Technology

How to Protect Grandma from Cyber Security Scams

Erik Service

Today’s seniors merely adopted information technology; Millennials were born in it, molded by it.  As such, it often falls to the latter generation to protect their elders from the online villains who prey on technological illiteracy.  So when Grandma mentions her new, well-heeled beau from Lagos and his tax predicament, her grandkids know that they must become the hero she deserves, before it’s too late.

The archetypal ‘Nigerian Prince Scam’ is a great starting point.  It is thought to have first been distributed using fax technology, but its origins may date back to the 19th century, when it manifested as the “Spanish Prisoner Scam” and was delivered via handwritten letters.  Fundamentally, it is a confidence trick that requires the victim to entrust a conman with something of value in return for an anticipated pay-off.   The con exploits the victim’s greed: they are expected to believe that a foolish foreigner is willing to trust them with a fortune. Inevitably, the transaction gets held up by an endless succession of fees, payable only through irreversible means such as bank drafts and wire transfers.  This extraction continues until the mark gets wise, or goes broke.   In spite of its typographical and grammatical errors, the scam has been wildly successful, and has led some poor victims to financial ruin and, in some cases, death. In 2006, a report cited that Nigerian letter scams defrauded individual victims for a median amount of $1650, estimating the value of all such frauds to be worth $198.4 million.  Today, that same market is estimated at $16 billion worldwide.



This kind of financial bamboozle has evolved in recent years.  The Guardian reported last year on a more nefarious variant, labelled the “Stranded Traveller Scam”.   In this scheme, the fraudster capitalizes on social bonds and trust between people by posing as a relative or friend in distress. It begins with a message received via email or social media, originating from an acquaintance with a compromised account.  The conman devises an intimate and personal masquerade, leveraging relevant information gleaned from online platforms associated with the hacked account to impersonate the relative or acquaintance, making the desperate-sounding pleas for cash much more difficult to ignore.   For the scammer, the ideal reaction is an impulsive act of compassion by a gullible party.

“In 2006, Nigerian scams reportedly defrauded victims of a median amount of $1650.”

I encountered this scam second-hand via Facebook.  One of my relatives made a status update on their Facebook profile lamenting how person X was stuck in location Y.  Moments later, person X’s mother expressed her surprise, as they were sitting across from one another at the dinner table on the other side of the planet.  Crisis averted.  This reaction exemplifies the best possible reaction to such an appeal:  reaching out to others for confirmation and support.  After all, nothing is lost by getting more people involved.

Interestingly, once X regained control of their email account, they discovered the contact list to be wiped clean.  Incoming messages were being forwarded to an alternate account, ostensibly to prevent efforts to warn others of the fraud that was taking place.  I once mentioned the importance of strong passwords to my own grandfather this past holiday, who expressed an unwillingness to keep and change an increasingly long list of obscure passwords.  The capacity to remember situation-specific abstracts like passwords diminishes as one gets older.  As luck would have it, there’s an app for that. Password management software acts like a locked diary: it stores the passwords encrypted on the local machine, and they cannot be read without a single authentication step, which can range from a master password to a biometric signal (e.g., a fingerprint).  There are many such products, of which the Kaspersky offering is a top contender.

“Password management software acts like a locked diary, storing and encrypting multiple passwords onto a local machine”

As the population ages and the competition for our attention intensifies, a growing contingent of seniors are becoming increasingly vulnerable to online predators who employ mediums that are as essential as they are unfamiliar.  The cognitive realities of aging are no kinder.  The brain begins to lose volume at a rate of 5% per decade after age 40 [9].  Evidence suggests that volume loss is not evenly distributed; the frontal lobes and hippocampus, broadly responsible for reasoning and learning respectively, are disproportionately affected by this change.  To make things worse, the rate of volume loss appears to increase significantly after the age of 70.   Older populations also face an increased prevalence of cognitive maladies, ranging from mild cognitive impairment to full-blown dementia.   Many such afflictions are kept secret (see ‘signs of cognitive impairment’), as they can precede a significant loss of personal agency.  Doctors can and will revoke licenses; adult children can seize power of attorney.   Combine these vulnerabilities with a large pension or nest egg, and you’re left with the profile of a mark ripe for the unscrupulous internet con artist.  Across the globe, con artists actively seek such people, and in spite of numerous campaigns to educate and litigate, scams targeting vulnerable populations persist for the simple reason that they are successful.

Phishing attacks exploit the online habits formed by frequent users who lack a healthy dose of information skepticism.   All of us are undoubtedly related to someone who enjoys sending garbage emails in the form of chain messages (send to 5 people or else…), offbeat media (10 ways to…), and wacky pics (Look at THIS dog!) to all and sundry.  The notion of a hyperlink is particularly appealing to this modern-day pamphleteer, as a simple click tells a story better than they ever could.  Adopting a similar approach, a phishing attack often encourages a user to click a hyperlink leading either to a clever facsimile of a trusted site (e.g., an online banking portal) or to the download of malicious software. The attack typically requires some form of human error, but because it is automated and widely distributed, it is capable of reaching thousands of users, of whom only a small percentage need to fall victim for it to pay off.

Encryption scams (better known as ransomware) typically begin with a hyperlink.  Using this hyperlink, which initiates the download of malware, the scammer gains sufficient control of a device to encrypt valuable data, rendering it unusable without a secret key.  After letting the victim sweat it out, the adversary reaches out, offering to decrypt the data – for a price.  The target can be institutional, such as this year’s attack on Lakeridge Health in Oshawa.  The targets can also be personal users, whose media and contacts of loved ones are held hostage for a modest payout.  One recent attack, involving malware known as CryptXXX, held a ‘holiday sale’ where personal users could regain control of their data at a ‘discount’, but only if they acted fast.  This may have been a response to a fix put out by Russia-based Kaspersky Lab, a cyber security company that cracked the encryption and provided a free decryption tool.  The company also runs a blog where security professionals and laymen alike can discuss issues of cyber security.


“A phishing attack often encourages a user to click a hyperlink… leading to a clever facsimile of a trusted site”

The first line of cyber defense is always education.  For a start, inform potential victims that service providers do not ask for login credentials over the phone or by email.  Simple modifications to a browser provide further protection: bookmarks or toolbar buttons for frequently visited websites give a vulnerable senior family member or friend a known-good way to reach those sites, so they never need to follow a link from an email to get there.
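Putting the two ideas above together (a phishing link that dresses up as a trusted site, and saved bookmarks as the known-good list), here is an added example, not from the original article, of a small checker a family member could run over the links in a suspicious email. The bookmarked domains, the link patterns and the sample message are all constructed for the example; the registrable-domain helper is a crude approximation, not a public-suffix lookup.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allowlist: the sites saved as bookmarks for a family member.
TRUSTED = {"mybank.example", "mail.example"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(host):  # crude 'last two labels' stand-in for the registrable domain
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text, trusted=TRUSTED):
    """Return the reasons a link looks like a lure; an empty list means no finding."""
    host = urlparse(href).hostname or ""
    domain = _registrable(host)
    if domain in trusted:
        return []  # really lands on a bookmarked site
    reasons = []
    for t in trusted:
        if t in href.lower():  # trusted name buried in a subdomain or path
            reasons.append(f"mentions {t} but lands on {host}")
        elif SequenceMatcher(None, domain, t).ratio() > 0.8:  # near-miss spelling
            reasons.append(f"{domain} resembles bookmarked {t}")
    shown = re.search(r"[\w-]+(\.[\w-]+)+", text)  # site named in the visible text
    if shown and _registrable(shown.group(0)) != domain:
        reasons.append(f"text shows {shown.group(0)} but link goes to {host}")
    return reasons

def scan_email(html):  # map every href in the message body to its findings
    p = _LinkCollector()
    p.feed(html)
    return {href: check_link(href, text) for href, text in p.links}
```

A link that really resolves to a bookmarked domain passes; a trusted name hidden in a subdomain, a typo-squatted spelling, or visible text that disagrees with the real destination each produce a finding.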

Data perturbation, that is, the use of phony names, addresses, and burner email addresses, is another worthwhile exercise (Ms. Makanda alluded to this practice in her May column).  This practice bears some similarity to a technique known as differential privacy, a method that Apple recently announced it would be employing to protect user privacy.  It has been my experience that creating these online alter-egos for fun and profit can be a great creative exercise that you can work on together as you educate.  The less reliable information scammers have about a person, the more likely they are to make a mistake in crafting their narrative, pulling back the curtain.

“Data obfuscation, that is, the use of phony names, addresses, and burner email addresses, is another worthwhile exercise.”

New online scams will continue to surface to replace those that people get wise to.  As the evolution of the Nigerian Prince Scam demonstrates, many of these attacks will be new takes on old hustles, such as the “Nigerian Astronaut Scam”, a hilariously ridiculous twist on an old classic.  At the end of the day, these predators are looking for the easiest mark.  To keep the cyber predators at bay, keep yourself and your loved ones informed on the latest scams, set up some basic fail-safes such as logging in to online banking only through saved bookmarks, communicate with others when receiving unusual messages, and maintain a healthy skepticism toward everything on the internet.

References

[1] https://www.nytimes.com/2014/01/05/magazine/who-made-that-nigerian-scam.html?mcubz=1

[2] http://www.historyhouse.co.uk/articles/spanish_prisoner_swindle.html

[3] http://www.ultrascan-agi.com/public_html/html/pdf_files/Pre-Release-419_Advance_Fee_Fraud_Statistics_2013-July-10-2014-NOT-FINAL-1.pdf

[4] http://www.dailymail.co.uk/news/article-2287774/Lonely-widow-Jette-Jacobs-dead-South-Africa-sending-50k-Nigerian-boyfriend-met-online.html

[5] Longe, O. B., Mbarika, V., Kourouma, M., Wada, F., & Isabalija, R. (2010). Seeing beyond the surface, understanding and tracking fraudulent cyber activities. arXiv preprint arXiv:1001.1993.

[6] https://www.cnbc.com/2017/02/01/consumers-lost-more-than-16b-to-fraud-and-identity-theft-last-year.html

[7] https://www.theguardian.com/money/2013/nov/13/stranded-traveller-phishing-scam

[8] https://usa.kaspersky.com/password-manager

[9] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2596698/

[10] http://jamanetwork.com/journals/jamaneurology/fullarticle/784396

[11] http://www.cbc.ca/natureofthings/features/ten-warning-signs

[12] http://www.econinfosec.org/archive/weis2012/papers/Herley_WEIS2012.pdf

[13] http://www.cbc.ca/news/canada/toronto/oshawa-hospital-cyberattack-1.4114758

[14] https://blogs.forcepoint.com/security-labs/merry-cryptmas-cryptxxx-ransomware-offers-christmas-discount

[15] https://noransom.kaspersky.com/

[16] https://www.kaspersky.com/blog/

[17] https://www.mindthismagazine.com/you-cant-escape-data-exhaust-but-you-can-understand-it/

[18] http://www.patentlyapple.com/patently-apple/2017/07/apple-expands-their-work-on-differential-privacy-to-safeguard-next-gen-health-record-solutions-beyond.html

[19] http://www.anorak.co.uk/428124/money/nigerian-astronaut-lost-in-space-needs-3m-to-get-home-could-be-a-scam.html/