Ask HN: Protect loved ones from online scams?
97 points by paulryanrogers on July 29, 2017 | 60 comments
In the past some of my loved ones fell into a variety of online and phone scams. Experience in development has helped me personally, but even I've been taken advantage of when my guard was down.

Most of my efforts helping others were too little or too late: educating after the fact, Ubuntu Linux (too incompatible), password managers (left unused), etc.

How does the HN community protect their loved ones from these things?

What really irks me is getting an email like this:

    Shipping account suspended
    Dear XXXX,
    FedEx shipping privileges for account number ending in NNNN 
    have been suspended. To access and update your credit card
    data, log in to FedEx® Billing Online.

    Log in today (Button)
This just screams "scam", especially since I haven't used the FedEx account in months. When I log into FedEx (not using the link in the email), my account shows a zero balance and no outstanding messages. So I send the email, with headers, to "abuse@fedex.com". (They never answered.)

I call FedEx Revenue Services, and they can't find anything wrong with the account. They tell me the account isn't suspended. They want the expiration date on my credit card updated before the end of the month, but it hasn't expired yet.

I look at the message source, and it looks like it's really coming from FedEx, and the link really goes to FedEx. I keep looking, and can't find anything wrong in the headers. It's a legit email. It's just stupidity at FedEx.

Sloppy work, FedEx, sending out an email like that. You're training people to click on links they should not click on.

I got a similar dodgy looking email from Dell. It was from some different e-mail address (dellteam.com instead of dell.com). It was a failed transaction.

The email was completely dodgy, had several typos. There was a lack of instructions on what to do, just a "please contact us". I tried to contact customer service instead of the representative, but it was impossible because I needed an order code, which they never gave me. Emails to the individuals were never replied to and he insisted on only calling and handling a bank transfer over the phone.

The whole situation was very similar to a man in the middle attack.

It turned out to be legit, but the whole situation makes me never want to order anything from them again.

I've made the same complaint, "you're training people to click on links," to I-forget-who. "Your security is important to us, and we'll send that directly to the crickets."

Either the people you are able to contact don't care, because they have no idea what you're talking about, or they don't care because they wrote/required exactly what you're complaining about, out of expediency or ignorance.

It is very easy to spoof an email address[1], so it could be that it is someone from outside of FedEx.

However you can still check the IP address of the mail server that sent the mail. Some things to look at:

1. Check PTR for IP and verify that the A or AAAA record for that name points back to the same IP.

2. Compare with IP address of server that sent previous mail to you.

3. Check SPF records for the domain.

4. Check MX records for the domain. Keep in mind that they might be using different servers for sending than for receiving though and that MX is for receiving.

These sound like good steps to determine if a sender is legitimate. Is there a plugin that already does this for existing email clients?

Google gmail and inbox both show this information if you click the "view full message" option on any particular email

I'm pretty sure GP means Is there a client that runs this check in the background, and either tells you or marks it Spam.

With SPF, DKIM, DMARC, coupled with blacklists and the reputation system of big mail providers that's making it difficult to host your own email, it's actually quite hard to impersonate an email address.

Try it, then see how many times you can hit a @gmail address.

I found that this does not stop one from sending emails that appear to originate from addresses like info@paypal.com as long as the contents of the email are different from known spam emails. They are not flagged by GMail at all as long as you send them from a reputable email server through services like mailgun.com.

SPF will catch these really easily.

Sure but if the link leads to the actual FedEx website then what would be the point?

One possibility is the "Hostile Subdomain Takeover" attack recently mentioned here, where an attacker could have control of, say, help.fedex.com https://news.ycombinator.com/item?id=14860149

Tweet their customer service (@FedExHelp). My friend who works in tech support (not at FedEx) recommends this practice.

How well would something like that work with a completely-fresh Twitter account?

I wonder if the link is to something on FedEx's site that has an XSS vuln and redirects elsewhere?

There should be a way to give a credit-card number that is automatically identified as fraud and triggers persecution when used.

Everyone knows that such spam mails are NOT sent by the company, but by scammers. Look at the raw email header.

So why is this comment on top?

It seems HN got mainstream and with it the usefulness is declining - low quality comments staying on top that can be answered by common sense.

For the record, that's John Nagle:

Generally it's good to assume that Animats knows more about how the internet works than you do, especially if it is something related to networks.

It's likely that Animats knows what he's doing.

He also says that the email contains a link to the real website, not to a scam website.

So, if it was sent by a scammer what's the purpose? How does it work?

And if it was sent by the company, why are they sending email that looks like a scam?

The mail header entry at the point it leaves FedEx's systems and enters my website is:

    Received: from pvma00057.prod.fedex.com ([]:61625 helo=mx28.infosec.fedex.com)
	by gator4118.hostgator.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.87)
	(envelope-from <prvs=1370ad99fd=bounce@nds.fedex.com>)
	id 1dWn4C-00092V-Dd
	for nagle@animats.com; Sun, 16 Jul 2017 12:10:48 -0500
    DKIM-Signature: v=1; a=rsa-sha256; d=fedex.com; s=edc; c=relaxed/relaxed;
	q=dns/txt; i=@fedex.com; t=1500225037;
    X-AuditID: cc870862-345fb700000012f5-3f-596b9e0d6fb1
That looks OK. Unless FedEx has an open mail forwarder, a break-in at "pvma00057.prod.fedex.com", or DNS trouble, that's from FedEx.
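As an added worked example (not code from the thread or from any commenter), here are steps 1 and 3 of the checklist above applied to a Received: header shaped like the FedEx one just quoted. The DNS answers, the IP 203.0.113.57 and the _spf.esp.example include are constructed stand-ins so it runs offline; a real check would swap `lookup` for live DNS queries.

```python
import ipaddress
import re
# Constructed sample modelled on the FedEx header quoted above; that header had its
# IP elided, so 203.0.113.57 (RFC 5737 documentation space) stands in for it.
RECEIVED = (
    "Received: from pvma00057.prod.fedex.com ([203.0.113.57]:61625 "
    "helo=mx28.infosec.fedex.com)\n"
    "\tby gator4118.hostgator.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)\n"
    "\t(envelope-from <prvs=1370ad99fd=bounce@nds.fedex.com>)\n"
)

# Constructed stand-in for DNS so the checks run offline: (name, type) -> answers.
# Replace `lookup` with real queries (e.g. dnspython) to run it on a live header.
FAKE_DNS = {
    ("57.113.0.203.in-addr.arpa", "PTR"): ["pvma00057.prod.fedex.com"],
    ("pvma00057.prod.fedex.com", "A"): ["203.0.113.57"],
    ("nds.fedex.com", "TXT"): ["v=spf1 include:_spf.esp.example -all"],
    ("_spf.esp.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def parse_received(header):
    """Extract the connecting IP, its rDNS name, the HELO name and the envelope sender."""
    m = re.search(r"from (\S+) \(\[([0-9a-fA-F.:]+)\](?::\d+)? helo=(\S+)\)", header)
    env = re.search(r"envelope-from <([^>]+)>", header)
    if not m:
        raise ValueError("unrecognised Received: header")
    return {"rdns": m.group(1), "ip": m.group(2), "helo": m.group(3),
            "envelope_from": env.group(1) if env else None}

def fcrdns(ip, resolve=lookup):
    """Step 1: PTR for the IP, then the A/AAAA of that name must contain the IP."""
    addr = ipaddress.ip_address(ip)
    for name in resolve(addr.reverse_pointer, "PTR"):
        if ip in resolve(name, "AAAA" if addr.version == 6 else "A"):
            return name
    return None  # no forward-confirmed name: treat the hostname claim as unverified

def spf_check(domain, ip, resolve=lookup, depth=0):
    """Step 3: evaluate v=spf1 for the envelope-from (MAIL FROM) domain. Handles the
    ip4/ip6/include/all mechanisms; returns pass/fail/softfail/neutral, or none."""
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    records = [r for r in resolve(domain, "TXT") if r.startswith("v=spf1")]
    if not records or depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech, _, arg = term.partition(":")
        if mech == "all":
            return verdict[qual]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return verdict[qual]
        if mech == "include" and spf_check(arg, ip, resolve, depth + 1) == "pass":
            return verdict[qual]
    return "neutral"  # RFC 7208 default when nothing matched

def verify(header, resolve=lookup):
    """Steps 1 and 3 of the checklist applied to one Received: header."""
    r = parse_received(header)
    name = fcrdns(r["ip"], resolve)
    domain = r["envelope_from"].rsplit("@", 1)[-1] if r["envelope_from"] else ""
    return {"ip": r["ip"], "fcrdns_name": name, "rdns_matches_claim": name == r["rdns"],
            "spf": spf_check(domain, r["ip"], resolve)}
```

Note that SPF is evaluated against the envelope-from domain (nds.fedex.com here), not the From: header the reader sees, which is why step 3 alone does not settle who wrote the message.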

IP seems legit, is from FedEx - apologize.

  NetRange: -
  NetName:        FEDEX-2009-BLOCK
  NetHandle:      NET-204-135-0-0-1
  Parent:         NET204 (NET-204-0-0-0-0)
  NetType:        Direct Assignment
  OriginAS:       AS7726
  Organization:   FedEx (FEC)
  RegDate:        2009-07-20
  Updated:        2017-04-29
  Ref:            https://whois.arin.net/rest/net/NET-204-135-0-0-1

  OrgName:        FedEx
  OrgId:          FEC
  Address:        70 FedEx Parkway
  City:           Collierville
  StateProv:      TN
  PostalCode:     38017
  Country:        US
  Updated:        2014-06-02
  Ref:            https://whois.arin.net/rest/org/FEC

My mother is a daily user of the internet with extremely limited knowledge and she has difficulty understanding even basic computer messages.

I designed a series of rules + practices which are stated as absolutes (i.e. no margin for interpretation) and they have worked well:

1. All emails with claims are false, even if I send them. Not only spam but also "snopes-like" scams from her friends. This rule always has precedence over anything else. 100% Never trust an email content. If it looks like there could be really bad consequences from ignoring an email, forward it to me and I'll decide.

I told her "imagine a stranger calls you on the phone and reads you the content of an email. Would you trust it?". She understood the metaphor.

2. She doesn't know her passwords. They are stored in the browser's keyring. Thus, she can't provide credentials to phishing websites.

3. She can click on links from emails, unless it is from a bank, because she knows her bank credentials. The combination of (2) and (3) makes the internet very usable for her as she can browse with confidence.

4. She only logs in to the bank website from her browser bookmark. She uses Safari's "Top sites" heavily, and she has learned to Google basic stuff.

5. If there is a weird message on a website, treat it as an email (i.e. it is false, etc)

6. Adblock is installed

7. She is beginning to recognize OS prompts, like icloud messages (storage, passwords). She knows she can never click on one before sending me a picture by IM. For these prompts password managers don't auto-input them and that's a problem. I must confirm its validity and then she has permission to open a notepad where her passwords are written and transcribe it to the prompt. But she always needs to send me a pic before opening the password notebook.

8. I have enabled Gatekeeper on the mac, thus she can't open binaries from the internet, only documents. Word macros are disabled.

9. If something doesn't look right, call/IM me on your cellphone

She is a very simple user and her needs are limited to websites, mail, office and a few games, so this works well. YMMV.

Maybe there are more rules that I can't remember right now, but the combination of not knowing her passwords + password manager + not trusting email + unable to run unknown binaries + adblock has worked wonderfully.

Let me know if you have more suggestions

iPads work quite well for older users. They don't solve the password problem, but at least some of the other problems are avoided.

She likes the big screen of her 24" iMac. But when it breaks down I'll definitely get her an iPad. She took a long time before getting into the smartphone world, but she loves her iPhone, especially Siri.

Maybe a large iPad Pro?

I put my mum on Linux Mint, hid the menu launcher and put icons for all the stuff she uses on her desktop, set updates to automatic and put her on a Gmail account on a domain I own.

That and a basic crash course in treat everything as suspicious unless you know it isn't has sufficed so far.

If she has any doubts she just rings me but that's rare.

Main reason not to use Linux is because there’s no Microsoft Office support

My mum writes a fair bit, I switched her from Office to LibreOffice with few issues.

Actually I guess oldtimers (i.e. the parents of most of us) would prefer real menus.

I bought my mom an iPad (the largest one at the time) and bought her a printer that works with her iPad. In the two years since that, the only call that I've ever received was "Does this pop up that says 'OK/Cancel' that says my iPad is infected with a virus actually mean anything?" "No, Mom." "Ahh, ok. I didn't think so."

Works like a charm.

If you install an ad blocker for Safari that will get rid of most of that as well. I have found Adguard works well and is free.

I have locked down their OS's with Unchecky, UAC to full, non-Admin accounts, all Win10 (love the forced updates).

Installed a PiHole to clear all their devices from malicious ads / malicious url's.

Seriously, since I installed PiHole my maintenance visits / calls have dropped by 90%.

They don't use a CC. Maybe once a year for flight tickets but I tell them to check the URL / https.

And I've told them 100 times: companies do not call you. They don't. Ignore calls!

+1 for Pi-hole: https://pi-hole.net

It's better than a browser extension, as it works for mobile devices and native apps (e.g. Skype). Remember to set a backup secondary DNS server in case it goes down though.

If the router allows changes to the DHCP DNS settings then make them there. Some don't, so then you'll need to use the Pi for DHCP too.

However, keep in mind that it provides an unauthenticated web interface that exposes all domains that have been visited. This could be a privacy risk. It's pretty easy to simply use dnsmasq on its own if you don't want the extras.

You can also use this technique to make some news sites less annoying: https://unop.uk/block-bbc-breaking-news-on-all-devices

No, BBC News still doesn't support HTTPS (it's now over 6 months later than they said it would).

>However, keep in mind that it provides an unauthenticated web interface that exposes all domains that have been visited.

No, it doesn't. At least not since version 3.x with which i started using it...

If you want more detail than just a broad overview, you need to login (though that is just a password, no username needed)...

This is how I did it: I got my mom an iPad. Has worked out well.

It's mostly immune to spyware, she's smart enough to know she shouldn't click on any random e-mails and not to use the same password of her email account anywhere else.

July has been made scammer / spam month for whatever reason. Saw it on a British website... so not sure if it applies to the United States, but just because I had been receiving hundreds of spam emails to my website's email account, I can imagine that other people are receiving the same amount of spam.. and some are even falling for it.

As a result of this, I wrote a series of articles to try and educate my readers on the dangers of replying and/or dealing with any spam or scam emails.

Here are the links:

The only way is really to educate them. I’ve dealt with this quite a bit with my family, and telling them what to be wary of has helped a bunch.

There's always reducing the circle you consider "loved" ones, and CRISPR…

It's part of new natural selection I guess.

Imo educating works best, you can only mitigate the problem with technology. I've only installed and configured a content blocker on grandma's computer as a passive measurement against scams and for general benefits.

Otherwise I just advised her not to give out personal information, including email, phone and credit card numbers. And don't click links in emails she does not recognize the sender or looks suspicious. Best not to even open them. In doubt, I'm usually available to doublecheck.

Pendrives caused a lot of problems in the past, luckily broadband solved most of the file transfer issues.

The internet just isn't safe for some users right now. Encourage them to call you if they're doubtful, never click Ads and to never interact with people that initiate contact with them first.

It's not just ads.

SEO affects search engines like Google, putting shady businesses high in the search result (sometimes even #1).

I've seen this first hand with my mother who needed a locksmith because the lock on her front door broke. The cost of 'repairing' was well over 500 EUR, and the lock wasn't repaired at all, it had to be completely replaced afterwards by a real locksmith which was legit but due to the damage the scammer caused was expensive as well. This is a known scam trick going on in The Netherlands, but probably just one of the many examples.

Something I try to do is whenever I spot an obvious facebook scam (share to win free vouchers or holiday or something) -- I explain in the comment to that person exactly what I saw that makes me suspect it's a scam.

It's a subtle way to educate without "telling" which puts a lot of people off. For more direct approaches, see some of the other comments about rules for his mother, etc. :)

I find this helpful as 90% of the time these scams are super obvious to me but not others, so I try to share that knowledge.

Besides adblock + auto updates, tell them how some of the scams work. Show them some example screenshots/videos etc. from different areas. Enough to make them think twice about what they are allowing to run on their computer. Scammers are usually lazy, many times their email addresses, website address, or web design might give it away - so doing a few side by side comparisons may help.

There's also a lot of youtube videos that could be easier to send and less boring to go through. Ex:

- https://www.youtube.com/embed/bjYhmX_OUQQ?rel=0

- https://www.youtube.com/embed/DXfrfbNk7jo?rel=0

- https://www.youtube.com/embed/poFAzDCGLrI?rel=0

- https://www.youtube.com/embed/5zlnI3Bzslo?rel=0

- https://www.youtube.com/embed/O4KJq0XXIy8?rel=0

- https://www.youtube.com/playlist?list=PLDBC1CF5C16D5585D

What's the reason Ubuntu didn't work?

That's basically the setup I have with my dad. He's using Ubuntu on desktop, which I taught him to use. There wasn't much to teach. He really just wants to use a browser. I taught him how to scan documents and print documents as well. That's pretty much all he needs to do.

And then he has his iPad as well, and I taught him how to print stuff from his iPad too.

I also got him to use 1Password, and he has unique password for each site.

These are all things I've taught my dad to do.

Printing, games, and slower performance for things like Netflix and boot.

Most "non-tech" people have a reasonably small attack surface, so my approach has been to try and milk the Pareto principle:

Here are some things I've found which are simple enough to implement but actually offer substantial gains. Learned mainly from helping partners and parents:

1. Move them to Gmail. Email seems to still be the primary vector for most attacks and Gmail's filters are awesome.

2. Get them on a less permissive OS. Shifting from Windows to OSX/iOS has made a huge difference.

3. Teach them a reasonable password-generating method (correct-horse-battery-staple or some such). They are gonna forget and reset passwords regularly, which is OK. I gave up on getting them to habitually use a password manager.

4. Force (coerce/bribe/cajole) them to use 2FA on critical accounts (email, FB)

5. Tell them lots of anecdotes about hacks, things I spotted in my email, etc. As someone else pointed out, you can work in a lot of useful info in a memorable way in these anecdotes.

Tech does seem to be only part of the solution (and probably not even the major part). I've been doing some gig work for a company [http://www.popcorntraining.com] that does story-based security awareness videos, mainly for corporates. They have pretty good results based on fairly small time investment by the participants.

Sadly, most of the players in this market seem to be focused on big companies at the moment, with a few starting to aim at SMEs. We've bounced around the idea of trying to help the consumer market, but its not yet been worthwhile for them.

If you use the LogDog app, your online accounts are continously monitored for suspicious access. It sends an alert to your phone and prompts you to review the issue and change your password if necessary. We're trying to make it as understandable and as easy to operate as possible, so even technically-unsavvy people could benefit.

That being said, there's no getting around education. It's key to prevent a person from being scammed out of their passwords or oauth-access in the first place.

Never heard of LogDog, looks very interesting, thanks. Are you planning a web-only service, or must it be a native app? Some relatives of mine don't have smartphones but do use plenty of online services.

Are there other web-based services people here can recommend? Haveibeenpwned is great of course, but the horse has left the stable by that point, something that sniffs out suspicious activity before trouble occurs would be great.

Nothing immediate regarding a web-only service, sorry, but it obviously makes sense to expand the service in that direction.

HIBP is indeed great and you can actually subscribe via email to get real time alerts. It's limited to credentials exposed via dumps.

1) Find out what their pain points are.

2) Develop or help them develop viable processes for their needs and abilities that will sidestep issues.

This involves a small amount of educating people, less than is needed for real internet literacy. The difference is it makes them literate enough to navigate the parts they actually use, without some huge burden of additional general information that they don't really need and which will just interfere with them learning the pieces they actually need to know.

When it comes to protecting login passwords from phishing emails, it is said that U2F hardware tokens are the best (yubikey etc) but it might not be the easiest solution for non-techies.

Good advice is to never click links in emails, but go manually to a given page (via Google perhaps) and log in yourself.

It's a bit easier if your family lives outside of English-speaking country when it comes to phishing. Phishing spam is either English, or a poor google translate 95% of the time.

+1 for the iPad recommendations.

I'd also recommend a Chromebook, for folks who don't like or can't asked the iPad option.

uBlock Origin blocks some scammer websites (just configure it). It's not a complete solution though.

Gift your loved ones an iPad or Android tablet, maybe also enable some parent control to limit their exposure. 90% of end users don't need a notebook, a tablet is the safer alternative.

Not Android. The lack of updates and ease of installing a third party APK is just too high (not mentioning the occasional malware in the Play Store itself).

Cost in money and waste are other factors. Perhaps I can put Chrome OS on one of their existing computers.

I gave up when I saw they use apps to help their phone manage memory and battery. And they claimed that despite ads in the app forced lock screen, it was worth it.
