Telling elders scary stories about online scammers is not the best way to keep them safe. Olga Gavrilenko/EyeEm via Getty Images
Recently, the U.S. Social Security Administration sent out an email to subscribers of its official blog explaining how to access social security statements online. Most people know to be suspicious of seemingly official emails with links to websites asking for credentials.
But for older adults who are wary of the prevalence of scams targeting their demographic, such an email can be particularly alarming since they have been told that the SSA never sends emails. From our research designing cybersecurity safeguards for older adults, we believe there is legitimate cause for alarm.
People are also reading…
This population has been schooled in a tactical approach to online safety grounded in fear and mistrust – even of themselves – and focused on specific threats rather than developing strategies that enable them to be online safely. Elders have been taught this approach by organizations they tend to trust, including nonprofits that teach older adults how to use technology.
These organizations promote a view of older adults as highly vulnerable while also encouraging them to take gratuitous risks in defending themselves. As information technology researchers, we believe it doesn’t need to be this way.
Older adults and online safety
Older adults may be at heightened risk of cybersecurity breaches and fraudulent behavior because they lack experience with internet technology and represent a financially attractive target. Older adults may also be more susceptible because they struggle with their confidence in using technology even as they recognize its benefits.
We have been developing technology tools that help aging Americans maintain their own online safety no matter what challenges they may face, including cognitive decline. To do so, we needed to understand what and how the people we study are learning about cybersecurity threats and what strategies they are being taught to reduce their vulnerabilities.
We have found that older adults attempt to draw on personal experience to develop strategies to reduce privacy violations and security threats. For the most part, they are successful at detecting threats by being on the lookout for activities they did not initiate — for example, an account they do not have. However, outside experts have an inordinate amount of influence on those with less perceived ability or experience with technology.
What ‘experts’ are telling older Americans
Unfortunately, the guidance that older adults are getting from those who presumably have authority on the matter is less than ideal.
Perhaps the loudest of those voices is the AARP, a U.S. advocacy group that has been carrying out a mission to “empower” individuals as they age for over six decades. In that time, it has established a commanding print and online presence. Its magazine reached over 38 million mailboxes in 2017, and it is an effective advocacy group.
What we found was that the AARP communiqués on cybersecurity use storytelling to create cartoonish folktales of internet deception. A regularly featured diet of sensational titles like “Grandparent Gotchas,” “Sweepstakes Swindles” and “Devilish Diagnoses” depict current and emerging threats.
Much of the cybersecurity advice given to elders fosters the cartoonish misconception that flesh-and-blood scam artists lurk in their midst. 5m3photos/Moment via Getty Images
These scenarios appeal to readers the way crime shows have historically appealed to TV audiences: by using narrative devices to alarm and thrill. Ultimately they also delude viewers by leaving them with the misconception that they can use what they’ve learned in those stories to defend themselves against criminal threats.
Folktales and foibles
One job of folktales is to spell out the hazards that a culture wants its members to learn in childhood. But by presenting cyber-risk as a set of ever-evolving stories that focuses on particular risks, the AARP shifts attention away from basic principles to anecdotes. This requires its members to compare their online experiences with specific stories.
Readers are implicitly encouraged to assess the plausibility of particular scenarios with questions like, Is it possible that I have any unpaid back taxes? And, Do I actually have an extended warranty? It requires people to catalogue each of these stories and then work out for themselves each time whether an unsolicited message is a real threat based on its content, rather than the person’s circumstances.
No, it’s not personal
Through this inventory of stories and characters, we also found that the AARP was personalizing what is, at root, a set of structural threats, impersonal by nature. The stories often characterize scammers as people in the reader’s very midst who use local news to manipulate older adults.
Real threats are not “sweepstake swindlers” or “Facebook unfriendlies,” with a live scam artist sensitive to the needs and foibles of each intended victim. There is rarely a human relationship between the cyber-scammer and the victim — no con artists behind the notorious “grandparents scam.” The AARP bulletins and advisories imply that there is — or, at least, implicitly foster that old-fashioned view of a direct relationship between swindler and victim.
Don’t engage
Perhaps even more worrisome, AARP advisories appe
ar to encourage investigation into scenarios, when engagement of any sort puts people at risk.
In one post alerting people to “8 Military-Themed Imposter Scams,” they discuss “prices too good to be true,” when the very concept of buying a car on Craigslist, or an “active-duty service member” urgently selling a car, should be a red flag discouraging any form of engagement.
Internet users of any age, but especially more vulnerable populations, should be urged to withdraw from threats, not be cast as sleuths in their own suspense stories.
Protecting older adults in the age of surveillance capitalism
In order to reduce everyone’s risk while online, we believe it’s important to provide a set of well-curated principles rather than presenting people with a set of stories to learn. Everyone exposed to threats online, but especially those most at risk, needs a checklist of cautions and strong rules against engagement whenever there is doubt.
In short, the best strategy is to simply ignore unsolicited outreach altogether, particularly from organizations you don’t do business with. People need to be reminded that their own context, behaviors and relationships are all that matter.
[Get the best of The Conversation, every weekend. Sign up for our weekly newsletter.]
Because, in the end, it’s not just about tools, it’s about worldview. Ultimately, for everyone to make effective, consistent use of security tools, people need a theory of the online world that educates them about the rudiments of surveillance capitalism.
We believe people should be taught to see their online selves as reconstructions made out of data, as unreal as bots. This is admittedly a difficult idea because people have a hard time imagining themselves as separate from the data they generate, and recognizing that their online lives are affected by algorithms that analyze and act on that data.
But it is an important concept — and one that we see older adults embracing in our research when they tell us that while they are frustrated with receiving spam, they are learning to ignore the communications that reflect “selves” they don’t identify with.
Nora McDonald receives funding from the National Science Foundation.
Helena M. Mentis receives funding from the National Science Foundation.
How to tell you’re being phished and 9 other common online scams to watch out for
How to tell you’re being phished and 9 other common online scams to watch out for

The internet can feel packed with scams sometimes, especially for anyone who’s had their credit card or other information stolen. But most scams fall into a small variety of types that are easy to identify and avoid once you know about them.
There are only so many ways to reinvent the wheel—scammers will usually fall into a set number of categories. Twingate assembled a list of common online scams that internet users should be wary of, drawing on research from government organizations, payment processors, and tech companies.
One of the major categories of scamming is called social engineering. An old-fashioned method that still works surprisingly well, social engineering is any fraud where a human being communicates with you to obtain information in person, online, or over the phone. Scammers will use manipulative, deceptive, or psychological tactics to get someone to reveal confidential information.
As our lives increasingly have shifted online, scammers have followed, posing as everything from fake online boyfriends to made-up charities. So the next time you get a voicemail claiming to be from Microsoft, an email that says your antivirus service is out of date, or a pop-up ad from “newy0rktimes.com,” take a few seconds and think about whether it’s a genuine message before doing anything. Continue reading to learn about the most common online scams today.
Phishing

Phishing is one of the most common online scams. It’s a form of social engineering, meaning a scam in which the “human touch” is used to trick people. One offline form of phishing is when you receive a scam phone call where someone claims to be calling from the fraud department at your bank and requests your account number as verification.
With online phishing, scammers do the same kind of thing but use emails and links to fraudulent websites to fool users. In your spam folder, you’ll often see messages claiming to be from Bank of America and others. These links lead to imitation bank sites designed to capture your personal banking information.
Advanced fee scam

These email messages are notorious—and the stuff of internet legend: “Hello sir, I have a huge sum to send you!” In this scam, a forlorn prince, bank manager, church reverend, or otherwise reputable-sounding stranger has a large amount of money that they need you to hold for them. All you have to do is send them several hundred or thousand dollars to cover some kind of transactional cost upfront.
Never believe any stranger who wants to send you money, and listen to your gut. If something sounds too good to be true, it is highly likely that it is a scam.
Romance scam

The scam comes in when, eventually, a series of misfortunes befall the romantic partner. They might plan a visit to finally meet—but suddenly won’t have money to pay for the plane ticket. Then they’re hospitalized with a mystery illness and need money to pay the bill. This continues until the victim grows suspicious of the mounting costs.
Formjacking

Formjacking is a web scam that works the same way as a credit card skimmer does in real life. You go to a website to place an order and enter your information as usual. The transaction even goes through and seems to be fine, except that some code hacked into the website has copied your financial data to someone else.
The owners of the website may not even realize something is happening because they don’t pay close attention to their infrastructure. Make sure the websites you deal with are secure.
Phony tech support

Phony tech support is a form of social engineering. This scam may come as an email or a phone call, claiming that your computer has been compromised in some way and that you must call a number or visit a website to fix it.
From there, the scammer may install malware like keyboard capture software (or worse). On the phone, they may request remote access to your computer to help you. These scammers often claim to be from Microsoft or Apple as a way to establish legitimacy.
Ransomware

Ransomware is a kind of malicious software that is installed without your knowledge. This is usually from an email or fraudulent site, meaning it also uses phishing to imitate your bank or another institutional website. Someone calls or emails with a link that installs the ransomware on your machine. What makes ransomware different is what comes next.
The software locks certain kinds of information on your machines, like your saved documents, photos, and other files. You have to pay to unlock the data and get your files, although the FBI cautions against actually paying.
Scareware

Scareware is a form of manipulative scamming that threatens users by making them believe they need new software on their machines. One of the common forms is to tell users they need new antivirus software and to offer that software from a fraudulent source.
It’s often easy to tell these websites or emails apart from real ones: Look closely at the URLs or email addresses, which usually have strange spellings or other clues that signal you’re not dealing with legitimate companies.
Sextortion

Once someone has this material, they can use it as a way to demand more and will threaten to share info or post photos publicly if their target refuses. Unlike the other crimes on this list, sextortion doesn’t always have financial goals.
Charity and disaster fraud

Crowdfunding and mutual aid are becoming more common as a way for people to share resources and help others pay for medical bills and other costs, or to donate following natural disasters. Unfortunately, this well-meaning way to help others in the community has also been targeted by scammers through charity and disaster fraud.
Scammers can make fake Twitter accounts to imitate people in need. They’ll even set up bots to make new accounts that look like your friend’s account to reply with Paypal links that redirect to the scammer. If you aren’t sure about the credibility of a group or crowdfunding page, it is always best to seek more information.
Work from home

This scam is simple and it’s a variation of an age-old, real-life scam. Think of those signs you see on street corners that say, “I make $16,000 a month working from home!” When you call, these people want you to buy training materials to become a real estate agent or something similar.
The same is true of many online ads that say you can work from home and make $500 a day or some other attractive amount. The best advice is also the oldest: If it sounds too good to be true, it probably is.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.