This month, we are going to talk about social engineering scams and how they target the elderly population. I know anyone in all age groups can be a target of attackers and any age group can fall for attacks. As a professional social engineer, I see many different targets from different demographics either fall for or remain resilient to attacks we perform for our clients. I am interested in bringing to light some of the common and widely used attacks targeted at our older population and providing some useful tips on how to protect yourself or a loved one.

The reason for this is that it may be very difficult or even impossible for them to recover from financial loss if they are already retired and no longer generating income. When a financial scam targets a younger person still in the workforce, they may have a better chance to make up that money over time, while retirees may not. That is not true in all cases, but I think it is safe to say someone in the workforce has more potential to make money than someone who has left it and is living on previously acquired income.

Some states have put together reports on elder abuse by financial scammers, and the numbers they report are staggering. The US Justice Department recently released information about an elder fraud sweep in which “the charged elder fraud schemes caused losses of more than half a billion dollars.” The financial loss alone can be devastating, but the psychological effect can also have a significant impact on the target, which can sometimes be worse.
What are we seeing?
As professional social engineers, we employ 4 main disciplines: vishing, phishing, SMShing, and impersonation, all of which are used against elderly targets.
Vishing (or voice phishing) tends to make the news much more frequently and is seen in the form of common schemes known as “Lottery Phone Scams,” “Grandparent Scams,” and “Romance Scams.” In each of these, a caller attempts to convince the target they have won something, that the attacker is a relative in need of financial assistance, or that the attacker is an admirer in need of financial assistance traveling to see them. Attackers can leverage feelings of loneliness or lack of contact with others to keep in contact and build seemingly meaningful relationships with the victims. The attackers can then use this relationship to gain the trust required to steal vast amounts of money and other resources from the targets.
Phishing and SMShing are a problem for all age groups, and seniors are no exception. They can receive emails and text messages from common institutions asking them to update or verify personal information, or even messages using pretexts related to IRS refunds that do not actually exist. This threat is further exacerbated if the recipient is not technologically fluent.
Impersonation is also reported, where attackers will go to retirement homes or common gathering locations of seniors and use pretexts related to surveys, Medicare and other health insurance representatives, and, even worse, debt collectors at funerals and cemeteries. The goal here is to collect enough personal information to file fraudulent medical claims or attempt direct access to financial accounts.
What can we do about it?
Many of the mitigations to combat these threats are taught in corporate security training programs. Unfortunately, the targets we are discussing here are mostly retired and do not have access to that training to teach them how to avoid becoming victims of these scams. It is up to those who are security-minded and aware of these attacks to inform potential targets on how to protect themselves. Here are some techniques that can be easily communicated and employed to protect ourselves, our loved ones, and our friends of any age if they are not exposed to formal training.
- If you are being asked to provide any type of information either over the phone, in person, or on a website, verify the requester is who they say they are before disclosing anything. Ask for a company name and number that can then be called back, if necessary. Ask for a business card to schedule a follow-up meeting. Visit a known good website and seek assistance. All of these actions delay the attack and allow for critical thinking by either the target or a caregiver to ensure the request is legitimate.
- Be aware of the information that is available online about you or your loved ones. Social media is a great place for an attacker to gain enough information to pose as a family member or friend. If you are aware of the information that is available, when that information is used as a pretext you are at least conscious of the fact that it is public knowledge.
- Participate in public service programs for education on the risks and mitigations of elder fraud. The Department of Justice has partnered with the Corporation for National and Community Service to provide free education on the topic in more than 30,000 locations nationwide.
In addition to these points, consider putting a freeze on all the major credit reporting services if you or your loved ones are not in immediate need of credit. Brian Krebs has a very useful post, originally posted after the Equifax breach that he covered extensively, which directly addresses how to apply credit freezes and also addresses many common questions about them.
If you are aware of current and common threats, take some time to tell those you know who are not as aware; you could potentially save them the long and painful “adventure” of recovering from financial scams that exist and are frequently used.
Written by: Ryan MacDougall