How scammers reach you

Typically in our region scammers reach you via a phone call or a fake website. Phone calls usually pretend to be from a service provider of some description, i.e. a bank, Netflix, NBN, Telstra, Microsoft or Apple. Usually people report the scammer had an Indian accent. Everyone usually says "Oh they were so convincing".

The fake websites are a bit trickier. When you open your web browser the first page you see is your homepage. Often this homepage is a "news provider" like news.com.au. The trouble with these news providers is that they sell ads to just about anyone, including scammers. The bad ads link to the scammer's site, which looks like a (usually scary) system error message. The page is meant to induce panic and contains a 1800 number for a quick, easy fix. The 1800 number leads to one of the call centres described earlier. From there on the process is the same as if you had been called by the scammer.

What happens next

Once the scammer has you on the phone they try to convince you to download their remote control software, which lets them "drive" your computer. Once it is installed the scammer can do anything on your computer that you can do. The next step is to try to gain access to your bank account.

Would you like to save that password?

Normally when you sign up to a service on the Internet your browser asks you if you'd like to save the password, and I think this is a bad thing. I think you should never save your password; however, it's just so damned convenient that I don't blame you for saving it. Password management is a big problem.

How to manage your passwords

How you manage your passwords depends on how tech literate you are. If you're not at all tech literate then I advise keeping a password book. Every time you create or change a password you write it in your password book and put a date next to it. If you're replacing a password, cross out the old one, but not so heavily that you can no longer read it.

If you are tech literate then consider using a password manager like KeePassXC. Password managers still represent a single point of failure, but they have some very useful features, like generating ridiculously secure passwords.

Password guidelines

If you're generating your own passwords the rules are:

  1. Don't use names
  2. Don't use real words
  3. Do use a mix of uppercase, lowercase, numbers and other characters
  4. Never use the same password twice

Don't use names or real words

If you get scammed or "hacked" (not the same thing), often the scammer already knows your name. If your name is Glen and your password is Glen1 then that's super easy to guess. You have to remember that the scammer is not just a human; they use technology to assist them, and some scammer tools calculate potential passwords based on known information about you. You're a human and you behave like a human, in a completely predictable way.

Use a mix of characters

I'm not sure how pertinent this advice is anymore, because I don't think there are too many sites that will let you get away without following these rules. One of the techniques that hackers use to gain access to passwords is a "dictionary attack". A "dictionary" in this sense is just a large list of possible passwords to try. The more complicated your password is, the less likely it is to appear in one of these dictionaries.

Never use the same password twice

If you count how many services you have signed up for over the years you might get a surprise. A cursory glance at my list of saved passwords adds up to about 200. You may have more or less. The problem is that not all the sites you have signed up to have stored your password in a safe manner. Some sites store passwords in plain text. If the site gets hacked, it's likely the hacker has your name, email address and password for that site. With that information they will then try to access other sites with the same details. The obvious candidates are your email, bank account and Facebook.
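To make the four rules concrete, here is an added example (my own illustration, not code from the article) of a small checker that applies them to a password the way a defender would vet one: it reduces each password to the word it was built from (undoing the "Glen1" and "P@ssw0rd" style decoration a guessing tool would also undo), then flags names, dictionary words, a poor character mix and reuse across a saved-password list. The dictionary, the "facts a scammer might know" and the saved-password list are tiny constructed stand-ins, and the length check goes slightly beyond the article's four rules.

```python
import re

# Constructed sample data (not from the article): a tiny stand-in for the huge
# word lists used in dictionary attacks, and a few facts about a hypothetical
# user "Glen" that a scammer might already know.
DICTIONARY = {"password", "welcome", "summer", "dragon", "football", "letmein"}
KNOWN_ABOUT_USER = ["glen", "1984", "rover"]  # name, birth year, pet

# Undo common letter-for-digit/symbol swaps: 0->o, 1->l, 3->e, 4->a, @->a, $->s
LEET = str.maketrans("0134@$", "oleaas")


def base_form(pw):
    """Reduce a password to the word it is built from, the way a guessing tool
    would: strip decoration at either end and reverse the usual swaps, so
    'Gl3n1!' and 'Glen1' both reduce to 'glen'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def check_password(pw, known=KNOWN_ABOUT_USER, dictionary=DICTIONARY):
    """Return a list of rule violations (an empty list means it passes)."""
    problems = []
    core = base_form(pw)
    if any(k in pw.lower() or k in core for k in known):           # rule 1
        problems.append("built from a name or fact a scammer may already know")
    if core in dictionary:                                          # rule 2
        problems.append("a dictionary word with predictable decoration")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:            # rule 3
        problems.append("fewer than three character classes")
    if len(pw) < 12:                                     # beyond the article's rules
        problems.append("shorter than 12 characters")
    return problems


def find_reused(saved):
    """Rule 4: map each password used on more than one site to those sites."""
    by_pw = {}
    for site, pw in saved.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed stand-in for a browser's saved-password list
    saved = {"email": "Glen1", "bank": "Glen1", "shop": "P@ssw0rd", "forum": "xK9#vQ2m!tR7pL"}
    for site, pw in saved.items():
        print(site, pw, check_password(pw) or ["ok"])
    print("reused:", find_reused(saved))
```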

If you want to see if any of the sites you've signed up to have been compromised, check out haveibeenpwned.com.

What if you've already been scammed or hacked

You really should call someone to go through your computer with a fine-tooth comb and dig out any problems. You may even have to have your computer completely wiped and set up from scratch. You'll have to change all your passwords, especially if they've been stored on your hacked device. Your bank should be notified, as they will need to block access to your cards and account and issue you new cards.

Two factor authentication (2FA)

Scary term that shouldn't be. It's a great security enhancement: basically, every time you go to use a service a code gets sent to your phone as well. That way a hacker has to have access to your computer as well as your phone in order to access your service. Don't get me wrong, this is still possible, but really hard. There are other forms of 2FA that are even better but more complicated. If you're interested, learn how to use an authenticator app like Google Authenticator on your phone (Android, e.g. Samsung, or Apple).

Time is the fire in which we all burn

It's my intention to improve upon this article as advice changes over time. It's like trying to hit a moving target. I will add, alter and correct advice as is prudent, so check back from time to time. If you have any questions or comments feel free to contact me.