So, the closest I ever got to being scammed was while I was sleep deprived working on Loop Thesis shortly after leaving Oracle. A door-to-door salesperson came to my apt from one of the 3rd-party energy sourcing companies that are really scummy trying to act like they were from PECO, and they were acting like they were trying to get me through some administrative process that would have moved my PECO account over to them, where presumably they would over-charge me. I was sleep deprived and half delirious and was halfway through the transfer process before I figured out what was going on.

What saved me was a couple of things:

A) they had me call up PECO to start the transfer and when the person on the line asked about stuff, I noticed that they really didn't want her to be on speaker phone while I was answering and asking my own questions. They kept kind of angrily gesturing for me to mute the phone. And it's really hard to manage multiple people in a scam at the same time, especially when one of them is just a random PECO employee.

B) PECO asked questions. They were like "here's the process you're going through", and then I immediately said, "huh, well that doesn't make sense, I thought I was doing Y" and then the scammer was like "don't tell them that!"

C) At the point where I stopped trusting them, I just told them to go away and I would look things up myself and I stopped engaging. I stopped saying "but why would X happen, you said Y, that doesn't make sense." And just said, "no, I'll look this up later, sorry" over and over again until they left.

and that was shortly before I made a policy of just, even if someone makes me think I want something, I still wait 24 hours to do it. But to me, that emphasizes that not having a situation be in control of the scammer is important. If I lived with anyone else, getting them on the line would have blocked the scam. The PECO person asking any questions at all could block the scam. Being like "there is never a legitimate reason for you to stand next to me and coach me while I do a thing" would block the scam.

My point being, you don't actually need to know what's real and what's not, that's not the defense against scams. The defense against scams is:

A) Not letting them start the conversation -- ie, you always call back, schedule an apt, write an email.

B) Not letting them control the conversation -- ie, you always have someone else there, you always research without them present, you always force them to use a medium like text, you never let them stay on the line for too long or walk you through things step-by-step.

C) Not making impulse decisions period -- you have a universal policy that you wait before you do a thing, because then you have moments of clarity while you're waiting. And you never break that policy even when it seems like you should, because the whole point is that you don't trust yourself to know when to break the policy.

And I really genuinely believe those steps will work in many cases regardless of how savvy someone is or isn't, and it feels like the approach to scammers right now is that we tell people to just be smarter, and it's like saying "why are people dying in cars? Should we add airbags and make people use turn signals or should we just yell 'be more aware' at them?"

I still feel like who the heck cares. I mean, I get the instinct to want to know that your weaknesses aren't unique, but it just doesn't matter. Where was all this tribalism and need to confirm normalcy while you were being told not to talk to your husband?

I don't know, maybe I'm being mean about that.

I mean, this is a throwaway line, but I'm kind of upset that there are no real tips here. Like... don't. Don't answer your phone if you can avoid it.

That's not a haha funny line at the end, tell people not to answer their phone!

YES!!!

Yes!

Thank you banks for continuing to use this information for account security, giving people the impression that it is secure and private. Your contributions are always appreciated /s

I don't think this is helpful anyway, everyone wants everyone to tell each other that they're smart. Who hecking cares, good security practices and security habits work for everyone and anyone, regardless of what ablest terms you want to label them with.

Freeze credit anyway. Long conversation, everyone's credit should always be frozen.

run anti-virus

Thank you banks, your contribution to the world of security is always appreciated /s

As opposed to doing things like adding proper 2FA or training your tellers to not randomly hand people 50,000 without asking followup questions that would very quickly shake someone out of a delusion.

This is the issue, like.. I don't want to be mean about it because this is exactly what hecking happens, and people don't talk about the scams because they get embarrassed and talking about what's happening is how you avoid losing your grip on reality for long enough to prevent them.

So it's like... I don't want to be mean because susceptibility to scams is not a character flaw, and it is so obvious outside of scams what's going on and all you need is anyone outside of the scam to look at it and laugh and say "what the heck are they talking about." And embarrassment isn't helpful for that.

Okay, the rest of this is going to be depressing.

Just 10 minutes off of the phone, that is all it would have taken.

what the heck

you said you were a financial expert though...

Be respectful of your partners and their privacy, but also if something like this ever happens, #$&@ing GO WITH THEM.

Some casual talk before you're investigated for money laundering and before the cartel kills you.

This is also why Michael is just keeping her on the phone for hours and hours. It's just painful to read. Like, there's no defense at this point, just hang up the phone for 10 minutes and this would come crashing down, but she can't.

Right. I mean, no shame, but literally this is what's happening. And this is why habits -- so you always do 3rd-party confirmation, you always get someone else's perspective, you always wait a day before doing something.

Because human beings lose their grip on reality sometimes, and then you have a habit that stops you from losing 50,000 dollars when you do lose your grip on reality.

There's something insulting about a scammer being like, "no, we're not going to make a fake badge to show you, stop being so needy, how far do you expect us to go to get your 50,000 dollars?"

You said you were financially savvy!!!!!!! You said it! You said you talked to experts!

So close, come on.

Don't ask them the questions, you think about the questions yourself. If you don't trust someone, you don't ask them questions to justify things. You research externally. Always externally.

But you DO

Right? And you'll do something with that information?

Now we're back to the people trying to kill your kids. Are you being investigated by the government, or is the cartel after you, or was your Amazon account hacked. You are not obligated to believe all 3 simultaneously.

Case in point

You don't argue with them and you don't ask open-ended questions. YOU set up the standard.

Otherwise they get to decide what the proof is.

AAAAAA So close!!!

When you have that moment of clarify, call someone else!! Not the original person!

This is why we wait! Clarity comes with time!

I'm sure he was.

No.

I wonder if this is like an angle of susceptibility here, she keeps saying that she needs to fix everything. You're not going to fix a CIA investigation and a cartel and stalkers in an evening. That is not a thing.

But like, what happens to get someone into the position where they think, "well, but I need this resolved this evening before trick or treating?" What is going on that someone immediately jumps to that line of reasoning, and she keeps mentioning it -- I need to just fix this quickly.

I feel like that's the trap maybe? Sort of goes without saying, but waiting 24 hours to just do anything is also a really good defense here, and it feels like that defense got bypassed by playing into a "I need to solve the problem right now" part of her personality.

Agreed. I don't mean that in a nasty way, just like... oof.

Wha? This is the thing you get hung up on?

I don't know that I can keep reading this, this is just escalating to a wild degree, there's nothing to add.

This again. Why the ever-loving heck not, what time don't you have?

I understand why they're doing this, I understand why it works, it's just frustrating to read.

Ah, #$&*X

Yes, yes.

Come on.

I mean, no that's not true, at all, but we've already established that she doesn't know that.

"It's so lucky that Amazon forwarded your case number, or else you would be dead this very night."

I'm sorry, do you believe you are being investigated for federal crimes while the cartel monitors your every movement, or not? Like, I can't believe I'm arguing for the scammers here, but you ostensibly believe people are trying to kill your family, right? Like...

I cannot figure out whether she's terrified or not.

"A raid would be very inconvenient right now, is there something else we can do?"

wfeoefwiohafjdsfkjlewoihewio

She's just fully pulled in now, nothing is getting through, it's too late. This is not how ANYTHING works.

PUBLIC PHONE CALL!!!

Since #$&@ing when!?

You need to be more derisive about the world around you. You're not stupid, why are they asking you to jump through hoops. How come you can't do your job without me lying to my husband. I demand to speak to your manager, who I assume is the president.

meh, not a thing. Nothing to add here, they're just going to lie to her in quick succession.

They can be spoofed, but sympathy here because "they just move on" is a way to get caught. This is why text-based communication is preferable in situations like this, I don't want to be on a phone call where someone can just push past a point. I want to be able to sit and obsess about it for 3 hours and then send an email.

But sympathy on this point, you're either assertive enough to say, "no wait, we're not moving on" or you're not. And like... I'm not. That's why I stay off the phone.

Good instinct!

See above, phone number spoofing. This is exactly the scenario I was talking about.

Come on, good instinct but like... You don't ask "how can I believe you." That gives them the opportunity to suggest what the proof is. Which is exactly what happens next.

YES!

If you have a contact number with the hecking CIA, then give the police that information. What are you talking about?

You're so close.

They transferred your call, asked for your bank information, and gave you another number.

When people ask you to click on things, what they're doing is saying "here is the location of a thing, you can totally trust me that the thing is what I say it is."

That is just like phone numbers! Phone numbers are links! Calling a phone number is clicking on a link!

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

You were so close, you were right next to the finish line all you had to do was step over the line, and then instead you hacked off your leg with a table saw instead.

I'm sorry, go back to "my communications are being monitored and I'm going to be killed by the cartel."

I mean... okay, less actionable advice than above, but like... if someone from Amazon calls you and then somebody says that your life is in danger and then says "we need to protect your 80,000 dollars" and uses very weird language like "you must have worked very hard for that money" which is the type of thing that only a scammer would ever say about money, because normal people don't think "I bet you earned your money legitimately" is a compliment... that person might be a scammer!

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

And then he was killed by the cartel!

Two things:

A) our financial system is a mess and that actually contributes to scams, because people get confused about what's possible to do. It's true that identity theft can be a nightmare, and that makes people more scared of it than they should be, and the problem because reinforcing. Mostly because banks are terrible at security and credit unions don't care about protecting data or correcting mistakes.

B) Just because This American Life reported it was her boyfriend does not mean that the vast majority of ID theft isn't random. Most of it's random, this American Life just picked up on it because it was noteworthy and a more dramatic story, which is irresponsible on their part if they didn't try to clarify the reality for most people.

Drug PSA except for public wifi.

"Shaunda used public wifi once at a bar, and then her family was killed by the cartel. Wifi, not even once."

Side note, this isn't a thing.

If someone is surveilling you, you can not just delete a text message. This is too long of a conversation to get into.

My brother in Christ, you are on a #$&#) public phone call!

"You are being surveilled, so I made sure to call your personal phone number on an unencrypted network after being transferred by Amazon."

AAAAAAAAAAAAAAAAAAAAAAAAAAAA

She's getting like... pulled in. By saying "my husband isn't a drug smuggler" she's conceding that there might be a drug smuggler.

Also holy heck, please take a step back and realize this started with an Amazon ref saying, "mind if I refer you to the FTC" When was the point you suddenly started believing you were on a call with the FBI?

This is not how identity theft works. This isn't child kidnapping, identity theft is usually someone you don't know.

Always text someone else, having someone else in the loop is the defense against irrational behavior.

No it's not, public wifi is not as dangerous as many people believe. And I'm more cautious about public wifi than most people. We all use HTTPS now, there are reasons why I don't like to connect to public wifi, but identity theft isn't one of them.

Good instinct.

Absolutely wild escalation.

This is not a thing anyone would do. When I got into a car accident and the other person wrote down a fake phone number and ghosted me because they didn't have insurance, the insurance company that they used to have would give me zero information about them. Which... they shouldn't have! They did the correct thing in that situation, you don't randomly give information out.

The FTC would not just text you a photo of someone's ID even if that person was a criminal. Companies don't do this, government agents wouldn't do it.

I'm empathetic to not catching the red flag here, but "here's your identity, can you confirm that it's correct" is a big red flag. That's not how confirmations work, you would need to give that information to him, not the other way around.

But again, shouldn't be in this call to begin with. Never give any information unless you initiated the call to a number you looked up.

No, extension. He doesn't get to give you a phone number, he gives you an extension and a name, and you call back using the number on Google and ask for that name/extension.

I realize I'm hammering this and preaching to the choir, but like.. bullet-proof way to avoid a large number of phone scams. But it has to be habitual, it has to be a policy that you always do.

See above, Krista does not transfer the call. Krista gives you an extension or case number, you hang up and you look up the number for the Federal Trade Commission online.

Now see, the mistake here is assuming that Amazon would willingly work with the Federal Trade Commission :)

You don't check this information with them on the phone, not if they called you. Check it separately, then call Amazon customer service back using the number on the website.

This is something to do universally -- not when a call feels suspicious, just as a general policy always initiate the call yourself. What's bad is that not all businesses will tell you to do this, but if I tell a business "for security I need to hang up and call you back" I have never had a business be upset about that, they all understand. Should be universal practice even if you're 100% sure it's not a scam, it's about forming a habit.

So first real red flag here, and actual practical advice beyond just "be suspicious" -- getting a call to say "did you do X" is fine. But the moment that you start looking into account details, you should start the call.

So what I would want someone to do in this situation is say "no, I didn't make those purchases." Then when you go to check the account or say "where did they come from" -- even if the call is 100% from Amazon, you end the call and call Amazon back. That's part of what the case-ID number is for. You never go into account details over a phone call unless you made the call.

So ideally, in a situation like this you say, "no, I didn't make the purchases. Go ahead and feeze the account, and I'll call back for more details."

Then you hang up, look up the phone number yourself online and call that number. Don't use a phone number you're given, you get the number yourself and you initiate the call -- basically this is an almost sure-fire way to avoid impersonation attacks for businesses. There is very little most scammers can do to counter this strategy.

Okay, good advice time which hopefully the article goes into: caller IDs can be faked, they're self-reported. I'm not privy of the full technical details, but you should never look at Caller ID as a trustworthy signal of who a caller is, think of them like return addresses on envelopes -- they often are accurate, but they don't have to be.

is this necessary?

This is light teasing, I understand the frustration trying to say "I'm not the person who you think about when you think about someone falling for scams."

So not trying to seriously criticize, but "I wouldn't fall for a scam, I vote and floss" is really funny to me.

"Oh yeah? If my life wasn't put together, then why am I flossing?! Could a lonely person do that?"

Wait, didn't you say you were financially savvy?

You're about to describe a very embarrassing event in your life, so maybe hold off on starting out by insulting other scam victims?

Also true

This is true

[citation needed]

So this I'm just straight-up sympathetic to because "why didn't I do X" has to feel pretty awful.

Sometimes when people use these phrases to talk about social interactions they're exaggerating, but "your family might die" does actually feel pretty cruel and violating as far as scams go.

So this is less of a traditional scam and more of an extremely wild "they're going to kill you" scam? Which may make me a bit more sympathetic because I feel like if I was actually worried that my family was going to die I wouldn't be thinking rationally either. I have literally never been in that position.

That being said... how in the actual heck do we go from "Amazon scams" to "the terrorists are closing in on you right now"?

This is the concerning part, assuming that he didn't just guess.

None of this is surprising, this kind of stuff is easy for criminals to find.

NO TALKING! But do say thank you, being a driver is hard. So many criminals are just using Uber now.

When you learn how to interact with scam victims by watching Die Hard.

Most evidence I've seen online indicates that there's been a fair amount of fake filings from everyone, with the majority of spam likely coming from the "against" side.

This is (one of the reasons) why it's better to do controlled studies rather than asking people to voluntarily submit their own opinions. Most of the studies I have seen suggest that both Republicans and Democrats broadly support a data agnostic Internet.

That is quite literally the opposite of what Network Neutrality does. A common carrier, by definition, does not prioritize or punish any content.

Net Neutrality advocates want the exact same thing you do - an Internet where no one, even the government, can arbitrarily decide that one website or service gets an artificial competitive advantage over another.

That is a heck of a large privilege to grant a site just so it can avoid showing you a popup on the page itself.

Which is why this needs to be taken with a grain of salt. These numbers are frightening until you realize how little impact the actual vulnerable parts of code are going to have on most websites.

Of the jQuery vulnerabilities linked, 4 are XSS attacks and 1 is a denial of server attack against sites that use jQuery to compile templates on the server.

In all cases, the site is only vulnerable to the extent that it accepts user input and uses it either serverside or clientside across multiple users.

Do you really think that all of these libraries are doing that? Absolutely, some of them are. But most sites are using jQuery because they don't know how document.querySelectorAll works, not because they're loading user-submitted comments from a server.