
Ask HN: Protect loved ones from online scams?

97 points| paulryanrogers | 8 years ago | reply

In the past some of my loved ones fell into a variety of online and phone scams. Experience in development has helped me personally, but even I've been taken advantage of when my guard was down.

Most of my efforts helping others were too little or too late: educating after the fact, Ubuntu Linux (too incompatible), password managers (left unused), etc.

How does the HN community protect their loved ones from these things?

60 comments

[+] Animats|8 years ago|reply
What really irks me is getting an email like this:

    Shipping account suspended

    Dear XXXX,
    FedEx shipping privileges for account number ending in NNNN
    have been suspended. To access and update your credit card
    data, log in to FedEx® Billing Online.

    Log in today (Button)
This just screams "scam", especially since I haven't used the FedEx account in months. When I log into FedEx (not using the link in the email), my account shows a zero balance and no outstanding messages. So I send the email, with headers, to "[email protected]". (They never answered.)

I call FedEx Revenue Services, and they can't find anything wrong with the account. They tell me the account isn't suspended. They want the expiration date on my credit card updated before the end of the month, but it hasn't expired yet.

I look at the message source, and it looks like it's really coming from FedEx, and the link really goes to FedEx. I keep looking, and can't find anything wrong in the headers. It's a legit email. It's just stupidity at FedEx.

Sloppy work, FedEx, sending out an email like that. You're training people to click on links they should not click on.
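The checks Animats describes doing by hand (does the mail really come from the sender's domain, does the link really go where it claims) can be scripted. The following is an added example, not code from the thread or from FedEx: it checks that the From: domain agrees with the Return-Path and the DKIM `d=` domain, and that each HTML link points at the domain its visible text names. The two messages are constructed samples; the helper names (`triage`, `registrable`) are this example's own. It checks DKIM alignment only, not the signature itself; a library such as dkimpy would be needed to verify the signature against the published key.

```python
"""Added example: offline triage of a suspicious email (constructed samples)."""
import email
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def registrable(host):
    """Crude registrable domain: last two labels.  Assumption: fine for .com,
    .net etc.; a public-suffix list is needed for co.uk-style domains."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(addr):
    _, a = parseaddr(str(addr or ""))
    return a.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_bytes):
    """Return a list of findings (empty list = nothing looked wrong)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    from_dom = domain_of_address(msg["From"])
    rp_dom = domain_of_address(msg["Return-Path"])
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_dom = m.group(1).lower() if m else ""

    # Envelope sender and DKIM signing domain should line up with From:.
    if rp_dom and registrable(rp_dom) != registrable(from_dom):
        findings.append(f"return-path {rp_dom} != from {from_dom}")
    if not dkim_dom:
        findings.append("no DKIM-Signature")
    elif registrable(dkim_dom) != registrable(from_dom):
        findings.append(f"dkim d={dkim_dom} != from {from_dom}")

    # Links: visible text naming one domain while href goes to another is
    # the classic phishing tell; off-domain links are a weaker signal.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            parsed = urlparse(href)
            if parsed.scheme not in ("http", "https"):
                continue  # mailto:, tel: etc. are not navigation links
            href_host = (parsed.hostname or "").lower()
            named = DOMAIN_IN_TEXT.search(text.lower())
            if named and registrable(named.group(1)) != registrable(href_host):
                findings.append(f"link text {named.group(1)} -> {href_host}")
            if registrable(href_host) != registrable(from_dom):
                findings.append(f"link to {href_host} outside sender domain")
    return findings


# Constructed samples (not the FedEx mail from the thread).
PHISH = b"""Return-Path: <bounce@mail-relay.example>
From: FedEx Billing <billing@fedex.com>
To: customer@example.net
Subject: Shipping account suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear XXXX,</p>
<p>Log in today: <a href="http://fedex.com.billing-update.example/login">fedex.com</a></p>
</body></html>
"""

LEGIT = b"""Return-Path: <bounce@fedex.com>
From: FedEx Billing <billing@fedex.com>
To: customer@example.net
Subject: Shipping account suspended
DKIM-Signature: v=1; a=rsa-sha256; d=fedex.com; s=sel; h=from:subject; bh=xx; b=yy
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in today: <a href="https://www.fedex.com/billing">FedEx Billing Online</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or "no findings")
```

A message that passes every check can still be a scam (a look-alike domain with its own valid DKIM passes alignment), and a legitimate mail can fail the off-domain link check when it links to a third-party tracker, so treat the output as a reason to go to the site by hand, as Animats did, rather than as a verdict.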

[+] muzani|8 years ago|reply
I got a similar dodgy looking email from Dell. It was from some different e-mail address (dellteam.com instead of dell.com). It was a failed transaction.

The email was completely dodgy, had several typos. There was a lack of instructions on what to do, just a "please contact us". I tried to contact customer service instead of the representative, but it was impossible because I needed an order code, which they never gave me. Emails to the individuals were never replied to and he insisted on only calling and handling a bank transfer over the phone.

The whole situation was very similar to a man in the middle attack.

It turned out to be legit, but the whole situation makes me never want to order anything from them again.

[+] a3n|8 years ago|reply
I've made the same complaint, "you're training people to click on links," to I-forget-who. "Your security is important to us, and we'll send that directly to the crickets."

Either the people you are able to contact don't care, because they have no idea what you're talking about, or they don't care because they wrote/required exactly what you're complaining about, out of expediency or ignorance.

[+] bmay|8 years ago|reply
Tweet their customer service (@FedExHelp). My friend who works in tech support (not at FedEx) recommends this practice.
[+] vertex-four|8 years ago|reply
I wonder if the link is to something on FedEx's site that has an XSS vuln and redirects elsewhere?
[+] louithethrid|8 years ago|reply
There should be a way to give a credit-card number that is automatically identified as fraud and triggers prosecution when used.
[+] frik|8 years ago|reply
Everyone knows that such spam mails are NOT sent by the company, but by scammers. Look at the raw email header.

So why is this comment on top?

It seems HN got mainstream and with it the usefulness is declining - low quality comments staying on top that can be answered by common sense.

[+] carlesfe|8 years ago|reply
My mother is a daily user of the internet with extremely limited knowledge and she has difficulty understanding even basic computer messages.

I designed a series of rules + practices which are stated as absolutes (i.e. no margin for interpretation) and they have worked well:

1. All emails with claims are false, even if I send them. Not only spam but also "snopes-like" scams from her friends. This rule always has precedence over anything else. 100% Never trust an email content. If it looks like there could be really bad consequences from ignoring an email, forward it to me and I'll decide.

I told her "imagine a stranger calls you on the phone and reads you the content of an email. Would you trust it?". She understood the metaphor.

2. She doesn't know her passwords. They are stored in the browser's keyring. Thus, she can't provide credentials to phishing websites.

3. She can click on links from emails, unless it is from a bank, because she knows her bank credentials. The combination of (2) and (3) makes the internet very usable for her as she can browse with confidence.

4. She only logs in to the bank website from her browser bookmark. She uses Safari's "Top sites" heavily, and she has learned to Google basic stuff.

5. If there is a weird message on a website, treat it as an email (i.e. it is false, etc)

6. Adblock is installed

7. She is beginning to recognize OS prompts, like icloud messages (storage, passwords). She knows she can never click on one before sending me a picture by IM. For these prompts password managers don't auto-input them and that's a problem. I must confirm its validity and then she has permission to open a notepad where her passwords are written and transcribe it to the prompt. But she always needs to send me a pic before opening the password notebook.

8. I have enabled Gatekeeper on the mac, thus she can't open binaries from the internet, only documents. Word macros are disabled.

9. If something doesn't look right, call/IM me on your cellphone

She is a very simple user and her needs are limited to websites, mail, office and a few games, so this works well. YMMV.

Maybe there are more rules that I can't remember right now, but the combination of not knowing her passwords + password manager + not trusting email + unable to run unknown binaries + adblock has worked wonderfully.

Let me know if you have more suggestions

[+] nl|8 years ago|reply
IPads work quite well for older users. They don't solve the password problem, but at least some of the other problems are avoided.
[+] noir_lord|8 years ago|reply
I put my mum on Linux Mint, hid the menu launcher and put icons for all the stuff she uses on her desktop, set updates to automatic and put her on a Gmail account on a domain I own.

That and a basic crash course in treat everything as suspicious unless you know it isn't has sufficed so far.

If she has any doubts she just rings me but that's rare.

[+] imroot|8 years ago|reply
I bought my mom an iPad (the largest one at the time) and bought her a printer that works with her iPad. In the two years since that, the only call that I've ever received was "Does this pop up that says 'OK/Cancel' that says my iPad is infected with a virus actually mean anything?" "No, Mom." "Ahh, ok. I didn't think so."

Works like a charm.

[+] swinglock|8 years ago|reply
If you install an ad blocker for Safari that will get rid of most of that as well. I have found Adguard works well and is free.
[+] apexalpha|8 years ago|reply
I have locked down their OS's with Unchecky, UAC to full, non-Admin accounts, all Win10 (love the forced updates).

Installed a PiHole to clear all their devices from malicious ads / malicious url's.

Seriously, since I installed PiHole my maintenance visits / calls have dropped by 90%.

They don't use a CC. Maybe once a year for flight tickets but I tell them to check the URL / https.

And I've told them 100 times: companies do not call you. They don't. Ignore calls!

[+] jsingleton|8 years ago|reply
+1 for Pi-hole: https://pi-hole.net

It's better than a browser extension, as it works for mobile devices and native apps (e.g. Skype). Remember to set a backup secondary DNS server in case it goes down though.

If the router allows changes to the DHCP DNS settings then make them there. Some don't, so then you'll need to use the Pi for DHCP too.

However, keep in mind that it provides an unauthenticated web interface that exposes all domains that have been visited. This could be a privacy risk. It's pretty easy to simply use dnsmasq on its own if you don't want the extras.

You can also use this technique to make some news sites less annoying: https://unop.uk/block-bbc-breaking-news-on-all-devices

No, BBC News still doesn't support HTTPS (it's now over 6 months later than they said it would).
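The part of Pi-hole that does the blocking is a dnsmasq rule of the form `address=/ads.example/0.0.0.0`, which sinks the name and everything beneath it. The following is an added example (not Pi-hole's or dnsmasq's code) of that logic in plain Python: it parses a hosts-format blocklist (the format Pi-hole's default lists use), drops entries already covered by a blocked parent, emits the dnsmasq lines, and answers queries the way the sinkhole would. The blocklist and the upstream table are constructed for the example; `minimise`, `is_blocked` and `answer` are this example's own names.

```python
"""Added example: the blocking core of a DNS sinkhole (constructed blocklist)."""

HOSTS_FORMAT_LIST = """\
# constructed sample in hosts format, as published blocklists are
0.0.0.0 ads.example
0.0.0.0 tracker.ads.example
127.0.0.1 click.tracking-cdn.example   # trailing comment
0.0.0.0 localhost
0.0.0.0 scam-prizes.example
"""

# Names a hosts file carries for its own sake, never block targets.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_hosts_list(text):
    """Return the set of names to block from a hosts-format list."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:                       # blank or malformed
            continue
        for name in fields[1:]:                   # fields[0] is the sink IP
            name = name.lower().rstrip(".")
            if name and "." in name and name not in LOCAL_NAMES:
                names.add(name)
    return names


def minimise(names):
    """Drop names whose parent is also blocked: address=/ads.example/ already
    covers tracker.ads.example, so a separate line is redundant."""
    keep = set()
    for name in sorted(names, key=lambda n: n.count(".")):  # parents first
        if not any(name == p or name.endswith("." + p) for p in keep):
            keep.add(name)
    return keep


def dnsmasq_lines(names, sink="0.0.0.0"):
    """Config lines in the form dnsmasq (and hence Pi-hole) consumes."""
    return [f"address=/{n}/{sink}" for n in sorted(names)]


def is_blocked(qname, names):
    """address=/d/ semantics: match the name itself or any label suffix.
    Matching on label boundaries means notads.example is NOT blocked by
    ads.example."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def answer(qname, names, upstream, sink="0.0.0.0"):
    """What the sinkhole hands back: the sink address for blocked names,
    otherwise the upstream answer.  `upstream` is a dict standing in for a
    real forwarder (assumption for the example)."""
    if is_blocked(qname, names):
        return sink
    return upstream.get(qname.lower().rstrip("."))


if __name__ == "__main__":
    blocked = minimise(parse_hosts_list(HOSTS_FORMAT_LIST))
    print("\n".join(dnsmasq_lines(blocked)))
    forwarder = {"www.example.net": "192.0.2.10"}      # constructed
    for q in ("tracker.ads.example", "notads.example", "www.example.net"):
        print(q, "->", answer(q, blocked, forwarder))
```

On the "backup secondary DNS server" point: a secondary resolver that does not itself filter will answer some queries unfiltered, because clients do not strictly fail over in order and will use either address. If the goal is that the blocking keeps working when the Pi is down, the backup needs the same blocklist; if the goal is only that name resolution keeps working, an unfiltered backup is the trade-off being made.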

[+] charlesdm|8 years ago|reply
This is how I did it: I got my mom an iPad. Has worked out well.

It's mostly immune to spyware, she's smart enough to know she shouldn't click on any random e-mails and not to use the same password of her email account anywhere else.

[+] mattbgates|8 years ago|reply
July has been made scammer / spam month for whatever reason. Saw it on a British website... so not sure if it applies to the United States, but just because I had been receiving hundreds of spam emails to my website's email account, I can imagine that other people are receiving the same amount of spam.. and some are even falling for it.

As a result of this, I wrote a series of articles to try and educate my readers on the dangers of replying to and/or dealing with any spam or scam emails.

Here are the links:

http://www.confessionsoftheprofessions.com/avoid-phishing-sc...

http://www.confessionsoftheprofessions.com/truth-seo-marketi...

http://www.confessionsoftheprofessions.com/confessions-profe...

http://www.confessionsoftheprofessions.com/how-to-notice-a-s...

http://www.confessionsoftheprofessions.com/teaching-children...

[+] navd|8 years ago|reply
The only way is really to educate them. I’ve dealt with this quite a bit with my family, and telling them what to be wary of has helped a bunch.
[+] jcahill|8 years ago|reply
There's always reducing the circle you consider "loved" ones, and CRISPR…
[+] a_imho|8 years ago|reply
Imo educating works best, you can only mitigate the problem with technology. I've only installed and configured a content blocker on grandma's computer as a passive measure against scams and for general benefits.

Otherwise I just advised her not to give out personal information, including email, phone and credit card numbers. And don't click links in emails where she does not recognize the sender or that look suspicious. Best not to even open them. In doubt, I'm usually available to double-check.

Pendrives caused a lot of problems in the past, luckily broadband solved most of the file transfer issues.

[+] scandox|8 years ago|reply
The internet just isn't safe for some users right now. Encourage them to call you if they're doubtful, never click Ads and to never interact with people that initiate contact with them first.
[+] Fnoord|8 years ago|reply
Its not just ads.

SEO affects search engines like Google, putting shady businesses high in the search result (sometimes even #1).

I've seen this first hand with my mother who needed a locksmith because the lock on her front door broke. The cost of 'repairing' was well over 500 EUR, and the lock wasn't repaired at all, it had to be completely replaced afterwards by a real locksmith which was legit but due to the damage the scammer caused was expensive as well. This is a known scam trick going on in The Netherlands, but probably just one of the many examples.

[+] lathiat|8 years ago|reply
Something I try to do is whenever I spot an obvious facebook scam (share to win free vouchers or holiday or something) -- I explain in the comment to that person exactly what I saw that makes me suspect it's a scam.

It's a subtle way to educate without "telling", which puts a lot of people off. For more direct approaches, see some of the other comments about rules for his mother, etc. :)

I find this helpful as 90% of the time these scams are super obvious to me but not others, so I try to share that knowledge.

[+] ptr_void|8 years ago|reply
Besides adblock + auto updates, tell them how some of the scams work. Show them some example screenshots/videos etc. from different areas. Enough to make them think twice about what they are allowing to run on their computer. Scammers are usually lazy, many times their email addresses, website address, or web design might give it away - so doing a few side by side comparisons may help.

There's also a lot of youtube videos that could be easier to send and less boring to go through. Ex:

- https://www.youtube.com/embed/bjYhmX_OUQQ?rel=0

- https://www.youtube.com/embed/DXfrfbNk7jo?rel=0

- https://www.youtube.com/embed/poFAzDCGLrI?rel=0

- https://www.youtube.com/embed/5zlnI3Bzslo?rel=0

- https://www.youtube.com/embed/O4KJq0XXIy8?rel=0

- https://www.youtube.com/playlist?list=PLDBC1CF5C16D5585D

[+] dannysu|8 years ago|reply
What's the reason Ubuntu didn't work?

That's basically the setup I have with my dad. He's using Ubuntu on desktop, which I taught him to use. There wasn't much to teach. He really just wants to use a browser. I taught him how to scan documents and print documents as well. That's pretty much all he needs to do.

And then he has his iPad as well, and I taught him how to print stuff from his iPad too.

I also got him to use 1Password, and he has unique password for each site.

These are all things I've taught my dad to do.

[+] paulryanrogers|8 years ago|reply
Printing, games, and slower performance for things like Netflix and boot.
[+] secretsinger|8 years ago|reply
Most "non-tech" people have a reasonably small attack surface, so my approach has been to try and milk the Pareto principle:

Here are some things I've found which are simple enough to implement but actually offer substantial gains. Learned mainly from helping partners and parents:

1. Move them to Gmail. Email seems to still be the primary vector for most attacks and Gmail's filters are awesome.

2. Get them on a less permissive OS. Shifting from Windows to OSX/iOS has made a huge difference.

3. Teach them a reasonable password-generating method (correct-horse-battery-staple or some such). They are gonna forget and reset passwords regularly, which is OK. I gave up on getting them to habitually use a password manager.

4. Force (coerce/bribe/cajole) them to use 2FA on critical accounts (email, FB)

5. Tell them lots of anecdotes about hacks, things I spotted in my email, etc. As someone else pointed out, you can work in a lot of useful info in a memorable way in these anecdotes.

Tech does seem to be only part of the solution (and probably not even the major part). I've been doing some gig work for a company [http://www.popcorntraining.com] that does story-based security awareness videos, mainly for corporates. They have pretty good results based on fairly small time investment by the participants.

Sadly, most of the players in this market seem to be focused on big companies at the moment, with a few starting to aim at SMEs. We've bounced around the idea of trying to help the consumer market, but it's not yet been worthwhile for them.

[+] sep|8 years ago|reply
If you use the LogDog app, your online accounts are continuously monitored for suspicious access. It sends an alert to your phone and prompts you to review the issue and change your password if necessary. We're trying to make it as understandable and as easy to operate as possible, so even technically-unsavvy people could benefit.

That being said, there's no getting around education. It's key to prevent a person from being scammed out of their passwords or oauth-access in the first place.

[+] austinjp|8 years ago|reply
Never heard of LogDog, looks very interesting, thanks. Are you planning a web-only service, or must it be a native app? Some relatives of mine don't have smartphones but do use plenty of online services.

Are there other web-based services people here can recommend? Haveibeenpwned is great of course, but the horse has left the stable by that point, something that sniffs out suspicious activity before trouble occurs would be great.

[+] Mz|8 years ago|reply
1) Find out what their pain points are.

2) Develop or help them develop viable processes for their needs and abilities that will sidestep issues.

This involves a small amount of educating people, less than is needed for real internet literacy. The difference is it makes them literate enough to navigate the parts they actually use, without some huge burden of additional general information that they don't really need and which will just interfere with them learning the pieces they actually need to know.

[+] jakub_g|8 years ago|reply
When it comes to protecting login passwords from phishing emails, it is said that U2F hardware tokens are the best (yubikey etc) but it might not be the easiest solution for non-techies.

Good advice is to never click links in emails, but go manually to a given page (via Google perhaps) and log in yourself.

It's a bit easier if your family lives outside of an English-speaking country when it comes to phishing. Phishing spam is either English, or a poor Google Translate job 95% of the time.

[+] akulbe|8 years ago|reply
+1 for the iPad recommendations.

I'd also recommend a Chromebook, for folks who don't like or can't afford the iPad option.

[+] zamalek|8 years ago|reply
uBlock Origin blocks some scammer websites (just configure it). It's not a complete solution though.
[+] frik|8 years ago|reply
Gift your loved ones an iPad or Android tablet, maybe also enable some parent control to limit their exposure. 90% of end users don't need a notebook, a tablet is the safer alternative.
[+] Rjevski|8 years ago|reply
Not Android. The lack of updates and ease of installing a third party APK is just too high (not mentioning the occasional malware in the Play Store itself).
[+] paulryanrogers|8 years ago|reply
Cost in money and waste are other factors. Perhaps I can put Chrome OS on one of their existing computers.
[+] gcb0|8 years ago|reply
I gave up when I saw they use apps to help their phone manage memory and battery. And they claimed that despite ads in the app's forced lock screen, it was worth it.