Protecting Our Elders: A Comprehensive Look at Social Engineering Threats and Proactive Steps for Families


As our parents get older, we often find our roles reversed. We (adult) kids aren’t just tech support; now it’s our responsibility to parent our parents by monitoring their online activity and protecting them from scams.

Social Engineering Scams

It’s not just tech. Criminals know it is easier to trick a person than to hack a computer.

From the age-old ‘don’t talk to (internet) strangers’ to ‘don’t click suspicious links’, here are the seven social engineering psychology principles scammers will use (which I learned from studying for the CompTIA Security+ Exam), the possible scams they’ll try to pull, and how to thwart or prevent the scams.

| Psychology Principle | Scam Example (Targeting Senior Citizens) | How to Thwart or Prevent the Scam |
|---|---|---|
| Authority | IRS or Social Security Impersonation: Attacker calls claiming to be from the IRS or Social Security Administration (SSA). They state the victim owes back taxes or that their benefits will be immediately cut off unless they pay a "fine" via gift cards or wire transfer. (Utility Scams follow the same modus operandi.) | Know the Policy: The IRS and SSA never call, email, or text to demand immediate payment via gift cards, wire transfers, or cryptocurrency. Hang up and call the official government number yourself (e.g., the SSA number on the back of your card or from the official government website). |
| Intimidation | Tech Support Extortion: Attacker calls or a fake pop-up warning appears on the victim's computer, claiming a virus has locked their files or exposed their financial accounts. They demand immediate remote access or payment to "fix" the manufactured crisis. | Shut it Down: Never grant remote access to an unsolicited caller. If a pop-up appears, immediately power down the computer (hold the power button). If your files are truly locked, contact a known, trusted local technician or your family's dedicated tech support person. |
| Consensus (Social Proof) | Investment Seminar or Testimonial Scam: The victim is invited to a free luncheon or webinar where fake "peers" or "successful investors" give glowing testimonials about a high-risk or non-existent investment opportunity (e.g., fraudulent annuities). | Validate the Advisor: Never make an investment decision based on peer testimonials. Check the license and registration of any financial advisor or firm with your state's financial regulatory body (e.g., FINRA or SEC). If it sounds too good to be true, it is! |
| Scarcity | Limited-Time Health Insurance/Medical Equipment Offer: Attacker offers a "one-time, exclusive" deal on a required medical device, supplemental insurance, or prescription drug that is "only available today" to force a quick decision and extract Medicare/personal data. | Don't Be Rushed: Real offers do not expire in 10 minutes. Refuse to decide immediately. Tell the caller you need to check with your primary care physician or your insurance provider first. Legitimate health companies will allow you time for consultation. |
| Urgency | Grandparent/Emergency Scam: Attacker calls claiming to be a grandchild, niece, or other relative who is in immediate legal trouble (e.g., arrested, car accident) in a foreign country. They plead for money to be wired immediately for bail or hospital bills, often asking the victim to keep it a secret. | Establish a Code Word: Before a crisis, set a secret family password or question with immediate relatives. If someone calls with an emergency, demand they provide that word. Verify the Story: Immediately call the relative (or their parent) back on their known, verified cell phone number—DO NOT call the number the scammer provided. |
| Familiarity | Cemetery/Funeral Plot Fraud: Attacker calls claiming to be from the victim's church or a local funeral home they've used before. They solicit funds for a "pre-arranged" but suddenly necessary expense, or try to sell unnecessary or non-existent services. Bank Imposter Scams: An automated message or live person warns of "fraudulent activity" on an account and asks the user to "verify" information or a PIN by pressing a button or entering it. | Call the Source: Ignore the phone number on caller ID. Hang up and independently look up the phone number on the official website for the known church, funeral home, charity, or financial institution. Call the official number to verify the fundraising or expense request. NEVER pay over the phone for unexpected expenses. |
| Trust | "Sweetheart" or Romance Scam: Attacker creates a detailed, sympathetic online persona (often on dating sites or social media) and spends months building a personal connection. Once trust is established, they request money for a sudden, urgent crisis (e.g., plane ticket, medical procedure) to finally meet the victim. Advance Fee Scams or ‘Prince’ Scams: The victim is told they've won a large lottery prize or settlement, but must first pay a small "tax" or "fee" to release the funds. Or the scammer claims they are a crowned prince in exile and will also request an ‘advance fee’ with the promise of receiving a much larger sum later. | Refuse Financial Requests: Never send money to someone you have not met in person. Scammers will invent endless crises to keep the money flowing. Share details of the relationship with a trusted family member or friend; an objective outsider can often spot the red flags a victim misses. |


So what can your parent or grandparent do? What can you do?

Prevention

Step up that tech support!

Install and Maintain Defenses: Install ad blockers on browsers and implement call blockers on landlines and mobile phones to filter known scam numbers and malicious robocalls.

Keep Systems Updated: Ensure the Operating System (O/S), antivirus, and antimalware software are always set to auto-update to patch security vulnerabilities.

Configure Email Filters: Maximize the effectiveness of email spam filters to catch phishing and advance-fee scam attempts before they reach the main inbox.

Monitor for Intruders: Periodically check device settings to maximize privacy and look for any unauthorized devices or unknown connections on their home network or email account.

Verify Network Access: If the internet seems slow or suspicious, check for unauthorized devices on the network.

Here’s a quick guide on how to check for unauthorized devices:

| Feature to Check | Steps to Check for Unauthorized Access | What to Look For | Immediate Action If Unauthorized |
|---|---|---|---|
| Home Wi-Fi Network (Router Admin) | 1. Access the Admin Page: In a web browser, enter your router's IP address (e.g., 192.168.1.1 or 10.0.0.1). | A list of connected devices, often labeled "Attached Devices," "Connected Clients," or "DHCP Client List." | 1. Change the Wi-Fi Password. |
| | 2. Log In: Use the router's username and password (you should have changed this from the factory default!). | Each device should have a Name (e.g., "iPhone," "SmartTV"), an IP Address, and a MAC Address. | 2. Change the Router Admin Password. |
| | 3. Find the Device List: Navigate to the appropriate section (see column to the left). | Unrecognized names (e.g., "Unknown Device") or duplicate names that you know only one of (e.g., two "Dad's Phone" entries). | 3. Block the device (if the router supports it) using its MAC address, and then change the Wi-Fi password again. |
| Email Account (e.g., Gmail, Outlook) | 1. Go to Security Settings: Navigate to your account's main Security or Manage Your Account page. | A section labeled "Your Devices," "Sign-in Activity," or "Recent Activity." | 1. Immediately change your email password to a new, strong password. |
| | 2. Review Signed-in Devices: Look for a list of devices currently signed into the account. | Any unrecognized device type (e.g., "Android Phone" if you only use Apple), location, or sign-in time. | 2. Select the unauthorized device and click "Sign out" or "Remove Access." |
| | 3. Review Activity Log (Optional): Some providers have a "Details" link (like in Gmail) to see the last 10 sign-ins and their IP addresses. | Look for "Unusual activity detected" warnings or failed sign-in attempts from strange locations. | 3. Turn on or confirm Two-Factor Authentication (2FA) immediately. |


Pro-Tip for Identifying Unknown Devices:

If you see a MAC Address (like AA:BB:CC:D1:E2:F3) you don't recognize on your router's list, you can search the first six characters (AA:BB:CC) online. This is the OUI (Organizationally Unique Identifier), which usually tells you the manufacturer of the device (e.g., "Samsung," "LG," "Microsoft") and can help you determine if it's one of your known items.
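As an added example (not part of the original post), this Python script runs the router check described above: it compares a device list copied from the router against a family inventory, reports the OUI to search for each unknown entry, and marks duplicate names. It also handles a case the tip does not cover: addresses with the locally-administered bit set (which includes the sample AA:BB:CC:D1:E2:F3) are randomized by the device and have no registered manufacturer. The inventory and client list are constructed sample data.

```python
import re
from collections import Counter

def normalize(mac):
    """Return a MAC as upper-case colon-separated pairs; accept : - . separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set.
    Such addresses are made up by the device (phone "private address" or
    "randomized MAC" features), so their first three octets are not a vendor OUI."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def audit(clients, known):
    """Return one finding per router entry whose MAC is not in the family inventory."""
    known_macs = {normalize(m) for m in known}
    names = Counter(name for name, _ip, _mac in clients)
    findings = []
    for name, ip, mac in clients:
        mac = normalize(mac)
        if mac in known_macs:
            continue
        randomized = is_randomized(mac)
        findings.append({
            "name": name, "ip": ip, "mac": mac,
            "randomized": randomized,
            # Only a globally assigned address has an OUI worth searching for.
            "search_oui": None if randomized else mac[:8],
            "duplicate_name": names[name] > 1,
        })
    return findings

# Constructed sample data (not from a real network).
KNOWN = {"00:11:22:33:44:55": "Dad's Phone", "04-ab-cd-01-02-03": "SmartTV"}
CLIENTS = [
    ("Dad's Phone", "192.168.1.20", "00:11:22:33:44:55"),
    ("SmartTV", "192.168.1.21", "04:AB:CD:01:02:03"),
    ("Dad's Phone", "192.168.1.37", "10:20:30:40:50:60"),
    ("Unknown Device", "192.168.1.44", "aa:bb:cc:d1:e2:f3"),
]

if __name__ == "__main__":
    for finding in audit(CLIENTS, KNOWN):
        print(finding)
```

A randomized address is not by itself a sign of an intruder: many phones and laptops use one per network by default, so compare it against the Wi-Fi address shown in each family device's own settings before blocking it.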


Password Vault

Use Strong, Unique Passwords: Ensure all banking, email, and social media accounts have complex and unique passwords to prevent account takeover.

 

This is a common issue everyone faces: Where do you keep all those unique, complex passwords? The safest solution is to use a trusted password manager such as 1Password, Bitwarden, or NordPass, which encrypt and secure your data digitally.

If your family members are truly old-school and refuse digital options, the compromise is a physical password notebook. If used, this notebook must be treated as a vault—it should contain no identifying account numbers (only the website name) and must be stored in a locked safe or secure, hidden location at all times.


Keep An Eye On the Money

For all your financial accounts:

Set Transaction Limits: Work with banks or credit unions to set daily withdrawal or transfer limits to prevent large losses from successful, high-pressure scams.

Set Up Transaction Alerts: Most banks allow you to do this directly through your online banking portal or mobile app. You can enable text or email alerts for any transactions exceeding a specific, low dollar amount (e.g., $100). If a scammer attempts a transfer, the alert will notify you immediately.


Shred Documents and Mail

Physical mail is a common source of stolen data. To prevent dumpster-diving identity theft, you must shred any paper mail or documents that contain sensitive personal information before throwing them away.

This includes:

  • Statements, expired bills, and credit card offers.
  • Documents containing your name, address, date of birth, or Social Security number.

Use a cross-cut or micro-cut shredder—strip-cut shredders are easily pieced back together. Treat your trash like a vault!

Social Security – Emphasis on Security

The Social Security Number (SSN) is the master key to a person's identity and finances. Protecting it is the single most important step in preventing long-term identity theft.

| Security Focus | Actionable Advice |
|---|---|
| Physical Storage | Store your Social Security card safely: Never carry your card in a wallet or purse. Keep it in a secure location at home, such as a fireproof safe, locked drawer, or lockbox. |
| Limit Sharing | Only provide your SSN when it's absolutely necessary and you are certain of the recipient's legitimacy. Always ask for alternatives on forms (e.g., at healthcare providers) before writing it down. |
| Digital Lock-Down | Create a "My Social Security" Account NOW: Set up an account on the official Social Security Administration website (SSA.gov) immediately. Creating this account prevents identity thieves from creating one in your name to redirect your benefits or monitor your records. |
| Monitoring | Use the online account to monitor your earnings and activity. If you are concerned about identity theft, you can use the account tools to block electronic access to your record entirely, preventing new credit applications. |



Put the Care in Medicare

Medicare fraud is a form of medical identity theft where criminals bill Medicare for services or equipment your loved ones never received. This can jeopardize their coverage and benefits.

| Monitoring Task | What to Look For (Red Flags) | Action if Fraud is Discovered |
|---|---|---|
| Review Claims & Statements | Bills for services, supplies, or equipment you never received (this is medical identity theft). | 1. Call 1-800-MEDICARE immediately to report the suspected fraud. 2. Report the activity to the HHS Office of the Inspector General (OIG). |
| Check Online Account: Log in to your online Medicare account (MyMedicare.gov) to review claims data before the official statements arrive by mail. | Any unfamiliar provider, date of service, or charge amount that doesn't match a service you actually received. | See above. |
| Protect Your Card: Never give your Medicare ID number to anyone except your trusted healthcare providers. | Medicare will never call you out of the blue to ask for your number, bank account information, or Social Security Number. | Hang up on such calls. |



Scammed! What do we do?


If your family member was duped, the immediate priority is to limit the financial damage and secure all personal accounts. Speed is critical.

| Step | Action | Details / Why |
|---|---|---|
| 1. Stop the Money | Contact the bank/financial institution immediately. | If money was wired or sent digitally (e.g., Zelle, Venmo, gift cards), call the bank/service provider right away. Banks can sometimes recall transfers if caught within minutes. |
| 2. Freeze Credit Reports | Freeze credit with all three major bureaus: Experian, Equifax, and TransUnion. | This prevents identity thieves (who may have gotten information during the scam) from opening new credit cards or loans in their name. This is free and essential. |
| 3. File a Report | Report the scam to local police, the FTC, and the FBI's IC3. | Filing official reports aids law enforcement, helps track scammers, and provides documentation needed when dealing with banks or credit bureaus. |


The strategies covered here—from shutting down social engineering threats and mastering password security, to the non-negotiable step of shredding sensitive documents—are essential to keeping our loved ones safe.

Ultimately, our parents’ (and grandparents’) security is a proactive, team effort. By setting transaction limits, claiming their online SSA/Medicare accounts, and having a clear "Scammed! What to Do" plan, we create a financial guardrail that protects them, their information, and their savings. Do not let embarrassment or fear delay reporting. By staying vigilant, communicating openly, and acting fast, you can worry a little less when your family members continue to navigate the modern digital world.
