You Can’t Scam A Mindful User

As the old saying goes, you can’t con an honest man. The claim is that every successful confidence game depends on the mark being greedy. This smacks a bit of blaming the victim, but there is certainly an element of truth to it: many con games depend on the victim being hooked by the possibility of getting something for nothing.

This saying is on my mind after a recent attempt to scam me on my phone. It occurred to me that the modern version of this saying should be that you can't con a mindful user. Many scams depend on panic because panic short-circuits your ability to focus, and mindfulness is your best defense against a scam.

The scam that I was subjected to is not new; it was very like this one. I was watching YouTube on my phone when an official-looking dialog box popped up. The pop-up warned me that my phone’s storage was full and offered me a link to clean up my phone. 

There were a number of things about this incident that were not right:

  • The dialog box was very nice looking but it was not in the format used by the operating system.
  • My phone is never even close to full, as it happens. 
  • The dialog box offered me a link to fix the problem but that is not how system software works; system software generally offers you buttons, not links. 

I was highly confident that this message was bogus. I rebooted my phone and the dialog went away. Out of an abundance of caution, I checked my phone’s storage level and as expected there was tons of space still free.

This happened again a few days later, also while using YouTube. I think that YouTube may have a problem with at least some of the videos it hosts. But YouTube is not the real problem here: the real problem is that we are bombarded with these kinds of scams through a multitude of channels. If your first reaction is "I don't use YouTube" or "I don't use YouTube on my work phone" then you might be part of the problem. The point is not to rely on avoiding being attacked, which is nearly impossible. The point is to respond mindfully when you are attacked.

This is why I try to be mindful of how I use technology in general and my phone in particular. While I am a fan of using software tools to protect me, I struggle to imagine software tools ever replacing mindfulness in the arms race of scammers versus systems programmers.

At Pythia Cyber we stress mindfulness over low level training because simple rules—don’t click on links in emails—just don’t cut it any longer. We now live in a world where scammers are trying to craft attacks that push our buttons, trying to take advantage of the simple rules, trying to leverage your best intentions to hurt you. 

What will work to protect your workforce is to go deeper than conditioning users to follow some basic rules. We don’t train your people, we educate them. We don’t condition them to comply with quickly outdated rules, we guide them to a commitment to cybersecurity. This is what we mean by mindfulness.

Consider going beyond rules and regulations. Consider a commitment to making cybersecurity a priority in everyone's every interaction with any computer system.  
