The random, weird, text that makes no sense.
So just hours after I posted the last entry about the scam phone calls, I was reminded of another problem by an acquaintance in full blown panic.
The text that makes no sense.
There are many variations of this scam, but the bottom line is that you receive a text from a random phone number or short code that informs you of an urgent problem that you must address immediately.
A package that can’t be delivered.
A past due invoice or payment.
A shipping confirmation for an item that is between several hundred and several thousand dollars.
A problem with a transfer out of your bank.
A problem with a transfer into your bank.
A problem with a specific service or website order, PayPal, Amazon, etc.
And…they all have a link in the text.
That link screams to you, “please click me.”
Your brain has processed enough to know what you are looking at isn’t right.
You aren’t expecting a package.
You didn’t buy the item.
You don’t use that service.
Or the one that they count on to get you: “I have not used that service or ordered from them in years, that account must have been hacked.”
And, let’s be honest, it’s the reference to money, specifically your money disappearing, that creates the best weapon a scammer has.
FEAR.
They are counting on that fear to make you take the irrational decision to click that link or, just as bad, reply to the text.
DO NOT DO EITHER THING.
In general, just ignore it, or do as I do and ignore it and block the sender.
The fear is natural, but if you give it five minutes, calmly think about it, and then look at it again, there will be obvious signs that were obscured by that initial fear.
Read it out loud to yourself and listen carefully to the words.
Look at the spelling.
It’s “off.”
It reads like someone who has no understanding of English and the nuance of how we communicate.
A complete miss of what American consumer culture is like.
There are words that don’t belong.
Is PayPal really going to send you a message that starts with “Hello Dear”?
If you are at all concerned, connect directly to the supposed source, Amazon, PayPal, Best Buy, your bank, your credit card.
Log into that website. If there is something you ordered, it will be there. If you missed a payment, it will tell you. What won’t be anywhere is this mystery that you just had sent to you.
But what if it got you? What if you replied or clicked the link?
If you replied, they asked you to download something. If you clicked the link, it downloaded something. At the moment you installed whatever you downloaded, you gave that software whatever permissions you agreed to during the install.
Unfortunately, from that moment until you fix it, you potentially have a major problem.
You don’t know what the thing you installed really does.
You have to assume worst case scenario.
Every password for every app, email address and webpage that you have stored on that phone has been compromised and uploaded to the criminal.
Immediately get on A DIFFERENT DEVICE and start changing passwords.
Start with your email. A compromised email account will defeat a good deal of the protection you get from 2 factor authentication. If they get control and lock you out of your email, things could get real bad, real fast.
Then you hit things like iCloud, Samsung.com (your phone backups) and your bank and any money apps like CashApp, PayPal, Venmo, etc. New passwords for all. And not your last password with an ! or a 2 added. A real password you have NEVER used before. It’s a pain, but you MUST do it.
Once you have the critical items addressed, work through the rest.
Now, here’s the really painful part.
Factory reset your phone.
If you have the phone backed up to the cloud, you should get back your pictures, texts, contacts, maybe even your apps.
Once you have your phone back in your control, it’s time to evaluate any and every password on sites you regularly use. If you have used the same passwords over and over on every site, you have to change them all. Most people will tell you that you should have a unique password for every site. I get it but does anyone REALLY do that?
Here are my rules.
Have a nice long super secure password (greater than 8 characters, contains upper case, lower case, symbols and numbers) that you use for your important accounts: email, banking, or anything tied to your bank account that can pull money out.
Your password on your email account should be 100% strong and only used on your email account.
Anything that would give someone the ability to take your money should follow the same rule.
Outside of that consider your risk and have a personal password policy that makes sense for the level of risk and consideration of what the worst outcome could be.
For example, there are stories of people having their Kroger account compromised. They discover that someone has had hundreds of dollars of groceries ordered for pickup or delivery by or to an unknown 3rd party. For most people that would be a serious problem; for some people that could be utterly devastating.
Is your bank account stored on that website? Think making a payment to a credit card.
Are your credit cards stored on that website? Given that there are other methods to make “remembering” credit card numbers easier and the number of data breaches that make the news, I strongly recommend NOT storing credit cards on a website when you can avoid it.
What would be the financial pain if someone had control?
What would be the effort and stress to recover if it was compromised?
For example, say someone got your password for Nextdoor or Reddit, is that the same risk to you as Twitter, or Facebook, etc.? Are those the same risk as Amazon or Best Buy? If you aren’t blindly using sparky123 as your password on everything and you have put thought into what you use where, it’s okay to re-use some passwords. Just know the risk you are taking and what the possible outcome could be.
I recommend that you consider a password manager rather than paper or “saving to the browser.” It makes changing passwords and keeping track easy. Samsung has a great one built in to their phones, and Norton 360 security has one I used for years before the one on my phone just became easier and better. The key is knowing what password is used where. That way if a password is compromised you know exactly what sites you have to secure.
And no, P@$$w0rd! is not the slick password you think it is. Be safe and protect yourself.
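The password rules above, put into a small checker. This is an added example, not part of the original post. It tests the "greater than 8 characters, upper, lower, symbols and numbers" rule, catches a new password that is only the old one with a character tacked on, shows why P@$$w0rd! still fails, and lists which sites share a leaked password. The function names, the short COMMON_WORDS list and the VAULT entries are made up for illustration.

```python
import re

# Constructed sample; a real check would use a large list of breached passwords.
COMMON_WORDS = {"password", "sparky", "welcome", "letmein", "qwerty"}
# Undo look-alike swaps so "P@$$w0rd!" is recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                      "3": "e", "5": "s", "7": "t", "!": "i"})
CLASSES = {"upper case": r"[A-Z]", "lower case": r"[a-z]",
           "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

def normalize(pw):
    """Drop trailing digits/symbols, lower-case, undo look-alike swaps."""
    return re.sub(r"[^A-Za-z]+$", "", pw).lower().translate(LEET)

def check_password(new, previous=None):
    """Return the list of problems; an empty list means the rules are met."""
    problems = []
    if len(new) <= 8:
        problems.append("8 characters or fewer")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, new):
            problems.append("missing " + name)
    base = normalize(new)
    if any(word in base for word in COMMON_WORDS):
        problems.append("built on a common word")
    if previous:
        old = normalize(previous)
        # Same base word, or the old password with something appended.
        if (old and base == old) or new.lower().startswith(previous.lower()):
            problems.append("variation of the previous password")
    return problems

def sites_to_secure(vault, breached_site):
    """Sites sharing the breached site's password (breached site included)."""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items() if pw == leaked)

# Constructed vault; a password manager keeps this mapping encrypted for you.
VAULT = {"email": "Quartz!Lantern47river", "bank": "Copper?Violin63moss",
         "nextdoor": "Maple#Forum88kite", "reddit": "Maple#Forum88kite"}

if __name__ == "__main__":
    for candidate in ("sparky123", "P@$$w0rd!", "Quartz!Lantern47river"):
        print(candidate, "->", check_password(candidate) or "ok")
    print(sites_to_secure(VAULT, "reddit"))
```

P@$$w0rd! passes every composition rule and is still rejected, because undoing the symbol swaps leaves the word "password".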