How to Protect Yourself from Scammers

Yesterday I posted a reply on this discussion, but I really feel that scam prevention as a whole might be best separated and emphasised in its own topic.

This is a topic that I'm very passionate about so forgive me if my zeal gets in the way of the message, but my fellow Cheapies, I'm sure you'll all agree that the only thing better than saving a heap of money on a great deal is not losing a heap of money to a scammer when you might have.

So rather than getting lost in the comment section of another post, I'm reposting my comment here for discussion:

With all the news recently and the TVNZ Nigel Latta doco coming out, I have had some discussion with my son and wife about scams. They both have, I suppose understandably, got the message from the media that to protect yourself you simply "Don't click links". While it's a nice soundbite, sadly I feel that's the wrong message and it won't appreciably stop people being scammed, it'll just slow the scammers down a little until the next wave hits.

So what's the key message that should be getting out there? Three words: VERIFY, VERIFY and VERIFY.

1) Independently verify that the person who called you or sent you X is who they say they are. Don't trust anything they have given you until you do: don't click their link, don't call the number they provided, don't give them anything and don't do what they say. It doesn't matter if the message looks like it came from them, and it doesn't matter if you recognise the voice on the other end of the phone. If they are asking you to do something risky then STOP and VERIFY. Somewhat counterintuitively you should especially take time to verify if there's a sense of urgency involved.

2) VERIFY that websites you are using to enter sensitive details (logins, etc) are legitimate before you type a thing.

3) If you are making a legitimate substantial transfer (say paying a supplier or putting down a house deposit) VERIFY through two independent channels that the recipient is correct. Don't just "trust" the trust account details that your supplier/lawyer has just sent. Call them on the number from their website (and again, don't click a link in their email to get to their website!) and get them to read it out to you.

Let's have a discussion: what else do you do to keep your hard earned coin from going to scammers? What experiences have you had? What can business and government do to prevent scams?

Comments

  • As per my post(s) in the other thread, I completely agree that you need to verify.

    If you get called by anyone at all, you need to somehow verify their authenticity (displayed phone numbers can be faked), which is why it is crazy for your bank or the IRD (for example) to ever call you. The fact they might say to call them back after verifying the number still gives credence to the possibility that you could get called by them in the first place, especially with people that are more likely to be a bit clueless.

    Everyone needs to take personal responsibility for their actions, and think about the implications not only for themselves of being lazy / thoughtless / selfish, but also for those around them if / when they get scammed.

    Many scams are using greed (of the victim) to try and scam them (pretty much all investment scams for example), so curbing your greed, and taking the time to think through what you are doing with your money is always a good idea.

    What do I do to avoid getting scammed: Just be cautious about anything I get, whether online or not, and authenticate the other party at all times.

    What experiences have I had: I've never been scammed myself. I have some experience of fraud, albeit mostly in corporate settings, as I used to do fraud investigations for corporates who thought (or knew) they had been defrauded by employees.

    The world has always been this way, nothing has changed - there were scammers around thousands of years ago, and there will be forever. It is only the medium of communication that changes.

    • "I guess you need some IT knowledge to detect scams"

      Not really - you just need to be careful to always go to the site yourself, ensure that you have a valid certificate (perhaps the most technical thing), and ensure that the device / browser you are using is clean, which means not being stupid in the first place.

      "I just can't believe how come people don't recognise real bank websites."

      That's a bit harsh - many people could make a perfect copy of any website, so I don't think you should place any reliance on 'recognising' a real bank website against a fake one as it won't necessarily help you.

      If you get any malware at all, you should always wipe the machine completely, and re-install the OS and all apps from scratch. Personally, I do this on my machines twice a year or so, but that is to keep them running smoothly as much as anything, and once you are in the habit, it is really just something you can do over a weekend (I try to aim for Easter and the Labour Day long weekend) without too much hassle.

      Device security is everything:

      If your device or browser is compromised, then obviously all bets are off. You could correctly go to the real website address and get a secure connection, but once a machine is compromised, nothing at all you are seeing is necessarily real, including the results of malware scans, file listings - anything could be altered before being displayed to you.

        • Faking website addresses is trivial, especially if your device or browser is compromised (or indeed potentially any other device on your network).

          The analogy with a physical street address is not particularly useful, in that it is easy to recognise a physical location, whereas you could be seeing (www.westpac.co.nz) in your browser address bar and not be there at all, even if the site you are seeing is a perfect copy of Westpac's actual website.

            • @acrobat: Not sure how that is relevant to the address showing in your browser address bar?

              With email, the only thing you can generally rely on, is the last hop (IP address) before it was received by your server (assuming your mail server is secure). Almost everything else can be easily faked.

              Also, whether a single example of a dodgy email was 'well executed' by a potential scammer tells you nothing about how well any other potential scammer will do in that, or any other, regard.

              Amazing that was your 'first scam email' - I have been getting them almost continually since around 1997 or so, and if you count 'joke' emails when people were faking things to their friends saying they were from someone famous, then from 1990.

            • @acrobat:

              "your point is indicating the third tip is not helpful"

              Not sure which tip that was - perhaps you could more explicitly reference it, but as I said above:

              With email, the only thing you can generally rely on, is the last hop (IP address) before it was received by your server (assuming your mail server is secure). Almost everything else can be easily faked.

              For example, the sender of an email is completely trivial to fake.
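Added example, not the commenter's code: a short Python script that, for a constructed sample message, separates the one Received: header our own server wrote (the last hop, with the connecting IP) from the From: and Return-Path: lines, which any sender can set to whatever they like. The receiving server name mx.ourcompany.example and all domains and IPs are constructed placeholders.

```python
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Constructed sample, not a real message. From: claims a bank, but the topmost
# Received: header (written by our own server; every hop prepends its own line)
# records a different connecting host and IP. Everything below it is hearsay.
SAMPLE = b"""Received: from mail.bulk-sender.example (unknown [203.0.113.45])
\tby mx.ourcompany.example (Postfix) with ESMTP id 4XyZ
\tfor <user@ourcompany.example>; Mon, 1 Jan 2024 10:00:00 +1300
Received: from alerts.mybank.example (alerts.mybank.example [198.51.100.10])
\tby mail.bulk-sender.example with ESMTP; Mon, 1 Jan 2024 09:59:58 +1300
Return-Path: <bounce@bulk-sender.example>
From: "MyBank Security" <alerts@mybank.example>
To: user@ourcompany.example
Subject: Urgent: verify your account

Please click the link below to verify your account.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract claimed sending host, connecting IP and receiving host from one Received: header."""
    flat = " ".join(value.split())  # unfold continuation lines
    host = re.search(r"^from\s+(\S+)", flat)
    by = re.search(r"\bby\s+(\S+)", flat)
    ip = IP_RE.search(flat)
    return {"from_host": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None}


def analyse(raw, our_mx):
    """Return the trustworthy last hop into our_mx beside the forgeable sender fields."""
    msg = message_from_bytes(raw, policy=default)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted = next((h for h in hops if h["by"] == our_mx), None)  # the hop we logged
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return_path_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return {"from_domain": from_domain,
            "return_path_domain": return_path_domain,
            "last_hop_host": trusted["from_host"] if trusted else None,
            "last_hop_ip": trusted["ip"] if trusted else None,
            "untrusted_hops": len(hops) - (1 if trusted else 0),
            "sender_mismatch": from_domain != return_path_domain}
```

The only fact in the result that our server established itself is last_hop_ip; the bank-looking second Received: line and the From: address were supplied by whoever connected from that IP.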

                • @acrobat:

                  "If dhl.com is in my browser's address bar, and you're saying I might not be there at all."

                  Yes - that is exactly the issue, most especially if your device or browser is compromised, or if another device on your network is compromised (especially your router).

                  "I'll say luckily those scammers do not have the ability to fake email addresses and URLs."

                  If only that were true, but it is not - scammers most definitely have that ability.

        • You also need to make sure your own device is secure, including from threats on your own network if you don't have complete control over everything thereon.

      • "If you get any malware at all, you should always wipe the machine completely, and re-install the OS and all apps from scratch."

        I disagree. There are many ways to check for and remove malware. Malwarebytes AdwCleaner, for example…

        Most ordinary computer users have NO idea how to wipe their machine and then reinstate it to a usable state.

        As for doing this twice a year to keep your machine running well, again probably 90% of owners wouldn't have a clue, and it's superfluous. A quick once-over by a tech once a year will be of great help if you want the device to be running in good shape. Think of this like a WOF for your PC…

        • Good for you - at least you won't whinge when you get taken to the cleaners, as you have made an 'informed' decision for yourself, and knew the risks.

  • +1

    Everyone should go and watch Jim Browning on YouTube, guy is a legend.

    We see this shit all the time at work; some emails are so close to real that you have to take a magnifying glass to the headers to actually tell they're fake. We've spent many hours increasing our email security to help with the increase in attacks. A recent one contained 3 registered .com domains with the recipient's full name followed by 1 or 2 random characters in the body of the email, very targeted and intentional.

    You're right, vigilance is the key here: be wary of anyone claiming or offering anything, and of everything that comes out of the blue. Using a password manager, rotating your passwords, never giving out your MFA codes, using biometrics, etc. go a long way to protecting one from most attempts.

    Even just enabling MFA and not just relying on credentials goes a long way.

    Cool post, hot topic at the moment, and awareness is important.

    • Definitely. He and Mark Rober teamed up to take down some Indian scam call centres, a good watch. And for a more humorous scam baiter, check out Kitboga.

      And yes, good password management is essential. I don't pay for much software, but 1Password is one that I consider essential. MFA and biometrics wherever they are supported is also really important.

  • +1

    "Don't click links" is a good start, another summary I'd like to see is - what are the ways that you can lose money/something to a scammer in NZ?

    Because a common question seems to be "I wondered if it was a scam, but how would they get anything from me?"
    And in the USA they still have the fake cheque scam and many people seem to be unaware that their bank will clear funds from a cheque and later reverse that money as fake.

    So what happens in NZ?

    • Passing on any verification code that was sent to your device - could give access to some account of yours. (Really sites/apps should stop sending sms codes for anything without a full header of what the code is for).
    • Sending any intimate photos to someone online - Scammers can be very good at pretending to be someone, or may steal and use a convincing real account to contact you
    • Transferring any money deliberately somewhere without verifying it as legitimate - postage/delivery or insurance fee website, fake crypto apps etc, or convincing investment scams
    • Revealing personal details, generally over the phone I guess
    • In general, being 'sent' more money than you were expecting, or receiving it earlier than would make sense, such that they can get you to send or pay the excess somewhere else

    What else?

    • So true, that would be a great summary to get across!

  • +1

    The banking text scams seem to be most prevalent at the moment, but some others that I have heard people fall victim to:

    • Text from a random number that says 'Hey Mum/Dad, my phone is broken and this is my new number' - with the intent for the victim to guess it is one of their children. Several fake texts down the line they will start asking for money. My Dad fell for this :/

    • Facebook Marketplace is an absolute hive of scams. Always ALWAYS pay/accept cash on collection, NEVER bank transfer or anything else. Common scam I have seen is seemingly genuine well-priced game console (e.g. Nintendo Switch) that just so happens to be in a location several hours drive away from a city (e.g. Hanmer Springs to Christchurch) and that they are 'happy to post' - you'll bank transfer the money and never see it again.

    • Trade Me has similar scams going - a decent account gets compromised and the scammer uses it to post a well-priced Buy Now of a Nintendo Switch + games, immediate payment by bank transfer required, and then they're off with the money. Can be hard to spot; if a deal seems too good to be true, check to see when the account was last active, and any 'immediate payment or I relist' instructions are a major red flag.
