How would you advise a novice computer user not to get phished

So. Pretend you’re writing an email to a 70-year-old relative who’s had email for a while but doesn’t use the web much. They’ve heard that they can get their identity stolen by emails but don’t really know much about it. How would you advise them to avoid phishing schemes and otherwise not get their passwords stolen?

Here are 4 bullet points:

  • Always be suspicious of emails asking you to make changes to a bank account. If a bank emails you to tell you your account could get cancelled, call them on the telephone to ask what’s up.
  • Never follow a direct link from an email unless it’s from someone you know and they tell you what it is. If you want to go to a bank or other site, type in their address in your web browser.
  • If you’re going to enter sensitive information into a web page, be sure it’s secure - it should say “https://” (with an S) in the web address and there should be a little padlock somewhere on the screen.
  • Never, ever use an important password or credit card info on a public computer (in a cyber cafe or a hotel lobby, for instance).

What am I forgetting?

Never click on anything in your spam mail folder. Delete it without opening. Fake mail doesn’t show up in junk 100% of the time, but often enough that if it does, it’s a fake.

Also anything addressed to “Dear Customer” is pretty likely to be fake. Genuine emails should have whatever name you have given the merchant. If your name is John B. Smith, it should address you as John B. Smith.

If something sounds too good to be true, it is. Any email that starts out: “I am giving away $10 million and have chosen you…” or “You have won a $5 million lottery…” can be deleted without further notice.

One time, I did receive a genuine email from my bank. They had tried calling, but I was away (they were mystified by a couple charges from Hawaii, when I had booked neither airfare nor hotel–both gifts from my son). Their instructions were very clear. Please call the number on the back of your CC. Which I did and it was all explained.

Actually, it is not a bad idea to ignore any email from someone you don’t know. And be careful from people you do know since sometimes the spammers take over a computer and use its address list.

I would add that if you call a bank, use the number on the card or from the branch office, not the number that may be included in the email.

To add to what I said, here is an innocent-sounding email that I rec’d less than a half hour ago. I have deleted the URL because I don’t want anyone trying it and changed the recipient. Note that it purports to come from my time zone, but nine hours in the future. But I only just noticed that. The main giveaway is that the sender of this purported greeting card is identified only as an old friend. But even if the sender were actually identified, I would be very leery of it. Also, I just noticed (or STD editor noticed) that “received” is misspelled. Not fatal, but suspicious.

Does Hotmail ever e-mail its users? I’ve always assumed that any e-mail with a sender name like “Windows Live Hotmail” was a scam and immediately deleted it, but that doesn’t explain why so many e-mails like that keep getting through the junk filter. I’d expect them to be the easiest kind of junk mail for Hotmail to filter out.

I’d add:

  • Get to know your bank and/or credit card provider’s domain name, and check for it in the address bar before you type anything important. Also note that “securevalidation.chase.com” is a very different domain from “chase.securevalidation.com”.
  • The bank already knows your account number, SSN, date of birth, &c. A bank might legitimately ask you for one small non-sensitive bit of info to confirm that you are who you say you are (e.g. birth date, mother’s maiden name, **part** of your SSN), but if they are asking for all of it, there is something wrong.

Rule #1: Never give anyone your password for any reason. Never!

Do not trust an email because it came from somebody you know. Just because it *looks* like your brother or son-in-law sent it does not mean that is true. It could easily be a bad guy who’s masquerading as your brother or son-in-law.

The above is written in grandma-speak. We know the actual likely scenario is either the relatives’ email was hacked, their PC was pwned, or some 3rd party’s email was hacked and their contact list harvested & (ab)used.

If someone with minimal computer experience is thinking of using it for banking/other sensitive purposes, why not set up shortcuts on the desktop computer that go directly to the correct bank landing/sign-in page. That way if they get an email from ABC Bank, they can be told to always go to the Desktop and go to the bank that way, as it’s pretty much guaranteed to be safe. You can set up the icon to be the logo of the bank, make sure the name is very clear, etc.

My FIL used to believe the only way to get on the internet was through Internet Explorer, but my husband wanted him using Firefox. So he just changed the name of the Firefox icon to “Internet Explorer” :)

Thanks for the advice, all. Mnemno: this is more of a general-advice column I’m gearing toward an (imagined) naive user; that would be a good idea if I was helping a specific user (and in a position to mess with their computer).

Don’t use Internet Explorer and don’t use Outlook (Express or otherwise). Make sure Windows is fully up to date.

A 70-year old who isn’t IT-savvy shouldn’t bank online at all.

Even if you have only one PC, use a router rather than connect directly: NAT is a powerful anti-malware device in itself. It also makes it easier for visitors - like you - who have computers.

Download “Noscript” and keep it up to date (once you download it for the first time, updates come automatically).

Try not to mouse over banner ads (I’ve heard of people who’ve gotten infected from merely mousing over ads without even clicking them–rarely a problem, but better safe than sorry). If you run Noscript, the ads won’t even show.

If you have a router, make sure you’ve changed the default password.

(moving away from email just a bit:) If you do Facebook, don’t run any applications (this includes games). Don’t click on the ads on the sides of the page. If you get any messages from your friends saying strange things (like they’re stuck in England and need money), they’re fakes. Be very careful when clicking on links to “interesting” videos posted by your friends–if it doesn’t seem like the sort of thing that particular friend would post, it probably means he/she has been hacked and you’ll be next if you click the link.

Do not use the same password for every site that needs one.

I disagree. Email addresses can be spoofed and don’t mean a thing.

Never, ever send even your birth date or mother’s maiden name unless you went to the site on your own. My mother’s maiden name gives access to all sorts of things.

This. I would have them only use Firefox probably.

It’s important to keep Java, Flash and Adobe Reader updated regularly, since most computer infections come through those sources. You don’t usually have to actively do anything, though, since they update automatically. Just make sure you shut your computer down every few days or so, as that’s required to finish the updates.

But the URL in the address bar of your browser can not (at least not easily). That’s what I’m referring to.

A classic phish I get a lot (trying to get the password to my World of Warcraft account, which I haven’t played in years) is a message from “Blizzard” (and yes, the From address on the e-mail is spoofed) telling me my account is compromised and linking me to a site to get it “verified” by entering my ID/password. That site is never battle.net, and even if I fell for the rest of the phish, a careful eye on the address bar before typing in my info would prevent me from giving my stuff away.
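The address-bar check described in this post and in the earlier one about “securevalidation.chase.com” versus “chase.securevalidation.com” comes down to two questions: is the page https, and does the host name actually sit under the bank’s own domain? The following Python is an added example written for this thread, not code from any poster; it uses “chase.com” from the earlier post as the assumed trusted domain and a handful of constructed sample links to show how the look-alike hosts fail the check while genuine subdomains pass.

```python
from urllib.parse import urlsplit

# Assumption: the bank's real registrable domain, taken from the thread's own
# example. In practice the user would be told this once and write it down.
TRUSTED_DOMAIN = "chase.com"


def hostname_of(url):
    """Return the lowercase host part of a URL, or None if there is none.

    urlsplit drops any "user@" prefix and the port, so a link such as
    https://chase.com@evil.example/ correctly yields "evil.example".
    """
    return urlsplit(url).hostname


def belongs_to(hostname, trusted_domain):
    """True only if hostname is trusted_domain itself or a label-aligned subdomain.

    The "." prefix in the endswith test is what stops "notchase.com" and
    "chase.com.evil.example" from being accepted.
    """
    if not hostname:
        return False
    hostname = hostname.rstrip(".")          # ignore a trailing root dot
    return hostname == trusted_domain or hostname.endswith("." + trusted_domain)


def check_url(url, trusted_domain=TRUSTED_DOMAIN):
    """Decide whether a link is safe to type credentials into.

    Returns (ok, reason). Both conditions from the thread are applied:
    the scheme must be https, and the host must be under the trusted domain.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    host = parts.hostname
    if not belongs_to(host, trusted_domain):
        return False, f"host {host!r} is not under {trusted_domain}"
    return True, "ok"


# Constructed sample links for demonstration only; none are real phishing URLs.
SAMPLE_LINKS = [
    "https://securevalidation.chase.com/login",   # genuine subdomain
    "https://chase.securevalidation.com/login",   # bank name used as a subdomain
    "http://www.chase.com/",                      # right domain, no https
    "https://www.chase.com.evil.example/",        # bank name in the middle
    "https://notchase.com/",                      # shares a suffix, not a label
    "https://chase.com@evil.example/",            # userinfo trick
    "chase.com",                                  # typed without a scheme
]


def classify_samples():
    """Run the check over the constructed samples and return {url: (ok, reason)}."""
    return {url: check_url(url) for url in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, (ok, reason) in classify_samples().items():
        print(f"{'SAFE ' if ok else 'STOP '} {url:45} {reason}")
```

The same two questions are what the earlier poster means by “a careful eye on the address bar”: the browser has already parsed the URL, so the user only has to read the host name from right to left and confirm it ends in the domain they were told to expect. The code does not check the certificate or whether the page is the bank’s real login form; it only shows why a bank name appearing somewhere in a link is not enough.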

One bit of advice which is a bit counter intuitive, and has several conditionals is, write down your passwords on a piece of paper. It is better to have a strong password, and different passwords for different sites, all written down on a piece of paper in your desk, than weak passwords and the same weak password for both your bank, and random web forums.

The conditionals are that the paper itself is reasonably secure. By that I mean, you don’t expect non-trustworthy people to have access to it. Or, the paper is kept locked in a convenient place with other sensitive papers, such as a locking file cabinet or drawer.

Writing your password on a post-it stuck to your monitor in a cubicle farm at work: stupid. Keeping your password on a piece of paper in your den that only you and the faithful spouse have access to, not stupid.

Okay folks, now I’m confused. (Well, actually, I’m not. But if I were a 70-year-old inexperienced computer person, I would be really, really confused.)
There are a couple dozen rules listed upthread: codes to read, icons to look for, updates to install, things to download, things to click on, things NOT to download, and things not to click on.

This is all very confusing, so let’s simplify it for our elderly OP, just as I simplified it for my own parents in their old age home:

There is only one rule:
**Never type your bank info, your credit card or your soc. security number into ANY web site. Never.**

If you want to buy over the internet, use a pre-paid credit card from the rack at the supermarket. Yeah, it’s wasteful. But it’s perfectly safe. You lose about 10 bucks on those cards, but that’s a small price to pay for sleeping well at night.