membership/mailing list -- imagine an "AARP Tech Recommendations" with the changes in these HN comments, delivered 2-4x/year. It would be a standalone document with implementation-level instructions, not part of a magazine. "Hand this flyer to your kids, grandkids, or a tech-savvy friend."
To me, #3 seems most compelling. Obviously it relies on someone else to make the changes, but doing so would make it much cheaper.
AARP publishes consumer tech news (https://www.aarp.org/home-family/personal-technology/), but doesn't distill it to a quarterly-or-so cheat sheet. Arguably AARP would be the ideal distributor, and distribution through AARP might be the only way to get the CAC and price low enough.
(If anyone wants to create #3 above as a service, contact me and I'll be your first paying customer. This HN thread inspired me to ask a slightly more directed version of your question on Mastodon: https://mas.to/@troyd/110130476826925592. No replies yet.)
For email: could you maybe handle his email for him? I dunno how much he uses email.
I would set him up with a credit card with a provider that can generate temporary numbers. Or just have multiple accounts; one is a very low limit, another higher. Keep cash in one or two different bank acts, one of them just enough to pay bills.
Some wifi routers have parental controls (lol, the irony) that let you whitelist URLs. I would whitelist the common websites he uses and block all others.
I'm actually totally on board with his anger towards tech. If I didn't do tech as a living I would eliminate all my internet connections. It is just a distraction. There is so much more to life.
Personally for facetime - my dad finds it easier to communicate (he is in the early stages of dementia), to track his position and so he can use apple pay (he always forgets his wallet).
It gives him a connection to the world. He spends a lot of time watching YouTube videos about art and music techniques but he’s much more comfortable using his phone than computer. He’s been casually teaching himself Danish for a few years using Duolingo, also on the phone.
He takes a lot of photos when he’s out, usually trees so he can study them for paintings or drawings.
My mom died about ten years ago and he lives by himself in a sleepy neighborhood. He’s in an apartment building and his neighbors check in on him but he tells me that if I didn’t call daily, he could go a week without talking to another person. A dumb phone could do this but we FaceTime nightly so he and my daughter can talk.
He frequently looks at photos and videos of his granddaughter. He loves getting updates about her and goes back through his archives frequently.
He goes for long walks to the grocery store or to run errands. I think he’s started using Maps on his phone. I enabled location sharing so I can see where he has a habit of walking too far on too hot days with too little water, so I worry.
His hearing aids (Starkey Evolv AI, I think?) connect to his phone. He can control them from the app. This is also a constant source of frustration but he’s gradually getting better with them.
Most of these things could be done with single-purpose devices but that would be more complexity, more things to carry, charge, lose, break, etc,… He likes his phone. It helps him feel independent and connected.
I do wish there was a more scaled back version of the iPhone that was friendlier for the tech-averse, something closer to an Apple-improved dumb phone. He’s using an iPhone 8 Max now and if we had to replace it, we’d be forced to go to the smaller iPhone SE because there’s no way in hell that the buttonless iPhone would ever work for him. The tech keeps changing and he really needs stability and simplicity.
- uBlock Origin [0] in every single browser in every single computer in the household. This is non-negotiable in my opinion. It's the single best deterrent of scams and malware you can set up for anyone.
- NextDNS [1] as the router DNS, as the system DNS for every device, and as the DNS for every browser. This allows you to control more blocklists remotely for your father if he finds any issues. It also provides dynamic DNS-level blocking through AI and heuristics, along with the usual blocklists.
- Not used to macOS, but you likely can set up the user account to not be able to install applications (i.e. no root), this should help a lot. Using macOS or Linux is a huge win in security, simply due to distribution repositories or the app store being way more secure than downloading random EXE files from the internet.
- You will not manage to get him to use a password manager, or at least won't get him to use one correctly, so set up SMS 2FA in all of their accounts. "SMS? Isn't that insecure?", well the truth is that they will have awful passwords, you won't be able to change that, and they won't bother TOTP codes, so SMS 2FA is the next best thing. SIM swaps shouldn't be in their threat model.
-- Regarding password managers, you may be able to set one up to autofill, change password to generated ones, set up TOTP in the password manager. However, the big thing is to not expect your father or anyone else to actually bother with the password manager when creating new accounts. If you do set it up this way, tell them about it, educate them on how to use it, but make sure to nail on your father's head to NEVER type a password that's in the password manager, and instead always rely on autofill. If you're not sure which password manager to set up, take a look at Bitwarden [2] (FOSS) or 1Password [3] (which I hear is very simple for "normal people").
- Regarding credits cards, tell them to set up strict spending limits. I'm not in the US, so I don't know how's the situation there regarding virtual credits cards, but I personally choose to create a new credit card for every purchase I do. If your father has any subscriptions they have to pay, you could help him set up these virtual credit cards and assigning them to different services. Don't even take note of the password, the only use they should have is to be cancelled, you shouldn't use them to spend on anything else.
- Regarding phone security, set up caller ID and maybe even block unknown callers. For caller ID I personally have them set up with a Samsung phone which ships it by default, I'm also aware in the US some carriers may provide that service to you for the landline too apart from an app in the smartphone.
- Last, but not least, set up an email client or email service which is excellent when it comes to blocking spam. Gmail ain't it, unfortunately. I can't give you many pointers regarding this though because I'm not sure how often email will be needed nor what applications exist for macOS email clients, so you'll to search more on this.
Overall, these are the tips I'd give, so you can get started. Be aware this won't solve all issues, but it should make your life and your father life orders of magnitude easier. Best of luck and godspeed.
[0]: https://ublockorigin.com/
[1]: https://nextdns.io/
[2]: https://bitwarden.com/
[3]: https://1password.com/
I've done a ton of things here but the latest that has actually given me some piece of mind is setting up a financial aggregator app with all her accounts + some basic notification rules for withdrawals >$X connected to my email. Obviously this requires a lot of trust from your parent, a lot of trust in Plaid (which I hate and worry about), and doesn't fully protect against the worst cases since it's reactive not preventive. But it's felt like a good backstop at the very least.
This entire process has been so frustrating and nerve-racking that I'd happily pay quite a bit for a "digital security for seniors" service if something like that existed.
Good luck!
Android OS is notorious for this nonsense. Spammy apps are constantly advertised and it turns out that old people not familiar with technology can hardly differentiate between legit apps and “install to boost your battery!”…I think the right choice for a start is to get an iOS device.
And lately it's the same sort of shit... My dad will get a text message on Facebook from a "friend" (usually a dead friend) and it'll say something like, "I'm Joe's kid, and things are hard since Joe died and we need some money or we'll have to pull our kid out of school..." paraphrased, but that's generally the angle people take. And the scammers will send hundreds of messages... it makes it so hard.
I'll ask, "Dad, why did you have a 200 message conversation with this person?"
"Oh, I thought they were a scammer, but you never know... and after a while they just seemed legit." Again, paraphrased. Dad can't talk for less than 30 minutes at a time. =P
So what do I do?
1) I lock his devices and home router. I turn off data on his phone so he can only make calls when he's not on Wifi. I block ads (since those can take him to sites he doesn't need to be on), and I block fake news. https://github.com/StevenBlack/hosts
2) I sit down with him once a month and delete people on his Facebook account. I want to delete the whole account... but he uses it to talk to some of his friends... and it's important for him to keep connections. That said... FUCK Facebook for not doing more to prevent scammers. On some level, there's just no way to stay clean there. We delete anyone who died, or anyone who he hasn't spoken with in 1 year, and anyone who he has had any sort of falling out with. And man... the most frustrating thing is how many of these people we delete that just keep re-adding themselves. Facebook really should not re-suggest a friend if you delete them. It's such a sticky cancer with how it operates.
3) I sit down with him once every 2-3 months and we delete everyone in his phone and make sure contacts are up to date. I tell him to never take a call from a number he doesn't recognize, and to call me immediately if there's ever any doubt.
4) I run all the updates on his computer every month. And I check for programs that he doesn't need. Dad only has "User" access on his laptop, and I've toyed with the idea of taking away his ability to install any programs... but when we did that it meant he'd call me a lot more because someone had a Zoom meeting and he needed me to run an update. It's always a cost vs. benefit analysis with restrictions.
5) I have his phone paired to an old Tablet so I can keep tabs on him... I hate that I have to do this, but he's lost over $50k in the last 10 years to scams. And it's not the money that even matters... it's how down and how he cuts off connections with everyone once he gets scammed. The las time he lost like $5k... he wrote a check and mailed it, and somehow the person was able to cash it even though they weren't the name on the check. Anyway Dad really beat himself up over that, but it's not healthy for old people to be shut-ins. They need to talk with other people every day or the risk of dementia goes through the roof...
6) While not a perfect protection... we keep like $2k in his debit card, and we don't use credit cards. He has protections on his debit card from his bank, and that way he's got minimal exposure to online spending and credit card fraud. We just transfer over money every month from his savings / retirement accounts. And now that Dad is in his 80s, I mostly manage those for him.
7) I love for him to interact with people. Every time he goes to the dog park or gets out and meets a new friend... I'm happy and I want him to have conversations with people. But fucking hell, I swear 90% of the people who want to talk to the elderly are scammers. And at some level too... Dad doesn't mind being scammed if someone is willing to talk to him for 30 minutes... just listen to his stories. That's the hardest part. I tried hiring a nanny, just a...
> the most frustrating thing is how many of these people we delete that just keep re-adding themselves. Facebook really should not re-suggest a friend if you delete them.
Try blocking them? That might prevent re-recommendation.
But the moment you un-friend someone, they instantly show back up in your friend suggestions. So while Dad doesn't really talk to these people, the desire to not offend them, and their desire to connect with names the recognize, just puts everyone in a spot where they are prompted to re-friend one another.
Thanks though! I don't use Facebook myself, so there may be some other options I'm not aware of. I just want to not see those people and not have them show up in a friend suggestion, but also not block them from talking to Dad if they ever need to.
It's the overly-political ones, or the ones that spew fake news, that I worry about. Dad would say, "Oh I trust their father, they aren't going to lie to me, if they said they saw Joe Biden at a satanic ritual eating freshly killed Christian babies, they wouldn't lie about it!" =P (Only slightly exaggerated from some of the stuff these wackos post.) Or he thinks the internet is moderated by Walter Cronkite, "They wouldn't let them post it if it wasn't true!" (And honestly the "citation needed" marks have made things worse since a lot of times they don't show up and that makes Dad think it's been verified.)
Blocking them may be the best call... but it's hard if they find out they are blocked since that makes more drama. Then they call, "Why did you block me on Facebook, was your account hacked?" kind of stuff. I just want like a "mute" button that makes the person not ever show up in the feed or comments, but doesn't cause them to ever show up as "blocked." If you know how to do that in Facebook let me know. "Shadowban" is that the right term? =P Opt out!
Christ, I can't even stand driving an automatic car. I'm gonna be just as bad as he is with adapting to new tech. I am already. That automated voice in TikToc is the thing of my nightmares -- I hear it and it's like instant rage. I know exactly how Dad feels when he has to use a phone app! (=
When Dad grew up, he was in a very rural setting. He didn't get electricity until his senior year of high school. Then he went to work in a mine, then he went into the army. He was 21 before he ever met someone who didn't look like he did. Or ventured more than 50 miles away from his home. Computers came out and then the internet and then phones, and he had a flip phone until probably 2016.
And he was successful at what he did. Without the tech. So he had no motivation to learn it. He knew what worked for him, he knew how to get what he needed to done. The change he went through in his life time... I totally get it's been hard to keep up with it all.
But yeah man, we should have a Discord server or something (that's how you say IRC group now, yeah?) -- it's all been a bit much to deal with. Love to have some people to share experiences with. Plus... I think Dad would probably get a kick out of talking to other old people who have kids in tech.
"My son works with computers, does your son work with computers too?" I can just see them trying to explain the jobs of their offspring to one another. It'd be fucking adorable. Depending on who you ask, Dad has left the people with the impression that I do medical transcription, or program robots for welding, or farm bit coin. I love it.
ChatGPT isn't there yet, but I can see a future where it serves as a biographer for old people and automatically records and documents their lives, and prompts them daily to fill out more details. Then plays it back for them so they can approve changes to the story. I think Dad would really benefit from something like that... an obedient ego-less listener with infinite time who wanted to spend it helping immortalize Dad's story... he'd love it. And I don't feel like it's too far off.
But anyway, it'd be cool to swap stories. My email is in my profile. Cheers mate!
Credit card, ID, passport and so on
Just tell him to not give these and it should be fine
In the specific case of credit card, when buying stuff online one might give them but if he keeps getting scammed, better to either not buy online or check with you before buying