The voice on the phone was warm and reassuring. He gave a name, and said he was calling from Medicare to check in on how she was doing — if she'd been sick recently, if she was having any difficulties managing her health issues. And before my mother-in-law ended the call, she'd already given a stranger her Medicare number, her Social Security number and her address. Maybe some other information, too. She was so distressed by the time she called us, she couldn't quite remember.
The elderly have long been favored targets for frauds and scammers, but the coronavirus has increased their vulnerability in a multitude of ways. New, virus-specific cons have emerged. Older people, already isolated and potentially ailing or grieving, can find themselves more susceptible to the overtures of seemingly concerned hucksters. And their families, often geographically distant, find themselves ill-equipped to help them fix the problem.
My mother-in-law generally prides herself on her street smarts. Her easygoing nature and petite stature make her look like an easy mark, but in more normal times, she'll call a cop on anybody who attempts a dropped wallet swindle, or tell a caller hitting her up for money that she knows they're not her grandchild. But this time, she was already several weeks into a quarantine that had cut her off from her family, from her church group, from virtually everyone but the helpful neighbor who brings her groceries. She played easily into the hands of the affable-sounding man who skillfully coaxed information from her, someone who seemed somehow credible because he was talking about a real public health crisis that has ravaged her peer group. Could she just confirm a few numbers and her address? Was she having any problems with her… ongoing condition? Yes, yes, the arthritis. Did she need someone to send her another… back brace, right, a back brace?
"Like anything, the most vulnerable populations are the ones who are going to suffer the most consequences," says Neill Feather, Chief Innovation Officer at cybersecurity company SiteLock. And a crisis is always catnip to the frauds. Feather says, "Since this has started, we've seen a significant increase in the amount of phishing attempts targeted around the pandemic and resources. One is around medical testing and that sort of thing, where people are trying to get sensitive information." Just like the scammer who snagged my mother-in-law.
But there's more. Feather says, "There's also a lot of targeting around scarce items. People email about these hard-to-find items, and the email will be fraudulent, trying to get you to log in… so that people can perform account takeovers and other types of attacks against unsuspecting users."
Mom would later say she couldn't tell exactly when she started to feel uneasy. Her account is a bit muddled. He might have asked for a credit card number, to "secure" a shipment. She might have given it. She was tired. He'd asked so many questions. So she got off the line, hurriedly telling him she'd call him back. Of course, the number was a fake.
Chief among my mother-in-law's immediate reactions when she put that phone back down was a sense of deep shame and self-blame. But the back brace scam is a sophisticated and common ruse, one that just happens to have morphed recently to suit the current crisis. And when it comes to fraud, anyone can be a victim.
Neill Feather says that whether it's individuals or small businesses, "most people don't expect to be targeted." But scammers "cast a broad net, and they're happy to perform compromises against almost any type of entity. There's going to be a financial reward of some kind that they can extract from that. If you do it over enough repetition, it becomes pretty lucrative. There's very little cost to trying to get the information. Because so much of the attack and the compromise is carried out in an automated fashion, you don't need to catch one really large victim. You can get a thousand small victims, and that adds up quite a bit."
The Federal Trade Commission (FTC) reports nearly 50,000 COVID-19 related complaints already this year, totaling over $36 million in losses. And there's no end in sight.
Bill Versen, chief product officer at data service provider Transaction Network Services, says it is important to remember that scammers are "confidence people." As he puts it, "They're trying to use topical information to seem more plausible, more real, to convince the intended consumer that this is a legitimate call. When they get you on the phone, they can tailor their script to make it very believable, [so] you, I, or our elderly parents are like, 'Well, that sounds reasonable. Why would I not trust that person that's claiming that in this situation?'" And once that trust is established, things can get very complicated very quickly.
I already know what it takes just to help an elderly flip phone owner place an Amazon order. My mother-in-law uses her computer to occasionally check her email and compose her Christmas letter. She has difficulty using her hands. On both a cognitive and physical level, navigating the world of fraud protection and recovery — much of which exists largely online — without a literal helping hand beside her made an already stressful situation exponentially more anxiety-riddled. Filing a police report, putting a freeze on her credit cards, alerting Medicare, all of these things demanded time and patience and a lot of work from her whole family, work that was all the more difficult because of social distancing. Several weeks later, the damage appears to have been minimal, and yet we are still hip-deep in trying to fix it all.
In retrospect, the conversation we had as a family after my mother-in-law was targeted was the one we should have had long before it happened. Versen says, "The first thing you do is educate yourselves and your loved ones." He advises checking on the FTC and other trusted sites for updates on common scams. He also suggests robocall blocking, which many consumers don't even know is an option. It can usually be done via your phone carrier or a simple app. "This seems like common sense, but don't answer calls from people you don't recognize," he adds.
Adhering to that advice can be tricky, especially now, because many of us are getting calls about contact tracing or lab results. But as Versen notes, "Legitimate callers will leave you a voicemail or find other means to get a hold of you... Don't answer calls from numbers you don't recognize and don't call back any numbers you don't recognize either because it could be a one ring scam." And Neill Feather adds, "It's hard because people don't want to be rude, and we don't want to seem mistrusting. But that's what the cyber criminals and these folks count on is, that people aren't going to question what they're doing."
Beyond basic awareness, it's also worth it to try to get our older friends and family to adopt at least a few modern security practices. "If the service you're using offers two-factor authentication," says Feather, "I would always advocate to do that. As long as that person also didn't steal your phone or take over your email address or whatever, you've always got that [backup]."
"The other thing I know that folks are sometimes reluctant to use, but really does help, is a password manager," Feather added. "There are a lot of them out there, especially for consumers, and a lot of them are free. You don't have to remember fifteen different passwords. You remember one and once you're logged in, you can utilize that."
These are not always simple concepts to explain, but they're valuable to implement, and easy to adapt. For example, my mother-in-law's two-factor authentication number is now mine. That way, if something fishy goes down, the person more likely to notice the notification can spring into action first, and head off trouble at the pass.
The wide net system of scamming is enormous and random. Yet the person who called a widowed, arthritic woman and made her feel, in rapid succession, cared for and then duped, was a real human being. I'm angry at him. I wish I'd done more to protect my mother-in-law before this ever happened. It's not easy, undoing damage. It's not easy, trying to explain password managers to someone accustomed to writing birth dates on scraps of paper, especially when I don't know when I'll be able to see her in person. But it seems very possible she will be targeted again before this is all over. And next time, I want her to be prepared.