Alison Giordano just wanted to help out a friend, but instead, she almost lost her Instagram account.
The scam was pretty sneaky: A friend messaged Giordano (who, full disclosure, is a friend of mine) on Instagram asking if she could help her win a contest. The friend would send her a text with a link, and all Giordano had to do was take a screenshot of the text and send it back to her friend. Giordano did as instructed. Moments later, she got an email from Instagram saying someone logged into her account from a different location on a different device.
A screenshot that causes your account to be hacked sounds like a lower-stakes but higher-tech version of The Ring, but what happened to Giordano is actually quite simple. There was no contest, and the text didn’t come from her friend. Giordano’s friend (or, almost certainly, someone who took over her friend’s account and was pretending to be her friend) went to Instagram’s password reset page and requested a reset link for Giordano’s account. That prompted Instagram to send a text to Giordano with a link to access her Instagram account. The URL of the link was in the text, so when Giordano took the screenshot and sent it back, the scammer simply entered the URL in their device, and that let them access Giordano’s account — no password or supernatural curses necessary.
Fortunately for Giordano, she saw Instagram’s email almost immediately and was able to get back into her account before the scammer took it over. She blocked her friend’s account, changed her password, and enabled two-factor authentication.
“I was just very naive and trusting,” Giordano tells me. “I felt pretty stupid when all was said and done.”
She shouldn’t have. The Instagram messages came from what appeared to be a friend, and Giordano’s other friends have asked for her help with (real) social media-based contests in the past, so of course she didn’t think much of it. She certainly didn’t think sending a screenshot could compromise her account. Until we spoke, she didn’t even know how it happened — it took me a while to figure it out too, until this tweet warning about this kind of scam clarified things. If Giordano hadn’t seen that email from Instagram, her account might have been lost to her forever, probably going on to try to scam all of her friends.
We’d like to think that scams happen to other people who aren’t as smart or savvy as we are. Many people who get scammed believe this, which is why the vast majority of them will never report it: Either they don’t know they were scammed or they’re ashamed to admit that it happened to them.
But it could happen to anyone, including you.
“The reason why these scams work is because some of them are good,” Yael Grauer, content lead for Consumer Reports’ Security Planner, tells Vox. “Even though I think education is important, there’s a reason social engineering is a thing. You can’t be perfect and on guard all the time.”
Scammers prey on our biggest fears and strongest desires. They get better all the time, so it’s worth your time to learn how to recognize their tactics. The mediums scammers use may change, but many of the underlying strategies stay the same — which means the recommendations for how to protect yourself from them do too.
Don’t panic …
When I got an email saying there was a new login to my Twitter account from Moscow, my initial response was abject terror (My checkmark! My DMs! My reputation!). At first glance, the email looked a lot like the login confirmation emails that Twitter actually sends. Even the email address it was sent from was very close to the one Twitter uses for such notifications. I admit that I almost clicked on the account restoration link. Then the adrenaline wore off, and I realized that the email came from “twitter-act.com” and not “twitter.com.” It was sent to my work email, which isn’t attached to my Twitter account, and it had a typo. Most importantly, I remembered that some of my co-workers had gotten similar phishing emails only a few days before. I actually knew to expect this one, but all of that fell out of my head for a few seconds — which was exactly the point.
“It’s really, really hard for us to access logical thinking when we’re in a heightened emotional state, and it’s so hard to get out of that state once you’ve engaged,” says Kathy Stokes, director of fraud prevention at the AARP. “If you feel an immediate sort of visceral, emotional reaction to something coming your way, try to let that be your red flag.”
Scammers know that emotions make their job easier. People get careless or let their guard down, which is why so many scams start with urgent messages asking you to do something immediately: dispute an erroneous charge on your Amazon account, fix your hacked social media account, avoid being arrested by the IRS police by settling a bill that for some reason can only be paid off in gift cards. In almost every case, a legitimate message doesn’t need you to respond within the next 30 seconds. So take that 30 seconds to calm down and think before you click anything.
… and don’t engage
If you get a message or call you weren’t expecting from someone you don’t know, the best thing to do is ignore it. Even what appears to be a perfectly innocent wrong number text could be something more insidious: someone trying to scam you by starting up a conversation. I’ve gotten a few of those wrong number texts, and while I’d like to think they kept texting me back because of my sparkling wit and impeccable conversation skills, that almost certainly wasn’t the reason.
“Someone texts something important enough for you to tell them it’s a wrong number and suddenly they’re like, ‘You sound like a great person,’” Grauer says. “For the most part, it’s almost always a scam.”
Find your meet-cute somewhere else.
That’s especially true for the texts and calls you know are scams. You may think it’ll be cathartic to respond to those by cursing out the people who are trying to steal your money, but the best thing you can do is block the number and move on with your life. Engaging with a scammer tells them your phone number or email address has a real person on the other end of it, which will only set you up to get more texts and calls and emails.
“The basic rule of thumb is simply hang up, and call whatever enterprise you think called you directly,” Alex Quilici, CEO of robocall-blocking software company YouMail, explains. For example, if your “bank” calls, you should hang up, find the number of your bank on your debit card (or another official source, like its website), and call that number back. “That’s the 100 percent safe way to deal with the issue.”
Even better is stopping scam calls and texts from reaching you at all. Phone companies now offer free spam-blocking services, which can identify and stop potential scam or spam calls. Some services can block potential spam texts: iOS devices have built-in text filters, and Google’s Messages app can warn you if a text seems suspicious.
Don’t give out your password
This should be obvious by now, right? Clearly not, since it’s believed that 90 percent of cyberattacks are the result of successful phishing schemes, where a hacker or scammer tricks victims into thinking they’re a trusted or known source to give their sensitive information to. Some are better than others. I’ve seen some knowledgeable people in my own life fall for email-from-your-employer attacks (they clicked the links, but I hope they all stopped short of giving out their passwords).
That’s why most businesses will tell you that they will never ask for your password, and authentication texts will usually say something like “[Company] will never ask you for this code.” Also, you should really stop using two-factor authentication with texts, which are much less secure — use an authenticator app instead. Google makes a popular one for both iOS and Android.
Scammers love to use social media to find victims, too. If you’ve ever so much as tweeted the word “hack,” you’ll get a series of what I like to call Twitter Scam Reply Guys, who will usually recommend that you contact someone they claim to know who can get your account back, as long as you give them your login credentials and/or pay them (don’t do this).
Know where links are taking you
A common way people get hacked or scammed is through malicious links, often in their email, texts, or DMs. Always check where a link is taking you before you click on it, and only go to websites you trust. That’s easier said than done, of course; it can be hard to see where a link is directing you on a smaller mobile device, and shortened link services may make it impossible to know where you’ll end up. If you get a text from FedEx about a package delivery with a link, for example, you may not realize that the website it’s sending you to isn’t FedEx.
The best thing to do is go to a company’s website directly, rather than through a random link in a text you weren’t expecting in the first place. If you get a text that claims to be FedEx or Wells Fargo, go to FedEx.com or WellsFargo.com; don’t click the link in the text. And definitely don’t enter any of your sensitive information — like your credit card, social security number, or your password — on a site if you aren’t absolutely sure that it’s the site you think it is.
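The “where is this link really taking me” check described above, and the twitter-act.com lookalike from the phishing email earlier, can be made mechanical. The script below is an added example, not code from the article or from any company it mentions; the sample links and sender address are constructed for illustration, and the shortener list is an assumed starting point, not a complete one.

```python
"""Check whether a link or sender address really belongs to the domain it claims to."""
from urllib.parse import urlparse

# Constructed sample inputs modelled on the article's examples (not real messages).
SAMPLES = [
    ("https://twitter.com/i/flow/login", "twitter.com"),
    ("https://twitter-act.com/restore", "twitter.com"),                    # lookalike name
    ("https://twitter.com.account-check.example/restore", "twitter.com"),  # trusted name used as a subdomain
    ("https://twitter.com@account-check.example/", "twitter.com"),         # trusted name in the user@ part
    ("http://bit.ly/abc123", "fedex.com"),                                 # shortener hides the destination
    ("https://www.fedex.com/tracking", "fedex.com"),
]

# Assumed, partial list of link shorteners whose real destination cannot be read from the URL.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def hostname_of(url: str) -> str:
    """Return the lowercase host the browser would actually contact, ignoring any user@ prefix."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def belongs_to(host: str, trusted: str) -> bool:
    """True only if host is exactly the trusted domain or a subdomain of it.

    Plain substring matching would wrongly accept twitter.com.account-check.example."""
    trusted = trusted.lower()
    return host == trusted or host.endswith("." + trusted)


def check_link(url: str, trusted_domain: str) -> str:
    host = hostname_of(url)
    if host in SHORTENERS:
        return "unknown: shortened link, destination hidden"
    if belongs_to(host, trusted_domain):
        return "ok"
    return f"suspicious: goes to {host}, not {trusted_domain}"


def check_sender(address: str, trusted_domain: str) -> str:
    """Same rule applied to the domain part of an email sender address."""
    domain = address.rpartition("@")[2].lower()
    return "ok" if belongs_to(domain, trusted_domain) else f"suspicious: sent from {domain}"


if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(f"{url:55} -> {check_link(url, expected)}")
    print(check_sender("notify@twitter-act.com", "twitter.com"))
```

A shortened link is reported as unknown rather than safe, which matches the article’s advice to type the company’s address yourself instead of following it.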
Be very careful with payment apps
Overpayment scams — when someone sends you more money than you were expecting and then asks you to give them back the difference — have stood the test of time. Once it was paper checks and wire transfers. Payment apps have made it even easier.
In fact, peer-to-peer payment apps like Venmo, Zelle, and Cash App have made a lot of scams easier because it’s fairly seamless to send money through them, and those transfers are instantaneous. There’s a reason why those apps tell you over and over again to be sure that the person you’re sending money to is who you think they are: Once your money is sent, you often can’t get it back. These services don’t have the same protections as, say, a credit card or, in some cases, PayPal.
One example of how scammers exploit these apps (and human decency) is to send money to random accounts (like yours), then claim they sent it to the wrong person and ask you to please send the money back. Being nice, you send the money back, only to later discover that the money that was sent to you came from a stolen credit card. Now you have to pay it back — all of it.
If you’re the recipient of extra or unexpected funds, don’t just send the money back to wherever it came from, even if the sender gives you a convincing sob story for why you should. The best thing to do is contact the payment app and deal with the matter through them, rather than directly with whoever sent you the money.
There are ways to protect yourself to a certain extent on these apps. Most will give you a way to verify that you’re sending money to the right person by confirming their email address or phone number first. Use these safeguards. Consumer Reports suggests connecting your peer-to-peer payment apps to a credit card instead of a bank account, as credit cards have more protections for fraudulent transactions. If the app won’t protect you, your credit card company might, though most payment apps make you pay a 3 percent fee on credit card transactions.
It’s also a good idea to put a PIN code on those apps, so even if someone gets into your phone — say, if they ask to borrow it to make an emergency call — they can’t get into your apps and send your money away. This will add an extra step to using your payment app, but an easily remembered four-digit PIN takes about a second to enter and could save you a lot of money.
Don’t use crypto
Even in the best of circumstances, crypto is a loosely (or barely) regulated market that’s as volatile as it is hard to understand. That has helped make it a prime target for scammers and hackers. The decentralized aspect of crypto may be part of its appeal, but it’s a lot less appealing when you check your wallet one day and discover all your apes are gone. Maybe you’ll get lucky and OpenSea will freeze trading of your stolen NFT in time, or Coinbase will reimburse you if your crypto was stolen through its own security flaw. But don’t count on it.
“The advice I give people is that if you don’t understand how it works, don’t get involved in it,” Sean Gallagher, a senior threat researcher at Sophos, says. “Considering that many people who consider themselves educated about crypto still manage to get scammed, it’s probably not a good idea for most people to get into cryptocurrency investing.”
While crypto is relatively new, many people are getting scammed through some of the oldest tricks in the book. Stokes, of the AARP, says she has seen “a ton” of scams where someone gains a victim’s trust and claims they can help invest their money in crypto for a big return. The Federal Trade Commission recently reported that consumers lost $1 billion to crypto-based fraud between January 2021 and March 2022, with most of those losses coming from bogus investment scams — and most of those came from social media posts or ads. And those are just the losses people told the FTC about; again, most people don’t report being defrauded. These days, it’s easy enough to lose money in “legitimate” crypto investments. Why make it even riskier?
Protect yourself from yourself
One way to avoid getting scammed is to preemptively protect your accounts from your mistakes as much as possible. If Giordano had two-factor authentication on her Instagram account, the scammers wouldn’t have been able to get into it through the URL — they’d need the code from her authenticator, too.
There are a few ways you can protect your accounts from getting hacked, including setting up two-factor authentication and using different passwords for everything via a password manager. You can lock things down even more by using hardware authenticators and anti-malware software, which you can get for mobile devices too.
“That’s what security software is supposed to do,” Mark Ostrowski, head of engineering at cybersecurity company Check Point, says. It should protect you from “a lapse in judgment or if the scam is really, really, really, really good.”
At a certain point, your security measures might feel like more trouble than they’re worth. I have to admit, things were easier when I didn’t have to juggle my password manager, two different authenticator apps, and text messages for the accounts where authenticator apps aren’t available. But I’d rather have to take an extra step to log into an account than go through getting hacked and (temporarily) losing $13,000, like I did that time hackers got into my bank account. You never know who has your password or how they got it.
“There’s an ongoing usability versus security thing where it’s not fun, it’s time-consuming, it’s annoying,” Grauer, of Consumer Reports, says.
It’s up to you to decide where the balance between usability and security should be, keeping in mind what you would lose if someone took over your accounts. After that, all you can do is try to keep these tips in mind, hope for the best, and not be too hard on yourself if you fall victim to the worst.
“Having a healthy paranoia, I think, is important,” Ostrowski says, before confessing that even he has slipped up and clicked on a few links he shouldn’t have. “I hate to admit it, but I think everybody has, right?”
Source by www.vox.com