A lot has been said about secure passwords and ways to create them. Some people recommend three random words, some password managers and others a random mixture of letters, numbers and “special characters”. I deal with all kinds of people on a daily basis, some who are computer literate and some who only just know how to turn a PC on and who definitely wouldn’t want to use a password manager. I know of one person who insists on writing all his passwords in a book he keeps on a shelf by his PC. That’s the real world, not an idealized one we’d all love to see. So what can we do for people like him?

Let me demonstrate a way to use three random words that takes it a step further to make what appears to be a completely random mix of letters, numbers and special characters. It’s simple enough, yet also allows you to tweak it any way you want. Those who insist on writing their passwords down can still use this method too, as the final result looks nothing like the three words written down.

Let’s start with three random words. Actually, let’s start with “three random words”. Look at your computer keyboard. Notice how the letters are spaced in such a way that if you go up one line and to the left or the right, there’s a corresponding key. If I wanted to type my password going up and to the left, three would become 5y433, random would become 4qhe9j and words would become 294ew. Put those together and you have 5y4334qhe9j294ew.

Let’s switch it up and go to the right this time. Now we get 6u5445wjr0k305re. Some passwords require a capital letter, so let’s change the first letter we see to a capital: 5Y4334qhe9j294ew.

How about special characters? There are three words, with two spaces between them that we didn’t use. The first word has five letters, so let’s put a special character in place of where that first space would go and use the special character that corresponds with the number 5. That’s a % for those paying attention. Now our password looks like 5Y433%4qhe9j294ew. Random is next with 6, and that gives us 5Y433%4qhe9j^294ew. Finally, words has 5 letters, so we put a % at the end to give us the final password of 5Y433%4qhe9j^294ew%.

And how do we remember it when we need to use it again? “Three random words”. The method can be tweaked if needed, so for example the first and third words are to the left, but the second one is to the right. It’s easy when you know how.
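To make the method above concrete, here is a small reference implementation. It is an added example, not code from the original post, and it assumes a standard QWERTY layout with the US shifted-digit row (Shift+2 gives @ rather than the UK "). The direction can be set per word, so the “first and third left, second right” tweak is just a different argument. One thing worth seeing from the code: the mapping is fixed, so the password’s secrecy rests entirely on the three words themselves; anyone who knows the rule and the words gets the same result, and keyboard-shift substitutions are a standard mangling rule in password-recovery tooling, so the words still need to be genuinely random and kept private.

```python
# Added example (not from the original post): reference implementation of the
# "three random words" keyboard-shift method, assuming a standard QWERTY layout.

# Physical QWERTY rows. Each row is staggered half a key to the right of the
# one above it, so "up and to the left" of a key is the key at the same column
# index in the row above, and "up and to the right" is that index plus one.
ROWS = [
    "1234567890-=",
    "qwertyuiop[]",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# What Shift+<digit> produces on a US keyboard (UK layouts differ for 2 and 3).
SHIFTED_DIGIT = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                 "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def shift_char(ch: str, direction: str) -> str:
    """Move one character up one keyboard row, to the left or the right.

    Characters with nothing above them (the number row, or keys not in ROWS)
    are returned unchanged.
    """
    ch = ch.lower()
    for row_idx, row in enumerate(ROWS):
        if ch in row and row_idx > 0:
            col = row.index(ch) + (1 if direction == "right" else 0)
            above = ROWS[row_idx - 1]
            return above[col] if col < len(above) else ch
    return ch


def shift_word(word: str, direction: str) -> str:
    """Shift every character of a word in the given direction ("left"/"right")."""
    return "".join(shift_char(c, direction) for c in word)


def build_password(words, directions, capitalize_first=True, separators=True):
    """Apply the full method from the post.

    words:       the memorable words, e.g. ["three", "random", "words"]
    directions:  one direction for all words, or a list with one per word
    capitalize_first: upper-case the first letter that appears in the result
    separators:  append Shift+<word length> after each word (the "spaces")
    """
    if isinstance(directions, str):
        directions = [directions] * len(words)
    parts = [shift_word(w, d) for w, d in zip(words, directions)]
    if separators:
        # Word lengths of 10 or more wrap around to their last digit (an
        # assumption of this example; the post only uses short words).
        parts = [p + SHIFTED_DIGIT[str(len(w) % 10)] for w, p in zip(words, parts)]
    pw = "".join(parts)
    if capitalize_first:
        for i, c in enumerate(pw):
            if c.isalpha():
                pw = pw[:i] + c.upper() + pw[i + 1:]
                break
    return pw


if __name__ == "__main__":
    words = ["three", "random", "words"]
    print(build_password(words, "left", capitalize_first=False, separators=False))
    print(build_password(words, "right", capitalize_first=False, separators=False))
    print(build_password(words, "left"))
    print(build_password(words, ["left", "right", "left"]))
```

Running it reproduces the post’s intermediate results (5y4334qhe9j294ew, 6u5445wjr0k305re) and the final 5Y433%4qhe9j^294ew%; the mixed-direction call shows the tweak the post mentions.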
If you enjoy YouTube, you’ll likely have stumbled upon “Life hack” videos at some point. Most are utterly pointless, dangerous or nothing more than “tips” people have been using for years already. Want to stop your cat from bringing in dead animals? Simply hot glue a car horn and battery pack to him. Keep losing your car keys? Leave them in the car door where they’re easy to find. You know the kind of crap I’m talking about, right? https://dictionary.cambridge.org/dictionary/english/hack describes the word hack as “to cut into pieces in a rough and violent way, often without aiming exactly” which is what I’d like to do to some of the people who put out the truly dangerous “life hacks”, but that’s a whole other thread for another day. The other thing you’ll see is people boasting in their video titles about “hacking the scammer’s PC”. How can I describe this practice? How about – and you can quote me on this – “absolutely moronic, dangerous and a complete nightmare for any self-respecting anti-scam advocate to have to deal with the consequences of”. Think of how much damage to a criminal investigation some script kiddie can cause by removing vital evidence from a computer because they saw a video and decided they want to do it as well. Consider the damage to the anti-scam community a well-intentioned but clueless person can do due to outsiders assuming that’s what we all do. There are times we work with law enforcement on cases, and when we explain to them how we obtained the information we have, it’s essential we can prove to them that it was done using perfectly legal methods (usually a little lateral thinking when doing standard searches is all that’s actually needed). If it’s assumed we hack into computers, then the evidence we share would be compromised and the real bad guys could get away scot-free. Think before you ever consider hacking into a scammer’s computer. You could be doing much more harm than good.
After a recent incident, I wanted to clear up exactly what our stance is regarding posting up a person’s private details on the site. It’ll be in two parts, to cover the person’s details and their images.
Firstly, regarding images. If an image is received from a scammer, we’ll post it up. If the image contains a child, we’ll obscure their face. If we can find the real person whose images are being abused by scammers, we’ll let them know and offer any help we can if they reply. We won’t post up any images that weren’t received from a scammer, even if there are others of that person available online. That’s important to us.
Sometimes we receive an email claiming to be a particular person/entity. Again, we’ll post it as is and try and let them know about the scammer abusing their name as part of their scheme. If the scammer mentions another person/entity partway through the scam (for example, telling the person to send money to them via Western Union, Moneygram etc.) then that simply gets posted up. Where it gets more tricky is when the scammer uses banking details that belong to someone else. Here’s how we deal with that. If the information is in the first email, then we post it as that’s the script hundreds or thousands of others would also have received. If however, a scammer shares banking information further into the script, then none of that will be shared with the public. We have contacts in various banks’ fraud departments that we send the information to, and leave them to deal with it.
So in a nutshell, we’ll post up images used by scammers, as well as emails/names where they pretend to be other people. Where we can, we’ll let the real people know about it. If a scammer mentions other organisations, then they simply get posted with no further action taken. When it comes to bank details, if they’re in the initial email we’ll post them, but simply pass them on to the banking authorities if they arrive partway into the dialogue with the scammer. Hopefully that clears it up for everyone.
Those who know me will know that I suffer from occasional panic attacks. They’ll also know that I have to avoid certain stimulants such as caffeine like the plague. No morning cup of coffee for me, only caffeine-free cokes, and Dr Pepper is completely out of the question, which is a shame as I used to love that stuff. Something else was added to that list a few weeks ago. To treat a sinus infection, I was given a steroid spray. The day after, I woke up to one of the worst attacks I’ve ever had. Now usually when I get a panic attack, it’ll fade off within 15-20 minutes. Not this time. This damn thing lasted a week non-stop! This is the second time I’ve had a reaction to a steroid spray or cream, but this was the one that confirmed it’s the cause. I was OK for a day or so after that week-long episode, but then it came on me with a second wave that lasted on and off for two whole weeks. When these happen, it’s pretty much impossible to function. I can’t sit down, can’t sleep, can’t concentrate on anything and am generally no use to man nor beast. If you’ve never had the misfortune to suffer with a panic attack, think yourself lucky. At times it physically feels like you’re dying, and at other times you would welcome death to put an end to the suffering. I have enough experience to know what was going on, but even that’s small comfort when you’re going through it for the fifth day solid with no respite. Thankfully it’s been a week now since the last episode, so I’m hoping things are back to “normal” here. What I’d like to say is that, while all this was going on, the rest of the crew stepped up to cover me. For that I’d like to say thank you. The small group that work on this site are people I genuinely consider some of my closest friends, and times like this only reinforce that feeling. Now let’s hope the next attack is a long way away as there’s scammers to deal with!
I’ve had some time to think about this. If you’re unaware, Facebook has supposedly made it easier to report fake ads, and donated £3 million to a UK charity after being taken to court by a UK celebrity over misleading ads featuring his image. Now, here are my thoughts on it in no particular order:
3 million pounds is the equivalent to 90 minutes’ worth of revenue. It’s chump change to them, and my guess is that it’s garnered them millions in publicity anyway seeing as the story was pretty much everywhere. How much do you think that much media exposure would have cost them otherwise?
One report I read claims the amount was “in cash and Facebook ad credits”. Many, many years ago, I worked in a camera shop. A couple came in and bought several hundred pounds’ worth of equipment for a “once in a lifetime” holiday they were going on. It was around the £5-600 mark if I remember. They asked if there was any chance of a discount, and I offered them 10% off, or £100 worth of films and developing. They took the films, happy that they’d managed a good deal and made the right choice. Here’s the thing though. That £100 I gave away only cost the company about £35. How much of this 3 million is in ad credits that likely cost Facebook a fraction of what they’re selling them for?
The service is only in the UK. Elsewhere, nothing has changed. Ads will still appear, Facebook will still charge to display those ads; it’s just that now UK users can report them more easily to get them removed.
The money went to set up a service called Citizens Advice Scams Action (Casa). Once that 3 million has been used, what happens then? Do we think Facebook will give more, or walk away leaving a service having to beg for money elsewhere in order to continue running?
Is it a good thing? On the surface, yes. Look a little deeper though, and maybe it’s not quite as good as it’s been made out to be.
This week we appeared in a documentary about sextortion. It’s actually a pretty good one that came so close to being great. To watch it, you can go to https://www.channelnewsasia.com/news/video-on-demand/the-dark-web/queen-of-sextortion-11679252
So what was missing? I mean, they talk about the scam, explain how it works, talk about the person who they claim created it, interview the scammers themselves; what more could you want? Let me explain it with this analogy. You take your car to the garage because it’s making a weird noise. The mechanic talks to you about the history of the car, its good and bad points, what things are likely to go wrong with it and then – nothing. He left out the single most important thing: what to do to fix the problem. There’s the crux of the matter. For all the good the program did (and I actually did enjoy it), it really needed a “what should you do if the scam happened to you” section. Briefly explain the steps needed. That would have made a good documentary into a great documentary in my eyes.
Scammers pretend to be anyone and everyone. It doesn’t matter if it’s a bank, soldier, politician, government agency or courier company. They don’t care what damage it does to their reputation. Hell, they don’t even care if the person’s even alive. Good looking soldier? That’ll do nicely, even if the picture has come from an obituary. I wish I was making that up, but it’s true. When we receive an email from a scammer, we post it up word for word. If we can find the person they’re pretending to be, we try to let them know. That’s where the problems can arise. A number of times, I’ve received requests to remove information from the forum. Sometimes the requests are polite, sometimes I’ve received screamed abuse down the phone. Remember this though. All we’re doing is copying what the scammer has said to us. Not only what he’s said to us, but what he’s said to tens, even hundreds of other people. Scammers have their scripts that they send out en masse. If we’ve posted an email from a scammer claiming to be a company, many others would have received it too. We’re simply relaying the information so others can be warned. Don’t take it out on us just because we’re saying what the scammer has said. It would be like complaining to your local news station when they’ve shown footage of someone saying something you don’t approve of. They didn’t say it, nor do they necessarily agree with it. They’re only letting people know what was said. Same with us. If you want to get angry at someone, how about the person who said it originally? Don’t bite our heads off, we’re just sharing the facts.
One of the tricks scammers use to make themselves appear more legitimate is a fake, or “spoofed” email address. A while back I demonstrated a spoofed phone number being used by calling myself up with the number of the White House. This time around I’ll show an example of an email address and the corresponding name being sent with nothing but three images. The first is the software needed, the second how it appears in an inbox and the third is how it looks when opened. I’ve used obviously faked details here, but any name and address can be used. I could have made it look like the Dalai Lama had written to me if I’d wanted to simply by changing the details.
Oh, but those were simpler times. They were times of butterflies, roses and people not asking questions that were already answered. It was that sweet spot just after I finished answering every “what if….” question people could ask about sextortion. So what happened? People decided not to read what I’d spent hours upon hours writing, but instead just ask questions that were already covered. You want an example, right? Sure you do. Here’s one from today that came to me in our feedback form:
Do you have any comments about our steps?: “Wondering if Facebook messenger applies to not being used as it is my main form of communication”
Those steps I wrote clearly already cover this. Don’t believe me?
8. Skype, Facebook and any other accounts you have online need to be deactivated for AT LEAST TWO WEEKS. Double this time if you paid money or your scammer is from West Africa. Double it again if both are true. Paying counts whether you canceled it or not. These are the MINIMUM times needed. The longer you leave them deactivated, the better.
See, I told you. Even if you ignore “Skype, Facebook”, you have “and any other accounts you have online”. That HAS to cover it, right? ANY OTHER ACCOUNTS covers everything, right? Right? Apparently not. And that’s why I can look back at photos of me just 5 years ago and see just how much grayer I’ve become these past few years.
Every year, several members of the ScamSurvivors team meet up to share 10 days together by the sea. This year, when doing the booking, I spotted that a 2 week booking was a better deal than a 10 day one, so my wife and I spent a few days at the place before collecting the rest of the crew. A fun time was had by all, many laughs were had, many drinks were drunk and so on and so forth. That’s not the important thing, plus I can’t show you any snapshots from it. During those 14 days, I did my best to leave my laptop in its bag and enjoy being on holiday. When I got back, there was a huge backlog of work to be done, including over 270 scam emails to be filtered through and posted up. Now, this is where the point of this blog post is finally reached.
Usually I work through my catcher account and post the scam emails I receive as and when they arrive. The most one may sit in my inbox is 12 hours. This time however, I got to see a much larger selection at once. I noticed a few things that I’d like to share with you.
Firstly, +4470 numbers. For those unfamiliar, these numbers are “follow me” numbers, and until recently were treated like premium rate numbers. Skype point blank refuses to let me even call them, knowing how much they cost. These are a throwback to before things like Skype numbers became popular, when scams were simpler. As I was plowing through the emails, I saw several still being used. I also saw +23470 numbers being used, probably in equal amounts. These are from Nigerian mobile networks. This led me to wonder if some scammers are still using the +4470 numbers due to their familiarity with the +23470 ones. I can’t say for sure, but it’s certainly a theory that’s worth keeping an eye on. How many of the +4470 users are Nigerians rather than scammers from elsewhere in West Africa?
Secondly came the emails that arrived during the weekend. The number would drop to probably half over the weekends, but what I also noticed was that the amount of “repeats” doubled. Typically, around 20% of the emails I receive are ones I’ve received before. However, over the weekends that number would double. So why would this be? Is it because the scammers who work weekends are newer/more desperate and simply sending out their script to the same sucker lists several times? Are the more successful scammers taking the weekends off to spend their ill gotten gains, leaving those lower on the ladder to continue trying to collect the scraps left?
Truth is, I don’t know the answer to either question. Right now they’re just theories that are worth keeping an eye on. If you’ve noticed the same, please let me know so we can put our heads together to try and work out the bigger picture.
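The two things noticed above (which country prefixes the phone numbers carry, and how many emails are repeats of a script already seen) are easy to count automatically once a batch is larger than a handful of messages. The following is an added example, not code from the original post or the ScamSurvivors site: it extracts international numbers from a batch of email bodies, tags the +4470 and +23470 prefixes the post discusses, and counts an email as a repeat when its text, ignoring case, whitespace and the phone number itself, matches one seen before. The emails in it are constructed samples with fictional numbers.

```python
# Added example (not from the original post): batch triage of scam emails,
# tagging +4470 / +23470 phone numbers and counting repeated scripts.
import hashlib
import re
from collections import Counter

# Prefix -> label, using the descriptions given in the post. Anything else is "other".
PREFIX_LABELS = {
    "+4470": "UK follow-me number (+4470)",
    "+23470": "Nigerian mobile (+23470)",
}

# International numbers with optional spaces, dots or dashes between digits,
# e.g. "+44 70 1234 5678" or "+234-70-9876-5432".
PHONE_RE = re.compile(r"\+\d{1,3}(?:[\s.-]?\d){6,13}")

# Constructed sample batch (fictional numbers); the third email is the first
# one re-sent from a different number, which the post calls a "repeat".
SAMPLE_EMAILS = [
    "Dear friend, I am a diplomat with a consignment box. Call me on +44 70 1234 5678 for details.",
    "Hello dear, my late husband left $4.5M. Reach my lawyer on +234-70-9876-5432 today.",
    "DEAR FRIEND, I am a diplomat with a consignment box. Call me on +44 70 8765 4321 for details.",
    "Congratulations, you won the lottery. Contact the claims agent on +1 555 0100 000.",
]


def extract_numbers(text):
    """Return every international number in text, normalised to '+' and digits."""
    return [re.sub(r"[\s.-]", "", m.group(0)) for m in PHONE_RE.finditer(text)]


def classify_number(number):
    """Label a normalised number by the prefixes the post discusses."""
    for prefix, label in PREFIX_LABELS.items():
        if number.startswith(prefix):
            return label
    return "other"


def script_fingerprint(body):
    """Hash the script with phone numbers, case and whitespace ignored, so the
    same script sent again from a new number still counts as a repeat."""
    normalised = PHONE_RE.sub("<phone>", body)
    normalised = re.sub(r"\s+", " ", normalised).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def triage(emails, seen=None):
    """Count phone-number labels and repeated scripts in a batch.

    emails: list of email body strings
    seen:   fingerprints from earlier batches (so repeats across batches count)
    Returns (Counter of labels, number of repeats, updated set of fingerprints).
    """
    seen = set(seen or ())
    labels = Counter()
    repeats = 0
    for body in emails:
        for number in set(extract_numbers(body)):   # one count per number per email
            labels[classify_number(number)] += 1
        fp = script_fingerprint(body)
        if fp in seen:
            repeats += 1
        seen.add(fp)
    return labels, repeats, seen


def repeat_rate(emails, seen=None):
    """Fraction of the batch that repeats a script already seen (0.0 to 1.0)."""
    _, repeats, _ = triage(emails, seen)
    return repeats / len(emails) if emails else 0.0


if __name__ == "__main__":
    labels, repeats, seen = triage(SAMPLE_EMAILS)
    for label, count in labels.most_common():
        print(f"{count:3d}  {label}")
    print(f"repeats: {repeats} of {len(SAMPLE_EMAILS)} ({repeat_rate(SAMPLE_EMAILS):.0%})")
```

Keeping the returned `seen` set between batches is what lets the weekday/weekend comparison the post describes be made over time; the fingerprint deliberately blanks out the phone number so that a scammer rotating numbers on the same script is still counted as a repeat.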