Hooked 2.0: How Scams are Evolving & How to Avoid Them

Like most readers who've spent some time online, I've seen my fair share of scams. However, a few weeks ago, a friend sent me a screenshot of a phishing email that his friend received, and this one was surreal to read. It started off by addressing the friend by name, then followed up with “I know that calling [their phone number] or visiting [their home address] would be a convenient way to have a chat with you in case you don't take action.” Despite not being my phone number or address, I could feel my anxiety spiking. Just for good measure, the email went on to include some technical jargon like “RDP” and “Pegasus spyware,” things that any average person can Google and verify are real – which might result in a panicked non-expert ascribing validity to the email itself.

Scams are getting really good.

The Damages

In order to understand why any of this matters, we have to backtrack a bit. I'd say at least half of my job as an educator in the privacy space is convincing people why anything I say matters. Scams are probably the easiest sell, but just in case you're not convinced, here are a few statistics:

In 2023, there were more than 2.6 million reports of fraud in the US, totaling over $10 billion in losses. (Source) These numbers have risen steadily every year, impacting more and more people – though interestingly, the amount of losses has risen far faster than the number of people impacted. (Source) That means while the number of people impacted is slowly rising each year, those people are losing more and more each year. As another interesting note, while people ages 34-44 tend to get scammed more often, people ages 18-24 tend to lose more in scams (Source). This counters the idea that only tech-illiterate old people fall for scams, or that you can be too poor to be targeted.

It's critical to note that these are only reported numbers. The actual numbers are likely far higher. People may feel disincentivized to report scams for a wide range of reasons: they might feel ashamed or foolish for having fallen for one, or they may believe that law enforcement is unable to help them.

The damage isn't always monetary, though. Some scammers may coerce sexually explicit images or videos out of a target and then blackmail them to keep the content secret. In a previous blog post, I covered a scam in which the scammer claims to be underage so as to blackmail the target for being an alleged sex offender. As noted, many people who fall prey to scams feel a sense of shame, which may impact their mental health, relationships, or even jobs. Employees who fall for phishing attacks (which one could argue is a type of scam) may get fired for their lapse in judgement. In a few extreme cases, some targets have lost their life savings or felt so embarrassed, they've taken their own lives.

Scams can be serious stuff.

Recognizing Scams

In order to avoid falling for scams, one first has to know how to recognize the signs of a likely scam. While some scams can be incredibly tricky to identify and avoid, they almost all have a few consistent hallmarks in common:

First, most scams are unsolicited. Very rarely will you call into your doctor or tech support and get scammed – at least, in this sense (although, hold that thought).

Second, there's nearly always some kind of extreme prize or problem. For example, they may be offering you a job that's both remote and pays unusually well (e.g. “you can make an extra $4000/month working from home a few hours a week”) or they might be claiming you owe the IRS money.

Point number two is usually followed up by some sort of sense of urgency or pressure tactic, like “we have other candidates so this job opening won't stay vacant long” or “if you don't pay within 24 hours, you will be arrested.”

Last but not least, payment is nearly always something unusual. It's rarely “go to irs.gov and pay,” and almost always “pay in gift cards/Bitcoin/Western Union.”

It's also worth noting that nearly all of these scams – whether by phone or email – include some sort of contact information, such as a link or a phone number to call. This isn't a red flag in and of itself because official correspondence will also typically direct you to a place where you can get more information or resolve the issue, but it's worth noting because that will come into play later.
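The four hallmarks above can be turned into a simple triage checklist. The following is an added example written for this article, not code from the original post: it scans a message for the three text-visible hallmarks (prize or problem, urgency, unusual payment), records any contact points (links or phone numbers) without treating them as a red flag on their own, and takes "unsolicited" as an input, since only the recipient knows whether they asked for the message. The sample messages and the keyword lists are constructed for illustration and are deliberately rough heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample messages for illustration (not real correspondence).
SAMPLES = {
    "irs_threat": (
        "FINAL NOTICE: You owe the IRS $500. If you don't pay within 24 hours "
        "you will be arrested. Pay immediately with gift cards and call 555-0100."
    ),
    "job_offer": (
        "Hi! We saw your profile. You can make an extra $4000/month working from "
        "home a few hours a week. Other candidates are waiting, reply today. "
        "Onboarding fee payable in Bitcoin."
    ),
    "legit_receipt": (
        "Thanks for your order #12345. Your receipt is attached. "
        "Manage your order at https://shop.example/orders."
    ),
}

# Heuristic keyword patterns (assumption: a small hand-picked list; a real filter
# would be tuned on many more samples and would still produce false positives).
PRIZE_OR_PROBLEM = re.compile(
    r"you owe|overdue|unpaid|you have won|prize|make an extra \$"
    r"|\$\d[\d,]*\s*/\s*(?:month|week)|account (?:has been|will be) (?:suspended|locked)",
    re.I,
)
URGENCY = re.compile(
    r"within \d+ hours?|immediately|right away|act now|final notice|today"
    r"|won't stay (?:open|vacant) long|arrest",
    re.I,
)
UNUSUAL_PAYMENT = re.compile(
    r"gift card|bitcoin|crypto|western union|moneygram|wire transfer|prepaid card", re.I
)
# Contact points are recorded but not scored: legitimate mail has them too.
CONTACT = re.compile(r"https?://\S+|\b\d{3}-\d{4}\b|\bcall\b", re.I)


def _hits(pattern: re.Pattern, text: str) -> list:
    """Return the matched text for every occurrence of `pattern` in `text`."""
    return [m.group(0) for m in pattern.finditer(text)]


@dataclass
class Assessment:
    unsolicited: bool
    prize_or_problem: list
    urgency: list
    unusual_payment: list
    contact_points: list

    @property
    def hallmarks(self) -> int:
        """Number of the four hallmarks present (0-4)."""
        return sum([
            self.unsolicited,
            bool(self.prize_or_problem),
            bool(self.urgency),
            bool(self.unusual_payment),
        ])

    @property
    def verdict(self) -> str:
        if self.hallmarks >= 3:
            return "almost certainly a scam"
        if self.hallmarks == 2:
            return "suspicious: verify through the official channel, not the message"
        return "no strong scam hallmarks"


def assess(message: str, unsolicited: bool) -> Assessment:
    """Score one message against the hallmarks; `unsolicited` is supplied by the recipient."""
    return Assessment(
        unsolicited=unsolicited,
        prize_or_problem=_hits(PRIZE_OR_PROBLEM, message),
        urgency=_hits(URGENCY, message),
        unusual_payment=_hits(UNUSUAL_PAYMENT, message),
        contact_points=_hits(CONTACT, message),
    )


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        a = assess(text, unsolicited=(name != "legit_receipt"))
        print(f"{name}: {a.hallmarks}/4 hallmarks -> {a.verdict}")
        print(f"  contact points (informational): {a.contact_points}")
```

Two hallmarks on their own only earn a "verify" verdict, which mirrors the advice later in the post: a genuine overdue notice can be urgent and mention money, so the deciding factor is checking it through a channel you already trust rather than the one the message hands you.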

Why Are Scams So Effective?

If nearly every scam displays nearly all of these flags (and if these flags are so clearly defined and common), why do people keep falling for scams? The main reason, I think, is the sense of urgency. When you get a phone call that says “you owe $500 or we're gonna start garnishing your wages and possibly arrest you” and you don't have $500, the panic sets in.

But perhaps what makes them even more effective is the fact that they're so well crafted. Suppose you get that classic “you owe the IRS” call. The person on the other end usually rattles off a badge number. They almost always have your name – yours specifically – along with other information like your date of birth or address. And since we all deal with the IRS every year, an agency that – I would argue – has a very toxic relationship with taxpayers (“get it right or there WILL be serious consequences even if it was an honest mistake”), it's not a far stretch to imagine the idea that you made a mistake and Uncle Sam's financial arm isn't exactly known for being “chill.” Even removing the IRS as a specific example, it can cloud your judgement when you get a call from someone who seems to be in possession of all the right information.

There's also a new type of scam that's quickly becoming prevalent, and it boosts the efficacy dramatically: voice scams. On the low end of the complexity scale, it works by simply having someone imitate your loved one while an accomplice demands the money. On the higher end, they can use AI to clone your loved one's voice.

Where did they get all this information? The two most likely culprits are people search websites (who in turn gather that information from a vast array of sources like public records and social media accounts) and data breaches. Most people have the mistaken belief that because they're not interesting – they aren't famous, they aren't rich, or they don't work for the CIA – they must not be worth the time and attention of a hacker or scammer. But this betrays a fundamental misunderstanding of just how easy it is to gather all this information. For a sufficiently skilled scammer, gathering this data is no harder than checking your email: type a few commands, go get a cup of coffee, and see what's waiting when you get back. So what can you do about it?

Avoiding Scams

There are two ways to fight back against scams: proactive and reactive measures. If you're currently in a situation where you think you might be on the receiving end of a scam message, start by rereading the signs I shared above. If the message you received was unsolicited, has a sense of urgency, and is demanding unusual payment methods, it is almost certainly a scam.

If you're still unsure, you can verify the claims of most scams by going straight to the source. For example, if you got an email claiming to be PayPal charging you for a new iPad Pro, don't click the link in the email. Instead, go straight to PayPal.com and log in from there (assuming you have a PayPal account at all, and if you don't, well then that settles that).

Now, remember earlier when I said “hold that thought” about most scams being unsolicited? And shortly after that when I talked about how most scam messages include links or contact info? This is where things can get tricky if you're not careful. Scammers are experts at gaming the system, which means if you go to Google and type in “PayPal support phone number,” there's a non-zero chance that the top result will be an ad for a fake website with a fake support phone number. In some cases, this fake number even shows up in the AI summary. Make sure you're going to the actual, real website you're looking for, not using the AI summary or an ad. (Bonus tip: using a password manager can help here in some cases, since it won't autofill on fake websites, preventing you from accidentally handing over your details to a scammer.)
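"Go straight to the source" also has a mechanical version: before trusting any link in a message, check whose domain it actually points to. The following is an added example written for this article, not code from the original post. It pulls the links out of a message, parses each one with Python's standard URL parser, and compares the registrable domain against the one you know is official (here "paypal.com", used only because the post uses PayPal as its example). The sample email and all of the lookalike hostnames are constructed, and the registrable-domain logic is a deliberate simplification (assumption: last two labels), which is noted in the code.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message (not real correspondence). It mixes one genuine
# link with three common lookalike tricks: a subdomain that starts with the
# real name, credentials-in-URL (text before "@" is ignored by browsers),
# and a digit swapped for a letter.
SAMPLE_EMAIL = """\
Your PayPal account was charged $1,099.00 for an iPad Pro.
If you did not make this purchase, dispute it within 24 hours:
  https://paypal.com.secure-dispute.example/login
  https://paypal.com@evil.example/x
  https://paypa1.com/secure
Help center: https://www.paypal.com/help
"""

# Grab anything that looks like an http(s) URL; trailing sentence punctuation is trimmed.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)


def registrable_domain(host: str) -> str:
    """Return the part of the hostname a person would actually register.

    Assumption: last two labels. Real code should use the Public Suffix List
    (for example via the `publicsuffix2` package) so that names like
    "shop.example.co.uk" resolve to "example.co.uk" rather than "co.uk".
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(message: str, official_domain: str) -> list:
    """For each URL in `message`, report its real host and whether it belongs to `official_domain`."""
    official = official_domain.lower()
    results = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;")
        # .hostname strips userinfo ("paypal.com@") and port, and lowercases,
        # so it reflects what the browser will actually connect to.
        host = urlsplit(url).hostname or ""
        results.append({
            "url": url,
            "host": host,
            "registrable": registrable_domain(host),
            "matches_official": registrable_domain(host) == official,
        })
    return results


def suspicious_links(message: str, official_domain: str) -> list:
    """Return only the URLs whose real domain is not the official one."""
    return [r["url"] for r in check_links(message, official_domain) if not r["matches_official"]]


if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL, "paypal.com"):
        flag = "ok " if r["matches_official"] else "BAD"
        print(f"[{flag}] {r['host']:<40} <- {r['url']}")
    print("suspicious:", suspicious_links(SAMPLE_EMAIL, "paypal.com"))
```

Notice that the check is against a domain you already know, not against anything in the message, and that it looks at where the browser would really go rather than at how the link reads. That is the same reason a password manager is a useful backstop: it compares the site you are on against the site it saved, not against what the page claims to be.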

Proactive Measures

I strongly believe that being proactive can prevent most scams from ever happening in the first place, in part by simply removing you from their radar altogether. If their stolen list of phone numbers doesn't contain yours, how will they know to call you? The few that still get through this first line of defense will be less likely to be effective because they'll be missing crucial data to be convincing. And the even fewer still that manage to be successful will cause less damage than they otherwise might've. Here's how to craft these layers of defense.

The easiest and most common cybersecurity advice – particularly the use of two-factor authentication – will ensure that even if you fall for a phishing attack, the scammers won't be able to log in.

Using data removal services, email aliasing services, and disinformation can help remove or falsify data about you that scammers would otherwise attempt to use to craft more convincing scams.

I also strongly recommend checking all your online account settings to see what information you're sharing publicly and how you can make it harder to access so it's less likely to be used against you. For example, set your posts to “friends only” so would-be scammers can't tell where you went on vacation last year.

Finally, in the case of voice-cloning scams, many experts are now recommending code words to use with your loved ones to verify that it's you. If the scammers claim to be you – or with you in some capacity – you can ask them to verify with the code word. If they don't know it, it's almost certainly a scam. Just be sure to pick a code that someone would remember in a stressful situation. (You could also verify with things that wouldn't be public knowledge, such as a childhood nickname or where you went the last time you hung out together.)

Evolving

Safety in our modern era is a constant game of cat-and-mouse. Gone are the days of the poorly-worded Nigerian prince scams (mostly). These days, AI can craft a grammatically-perfect message, and data found in seconds online can be used to convince you that hackers really are in your devices and accounts, even when they're not. Add into this a bunch of technical jargon that sounds real with a quick Google search, and it's easy to see how these scams are becoming more advanced and easier to fall for. This low level of effort combined with the possibility of a payout is a huge incentive for criminals – and they only need a few people to fall for it to make it worthwhile. It's important that we evolve to stay on top of these scams, to learn how to recognize them, and – where possible – hinder or defeat them before they ever even get to us.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...