About

This is a simple guide to help protect you and the people you care about from common online scams.

This guide is broken into the following sections:

• Preventative Steps to Take Now
• Recovering from an Online Scam
• Additional Resources
• Helping out this Project

Preventative Steps to Take Now

Online scammers continue to evolve their tactics to take advantage of individuals but there are a handful of preventative steps that can be taken to help limit exposure of the people you care about from scams.

1. Raise Awareness
2. Artificial Intelligence Scams
3. Install a Web Browser Ad-Blocker
4. Enable Multi-Factor Authentication
5. Use a Contemporary Email Provider
6. Manage and Use Passwords Securely
7. Block Incoming Phone Calls That Don’t Have a Contact
8. Practice General Secure Computer and Phone Hygiene

Raise Awareness

🟢 Low Difficulty Level

One of the best ways to help protect against scams is to raise awareness about the dangers out there. Talk to your loved ones about the most common types of scams today and let them know how they typically work. These include a scammer calling or emailing about these topics:

• Outstanding bill that needs to be paid for a service immediately
• Unsolicited message about wanting to get into a romantic relationship
• Impersonating a loved one

Two good rules of thumb are:

1. If you personally don’t know an individual or are not expecting to be contacted about this topic, don’t engage with them.
2. If you have never used or heard of a product or service before then you don’t owe them money.

If you are skeptical about the interaction try to gather the name of the individual contacting you and a case or service number. Then search online for the official website of the organization to find a posted phone number or support email address to reach out to. If this person is calling from a bank, your credit/debit card will have an official phone number on the physical card.

The Consumer Financial Protection Bureau [1] and AARP [2] have good lists of common scans that are a good read to help drive a conversation. During that conversation it would also be good to review common phishing scams, which the Federal Trade Commission has a good walk-through [3].

[1] https://www.consumerfinance.gov/ask-cfpb/what-are-some-common-types-of-scams-en-2092/

[2] https://www.aarp.org/money/scams-fraud/

[3] https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

Artificial Intelligence Scams

🟢 Low Difficulty Level

With the rise of Artificial Intelligence (AI), the scam landscape is rapidly evolving and scammers are using this technology for bad intent such as cloning voices of loved ones [1]. One way to help prevent such attacks is to create a “safe” word with your loved ones. If there is questionable interaction not in person, you can verify that the other person in the discussion is who you think they are by confirming with the “safe” word. Ensure not to share this word with anyone!

[1] https://www.npr.org/2023/03/22/1165448073/voice-clones-ai-scams-ftc

Install a Web Browser Ad-Blocker Extension

🟡 Moderate Difficulty Level

Lots of times scams can come from ads throughout the internet. Installing an ad-blocker in their web browsers helps to reduce that attack surface for scammers. If possible, try to install an ad-blocker on all of the web browsers available to the device, not just their default browser. The most trusted ad-blocker is uBlock Origin which can be installed for all browsers but there are other alternatives as well.

• uBlock Origin
• Privacy Badger
• Ghostery

Enable Multi-Factor Authentication

🟡 Moderate Difficulty Level

Multi-factor authentication, also commonly known as two-factor authentication, is key for ensuring that if account credentials are compromised (e.g. scammers manage to use or guess a password) then it will be harder for a bad actor to get access. Nowadays all major websites have some form of MFA available but there is a handy website called 2fa.directory that aggregates websites where you can enable MFA.

There are multiple different forms of secondary authentication methods so choosing one is better than none. Below are the most common methods in ranked order, beginning with the most secure, of these methods.

1. Hardware security token such as a YubiKey or Titan Security Key
2. Time-based one-time password (TOTP)
3. SMS and email tokens

Use a Contemporary Email Provider

🔴 High Difficulty Level

While it is still common to utilize email addresses provided by telecom companies like Comcast or SBC Global or ones provided by an employer or school, it is a good idea to migrate to a more modern provider like Gmail, Outlook, or Apple mail. The benefit is not having an email tied to a specific service that might change in the future. This future proofs you when there is a physical move to a new city or change of employment. This is also introduces an opportunity to have a clean start and reduce the spam messages that are most likely being sent to an old email address.

There are reasons to keep the old email address around, specifically if there are old accounts and contacts points that need to be kept. However, that email can be regularly monitored for those sorts of messages while the day-to-day messages can be migrated to new email address.

Manage and Use Passwords Securely

🟡 Moderate Difficulty Level

While “secure passwords” means different things to different people, the Cybersecurity & Infrastructure Security Agency (CISA) has three straightforward tips [1]:

1. Try to use at least 16 characters in a password
2. Either make them totally random characters or use passphrases
3. Do not reuse passwords across different accounts

A couple more things to emphasize with your loved one is to never share any passwords with anyone else. No-one from a reputable organization will ever ask you for your password.

[1] https://www.cisa.gov/secure-our-world/use-strong-passwords

Use a Password Manager

🔴 High Difficulty Level

Nowadays there is a class of tools called password managers that as the name suggests, help manage passwords. As these tools become more common at work and at home you can have a family plan where you can also help share login information and passwords across groups trusted of people. A couple of options include:

• 1Password (Paid)
• Bitwarden (Paid)
• Keepass (Free)

Block Incoming Phone Calls That Don’t Have a Contact

🟡 Moderate Difficulty Level

One of the best ways to protect against spam calls is to just block all calls to your loved one’s cell phone if there isn’t an existing contact.

Blocking calls has the potential to impact daily life in ways that might be unforeseen. There are legitimate scenarios where a phone number not saved as a contact in their phone should be able to get in contact with them. For example, a doctors office who is trying to get in touch about an appointment or a financial institution checking in on a transaction.

• iPhone’s & iOS Devices
• Android Devices

Practice General Secure Computer and Phone Hygiene

🟡 Moderate Difficulty Level

It is a good idea to do a regular cleanup of computers and phones.

1. Review all installed apps and remove any that are unnecessary or suspicious
2. Ensure that a passcode or passwords to access the actual device are setup
3. Apply operating system patches and update to the latest version. Enable automatic updates where possible. If updates are not possible then it might be time to get a new device
4. Update all of the installed apps to the latest versions
5. Install and run Malwarebytes Adware Cleaner and Malwarebytes to cleanup any potential malicious programs

Recovering from an Online Scam

If you believe that a loved one is actively being scammed online, the FTC has a very good guide [1] for reference. Immediate steps that you can take include:

1. Ask them to turn off or unplug their computer. Typically, a scammer will request some sort of remote access. Turning off the computer is the best way to stop the connection that allows the scammer access.
2. Call their banks and let them know this is happening so they can freeze accounts
3. Warn them to not interact with any additional phone calls, emails, or text messages that may come

These are critical steps to try and stop the scammers in their tracks.

[1] https://consumer.ftc.gov/articles/what-do-if-you-were-scammed

Next Steps After a Scam

After the immediate risks have been mitigated it is time to try to recover from this scamming incident. One of the key steps is to empathize with the victim in this scenario. They are probably feeling very self-conscious right now and have a wide range of emotions. The least you can do is go in with a good attitude, not shame them, and try to uplift the mood, if possible, especially if this is their first incident.

1. Reset all passwords for critical accounts and enable MFA
2. Search for Installed Remote Software
3. Review Email, Phone Calls and Text Messages
4. Review Browser History and Disable Notifications
5. Cleanup of Computer

Reset All Passwords for Critical Accounts & Enable MFA

For all banking, email, and other critical accounts it is best to immediately reset all account passwords and enable MFA where possible. It is difficult to track down what they might have had access to and for what period of time if there was a remote software tool involved.

Search for Installed Remote Software

This is the primary way that a scammer will gain access to a computer of a victim. There are many free tools that are used and can be installed very easily. While these are legitimate tools, they can be used maliciously.

Below is a list of tools for desktops and links for how to uninstall them.

• TeamViewer
• Splashtop
• AnyViewer
• Zoho Assist
• LogMeIn Rescue
• ScreenConnect
• AnyDesk

Review Email, Phone Calls and Text Messages

By reviewing these sources of communication with the victim you can understand the potential impact or intentions of the scammer. Review all emails that may have come from a bank or money transfer tool like PayPal to see what was exactly stolen. Also review phone calls and messages on the victims phone, if that was used to communicate with the scammer, to gather more information.

Review Browser History and Disable Notifications

To try and “replay” the attack it is a good idea to review the browser history of all of the victim’s installed browsers. This way you can try to piece together a story and potentially determine any other accounts or actions that might need to be taken. Also, a common way to persistently try and scam individuals is by using browser notifications [1] to send alerts to the victim in an attempt to get them to click/engage with the scammer. It is best to review those as well.

Review history:

• Chrome
• Firefox
• Safari
• Edge

Review notifications:

• Chrome
• Firefox
• Safari
• Edge

[1] https://www.malwarebytes.com/blog/news/2019/01/browser-push-notifications-feature-asking-abused

Cleanup of Computer

While you are doing cleanup it is a good time to go through and review all of the installed apps on the victim’s computer. It is also a good idea to run a cleanup tool.

1. Review installed apps and remove any that are unused or suspicious
2. Install and run Malwarebytes Adware Cleaner and Malwarebytes
3. Install all operating system updates and updates to other primary tools like Adobe Acrobat Reader and Microsoft Office

Additional Resources

There are tons of great resources out on the web to use to help protect your loved ones and other individuals from scammers. Here is a short list of what’s out there to review:

• FDIC - Avoiding Scams and Scammers
• AARP - How to Keep a Loved One With Cognitive Decline Safe From Scams
• USA GOV - Scams and fraud
• Meta - Scam prevent

Helping out this project

If you have any feedback, suggested changes, or just more curious about this project head over to its Github page. We will continue to update and improve this website so please check back again.