How we talk about scams needs to change.

I work for my local power company. I'd seen generic notices to the public about being wary about scammer, but nothing so direct about using the threat of a power shut off to extort $$. Always thought it was people trying to gain access to homes for robberies. Which also happens.

So when I got a call I almost fell for it. We are selling my aunt's property, and realtors have to pick unknown calls. Passed the call to me.

They were soooo skilled at manipulation. I looked passed the first few minor mistakes. It took insider knowledge to raise my guard. Even then I wasn't sure it was a scam until after I hung up and called the legit line. I owed $75, not $900.

Had I known they used power shut off as a lure, I'd have been more wary. They probably used the listing.

Be wary of scams isn't enough. You need to know the basic MO, which can be really creative. Once they have you it is really hard to get their claws off.

I think we should treat people who get scammed and come out and talk about it like heroes.

Agree.

From a couple of days ago, a hidden number, I answer only with hello then wait. This is paypal , did not use my name about money booked from your account, 500 Euros, press 1 to connect to accounts department.

I just kept quiet and waited to see if a human would try and talk me in to revealing some information.

Had I answered with my name that number could be sold as confirmed.

I was **inches** away from being scammed by someone pretending to be animal control and saying they had my dog who had run away and needed a deposit for surgery, claiming she’d been hit by a car.

I absolutely would have given them my cc number. I was so scared and sad and relieved — just such a rush of emotions. But they asked for Zelle and it was just…off.

Like with you, part of what made it clear it was a scam was when they got mad that I tried to hang up and call them. I was like “dog people are not this mean.” Cause wow they were so, so mean.

But truly they would have had me.

I agree emphatically.

Thinking about the org context: It's impossible to build a culture of better security while also reinforcing a culture if personal fear and shame for being scammed. It's not your fault someone lied to you. Compensating controls are the responsibility of the organization; the staff responsibility is to follow procedures, and the procedure should invoke the compensating control. That is a completely different concept than "don't get scammed or it's your bad."

Scams especially phishing attacks rely on ignorance as much as a lapse in attention.

And I have had friend’s email get hacked and be used to spread the attack.

Somebody I’ve worked with just got snared by phishing a few days ago,. And that account was linked to his major sources of income online.

It’s crazy not to make use of two factor authentication the very least for the family jewels so to speak

Absolutely 👏

Embarassment and fear of derision from others helps scammers, scammers count on it.

I've spent a good bit of time studying why people fall for scams and why they don't listen to advice.

Some people are genuinely lazy and don't want to be bothered, but luckily they're in the minority. Most people, I think, just need better information.

Large companies, unfortunately, are actively working to make phishing easier by moving away from having real humans and by behaving more and more like phishers, which makes even good information less helpful to people.

Big businesses want people to be OK with getting phone calls from automated systems where we can't talk with humans and the "bot", if we can even interact with it, is dumber than a log. They expect us to authenticate ourselves to them when they call us. They make it either impossible or extremely time consuming to even talk to a human.

So when you tell people to never believe caller ID, to not believe any calls, to call a company back if you think they're actually trying to call you, it's understandable that they don't want to spend (sometimes literally) hours doing that.

The same goes with email. I tell people to not click links in email if they can help it. If they have reason to think the email might be legitimate (that is, they're expecting the email), I tell them to copy and paste the link in to a browser window and look at the URL. But what are people supposed to do when a link says "Walmart" (because email clients these days are basically web browsers), yet the URL actually starts with "walmartbpr.srvys.io"? Are people supposed to know how to deal with this?

This happens with banks, medical institutions, stores...

So how do we educate people to be careful when it's the opposite of what businesses are doing? Why should it be incumbent on users and not corporations to be more careful?

Your point is CRITICAL. As an infosec pro I have worked with scam victims and similar and the shame is such a huge factor in negative outcomes.

It’s why there’s a very conscious, if partially successful, effort to relabel “pig butchering” as “romance baiting” (the original term comes from China).

Also, Dad has dementia and has gotten scammed a few times (ie fake tech support). He knows I won’t judge him if he comes to me.

So you remember end of April when I had a scammer supposedly part of the (Name of my bank) Fraud Unit latch on. I posted about it then. It was a shocking experience. The scammer had my legal name, address and knew I did my banking there and had a money market account. They did not ASK me to reveal anything. I thought it was for reals. They told me only 14 money market accounts there in different branches were involved. That it was an inside job with one staff arrested. They were quietly looking to see if there were accomplices.

Yes I did what was requested. Withdrew my money at bank and started a new account there but used a special acct # as requested “that would be masked” so an employee couldn’t discover it for a week. This was required to protect me. I felt really uneasy but well , my money was saved from fraud.

Drove out of parking lot and still felt really bad so called son who was traveling on business. He called the bank and guess what, there’s no Fraud department. Drove back to bank 20 minutes later. Was able to stop transfer. Started all 4 brand new accounts. Froze my credit at 3 big credit bureaus. I was told likely need at least a year because the scammer had enough added info now they likely sold my info. I’m damn lucky to have saved my money and no loss. Yikes.

I have a question for you. The person that I know that just had their email hacked apparently had two factor authentication on his YouTube channel.

As a matter of curiosity, what are the ways TFA can be cracked?

@cmthiede

Had an interesting discussion regarding why so much spam is OBVIOUSLY fake.

It is because they are also building a contact list of the more easily fooled.

I think you have a good point there.

It's a long time since I've worked in an A&E department, but for quite a number of people, one of the most painful aspects of their injuries was explaining how it came about.

"Well, I was just..."
“You didn't! What on earth were you thinking of?"

The embarrassment of being scammed very likely means that a new angle continues to be useful for longer than it should.

And never say never. I once got caught off guard by a bank calling on a Saturday morning. As I gave out info over the phone that I shouldn't have given over the phone, my fellow looked at me in horror. We immediately went to my bank, which fortuanelty was open, explained what had happened, & I got a new bank card & scrutiny of my accounts. Fortunately all was well.

Turns out the scam the phone person was informing me of was real, but the actual bank person thought the call odd.

Sensitive content Clicca per aprire/chiudere

Scams are embedded in the very fabric of society.

Republicans are stirring up Trans panic to get evangelicals to vote. Evangelicals have a worldview that women must remain underpaid or unpaid labor to society & to men.

Just as they were "outraged" by a black president and the possibility of female presidential candidates, they were "outraged" by blacks who could "pass as white" and Latinos who were perfectly bilingual.

You can't do wage suppression without superficial bigotry.

agreed!

also expose the people who avoided a scam by being like "no I won't send $100 to my nephew in distress"

i always find it funny when people think they’re smarter than the scammers

youtube.com/@JimBrowning makes videos on how the scammers operate and how he stops scamming operations, but even he has been scammed before

its only a matter of time before someone is scammed

Jim Browning

Tracking and identifying scammers who knock my front door, call me or shove popups onto my computer screen. ** Please do not email me asking for help with hacking issues. I cannot help.

^YouTube

I largely agree, but I can't help but remember the virus age in the '80s.

I worked at a company where a business VP (not a techie) wanted to introduce unnecessarily convoluted rules to protect the company from viruses. His justification was that he'd been infected five times in the past month and KNEW how these things worked.

I pointed out that I'd not ever suffered a virus infection and that perhaps we should be listening to the people who didn't get infected for policy.

🧵 (1/n)

ANYONE can make a dumb mistake. Especially on one bad day.

And there's a lot of bad behavior from "legit" sources that makes scamming easier.

The IRS *DID* call me once. I assumed it was a scam, and got into some trouble over it that took months to resolve.

One of the utilities I rely on actually *DOES* send invoices by email. They haul trash. They're not infosec experts.

This obviously makes one think twice about "obvious scam" messages, even if you're careful.