For your continued awareness;
The email address is genuine, the name of the Legion beneficiary is correct. The emailer knows my first name. I was suspicious on the first email because of the spelling of "favor". Ian is a 90yr old British veteran. He is unlikely to write "favor". However, one never knows, I have to deal with people in need quite often and Ian can't use a phone because of deafness.
I do know, however, that Ian does not have a niece and would never use USD so the second e-mail blew it.
=================================
From: Ian ***** <***.******@hotmail.com>
Sent: Sunday, August 22, 2021 4:38:16 PM
Subject: CHECKING IN???
Hi Mark,
Can i ask a quick favor from you please?
Thanks,
Ian
________________________________________
Subject: Re: CHECKING IN???
Of course
M.
________________________________________
Thanks for your quick response, It's my Niece birthday and I need to get her Steam Wallet or Google play gift voucher for her as a birthday gift, but I am having problems purchasing online and I'm traveling right now.
Can you help me get it at any supermarket, or shops & stores close to you? I promise to pay it as soon as I get back. Kindly let me know if you can handle this on my behalf ? So, I can let you know what to do with the gift voucher once you have them. Am only looking to spend $200, I promise to pay back as soon as i get back. Please let me know if you can handle this.
Awaiting your kind reply.
Thanks,
Ian
________________________________________
i would really appreciate it if you can send the money directly to my niece through PayPal account so that she can purchase the gift card on her own please. Kindly let me know if you can handle this now so i can forward you her PayPal address. Your ability to help with this will be highly appreciated, i look forward to hearing from you soon please
Awaits your kind reply
Many thanks,
________________________________________
Hello Mark,
How are you doing today. I would really appreciate it if you could help me purchase the gift card today, please because i promised my niece i will be sending her the gift card today and i don't want to fail the promise please. Kindly let me know if you can get this done for me today, please. Your ability to help with this will highly be appreciated, i look forward to hearing from you soon please
Awaits your kind reply
Thanks,
Ian
|
I would guess Ian's email & address book has been compromised. Warned him yet?
Last edited by: Zero on Mon 23 Aug 21 at 16:39
|
Oh yes, but warning a 90+ yr old Vet and explaining to him what has happened and what to do about it is a process rather than a single action. Especially this one who, nice chap that he is, regards all technology as a black box which mere mortals are not intended to understand.
I assume that they must be actually in his email since replies to/from work and they are certainly not spoofing the address.
|
>> I assume that they must be actually in his email since replies to/from work and
>> they are certainly not spoofing the address.
I would guess the email password was an easy one to crack and they have access to the account.
|
Difficult to know as Ian has no clue what it was and in fact swore his account didn't have one.
Of course it does, and his computer is newish so he must have known it a year or so ago. When asked he said he'd been told not to write it down.
I may weep.
Last edited by: No FM2R on Mon 23 Aug 21 at 17:00
|
Oh, and when asked if he'd written his banking password down he said that he had not but had emailed it to his daughter for safety.
[sigh]
|
It's been going on for many years but I heard something about this on R4 only 2 or 3 weeks ago.
againstscammers.com/why-do-scammers-ask-for-gift-cards-as-payment/
|
I need to send out an email to a bunch of older people.
Please read / critique / edit / change this for me.
Thank you.
===================
How do people get into your email?
Perhaps you have registered for something of no importance. Maybe a newsletter, maybe an internet forum, maybe a comedy site, who knows? But something of no importance.
And it gets hacked. Of course you don’t know that, perhaps you don’t even care since you’d stopped reading it years ago.
But the hackers now have the username / password that you used on that account. And of course you have used the same password for your Bank, Facebook, Email and goodness knows what else.
So now they go around trying them all and they get in. And once they are in then they block you out. They send emails to your friends asking for money as if they are you. They access your internet banking and buy gift cards that they send to themselves. They find out all sorts of personal information about you and start taking out loans and credit cards in your name.
It can get worse that you imagine.
• Use long and complicated passwords
• Use a different password for every account
• Consider using two-factor authorisation. You may need help with that of you may feel it is too much for you. But it is safe.
• You don’t need to change passwords regularly, that is bad advice and will just make you forget them. Just make them difficult to guess
• If you do need to write them down, then disguise them and put the piece of paper somewhere hidden. Perhaps write them down, photograph the piece of paper, hide the photograph on your phone and destroy the paper.
If in doubt, ask us.
|
I received the same email a few weeks ago apparently from an old colleague. He is about 80 but very Internet savvy. I went round to see him right away and he was already on the case.
What made it potentially convincing is that it is his email account but the scammer had put a divert on replies. The account's owner doesn't see these. I think this is a secretarial function in email?
Last edited by: martin aston on Mon 23 Aug 21 at 17:34
|
I assume that the scammer does not change the password to avoid alerting anyone.
I am trying to persuade Ian to change his, but it's hard. It's a fair old drive as well, but I am guessing I shall have little choice.
|
>> I need to send out an email to a bunch of older people.
>>
>> Please read / critique / edit / change this for me.
>>
>> Thank you.
>>
>> ===================
>>
>> It can get worse that you imagine.
Typo? That for than?
Perhaps insert 'can' between 'you' and 'imagine'?
Or have I got my pedant's hat on again?
|
Another typo
that if you may feel it is too much for you
|
My comments. Worth what you paid for 'em.
You need to scratch the "no importance". Old folks can take things literally and focus on the "no importance" part. The problem is that too many sites that should know better have had user data stolen. Yahoo, Talk Talk, BA, FB, T-Mobile, Marriott etc. As well as councils and charities in the UK.
Scratch the "block you out" bit. Doesn't always happen. I'd put something like 'Once they are in they can start to impersonate you'.
I'd add "or credit card accounts" after "internet banking".
Don't say "long and complicated" say "longer but easy to remember". Don't use dictionary words, they're easy to crack but combining words and adding uppercase, punctuation and numbers is OK. eg. "Big3in.Bolt", "Litre-of0il".
Best not to write them down but they can write down something innocuous to jog their memory, i.e. a shopping list in a kitchen drawer with "Large bolts 3.99 each", "Small Castrol GTX".
Explain what two-factor authorisation actually is (in simple terms or call it something different), don't frighten them with jargon. Tell them that it's just a way to try and stop the bad guys by confirming that it really is them.
Tell them that if they install a good password manager they would only need to remember one password but they should ask for more info if interested. (They won't).
And don't let a browser store important passwords please.
Your biggest problem is keeping it simple and avoiding information overload. Otherwise they'll just switch off. Been there.
|
Thank you, excellent comments.
|
On passwords, I’m sure I read advice recently saying the best passwords were to use three random words? Something like walltableroad
Advice above suggests not using dictionary words?
|
And I remember years ago getting my email password hacked. To this day I still believe it was to do with a hack on the HJ website.
But the person had accessed my webmail and diverted all my emails to another email address so I wasn’t getting the replies to the emails I was allegedly sending out.
|
AIUI, using dictionary words allows hackers to just concentrate on combinations found within a dictionary, making brute force hacking much faster.
|
Nope, words of any kind are a no-no.
Completely random using upper, lower case, and numbers and punctuation. And accents, lots of lovely accents. At least 12 characters.
2t^dYyLxCj)NGT@?
Like that
|
Although I have a fairly reasonable algorithm for operating a unique passwords policy I could probably do with tightening it up.
But surely you don't use complex ones for sites like here do you, and other unimportant stuff?
And, if you use a password manager, can you share it with your other half on different Microsoft/Google accounts?
|
>> Although I have a fairly reasonable algorithm for operating a unique passwords policy I could
>> probably do with tightening it up.
>>
>> But surely you don't use complex ones for sites like here do you, and other
>> unimportant stuff?
I don't even have a valid email for this site.
|
>>I don't even have a valid email for this site.
I know, but I still use it to email you. I like the peace and quiet and lack of smart a*** responses. I also win all the arguments you don't know we're having.
|
>And, if you use a password manager, can you share it with your other half on different Microsoft/Google accounts?
I use Bitwarden and yes, you can share credentials between members of a group or Organisation as they call it. So Mrs Smokie could share your credit card details with you if she approved of why you wanted it.
|
Thanks. Rather than pollute Mark's original thread too much, I've started a thread in Computing about password managers. It's here
www.car4play.com/forum/post/index.htm?f=6&t=29243
|
>>But surely you don't use complex ones for sites like here do you, and other unimportant stuff?
I have a useless email address and a crap password that I use for everything I don't care about and duplicate all the time. Both the email address and the password have been hacked a gazillion times and I haven't changed them in years.
Everything else (around 100 accounts I think) has a long, complicated and unique password, unknown to me, managed by a password manager, with a 29 character password of upper and lower case, numbers and special characters. I maintain two different password managers, both backed up, and 2FA access on everything that allows it.
My phone is encrypted and you would need two different passwords and my fingerprint to use it. I can't stop someone resetting it if they try hard enough, but no normal thief will get any data off it.
I don't know if my password managers would share credentials with someone else because I don't, and wouldn't ever, do it.
I still worry.
(all pretty simple to use and maintain, somewhat of an a*** to set up)
|
>> Everything else (around 100 accounts I think) has a long, complicated and unique password, unknown
>> to me, managed by a password manager, with a 29 character password of upper and
>> lower case, numbers and special characters. I maintain two different password managers, both backed up,
>> and 2FA access on everything that allows it.
>>
>> My phone is encrypted and you would need two different passwords and my fingerprint to
>> use it. I can't stop someone resetting it if they try hard enough, but no
>> normal thief will get any data off it.
OOH! Is that a challenge?
|
>> 2t^dYyLxCj)NGT@?
>> Like that
Ok. Then how do you memorise/store that password - and all the others?
Last edited by: VxFan on Tue 24 Aug 21 at 12:36
|
>> Ok. Then how do you memorise/store that password - and all the others?
You have it tattooed on your willy. Of course that means you can only have a 4 letter password.
It also has the advantage that pedants can't whine about the spelling
Last edited by: VxFan on Tue 24 Aug 21 at 12:36
|
>You have it tattooed on your willy. Of course that means you can only have a 4 letter password.
I already have "International Business Machines United Kingdom, Public Limited Company" on mine. Did you have to go for "IBM"?
|
>> >You have it tattooed on your willy. Of course that means you can only have
>> a 4 letter password.
>>
>> I already have "International Business Machines United Kingdom, Public Limited Company" on mine. Did you
>> have to go for "IBM"?
Been a while since you saw more than "int" tho.
|
>> >> Ok. Then how do you memorise/store that password - and all the others?
>>
>> You have it tattooed on your willy. Of course that means you can only have
>> a 4 letter password.
>>
>> It also has the advantage that pedants can't whine about the spelling
>>
You're wasted here, Z.
:-)
|
>> >> 2t^dYyLxCj)NGT@?
>> >> Like that
>>
>> Ok. Then how do you memorise/store that password - and all the others?
I keep mine in an encrypted password storage file that I access using a proprietary password program that keeps the file in the cloud and syncs with devices. I can access it from my phone or laptop and I keep a fairly recent back up to limit what I would lose if the cloud file became inaccessible.
You can of course set up so that you only enter a master password and the program completes the password for you but I don't like that idea. Some passwords I allow the browser to save, but not email and financial ones or my phone account (having your phone number stolen is a problem with 2 factor security).
My passwords are now all unique and contain upper and lower case letters, numbers and symbols.
The single point of failure is if somebody finds my password file and cracks it, then boom it's all gone. 4 digits would get you into my phone, and you could find the app, but you need the strong master password to get in. And it won't allow more than 10 attempts.
Nothing is totally, unbreakably secure, nor was it prior to the internet and personal computing.
It's ridiculous for banks etc. to say to people "don't write your password down". Anything you can remember easily is unlikely to be very secure.
Last edited by: Manatee on Tue 24 Aug 21 at 14:17
|
>>Some passwords I allow the browser to save
I don't for anything other than my rubbish email/password.
>>Anything you can remember easily is unlikely to be very secure.
I think to have a single, unique and complex password is ok. Perhaps even a couple, but loads? Never going to happen. Not with me, anyway.
|
"2t^dYyLxCj)NGT@?"
You hear that a lot in Glasgow.
|
>>
>> 2t^dYyLxCj)NGT@?
>>
>> Like that
>>
....well, that's a coincidence....
|
>> ....well, that's a coincidence....
Not really, I got it from your machine.
Last edited by: VxFan on Wed 25 Aug 21 at 03:06
|
>> On passwords, I’m sure I read advice recently saying the best passwords were to use three random words? Something like walltableroad
But that's not what the TV advertisements suggest...:-)
tinyurl.com/4yw3v5xb
|
Zero, what email password do you refer to? I'm not aware that I have one, unless you refer to the passwords for access to a particular organisation such as Amazon or Car4play?
|
>>what email password do you refer to?
In the absence of Zero...
The password that stops me or anyone else reading your email.
Your password will have been saved at some point to the device you are using which will be signing you in when you open your email program or web page.
You will definitely have one. It's one of the important ones because access to it will not only give access to your emails but will facilitate the resetting of many other website passwords.
|
If you use an iPad all your passwords are saved in Settings. You only need your four digit device code to access them. I assume you can stop it saving passwords but I find it useful and my iPad seldom leaves the house so the risk is low.
|
Well it getting lost or nicked is indeed one risk, but what about if it just breaks? You might not be able to get it repaired, and even if you can it might get factory reset, and even if not you might need to send it away to get it done at which time the repair engineers can go for a romp through your life.
|
>> Well it getting lost or nicked is indeed one risk, but what about if it
>> just breaks? You might not be able to get it repaired, and even if you
>> can it might get factory reset, and even if not you might need to send
>> it away to get it done at which time the repair engineers can go for
>> a romp through your life.
>>
>>
>>
I believe if you have an Apple account, and tick the appropriate setting, the iPad will save your passwords to the cloud and download them to all your iOS devices.
(This was explained to me by an iPhone expert so apologies if I have it wrong.)
Last edited by: zippy on Tue 24 Aug 21 at 21:33
|
I'm sure you're right. The last, and only I think, Apple product I've owned was an iPhone 4.0 I think, and I hated that after 5 days and got shot.
|
Work are using a pattern of numbers for passwords on an increasing number of non-core applications. For example
445832211
234959059
203949506
945983453
234839403
230349435
249448384
234958434
923428232
The numbers always change whenever you use the application. The numbers can also be letters.
Your password is a pattern. So if your pattern is a "T", you would enter 44583221154834452.
Next time it would be a different set of numbers based on the same pattern.
As the numbers / letters constantly change it seems pretty secure to me but I'm sure one or more of you will put me right.
|
Looks pretty secure to me technically.
But talk about giving your staff incentive to try to find a way to lessen the impact or bypass it.
Talk about trying to give IT a bad name. FFS. If that isn't for nuclear launch codes it's insane.
|
All of the grids are images of characters, not text so there is no cutting and pasting and one image rather than 81 with names that could give clues to the numbers (I've looked at the code).
|
So all anyone needs to know is that Zippy is a 'T'? Or am I missing something?
|
>> So all anyone needs to know is that Zippy is a 'T'? Or am I
>> missing something?
>>
LOL, I'm not that silly!
|
No - I'm trying to work out how this works. Is it like this:
When you fire up an application you enter your login-id and it then presents you with a picture of a grid of numbers/letters. You then have to choose the numbers/letters that would make up the shape of your personal alphanumeric character and enter those numbers/letters as a password.
Have I got that right?
|
Sort of.
The shape can be anything, not necessarily an alpha numeric character. Could be a snake, every 3rd number, a low res giraffe etc.
Plus of course two factor authentication to work's mobile.
|
You've got me intrigued now.
How do you know which shape to use at each login time?
How are you presented the number matrix?
Is this measure primarily aimed at ensuring that a real person is entering, like an enhanced captcha type thing, or is it aimed at preventing unauthorised entry?
|
>> You've got me intrigued now.
>>
>> How do you know which shape to use at each login time?
You set up a shape for each app first time it's used - so I might use a horse for one app and a number 3 shape for another app. The process authenticates who you are with data known about you and TFA. I use a memory based word map (a made up story to remember my passwords) to remember the shape for each app.
>> How are you presented the number matrix?
>>
On the log on page, you enter your user name for the app and the grid is generated with a password box for the number.
>> Is this measure primarily aimed at ensuring that a real person is entering, like an
>> enhanced captcha type thing, or is it aimed at preventing unauthorised entry?
>>
The latter. The grids are time sensitive, i.e. they expire after a minute or so, so if you don't complete the log in you have to start again.
Last edited by: zippy on Wed 25 Aug 21 at 19:06
|
Not trying to challenge, just understand;
So all you need to remember to enter the account is your shape for that account; horse, '3', whatever and everything else you can work out from the screen in front of you?
I think I'm not getting it, because that doesn't sound much different to a simple password.
|
Yes, but it's much harder to shoulder surf or trap using key loggers than a normal password would be and with the rise of staff working from all sorts of locations at the moment, that's considered to be important.
|
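The grid login described in the posts above, sketched as an added example (not written by any poster and not the employer's actual system): the server keeps the enrolled pattern as a list of grid cells, issues a fresh grid per attempt, and accepts one response inside the expiry window. `GridLogin`, `T_PATTERN`, the single-use rule and the exact 60-second value are assumptions; the grid and the "T" response are the ones quoted in the thread.

```python
import hmac
import secrets
import time

# Grid quoted in the thread (9 rows of 9 digits).
THREAD_GRID = [
    "445832211", "234959059", "203949506",
    "945983453", "234839403", "230349435",
    "249448384", "234958434", "923428232",
]

# The "T" from the thread as (row, column) cells: the whole top row,
# then the centre column of the remaining rows.
T_PATTERN = [(0, c) for c in range(9)] + [(r, 4) for r in range(1, 9)]

TTL_SECONDS = 60  # assumption: the thread only says "a minute or so"


def new_grid(size=9):
    """Fresh random digit grid drawn from the OS CSPRNG."""
    return ["".join(secrets.choice("0123456789") for _ in range(size))
            for _ in range(size)]


def expected_response(grid, pattern):
    """Digits the user types: grid cells read off in pattern order."""
    return "".join(grid[r][c] for r, c in pattern)


class GridLogin:
    """One user's enrolled pattern plus the currently outstanding grid."""

    def __init__(self, pattern, ttl=TTL_SECONDS, clock=time.monotonic):
        self._pattern = list(pattern)
        self._ttl = ttl
        self._clock = clock
        self._grid = None
        self._issued_at = None

    def issue(self, grid=None):
        """Start a login attempt; `grid` can be injected for testing."""
        self._grid = grid if grid is not None else new_grid()
        self._issued_at = self._clock()
        return self._grid

    def verify(self, response):
        """Check a typed response against the outstanding grid, once."""
        grid, issued_at = self._grid, self._issued_at
        self._grid = self._issued_at = None   # single use, pass or fail
        if grid is None:
            return False                      # nothing outstanding
        if self._clock() - issued_at > self._ttl:
            return False                      # grid expired
        want = expected_response(grid, self._pattern)
        # Constant-time comparison, as for any secret-derived value.
        return hmac.compare_digest(want.encode(), response.encode())


def demo():
    now = [0.0]                               # fake clock for the demo
    login = GridLogin(T_PATTERN, clock=lambda: now[0])

    login.issue(THREAD_GRID)
    typed = expected_response(THREAD_GRID, T_PATTERN)
    first = login.verify(typed)               # correct digits, in time

    # Constructed second grid: the thread's rows in reverse order.
    login.issue(THREAD_GRID[::-1])
    replay = login.verify(typed)              # old keystrokes, new grid

    login.issue(THREAD_GRID)
    now[0] += TTL_SECONDS + 1
    late = login.verify(typed)                # right digits, too late
    return typed, first, replay, late


if __name__ == "__main__":
    print(demo())
```

`demo()` reproduces the thread's "T" response, accepts it once, then rejects the same keystrokes against a different grid and after expiry, which is why a captured response is of less use than a captured fixed password.
|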
Thanks for your posting, Manatee. I don't know what my email password is. How do I find it?
Do others share my ignorance?
|
I should have said that I use a desktop only. I don't have an iPad or smart phone.
|
Ambo - I have sent some detailed info in an email which hopefully will help.
|
>>I don't know what my email password is. How do I find it?
I'm sure there are plenty of others who are unaware or have forgotten how something was set up years ago.
I'm guessing your password is saved to your browser. If that is Chrome, it will show your passwords - open "Settings" via the 3 dots to the far right of the address bar, and search for "passwords". They are shown starred out but can be viewed by entering your Windows password or PIN (what you use when you log in to your PC). Microsoft Edge works the same way.
(It follows that passwords saved to your browser are only as secure as your PC and its Windows password!)
Last edited by: Manatee on Wed 25 Aug 21 at 10:11
|
Just out of curiosity I did a quick look into using biometric (facial, fingerprint) security for Gmail/Chrome on Windows. Easy on Android, not easy or straightforward on Windows.
Bit of a missed opportunity I feel.
|
I use Chrome but don't use a windows password (didn't know I had one) or a PIN. I just open Outlook for emails, select a site from Favourites for websites or do a Google search for new sites.
I clicked on the three dots etc. and found only two passwords, one live and the other abandoned over 10 years ago.
Smokie, thanks but I didn't get your email.
|
"Smokie, thanks but I didn't get your email."
I replied to your last email to me, subject "RE: Your address list problem" at 09:46 today, so it should have reached you. It would have come from smokie_mod@car4play.com
I'll resend but it may be superseded anyway.
Did you check your SPAM folder?
Last edited by: smokie on Wed 25 Aug 21 at 12:54
|
Smokie, I don't have a Spam facility unless it is what my computer labels "Junk". Following Junk/Junk-Email options/Safe Senders I can see your email listed but can't open it. The only option offered is "Export to file" but what file? Normally I would use one I have labelled Computer containing numerous others but that doesn't work.
|
Can you drag and drop it to your inbox?
|
>>I use Chrome but don't use a windows password (didn't know I had one) or a PIN. I just open Outlook for emails, select a site from Favourites for websites or do a Google search for new sites.
Outlook remembers the password. I think you will be able to retrieve or reset the password but somebody who is more familiar with Outlook can probably help you better than I.
|
If you mean Outlook the desktop program, then when you first install it each account has to be added. Sometimes that requires some technical details but it 100% required your email address and password.
I suggest you resolve this now because if something goes wrong in the future (PC dies, account hacked, etc. etc.) that will be the wrong time to do it.
Are you sure you don't know the password, haven't got it stored or written down somewhere, told the wife or something?
You need to log into your email account using a browser, essentially using the web interface. Type in your email address and then it will ask for your password. If you know it, all well and good, but if you don't then you will have to go the "forgot my password" route, which involves knowing the answers to your security questions and perhaps access to your phone.
It is also possible that you set a recovery email address.
Perhaps you should do this when your IT expert is visiting. It's not that it is difficult but there are many possibilities and he'll know what he is looking at easily.
One thing to be aware of is that in the throes of trying to recover a password if you don't know the answers to the security questions, don't have a recovery email address and don't have a telephone number stored it is possible to cause yourself significant problems.
Perhaps you should set up a second email account that you do know the password to and start transferring stuff to it and advising people.
You could carry on as you are and perhaps the chances of something going wrong are small. The concern is that if they do go wrong you may have insurmountable difficulties.
|
>>Do others share my ignorance?
No.
:o}
|
Indeed, some have a whole 'nother brand and degree of ignorance.
|
Incoming Payment
paycenter@workmail.co.za
UNITED NATIONS ORGANIZATION FINANCIAL REGULATORY OFFICE
METRO PARK BUILDING
351 FRANCIS BAARD STREET
PRETORIA
SOUTH AFRICA.
Dear Beneficiary,
Compensation Payment of $2,200,000.00 USD (Two Million Two Hundred Thousand United States Dollars) payment Via VISA PREPAID DEBIT ATM CARD.
NOTE THAT YOUR EMAIL ADDRESS HAS BEEN LISTED AS ONE OF THE BENEFICIARIES.
This is to inform you on the outcome of our 7 day meeting with U.N International Financial Investigation Unit and the Association of Better Business Bureau to compensate online scam victims and other victims upon due verification, we have jointly approved $2,200,000.00 USD (Two Million Two Hundred Thousand United States Dollars) for every confirmed victim. Your E-mail address was automatically generated through the computer ballot system as one of the selected victims to receive this compensation. However, adequate arrangements have been put in place to upload the approved payment compensation into a Visa Debit Card that can be accessible at any inter-switch cash machine anywhere in the world. Note that 50 beneficiary emails were automatically generated and 100 beneficiary emails were listed as potential victims of online scams.
The United Nations and the International Monetary Fund (IMF) has chosen to pay out all the compensation funds to 150 Beneficiaries from U.S.A, Europe, Canada, United Arab Emirates, Bahrain, Qatar, Saudi Arabia, South America, Australia and Asia and Africa Continent through VISA DEBIT ATM CARD as this is a global payments technology that enables consumers, businesses, financial institutions and governments to use digital currency instead of Cash and Cheques.
We have arranged your payment to be paid to you through VISA DEBIT ATM CARD which will be issued in your name and shall be posted directly to your address via DHL or any courier services available in your country. Upon your contact with us, the sum of $2,200,000.00 USD (Two Million Two Hundred Thousand United States Dollars) will be credited into the VISA DEBIT ATM CARD and this will enable you to withdraw your funds in any ATM Machines.
The cards are available in Sterling, US Dollars, Euro and Australian Dollars, you can use your debit card to shop in over 28 million outlets worldwide, wherever you see the Visa mark* or MasterCard mark*.in this regards, you are to contact and furnish the requested information to the Directorate of International Payment and Transfer with the followings;
1. Full Name:
2. Postal or Residential Address:
3. Mobile Number:
4. Country:
5. Age:
6. Sex:
Kindly provide the above information to our paying agency below for the issuance and delivery of your ATM Card:
Mr. Thato Moree,
E-mail: unsasa@exclusivemail.co.za
Your urgent response to this email as directed to avoid any further delays.
Yours faithfully,
Mr. Timothy Harris.
UNITED NATIONS
Public Information Officer
Regional Office South Africa.
For, United Nations Congress compensation fund.
|
>>Upon your contact with us, the sum of $2,200,000.00 USD (Two Million Two Hundred Thousand United States Dollars) will be credited into the VISA DEBIT ATM CARD and this will enable you to withdraw your funds in any ATM Machines
That would take 12 - 20 years to get out of an ATM going every day. I think you should say no, it's unreasonable and ridiculous to expect you to do that much work. Do these people think you have nothing better to do than traipse to an ATM every day?
|
Perhaps the money can be used to bail me out? Apparently there is an international arrest warrant out for me because I misused my social security number. I'm doomed.
|
>>That would take 12 - 20 years to get out of an ATM going every day. I think you should say no
Aw shucks, bang goes the Mulsanne, the villa in the Côte d’Azur, the yacht, the trip into space etc. etc.
|