Why Smart People Still Fall for Fake Messages – and How to Protect Yourself

Thinking up passwords is a chore. Two factor authentication is complicated. And hacking and data breaches? They’ll never happen to us. That’s for the biggest of the big companies. Wrong on all counts. The practice of securing passwords, accounts and devices is straightforward and easy. It’s also vital. Not just at work, but at home, too. We are all connected – like a global game of six degrees of separation – and the bad guys count on you being the weak point that will help them go wherever they want. This 10-minute episode looks at why we feel it is such a chore, and what we should all be doing right now to patch up the security holes that affect us all.
Listen to the podcast at our podcast host, Blubrry.com, or find it on your platform of choice, including iTunes, Spotify, Amazon, Audible, iHeart, and YouTube.
Transcript
Just a couple of days ago, I received a text from my 75-year old mother. It read literally as follows: “I just received a message from Netflix saying an error had occurred during my last payment. Please verify you [sic] payment method by following this link. I followed the link, but it is asking for information regarding my credit card. Do you think this is a scam?” She followed up with a second text where she highlighted the fact she noticed the grammatical error of “you” instead of “your.” Of course, I texted her back immediately and told her this was a scam. “You didn’t click on anything did you?” I asked. “Yes,” she replied, “but I only entered my email address and password. Was that OK?”
Hello and welcome to CoolTimeLife. I’m Steve Prentice. Each of our CoolTimeLife podcasts focuses on a topic dealing with people, productivity, technology, and worklife, and each offers ideas and facts you need to know about to thrive in today’s busy world. An index of our episodes is available at cooltimelife.com under the podcast link.
So, I spent the next hour on the phone with my mother, showing her how to change her Netflix password, and admonishing her gently once again about the danger of clicking on these types of messages.
Why does this continue to happen? Why are people still being seduced by stories of too-good-to-be-true crypto scams, or text messages and emails that appear to be from people who know you? Why do people click on badly written notifications of frozen bank accounts, missed courier shipments or random “Hi, how are you?” messages? Or AI-generated familiar voices claiming “I’ve been in an accident” or “I’ve been arrested”? And why is the most common password in use still PASSWORD123?
It’s because criminals are getting progressively more sophisticated while honest people generally are not. But that’s not our fault.
Bad guys relentlessly and actively focus on devising new ways to steal. That’s their primary occupation in many cases. But ordinary people have other pressing matters to attend to. Emails. Meetings. Groceries. The kids. Phishing and deepfakes are distraction crimes, and people have too many things occupying their minds whereas the bad guys do not. It’s still easy for these messages to slip through our wariness no matter how badly they are spelled because people don’t have their guard up.
I had a fascinating chat recently with an ethical hacker who goes by the name of FC – he is famous for physically breaking into buildings and banks at the request of the company president – basically a real-world pentester. He said, quite simply, you can’t blame people for falling for scams like that. We are built to react to danger, and for almost all jobs, we have been trained to click on links. That’s what email is all about. It is exceedingly difficult to un-train that kind of thing, he said, and it is unfair for organizations to blame people and call them the weakest link. The system has to change, he said, because people can’t.
Anyway, back to my aged mother, and all the people of the world who she represents. As much as cybercrime relies on the deception of the moment, there is also the notion of trust. My mother comes from a generation in which there was some degree of trust based on a common and more localized culture. In the 1960s and 1970s, before voice mail and robocalls, it was likely that anyone who called your home phone already had a direct relationship with you. To answer it was a common courtesy. And this is another tradition that is now exploited by scammers every day.
Their motivations are obvious. Everything leads to quick money, whether it’s the obvious, like credit card numbers, commodities like data that can be used for hacking, or straight up extortion like ransomware.
We all know that, but still so many people simply dismiss the threat or go blissfully unaware that a threat even exists. “My company is too small to get hacked,” you might say. Or “I’m just a junior employee, I don’t have anything of value,” or “I don’t have the time for this,” or “I work from home,” assuming that would not make them a target. Consequently there seems to be little in the way of personal motivation to get strict on password management or cyberhygiene when the stakes appear to them to be so low. It is common for people who hate changing passwords to oblige and change their passwords when prompted by IT, only to change them back to their old one a few minutes later.
Every company and person is connected to every other company and person through the internet. As a criminal, I could easily pair up a common password, like Password123, with low-tech approaches such as researching your mother’s maiden name on Facebook to correctly answer a challenge question. I always remain incredulous when I see so many smart people announce their birthday on LinkedIn. I have to assume they’re smart enough not to use their real birthdates. This is raw hacking data, waiting to be collected. Every additional piece of personal data that a thief can steal from an organization – a home address here, a challenge question answer there, a medical record – all pull together to form a stronger and clearer collection of pieces of data about you, and also about people connected to you, which is basically anyone and everyone.
Complacency. Ignorance. Optimism. These are dangerous things to have when all of your security is at stake.
Even though you personally are obviously not a hospital or a nuclear power plant, a simple infected document inadvertently sent to an HVAC contractor – a contract for some work at your house, for example – can easily infect the contractor’s own systems. If this contractor’s next job is working on the HVAC system at a nuclear power plant, the infection propagates. Yes, these large places have extensive IT and cybersecurity resources, but it’s always a cat and mouse game, as the frequent stories of data breaches related to third-party vendors will attest.
When was the last time you changed the password on your home Wi-Fi router? Do you know how much your home assistant software, your phone, or your new big screen TV are listening to you? Do you know how easy it is for hackers to gain access to your new smart doorbell or nannycam – not only to steal data but to listen in and, in some cases, communicate with family members?
Your Password Manager
What brand of password manager are you using? Most people will look blankly at you when you ask them that question. To me that’s like someone saying, “What’s Ebola?” Basically, as the expression goes, if you’re not part of the solution, you are part of the problem. And yes, Ebola can happen anywhere.
So, a lot of gloom and doom here? No, not really. So much of this is eminently preventable. Criminals might be everywhere, but they are also very lazy. They want the easiest way to break into something, and basically, you are it.
One of the easiest ways to do this is to ensure the sanctity of your passwords by using two strong tools: a password manager and Two Factor Authentication.
A password manager is a software app, like LastPass or Sticky Password, that generates passwords for you. These are long strings of characters, numbers and symbols that you could not possibly memorize and that bad actors could not possibly guess. Every time you log on to a website that requires a login, the app will help you generate a password or replace the existing one. It will never create duplicates. Where do these passwords get stored? Not on your computer, and not on the servers at the app itself. Not even in transit on the wires of the internet. The password only reappears when you, as a logged-in user of the password manager, go and visit a page where a password is needed. The password manager sends an encrypted message to an encrypted file on your computer, and only then will the actual password reconstitute itself from its encrypted state. It’s a little like alchemy and is more involved than the way I describe here, except to confirm that your passwords do not actually get stored anywhere. They get scrambled, like scrambled eggs, and will only reappear when your circumstances allow it.
The point here, as with much of what I write and speak about, is that the technology and techniques for effective cybersecurity exist. But it’s people that get in the way. Yes, it’s a hassle having to change your password every two weeks, but there’s a reason why that has to happen, and an app like LastPass makes it easy and effortless, and much more secure.
The same applies to Two Factor Authentication, or even Multi Factor Authentication. This technique is becoming just as vital as password management software since it broadens your defenses by an order of magnitude. In short, Two Factor Authentication, or 2FA, requires a second password sent to a second physical device that only you have. In most cases, that is your phone.
Whenever you are given the opportunity to use 2FA, take it. Yes, the few seconds of delay required waiting for the passcode to appear on your phone is worth it. It’s like putting a deadbolt on your door.
Why is Cyberhygiene so hard?
Cyberhygiene is hard because it demands two things of you: time and comprehension. In an age of instant satisfaction, a delay of mere seconds can be enough to make an online consumer abandon a shopping cart, or happily ignore the warnings and log on to public WiFi unprotected, or click “accept” on every cookie warning that every website now presents. I mean, have you ever read the terms of those things? Of course not.
Secondly, learning how to create secure passwords has a perceptual barrier. It appears difficult so it is passed by.
It is easy to assume that as an individual you are too small, too insignificant to be of interest to a cybercriminal. But you would be wrong on two counts. Firstly, your personal data, including name, address, social security number and everything else, can be used by thieves to open credit card accounts, buy houses, or create fake identities to be used in an infinite number of ways. Second, you, I, and everyone else are connected to everyone else in a global game of six degrees of separation, meaning we all become conduits to security breaches and crime at even the largest and highest levels.
If you want to boil it down to three simple rules, I would propose these three.
1. Use a password manager for everything that you connect to, including home devices.
2. Never answer the phone unless you know who it is. Phone scammers need you to answer.
3. Never click on any link that comes to you through email, even if it looks legit. If it’s something that might be a real transaction, go to the source directly – log in to your account through the website and password you have on hand, but never through the email itself.
Cyberhygiene is both a learned physical skill and a mindset, and both are vital to your existence online and off. Just like stopping off to get gas for your car, it’s something you have to do in order to keep going.
Thank you for visiting. Do you have comments or thoughts about this episode? Feel free to get in touch through our Contact page.
Keywords: cybersecurity, email scam, social engineering, Nigerian prince, password, cybercrime, phishing, cyberhygiene