I think we should treat people who get scammed and come out and talk about it like heroes. And this is important: no matter how "obvious" the scam might seem in retrospect or from the outside of the community it preyed on.

The more I look at scams the more I think this is a major factor in how they keep going and keep coming back.

@futurebird I've spent a good bit of time studying why people fall for scams and why they don't listen to advice.

Some people are genuinely lazy and don't want to be bothered, but luckily they're in the minority. Most people, I think, just need better information.

Large companies, unfortunately, are actively working to make phishing easier by moving away from having real humans and by behaving more and more like phishers, which makes even good information less helpful to people.

Big businesses want people to be OK with getting phone calls from automated systems where we can't talk with humans and the "bot", if we can even interact with it, is dumber than a log. They expect us to authenticate ourselves to them when they call us. They make it either impossible or extremely time consuming to even talk to a human.

So when you tell people to never believe caller ID, to not believe any calls, to call a company back if you think they're actually trying to call you, it's understandable that they don't want to spend (sometimes literally) hours doing that.

The same goes with email. I tell people to not click links in email if they can help it. If they have reason to think the email might be legitimate (that is, they're expecting the email), I tell them to copy and paste the link into a browser window and look at the URL. But what are people supposed to do when a link says "Walmart" (because email clients these days are basically web browsers), yet the URL actually starts with "walmartbpr.srvys.io"? Are people supposed to know how to deal with this?

This happens with banks, medical institutions, stores...

So how do we educate people to be careful when it's the opposite of what businesses are doing? Why should it be incumbent on users and not corporations to be more careful?

@AnachronistJohn "Most people, I think, just need better information."

This is also a good argument for teaching people to look at domain names (+HTTPS) before clicking.

"yet the URL actually starts with "walmartbpr.srvys.io"? Are people supposed to know how to deal with this?"

Because no one is reminding them of its significance and that the spelling matters.

"Why should it be incumbent on users and not corporations to be more careful?"

Because HTTPS (TLS+PKI) was meant to be the verification scheme for end-users to verify who they are communicating with. The user gains a great deal of power (verified Internet communications!) in exchange for a few seconds of acting responsibly – looking at the domain. You seem to be asking why a corp can't be in the middle being responsible for us; well that role sort of belongs to CAs but if you want it to be more convenient than that then you're asking for legalized MITM (and being treated like a child).

Most Internet security schemes meant to replace or wallpaper over PKI are trying to remove some element of irreducible complexity in the problem, with the goal of reducing remote communications to an invisible, mindless process.
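The check that both posts above ask of users, comparing what a link says with the domain it actually points to, written out as an added Python example (not code from anyone in this thread). It takes the anchor text and the real href, extracts the hostname, reduces it to its registrable domain, and flags the link when the text names a brand whose known domains don't include it, or when the scheme isn't HTTPS. The "walmartbpr.srvys.io" host is the thread's own example; the allowlist entry "walmart.com" and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains each brand is assumed to send mail from.
# "walmart.com" is an assumption made for this illustration, not a fact taken
# from the thread; a real deployment would use the brand's published domains.
BRAND_DOMAINS = {
    "walmart": {"walmart.com"},
}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. 'srvys.io' for
    'walmartbpr.srvys.io'. Simplified: takes the last two labels, so
    multi-label public suffixes such as 'co.uk' are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(display_text: str, href: str) -> dict:
    """Compare what a link *says* with where it actually *goes*.

    Returns the real hostname, whether the link looks suspicious, and
    human-readable reasons. This is the check the thread asks users to do
    by hand: look past the anchor text to the domain."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reasons = []

    if parsed.scheme != "https":
        scheme = parsed.scheme or "missing"
        reasons.append(f"scheme is {scheme!r}, not https")
    if not host:
        reasons.append("no hostname in URL")

    text = display_text.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        # The brand name appearing somewhere in the host (walmartbpr...) is
        # not enough; only the registrable domain identifies the owner.
        if brand in text and host:
            actual = registrable_domain(host)
            if actual not in allowed:
                reasons.append(
                    f"text mentions {brand!r} but host {host!r} "
                    f"belongs to {actual!r}, not {sorted(allowed)}"
                )

    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links modelled on the thread's example.
    samples = [
        ("Walmart", "https://walmartbpr.srvys.io/survey?id=123"),
        ("Walmart", "https://www.walmart.com/account"),
        ("Walmart", "http://walmart.com/"),
    ]
    for text, url in samples:
        result = check_link(text, url)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{text!r} -> {url}: {verdict}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The registrable-domain step is the part people skip when they glance at a URL: "walmart" is right there in the hostname, but the owner of the link is whoever controls "srvys.io". A mail client could run exactly this comparison on every anchor and show the verdict next to the link text, which is the kind of better information the thread says users lack.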

@tasket "You seem to be asking why a corp can't be in the middle being responsible for us"

I am not talking about corporations in the middle - I'm talking about the corporations themselves.

That example was in an actual email from Walmart. I'm saying that Walmart should know better and shouldn't be sending email with URLs that have hostnames like that ("walmartbpr.srvys.io").