WEBSITE RESCUE
Affordable website maintenance and support for small businesses and individuals
Free advice!
I’m often asked if something, usually an email or phone call, is a scam. I’m a strong believer in the benefits the internet can deliver, so the fraudsters devaluing it with scams and spam make me angry.
The simplest guidance is that if you are suspicious you are right to be. 90% of scams are readily identifiable as such. The other 10% are scams too, just a bit less obvious.
Successful scams rely on:
- Credibility – it’s easy to copy the design of an email from a genuine business, including their logo and their web, email and postal addresses. The aim is to get you to click something, such as one of those addresses, or to download an “important” document. It’s all made harder by the fact that genuine businesses do exactly the same.
- Temptation – an offer to provide something at an unusually competitive price (or free).
- Offers to do the impossible – “We can get you onto the first page of Google search results”. Even at very significant cost and effort nobody can deliver that. If it looks too good to be true it’s a scam.
- Urgency – Only 3 left at this price; Offer closes in 30 minutes; On-screen count-down timer until end of sale price offer; 5 sold in the last hour. Their hope is that you won’t want to miss out so you rush to make a decision. I have yet to try to book a flight or hotel without something like this intervening. Maybe sometimes they’re telling the truth but maybe not.
- Validation – A customer in [your town] has just bought…; Endorsed by [celebrity name]; Rated First by [well known consumer review source]; Winner of [possibly fictitious award by prestigious sounding organisation]. Who cares? What matters is whether the product is right for you.
- Fear – some confidential data will be made public, your bank account has been hacked… If you are concerned make independent checks.
  For small businesses a common one is “someone has asked us to buy a domain name similar to yours, we are obliged to offer the name to you first”. If you think the name is truly one you should own (probably not), buy it elsewhere.
- Appeals to your better nature
  - I need to buy an Amazon voucher for an urgent gift but I’m having difficulty, please do it for me, I’ll refund tomorrow.
  - For everyone who clicks this link Bill Gates will donate £1 to a children’s cancer charity. If he wants to give to charity, what’s stopping him? They want something from you.
  - Can you send us some old books for our school library in a deprived area/African village? The aim is to build up a relationship then exploit it.
- Appeals to your greed/worst nature
  - “I turned an investment of £200 into a £1000 a day income for only an hour’s work a day. No special skills needed, I’ll share my secret in this free tutorial.” Here are some more credible options: Jack, give me your cow and I’ll give you these magic beans; Turn again Dick Whittington, the streets of London are paved with gold.
  - You’ve won the Irish Lottery – strange, I don’t recall buying a ticket, but no harm checking. Yes there is.
  - Beautiful women in [your town] are looking for men like you… Yeah, sure they are…! They need to look a bit harder.
Be on your guard:
- If you receive a communication of any kind from someone you don’t know and who you’ve not asked to contact you.
- If there is any urgency to their request.
- If there’s any payment involved, however small.
- If an email has a button to press or an attachment to open, don’t, unless you are 100% certain of the sender, that you are expecting the email and that it is personalised. Even then, if you have any concern whatsoever, check back with the supposed sender.
- Even if an email appears to come from a known contact, if it’s unexpected, and especially if it includes a payment request (especially involving urgency), a link to click, an attachment to open or a phone number to call, it’s far better to check than to be scammed.
- If an email is advising you of a change of email, phone or web address, that could be the start of the process to steer you into a scam.
- If an alert tells you that you need to change a password, don’t click a provided link however credible it looks. Instead, go separately to the relevant site and see if that is advising of a problem. Log in anyway and set up not just a strong password but also MFA if possible (see below).
- If you are asked to share any confidential information about yourself or anyone else.
- If you are asked to grant access to your PC or mobile phone such as to fix a technical problem.
- If you are asked to look at “log files” on your PC (these record common routine minor errors, the caller tells you the errors indicate a serious problem, this is a pretext to get you to download malware or to give them access to your PC).
- Threats to share your confidential data with friends, family, employers, HMRC, the Police unless you pay a fine.
- If an offer seems too good to be true – it is!
- “Boiling a frog” – it’s commonly stated (please don’t try this!) that if you immerse a frog in cold water and gradually heat it up, the frog won’t jump out but will end up being boiled alive, whereas if you dropped it into hot water it would immediately try to escape. There is an analogy with how many successful scams work (including, but not only, romance scams). A trivial contact gradually develops into some kind of trust relationship. The alarm bells should start ringing when that trust is used to request that you make a small financial transaction on behalf of the other party. It will escalate.
With the advent of Artificial Intelligence allied to the highly sophisticated skills of the crooks, scams are becoming daily more convincing. Given the many thousands of pounds a successful scam can deliver to the fraudsters there’s no wonder they are prepared to go to such lengths. Soon the scams will feature AI generated moving images of friends or family speaking using AI generated copies of their voices. Photos and segments of speech posted on social media provide the source material for the AI systems to “learn” from.
Some checks you can make:
- There are websites that deal with common scams. A Google search for a short phrase from a suspicious email will usually find reports of it being used in scams. If the search fails it doesn’t mean it’s not a scam.
- Contact any other party apparently involved but by using a different channel of communication (e.g. if you received a call on mobile, check using a different phone or WhatsApp). Do not use any contact details or instructions in the original communication, they are readily faked.
- Use something to verify that a friend, family member or colleague you are communicating with is not being impersonated. In conversation something like “do you remember…”. That could be a genuine shared memory or a fake question “Do you remember our trip to Antarctica” that will deliver genuine surprise from the legitimate contact.
- Have an agreed “safe word” amongst your close family.
Stay safe, protect yourself:
You can reduce the risk in numerous ways:
- Never share your password with anyone, even your husband/wife. If you really have no choice but to share a password or allow a trusted third party access to your PC (or mobile), then watch what they are doing, afterwards change your password, then run a virus scanner. Don’t allow a third party to plug in a USB memory stick or load anything to any of your electronic devices.
- Use MFA (Multi Factor Authentication) wherever possible or even better PassKeys.
- Use a commercial security product such as Norton.
- As well as strong passwords (and MFA or PassKeys) use a non-obvious user name.
- Scammers harvest information from your social media accounts and can use that to manipulate others. Example: Imagine a scammer finds out your travel plans. That is usually as simple as seeing your social media postings about a trip you are currently on. Perhaps they have been leaked by an unscrupulous travel company employee, perhaps your, or a correspondent’s, email account has been hacked. The scammer can contact your friends masquerading as you with some kind of story, such as: “I’ve been taken ill and need cash to pay the medical bills, please send £££, I’ll be very grateful and will refund you the moment I get back home.” Urgency is a common factor and they may ask you to use an unfamiliar phone number or email address. Typically payment is requested to a Western Union address (because they have been accused of releasing the funds without adequate identity checks).
- Don’t use online banking from your mobile when connected via WiFi (often provided free by hotels and restaurants), the traffic can be intercepted.
Still not sure if someone’s trying to scam you? Your suspicion is probably proof enough.
MFA (Multi Factor Authentication) and PassKeys.
Since the early 1990s we’ve largely been using a username and password to protect our online activities.
That’s no longer good enough. Even strong passwords can be leaked. How?
- a “keylogger” has been installed on your PC/phone (numerous ways to do that without your knowledge)
- your login over WiFi has been intercepted
- you left your paper notebook somewhere someone else could see your list of logons
- you fell for a scammer’s email and logged into a fake site. When that happens they capture your login details then use them to log you in to the real site so you don’t realise you’ve been scammed.
More secure login methods involve
- (Knowledge Factor): Information stored in the user’s memory, including passwords, PINs, security questions, or personal data.
- (Possession Factor): A physical or virtual item in the user’s control, such as a smartphone (for SMS or app codes), hardware token (YubiKey), smart card.
  SMS (text message) is widely used but open to abuse. Google Authenticator or similar generates one-time login codes for sites you register with it. See below.
- (Inherence Factor): Biological traits, or biometrics, such as fingerprints, facial recognition, iris scans, or voice patterns.
Other Factors:
- Behavioral patterns like typing rhythm (keystroke dynamics, seldom used, too many potential problems).