Chris Fix

The random, weird text that makes no sense.

Random Unknown texts

So just hours after I posted the last entry about the scam phone calls, I was reminded of another problem by an acquaintance in full blown panic.

The text that makes no sense.

There are many variations of this scam, but the bottom line is that you receive a text from a random phone number or short code that informs you of an urgent problem that you must address immediately.

A package that can’t be delivered.

A past due invoice or payment.

A shipping confirmation for an item that is between several hundred and several thousand dollars.

A problem with a transfer out of your bank.

A problem with a transfer into your bank.

A problem with a specific service or website order, PayPal, Amazon, etc.

And…they all have a link in the text.

That link screams to you, “please click me.”

Your brain has processed enough to know what you are looking at isn’t right.

You aren’t expecting a package.

You didn’t buy the item.

You don’t use that service.

Or the one that they count on to get you: “I have not used that service or ordered from them in years, that account must have been hacked.”

And, let’s be honest, it’s the reference to money, specifically your money disappearing, that creates the best weapon a scammer has.

FEAR.

They are counting on that fear to push you into an irrational decision: clicking that link or, just as bad, replying to the text.

DO NOT DO EITHER THING.

In general, just ignore it, or do as I do and ignore it and block the sender.

The fear is natural, but if you give it five minutes, calmly think about it, and then look at it again, there will be obvious signs that were obscured by that initial fear.

Read it out loud to yourself and listen carefully to the words.

Look at the spelling.

It’s “off.”

It reads like someone who has no understanding of English and the nuance of how we communicate.

A complete miss of what American consumer culture is like.

There are words that don’t belong.

Is PayPal really going to send you a message that starts with “Hello Dear”?

If you are at all concerned, connect directly to the supposed source, Amazon, PayPal, Best Buy, your bank, your credit card.

Log into that website. If there is something you ordered, it will be there. If you missed a payment, it will tell you. What won’t be anywhere is this mystery that you just had sent to you.

But what if it got you? What if you replied or clicked the link?

If you replied, they asked you to download something. If you clicked the link, it downloaded something. At the moment you install whatever you downloaded, you give that software whatever permissions you agreed to during the install.

Unfortunately, from that moment until you fix it, you potentially have a major problem.

You don’t know what the thing you installed really does.

You have to assume worst case scenario.

Every password for every app, email address and webpage that you have stored on that phone has been compromised and uploaded to the criminal.

Immediately get on A DIFFERENT DEVICE and start changing passwords.

Start with your email. A compromised email account will defeat a good deal of the protection you get from two-factor authentication. If they get control and lock you out of your email, things could get real bad, real fast.

Then you hit things like iCloud, Samsung.com (your phone backups) and your bank and any money apps like CashApp, PayPal, Venmo, etc. New passwords for all. And not your last password with an ! or a 2 added. A real password you have NEVER used before. It’s a pain, but you MUST do it.

Once you have the critical items addressed, work through the rest.

Now, here’s the really painful part.

Factory reset your phone.

If you have the phone backed up to the cloud, you should get back your pictures, texts, contacts, maybe even your apps.

Once you have your phone back in your control, it’s time to evaluate any and every password on sites you regularly use. If you have used the same passwords over and over on every site, you have to change them all. Most people will tell you that you should have a unique password for every site. I get it but does anyone REALLY do that?

Here are my rules.

Have a nice, long, super secure password (greater than 8 characters, contains upper case, lower case, symbols and numbers) that you use for your important accounts: email, banking, or anything tied to your bank account that can pull money out.

Your password on your email account should be 100% strong and only used on your email account.

Anything that would give someone the ability to take your money should follow the same rule.

Outside of that, consider your risk and have a personal password policy that makes sense for the level of risk and for what the worst outcome could be.

For example, there are stories of people having their Kroger account compromised. They discover that someone has had hundreds of dollars of groceries ordered for pickup or delivery by or to an unknown 3rd party. For most people that would be a serious problem; for some people that could be utterly devastating.

  1. Is your bank account stored on that website? Think making a payment to a credit card.

  2. Are your credit cards stored on that website? Given that there are other methods to make “remembering” credit card numbers easier and the number of data breaches that make the news, I strongly recommend NOT storing credit cards on a website when you can avoid it.

  3. What would be the financial pain if someone had control?

  4. What would be the effort and stress to recover if it was compromised?

For example, say someone got your password for Nextdoor or Reddit, is that the same risk to you as Twitter, or Facebook, etc.? Are those the same risk as Amazon or Best Buy? If you aren’t blindly using sparky123 as your password on everything and you have put thought into what you use where, it’s okay to re-use some passwords. Just know the risk you are taking and what the possible outcome could be.

I recommend that you consider a password manager rather than paper or “saving to the browser.” It makes changing passwords and keeping track easy. Samsung has a great one built into their phones, and Norton 360 security has one I used for years before the one on my phone just became easier and better. The key is knowing what password is used where. That way, if a password is compromised, you know exactly what sites you have to secure.

And no, P@$$w0rd! is not the slick password you think it is. Be safe and protect yourself.
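Here are the password rules above turned into a small checker, as an added example that is not part of the original post. The word list, the sample vault and the function names are all made up for illustration.

```python
import string

# Constructed samples: a tiny word list and a site -> password vault.
COMMON_WORDS = {"password", "sparky", "welcome", "letmein"}
VAULT = {
    "email": "Tr1ckle-Down#Oboe77",
    "bank": "Summer2019!",
    "nextdoor": "sparky123",
    "reddit": "sparky123",
    "grocery": "sparky123",
}
LEET = str.maketrans("@$01345", "asoleas")  # look-alike swaps: @->a, $->s, 0->o ...
TAIL = string.digits + string.punctuation
CLASSES = {
    "upper case": string.ascii_uppercase,
    "lower case": string.ascii_lowercase,
    "symbols": string.punctuation,
    "numbers": string.digits,
}


def core(password):
    """Reduce a password to the word a person would actually remember."""
    stem = password.lower().rstrip(TAIL)  # drop the "!" or "2" tacked on the end
    return stem.translate(LEET)           # undo swaps such as @ for a


def check_password(new, previous=()):
    """Return the reasons a candidate password breaks the rules above."""
    problems = []
    if len(new) <= 8:
        problems.append("not longer than 8 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in new):
            problems.append(f"missing {name}")
    stem = core(new)
    if stem and any(stem == core(old) for old in previous):
        problems.append("old password with characters added")
    if stem in COMMON_WORDS:
        problems.append("common word in disguise")
    return problems


def sites_to_secure(vault, leaked_site):
    """Every site that shares the leaked site's password."""
    leaked = vault[leaked_site]
    return sorted(site for site, pw in vault.items() if pw == leaked)
```

Note that `P@$$w0rd!` passes the length and character-mix rules and is still flagged, which is why those rules alone are not enough.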

Chris Fix

“I received a phone call telling me that something is wrong with my computer…”

No, Microsoft didn't just call you....

First things first. No.

That should be the first word that comes to mind when faced with a phone call offering help with a problem that you either didn’t know you have or a problem that has suddenly appeared. There are no pro-active, altruistic initiatives from any reputable software companies to ride up on a white horse and save you from anything. It doesn’t happen.

It will never happen. It is a lie designed to prey on someone that is uncomfortable with computers, doesn’t truly understand how to secure their computer and has a fear of doing or clicking the wrong thing. That voice on the phone sounds so helpful, it sure sounds like it knows what it is talking about. The voice is a con. The voice is a criminal.

Imagine this scenario: you get out of your car and someone walks up to you and tells you someone stole your wallet. You look in your purse, you check your pocket, your wallet is there, you can see it. When you tell them, no, it hasn’t been stolen, they ask you to hand them the wallet to make sure nothing is missing. Would you hand them the wallet?

It’s a crazy question, right? Of course, there are so many alarm bells in this situation that you can sense the danger. It’s the same con. Only the pleasant voice on the phone is helpful, whereas someone approaching you in a parking lot is uncomfortable or scary.

So what do you do? First, hang up. Second, walk away from your computer and put down your phone. Now it’s time to think. What have you done recently on your computer or phone that would have served as an invitation for this phone call?

All of these questions apply to both your computer and your cell phone.

Did you visit a website you don’t normally go to?

Did you click a link in an email from a friend or business associate?

Did you get an email that seemed odd when you read it? Could be a single odd or misused word, or a tone that seemed unlike the person it was supposedly from.

Did you get a “security” email from a site you use that you immediately clicked but in the end, there was no security issue?

Did you add a “browser extension?”

Did you install a new application?

Was there a random popup that told you you were infected with a virus?

Somehow, something you have done has made you a target and it’s time to take precautions. At a minimum you should have virus software on both your computer and your phone. It can be a free version if it’s from a reputable company. Use this software to do a scan of both devices.

You should also run an “on-line” scan. Sometimes your installed virus software will miss something, especially if it’s a new attack or you haven’t let the machine do its updates and reboots as it has requested. An online scan helps identify an issue that your installed software can’t see. I recommend Trend Micro’s Housecall. It’s free and reliable.

There is a decent chance that you will find nothing infected. In many cases it’s what’s known as a browser extension that is causing the issue. In simple terms, a browser extension is something that a user, either knowingly or unknowingly, added to their browser of choice. This happens most often when something is installed or a popup from a web page is blindly accepted. It is extremely important that you read everything before you click accept or next. As a user, your click is granting permission for whatever the application or page tells you it’s going to do. Sometimes what you read is truthful, other times it isn’t, but only you can protect yourself.

Stay tuned for more detailed posts on some of the topics mentioned above.
