It's the most wonderful time of the year ... for scammers 😖

The holiday season is in full swing, and unfortunately so are the scammers.  I wish I could visit more community centers to help seniors and other more vulnerable groups.  It is shameful for scammers to target seniors (you will grow old one day too, dip s*).  It is frustrating to see people, especially seniors, keep getting scammed, compromising their identities, personal information, safety, and savings.  

Old-school scammers used to be easy to identify, and some are still spamming low-effort scams from email accounts, complete with hideous typos and low-quality images.  However, we now have to deal with more sophisticated scammers with high-quality images, realistic-looking fake websites, spoofed email senders, etc.   It is extremely challenging to help others avoid being the next victim.

1.  Too much time, too little to do
We know not to open or read spam emails.  Who has time for it anyway? Bingo!  No matter how many times you warn them not to open or click on unknown emails and links, seniors keep opening them anyway.  They think 'Let's see what kind of scam it is' or 'I've lived long enough to know what is real or fake.' One after another, and by opening those emails they have also notified the scammers that the account is active and worth trying.  Given the high quality of the email content and images, plus a convincing spoofed sender, the next victim could be any of us.   Asking seniors to review raw messages (or the original message in Gmail) is nearly impossible.  The font of a raw message is very small and the text is unstructured, making it extremely difficult to read and understand.  I recently investigated one of the Google account recovery scams, claiming that someone with an unknown Gmail address had successfully been verified as the account's recovery contact ('Your Google Account was recovered successfully').  

The original message showed that SPF, DKIM and DMARC had all passed.   How could that even be possible?  Something wrong with Gmail, or did someone manage to use a Google Workspace setup with SPF, DKIM and DMARC configured for spoofing?  Contact Google? (You are so cute!) Frankly, I would have a hard time identifying such a scam if the user had not already set up 2-factor authentication.  It means nobody could (theoretically speaking) have logged into the account without a secondary verification, usually your mobile device, a text or an email verification, followed by a new-device sign-in alert if someone indeed tried or had successfully logged into your account.  The 'goal' of this scam was to make the potential victim panic and click the link to take what they thought was a corrective action, so that their personal and financial information could be extorted further.
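To make the point above concrete: SPF, DKIM and DMARC passing only tells you that the mail really came from the domain named in those checks, and nothing stops a scammer from registering a look-alike domain and configuring all three correctly for it. The real question is whether the domain those checks vouch for is the brand's own domain. Below is an added example (not part of this post, and not a Google tool) that parses the Authentication-Results line from a raw message, reads which domain each method vouches for, and compares the visible From domain with the expected brand domain. Both raw messages are constructed samples, and registrable_domain is a deliberately naive helper that assumes no multi-label public suffixes such as co.uk are involved.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail, not Google's). Both messages carry
# "pass" for SPF, DKIM and DMARC; only the second is from the brand's own domain.
LOOKALIKE_RAW = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@account-recovery-alerts.example header.s=sel1;
       spf=pass (sender 203.0.113.5 is permitted) smtp.mailfrom=bounce@account-recovery-alerts.example;
       dmarc=pass (p=NONE) header.from=account-recovery-alerts.example
From: "Google" <no-reply@account-recovery-alerts.example>
To: someone@example.com
Subject: Your Google Account was recovered successfully

Review the recovery here: ...
"""

GENUINE_RAW = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@accounts.google.com header.s=sel2;
       spf=pass smtp.mailfrom=3abc@accounts.google.com;
       dmarc=pass (p=REJECT) header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: someone@example.com
Subject: Security alert

A new sign-in ...
"""

# What each method vouches for: (result, domain). The patterns follow the
# Authentication-Results header syntax of RFC 8601.
AUTH_PATTERNS = {
    "spf": r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]+@)?([^\s;]+)",
    "dkim": r"\bdkim=(\w+)[^;]*?header\.[id]=@?([^\s;]+)",
    "dmarc": r"\bdmarc=(\w+)[^;]*?header\.from=([^\s;]+)",
}


def parse_auth_results(value):
    """Map method -> (result, authenticated domain) from one
    Authentication-Results header value."""
    flat = " ".join(value.split())  # unfold the continuation lines
    found = {}
    for method, pattern in AUTH_PATTERNS.items():
        m = re.search(pattern, flat, re.IGNORECASE)
        if m:
            found[method] = (m.group(1).lower(), m.group(2).lower().rstrip("."))
    return found


def registrable_domain(domain):
    """Naive organisational domain (last two labels). Assumption of this example:
    no multi-label public suffixes such as co.uk are involved."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess(raw_message, expected_org_domain):
    """Did SPF/DKIM/DMARC pass, which domain do they vouch for, and is the
    visible From domain really under the expected brand's domain?"""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Only trust an Authentication-Results line stamped by your own mail provider;
    # a line that arrived inside the message from elsewhere could be forged.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    all_pass = all(auth.get(m, ("none", ""))[0] == "pass" for m in ("spf", "dkim", "dmarc"))
    return {
        "all_pass": all_pass,
        "from_domain": from_domain,
        "vouched_domains": sorted({d for _, d in auth.values()}),
        "from_expected_brand": all_pass and registrable_domain(from_domain) == expected_org_domain,
    }


if __name__ == "__main__":
    for label, raw in (("look-alike", LOOKALIKE_RAW), ("genuine", GENUINE_RAW)):
        print(label, assess(raw, "google.com"))
```

Run against the look-alike sample, `all_pass` is true and yet `from_expected_brand` is false: every check vouches for account-recovery-alerts.example, not google.com. That is the line to show a worried senior: three green "pass" results say nothing about who the sender is until you read the domain next to them.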

When receiving an email that seems to come from Google with such a sophisticated spoof, it is difficult not to fall for the scam, especially when panicking.   As advised, never click on any links from unknown email senders.  But wait! This is from Google! Yes, even Google.  Do not click any links; instead, log into your account directly and review your account information:

a.  Click your icon in the upper right and click 'Manage your Google Account'
b.  Click 'Security' on the left of your screen to review the recent security activity of your account.  At this point, you should know whether someone other than yourself accessed your account, and from what device
c.  Check the 2-step verification setting, which should be turned on.  If not, set it up now!  You will need either a mobile phone number or a second email account as the second step of your verification.  We recommend Microsoft or Google Authenticator (i.e. an RSA-style token without a stand-alone device) for general users.  It seems 'techy' but it is pretty simple to set up by scanning a QR code.  The RSA token is the old-school industry standard, but seniors may not be able to enter the code fast enough before the token refreshes every 60 seconds.  Hence, a text message may be a better option, which their mobile devices can dictate to them.  
d.  If you received a similar scam email about account recovery, check 'How you sign in to Google' and review the 'Recovery email' and 'Recovery phone number' information.  
e.  For peace of mind, we recommend changing the password immediately, even after you have reviewed all the information and activity and nothing seemed fishy with your account. 

2.  Feeling lucky or special
An 80-year-old lady complained she was 'scammed' by Macy's.  She felt special for being 'chosen' to receive a special offer from Macy's: a set of expensive cookware for free (they sure knew their demographic! but very likely the email account had been compromised at some point).  She had been 'scammed' by Amazon years ago, and it was also a set of cookware (same old tricks).  She showed me the website; the URL was clearly a spoof but the content was impressively realistic.  I would not be able to tell the difference at a glance without checking the URL or the page source.  The old lady felt very special as a 'chosen winner' even though she did not need another set of cookware.  To make matters worse, she filled in her information, including her credit card number, on the spoofed website, but did not click 'confirm' at the check-out.  She told me the transaction was caught by the credit card company and did not go through.  The old lady thought she was very smart for not confirming the payment, but was unaware and did not understand that her information had already been sold and widely distributed on the dark web the moment she entered it.  She even said 'I deleted the history.' (Kind of burn-after-reading.  It does not work that way, ma'am.)  Having lived long enough to survive wars and pandemics, it is difficult for them to accept they have been victimized by some low-life rando (of course they are not randos but organized crime).  Most victims stay quiet (feeling stupid) and in many cases refuse to take actions such as canceling the card and getting a new one issued.   They believe the bank will take care of them (banking service, the good old days) and/or do not want to go through the hassle of waiting for and getting a new card.  
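On the 'the URL was clearly a spoof' point: what counts is the host the browser actually connects to, not whether the brand name appears somewhere in the link. Here is an added example (not from the original post, and not Macy's or anyone else's tool) that takes the real link target (hover over or copy the link rather than trusting the text shown) and reports the real host and whether it sits under the brand's own domain. The links are constructed samples, and registrable_domain is a naive helper that assumes no multi-label public suffixes such as co.uk are involved.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample links (not from any real campaign). The brand name appears
# in every one of them, but only the first is actually hosted under macys.com.
SAMPLE_LINKS = [
    "https://www.macys.com/shop/cookware",
    "https://macys.com.holiday-winner.example/claim",
    "https://www.macys.com@claim-prize.example/confirm",
    "http://203.0.113.9/macys.com/offer",
]


def registrable_domain(host):
    """Naive organisational domain (last two labels). Assumption of this example:
    no multi-label public suffixes such as co.uk are involved."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def connected_host(url):
    """The host a browser would actually connect to. urlsplit().hostname drops the
    scheme, any user@ prefix, the port and the path, and lower-cases the result."""
    return urlsplit(url).hostname or ""


def is_brand_link(url, brand_domain):
    """True only when the link's real host sits under the brand's own registrable domain."""
    host = connected_host(url)
    try:
        ipaddress.ip_address(host)
        return False  # a bare IP address is never the retailer's storefront
    except ValueError:
        pass
    return registrable_domain(host) == brand_domain.lower()


def explain(url, brand_domain):
    """Small report for showing someone why a link does or does not belong to the brand."""
    host = connected_host(url)
    return {"url": url, "real_host": host, "brand_link": is_brand_link(url, brand_domain)}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(explain(link, "macys.com"))
```

The `real_host` field is the one worth printing out and handing over as a hard copy: for the second link it is holiday-winner.example and for the third it is claim-prize.example, even though both start with the letters macys.com.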

3.  Loneliness
There are many seniors who live alone for different reasons.  They are vulnerable and find it very difficult to break the ice with technology.  Some decided to stay away completely, using a land-line and having no internet access at home, yet fake AI calls still got them anyway.  Some decided to learn just enough to talk or text with their grandkids online and reconnect with family and friends.  There are also fearless rebels who intend to stay current, which is how the trouble started.   We should encourage our seniors not to be intimidated by technology, but how can we protect them from these fast-paced and sophisticated scams?

Many seniors do not like to be told what to do (ditto!), so reminding them repeatedly not to do this and that goes nowhere.  Instead, we encourage seniors to show us what they received, what they had seen, or what happened (guess we solve a bit of their loneliness inadvertently).  When we replied, whether remotely or in person, we always provided multiple screenshots and step-by-step instructions, highlighting the different areas to explain and noting what to watch for.  The older generation feels more reassured when they can write things down, print things out and keep hard copies.  You may feel quite environmentally unfriendly, especially since most information is available online.  However, you need to adopt their ways and go with what works for them.  Since they initiated the conversation, there was no ice to break, just a chat, and they were willing to learn more (or chat more, from their perspective).  

As the holiday season approaches, email accounts will be more active: connecting with friends and family, more online holiday purchases, catching holiday deals and sales.  Please pay attention to your seniors for any signs of unusual behavior, such as not wanting to turn on the computer, check emails or answer phone calls, anxiously checking for packages or refusing to accept packages, visiting their bank frequently (which is not necessarily a bad thing, but a sign something may have happened), etc.  You can always find help and training through community colleges and community centers.  Drop me a note if you have trouble finding local resources.