But he keeps getting scammed. He usually recognizes it after the fact, he’ll fill out a phishing form and call me right away, “I did it again.” He always feels embarrassed. They find him through emails and text messages. He ignores many of them (I know because he tells me, “Another one came through!”) but there seem to be so many that some get him.
I had to help him with something on his phone the other day and when I went to open a new tab in Mobile Safari, I saw no fewer than six different scam pages up. Fake Amazon, fake UPS, fake credit card. It was frightening. I’m worried he’s inching towards something catastrophic like sharing bank account information. It’s also making him afraid to use technology. He doesn’t want a credit card anymore, he’s so tired of having to change the number.
I don’t know what to do. He’s found so much independence thanks to technology, he’d be isolated if he stopped using it. He struggles with the most basic user interfaces, details that I take for granted are invisible to him, so I don’t think he’s likely to learn all the tricks of scammers. I can’t look over his shoulder all the time.
Does anyone have any advice for this? Any experience?
- in iOS -> Settings -> Messages, enable "Filter Unknown Senders." Go through recent SMSes/iMessages and create contacts for short codes and numbers that he has communicated with.
This option won't block the messages, but it'll make them harder to find and make their links much harder to click on (AFAIK it's impossible unless he copies and pastes the URL or creates a contact for the sender).
- install uBlock Origin, which makes it much harder to reach the phishing scam sites that back a lot of these campaigns. They're often hosted on sites that are on malware filter lists. In uBO, enable all optional malware filter lists.
On iOS, do the same using AdGuard.
- in addition to the malware detection mentioned by others, consider enabling Google "Enhanced Safe Browsing": https://support.google.com/accounts/answer/11577602?hl=en
- for phone calls, install his carrier's robocall/fraud detection and blocking app. For AT&T, it's "ActiveArmor" (https://www.att.com/security/). If he has a landline, pay for caller ID and consider a phone that speaks the caller's ID (example: AT&T TL96273).
- depending on how his bills are paid: only put a small amount of money (a month or two of expenses) in accounts that are accessible without physically visiting a bank branch. If an account has no online access, no checks (nothing to read the account number off of), and no debit card, at least the maximum possible damage from a scam is limited. Either visit a branch once a month to transfer money or use a credit card for expenses.
Teach him to not click links in emails. Amazon wants him to do something? Easy. Go to the Amazon app. Amazon app not showing it? Maybe it was a scammer. This isn’t easy, and it isn’t foolproof. But just using the apps directly will help ensure he is interacting with the company he intends.
Make activities contextual to hardware. Buy things on the Amazon app on his phone, even if he browses on a desktop. The phone has the app, so there’s no uncertainty that this is Amazon. In a way it is less convenient, but in a way it is far more so.
Have the hard conversation. Maybe Dad needs a little extra oversight. Not because Dad is weak, but because Dad has already been strong enough to do the same for you when you were in need. (I’m being presumptuous here, apologies if that doesn’t track.) Maybe Dad needs shared accounts. Not because you don’t trust Dad. Because you don’t trust the internet, and it is a scary place.
A different way to look at it is that right now your description sounds like reactive support. Something goes wrong. You try to help. I’m not assuming you haven’t attempted proactive support, but it sounds like it might need more of it. Especially with family members, it is easy to inadvertently do too little to avoid doing too much.
Also have a small chat with him about not clicking on e-mail attachments, & not installing extensions. As an extra measure, turn on 2FA for all his accounts too.
Changed his desktop pc so his account is no longer admin (can't install software). Additionally, the websites he can visit are now allow-list only with everything else blocked.
Would he be willing and able to follow a strict rule "never give your bank account info without me"? That need should be a rare occurrence.
As for credit cards, maybe you could set up an account for him and don't even tell him the card number. Sign up for everything legitimate yourself, Netflix, Amazon, etc. If those accounts need to be updated for whatever reason, he calls you, just like with the bank.
And then if he insists that he still needs a card for one-off purchases, give him a prepaid card with limited funds, or "virtual number" that you can change. That way if it gets compromised he has a lot fewer, if any, places to change the number.
Cause they aren’t basic, only to the inside group of “UX designers”. I struggle with it every time I have to show my grandma how to do basic things on her devices. Buttons that don’t look like buttons, arrows that blend into background, icons that mean nothing, visual effects not followed by an action. This bullshit has no end.
Back to the subj. One of my concerns was to explain that nothing out there can make you lose money unless you pay explicitly. Because I see it as the only possible attack vector, like “oh, you just entered paid/illegal site, please do … to cancel”. Otherwise, she is completely aware that her cardnum/cvc/pincodes are secret and doesn’t buy ads and baits (mostly). Another great rule is to use apps only, not sites. She only goes to her bank and services through the home screen. And searches through “google” app. Browser is something she avoids. That said, I too have to turn off non-essential notifications very often. She ok-clicks away anything incomprehensible and god there’s a lot of it even in non-scam UX.
I think it’s worth to dig what drives your dad to make mistakes rather than guarding him from endless tricks. Analyze why. Some uninformed anxiety about how it all works or something like that.
Set it up on all devices + aggressively make it filter crap (there are block lists you can leverage)
Ublock + privacy badger + https anywhere
Other more extreme approaches: get him a router that has these capabilities and/or is friendly to running a custom firmware on it. Filter at router level.
Set up an always on vpn through a server you control. Filter the traffic.
That will need some fine-tuning at first (and also another device at his house) but especially with a daily update of the adlists this should prevent him from going to the most common scam URLs...
If he's using his phone on the go, maybe throw in Wireguard/OpenVPN into the mix and make sure that it connects as soon as he leaves his home Wifi...
I've done a ton of things here but the latest that has actually given me some peace of mind is setting up a financial aggregator app with all her accounts + some basic notification rules for withdrawals >$X connected to my email. Obviously this requires a lot of trust from your parent, a lot of trust in Plaid (which I hate and worry about), and doesn't fully protect against the worst cases since it's reactive not preventive. But it's felt like a good backstop at the very least.
This entire process has been so frustrating and nerve-racking that I'd happily pay quite a bit for a "digital security for seniors" service if something like that existed.
Good luck!
What I did was (a) got financial & medical power of attorney (b) got my father's long time doctor to provide me a Letter of (in)Competency which states my father cannot make financial/medical decisions on his own. That letter is ammunition for me, if I have to fight a scammer who somehow tricked my father to assign financial power of attorney to them. (c) I also had several discussions with my father's priest so in the worst case scenario, I can rely on my father's doctor and priest as witnesses if I have to go to court, file legal motions, etc.
What this experience taught me, is that when it is my turn to become senile, the best strategy is to transfer my assets beforehand as much as possible. So that the damage scammers can do is minimized.
The place to look for is certainly 'parental control' apps and set-up where you can put enough guards and notifications. More or less acting like a parent to old parent and hone on things based on their usage patterns.
Both options cost money but all the free solutions I know of would confuse or frustrate an elderly person that recently got into using computers and Gmail's spam detection has gotten significantly worse in the last few years.
I wonder if there's room for a service that does something like this; rent/buy a laptop which is locked down and has recommended extensions preinstalled, and a phone service (or maybe even in-person) when the user needs help.
I'm probably describing something that already exists, I just don't know it. Or maybe it isn't profitable at all.
Edit: May be available for free with DNS changes: https://adguard-dns.io/en/public-dns.html (I haven't tried this)
Oh the sub also comes with 1password (quite complex) and malware bytes which might stop some after the fact damage.
For email: could you maybe handle his email for him? I dunno how much he uses email.
I would set him up with a credit card with a provider that can generate temporary numbers. Or just have multiple accounts; one is a very low limit, another higher. Keep cash in one or two different bank acts, one of them just enough to pay bills.
Some wifi routers have parental controls (lol, the irony) that let you whitelist URLs. I would whitelist the common websites he uses and block all others.
I'm actually totally on board with his anger towards tech. If I didn't do tech as a living I would eliminate all my internet connections. It is just a distraction. There is so much more to life.
And lately it's the same sort of shit... My dad will get a text message on Facebook from a "friend" (usually a dead friend) and it'll say something like, "I'm Joe's kid, and things are hard since Joe died and we need some money or we'll have to pull our kid out of school..." paraphrased, but that's generally the angle people take. And the scammers will send hundreds of messages... it makes it so hard.
I'll ask, "Dad, why did you have a 200 message conversation with this person?"
"Oh, I thought they were a scammer, but you never know... and after a while they just seemed legit." Again, paraphrased. Dad can't talk for less than 30 minutes at a time. =P
So what do I do?
1) I lock his devices and home router. I turn off data on his phone so he can only make calls when he's not on Wifi. I block ads (since those can take him to sites he doesn't need to be on), and I block fake news. https://github.com/StevenBlack/hosts
2) I sit down with him once a month and delete people on his Facebook account. I want to delete the whole account... but he uses it to talk to some of his friends... and it's important for him to keep connections. That said... FUCK Facebook for not doing more to prevent scammers. On some level, there's just no way to stay clean there. We delete anyone who died, or anyone who he hasn't spoken with in 1 year, and anyone who he has had any sort of falling out with. And man... the most frustrating thing is how many of these people we delete that just keep re-adding themselves. Facebook really should not re-suggest a friend if you delete them. It's such a sticky cancer with how it operates.
3) I sit down with him once every 2-3 months and we delete everyone in his phone and make sure contacts are up to date. I tell him to never take a call from a number he doesn't recognize, and to call me immediately if there's ever any doubt.
4) I run all the updates on his computer every month. And I check for programs that he doesn't need. Dad only has "User" access on his laptop, and I've toyed with the idea of taking away his ability to install any programs... but when we did that it meant he'd call me a lot more because someone had a Zoom meeting and he needed me to run an update. It's always a cost vs. benefit analysis with restrictions.
5) I have his phone paired to an old Tablet so I can keep tabs on him... I hate that I have to do this, but he's lost over $50k in the last 10 years to scams. And it's not the money that even matters... it's how down and how he cuts off connections with everyone once he gets scammed. The last time he lost like $5k... he wrote a check and mailed it, and somehow the person was able to cash it even though they weren't the name on the check. Anyway Dad really beat himself up over that, but it's not healthy for old people to be shut-ins. They need to talk with other people every day or the risk of dementia goes through the roof...
6) While not a perfect protection... we keep like $2k in his debit card, and we don't use credit cards. He has protections on his debit card from his bank, and that way he's got minimal exposure to online spending and credit card fraud. We just transfer over money every month from his savings / retirement accounts. And now that Dad is in his 80s, I mostly manage those for him.
7) I love for him to interact with people. Every time he goes to the dog park or gets out and meets a new friend... I'm happy and I want him to have conversations with people. But fucking hell, I swear 90% of the people who want to talk to the elderly are scammers. And at some level too... Dad doesn't mind being scammed if someone is willing to talk to him for 30 minutes... just listen to his stories. That's the hardest part. I tried hiring a nanny, just a local kid who was a baby sitter... to go and talk to him. It was OK. I tried Better Help, and tried to find a shrink that would work with him and not tell him she was a shrink... not be so overt about the whole process, but that was a disaster. Once Dad found out it was a "mental health" related call he got really mad... past generations don't have good opinions on that sort of thing. It's hard... I don't have a great solution. I got Dad a personal trainer, and a maid, and a nanny... and between them he has enough random people to talk to every week. He looks forward to it, and that helps him avoid being lonely and talking to scammers online I guess. I don't know, it's sad and it's hard.
8) I try and go grocery shopping with him, so that way random people don't "offer to help" and then hit him up for payment. One other thing I noticed is that Dad literally has no concept of money. On one hand, "Candy bars cost a nickel!" and on the other, "Oh that Uber ride to the VA at peak hours just cost you $155..." or "The dentist wants $8,500..." and like... it's hard to have any sense of what things should cost. He doesn't want to be seen as cheap, so if someone drives him to the grocery store he normally gives them like $100... and then, if that person is shady they'll start offering to drive him other places... and like I said I don't know the answer here, at some point he will need to be put in a home away from people. It's hard. Right now he lives in an apartment near me, and there are all ages there. He isn't sick, he walks 5-10 miles a day with his dog... he's active, likes to go dancing, but he's just so SO very lonely. Desperate for anyone to talk to... but he can't hear, and he only wants to talk about things he's an expert in, and only to people who want to listen to him with a lot of respect... so it's hard. The moment someone scoffs at a story, or doesn't just sit attentive and focused... Dad will get mad. He just wants to be relevant, and he's not. Right? Like that's the core problem is how do you gracefully allow yourself to be comfortable with not being relevant? All of his friends are dead. Most of his knowledge is really old. It's all part of the dying process I guess, but it sucks. And I'm sure it'll suck for me too if I ever get that age.
9) Dad has coverage through the VA -- and just real quick, we're all so screwed if we don't fix health care. The only thing that makes any of this possible is that it's "free" and there aren't insurance companies sending bills... I can't hardly deal with my insurance companies now, and if I have to do this when I'm 80... well, fuck... I'm sure I'll just not bother going. It's all so damn complicated. I have no clue how much money something will cost -- and while that's "ok" for me now, for someone on a fixed income that would be debilitating. I just don't know... I feel like we're all really sunk if we don't get health costs under control in the US. It's a total shit show.
10) "Use the app" -- fuck this for the elderly... every time someone is like, "Please use this call system, that changes the volume every recording..." (those just blow out his hearing aids) or someone tells him to "download an app to book an appointment!" I want to scream. Accessibility issues are real, especially for the elderly. And nobody takes any of it seriously. His phone uses 250% font size. Guess what apps work? Like none. And still everyone wants him to use an app. I hate it. I end up installing all the apps for him on my phone and just doing it for him.
11) Fuck all the people who sell data about the elderly. Looking at you, American Airlines. Not 30 seconds after I booked a flight where I requested "Sky Cab" (the golf cart service) they called him to offer him some sort of emergency medical alert device, that comes with a monthly service fee. AND they told me it was "to help with your upcoming flight" -- Dad totally would have bought this if I hadn't gotten the call. And this sort of shit is all over... it's not just people scamming the elderly, it's all these shitty companies. Highly recommend using your phone number for a few months to get a feel for what it's like for the old folks. It's really bad out there to be old. Any sort of predatory advertising to the elderly... I wish I could just zap the people doing it in the balls. It shouldn't exist. Makes me so mad... and like I said, it's all over. The scammers sales people know where to find data on who is old, and AI is just going to make spotting the real messages that much harder.
That was a rant, sorry... this shit is hard. And I wish it wasn't.
And... don't get me started on how child care has a tax break, but elder care doesn't. And how shitty workplaces generally are about taking time off to help elderly parents, vs. someone just calling in, "My kid is sick." I don't want things to be harder for parents with kids, but I do want things to be easier for adults who take care of their parents. It's all just really shitty and a ton of work. Dad has PT once a week, and he had some other health issues that were once a week... and let's be honest... my boss at the time was a real See You Next Thursday about me taking time off to help Dad, meanwhile she never gave anyone flak for cutting out early to have to pick their kids up from school. Having older parents who need a hand... it all just sucks. But it beats the alternative.
My dad's Yahoo account was 90% spam. As somebody who gets maybe one message a year miss my filters, I found it really alien looking at a wall of drug and investment scams.
Possibly go one further and find a provider that only allows a whitelist of senders, that you can manage for him.
And per the other comments, a good ad blocker. Again, the raw internet feels pretty alien to anyone using a good blocker.
Follow up question - how are we going to keep ourselves safe in the future? What are you putting in place now to help your future self be ok?
Credit card, ID, passport and so on
Just tell him to not give these and it should be fine
In the specific case of credit card, when buying stuff online one might give them but if he keeps getting scammed, better to either not buy online or check with you before buying
- uBlock Origin [0] in every single browser in every single computer in the household. This is non-negotiable in my opinion. It's the single best deterrent of scams and malware you can set up for anyone.
- NextDNS [1] as the router DNS, as the system DNS for every device, and as the DNS for every browser. This allows you to control more blocklists remotely for your father if he finds any issues. It also provides dynamic DNS-level blocking through AI and heuristics, along with the usual blocklists.
- Not used to macOS, but you likely can set up the user account to not be able to install applications (i.e. no root), this should help a lot. Using macOS or Linux is a huge win in security, simply due to distribution repositories or the app store being way more secure than downloading random EXE files from the internet.
- You will not manage to get him to use a password manager, or at least won't get him to use one correctly, so set up SMS 2FA in all of their accounts. "SMS? Isn't that insecure?", well the truth is that they will have awful passwords, you won't be able to change that, and they won't bother with TOTP codes, so SMS 2FA is the next best thing. SIM swaps shouldn't be in their threat model.
-- Regarding password managers, you may be able to set one up to autofill, change password to generated ones, set up TOTP in the password manager. However, the big thing is to not expect your father or anyone else to actually bother with the password manager when creating new accounts. If you do set it up this way, tell them about it, educate them on how to use it, but make sure to nail on your father's head to NEVER type a password that's in the password manager, and instead always rely on autofill. If you're not sure which password manager to set up, take a look at Bitwarden [2] (FOSS) or 1Password [3] (which I hear is very simple for "normal people").
- Regarding credit cards, tell them to set up strict spending limits. I'm not in the US, so I don't know how's the situation there regarding virtual credit cards, but I personally choose to create a new credit card for every purchase I do. If your father has any subscriptions they have to pay, you could help him set up these virtual credit cards and assigning them to different services. Don't even take note of the password, the only use they should have is to be cancelled, you shouldn't use them to spend on anything else.
- Regarding phone security, set up caller ID and maybe even block unknown callers. For caller ID I personally have them set up with a Samsung phone which ships it by default, I'm also aware in the US some carriers may provide that service to you for the landline too apart from an app in the smartphone.
- Last, but not least, set up an email client or email service which is excellent when it comes to blocking spam. Gmail ain't it, unfortunately. I can't give you many pointers regarding this though because I'm not sure how often email will be needed nor what applications exist for macOS email clients, so you'll have to search more on this.
Overall, these are the tips I'd give, so you can get started. Be aware this won't solve all issues, but it should make your life and your father's life orders of magnitude easier. Best of luck and godspeed.
[0]: https://ublockorigin.com/
[1]: https://nextdns.io/
- a proxy app of some sort to bundle communications w/ family (with you firmly MITM to verify).
- run a few of the scam email texts by an LLM. See if it can flag them accurately. If yes, you can ~automate the review.
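
Added example, not part of any post in this thread: several replies recommend hosts-format block lists (such as the StevenBlack list linked above) and others an allow-list of the few sites he actually uses. The Python sketch below compares the two decisions on the same links; every domain, the sample list and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample in hosts-file format ("<sink address> <hostname>").
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 parcel-redelivery.example   # trailing comment
0.0.0.0 login.card-verify.example
"""

# Hypothetical allow-list: the handful of sites the person really uses.
ALLOWED_SITES = {"amazon.com", "ups.com", "mybank.example"}

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "0.0.0.0"}

# Constructed links of the kind that arrive by SMS or e-mail.
SAMPLE_LINKS = [
    "https://www.amazon.com/orders",                     # genuine site
    "http://parcel-redelivery.example/track",            # already on the list
    "https://amazon.com.account-check.example/signin",   # new lookalike
    "https://ups.com@parcel-help.example/",              # real name before '@'
]


def parse_hosts(text):
    """Return the set of hostnames a hosts-format list sinks."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def hostname_of(url):
    """Host the browser would really contact (text before '@' is ignored)."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def on_allow_list(host, allowed):
    # Allowed if it is a listed site or a true subdomain of one.
    return any(host == site or host.endswith("." + site) for site in allowed)


def decide(url, blocked, allowed=None):
    """Block-list mode when allowed is None, otherwise allow-list mode."""
    host = hostname_of(url)
    if not host:
        return "block"
    if allowed is not None:
        return "allow" if on_allow_list(host, allowed) else "block"
    # Hosts-format lists match exact hostnames only.
    return "block" if host in blocked else "allow"


def compare(links=SAMPLE_LINKS):
    """Rows of (host, block-list decision, allow-list decision)."""
    blocked = parse_hosts(SAMPLE_HOSTS)
    return [(hostname_of(u), decide(u, blocked), decide(u, blocked, ALLOWED_SITES))
            for u in links]


if __name__ == "__main__":
    for row in compare():
        print("%-40s blocklist=%-6s allowlist=%s" % row)
```

The block list only stops the link it already knows about; the two lookalike links pass it and are stopped only in allow-list mode, which is the trade-off behind the stricter setups described in the thread.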