Cybersecurity best practices for elders introduction

As the internet becomes increasingly accessible to individuals from diverse backgrounds and through various devices, it is crucial to consider cybersecurity best practices for elders, specifically tailored for older adults. Safeguarding their online experiences requires careful attention and proactive measures. While this enables more people to expand their knowledge and communication with loved ones, it also opens the door for cyber criminals and malicious actors to try to steal private data and money. It is crucial to follow cybersecurity best practices for elders to protect themselves online.

According to data collected by the Internet Threat Research Center, 294 million people had their data compromised in 2021. More than 3.5 million seniors are victims of financial exploitation and online scams each year.

It can be stressful to ensure that older adults and younger loved ones can enjoy the benefits of the internet while staying safe from risks. Below are ways that you, who is more technically savvy, can protect a loved one who may be newer to technology.

Immediate actions to help protect elderly & disabled loved ones

To do quarterly:

• Go to www.haveibeenpwned.com and enter your email and/or phone number. You will get a list of all public breaches affecting your information, including what type of info was found:
  • Review if anything strange has happened on those accounts and change your passwords for them.
• Go to any sites/apps that may have financial data and view your recent logins to get an idea if there is anything fishy:
  • If you think something has been breached, it’s also a good idea to log out of your apps on all devices ― this is for any apps that don’t require a password/fingerprint/face every time you log in like Spotify and Netflix.
• Ensure that multifactor authentication (MFA) is enabled on all accounts.

To do when creating an account:

• MFA
  • Enable MFA on all important sites, such as banking and credit cards. This will prompt an extra verification whenever you log in. The verification can be through an app like Google Authenticator, through a code sent via text or email, or through a security question.
• Security questions
  • Don’t answer them truthfully unless it’s super-specific! Anyone can find out your mother’s maiden name or the street you grew up on. Try to avoid security questions in general for account management but if you need to use them, make up random answers that don’t have anything to do with the question and add them to your password manager. Ideally, you will not rely on these either way.
• Phone numbers
  • When signing up for things that may require a phone number, you can use a Google Voice number. It’s a free telephone service that will help you avoid getting spam calls or avoid someone who might be creepy having access to your real phone number.

Guardrails to help loved ones

On computers

• Make yourself the computer admin and set your loved one up as a regular user. As the admin, you can determine the user permissions and can make it so they can’t download software.
• Switch from a laptop to a tablet
  • Tablets are more secure than typical laptops, and there are some tablets that are “locked down” for seniors, such as the Grandpad.
• Install antivirus software
  • Some are definitely helpful, but there is a trade-off as they may require high-cost or frequent maintenance. If the software is too difficult to maintain, it might be turned off or cause confusion to users, making it unhelpful. Windows Defender, which is installed automatically on all computers that have Windows 10 and above, has a high level of protection. Macs are also typically well-protected by default. Below are some highly regarded options for additional security:
    • Malwarebytes: https://www.malwarebytes.com/for-home
    • Norton antivirus: https://us.norton.com/products
    • McAfee antivirus: https://www.mcafee.com/en-us/antivirus.html
  • There are apps like Hiya, which are good at blocking spam, but there is a monthly cost: https://www.hiya.com/
• Turn on auto-updates: Make sure that computers and smartphones are automatically updated regularly (this can be set so the devices get updated when the latest update is available without too much user interaction). The latest updates often have security fixes.

On phones:

• Keep a list of all customer support numbers handy like internet provider and banks. This way, if your loved one gets a potential scam call from a company they can hang up and call the legitimate number back.
• Disable location services on social media apps. This can be done in smartphone settings.
• Silence unknown callers on your loved one’s smartphone
  • iPhone: https://support.apple.com/en-us/HT207099
  • Android:  https://www.businessinsider.com/how-to-block-unknown-numbers-android
• If your loved one is receiving unwanted text messages, block and report the senders
  • iPhone:  https://support.apple.com/en-us/HT201229
  • Android:  https://support.google.com/messages/answer/9061432?hl=en&co=GENIE.Platform%3DAndroid&oco=1
  • You can also forward messages to SPAM (7726)
• On messaging apps like WhatsApp, use settings to ensure that you can only be added to groups and messaged by people in your contact list.
• Use the family security features of your mobile provider:
  • https://www.verizon.com/solutions-and-services/verizon-smart-family/
  • https://www.att.com/shop/wireless/features/smartlimits-parentalcontrols-sku7080286.html
  • https://www.t-mobile.com/offers/t-mobile-family-mode

Cyber Defense Group's best practices to prevent elder scams

Important security tips

• Passwords for all accounts should be different.
• Longer is stronger! Passphrases (16+ characters) with just letters are more effective than shorter passwords with tons of special characters. “CarolineIsMyFavorite1” is a safer password than “S3cR3t!*”

• Use a password manager to store all your unique passwords
  • Options: There are some software options ― KeePass, 1Password, and LastPass ― that have free versions. iPhones have password managers as well. You can also use a notebook that you keep in a safe place and do not carry with you.
• Use MFA on ALL accounts ― especially accounts with precious data like bank account numbers, credit card information, or Social Security numbers.
  • MFA can usually be set up in settings. Here is more information from CISA: https://www.cisa.gov/mfa
• Be careful what you share on social media. There is no need to share your location on social media ― ever.
• Do not download apps from websites. Only download apps from the App Store (for iPhones), Galaxy Store (Samsung Phones), or Google Play store (Android Phones).
• Do not access any sensitive information (like a bank account) on a public computer or public wifi network, like the ones available at coffee shops or airports.
• When you go to a website, the site should start with https:// and have a little lock symbol at the top. A website starting with http:// is not secure and will have a little lock symbol with an X or a slash through it. Below is a picture of what is a safe website vs an unsafe website.

Things to be aware of when you receive a call, email, text, or message on social media

• Caller ID, phone numbers, and email addresses can be faked
• Links can be faked (for example, a link that looks like Google.com can lead to a different website when clicked). Be very careful if you want to click on a link someone has sent via email, text, or Facebook message.
• Beware of emails or calls that say you’ve won something. If it seems too good to be true, it probably is.

If you get an unexpected call from a company

1. Ask for the person’s name and job title.
2. Do not answer any questions. If they are calling you then they do not need to verify your identity.
3. Tell them you will hang up and call them back using the customer service number. You can even lie and say you have a bad connection or there’s a caller on the other line.

If you get a suspicious email or message

Do not click any links or respond until you have reviewed it thoroughly.

Here is what to check:

Format: Are words misspelled or is the grammar incorrect?

Am I addressed by name?

Emergency: Is this email more urgent than usual? An attacker may be trying to scare victims into acting without thinking thoroughly.

Example: If my friend needed a wire transfer of money, would they email me?

Is there a reason I would get an urgent email rather than a call?

Authenticated: Did this really come from the person that it says it came from? Is not just someone doing it from a different email address than I am used to?

Example: Instead of “@bankofamerica.com” the sender is “@bankofameria.com”

Seeing a friend’s name in the “sender” field but when hovering over the name, it is a different email address

Can you authenticate that the message is real by contacting your friend through a different method and confirming that they sent it?

Relevant: Is this message relevant or expected?

Example: Would the IRS email me about a tax return in October?

Does this friend ever message me links on Facebook?

Legitimate companies will never ask for personal info over email.

Common scams targeting elders

The medicare scam

Some attackers pretend to be Medicare representatives saying there are issues with payments, medication, or a doctor’s visit. If you get a call from a Medicare representative, ask for their name and title then tell them you will hang up and call back. The Medicare number is (800) MEDICARE (800) 633-4227.

The funeral scam

After there is a death, some people may take advantage of that by calling the other family members of the deceased and saying that the person who died had unpaid debts that need to be paid immediately. They are hoping to take advantage of people who are stressed and emotional. Debt collection agencies have federal laws they must follow which are listed here: https://www.consumer.ftc.gov/articles/debt-collection-faqs. They must be able to provide you with information like how much money the deceased owes, the name of the creditor they owe it to, how to get the name of the original creditor, and what to do if you don’t think it’s their debt. Legitimate debt collectors do not need money wired to them.

The tech support scam

An attacker will call pretending to be customer support for your computer, internet, or phone service. They will ask for your personal personal and financial information, or usernames and passwords. Legitimate customer support will never call you to ask for your password, Social Security number, or private personal information, over the phone. Tell them you will hang up and call them back using the customer service number.

The family member in need scam

An attacker will call, pretending to be a grandchild or family member needing money. They will ask you to not tell anyone and say that it is urgent. Think to yourself ― has this family member ever called me for money before? Do they sound like themselves? Is there a way to verify what they are saying with another family member?

The romance scam

On online dating sites, criminals may create fake profiles and strike up a “romance” with people. After building trust, the criminal will pretend to need money for debt, medical expenses, or other urgent situations. You should never send money to a romantic partner you have not met in person.

The ‘I’m already in’ scam

In this online scam, victims will receive an email stating that the email sender has already placed a monitoring device on the victim’s own computer screen. The email will state that there is evidence of the victim going to inappropriate websites and if the victim doesn’t pay, the attacker will send this evidence to their whole contact list. In this case, the attacker is lying and trying to use an embarrassing situation to make someone pay them quickly. Do not respond.

If you think you’ve been the victim of a scam

• Do not blame yourself or be embarrassed. You are the victim and everything that happened is the attacker’s fault, not yours.
• Know that this happens to millions of people. Companies of all shapes and sizes fall victim to cyberattacks. People with years of experience in the technology industry still make mistakes and may accidentally give up information.
• Tell someone in your family who can help you through the following steps if needed.
• Change your passwords on all devices and applications. Make sure to record those passwords in your password manager (app or notebook).
• On most websites and apps, there is an option to “sign out of other devices.” Make sure to do that.
• Check your bank statements and call the bank if the scam may have involved your bank account. Continue to keep an eye on your bank statements for a few months after the scam.
• If you fear your Social Security number may have been compromised, you can put a freeze on your credit.
• Contact the Internet Crime Complaint Center: https://complaint.ic3.gov/

FAQ: For more information and learning on this topic

• Digital Learn: https://www.digitallearn.org/
  • Learning resources about computer and security software basics and other topics. It has some informative and short presentations.
• CyberSecurity & Infrastructure Security Agency: https://www.cisa.gov/publication/stopthinkconnect-older-american-resources
  • Resources for folks who might be new to technology.
• Stay Safe Online (Provided by the National Cybersecurity Alliance): https://staysafeonline.org/stay-safe-online/
• Stop, Think, Connect (Developed by the Anti-Phishing Working Group and National Cybersecurity Alliance): https://www.stopthinkconnect.org/tips-advice/general-tips-and-advice