SecurityTip: Create a Secret Password With Your Family

Scammers are out of control. Every year, fraudsters and cybercriminals make billions by tricking people into parting with their cash. Romance fraud, business email compromise, investment scams, sextortion—the list of ways criminals prey on people is virtually endless and constantly changing.

Add to that impersonation scams, where a criminal pretends to be someone known to their target and extracts money. There have been increasing calls for people, and particularly families, to create passphrases or passwords with each other. At the start of December, the FBI issued a recommendation that people create a “secret word or phrase with your family to verify their identity,” and British bank Starling has also published guidelines on creating safe phrases with others.

It’s a simple, if not new, approach—one that can potentially be effective. For instance, if you receive a message or call from your “son” or “daughter,” and they’re urgently asking for money to get out of a jam, asking them to provide a pre-agreed passphrase can reveal whether it’s really them.

“Fraudsters will use manipulation tactics to put the victim in a vulnerable state where they act out of panic, urgency, or a strong desire,” says Erin Englund, a director of threat analytics at fraud-detection firm BioCatch. “Having a passphrase or similarly prepared strategy enables victims to quickly validate legitimacy of an unusual interaction and take control.”

The calls to create family passwords or passphrases have come because scammers are increasingly adopting AI. Machine learning has allowed criminals to create deepfake videos impersonating people and to clone voices with only a few seconds of audio. Scammers have used these voice clones to pretend family members have been kidnapped and demand ransom payments for their release.

“AI is creating a large amount of risk for businesses and families,” says Rachel Tobac, CEO of SocialProof Security. Tobac says companies she has worked with have been on the receiving end of AI voice-cloned calls that use spoofed phone numbers and try to impersonate business executives.

“I also hear about a few families every day who have received AI phone-call attacks voice-cloning a nephew, grandchild, or sibling in hysterics about being kidnapped or being involved in a car accident where they hit someone pregnant and need money for legal fees and bail,” Tobac says.

Making a Good Family Password

As with your online passwords, there are things you should and shouldn’t do when creating a shared passphrase. For starters, a passphrase shouldn’t be the same as any of your passwords, and it shouldn’t be something a scammer could easily find—such as street names, birthdays, pets, or other personal information that may be shared online.

“Consider anything that you or your loved ones post online as data available to scammers,” Englund says. “Even if you keep all social media private, your data is available to your connections and followers who can be hacked.”

A good family passphrase, according to Starling Bank’s advice, could be anything that is unique, easy to remember, and can ideally be “shared with friends and family in person.” The guidelines give some hypothetical examples, such as a short phrase like “cheese puffs” or “rainbows and dragons,” or a mnemonic like ABC, which stands for “ants bake cakes.”

“Avoid joking about your code word in your text messages, social media posts, et cetera,” Tobac says. “We see folks make a family code word and then it’s hashtagged in their Instagram post. That's not a great idea—it’s got to be kept private.”

Tobac says that while family passwords can be useful, it’s crucial to be aware of their potential limitations. “We have to remember how human beings actually act in an emergency,” she says. For instance, if someone has really been in a car accident, Tobac says, it’s likely adrenaline would kick in and they may not remember a passphrase.

Tobac recommends using a method she calls “Being Politely Paranoid,” which at its simplest is trying to verify the identity of the person who is contacting you by a second method. “If you receive a call from a nephew who says they are in an accident and need money for legal fees, you can say, ‘100 percent I can help you. I just texted you a word, go ahead and read that out to me.’”

Ultimately, nobody is immune to scams, even if they know the steps they should take when receiving a potentially suspicious call or message. “If you do fall victim to a scam, report it to your bank or the authorities,” Englund says. “Often victims feel shame and fault and do not report scams. There are options available to protect yourself and get resolution.”