I think we should treat people who get scammed and come out and talk about it like heroes. And this is important: no matter how "obvious" the scam might seem in retrospect or from the outside of the community it preyed on.

The more I look at scams the more I think this is a major factor in how they keep going and keep coming back.

@futurebird I've spent a good bit of time studying why people fall for scams and why they don't listen to advice.

Some people are genuinely lazy and don't want to be bothered, but luckily they're in the minority. Most people, I think, just need better information.

Large companies, unfortunately, are actively working to make phishing easier by moving away from having real humans and by behaving more and more like phishers, which makes even good information less helpful to people.

Big businesses want people to be OK with getting phone calls from automated systems where we can't talk with humans and the "bot", if we can even interact with it, is dumber than a log. They expect us to authenticate ourselves to them when they call us. They make it either impossible or extremely time consuming to even talk to a human.

So when you tell people to never believe caller ID, to not believe any calls, to call a company back if you think they're actually trying to call you, it's understandable that they don't want to spend (sometimes literally) hours doing that.

The same goes with email. I tell people to not click links in email if they can help it. If they have reason to think the email might be legitimate (that is, they're expecting the email), I tell them to copy and paste the link into a browser window and look at the URL. But what are people supposed to do when a link says "Walmart" (because email clients these days are basically web browsers), yet the URL actually starts with "walmartbpr.srvys.io"? Are people supposed to know how to deal with this?

This happens with banks, medical institutions, stores...

So how do we educate people to be careful when it's the opposite of what businesses are doing? Why should it be incumbent on users and not corporations to be more careful?

@AnachronistJohn

The reason why people fall for most scams is that, as you write, we have an entire business ecosystem set up to encourage scams. This isn't a design problem: it's set up this way because business scams us at every level.

When someone pushes on a physical door instead of pulling (or the reverse) it's not because they are lazy, it's because the door is badly designed. But not all doors are. For business, all doors are because it's purposeful.

@futurebird

@AnachronistJohn @futurebird I also think there are probably some good technical solutions we can use to improve the situation, but the people in big tech corporations either don't want to do them (because they cut into advertising revenues), or are too eager to do them in ways that benefit them but disadvantage smaller players and increase their own monopoly powers.

@AnachronistJohn @futurebird The only way to be (reasonably) sure is to call back and for emails to go to their page and interact from there. Every other solution, you are taking a risk. If people don't know this, they should be told. If people know this and risk getting their money stolen, then when it gets stolen, we are entitled to a "told you so".

Yes, there are things businesses should stop doing/do differently, but in the meantime, ignoring your safety just because it's not fair that you need to go to all this trouble is just plain stupid.

Btw if people stopped responding to cold calls en masse, businesses would stop doing it. I'm not getting any by now because I probably got on a list of "don't bother, doesn't take calls". Mum gets at least one a day. Last time I actually picked one up (was waiting for a call), I told the caller I'm not interested right after the intro, and she got snarky saying "what, you don't have two minutes" to which I replied "what the fuck" and put it down. I can count on one hand the number of people I know who would "dare" put it down like that, which is a major fucking problem, especially with the older, polite generation, who fairly blanched at work when I complained of it. But if it happened more often, the harassment would stop.

@AnachronistJohn @futurebird
I tend to have a problem with unsolicited texts and emails that are actually genuine (I've checked by talking to them) but look very much like a scam.
If companies want to interact with their customers better they need to look less like scammers and stop spamming them with links to click.
These days I actually never respond directly to any communication that comes out of the blue.

@AnachronistJohn "Most people, I think, just need better information."

This is also a good argument for teaching people to look at domain names (+HTTPS) before clicking.

"yet the URL actually starts with "walmartbpr.srvys.io"? Are people supposed to know how to deal with this?"

Because no one is reminding them of its significance and that the spelling matters.

"Why should it be incumbent on users and not corporations to be more careful?"

Because HTTPS (TLS+PKI) was meant to be the verification scheme for end-users to verify who they are communicating with. The user gains a great deal of power (verified Internet communications!) in exchange for a few seconds of acting responsibly – looking at the domain. You seem to be asking why a corp can't be in the middle being responsible for us; well that role sort of belongs to CAs but if you want it to be more convenient than that then you're asking for legalized MITM (and being treated like a child).

Most Internet security schemes meant to replace or wallpaper over PKI are trying to remove some element of irreducible complexity in the problem, with the goal of reducing remote communications to an invisible, mindless process.
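The check both posts above describe (copy the link, look at the URL, and look at the domain rather than the name the link text shows), as an added Python example that is not part of this thread. It pulls the registrable domain out of the link's hostname and flags links whose visible text names a brand that does not appear in that domain, which is exactly the "Walmart" vs "walmartbpr.srvys.io" case; the tiny suffix table and stopword list are constructed assumptions standing in for the real Public Suffix List.

```python
from urllib.parse import urlparse
import re

# Constructed, deliberately tiny stand-in for the Public Suffix List; a real
# check would load the full list (assumption made for this offline example).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Link-text words that never name a company (constructed list).
STOPWORDS = {"click", "here", "link", "the", "your", "this", "view", "open"}

def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def brand_tokens(link_text: str) -> list[str]:
    """Words in the visible link text that could name a company, e.g. 'walmart'."""
    words = re.findall(r"[a-z0-9]{3,}", link_text.lower())
    return [w for w in words if w not in STOPWORDS]

def check_link(link_text: str, href: str) -> dict:
    """Compare what the link says with where it actually goes."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host) if host else ""
    tokens = brand_tokens(link_text)
    # None means the text names no brand, so text alone cannot confirm anything.
    brand_in_domain = any(tok in domain for tok in tokens) if tokens else None
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not https")
    if brand_in_domain is False:
        reasons.append(f"link text names {tokens} but registered domain is {domain}")
    if brand_in_domain is None:
        reasons.append("link text names no brand; open the site from its own page instead")
    return {"host": host, "domain": domain, "https": parsed.scheme == "https",
            "brand_in_domain": brand_in_domain, "reasons": reasons,
            "verdict": "ok" if not reasons else "inspect"}

if __name__ == "__main__":
    # Constructed sample links modelled on the case discussed in the thread.
    for text, href in [("Walmart", "https://walmartbpr.srvys.io/s/abc123"),
                       ("Walmart", "https://www.walmart.com/account"),
                       ("Click here", "https://www.walmart.com/account")]:
        result = check_link(text, href)
        print(f"{text!r} -> {result['host']}: {result['verdict']} {result['reasons']}")
```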

@tasket "You seem to be asking why a corp can't be in the middle being responsible for us"

I am not talking about corporations in the middle - I'm talking about the corporations themselves.

That example was in an actual email from Walmart. I'm saying that Walmart should know better and shouldn't be sending email with URLs that have hostnames like that ("walmartbpr.srvys.io").