Hacker News
Americans lost a record $10.3B to online scammers last year, FBI says (wsj.com)
269 points by marban 11 months ago | 280 comments

I was scammed $350 from one of the Zelle scammers. I know, I know, I was stupid for falling for it. My experience went like this:

Just moved into new house, had the cable guy over setting up internet. I get a phone call from "The Electric Company" (they used the real name) saying that I just moved in and I didn't put down a deposit, blah blah, I need to pay $350 now or the power will go off. I needed internet for work the next day, and wifey factors.... I panicked and sent the money. I know, it was stupid, but there was a lot of shit going on, and I just fell for it.

Literally IMMEDIATELY after I pressed the "send money" button, it dawned on me, I realized what I did, I hung up the phone and IMMEDIATELY called my bank asking them to reverse the payment. They would not do ANYTHING. They were completely useless, the person got my money and I had no way to stop it.

A month later, I'm getting trees trimmed, and the company wants payment in Zelle. Begrudgingly I oblige, and send my payment to them over Zelle. It took over 48 hours for the money to be delivered to them. The tree company kept asking me what the heck was taking so long, I had to call my bank several times to see why the money wouldn't send. It was stuck in "pending" for almost 48 hours, and the Tree guys wouldn't do the work until it cleared.

Moral of my ramble: fuck scammers, and fuck Zelle.

The reality is that everyone alive is susceptible to these scams. No human is impervious to being victimized by these groups. They will pay good money for information to target people. Originally, some scammers would aim for early morning hours just as people are waking up, their brains are still groggy and vastly more susceptible to making an error. However, now that so much public information is available you can easily craft scams that are indistinguishable from reality. Scammers leverage this along with a common theme of "urgency" to minimize the time period that someone has to realize they are being taken for a ride.

Understanding this, banks have crafted Zelle to pass the responsibility down to the customer. It was a very smart move (from the financial industry's perspective).

I don’t care about Zelle one way or the other but maybe after you complained to them trying to get the first payment reversed they put some kind of a “wait 48 hours flag” on your account for future payments? Also sorry that happened to you, fuck scammers. Don’t blame yourself too hard.

Banks often have policies that have the effect of penalizing reporting fraud and other issues.

Right before a trip I wanted to withdraw $60 in cash. I went to one ATM, but it showed an error and didn't dispense the cash. So I went to another. Later in the day I saw the first ATM had withdrawn from my account despite the error.

I called and was told if I wanted to ask for the transaction to be reversed they would cancel my card and mail me a new one. Of course, that meant I wouldn't have the card on my trip.

I ended up eating the $60. Suppose I could have tried disputing further.

That's shit. My bank accused me of defrauding them when I told them the person who stole my credit card bought stuff on an invoice that showed the stuff shipped the day before they even bought it.... to a guy called "pirateargggggh3890[roughly]@hotmail.com" from a now flagged known ebay seller/fraudster. The products were a mix of religious and feminine materials ... I am an atheist man in a state far away from the one purchased.

I phoned in for an appeal and I was laughed at by the bank employees over the phone, and told I was mistaken and my family members must be the thieves. Claim denied.

Always record these calls. Screw what the state law says about this.

> I was scammed $350 from one of the Zelle scammers. I know, I know, I was stupid for falling for it.

No, you were trained to fall for it by companies behaving a lot like scammers most of the time.

A few years ago before moving into a new apartment, I needed to purchase renter's insurance per the terms of the lease. After filling out the info online with the company, I got a call a few hours later asking to finalize the details, and right before I was about to give them my payment info, I suddenly realized that giving payment info to someone who called me instead of looking up the number myself and calling them is exactly what we're told not to do, so I apologized and asked if it was all right for me to call them back. The person I was talking to said that was totally fine and gave their name and said I could ask for them, so after hanging up, I got the official number and called it. The person I talked to was able to verify that I was in fact talking to someone legit before, but they refused to transfer me to them and instead insisted on completing the transactions themself (presumably for the commission). From what I can tell, the way the reps for this company were paid incentivizes them to call people directly to try to get the sale for themself and by extension _punishes_ them for allowing the customer to take the safe next step of hanging up to look up the number and call back directly.

After I bought my new car, I got an email with a header image that looked like it had been scanned from a physical piece of paper, badly. It referenced my name and the bank I had a loan from, but all the domains in the email were not my bank. It claimed I hadn't sent in proof of insurance. I did that at the dealership on the day I bought the car.

I ignored it.

I got it again and ignored it.

On the third attempt, I finally called my bank. It actually was from them, and they really did somehow not have my proof of insurance, and really were going to cancel my loan.

I tried to explain to them what was wrong with the email, but they couldn't understand.

Edit: In the end, I physically went to the bank to handle it. I didn't do anything else remotely with them.


I somehow forgot to pay a bill for daycare, and it went to their payment recovery contractor (it went automatically, without anybody telling me anything despite me going there every day). So the company called, said I had missed a bill and I needed to pay then over the phone with my credit card. Obviously they went mad when I told them I won't pay this way without receiving any kind of paper by the mail or something to at least give me the slightest confidence that this wasn't a scam attempt. They ended up mailing me two weeks later, and charged me a fee for late payment…

Seriously, how do you want people not to fall for scammers if legit companies act the same way and charge you for being cautious…

This is especially true of utility companies, who expect you to start paying them money before you ever interact with them or sign any contract, to the point where they will try to destroy your credit score if you don't pay them.

What? I’m ready to believe a lot of things about the USA, but that seems a bit far-fetched?

It's not far from the truth. I don't think they can technically get away with hitting your credit score before you signed a contract, and instead will send you a "first bill" once you do contact them, which will include the difference between the meter reading when you moved into the property, and whatever reading they had from the last tenant. Often this results in a headache while you try to avoid paying for electricity/gas you didn't consume. But it's not unheard of for utility companies to fuck with your credit score when the only major error you made was not contacting them quickly enough.

I have never experienced anything like that on either coast of the US. The utility company has an obvious looking website that you can use to make an account and pay electronically.

In the US, any business that requests payment outside of credit card/debit card/ACH/checks is questionable.

If you have a history of non-payment they may require a security deposit, but with the exception of cable/internet most residential utility bills are sent (and paid) post-usage.

> If you have a history of non-payment

It happens if you have a history of not being a previous customer with them. I had a notice of good payment history from my previous electric company from another state and the company in the new state still required a deposit.

PGE requires either an ACH autopay or a deposit. One time I paid a bill by credit card to get 3% back (through Bill Pay to avoid PGE's 2% fees for card), and PGE asked me for a deposit because autopay did not execute (because there was no balance).

I have never experienced anything like that in 4 different moves. I expect to pay from the day I get the keys till the day I return the keys for the home. I set up an account with utility, or gas, or something. They bill me in 10-30 days, I pay again in about 30 days or less.

:: cough :: You've been preselected for a great deal on solar for your home! :: cough ::

(every time, me: "Have you bothered to look at the google maps for my home before you called?" Them: "No, let me check... Ohhhh" me: "Yeahhhh... I can't get rid of the trees because they are rooted in the neighbor's property. Not that it wouldn't be quite ironic to remove decades-old trees just to install solar on a roof.")

No, he fell for a scam because he was ignorant of how things work. That ignorance is exactly what scammers count on.

This is victim-blaming. Companies don't make clear "how things work". I've never once found a web page published by a business that makes clear exactly how they will contact you (e.g. by number xxx-xxx-xxxx for security alerts, from email address foo@company.com for bill payments with a link to company.com/billpay, etc.) so that you can follow that sheet to ensure you're not being defrauded, and that's what's needed.

Perhaps it's time for some regulation - of course, drafted with the extreme care that almost no regulation is written with, but should be...

Funnily I got some emails and phone calls from Amex some time ago that were extremely phishy (like aexp.com), but they happen to have a website listing the domains they use:


No such thing for the phone numbers though, and since they were just regular landlines not recognised by Google and not available through a Google search, I declined to provide them any information.

There absolutely needs to be regulation for that, like there is the "Mentions Legales" or "Imprint" in France and Germany (a website needs to have a page who they are actually, with an address and everything).

Oh, this is really interesting, I didn't know that Amex had a page like this! This is useful, maybe I can point my bank toward it and ask them to make a similar page.

As harvey9 says in a sibling comment, "If they publish an outbound number then scammers will spoof it.", so perhaps publishing a phone number isn't useful - but they should actually state that on their web site, as well as providing a protocol that allows the bank/agency/company/utility to authenticate itself to you.

> "Mentions Legales" or "Imprint" in France and Germany (a website needs to have a page who they are actually, with an address and everything).

I like this concept - let's extend it to include an authentication protocol, as above.

> As harvey9 says in a sibling comment, "If they publish an outbound number then scammers will spoof it.", so perhaps publishing a phone number isn't useful

Unless telecom operators are forced to take actions to prevent spoofing.

You and your OP both are right. Companies are totally at fault for muddying waters by using the same methods as scammers (or scammers are smart by using surprisingly similar tactics), and Customer too should be aware of situations.

Zelle, Western Union, Venmo, PayPal (family) literally give you warnings, multiple prompts, to say that it is irreversible, pay it only to known people, don't use it for government payments, make sure to check registered name, and stuff.

We as customers should know that no utility company, gas, power, internet, government offices, their representatives accept or want payments by Zelle. Zelle is great for person to person, or one time cash-like transactions. If one hands over a wad of cash to a person claiming to be a utility representative, one would not expect to get that cash back if he was a fraud.

Zelle is irreversible by design (unless receiver sends it back). Otherwise what would stop people from using it like credit card chargebacks? The only time I have heard of a Zelle txn getting reversed is if the receiver asks & insists to his bank that this money is not for me, undo this txn. Although there is a variation of fake check scam reverse Zelle too. Just like check, scammers arrange a Zelle incoming from victim 1 to victim 2. Then calls victim 2 that it was mistake. Please Zelle it back to "me". Victim 2 does Zelle. Original txn gets recalled because either victim 1 found it or his bank found it. Victim 2 is out of his good money.

I like it when they say 'call the number printed on your bank card'. If they publish an outbound number then scammers will spoof it.

There is no good way to authenticate legit vs scam many times. No amount of being clever will put in place a protocol that doesn't exist.

There is one simple and proven way to authenticate phone scams. You tell them that you will call the company back on the number you already know or have from a bill, or you will pay via the website that you also already know. Until they start commandeering phone numbers or domains you're pretty safe. There is really no reason to answer your phone for numbers you don't know unless you're job hunting or waiting for an important call. I block all numbers not in my contact list. Sure, they can masquerade as a fake number, but even if my caller ID says it's the gas company I'm not going to answer it and if I do I am not giving them any information on that call.

I mean, you're still someone at risk here if someone mails you a nice looking electric bill a few days before with fake info on it, especially in the case the scammer has enough info on you to make it look realistic.

Uh nooo.... You don't call the number that's provided in the format of the outreach - be that a physical piece of mail or an email or an SMS message.

In every case where I've gotten a message / phone call informing me that I need to provide some sensitive information or make a transaction, I determine the organization that they are purportedly representing, navigate to the official website, find the relevant contact info, and call back.

I always assumed everybody did this to prevent these exact types of situations.

Exactly. I have zero concern for my own security when it comes to scams because I know how they work and I hear about all of the latest ones because I am curious about the advances in scamology. I am concerned about my family who are fooled by these things. I'm a cynic by nature so the alerts are firing on communications with uncertified connections. I can't get trusting people to understand that there are people who care primarily about taking advantage of that trust.

No matter how many times I've been late for payments in my life, not ONCE have I ever had a human being call me up and demand payment over the phone. It's always a long series of attempts to collect through the mail.

Let alone calling up and demanding I pay using Zelle...

In the case of utility companies you can always just pick up the phone and call their main customer service number to verify your account status and balance. Text messages and emails should always be treated with suspicion, but intercepting outgoing phone calls is outside the capability of regular scammers.

I've received multiple phone calls from my bank to discuss my mortgage

Every time they call me and ask to "go through verification" - aka I give a random stranger on the phone the personal information they need to identify themselves with my bank - so I tell them I'll call them back instead

Then I call back and get bounced around through multiple teams until inevitably the call drops, I think because my mortgage was bought from another bank so it isn't well understood by customer support

Anyway, I think it is legit calls I get from the bank. I hope it isn't important because I still haven't got through to them to talk about it

Every mortgage holder routinely buys loans from other lenders. If you received bad customer service then it probably wasn't due to that specific cause but rather general incompetence and cost cutting.

This is a frustrating reality, but, out of curiosity, did you ever try asking the name and/or department of the person calling you and using that to try to get back to them when calling back?

It has become increasingly difficult to discern legitimate calls in recent times. Lately, I have been receiving calls from my bank, seemingly related to client relations, originating from a variety of random local numbers. These could potentially be the personal mobile numbers of the bank agents, though I cannot be certain. I usually don't answer these calls as I don't recognize the numbers. The only way for me to verify their legitimacy is through the branch number mentioned at the end of the voicemail messages they leave. However, if I were to actually speak with the caller, it would be challenging for me to determine the call's authenticity.

What utility company is gonna request a payment through Zelle?

How did the scammers even have the correct information?

They probably bought it from some data broker.

They sell our data to scammers to let them be entirely convincing, and then blame people who fall for it.

The data broker market is ~$250B, it's not all personal data, but the market for personal data to target these scams is huge. The worst part is many data brokers get their data from government sources like the state DMVs: https://www.privateinternetaccess.com/blog/dmvs-are-making-a...

Or iTunes Giftcards!

Thanks for this. Today, I had to open an account to send money to a friend. I was torn between Zelle and Venmo. Per my son's recommendation I went with Venmo. Not sure how many folks get screwed by Zelle, but your post made me feel a little better about going with Venmo. Although, I am sure Venmo has its fair share of shady characters...

FYI Zelle is the banks' clone of Venmo. They both have identical policies here: they don't reverse transactions.

Edit: Yardie is correct, this is assuming your counterparty doesn't pay the business fee. So this'll protect you from legitimate businesses, but a scammer isn't going to pay the extra fee to enable reversibility.

I've never needed to but Venmo definitely reverses transactions. But you have to declare it as a business transaction. A lot of businesses don't want to do that because they have to pay a fee. I pay my barber through Venmo and always record it as a service, since I prepay. I pay my tutor as a family transaction. She gets paid after our sessions.

Speaking from experience, Venmo claims to reverse transactions, but will do everything in their power to NOT reverse your transaction, even if you mark it as business payment.

I paid an architect for work over Venmo. Work was never done and the architect ghosted me. So I sent all the info to Venmo in a dispute and they told me to pound sand.

Well that sucks. It seems outside of credit cards there are very few consumer protections.

I understand Zelle / irreversible payment situations. But the bank knows who this is, it's not an untraceable scam.

Why does it survive?

Because it could just as easily be a scam in the other direction. Get paid for a legitimate service, have the payment reversed. The bank doesn't want to get involved - easier to treat Zelle payments as if you handed over cash.

When you move, a whole bunch of information about your move and the fact that you moved becomes available to local business owners. I'm not sure what process is in place that does this (maybe a mailing-address change card you give your post office?) but it is what happens, in the US at least. Usually you'll get a coupon book for local businesses - the fact that they know you just moved in is due to the same process. Anyway, ostensibly bad actors would likely easily get in on this, and frankly it's a clever move because they know you're frazzled and in a state of being disarmed and them knowing you just moved (and where, which explains knowing the name of your electric company) gives them an air of legitimacy and that's the perfect time to strike. Also $350 is not an entirely unreasonable amount of money to ask for.

The USPS sells change of address information. The only way to avoid it is to file the address change as temporary instead of permanent, or not file at all and forgo USPS mail forwarding from the old address.


When I move I now file a temporary COA and have the mail forwarded to a PO box. I never forward from one residence to another (too many boilerroom sales calls and scam attempts).

When you start a business, same thing: you start getting fake bills from fake government agencies.

I'm sure many people just pay them because the hassle of reliably figuring out what's real and what isn't can easily exceed the amount of the bill.

This is so fucking infuriating. I don't know why the government can't shut these things down. They basically send you an exact copy of the official form you have to fill out with one line in it somewhere that says, "This is not an official government communication. We are not associated with the government in any way." But other than that, it looks identical to the real form. How is anyone supposed to be able to discern that difference? Luckily I've not yet fallen for it, but I have come close several times. Ass hats.

Yep - 100% agree. I opened a new business back in Nov/Dec 2022, and no less than two weeks did I get multiple, official-looking payment requests for labor law posters. They looked very real with some verbiage about "failure to comply with the law", etc. After I opened the first one, I was very motivated to pay the $89 fee (thinking I missed something when starting the business). However, after reading the letter a few times, I realized it was a scam.

The others went in the trash as soon as they came in...

I'm pretty sure the US Postal Service sells as much of your data as possible. Their Informed Delivery service seems to be primarily intended to sell ad space in your emails instead of sending you scans of your paper mail.

It's not, but when a utility asks for payment via Zelle you might want to think twice or at least check on their website first.

Zelle has all of the downsides of cryptocurrency without any of the upsides

Yep, Zelle is a piece of garbage that's hopefully banned soon. I've refused to take or send payments in Zelle, no refuse.

I'll refuse to do business with anyone who doesn't take a credit card.

Don't blame yourself, I can see making the same mistake myself. Moving is stressful and you were just trying to take care of your family and yourself. Blame the scammers, they are the trash that are taking advantage of the emotional state of movers.

How does the scam work, are they using some person (or their account) as a mule and then forward the money? Or is it just unrealistic that anything gets done about $350 so they don't care if you know who they are?

They are in India or Africa and yep, it's only $350 so nobody (police, bank, etc.) cares

Even if it’s an amount that someone cares about, these people operate in jurisdictions where they can get away with it.

Sorry about that. Regardless of the amount, the feeling of being scammed must suck.

Zelle is insanely scary. The only reason I use a bank is for protection. If they're going to offer a service and not combat scammers, or protect me, why use it all? Sorry to hear that happened to you, it's even more scary that they knew to target you like that at the exact right time.

I tried to buy a used bike in a new city and the guy wouldn't accept anything except Zelle. I had cash, Venmo, Apple Pay, but nope, this guy was hell-bent on Zelle. When I explained to him that I don't have Zelle and wouldn't create one for a $200 bike, he started to think I was a conspiracy theorist. Zelle has done a great job of creating an image of trust and people equate it to using a credit card without fees.

If someone knocked on your door, claimed they were from The Electric Company, asked you for $350 cash, and you gave it to them, would you say “fuck cash”?

When was the last time you pulled out a stack of $20s and had to wait 48 hours for them to become valid?

Cash doesn't try to rationalize all sorts of slow, obnoxious, and expensive behavior on the basis of fraud protection and then fail to protect from fraud. There's obviously a tradeoff here, the problem is getting stuck with the ass end of both sides. I can't really speak to Zelle, but it's definitely true for ACH and wire transfers.

> Cash doesn't try to rationalize all sorts of slow, obnoxious, and expensive behavior on the basis of fraud protection and then fail to protect from fraud.

Neither does Zelle.

> When was the last time you pulled out a stack of $20s and had to wait 48 hours for them to become valid?

Never, but I have also never had that problem with Zelle in probably hundreds of times using it in over a decade.

But I also have never been given counterfeit money via Zelle, which I have been given via cash.

Both mechanisms of transferring money seem to be working pretty well, and both have drawbacks/benefits.

Like I said, I can't speak to Zelle, but I can absolutely speak to wire and ACH and they both have these problems in spades. When I hear that Zelle has the same problems, I believe. When I hear that it's perfect, I doubt, but "works for me" is not strong evidence even if true.

> in over a decade.

Wasn't Zelle introduced in 2017?

No, it was renamed then maybe. It was around as ClearXchange for a while, and some banks had their own names for it, even though it was all the same thing.

Check the history section here:


Interesting, thanks!

Technically not Zelle itself, but my bank would not allow me to pay my landlord through Zelle on the basis of fraud prevention (other people at the same bank as them are fine) or send over $1000 per day (this does sort of protect a little, but it also makes it much less useful).

Zelle is one of those services that sounds good in theory but when you actually try using it you realize that the real life use-cases are very near nil.

"You can send money directly! *"

* If you have a pre-established out-of-band trust relationship and dispute resolution system with the person you're sending it to.

Which basically means you can send money to friends and family and that's about it. But you can also do that with Venmo or CashApp. Any online transaction among strangers that uses Zelle is 100% a scam. Full stop. There's a reason that groups that sell things plaster in giant bold letters to use PayPal G&S.

By far the biggest value-add of Zelle existing is making it really obvious who the scammers are.

> Which basically means you can send money to friends and family and that's about it.

Exactly, and that is how I have used it for 10+ years.

> But you can also do that with Venmo or CashApp.

I could, but then I have to trust an additional party (PayPal or CashApp) with access to my money and accounts. This is another risk with no gain.

Ya know what, fair. That's a more sensitive risk profile than I operate under and Zelle is 3rd party to my bank but if you bank with one of the major national banks I can see that providing some comfort.

It's not actually that sensitive a risk profile -- Paypal has shown itself to be untrustworthy with how it'll just freeze an account that you have a bunch of money in or explicitly suck extra money out of your bank account or with the updated terms of service last year that they "backed down on" only slightly. Paypal also owns Venmo, so I won't touch that one. Not sure about CashApp, but I only see it listed by sketchy people and Instagram influencers, so I've never considered it trustworthy to begin with. At least Zelle was part of the services provided by my bank (Chase)? Clearly it's worse than that initial impression in practice, but I'm not sure that it's really worse than Paypal or CashApp?

Zelle is not exactly 3rd party since it is operated by a company that all the big banks themselves own (and assuming you have an account at one of the big banks):


> Introduced the Early Warning brand and became wholly bank-owned.


> Seven major U.S. banks own Early Warning Services: Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo.

I can get money in my kids' bank accounts within minutes, with no fees, all from my banking app and without giving access to my money to some other shady techbro company. Seems like a pretty great use case and one I use every month.

Zelle is an electronic replacement for checks. It is literally a frontend to ACH (with extra security holes). That's its intended use case.

I'd tell them to take a hike. Don't come to my door asking for hard cash. IDGAF who you are.

I mean; yes. I definitely use "Accept Credit Card" as a gate keeper in many situations because cash only transactions are sketchy.

And similarly, I feel sketchy carrying large amounts of bills on me, for say buying a car - I'll go to the bank and get a bank check over having that much cash on me.

If you had cash, they would rob you for it, but since it's digital payments and most people don't carry cash, it's not economical or practical for fraudsters to steal cash.

Zelle is very clear it's not reversible. Like very very very clear. It's how it works, so the person on the other end has a guaranty you won't just claw the money back after you complete a transaction. Pretty weak to blame them for your mistake.

Ok but why is it not reversible? Is there any good reason? Is it doing Proof of Work?

It is the digital equivalent of cash. That is the whole point. When you buy something with cash, can you just reverse the transaction later? The good reason is what use is a person to person payment system where the person receiving money has no guaranty that they get to keep the money received.

How is it person to person if there's a 3rd party facilitating the transaction? Why should someone be guaranteed to keep the money if they got it fraudulently, with the victim unable to dispute?

This is not different from sending physical goods via mail: a 3rd party is involved but you will be laughed out of the post office when you demand to return items you sent. And there is no guarantee too: authorities may retrieve your items, though chances are even lower when you send them overseas.

Even when you pay by check or ACH, it's not always reversible. It depends on the bank and where it was sent and how long ago.

No fan of crypto, but the idea of bank protection is kind of a joke. If you authorize the money transfer, they likely will not help you, nor cover the loss. No better than crypto in this regard. Wire transfers are internet for speed, not safety. Banking will always have inherent risks.

This is a fault of your political system, it's not a problem inherent to banks.

In my jurisdiction, banks will regularly refund and make whole people who have lost money to scams. They in theory can refuse if they think the owner of the account was careless, but in general they will refund a lot of scams.

One good consequence of this is that scammers now become the banks' problem, so they will do more to help educate and prevent scams.

Rather than being able to wash their hands of scams, they will be proactive in making sure transfers are genuine, etc. Of course this can on occasion be a hassle, but in general it's reassuring that the default is not to allow large transfers to "random" people, and even more re-assuring that in general it's the bank who is on the hook for the money.

To be fair, Zelle is supposed to be competing with the likes of Venmo, where the irreversibility of the transaction is a feature, not a bug. It's supposed to work like cash, for better or worse.

Of course, in practice it kinda sucks. Zelle requires giving strangers way too much information about you. I won't use it. Much as I dislike PayPal, I use Venmo for this use case.

The only thing Zelle requires you to give is an email address (that you choose to associate with your bank account) or phone number. No different than PayPal.

It is one of its features. The previous method of sending and receiving money involves giving out your bank account number (even if not to strangers, then to PayPal), which means anyone can pull funds from your account using ACH.

It's better than ACH, I agree. But Venmo is not PayPal, just owned by them. Venmo works with usernames, not email addresses. I don't have to give a stranger anything other than that username for them to send me money.

It's the bank consortium trying to compete with Venmo with less technology budget; and fewer controls. It's terrifying that this is the best product the consortium could put out. No wonder VISA/Mastercard exist.

I Zelle my kids money all the time and only needed to know their phone numbers.

People often act like victims of scams need to be smarter, however widespread scamming places an immense burden on the broader economy. It increases the cost of doing business, since you have to do more verification for any transaction. We don't blame victims of other crimes, scamming shouldn't be an exception.

Imagine if you went to a restaurant, and the staff refused to serve you until you showed them your bank account balance to prove you could pay. It is an immense failure of law enforcement to not crack down harder on widespread scams.

> It is an immense failure of law enforcement to not crack down harder on widespread scams.

I fully agree. My identity was stolen and used to sign up for retail credit cards in a spree, and I even did the research for them. I had a timestamp of purchase, the items purchased, and the cash register number. The police could not care less. For one, they are lazy as hell and throw up jurisdictions as an excuse. The mere fact that the thief seemingly only used one store per jurisdiction seemed almost intentional in terms of taking advantage of this. The total amount stolen was $9,000, but I don't think the police gave it a second thought after I contacted them, and this was in a city big enough that had a financial crimes department.

I worked briefly for a financial crimes prevention organization, and the minimum dollar amount of loss we could get police to act on was over $100,000. We would do all the research and present them with a complete case.

> For one, they are lazy as hell

How do you know they are lazy and don't just have an excessive # of crimes to handle?

The cops have a pervasive misallocation of resources from the top down.

For example, US police eventually come up with enough evidence for prosecutors to start proceedings only in about 50% of murder cases [1]. Yet police departments spend very little of their time working on murder cases. [2]

Assuming you believe police investigating murders is valuable, I don't see how you can think police should be wasting time on broken taillight stops when they're failing that badly at it. (If the cops can't be reassigned they should be fired and their salaries used to pay cops who can)

[1] Technically I'm describing the murder clearance rate, but I use this phrasing to avoid the common and incorrect implication that a cleared murder means it's necessarily actually "solved".

[2] There's no great metric for this. Assuming a police officer who just filed an incident report about a traffic stop for a broken taillight probably wasn't working on a murder case immediately before we can use incident reporting data. For ex, https://data.sfgov.org/d/wg3w-h783/visualization

Because I communicated with them.

Have you ever met and spoken at length with a cop? Their #1 concern is billing enough overtime and securing a cushy gig.

I won't imply any opinions here, because this is far outside my realm of knowledge, but I will say that a sample size of 1 isn't too good.

Absolutely. And every dollar in the hands of scammers is funding the creation of new and better scams. Even if we didn't care about scam victims at all, society should vigorously pursue scammers just to keep the overall burden down.

And it seems like a no-brainer money-wise too. A dedicated task-force of 10 people might cost you a million a year, but they'll easily track down scammers doing that amount of damage per month.

I recently took an interest in a phishing campaign because the guy was using Amazon SES and kept using new email templates and it kept landing in my inbox. He was an amateur and it was easy to find juicy things on his server, and it looked like he was engaging in all kinds of different scams, like phishing for bank logins, defrauding online-shops, identity theft etc. With law enforcement options, I'm pretty confident I could've nailed him with a few hours invested. Get him for one crime, you stop 10 others.

But the last time I talked to a police officer locally, he didn't know what Netflix was so I won't even try to explain phishing to them and how I got this information on the perp.

A task force of 10 law enforcement officers and support staff with the necessary technical skills is going to have a fully loaded cost way higher than $1M per year.

Fine. Pick your number. Let's be a bit generous:

Ten fully skilled security experts deputized @ 200K/yr. Fifteen assistants at $75K/yr. All personnel grossed up to 140% for fully loaded cost. Hardware, infrastructure, software, hosting services, $200K/yr. Total (((200*10)+(75*15))*1.4)+200 = $4,575,000/year.

You don't think that such a team could stop $50 million in crime in a year? I'd expect that $500 million would be a slow year and stopping $5billion would be more like it. There is so much of it and such low-hanging fruit...

I know of large corporation divisions where $5 million per quarter was literally their rounding error threshold three decades ago (likely more like $15 million now).

The payoff is so great it is astonishing that some large tech companies don't do it just for the general reputation of the industry. Or the banks for the same reason (e.g., I won't touch Zelle, both because when I first checked it out it was horribly clunky, my bank wanted $20/month just to use it, and all the persistent scams).

Or, just for lulz. This is rounding-error pocket-change for these corps. If it got going, I could see a rivalry between MS, Oracle, & Alphabet execs for who could dunk the most scam dollars, and jail the most perps...

> You don't think that such a team could stop $50 million in crime in a year?

By "stop", do you mean "prevent from happening", "successfully prosecute", or "identify the perpetrators"?

My answers, respectively, are "no", "maybe, depending on the sample set", and "yes".

Hmm, why do you think they couldn't prevent $50mm? I'd expect that to be the easiest number to maximize. Take out a ransomware crew, and you prevent all their crimes for the next years, as long as you keep them offline; get the encryption keys, and you've undone every ransom demand still standing. Just busting them in a way that they are either denied bail or have conditions placed on them so they cannot use any computing device, and you've taken them offline (and sufficient monitoring will probably jail them soon when they go back online under bail conditions).

Definitely agree that successfully prosecute is harder than ID perps...

You're dreaming. Most ransomware gangs operate offshore in countries that don't cooperate with our law enforcement or extradite suspects.

Sure, big ransomware gangs are likely overseas.

But you don't think there's enough scammers based in the US/Canada/EU to chase? Back to the Zelle scams as we started with, and an awful lot of scams that require cash mules, seem pretty trackable if someone puts in the effort, especially when people can drop the evidence at their doorstep.

Yes, there are. But none that would be addressable in any reasonable way by your above-hypothesized team of 10 cybersecurity experts. Any significant wire fraud operations are going to be interesting to the FBI and something that is in their jurisdiction anyway.

What’s left would be cases like “I bought this iPhone off eBay and got mailed a brick”. If it was taking your team any longer than literally 10 minutes per successful recovery on average, you’d be better off just using that taxpayer money to reimburse victims directly. It just doesn’t make sense to throw 250/hr labor at a $500 problem.

The guy who mails out bricks instead of iPhones probably does that every day, so if you stop him, you're not just solving a $500 problem, you're solving a $500 a day problem, which is a $180k/year problem.

Maybe so, but:

1. most of them are probably outside the jurisdiction of the hypothesized team mentioned above

2. that's a lot less than $50 million

3. this could be addressed with regular police work

>> 3. this could be addressed with regular police work

The phrase "could be" is doing a lot of work there. Yes, all of these crimes could be — and I would argue SHOULD be — addressed by regular (presuming local or state) police work. Sadly, it is not.

Similar to rampant bicycle theft. It definitely could and should be addressed by local cops, but is largely ignored, and ignored even when people bring them real-time tracking of the bicycle. And you're not supposed to go vigilante and get it yourself (partly due to risk to you).

For #2, $50 million, that seems like a lot of crime. But let's take the mailing a brick for an iPhone example. Each one is roughly $1000. So we need 50,000 bricks per year. That's 137 per day. Way too much for one criminal. But with 250 criminals, they only need to send a brick every couple of days. And our cop team needs to average only a single capture per day to stop $50 million of crime in a year.

Jurisdiction, yeah, they'd probably need national jurisdiction, since there are probably few crimes where the criminal and crime are in the same town (other than the FB market/Craigslist criminals). So, deputized by the FBI is probably best.

So, not unreasonable to search for a solution that actually works.

> The phrase "could be" is doing a lot of work there. Yes, all of these crimes could be — and I would argue SHOULD be — addressed by regular (presuming local or state) police work. Sadly, it is not.

I agree that it is not. I am saying that you don't need a team of 10 cybersecurity experts to show that someone mailed bricks or stole their cousin's Venmo money. Ten traditional detectives would be cheaper and a better fit.

Any technically sophisticated scams that would require a team of cybersecurity experts are likely already at the scale and scope that the FBI already does address them.

The intersection -- a technically sophisticated scam that is a small dollar amount -- isn't a problem that exists.

The reason that large cities don't spend much time on small dollar crimes is because they have bigger stuff to worry about. Yes, there's definitely people selling stolen phones on my local Craigslist, but there's also people stealing checks out of mailboxes and washing them to steal $50,000+. It makes sense to address the latter first.

Ok, so you're saying that much of it is within the scope of regular detectives with appropriate training? If so, I'm inclined to agree -- no sense applying over-the-top expertise when not needed.

Actually, chatting about it, it seems like the ordinary L1/L2/L3 service teams approach could work well. Ordinary up-trained detectives on most cases, when they hit something more complicated, call in the L2 guys/gals, and when it goes over their skillset/toolset, call in the L3 team, etc...

However it gets done, it certainly seems that we need something more than we've got.

There are a lot of talented people you can sell on the dream of working for less than their full market value in order to help vulnerable people not get scammed. It would be very fulfilling work for a lot of people.

Track them down and do what? Are you deploying a local police officer to arrest a scammer in India? It seems to me that in the vast majority of cases, law enforcement efforts will immediately run into jurisdiction issues, and most of the effort will be for nothing.

That's probably true for some part of the scams, but others are domestic. The one I was looking into was most likely speaking German natively, and from what I could tell, he was a German in Germany (some info pointed to a specific German state, and his homedir was a common German first name).

You'll still have scammers from India, but you'll also have a lot that are running more elaborate scams and do a lot of damage by defrauding the government and companies.

It's a fine line. It is not victim blaming to discuss what happened and a strategy to avoid it in the future, though I hear a lot of people suggesting just that. Sure, don't shame the person who got scammed, but if there is something they could do differently that would increase their protection, it needs to be communicated.

Exactly. This taboo against "victim blaming" is kind of holding society back from properly addressing scams (and other crimes). Yes, the scammers are responsible and yes, they are the only ones who should face consequences.

That being said, it's smart to take precautions, and it's not victim blaming to suggest things people can do to reduce their risk of becoming victims. I teach my kid not to play in busy streets. That's not blaming pedestrian victims for car crashes--it's just sensible, risk-mitigating precaution.

My opinion, based on observation, is the opposite (i.e. you perceive a "taboo" against victim-blaming because victim-blaming is a real problem). Obviously we need both sides of the coin (help targets to help themselves, and hamper attackers). And yes, some people may jump to accusations of victim-blaming too quickly. But, I think it's an exaggeration to imply that there is a significant problem where people are characterizing "suggesting things people can do to reduce their risk of becoming victims" as victim-blaming in the context of money scams.

I think that, by far the greater poison holding us back is the obsession with personal responsibility that many people use as an excuse to not have to expend additional effort on dealing with a problem pragmatically. If you are suggesting educating people or giving them tools to deal with scams, that's great. But a lot of people don't want to do that under the very same rationale that you are using to justify it - that the victims could have avoided it. You are saying, "people can avoid this - we need to help them do so", but there is a significant part of society whose opinion on many topics where there is a victim is, "people can avoid this - they need to take responsibility".

Teaching your kid not to play in busy streets wouldn't be victim blaming, it would be victim blaming if your kid got hit by a speeding car and people immediately started questioning how well you taught him street safety. The problem with victim blaming isn't that it seeks to teach people to avoid becoming victimized, the problem is that it gets brought up when people have already been harmed, making it insensitive, unhelpful (something something barn door), and, often, deflecting blame from the actual bad actor.

We should agree on some time frame when it's acceptable to talk about what you could do to avoid being a victim then. It's perfectly fine to say "maybe not now" while the victim is still getting stitches, but having to wait 10 years is also pretty useless because it'll be forgotten.

When something happens is usually the best time to talk to others about that same thing. A bank exploded? Hey, have you heard that there are ways to spread the risk over multiple banks? A hospital got all their files encrypted and needs to pay a ransom? Let's talk about backup strategies and how to secure infrastructure because that could be your organization.

I don't think people discussing strategies seek to deflect blame from a potential bad actor (it doesn't need to be about crime, accidents happen all the time, and there are plenty of things you can do to lower your risk), they just want it not to happen again, or at least less frequently.

Not only law enforcement. The communication systems that allow scammers to ride on their infrastructure anonymously and fail to give their users tools to push back also bear some responsibility.

The POTS and e-mail and usenet protocols are embarrassingly broken on this front.

For anybody who is building a communication system: If allowing anonymous messages to users is a default behavior and it is impossible or impractical to avoid, you have created a system for spam, scams, threats, and harassment.

Putting blame on the victim and pointing out that the victim could've easily prevented the crime are two different things. We can put the whole moral responsibility on the perpetrator, and simultaneously advise other potential victims to properly safeguard themselves.

Shitty people ruin society at every level. Sure online scams are part of it but we have banks, locked doors, guns, an entire law enforcement and justice system etc. all to account for the small minority of humans who will hurt others given the chance.

An idiot in my neighborhood getting robbed because they leave their garage door open at night causes my insurance premiums to go up, but they are still an idiot.

> We don't blame victims of other crimes

Humans blame victims so often they've created a specific term for it - "victim blaming"

>It is an immense failure of law enforcement to not crack down harder on widespread scams.

Do you think if we let cops put on their pretty SWAT gear and roll into white collar criminals' front yards in their APCs they'd start taking these sorts of things seriously?

How do you guys protect elderly parents? My parents and in-laws aren’t there yet but they're all in the retired age group.

A friend of the family recently had his email hacked. They sent targeted emails to all his contacts and set up a filter to hide the communication. His brother in law is a stroke victim with impaired cognition and only has access to $12k or so at a time. They were able to scam all of it from him over multiple transfers and he never picked up the phone to call the family friend. The family friend is also his caretaker and limits his funds access for this exact reason.

The family friend is a retired old GE executive who will probably never run out of money no matter how many cars he buys due to pension funds. I wonder if he was targeted.

Unfortunately I had to just give my parents (68 and 67 years old) ground rules for all forms of communication. This happened after my dad got a fake $3000 invoice from PayPal and he paid it.

1. If a service provider you use reaches out via email asking for money, it's fake. Log in to their online portal (it took a lot of coaxing to get them comfortable with this...)

2. If a service provider reaches out to you via SMS or Phone call, even if they know your account number or other sensitive data: Tell them you will call them back on the phone number listed on their website. If they insist, it's fake.

3. If you aren't sure it's fake, just ask me to look at it.

These are good ground rules. Fortunately or unfortunately, my parents were scammed once pretty early on, I believe for a small amount, so they are well aware of what to look for. But after 10 more years of cognitive decline? 20 more? Who knows if they'll still be on guard.

The simple rule of thumb that will keep people reasonably safe is: Do not trust anyone who E-mails or calls over the phone to be who they say they are. If they say they are from business XYZ, hang up the phone and call XYZ's main number and ask for them. While there are exceptions and scammers are getting craftier, incoming calls and E-mail is by far the major attack vector.

My parents are the same age and have already been scammed a few times. I set up similar rules but I am afraid they might get sucked in again. I don’t understand why law enforcement isn’t doing anything about this. Surely the surveillance dragnet they’ve set up over the last few decades can tell them who is making 750,000 calls a day to elderly people in the US?

U.S. political will to make positive and reasonable changes, like legislating that telecoms crack down on scam call sources or prevent spoofing, seems to have fallen apart. So many people are caught up in culture wars, there's only one thing they care to get behind, and it's taking our country back from those terrible, immoral, brain dead people on "the other side". Voters don't deviate from their tribe, so there's little incentive as a candidate to deviate from standard tribe policy, and so votes are inutile with respect to policy.

If there's a private sector solution to the scam calls that can be charged heavily for, that's what we're most likely to get. The competent parts of government aren't concerned with this stuff. Congress has to make it a concern, but they mostly toil on behalf of corporate lobbyists. Lobbyists aren't hired to help society at the expense of who they represent.

Intelligent, informed voters and honest politicians would have solved this and many other problems already, but we're extremely far from that ideal, and I think still trending away.

I've wondered before if posting in HN threads like this one is a better way to influence policy than going to the polls, since someone with influence could be reading. Maybe what I should actually be doing is writing to my representatives, as that's probably more impactful than either.

You can do it all; going to the polls takes the least amount of effort out of anything else.

Yeah it's people in Nigeria etc.

#3 might be something to try and like really hammer home. Be like "I would rather you ask me about 100 different scam attempts and save $1000s than just pay".

These are all very good. Here's one that saved me a fuckton of tech support time: set up DNS adblocking/malware domain blocking right on their network/router settings. Save it to the factory defaults too if supported or put some tape over the reset pinhole button.

My stepfather always tries the factory reset button as if it's just a more hardcore reboot to "fix" the internet when the service is simply out.

I have power of attorney and manage their finances for them (mid 90s relative). They spend on a credit card which I make payments against, and review transactions monthly for anomalies (anything besides Walmart, grocery store, pharmacy, Amazon, and recurring monthly services or utilities throws red flags). Make sure your estate planning is properly performed before they decline (physically or mentally).

Behavioral improvements and education are nice to haves, but constant vigilance has a high cost for folks at this age and it only takes one successful adversarial attempt to succeed. In this case, strong controls and guardrails are a superior solution imho.

($dayjob is infosec/risk mgmt)

> They spend on a credit card

That's a great idea. And it's easier than ever, now -- at least in my experience. For a while I still had to use bill pay or debit for some of my utilities, but now even those all take credit card. I do it for convenience and the rewards (and because the last time my wife used her debit card it got skimmed), but the result is the same -- 100% of my own spending is on my credit card now. This would work great for my own mother if she gets to a point where I doubt her ability to resist con artists.

You might run into headwinds because in their era using a credit card was generally seen as a bad thing (borrowing, takes longer in line, etc). You might have luck finding a card with cash back rewards and/or a referral fee and selling them on those aspects.

If they want someone to take care of them, then they need to give up some agency. Spending everything via credit card is the easiest and most effective way to solve this problem.

I mean, children also generally don't want someone to take care of them, and yet they don't have much say in the matter.

It’s easier to assume agency over your children than an adult. Sometimes, you even have to go to court (depending on circumstances).

With elderly loved ones, as with everything in life, a negotiation takes place.

I agree, but that negotiation isn't necessarily in explicit terms. In my experience elderly people will spend all day insisting that they will do something themselves (protecting their own ego), yet most of the time if you go ahead and just do it for them they just accept it and move on.

Yeah, my grandfather was absolutely opposed to giving up any agency. Especially to his daughters, so I was the front man. When we had to take away his car keys, he came after me with his cane. Hilarious in retrospect, as it was almost a cartoon. But at the time, it was quite dramatic.

Interesting! Would a specialized credit card be useful to you here? My Amex has pretty nice instant notifications, which are enough for my own fraud monitoring. But for an elderly relative, would you want something more sophisticated?

In my grandmother's case, it's a run of the mill Bank of America rewards credit card (I had to burn goodwill just to get this far, so we agreed to stay with her preferred bank). Before my mother's death, when I was supporting her financially and her having had a long history of and struggle with addiction, I used TrueLink (which I cannot recommend enough, and had found them here on HN) as it allows you to control which category of merchants the payment method can be used with and has strong reporting capabilities on spend.


https://www.ycombinator.com/companies/true-link (YC S13)

If you come across this comment and need advice in logistics for caring for loved ones, contact info in my profile.

Allow list their phone number to only allow numbers they know to call/communicate with them.

Restrict websites to a few domains on the devices they use. YouTube, WSJ, etc...

If they want a new one just tell them to ask you.

It sucks and has problems, but it's the only real straightforward and viable option I've seen work.

Source: have grandparents who were regularly getting scammed or close to being scammed on a weekly basis.

I think you can get away with these restrictions since most of our grandparents' lives, they didn’t have much access to these services.

But what do we do when we get old? Will we be rational enough to disconnect ourselves? What if we don’t have any children that can help us make this decision?

The best option I found was to explain - multiple times - to my grandparents that these scams exist and how each of them work. Hopefully if they are ever approached by a scammer, they'll remember my warning and that hesitation will break them out of the fear used in the scams.

I upgraded my mom from an iPad to a Chromebook (her first computer) recently. I installed uBlock Origin and set a secure password for the Google account which I store in my password manager, and then instructed her to use the Chrome password manager when she needs it.

While I'm confident in the security of Chromebook in general, I'm worried by how readily she pulls out her credit card and types the number into obscure sites for purchasing wedding gifts, Etsy items, etc. A few years ago she would click on Facebook ads and buy shit quality products for little reason, but I think she eventually learned not to do that.

At least it's a credit card and not a debit card. My dad manages the banking, and is a bit more sophisticated, but even he does things like install programs meant to protect him that actually expose him to more vulnerabilities. For example, there is some Symantec monstrosity installed on his computer that injects a green checkmark into Google search results next to each site it thinks is "trustworthy."

It's definitely frightening and mostly a numbers game whether they'll be the next victims of a scam.

I went the other way. I pulled PCs and anything they COULD install bad software out of the equation.

Beyond the obvious stuff like installing an ad blocker, I don't know. The best idea I've seen is what you already said, just limit access to funds. When my dad went through Alzheimers, we canceled his cards through the bank or let them expire and just never told him. But he was far enough gone that he would never have had reason to buy anything anyway so he never noticed. For someone still functional but easily tricked and unreceptive to the idea of limits, I don't know.

I frequently remind my parents that nearly every email and phone call they get is a scammer. Might be good to "pen test" your parents, through a friend or something.

I pretty much just tell them to assume that anyone contacting them by whatever means asking them to do anything is a scammer.

In my experience, trying to list and explain all of the ways that scams happen actually has the complete opposite effect — either it ends up as information overload and they don't remember it, or they become so fearful of doing wrong in specific situations that they almost certainly become more vulnerable to fear-based attacks as a result.

I did the same. It worked quite well even though my mother is a deeply trusting person who sees the good in everyone.

I tell her that if she ever has any doubt whatsoever that she’s to call me any time any where and I’ll help.

I also promised to cover any financial loss due to eg making a late payment because of my advice.

I've conditioned my parents to doubt every form of communication that comes to them, whether it's a phone call, mailed invoice, or emailed. They'll take a picture and ask me before doing anything about it. Hopefully this practice continues as they age. Sure it's a little more of a nuisance for me, but it also gives peace of mind that I'm helping in some small way.

I really think there should be a startup that integrates with Plaid pulling all bank transactions to build AI models for this.

I think real time alerts or daily summaries sent to trusted caretakers. Another layer is having the caretaker approve of the transactions. Can think of this as 2 factor authentication where they'd have to hack multiple phones or accounts for a successful scam.

For example, seeing multiple gift cards would be suspicious. Or if you know your parents never take out more than $100 from the ATM.

Sometimes though they willingly scam themselves. My dad gave this real life scammer 30k in advance payment in return for future caregiving services. We told him she was scamming us and he didn't care. When she asked him for more money to buy a new car he finally realized she was truly scamming him.
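The review rules commenters describe in this thread (an allow list of expected merchants, repeated gift-card purchases, ATM withdrawals above the usual amount), sketched as an added example that is not part of any comment; the transaction fields, category labels and thresholds are assumptions, and the sample transactions are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    day: date
    descriptor: str   # merchant text as it appears on the statement
    category: str     # assumed labels: grocery, pharmacy, gift_card, atm, services
    amount: Decimal


@dataclass(frozen=True)
class Policy:
    expected_merchants: tuple             # allow list kept by the caretaker
    atm_limit: Decimal = Decimal("100")   # usual ceiling for cash withdrawals
    gift_card_max: int = 1                # gift-card purchases tolerated per window
    gift_card_window: timedelta = timedelta(days=7)


def normalize(descriptor: str) -> str:
    """Collapse statement noise so 'WAL-MART #1234' and 'Walmart' compare equal."""
    return re.sub(r"[^A-Z]", "", descriptor.upper())


def review(txns, policy):
    """Return [(txn, [reasons])] for each transaction a caretaker should look at."""
    # Drop empty allow-list entries: an empty prefix would match every merchant.
    allowed = [a for a in (normalize(m) for m in policy.expected_merchants) if a]
    flagged = []
    gift_days = []  # dates of gift-card purchases seen so far
    for t in sorted(txns, key=lambda x: x.day):
        reasons = []
        if t.category == "atm":
            if t.amount > policy.atm_limit:
                reasons.append("atm_over_limit")
        elif not any(normalize(t.descriptor).startswith(a) for a in allowed):
            # Prefix match is a heuristic: it tolerates store numbers, nothing more.
            reasons.append("unexpected_merchant")
        if t.category == "gift_card":
            # Checked separately: gift cards bought at an allowed store pass the
            # merchant rule, so the allow list alone would miss them.
            gift_days.append(t.day)
            recent = [d for d in gift_days if t.day - d <= policy.gift_card_window]
            if len(recent) > policy.gift_card_max:
                reasons.append("repeated_gift_cards")
        if reasons:
            flagged.append((t, reasons))
    return flagged


POLICY = Policy(expected_merchants=("Walmart", "CVS", "Amazon"))

# Constructed sample statement, not real data.
SAMPLE = [
    Txn(date(2024, 3, 1), "WAL-MART #1234", "grocery", Decimal("84.12")),
    Txn(date(2024, 3, 2), "ATM WITHDRAWAL", "atm", Decimal("60.00")),
    Txn(date(2024, 3, 3), "CVS/PHARMACY #0099", "pharmacy", Decimal("23.40")),
    Txn(date(2024, 3, 4), "WAL-MART #1234", "gift_card", Decimal("200.00")),
    Txn(date(2024, 3, 5), "WAL-MART #1234", "gift_card", Decimal("500.00")),
    Txn(date(2024, 3, 6), "ATM WITHDRAWAL", "atm", Decimal("400.00")),
    Txn(date(2024, 3, 7), "QUICKFIX TECH SUPPORT", "services", Decimal("299.99")),
    Txn(date(2024, 3, 20), "WAL-MART #1234", "gift_card", Decimal("50.00")),
]

if __name__ == "__main__":
    for txn, reasons in review(SAMPLE, POLICY):
        print(txn.day, txn.descriptor, txn.amount, ", ".join(reasons))
```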

This seems a great app to get access to via using a scam!

Is there any way with US banks to only allow transfers via in-person, at-the-bank requests? Some accounts just don't need the convenience of online access, and tired of the "identity theft" spiel from banks to absolve themselves of responsibility.

> How do you guys protect elderly parents?

I told my mother (who is 81) that the answer is always no. There is never an emergency, the answer is always no, she should hang up and then talk to me. Personally, if possible (we live 10 minutes apart) or at least on the phone. Any legitimate need for money can wait that long.

Fortunately, my mother has a somewhat technical background and her mind is 100% still there, so it hasn't ever been a real concern yet. She's skeptical by nature of what she sees online.

We have this sort of issue with my mother-in-law (90s). The best thing I did was set up a Chromebook (ChromeOS Flex) with just the basics (mail, photos, etc). From there, we routinely log in to the Gmail account and remove crap from her emails. It is tough - especially since the world is so on-line (photos of grandchildren, etc). Given the huge disparity between her age and technology, it is extremely important we act as her proxy for her online communications. Privacy be damned.

Talk to your bank to see what additional layers of security they can offer for moving money around.

It could be as common as sending a pin to YOUR phone or that they actually call the bank to authorize it.

Some joint accounts also require approval from both parties to transfer large amounts of money.

Additionally you can open a secondary account for your elderly relatives for daily expenses, they fund this account from their main account.

Anything you do, do it at the banking level, do not rely on your elderly relatives to dodge pretty sophisticated scams.

We need a mechanism like a credit lock. The ability to block all transactions over $XX.00 until verified out of band. For a lot of these people, that would be only a few times per year and not a big headache. We need to give the CFPB more power.

How do you guys protect elderly parents? My parents and in-laws aren’t there yet but they're all in the retired age group.

How do you protect your car from your teens crashing it? Don't give them the keys

Something I haven't seen mentioned is a DNS firewall to block phishing domains and newly registered domains. I use NextDNS for that and I'm sure there are others.

Call your governments, and apply pressure to force them to force the business community (telcos, banks, etc) to stop tolerating this and get serious about it.

My mom knows that if someone asks her for money outside of her normal bills, she texts me. This has worked well for us.

> How do you guys protect elderly parents? My parents and in-laws aren’t there yet but they're all in the retired age group.

The ability to reason about money deteriorates with cognitive decline, in large part, I think, because it is so abstract.

The solution is for them to not have direct access to control all their finances, but rather get monthly amounts via a trust. That way, downside is limited.

>rather get monthly amounts via a trust. That way, downside is limited.

Unless the trustee is a scammer, or worse, one of several adult children who don't agree on how finances should be managed.

Rigorous trust design is important. Firstly, you have to trust the trustees (so your "scammer" risk is irrelevant).

Secondly, it is typical to mitigate against a single trustee not acting in good faith by having an odd number of trustees.

>you have to trust the trustees (so your "scammer" risk is irrelevant).

So you are saying that if you trust the trustee, they can't be a scammer? I don't agree.

I don’t know whether you’ve ever established a trust (I have), but the whole point in selecting trustees is that you trust them. They’re not some random person who duped you into a scam.

They might break your trust (as the person who originated the trust) but that’s not the same as a scammer. A scammer is someone who commits or participates in a fraudulent scheme or operation.

There's a scam going around targeting teenage boys that I don't see people talking about. Scammer poses as a cute teenage girl on Snapchat/TikTok/Instagram and starts DMing a teenage boy late at night. Eventually convinces boy to send a dick pic, then reveals himself and says, "Got you! I'm going to send that dick pic to your parents and everyone at your school unless you send me money!" The scammers will even voice call them at this point and threaten them that way.

The boy that got scammed is so embarrassed that they won't tell anyone and they send the money.

It seems they must be carefully targeting relatively clean cut (so they'll be sure to be embarrassed) and wealthy kids (so they actually have $300 to send). It's mind blowing how well these scammers do their homework

Variations of this have been going around for years. Sometimes scammers will even work with cam models to record victims sexting over videoconference.

At one point they were targeting Muslim men because they knew the cultural implications of those videos being sent to their communities. I remember reading a story about a raft of suicides linked to that particular scam.

There’s also less sophisticated versions where the scammer will only claim to have hacked the victim’s webcam and demand money to avoid sending it to the victim’s friend list on social media.

After reading about this, I bought a bunch of cheap plastic webcam covers to give to everyone I know. They were only ~$1/ea on Amazon and work great.

That’s a pretty old scam, but kids these days seem to have easier access to credit cards than when I was growing up, so I expect it is quite lucrative.

They did this to US service men. The scammers claimed to be underaged girls and they would ruin the soldiers' reputation unless they paid.

Some committed suicide from the shame.

Flight of the Intruder (the novel, less the movie) is very much based on sextortion.

Do you feel any sorrow about pedophiles willing to abuse kids removing themselves from society?

You can join the US military at 18. An 18 year old dating a 17 year old is not a pedophile. What if the girl said she was 18 and then she reveals later she isn't?

The problem is US law is so fucked up that having sex with someone that's days younger than you can be illegal and punishable by labeling you as a sex offender for the rest of your life. Even if the other person had a fake id and lied to you!

Lots of countries have "Romeo & Juliet Laws" that decriminalize sex with minors if both parties are within a few years of each other. For example, France has the age of consent at 15, and decriminalizes sex with under 15s if both parties are within 5 years of each other. There are caveats: the exception doesn't apply if one party has legal or factual authority over the victim, or are related.

It varies by state here but a lot of people don’t know what their state considers legal.

The implication I got from that comment is that they would claim to be underage after receiving the photos.

This extortion is so common that it has an entire subreddit devoted to it (/r/sextortion) and it's often busier than the /r/scams subreddit.

In addition to those resources, Episode 4 of the Netflix series "Web of Make Believe" is basically a one hour documentary all about how sextortion operations work. Every episode of that series is solid gold.

What's terrifying, after the cultural secretiveness of sex, is the legal position this puts a minor in; if a 17 year old goes to the authorities, some jurisdictions would legally be required to file against the victim for creating child pornography.

> There's a scam going around targeting teenage boys that I don't see people talking about.

It's not just teenagers, they target older men. I get requests on WhatsApp from profiles with an attractive woman's display pic. I sometimes accept these requests and chat with them. They all want to have a video call on WhatsApp.

I have never done any video calls with these scammers but their end goal is to have a video call where the woman might be wearing revealing clothes or even nude, get a screenshot where your face is on the call and then blackmail you: if you don't pay up, that screenshot will be sent to your contacts.

There's a Black Mirror episode with this plot.

I mean.. did you watch to the end of the episode? In the episode the scammers were targeting people trafficking child pornography, so it's a bit harder to empathize.

I don't know why spoilers are relevant to this thread

This will get much, much more ugly very quickly.

Oh your daughter is spending her gap year in South East Asia? Find her social media -> download the videos with a sample of her voice -> generate audio of her asking you to help/send money because "she was robbed at a gunpoint" -> message your phone number/WhatsApp/Facebook account etc.

These scams are possible now, but their quality will increase exponentially given that you won't need to know perfect English or be well versed in tech to do this.

You don't even need the fancy fake voice. Scammers called my Grandmother once, this was about 5/6 years ago, pretending to be me, her grandson. Pretending to be me, they told her I was in jail for cocaine possession and that she needed to wire money to bail me out. She believed it at first and was in her car driving into town to wire the money when she decided to try calling my cell to check. I told her I was in my office at work, and that I don't do drugs, lol. I am glad she had the idea to call my cell! I am fairly certain the only reason it didn't work on her in particular is that she knows I am a giant computer nerd with no friends so that was not something I was likely to be doing, haha!

Currently they just say they have them. A more common one is pretending to be the police. They tell the family member that they have to pay bond for their child/grandchild to be released.

My mom almost got tricked by a police scammer saying they have an arrest warrant for her due to not paying a debt and that she would be arrested if she didn't pay the money. Only reason it didn't work was because she didn't have the money and called me crying asking for help. Now she knows to never trust anyone requesting or demanding money over the phone.

It's the quantity that scares me the most. These methods are eminently automatable, especially with a connection to social media graphs.

I've gotten a few voicemails that are a recorded message telling me that I am going to be arrested the next day unless I call back. I know it's a scam but it's still physically alarming. I picture being arrested, I picture being thrown in jail at the mercy of the justice system. I imagine what will happen with my job and my family. It's so frightening that I completely understand why people will pay hundreds of dollars to make that feeling go away.

The sickening thing is that I'm sophisticated enough to not fall for it. I'm white, I'm college educated, I'm a comfortably employed engineer, I know that I'm at a relatively low risk of being arrested without cause. A lot of other people probably get these calls, probably suspect it's a scam, but don't have the same level of confidence and just hand the money over. These scams prey on the people who can least afford it.

I was also getting voicemails from a lovely recorded female voice saying "someone who loves you very much has asked us to reach out to you, please call us back". Again, rationally I know it's a scam, but still emotionally I feel how nice it would be to think that someone out there cares about me. It must be nearly irresistible to lonely people.

I got those a few times here in Austria. In fairness for me it was amusing since it’s obvious the FBI don’t have jurisdiction here and seems unlikely they’d use an obvious and poor text to speech generator.

A more clever one I got just the other day started with a text to me in German claiming to be from my son saying he lost his phone and this was his new number. Even though it was preposterous I did take a few moments to recognise it was a scam.

She's the scammer, of course she is putting out poor me as I put out calls. She is too chicken to answer the door to me, an officer and the woman and children she stole from. Chicken bock bock.

You're not sophisticated enough to not get caught. I AM SARAH MILNER I AM MISSING MY CHILDREN AND A CRAP LOAD OF MONEY ETC. Thou shalt NOT STEAL! you have My name and number and I walk by my house and car everyday. But no more. It's mine and I'm getting it back. Along with my children. I have 3, 2 girls 1 boy. Anything else to say? Anything you say will be used and held against you. I need you to please contact tpd and return my belongings, we have been aware of the situation. I'm having that number shut off as well.

   Sarah milner 
   4424 e bellevue

Thou shalt not steal! Stealing is illegal, improper and not the way to get to the top. Yes call me Sarah Milner the owner of everything you stole, you have my kids too?!!! I have worked my whole life in care centers and been a mom to my children 15 years. No one can take that from my children and I. And everyone knows who the real me is! YOU ARE FAKE!

You are the scam! And I'm right here. Quit running.

Feel like this number will only grow with the consumer AI advances.

Text is one thing, but also thinking of deep faking video/audio. Elderly seem especially susceptible. I have a close friend's grandma that was scammed out of 5k from a fake voice call.

My new rule number 1. Always offer to call them back on a published number.

My 84 year-old mother is constantly targeted. It’s extremely frustrating. Luckily she is extremely sharp and spots them easily. But if she wasn’t, it would be a constant struggle.

Email, text, and live phone calls are the typical approach. I can’t count how many times people have claimed to be her grandson needing emergency funds (usually bail). She also gets fake invoices via USPS but I manage her mail so it never gets to her. It is never ending.

The reply I was seeking.

My wife got suckered into one a few days ago (though hung up before anything bad happened). We ordered a replacement pair of glasses for my daughter, and the store said they would call when the glasses came in so we could pick them up.

Flash forward a few days, and she gets an automated call saying something akin to "Your delivery is on hold, please press 1", so she did, and got connected to an "agent" who she started talking with. In her conversation it became obvious to me it was a scammer, so I told her to hang up, but not before she got overly concerned at me.

She's pretty aware of these things, but it was just a right place at the right time kind of thing that caught her off guard even though there were plenty of warning signs.

> it was just a right place at the right time kind of thing

Scammers abuse this principle by sending out texts to the tune of "Your package is on hold until you pay.". The chances a random person is expecting a package at any given time are pretty good.

And confirmation bias is strong. The above commenter didn't even have a package being delivered -- they were going to pick up the glasses from the store. But you sometimes hear what you expect to hear, rather than what was actually said.

I recently came across this video [1] made by a famous YouTuber who was able to interview a scammer that regularly creates copycat accounts of his YouTube profile to scam his user base. It gives an interesting backstory and if the scammer was actually telling the truth, there must be so many people who still fall for these schemes.

[1] https://www.youtube.com/watch?v=iROF9Dd7FXA

Glad the article answered my question right away - A large part of the fraud is in the crypto space

2.57 billion crypto, 7.73 billion in the space you respect

I'm just here to watch the goal post move

7.73 billion represents a very small fraction relative to actual utility. 2.57 billion represents 99.9% of something that has virtually no utility other than scamming people.

the most obvious red flag is that perspective is unfalsifiable. hence why you would have to always move the goal posts predictably further.

as in, the crypto numbers could have been any amount and you would have said the same thing.

if it was $1bn you would have said that, $500mm you would have said that.

and that's, in conjunction with nothing in the crypto space having any utility, for you, and nobody else’s utility being valid, for you.

Well said. It's always fascinating to see how quickly (and predictably) logic gets thrown out whenever cryptocurrencies are discussed on hn. Thank you for pointing this out.


Many responses state that "government should do something" or "there would be net positive payback if we only hired a team of experts to hunt these scammers down".

But consider the IRS. They are supposed to go after millions of tax cheats who "scam" the rest of the taxpayers by failing to pay taxes they legally owe[0], but Congress generally does whatever they can to prevent the IRS from enforcing the tax laws. So why would they be interested in going beyond that to pursue scammers that prey on those who are not ultra-sophisticated?


Congress does not have the ability to enable the IRS to collect many of these taxes even if they wanted to, as many of the scammers live outside of the US. The only real way to address the issue is to either force domestic intermediaries (banks, telecom) to put up roadblocks, or have law enforcement do their best to cooperate with foreign law enforcement.

The US gov could pull a FACTA if they really cared: Institutions and employees found to process more than a specified percentage of scammed funds/gift cards get sanctioned, thereby cutting them out of the de facto world financial system.

This approach works extremely well for FACTA, so much so that some foreign banks bend local laws to comply. Scammers would get absolutely destroyed if this was implemented.

There aren’t any legitimate foreign companies involved in gift card scams, just the scammers stealing otherwise legitimate gift cards issued for US companies and selling them on secondary markets. Google doesn’t really have any way to manage what people do with a physical Google Play gift card, nor does the grocery store that sells it. If you were to make those parties responsible for fraud, they’d simply stop selling them. Gift cards are neither of their primary businesses.

Scammers could also just move on to cryptocurrencies, which are already subjected to sanctions in some cases with varying degrees of success.

Banks are easier to sanction because they have a more tangible physical presence.

Maybe if the government did something to force companies to handle this or prevent attempts. The majority of phone calls, snail mail, and even email are nothing but spam and phishing attempts. I just don't even answer my phone anymore, as it's not a phone. It's just a terminal for spam calls. According to my mail, the warranty on my car and house has expired a couple dozen times. Even Gmail's spam filtering has gotten worse where several make it through.

Maybe the government should be enforcing laws and pursuing criminals as opposed to expecting businesses to solve this via creating a credit rating system for all aspects of one’s life.

In some areas if you live in apartments, folks actually knock on your door to sell you religion and vacuum cleaners. 2023 and still we have door to door sales.

The scammers are getting better data now too. I ended my AT&T service and sent back my modem, with a penalty if you fail to do so. Somehow, a separate entity is now calling me about it, in the exact time frame AT&T would if I had not returned it. If I hadn't checked the phone number they ask you to call (other people reported the same thing) then I would not have known it was a scam

Great job FBI adding up the totals, now how about some enforcement, much of this has to be organized.

Get ready for the gpt powered scams that call your family members and use a text to speech model that mimics your voice because a few second snapshot of your voice is all that’s now needed to reasonably mimic you.

Maybe it’s too expensive to run right now for scammers, but just wait a few months or weeks for the open source models to shrink and improve!

A number as made up as the one in the original headline of this submission.

Does the FBI do anything about this? Is the fact that Indian and other "third world" scammer call centers operate with near-impunity being treated as an assault on American citizens as it should?

Yeah, uh, the travesty that is the "do not call" federal list is all you need to know.

Like everything these days, if it's not for important people, and by people I mean corporations, the government doesn't care.

You want to know what shows how bad our government is these days? I'd guess that support for Do-Not-Call is probably over 70% popular support, and it never gets implemented properly, enforcement is clearly nonexistent.

There is a decade-long war on consumer protection and credit protections for everyday people.

$10.3B is just the reported amount. How many people (like myself) never report it. Surely many times that amount?

Why would you not report it?

In my case, I was scammed about $350. What is local pd or anyone gonna do to help me with that? Nothing, that's what. Absolutely nothing. Why waste my time even more?

I have a friend who is a federal agent. He commiserates with those of us not reporting, as it takes time and attention (not spent earning money) to report. It also creates a digital trail of information that all too often gets misdirected into misadventure. Way more often than most people realize. The only real value to reporting these things is to give a government a measure of how bad something really is, so they might take informed policy action.

What happened?

1st occurrence - years ago, my company had a business account at a Minnesota bank. I was issued a debit card on that account. The debit card was bilked for $850 by an “unknown” party. I informed the bank. They complained that I had a personal debit card on a corporate business account - which was not allowed (heck I never even asked for it) - if it were a business card I would be covered, but with a personal card I was not. They canceled the card, never to be replaced. Needless to say I communicated my displeasure, but at the end of the day there was nothing I could do.

2nd occurrence - in the past 12 months, I get the classic text message, “Steve, as you know it’s my brother’s birthday and I always send him a $500 gift card. I am in the hospital unable to communicate or take care of this, and I was wondering if you could do it for me - here is his number : 212-xxx-xxxx.” Now I DID know it was his birthday and I DID know she always gave him a $500 gift card (pretty nice sister), and I DID know she was in hospital for a few days. I also knew that he lived in NY so the 212 area code was a nice touch. But I also am very familiar with gift card scams, so I just wrote it off. I was thinking I should just call him, wish him a happy birthday myself and ask him a personal question about his sister to which only he would know the answer. In any event I was just about to board a flight and it would no longer be his birthday when I landed. Then literally 5 mins later I get another text from one of our mutual friends, who lives on the other side of the country - “Steve, is there any way you can help, <name withheld> needs someone to send the birthday gift card to <name withheld>. I told her I could not do it but suggested she might ask you instead.”. Okay this was now getting interesting. The texts came from 2 separate women. I knew both of their Verizon accounts were set up with 2FA (heck I set it up for them!). What’s the chance of both of their accounts being hacked at the same time? (extremely high as any cyber-security expert knows). Both of these women were trusted personal friends - it wasn’t some inside job - they were in fact hacked. Verizon was hacked. Etc. I have some last minute urgent business distracting me, with which I am on the phone with my PA - at the end of that call, I instruct my PA “oh also, send a $500 gift card to <name withheld> at 212-xxx-xxxx from <name withheld>”. I figured she would do it through our Amex facility, which has recourse for such fraud. She just bought one off a website.
Now everything that happened I knew better. But it happened anyway. It was one of those perfect storm situations where I just wanted things taken care of and I wasn’t being diligent. I’m not proud of it, quite embarrassed in fact. The ex-husbands of both of those women are cyber-security clients of mine. Part of me even thought it was one or both of them. In the end, THEY were the only ones to whom I reported the scam (oh and whoever is reading this) as I felt a professional obligation. Any cyber-security expert will tell you that it is this social engineering and grooming that is the key to many of these scams. Scammers are even more surreptitious now, using AI-generated voices to leave messages sounding just like the known confidant. Be very wary and just always …. say no!

Ok, yeah, that's more elaborate than the average scam. And yes, it's only getting worse from here with all the new AI advances.

The scam I've only recently begun seeing is the PayPal Invoice scam. You'll get an email directly from PayPal saying you owe money for an antivirus subscription or for some service or something.

I didn't fall for it because I figured anyone with a PayPal account can generate and send an invoice through PayPal to any email address. But I wouldn't be surprised if this scam gets a lot of people. It's a well known company, the email is directly from them, and it's a legit looking invoice saying they owe money.

I thought about setting up a foundation that mock scams people as a form of scam education after my wife was scammed in a classic tax text scam. Thoughts?

That's an interesting idea. Sort of like a scam pen test? Some other commenters talked about the difficulty in getting other family members to take the threat seriously, maybe this could work as a demonstration tool.

Yeah 100%, the family members could give contact info for those they think are vulnerable and you can as you say 'pen test' them.

Love it. Execute the scam, immediately send the money back (or better, somehow don't accept it in the first place) and tell them what happened with a link to an informative webpage. Might even be self-sustaining if you solicit donations from the victims concurrently with revealing the fake scam (though, uh, perhaps they'd be unusually wary about giving any amount of money right then and there to some organization they'd never heard of before).

ChatGPT-4 throws some cold water on the idea, naturally, though I still think there's something there:



i have an idea for a non-profit foundation that would leverage LLMs to perform "online scam pentesting" at scale, as a public service. basically, we would execute pretend online scams very similar to real online scams that people are victimized by (fake invoices, romance scams, etc), but immediately send the money back if the pseudo-victim falls for it along with a brief explanation of what happened and our foundation's mission, along with a link to an informative webpage with helpful resources on online scams. (if the victim ignores the pseudo-scam, we'd perhaps wait a day and then follow up with the same info.)

this seems to me like it'd be potentially legally fraught, though i'm not sure exactly how, or if there's any relevant legal precedent on the topic. what do you think?


I am not a lawyer, but I can provide some general thoughts on the potential legal challenges associated with your idea. It's important to consult with a legal professional for advice tailored to your specific situation and jurisdiction.

Consent: Executing pretend online scams without the consent of the individuals involved could potentially be a legal issue. Consent might be difficult to obtain without revealing the purpose of the exercise, which could defeat the purpose of the "pentesting."

Privacy: Collecting, storing, and processing personal information might raise privacy concerns, especially if the information is sensitive. Different jurisdictions have different regulations, such as GDPR in the European Union and CCPA in California, which govern the collection and processing of personal data.

Fraud: Even though your intention is to educate and protect people from scams, the act of sending fake invoices or pretending to be someone else could potentially be considered fraudulent behavior. This could open up your organization to legal liabilities.

Unintended consequences: If someone experiences financial, emotional, or other harm as a result of your "pentesting," they might choose to take legal action against your organization.

Regulation of LLMs: Depending on the jurisdiction, there might be specific regulations governing the use of LLMs, especially for activities that can be perceived as deceptive.

Precedent: While there may not be direct legal precedents for this type of activity, similar cases involving penetration testing and ethical hacking might provide some guidance. However, those cases typically involve consent from the targeted organization, which is a key difference from your idea.

To minimize potential legal risks, you could consider alternative approaches to educating people about online scams. This could include creating awareness campaigns, providing educational resources, or partnering with organizations that share your mission to fight online scams. Regardless of the approach you choose, it's essential to consult with legal professionals to ensure compliance with relevant laws and regulations.

Yeah, I think there would be a thin line to tread between being helpful and informative and being scammy. I would not want to actually go through with the scam and soliciting donations as an unknown organisation seems spammy/scammy. I think it would probably be better to charge people to attempt to scam people they think may be vulnerable or themselves.

Lately I have been getting really smart and crafty scams. 1. No obvious reasons to believe it is a scam i.e. no typos or anything. Mail from a prepaid card that we didn’t use a certain card balance and them asking us to send information (includes SSN#) so we could claim the unused card balance. 2. My wife got a mail from the vendor of a certain HSA account saying that they had been breached and her information could be compromised and to sign up for some Experian service that had a little different domain name from experian.com.

I almost fell for these two because 1. We did get gift cards from ppl few years ago and maybe I didn’t use them all 2. I’m aware of Experian credit locking but if I were to do that I would Google Experian and not point to that strange domain. Also why is vendor of HSA company contacting us, shouldn’t the HSA company inform us about this hypothetical breach?

An entire article on this and no information provided or linked as to the patterns and techniques of these scams to inoculate readers against them...



apparently, if you are a business owner, you can pentest-phish your own employees, this sounds like an interesting business to be in: https://www.knowbe4.com/phishing-security-test-offer-ga-nav

Most of this qualifies as straight-up fraud that will never be prosecuted.

You're lucky if the police will take a report. Detectives will only poke around if they know it's local.

AGs and DAs don't care about small-scale scams and ripoffs and cheats, generally aren't equipped to investigate them, and if the party committing fraud is in another country are likely to throw up their hands and say "not in my jurisdiction."

The only way this can be addressed is the extremely unlikely scenario of making the platforms legally responsible for getting the money back, under the threat of sanctions measured as a multiple of losses or a fraction of total revenue.

Part of me wonders whether some of the recent advancements in LLMs could help detect and stop scams by having them pre-process emails, texts, or monitor transcripts of ongoing phone calls and have them alert the user if the content seems scammy, or even just advise of common-sense precautions that could be taken (for example "you should hang up and call your bank back at the number on their website").

Another part of me is kind of horrified at the privacy implications of that, and questions if that potential trade-off would be worth it given that such a service would undoubtedly be run by a private corporation.

If anything, LLMs will make it worse.
