The primer that everyone needs
Recently, a family member of mine got scammed by some clever crooks. They sent her an email that appeared to be an Amazon receipt for expensive items she did not order, and she did what she thought was the responsible thing — she called the fraud number on the email. A nice person on the other end “helped” her out, and smoothly and gently talked her into making a bunch of credit card charges that she did not understand.
MasterCard thankfully agreed to not put her on the hook for the money they stole, so everything’s OK. But this seems like a good opportunity to talk to everyone about how to avoid being scammed, because professional criminals can be very, very good at seeming legit.
First of all, if you ever get emails, calls, or letters that alarm you, and you want someone to check them out, please call or text someone else you trust and get a second opinion before you believe it.
Second, I realize that even talking openly about security is uncomfortable and can feel cold to the needs of the world — especially this year, when there has been an inspiring movement against the abuses by our government’s security forces.
But keeping yourself safe doesn’t mean being paranoid or selfish — it’s a way of responsibly helping others, by lowering the incentive for deception and theft. Talking completely and openly about this, with no embarrassment, and coming up with a set of practices, tools and rules, makes it easier to keep the world safe, which can actually reduce our collective worry and stress. We would wish a strong foundation on others; it’s just as important to build one ourselves.
OK, here is my advice for keeping yourself and your information safe.
1. Information someone pushes to you, vs. information you find yourself
Any contact that is “incoming” — an email you receive, a call you receive, a door-to-door salesman, etc. — may be fake. You should assume it might be fake, no matter how convincing or charming they are. You can be polite, but if you want to continue the conversation, explain that you have to get off (you can always say you have to go to the bathroom), and then Google the company’s phone numbers and call them yourself. You can click links to articles in emails from friends, or in emails from companies that you requested (like when you forget your password). But if you get a link to a site where you’ll enter your password, DON’T click it. Instead, Google the company’s website yourself, visit it using that search result, and log in there. A link that looks legit in an email, like https://amazon.com/SignIn, can be faked: the text you see and the address it actually goes to are two different things.
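As an added example (not code from the original post), here is a small Python check that does mechanically what the paragraph above asks you to do by hand: compare the site a link *shows* with the host its href actually goes to. The sample email HTML, and the 198.51.100.7 address in it, are constructed for illustration.

```python
# Added example, not from the original post: flag links in an HTML email whose
# visible text names one site but whose real destination (href) is another host.
# SAMPLE_EMAIL is constructed; 198.51.100.7 is a reserved documentation address.
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercase hostname of a URL, or "" if the text cannot be a URL."""
    url = url.strip()
    if not url or " " in url:
        return ""
    if "://" not in url:  # bare text such as amazon.com/SignIn
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()

def find_deceptive_links(html):
    """Return (shown_text, real_host) for links whose visible text looks like a URL
    on a different host than the href really goes to (strict host compare, so
    www.amazon.com vs amazon.com is also flagged, which errs on the safe side)."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown = host_of(text)
        if "." in shown and shown != host_of(href):
            suspicious.append((text, host_of(href)))
    return suspicious

SAMPLE_EMAIL = """<p>Sign in at <a href="https://amazon.com/SignIn">https://amazon.com/SignIn</a>
or cancel at <a href="http://198.51.100.7/login">https://amazon.com/SignIn</a>.
Questions? <a href="https://example.org/help">Contact support</a></p>"""
```

Running `find_deceptive_links(SAMPLE_EMAIL)` reports only the second link, whose text says amazon.com but whose destination is the 198.51.100.7 host.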
2. Have hard lines about security
Decide, right now, to never tell your password to someone you do not know; to never input a password or credit card number on a site you didn’t type in yourself, or find in your own search; to never tell someone you don’t know personally your computer’s IP address; to never install a program that you didn’t find yourself, or that someone you don’t know personally told you to install. Real IT/security staff do not need your password to view your account. If someone you don’t know personally asks for it, they are likely trying to trick you. (There are some gray areas that are tricky: credit card numbers and even social security numbers are asked for by a surprising number of places these days.) If you decide you have a hard line, that means you are ready to remind yourself, “I know this seems legit, but I have a hard line on this, so I’m going to stop, even if that seems weird.”
3. Understand what “social engineering” is
“Social engineering” is when someone takes advantage of the different social rules we follow depending on how we mentally categorize the interaction we’re in. (It’s like using Gestalt Therapy for bad!) The criminals who scammed my friend were really effective. They provided lots of context clues that suggested that they were the good guys, and that she was talking to someone she trusted. They did things like casually asking about the weather, offering updates about their own children and learning about hers, finding out what part of town she lived in, etc. Those pieces of info actually gave them a lot of levers to use to manipulate her. Of course, this is how we operate as humans! We choose leaders and allies, we bring others into our circle of trust, we obey instructions, because of the context we build up over time for them. But this can be exploited, and there are people who are practiced in exploiting it.
4. Be ready to deploy “polite vagueness”
I have some questions for you: is absolutely everything regarding your family fine? Is there anything important in your family that could benefit from your attention? So it would be true if you said to a caller, a texter, or someone at your door: “I’m sorry, I value this conversation, but there is some important family business that needs my attention right now and I’m afraid I have to cut it short. My email address is ____________________ . Please email me.” (Then hang up or close the door.) This might sound unnecessarily polite right now, and if you want to just hang up, be my guest. But I’ve found it can be surprisingly hard to sever an interpersonal link that the other person is communicating trust about; it can feel surprisingly impersonal and unnatural. “Polite vagueness” is your ally here because your politeness and your honesty empower you to cut off the connection. (As for giving your email address, that’s a judgment call, but I just figure my email address is already getting so much spam, what’s the difference.) It’s especially important to be ready to do this when you think the contact is legit, but you just aren’t totally sure. You can always reconnect another time.
5. Urgency is a red flag
Do not trust any email, call or visitor that alleges something urgent. Clever fraudsters use urgency to get you to let down your guard. If you are concerned about the situation they are describing, remind yourself to be cautious, and try to get out of the conversation (or close the email) and ask yourself what you think you should do when you are free to think without the caller’s influence.
6. Get clear on your rules now
Get clear on your rules now, so that you don’t have to wing it if you find yourself in a situation where someone is alarming you and trying to get you to take action. Criminals count on shame, embarrassment, and silence to make their ruses more effective.
Tools to use
1. Use good spam filters
Most of us use Gmail, which does a very good job of just not showing you fraudulent email in the first place. (If you’re using something older than Gmail, I urge you to consider switching to Gmail; or if you’re boycotting Google’s ecosystem, try to find an established email provider with good spam filtering.)
Phone call spam is harder. You should add your numbers to the National Do Not Call Registry (Google it yourself, don’t click my link!). If you have a landline, I recommend a free filtering service that we use called Nomorobo (Google it yourself!), which is easy to set up. I believe Nomorobo also can operate on an iPhone or Android, though I haven’t tried it.
2. Use a “password manager”
A password manager is a program you run on your computer and on your phone which stores your usernames and passwords for all your sites in a secure form. It’s way more useful than remembering passwords, way faster than typing passwords in (it’s a godsend on the phone), and way safer than writing down passwords somewhere. I recommend 1Password (Google it yourself!); it’s $36/year for one person, or $60/year for a “family” of up to 5 people. This is the easiest money I spend every year. I do warn that it’s a bit confusing to set up at first, but I promise it’s worth it. (If you’re using LastPass or another password manager, great!)
3. Don’t use the same password on multiple sites
OK, I confess that I totally do use the same small list of passwords on a bunch of random sites like Reddit where money isn’t involved. So the real advice I have is, don’t use the same password on multiple sites that involve money. One of the great things about a password manager is it can generate new passwords when you sign up for sites, so you don’t have to reuse the same few passwords you’ve memorized on multiple sites. That way, if one site gets hacked and its passwords get discovered (this happens disturbingly often; I absolutely guarantee you that at least two username-password combinations you’ve used are known to the entire criminal world), criminals can’t use that info to access your other sites.
4. Use “2 factor authentication” on your banking and email sites
“2 factor authentication” is that thing where you log in, then they send you a text message and you have to type in the code they sent you. It’s annoying but it’s worth it. It’s especially important to do it on your Gmail account; we don’t usually think of that as being on the same security level as banking, but what if someone got access to your Gmail account? They could see where you bank, tell your bank to reset your password, get the password reset email from your inbox, and access your bank.
Please let me know if you have questions, things I left out (I’m sure there’s stuff I forgot), or corrections!