As with most people who work in technology, I sometimes find myself in a tech support role during the holiday seasons (well, all the time really). I feel it's extremely important to encourage family members to think critically when sharing information or computer access with anyone out on the internet. There are two scams that I’ve recently had to deal with, and there are lessons to be learned from both of them. Hopefully by sharing these experiences, you can avoid having to deal with the negative consequences yourself.
Both of these scams required that the victim/mark be willing to trust the conman to some degree. To avoid these types of cons, one rule is plain and simple: DO NOT TRUST anyone on the internet (this goes for phones and devices connected to the internet as well). A healthy dose of paranoia and distrust is the only thing that will keep you safe from these cons.
During this past Thanksgiving holiday, a family member’s computer was hacked, and I helped her clean up the pieces. How did it happen? She had called the number on what she had thought was an Amazon website. The person who answered told her that her account had been hacked. He offered her assistance and initiated a screen sharing session where he proceeded to “help” her. At least that’s what she thought, though with some mild misgivings. Unfortunately, assisting in this way is something Amazon would never do.
We’re still not sure what the hacker was after, or what was done to her machine. My family member saw him open a terminal session and after that, one can only imagine what mischief he might have made. I spent the first few days of the Thanksgiving holiday changing all her account passwords, assisting with cancelling credit cards, and rebuilding her computer.
The Amazon website she had gone to was a phishing site and was likely spawned from an email. Helping her realize how to tell the difference between a legitimate site and a fake one is difficult, but a good start. It is a good thing to look for the lock icon in the URL and only purchase from reputable stores, but it is difficult to teach this and more difficult to practice this on a consistent basis. If in doubt, only use secure sites (those with a lock icon in the URL, see screenshots below) and verify the certificate by clicking on the lock icon to see what site it is registered to.
Chrome on macOS Sierra
Safari on macOS Sierra
Internet Explorer on Windows 10
Chrome on Windows 10
For any online purchases, you should use a method of payment that protects you against fraud. For example, if someone hacks or steals your Visa account info, you are not responsible for the cost of fraudulent purchases. You do, however, have to spot them, so monitor your monthly statements carefully. Doing this means that even if someone gets your credit card number, you will hopefully notice it and be protected from liability.
Lastly, letting someone you don’t explicitly trust onto your machine is very dangerous. My advice is to discuss with family members where the line needs to be drawn before they get approached, and never let a stranger get that access.
The second story happened a couple of weeks prior to Thanksgiving. I had received a call on my cell phone from someone claiming to be with the IRS. They said that if I didn’t call them back, I would be arrested within 24 hours. I assured myself that it wasn’t real, but I had to process the story. It’s a similar calculation one makes when they see a magician cut their assistant in half for the first time. You know the truth, but the trick makes you doubt your own eyes. While I doubt I could have fallen for this IRS scam, there was a moment where I was forced to entertain the idea it might be true. If I had actually been talking to a really persuasive person, I’m not positive I couldn’t have been conned.
How could I keep safe in the future? If I were to have a plan in place on how to protect myself from trusting a conman, could I still avoid this type of scam?
In order to trust, you need to validate. How would I go about validating that the person calling me was really from the IRS? Obviously I wouldn’t trust the caller; I would look up the IRS phone number and then call them myself. Only if I were able to validate the caller from an independent source could I have some assurance I wasn’t dealing with a conman.
Both of these nefarious activities pose a huge problem. Here is my advice. It may not be the best, but it is a start in the right direction. The first is to have a plan before you become the mark. The second is something my father used to tell me: Don’t just trust anyone.
Unfortunately in life, you will need to trust people at some point. Before you decide to trust someone you need to be able to validate them. Depending on the trust you are giving them, you may need to validate them from several sources. When in doubt, ask someone you really do trust.
With this trust and validation in mind, if you get a call from someone you cannot validate, don’t give any information. Remind yourself that you must validate them first. If someone calls you and says “Hi Grandma, I am trapped in a foreign country and need you to wire me money…” make sure you can fully validate their story and the scenario before you spend any time worrying about it. Make sure that your friends and family are aware that you would expect them to require validation, and you would do the same were the roles reversed.
Make friends and family aware of these cons. Help them have a plan, and encourage them to call someone they trust if in doubt. Help reassure them that validation is important and acceptable.