Watch out for scams, folks
“Maybe I should call my son and check…”
My dad is well-trained to call me for anything that looks even slightly off. Some of the scams thrown at him have been very convincing.
My in-laws too, now. They were taken in by a scammer who got full control of their Internet banking account. Thankfully, NAB’s anti-fraud protection kicked in and prevented the loss of a lot of money.
These scammers target the elderly. They are without scruples and will laugh while taking someone’s life savings. I honestly don’t know how they live with themselves.
Advice for spotting scams:
-
Microsoft don’t call you. I’ve worked with Microsoft gold partners for over fifteen years, I have premier support packages and the ability to raise requests with them. My employers/customers pay hundreds of thousands of dollars per year for me to be able to do this. They never initiate contact even with me. They sure don’t do that with regular users. If “Microsoft” is calling, it’s a scam. Every. Single. Time.
-
If the contact is coming from a company you don’t deal with, it’s a scam.
-
If the contact is coming from a company you do deal with: they will know your name and account details. If they initiate the call and want to confirm any information with you, ask for a reference number and hang up. Then go to their website, call the contact number and provide the reference number before confirming anything. If they are reluctant to do this, they are a scam.
-
Don’t just rely on scammers looking/sounding like scammers. I’ve seen some really legitimate looking phishing attempts. They’ll know your name, employer, address. They’ll be super friendly and helpful. If on the phone, they’ll be confident and efficient. But so will the real company. If you didn’t call them, be very on-guard.
-
Never ever, for any reason, provide either your password or that confirmation code if they initiate the contact.
I am THRILLED to say my parents have learned the same. I would rather them call me about every single Windows Update message than have them call for a single scam
Great points! I’d say never provide your password or confirmation code ever on the phone. They shouldn’t have you password stored anyway. Only a salted hash of it.
deleted by creator
deleted by creator
Grr - jebora failed me on the reply. Sorry for the spam.
Some places will use a password or code they send to you in order to ID you. My ISP will use my password to ID me. The bank will sms me a code for some interactions. That’s why the disclaimer on them initiating contact.
Another good one is ‘you cant win a competition that you never entered’
-
The thing that got me with this is that it somehow went from “I’ve got a $3,000 bill I need to pay” to her transferring $10,000. Is my family weird, or is that something that most people would just do? I mean, even taking out the whole scam bit, do people actually just hand out that type of money without a serious conversation about what exactly is going on? I’d be really worried that there was some sort of gambling or drug problem behind something like that, I’d be dropping everything to make real contact and figure out what’s going on.
She’s 83. I know one of my grandmothers, who is in her mid-80s and lives alone, is constantly trying to offload her savings to the rest of the family because she doesn’t want to spend it on herself. Her children keep telling her to keep the money, but she refuses to listen. Maybe there is a similar thing going on here.
I could well be. All of these scams seem to prey on some sort of anxiety, and often on people trying to do the right thing.
I wonder how much we could reduce scams if we focussed on helping people with managing finances and dealing with financial systems, instead of focusing on “personal responsibility”. It seems like scams used to focus on greedy people looking for a get rich quick scheme, now they target people who are just trying to manage day to day, and with all of the changes we’ve made to how things work it’s not easy to keep up.
There definitely needs to be some sort of ongoing and widespread education initiative in place to help people protect themselves. Relying on companies and/or governments to function perfectly, or blaming victims who are extremely vulnerable through no fault of their own, doesn’t work. As long as Australians don’t understand how anything works or the risks associated with what they are doing, they will continue to fall victim to scams, data breaches, identity theft, etc. It’s actually painful when I watch other people use a web browser and they don’t even know how to install an ad-blocker. Just the absolute basics like that are completely beyond the average person.
Hmm I doubt it since in the articles it says she’s had many sleepless nights about the lost money, not to mention the lengths she’s gone to to get it back.
Stories like this are a sad reminder of how woefully uneducated and vulnerable the average person is online. The bit where the bank asks the son to “take the phone to a repair shop and have it wiped” (factory reset) and he is shocked because he thinks he needs to “hand over PINs and passwords to some random person”, is evidence that this isn’t just a problem with the elderly. Even middle-aged and younger people really have no idea how anything works or how to do the basics themselves. Whilst the bank’s anti-fraud and customer service departments definitely seem to have issues, solely relying on these institutions to function perfectly and save us when things go wrong is completely the wrong approach. Greater efforts need to be made to educate people so they can limit their attack surface themselves in the first place.
The problem with that approach is people don’t engage with the education efforts, and if they learn anything it tends to be incomplete and often not helpful. Like people who hear about the Marketplace scams and believe PayID is an unsafe payment method, rather than realising that it is a scam involving fake PayID messages. People tend to pick up weird nearly superstitious ideas about how to protect themselves, while skipping the bits that are actually helpful. I’m not sure that you can prevent that, it’s just the way people are. Making it possible for people to speak to real people at banks and institutions, through communication channels they understand, would have to be a start though. Pushing people to navigate through various constantly changing systems of messaging, chatbots and voice recognition phone systems is just creating more vulnerability.
I remember about… 20-25 years ago I used to run programs to help educate elderly people on the dangers of being online, how to use forums, things to look out for etc. I checked to see if groups like U3A (https://u3amelbcity.org.au/) ran courses on it and it doesn’t look like it.
People tend to pick up weird nearly superstitious ideas about how to protect themselves, while skipping the bits that are actually helpful. I’m not sure that you can prevent that, it’s just the way people are.
Isn’t this the point of education though? To sift through the giant mess of information available out there and help people access the useful stuff? There will always be those, such as conspiracy theorists, who fall through the cracks but I don’t think this is a reason to just write off any and all attempts entirely. I believe most people are definitely capable of a) improving their technological literacy and b) developing safer habits with the right guidance.
I saw that recently the UK introduced a law that sending and receiving banks have to each pay for half the scam. We need that here as it forces banks to create good fraud detection. Here’s an article on it: https://www.abc.net.au/news/2023-07-11/uk-laws-force-to-banks-reimburse-scam-victims-unless-negligent/102563000
If that was introduced I’d be surprised if most scams weren’t stopped after a few years
I just got a new scam (to me) today that nearly got me.
An email about my Spotify account. I’d recently changed my plan, so good timing by the scammers. It said there was a payment problem and would be charged a cancellation fee.
Fortunately, I’ve trained myself to ONLY GO DIRECT TO THE SITE AND LOGIN THERE. So, I go to spotify, and the account looks all good. Then when I looked at the email more closely, yep, all the links go to a site not spotify. Gave myself a pat on the back.
Once the scam email is marked as spam, it garbles itself, so you can’t look at what it had said. Hadn’t seen that before. Of course, if you unmark it as spam, you can see it again.
Be careful out there!
That sounds impossible. Have you got the raw source?
I was amazed. Assumed it’s a whopping big pile of JavaScript in an html attachment. Yeah, i still have it. Will take a proper look tomorrow if I remember…
Checked it out, and it’s simpler than I thought.
Screen caps of email. The first is as it arrived in the Inbox, the second in the Junk folder.
Basically, they have an inline HTML file (and an inline spotify png). The HTML has lots of embedded rubbish text, associated with a specific style. That style is set to display:none, so it is hidden.
Now by default Thunderbird shows me the inline images and css. As it’s set none, I don’t see the rubbish text and the message looks and reads like a normal message.
But when it’s marked as Junk, Thunderbird won’t show the image, and won’t show any css. So the message then displays all the rubbish text and it looks garbled.
eg: the Bold heading in the body of the email is actually the html here
That’s pretty standard with moz - junk mail use hotlinked images and shit so they can see on their traffic side when an email is viewed. It’s why mail programs increasingly block external content by default (well that and the viral payloads). When you flag as spam, thunderbird takes it out of the ‘allow remote content’ list.