How to Avoid Getting Scammed Online Part 1 with RCMP Officer Brian Ferguson on Astra Financial

In an era where digital threats loom large, understanding cyber security has never been more crucial, especially for retirees. In this eye-opening episode of our podcast, we sit down with RCMP Officer Brian Ferguson, a seasoned expert with 20 years of experience in tech crime to learn how to avoid getting scammed online.

Officer Ferguson pulls back the curtain on the evolving world of online scams, from heartstring-tugging romance frauds to cunning tech support schemes. With his unique insights, we explore how these scams specifically target retirees and why they’re so effective. But more importantly, we equip you with practical, easy-to-implement strategies to protect yourself and your loved ones from falling victim to these digital predators.

Show Notes: How to Avoid Getting Scammed Online

Zena: Hey there, welcome back. Summer’s pretty much near the end. I’ve taken some time off to spend with family, so I’m back at it, returning and kicking it off with a guest. Brian Ferguson is with the RCMP and working out of Regina, Saskatchewan right now. He is an expert in tech crime. He has worked in that field in Regina and has run a tech crime division in Saskatoon.

Today is part one of a two-part series. Over the course of a 20-year career, Brian has investigated and learned a lot, and he’s going to share with us some gold. We’re going to talk about common online scams targeting retirees and everyone, steps for protecting personal information and securing devices, safe online financial practices, social media privacy, responding to cyber incidents, and staying informed about cybersecurity. These are some of the topics I asked him about, and he shares quite a bit with us. I loved hearing about it; it’s a great reminder, and I think we’re going to learn a lot. So let’s dive in.

Brian, thanks for joining. So we’ve been chatting a lot before I hit record here, and I had to stop and say, whoa, let’s get this on the record because there’s some really good stuff flying out. You’ve been in the RCMP for 20 years. I imagine you’ve seen an increase in the popularity of scams. There are so many common ones. Share with me some of the most popular ones you’ve seen and worked on.

Brian: Well, thanks for having me on here so we can discuss this. During my time in the RCMP and in the technological crime unit, we were subjected to seeing a lot of people who had just been taken advantage of. That was, to me, aside from all the other types of crimes we had to deal with, this one always seemed to hit me the most because it always involved someone who was very vulnerable and trusting, and they would be caught up with someone who would literally trick them out of their money.

Even in some cases, when we confronted them with the truth that this person might not exist, you’d be amazed at how adamant people were. They’d say, “I’ve talked to this person for years, like a year and a half. I’ve had conversations with this gentleman down in the U.S.” So there were some strong emotional attachments. For me, these were the most difficult cases to deal with because of the human element—someone really trusted somebody and then got taken advantage of.

The ones we saw, as I kind of prefaced earlier, were the “lonely hearts” or romance scams. What happens is someone, feeling lonely and seeking companionship, goes online and sparks up a conversation with someone. Things are going well—lots of good conversations back and forth, and it seems like they’re having a good engagement. Then, at some point during that conversation—and it may not be the first time they talk, it could be the hundredth time—the person says, “Hey, I really want to come see you, but I just don’t have any money right now. It’s all tied up in investments, or I’m on a fixed income, so I just can’t afford to come, but boy, oh boy, I sure want to see you.” Then, being a nice person, the victim might say, “How about I buy you a ticket? You can come up, and we can spend some time together.” That would be great. So they send them a ticket, and that ticket gets refunded immediately, or they use some excuse, asking the victim to send money instead because they supposedly have a discount code or some other reason. They somehow convince the victim to provide financial assistance, and it just goes on from there—house problems, a child needing healthcare, etc.

Zena: I had a text message come in that said, “Hi mom, I’m using a friend’s phone because I lost mine. How are things?” And I’m thinking, well, my daughter was sitting right there with me, just happened to be. I was thinking, you know, this would have worked if we lived in a different city, and I might have started a conversation. I imagine these scams take time to develop. Is it a long relationship that gets built, and is it mostly older people or all ages? Because I mean, it had me for a second.

Brian: It affects all ages, to be honest. If you got that call, like you mentioned, and your daughter hadn’t been sitting right next to you, you might have thought, “Oh, really? What’s going on?” and replied back. That’s the engagement that online scammers are looking for—some feedback indicating there’s another person on the other end willing to engage with them. They could have 50 people they’re interacting with at the same time.

As a police officer, I question everything now. If my daughter sent me a text from someone else’s phone saying, “Hey, my phone broke, so I’m using my friend’s phone,” I’d ask, “What’s your friend’s name?” or immediately call my daughter’s phone to see if she’d answer and say, “Someone just sent this text message.” I confirm everything. I never trust random messages; they call it “smishing” for SMS text scams, similar to “phishing” for emails. Have you ever heard those voice scams where they call and say your social insurance number has been tagged with warrants for arrest or something ridiculous like that? That’s called “vishing,” which stands for voice phishing.

There are tons of ways people try to separate you from your money. If I had 500 people on the line as an online scammer, all I need is two or three to fall for it. I maintain these constant relationships, and there are literally rooms of people, both inside and outside this country, doing this every day. They’re always trying to find someone willing to engage with them. Once they get that first bite, that’s all they need—a thread to start pulling on. Sometimes it’s a slow game; it can take a long time before they finally ask for money.

Zena: But I love the fact that you said to ask questions back. Can you do that for vishing and smishing? I’m using all the terms, you know, for the voicemail and the emails. Can you do that?

Brian: For the voice ones, not so much because that’s an automated process. They set up an automated dialer with an automated message. Hang up. If you get an automated message saying there’s been fraudulent activity detected on your account, press one to find out more—no, hang up. Your bank is never going to call you with an automated dialer for any of that. Even if they do, call them. You go out and find their phone number and call them directly. Don’t ever respond to one of their messages. You should initiate contact with a known number, not some random one sent to you or an email that claims to be from RBC Security. A friend of mine just posted something saying RBC Security sent them an email, and I said, “Really? Well, did they?”

Zena: They’re getting really good at making them look authentic. I had, yeah, you name it—they’re coming, and it’s really, really hard. So with my daughters and my mom, I’ve been saying, you know, for my mom, I say, “Take a screenshot, send it to me first before you do anything.” And for my daughters, it’s, um, just ignore it and contact the company directly that you’re supposed to deal with. Is that your advice then?

Brian: A hundred percent. If your bank or the Canada Revenue Agency or anyone is contacting you, then go and find their direct line numbers and call them directly. If there are any issues with your accounts, then you’re dealing with them. Don’t call the 800 number in the email; independently look up whatever bank or institution it is, find that direct number, and call them to say, “I just got a message saying this—is this correct? Is this accurate?” Those are really the key points. I always say, trust no one when you get something—an attachment in an email, my goodness. My wonderful mother sends me notes all the time: “I just got this email, and it’s got this attachment.” I told her, “I have a post-it note in front of your computer: Don’t open any attachments at all.” If someone sends me an attachment, I literally call them and say, “Did you send me something?” If they say, “No, I never sent you anything,” delete it. It’s gone. I never open them, I don’t preview them, nothing. If it’s meant to be sent to me, especially ones that say, “Hey, take a look at this,” with the subject header like that, and then it’s a picture or a PDF or an invoice, it will always have something tempting for you to try and click on—like, yeah, in lots of places it’s a refund or a sexy picture, you know, “Let me open that,” or “What a great sunset,” or something to draw you in. The moment you open that file, you’ve now opened up whatever system you’ve opened it on to being infected by something. Hopefully, your malware protection will kick in to catch something like that launching, but never, ever trust anything that gets sent to you unless you’ve expressly asked for it. You know, I confirm everything before I open it.

Zena: That’s great advice. Yeah, absolutely. Even when, you know, we’re talking to clients in our office, we have passwords on everything we send, but we’re never going to send something that wasn’t communicated beforehand, whether by phone or we’ve already talked and they’re expecting it. Anything that does come as a surprise to anybody, yeah, contact that person and find out—good advice. What’s the most common, if you were to pick some of the common scams out there? I mean, there are so many, it might be hard.

Brian: Well, the tech support one has always been a staple. It’s been around probably the longest, where something pops up on your computer and says, “You’ve been infected. Please call us. Microsoft has detected something wrong with your computer. Please phone us to get it sorted out.” And then you make a phone call. It sounds official, and that person will log into your computer, and they will devastate it. You won’t see it until they leave, but they will have gone into your computer, copied absolutely everything, locked your system down, and stolen every credential you have for all your online banking. Anything you have on your system, they will have full access to. They’ll even try to trick you into logging into your online banking, and then they’ll literally pop up a screen in front of you that’s a dummy screen. In the background, they’re actually going in and transferring money out of your accounts. So yeah, you can lose everything.

And I take it, you know, I know lots about computers, so it’s easy for me to say, “How can anybody believe this?” But I liken it to something that maybe I don’t know about, like, say, fixing the engine in my car. I don’t know anything about car mechanics. If I went to a mechanic and he told me something very technical about my car, I’d say, “Okay, I don’t know what that means, what do I do?” So I always put myself in the shoes of someone who doesn’t have that technical knowledge and would think, “Well, I don’t understand this, and I don’t want my computer to break because I need it for everything I do, so I really need to get this fixed.” They talk to somebody, and I’ve seen some scams get quite aggressive, where the scammer will start yelling at the person: “You will send me this money to fix this computer—you do it right now.” It’s amazing how aggressive they can get because this is their livelihood—getting into your system to get all your money is how they make money.

Again, anything that pops up on your screen—lots of times, if you’re browsing on some websites, something might pop up and lock everything else out. It might say your computer has been infected, and you can’t do anything, you can’t close anything, and it says, “Click here to get tech customer support.” Well, if you click there, you’re actually executing a program that will allow something else to get into your system. The whole point is, if that screen locks up and you can’t do anything else, I always tell everybody, press and hold the power button for five seconds—your computer will turn off.

Zena: When in doubt, turn it off.

Brian: When in doubt, hit the power button. Kill it, right? That way, you aren’t clicking on anything, you’re not executing any programs. When you reboot your computer, everything should be the same. There shouldn’t be any issues with it. Now, if you execute a program, that might change the circumstances where you may not have access. You mentioned that malware attack. The way that works is somebody executed a program inside that computer network, and what it did was encrypt the entire network. So, it locked everyone out, locked all the screens, locked all the data—encrypted everything. Now you have no access to any of your stuff, and then they send you a nice note saying, “Great, for $1,700 U.S. in Bitcoin, I’ll send you the key that will unlock all your software and computer systems.” And that’s the only way you’re getting it back. There’s no way to break that encryption. Once it’s in and locked, unless you have a protected backup somewhere else, whatever is on there is gone. And nothing is saying these people have to give you the key once you pay them, right? So, you could give them the money, and they say, “That’s not enough. We need another $5,000.” It’s a progressive thing. For me, I’d say the most common scams we’ve dealt with are probably the tech support scams and the romance scams—they’re almost on par, where someone is being manipulated by someone else.

Zena: Yeah, I think we all know someone who’s been hacked in some way, whether it’s a romance scam, fraud, or even a tech scam. I’m thinking of someone right now that I know. A few years ago—or maybe a couple of years ago, it doesn’t matter when—I went onto online banking, used a saved site I usually use, and logged in. My online banking looked exactly the same. Suddenly, I saw an e-transfer to a random, awful email address—not a person, but some sort of outside source. Someone had somehow gotten onto the computer. This is how my brain works, because I’m not a techie. Somehow, they were on live, and as I was online, they were online at the same time in my banking, and they sent themselves an e-transfer. Because it was all live and I was there, I canceled the transfer since I was in there looking at statements or whatever, taking a look at previous things. I canceled the e-transfer, logged out, shut down the computer, and called the bank right away. Nothing had been sent. The transfer was canceled. How does that happen? And of course, since then, I called tech support for my laptop and my personal bank, and we changed passwords on everything. We deleted cookies and went through the whole thing and wiped everything. Is that a thing?

Brian: Yeah, unfortunately, yes. You hear about it all the time. Think about all the different sites you use, right? You save credit card information, or now, especially, debit cards can have Mastercards or Visas attached to them as well, so they can be used as credit cards. Those could also be stored in the systems, even with the companies you deal with. Just recently, I got an email from Ticketmaster saying they had a data breach, and “Here’s some free marketing.” And surprisingly enough, at three o’clock in the morning, my phone pinged, and I got an alert from my credit card stating that someone was using my credit card in Texas to purchase firearms. They made a purchase at Golf Galaxy for $5, and suddenly I started seeing all these online purchases starting to kick in. Now, the good part about credit cards is when you make that phone call to them and say, “Hey, these are fraudulent,” they say, “For sure, yes, they are.” They cancel everything. I wasn’t out anything. The bad part is you have to wait five days to get another credit card in the mail. But again, if that was the worst that happens to me, it’s not really the end.

Zena: Not out any money. Actually, I’ll share—this just happened. We talked to one of Ian’s uncles. He has his credit card on his watch for Apple Pay, and it was breached. Somehow, there was a $1,500 charge that wasn’t his. It was sent over in Japan, and it’s not covered under any insurance with the credit card because it was used with Apple Pay. So, because it was on his iWatch through Apple Pay, the credit card is no longer covering it; it’s up to Apple Pay to cover it, and they’re not covering it.

Brian: Oh no.

Zena: Yeah, that was new to me.

Brian: That’s right. And, you know, when it comes out of your personal bank account, now you’re going to be out that money until you discuss it with the bank, and then it’s determined that, yes, this was a data breach or whatever it was. Then they can reverse the charges and do all that for you. On a credit card, it’s automatic, right? You know you’re not out anything. Now, you’re not down any money. Trust me, as a financial institution, they’re going to make sure their money is protected, so they will reverse those charges without delay. I think it was literally that same day all of those charges that were added up on my card were automatically reversed, and they were gone. But had that been my personal bank account, I’d be out that money until the bank decided what that was.

Zena: So, interesting just for listeners. This is something we use in our cash flow planning, and the same in our family—we have our debit card, and in our debit card, we do not keep our entire lump of revolving savings in there. We keep a small amount—usually under $1,000 or $2,000. We just transfer in there whatever timeline that is, whether weekly or as needed, to use the debit card. In a separate savings account is all the revolving savings, where all the fixed expenses and all the pay goes into. What it does is it adds a little bit of a safety net. If the debit card gets hacked, lost, or tapped, or if the same happens with Apple Pay on our watch, we’ll never be out a large amount. It will always be under a certain amount. So that’s one thing that, in cash flow planning, is a bonus when we talk with clients about having that separate operating account for just spending, without having everything—savings and revolving money—in there. It works well for us anyway.

Brian: Yeah, exactly. And again, if the well isn’t very deep, you don’t lose a lot of water.

Zena: Hey, listeners, stay tuned for part two coming out next week. Our conversation will continue in the next episode.