
Ask HN: Protect loved ones from online scams? - paulryanrogers
In the past some of my loved ones fell into a variety of online and phone scams. Experience in development has helped me personally, but even I've been taken advantage of when my guard was down.

Most of my efforts helping others were too little or too late: educating after the fact, Ubuntu Linux (too incompatible), password managers (left unused), etc.

How does the HN community protect their loved ones from these things?
======
Animats
What really irks me is getting an email like this:

    Shipping account suspended

    Dear XXXX,
    FedEx shipping privileges for account number ending in NNNN
    have been suspended. To access and update your credit card
    data, log in to FedEx® Billing Online.

    Log in today (Button)

This just screams "scam", especially since I haven't used the FedEx account in
months. When I log into FedEx (not using the link in the email), my account
shows a zero balance and no outstanding messages. So I send the email, with
headers, to "abuse@fedex.com". (They never answered.)

I call FedEx Revenue Services, and they can't find anything wrong with the
account. They tell me the account isn't suspended. They want the expiration
date on my credit card updated before the end of the month, but it hasn't
expired yet.

I look at the message source, and it looks like it's really coming from FedEx,
and the link really goes to FedEx. I keep looking, and can't find anything
wrong in the headers. It's a legit email. It's just stupidity at FedEx.

Sloppy work, FedEx, sending out an email like that. You're training people to
click on links they should not click on.

~~~
Xuebit
It is very easy to spoof an email address[1], so it could be that it is
someone from outside of FedEx.

[https://superuser.com/questions/505503/how-can-you-fake-an-e...](https://superuser.com/questions/505503/how-can-you-fake-an-email-address)

~~~
unkown-unknowns
However, you can still check the IP address of the mail server that sent the
mail. Some things to look at:

1\. Check PTR for IP and verify that the A or AAAA record for that name points
back to the same IP.

2\. Compare with IP address of server that sent previous mail to you.

3\. Check SPF records for the domain.

4\. Check MX records for the domain. Keep in mind that they might be using
different servers for sending than for receiving though and that MX is for
receiving.
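
An added example (mine, not from the thread) of steps 1 and 3 above in Python: it pulls the sending IP from the Received headers of a constructed message, does the forward-confirmed reverse DNS check through injectable resolver callbacks, and evaluates an ip4/ip6 SPF record against that IP. The message, hostnames and addresses are constructed; the resolver callbacks are placeholders for real DNS lookups.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not a real mail). The receiving side
# (mx.example.org / imap.example.org) added the top two Received lines;
# everything below them was written by the sender and cannot be trusted.
RAW_MAIL = """\
Received: from mx.example.org ([10.0.0.5])
    by imap.example.org with LMTP; Tue, 1 Aug 2017 10:00:02 +0000
Received: from mail.example.net (mail.example.net [203.0.113.25])
    by mx.example.org with ESMTPS; Tue, 1 Aug 2017 10:00:01 +0000
Received: from [192.168.1.20] by mail.example.net; Tue, 1 Aug 2017 09:59:58 +0000
From: billing@example.net
Subject: Shipping account suspended

Log in today.
"""

# Internal/loopback ranges: hops inside your own network are skipped when
# looking for the address your MX saw on the outside.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def sending_ip(raw):
    """Walk Received headers newest-first and return the first non-internal
    address, i.e. the peer that handed the mail to your infrastructure."""
    for hop in message_from_string(raw).get_all("Received") or []:
        m = re.search(r"\[([0-9a-fA-F.:]+)\]", hop)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if not any(ip in net for net in INTERNAL):
                return ip
    return None

def fcrdns_ok(ip, ptr_lookup, addr_lookup):
    """Step 1: the PTR name must have an A/AAAA record pointing back at ip.
    Resolvers are passed in (placeholders) so this runs offline."""
    name = ptr_lookup(str(ip))
    return bool(name) and str(ip) in addr_lookup(name)

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, ip):
    """Step 3: minimal SPF check covering ip4/ip6 mechanisms and 'all';
    include/a/mx/redirect terms need live DNS and are ignored here."""
    ip = ipaddress.ip_address(ip)
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
        elif term == "all":
            return QUALIFIER[qual]
    return "neutral"
```

A version-mismatched mechanism (an ip6: network against an IPv4 sender) never matches, which is why the fallthrough to "all" carries the record's final verdict.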

~~~
stephengillie
These sound like good steps to determine if a sender is legitimate. Is there a
plugin that already does this for existing email clients?

~~~
d3sandoval
Google Gmail and Inbox both show this information if you click the "view full
message" option on any particular email.

~~~
OJFord
I'm pretty sure GP means: is there a client that runs this check in the
background, and either tells you or marks it as spam?

------
carlesfe
My mother is a daily user of the internet with extremely limited knowledge and
she has difficulty understanding even basic computer messages.

I designed a series of rules + practices which are stated as absolutes (i.e.
no margin for interpretation) and they have worked well:

1\. All emails with claims are false, even if I send them. Not only spam but
also "snopes-like" scams from her friends. This rule always has precedence
over anything else. 100% Never trust an email content. If it looks like there
could be really bad consequences from ignoring an email, forward it to me and
I'll decide.

I told her "imagine a stranger calls you on the phone and reads you the
content of an email. Would you trust it?". She understood the metaphor.

2\. She doesn't know her passwords. They are stored in the browser's keyring.
Thus, she can't provide credentials to phishing websites.

3\. She can click on links from emails, unless it is from a bank, because she
knows her bank credentials. The combination of (2) and (3) makes the internet
very usable for her as she can browse with confidence.

4\. She only logs in to the bank website from her browser bookmark. She uses
Safari's "Top sites" heavily, and she has learned to Google basic stuff.

5\. If there is a weird message on a website, treat it as an email (i.e. it is
false, etc)

6\. Adblock is installed

7\. She is beginning to recognize OS prompts, like icloud messages (storage,
passwords). She knows she can never click on one before sending me a picture
by IM. For these prompts password managers don't auto-input them and that's a
problem. I must confirm its validity and then she has permission to open a
notepad where her passwords are written and transcribe it to the prompt. But
she always needs to send me a pic before opening the password notebook.

8\. I have enabled Gatekeeper on the mac, thus she can't open binaries from
the internet, only documents. Word macros are disabled.

9\. If something doesn't look right, call/IM me on your cellphone

She is a very simple user and her needs are limited to websites, mail, office
and a few games, so this works well. YMMV.

Maybe there are more rules that I can't remember right now, but the
combination of not knowing her passwords + password manager + not trusting
email + unable to run unknown binaries + adblock has worked wonderfully.

Let me know if you have more suggestions

~~~
nl
iPads work quite well for older users. They don't solve the password problem,
but at least some of the other problems are avoided.

~~~
carlesfe
She likes the big screen of her 24" iMac. But when it breaks down I'll
definitely get her an iPad. She took a long time before getting into the
smartphone world, but she loves her iPhone, especially Siri.

~~~
nl
Maybe a large iPad Pro?

------
imroot
I bought my mom an iPad (the largest one at the time) and bought her a printer
that works with her iPad. In the two years since that, the only call that I've
ever received was "Does this pop up that says 'OK/Cancel' that says my iPad is
infected with a virus actually mean anything?" "No, Mom." "Ahh, ok. I didn't
think so."

Works like a charm.

~~~
swinglock
If you install an ad blocker for Safari that will get rid of most of that as
well. I have found Adguard works well and is free.

------
apexalpha
I have locked down their OSes with Unchecky, UAC to full, non-Admin accounts,
all Win10 (love the forced updates).

Installed a PiHole to clear all their devices from malicious ads / malicious
URLs.

Seriously, since I installed PiHole my maintenance visits / calls have dropped
by 90%.

They don't use a CC. Maybe once a year for flight tickets but I tell them to
check the URL / https.

And I've told them 100 times: companies do not call you. They don't. Ignore
calls!

~~~
jsingleton
+1 for Pi-hole: [https://pi-hole.net](https://pi-hole.net)

It's better than a browser extension, as it works for mobile devices and
native apps (e.g. Skype). Remember to set a backup secondary DNS server in
case it goes down though.

If the router allows changes to the DHCP DNS settings then make them there.
Some don't, so then you'll need to use the Pi for DHCP too.

However, keep in mind that it provides an unauthenticated web interface that
exposes all domains that have been visited. This could be a privacy risk. It's
pretty easy to simply use dnsmasq on its own if you don't want the extras.

You can also use this technique to make some news sites less annoying:
[https://unop.uk/block-bbc-breaking-news-on-all-devices](https://unop.uk/block-bbc-breaking-news-on-all-devices)

No, BBC News still doesn't support HTTPS (it's now over 6 months later than
they said it would).

~~~
moepstar
>However, keep in mind that it provides an unauthenticated web interface that
exposes all domains that have been visited.

No, it doesn't. At least not since version 3.x with which I started using
it...

If you want more detail than just a broad overview, you need to login (though
that is just a password, no username needed)...

[https://imgur.com/a/jjcYp](https://imgur.com/a/jjcYp)

------
charlesdm
This is how I did it: I got my mom an iPad. Has worked out well.

It's mostly immune to spyware, she's smart enough to know she shouldn't click
on any random e-mails and not to use the same password of her email account
anywhere else.

------
mattbgates
July has been made scammer / spam month for whatever reason. Saw it on a
British website... so not sure if it applies to the United States, but just
because I had been receiving hundreds of spam emails to my website's email
account, I can imagine that other people are receiving the same amount of
spam.. and some are even falling for it.

As a result of this, I wrote a series of articles to try and educate my readers
on the dangers of replying and/or dealing with any spam or scam emails.

Here are the links:

[http://www.confessionsoftheprofessions.com/avoid-phishing-sc...](http://www.confessionsoftheprofessions.com/avoid-phishing-scams/)

[http://www.confessionsoftheprofessions.com/truth-seo-marketi...](http://www.confessionsoftheprofessions.com/truth-seo-marketing-companies/)

[http://www.confessionsoftheprofessions.com/confessions-profe...](http://www.confessionsoftheprofessions.com/confessions-professions-spam-email/)

[http://www.confessionsoftheprofessions.com/how-to-notice-a-s...](http://www.confessionsoftheprofessions.com/how-to-notice-a-scam-email/)

[http://www.confessionsoftheprofessions.com/teaching-children...](http://www.confessionsoftheprofessions.com/teaching-children-about-online-privacy/)

------
navd
The only way is really to educate them. I’ve dealt with this quite a bit with
my family, and telling them what to be wary of has helped a bunch.

~~~
jcahill
There's always reducing the circle you consider "loved" ones, and CRISPR…

~~~
Dude2018
It's part of new natural selection I guess.

------
a_imho
Imo educating works best, you can only mitigate the problem with technology.
I've only installed and configured a content blocker on grandma's computer as
a passive measurement against scams and for general benefits.

Otherwise I just advised her not to give out personal information, including
email, phone and credit card numbers. And don't click links in emails where she
does not recognize the sender or that look suspicious. Best not to even open
them. If in doubt, I'm usually available to double-check.

Pendrives caused a lot of problems in the past, luckily broadband solved most
of the file transfer issues.

------
scandox
The internet just isn't safe for some users right now. Encourage them to call
you if they're doubtful, never click Ads and to never interact with people
that initiate contact with them first.

~~~
Fnoord
It's not just ads.

SEO affects search engines like Google, putting shady businesses high in the
search result (sometimes even #1).

I've seen this first hand with my mother who needed a locksmith because the
lock on her front door broke. The cost of 'repairing' was well over 500 EUR,
and the lock wasn't repaired at all, it had to be completely replaced
afterwards by a real locksmith which was legit but due to the damage the
scammer caused was expensive as well. This is a known scam trick going on in
The Netherlands, but probably just one of the many examples.

------
lathiat
Something I try to do is whenever I spot an obvious facebook scam
(share to win free vouchers or holiday or something) -- I explain in the
comment to that person exactly what I saw that makes me suspect it's a scam.

It's a subtle way to educate without "telling" which puts a lot of people off.
For more direct approaches, see some of the other comments about rules for his
mother, etc. :)

I find this helpful as 90% of the time these scams are super obvious to me but
not others, so I try to share that knowledge.

------
ptr_void
Besides adblock + auto updates, tell them how some of the scams work. Show
them some example screenshots/videos etc. from different areas. Enough to make
them think twice about what they are allowing to run on their computer.
Scammers are usually lazy, many times their email addresses, website address,
or web design might give it away - so doing a few side by side comparisons may
help.

There's also a lot of youtube videos that could be easier to send and less
boring to go through. Ex:

\-
[https://www.youtube.com/embed/bjYhmX_OUQQ?rel=0](https://www.youtube.com/embed/bjYhmX_OUQQ?rel=0)

\-
[https://www.youtube.com/embed/DXfrfbNk7jo?rel=0](https://www.youtube.com/embed/DXfrfbNk7jo?rel=0)

\-
[https://www.youtube.com/embed/poFAzDCGLrI?rel=0](https://www.youtube.com/embed/poFAzDCGLrI?rel=0)

\-
[https://www.youtube.com/embed/5zlnI3Bzslo?rel=0](https://www.youtube.com/embed/5zlnI3Bzslo?rel=0)

\-
[https://www.youtube.com/embed/O4KJq0XXIy8?rel=0](https://www.youtube.com/embed/O4KJq0XXIy8?rel=0)

\-
[https://www.youtube.com/playlist?list=PLDBC1CF5C16D5585D](https://www.youtube.com/playlist?list=PLDBC1CF5C16D5585D)

------
dannysu
What's the reason Ubuntu didn't work?

That's basically the setup I have with my dad. He's using Ubuntu on desktop,
which I taught him to use. There wasn't much to teach. He really just wants to
use a browser. I taught him how to scan documents and print documents as well.
That's pretty much all he needs to do.

And then he has his iPad as well, and I taught him how to print stuff from his
iPad too.

I also got him to use 1Password, and he has a unique password for each site.

These are all things I've taught my dad to do.

~~~
paulryanrogers
Printing, games, and slower performance for things like Netflix and boot.

------
secretsinger
Most "non-tech" people have a reasonably small attack surface, so my approach
has been to try and milk the Pareto principle:

Here are some things I've found which are simple enough to implement but
actually offer substantial gains. Learned mainly from helping partners and
parents:

1\. Move them to Gmail. Email seems to still be the primary vector for most
attacks and Gmail's filters are awesome.

2\. Get them on a less permissive OS. Shifting from Windows to OSX/iOS has
made a huge difference.

3\. Teach them a reasonable password-generating method (correct-horse-battery-
staple or some such). They are gonna forget and reset passwords regularly,
which is OK. I gave up on getting them to habitually use a password manager.

4\. Force (coerce/bribe/cajole) them to use 2FA on critical accounts (email,
FB)

5\. Tell them lots of anecdotes about hacks, things I spotted in my email,
etc. As someone else pointed out, you can work in a lot of useful info in a
memorable way in these anecdotes.

Tech does seem to be only part of the solution (and probably not even the
major part). I've been doing some gig work for a company
[[http://www.popcorntraining.com](http://www.popcorntraining.com)] that does
story-based security awareness videos, mainly for corporates. They have pretty
good results based on fairly small time investment by the participants.

Sadly, most of the players in this market seem to be focused on big companies
at the moment, with a few starting to aim at SMEs. We've bounced around the
idea of trying to help the consumer market, but it's not yet been worthwhile
for them.

------
sep
If you use the LogDog app, your online accounts are continuously monitored for
suspicious access. It sends an alert to your phone and prompts you to review
the issue and change your password if necessary. We're trying to make it as
understandable and as easy to operate as possible, so even technically-unsavvy
people could benefit.

That being said, there's no getting around education. It's key to prevent a
person from being scammed out of their passwords or oauth-access in the first
place.

~~~
austinjp
Never heard of LogDog, looks very interesting, thanks. Are you planning a
web-only service, or must it be a native app? Some relatives of mine don't have
smartphones but do use plenty of online services.

Are there other web-based services people here can recommend? Haveibeenpwned
is great of course, but the horse has left the stable by that point, something
that sniffs out suspicious activity before trouble occurs would be great.

~~~
sep
Nothing immediate regarding a web-only service, sorry, but it obviously makes
sense to expand the service in that direction.

HIBP is indeed great and you can actually subscribe via email to get real time
alerts. It's limited to credentials exposed via dumps.

------
Mz
1) Find out what their pain points are.

2) Develop or help them develop viable processes for their needs and abilities
that will sidestep issues.

This involves a small amount of educating people, less than is needed for real
internet literacy. The difference is it makes them literate enough to navigate
the parts they actually use, without some huge burden of additional general
information that they don't really need and which will just interfere with
them learning the pieces they actually need to know.

------
jakub_g
When it comes to protecting login passwords from phishing emails, it is said
that U2F hardware tokens are the best (yubikey etc) but it might not be the
easiest solution for non-techies.

Good advice is to never click links in emails, but go manually to a given page
(via Google perhaps) and log in yourself.

It's a bit easier if your family lives outside of English-speaking country
when it comes to phishing. Phishing spam is either English, or a poor google
translate 95% of the time.

------
akulbe
+1 for the iPad recommendations.

I'd also recommend a Chromebook, for folks who don't like or can't asked the
iPad option.

------
zamalek
uBlock Origin blocks some scammer websites (just configure it). It's not a
complete solution though.

------
frik
Gift your loved ones an iPad or Android tablet, maybe also enable some parent
control to limit their exposure. 90% of end users don't need a notebook, a
tablet is the safer alternative.

~~~
Rjevski
Not Android. The lack of updates and ease of installing a third party APK is
just too high (not mentioning the occasional malware in the Play Store
itself).

------
gcb0
I gave up when I saw they use apps to help their phone manage memory and
battery. And they claimed that despite ads in the app forced lock screen, it
was worth it.

