This why I always go to the actual website. If I get an email that says its from my bank and there's a problem, I log directly into my bank account and don't click in any links in the email. The same for any phone calls. And thank you for helping people avoid these kinds of traps.

Rather clever. I'd add that there are also call centres set up to get personal information off you with a seemingly legitimate company call, asking you to verify some personal information. NEVER give out personal information to an incoming call. Get the company name and look up a number on the internet to phone them back so you know if it's legitimate.

5:25 it literally says "PayPal will never call to ask for this code"

Simplest advice to always follow still stands: If you did not start an interaction do not follow through with it - just “hang up”.

Holy crap, I thought I was pretty wary of most scams, but I could see myself falling for this. Thanks Joe! You rock!

Thank you!

Well good for me. Because I basically changed the method of multi factor authentication, from sms to app authentication on all of my accounts that support it. Because sms messages come unencrypted (basically they come in plain text).

Or, if you get a request (call, SMS, email, etc…) about “security” that you did not initiate (for example, by logging in and changing your password), it’s pretty much guaranteed to be a scam!

At 7:35 "I'm not qualified to explain" and that's when I subscribed. Great job :D Edit: typo in the timestamp

Extremely informative video. GREAT VIDEO Joe! 👍👍

Wow, that method I didn't hear of yet. In my country we currently have a pretty smart scam as well, someone calls you and the caller phone is recognized as one of the credit card companies, the person on the other line is speaking Russian (they particularly call to Russian people as I've seen) and he says that they saw an unrecognized charge from your credit card (which you obviously didn't do) then in order to make sure you are the owner of the card they ask you to tell them your credit card details, which confuses people cause the phone call was recognized as from that company... BTW, might be a great idea to show how to set yubikey on multiple sites etc. (upcoming video??)

Thanks Jo. This is top notch support right there. The news don’t even talk about this or have a segment for it and cops where I live don’t have a KZbin channel to share stuff like this.

If only you could send cognitohazards to the scammers.

Thanks! This is one of your best videos in a while!

That's why many banks are already migrating from OTP SMS codes to Secure Authenticator APPS - basically a virtual version of the security key you just showed.

Great video Joe very informative

A simple thing which i always do. If you receive a phone call from a bank or any other corporate that ask for a specific information Bot or Human, just hang up on them and call back the direct number you know for same company/bank and clarify. If you open a website you know from a link that ask for credentials, close the website from the that link and type the website address on a new tab and login from there.

the best is to call back using a known number, never give information to anyone who calls you no matter who they say they are from and how real the call seems to be.

It’s worth adding that some password managers such as keychain on Apple devices also have a feature that lets you know if the password has been leaked. It then gives you the option of going onto the website to change the password. I can’t comment on how accurate it is as I’m just an every day iPhone user. Just thought I’d post in the hope it would potentially help someone.

So impressed with Joe when he is explaining how Yubi keys work and adds "encrypted in a special way I'm not really qualified to explain" rare humility for a Tech KZbinr and BUY a Security Key! They WORK

Thanks Thio, your videos are always so informative and you do cover a wide range of things, thank you, please keep up the great work you do.

This is why you use separate emails for separate things. I have one email I use for banking and web pay accounts (e.g. paypal, google pay, credit score sites etc), which are secured with very lengthy passwords. I have another email for semi-secured things, like Nexus Mods, or Reddit, etc, which I might use with the same password for ease of use, and yet another email and password non-secured things like junk, surveys, petitions, etc. That way my secured and semi-secured sites are far less likely to get hacked and distributed.

The thing that I find funny about scammers is that if only they'd put that much thought and effort into a legitimate means of making money, they could actually make a lot of money

There are 2 great antiviruses for every electronic device of yours. They're called Common Sense and Responsibility. They're awesome, light and preinstalled most of the time in brains

Wow dude thanx for the info bro. I am going to pick up one of those physical keys now. 🔥🔥🔥 🤜💥🤛

6:15 this happened to me in discord server. A bot asking for my steam account because it detected some unrecognised login etc and the fake website looks 99% like steam so I never suspected it! The email verification is also very similar! I only realized it was fake after I entered my details and couldn't login to my steam. Pretty smart if you ask me. Thankfully I have not saved my credit card info on Steam. So they got nothing but my saved games progress..

I have decided to instantly click because it just appeared now

When I get a notification in my messages for something I don't know what it's for, I always report it as a spam and block it.

Thanks for the info. Haven't thought of that scam. Scammers are very creative.

Thanks a lot for creating videos like this. It will save a lot of unassuming people from the cunning scammers/hackers. Love your work. God Bless.

I wish google would enable feature that only allows to login from country your phone is logged into

Thanks for the great explanation, hopefully these videos save lots of people from being scammed! Great job Joe!

i’m curious about number spoofing, which wasn’t mentioned here: as recently pointed out by linus and others, sms authentication is not considered safe because your phone number can be spoofed in order to receive an sms on your behalf.

Are there really banks that do not use two factor authentication? In Finland that has been the norm since the beginning. The bank provides you a list of single use codes that you give either in order or as requested. In addition you have pin code that only you know. Nowadays they are switching to apps or specific electronic devices.

Wow, that's a good one. I bet lots of people will fall for it. I might have been one of them. Thanks Joe, this is the first I'm hearing of this one

The weakest link in any security is any place where a human is involved. The scammers know this . The security key is a great idea but unless we have a way to secure things that does not require human involvement at all, things like this will keep happening.

Sometimes scammer can hijack your phone features, like once I've accidentally sent something to a random scammer, and then it used my own caller id to call me. Always be vigilant of these scams, stay safe and don't always try to troll those scammers..

Thank your for the info Joe. Now I really have to be more careful. Although in my country I don't usually see that type of scam that smart but sometimes they would call you and pretend to be the police department. This is a very informative video thanks.

Being aware of this issue, might actually be good for one's security. If I ever get one of these calls, I'll know that it's definitely time to change the associated password

Had a call this morning claiming to be from Amazon re someone else using my credit card. Told them right away that I thought them a scammer. They rang off.

This just happened to me today. Robot voice telling me my Amazon was charged a certain amount and if that is correct then to just hang up. If it is a false charge I was to press 1. I just stayed on the line for a minute or two and it disconnected. Went to my Amazon account and of course there was no such charge. I am learning!

Someone tried to do this with my UNEMPLOYMENT Visa card! LOL I knew there was no money on it, so that scam never happened. I RARELY answer ANY calls from a number that I don't know, and I delete ALL unknown text messages. My actual phone number is not under my screen name and my screen names are not my actual name as well. I also do NOT bank online ever. Just sayin' This is an AWESOME channel. Glad I found it!

Thank you. Where do you get a usb security key?

Thank for the tip man. What a coincidence that just now I received a text saying if i made a purchase of $450 to a Chase account and to click the link.

Thank you, but I never about the security keys instead of the "two-step authentication " where does one get these security keys? Always seems the scammers are always one step ahead 🤐

5:10 "PayPal will never call to ask for this code."

I've been getting spam text messages recently which I've never used to get, rather annoying!

Being mindful is the key

Can you make a video where you explain how physical security key works?

This is why SMS 2FA should never be used, and companies that still offer it as the only option should be heavily fined. Scammers can't trick you like this if you need to retrieve the code from an app on your phone instead of a text message.

One of the best fraud prevention actions is to have all your bank and credit cards linked to your cell number so that they can send a text anytime there is a charge.

If i ever get a call like that from paypal bots.,, i always go directly to the main web site to see if anything is charged on my account, I will not give any info over the phone

What you describe is "2 step authentication" NOT "2 factor authentication" All the information you provide is good. And applicable to all types of "2 step authentication". i.e. always susceptible to "man-in-the-middle". The "key" you show at the end of video is, in fact, "2 factor authentication". Could also be a hardware token or app that provides a numeric code to enter.

Great content, love this series on educating us on such new scams, appreciate this alot

There is feature that lets you pair your account to a device/phone, as a virtual key I think, for google and microsoft accounts that I'm aware of. So whenever you login from an unfamiliar pc or device, it asks you on your phone if it's actually you logging in. How secure is that? Video topic maybe.

This is why more companies need to support physical security keys.

thank you for telling me about this thanks Thiojoe😀

Appreciate the heads up very much. These heads ups are super valuable to know about. Thanks

I literally never read my email nor check random messages so GL to them.

yep, love those Yubikeys. I have two of them, like you're saying, one to use, one as backup. What I haven't done yet is set up Google to REQUIRE the hardware key (e.g., disallow all other forms of 2nd step auth). Too chicken for that so far.

Don't forget about sim swapping which can override two factor. Best options is use an authenticator or yubi key.

I did get an email saying Thankyou for your payment for Norton virus of 449.00 !! It said three different credit card options

if something is saying there is a charge on your account then u should check the account B4 u think about any codes

That's very clever, honestly impressive on the scammers part.

My security protection is to not pick up calls from unknown numbers . Then Google the number . If you pick up the bots will put you on a list of active numbers for these scumbags to use.

I don't trust AI phone call's anyway as I hate all of them. Great information but I do not trust anyone calling me on the phone asking for any information. I always talk to my bank as it is a small Credit Union so I know most of them. I gave my health insurance a bunch of questions proving that it was really them. If in the least bit of doubt MAKE THEM PROVE IT. LOL. If they do not understand than TOUGH, they will just have to like it. When one asked for my DOB, I made them give me part of it than I told them the rest. When they ask for your DOB and your in doubt. Make them tell you the day before giving them the month and year. They have a 1 in 30 change in getting it right the first time or make them give you the year you were born, than tell them the month and day. If they ask for your SSN then make them tell you the third number before you give them all four numbers. Point is to make them prove how they are, not the other way around and make them prove it first.

Lmao, I wound never give code over the phone but thanks. Also it's crazy to hear there's banks with passwords. I need login number and banks own generator to login mine.

I think more companies need to start adding context to the SMS they send. My bank does this here in Australia. They will send a SMS which says like "Your security code to transfer $500 to is xxxx

Thanks for the education about scams.

Thanks for the heads-up. I'm pretty good at catching scammers, but not perfect. Good to know about this scamming BS.

Thanks! I’d been wondering exactly, specifically why they always say not to give out these PINs! I had been imagining that they could reverse engineer other account info from it, but that seemed incredibly unlikely, even if they’re using extremely naïve algorithms to derive those codes from passwords.

I've had a lot of scammers try to do this but I've never like pressed any numbers on my phone I usually hang up on them before they even get a chance to even get any information or any at all I don't give out any information that's hilarious though good to have that out there so people know

Yeah when I got a bot call, I didn’t press to talk to someone, instead I logged into my own account and checked and saw nothing wrong. They don’t get anything from me. One from Verizon and one from Amazon and neither heard from me. I’m not trusting a robot.

Best way to get around this, if you are the type of person to panic out of fear rather than logic (hi there rone). Wouldnt it be to check your actual account, see if there is a payment pending or locked / in dispute frozen.

Thankyou very much for the information. Much appreciated.

I'm guessing this is why now google and amazon send a link to my phone I need to click then approve a login instead of sending codes now.

Have you done a video on the most preferred password manager? If not, can you make one.......

These scammer alert videos are great! Thanks you!

When it comes to banking services and login I only here that problem occurring in the states. Here in Sweden we have a secure login via bankID and you can't use anything else to gain access to your account.

Aren't we so lucky to have all this technical bs to cause us more problems as if we don't already have enough on our plates LOL...thank you so much for your videos I appreciate all the help I can get with the computer and scams I think in the past I have been hit with all these scams × 10 at one time or another I just no longer answer my phone inless I know who is on the phone other wise they can leave a mess. Thanks again for your info.

I HAVE 2-FACTOR IDENTIFICATION and they were able to get in and bypass it COMPLETELY as well as the 6-7 email notifications i should have received.

In previous video "The hero the viewers didn't want(or do they) but the hero content creator needed In this video "The hero everybody needed"

This hasn't happened to me before, but now I know how to avoid it, I'ma go watch your other videos about these scams

My bank does not use username/password, but token ID and generated one time password valid for a minute or so. then I nave to sign my transaction using the same cryptographic token. The tokens come in two flavours: a phone app and a physical tamper-proof device (enve the battery cannot be changed - you get a new token if it runs out, but it lasts for at lest five years.) tokens are, of course, protected by PIN stored only in the token itself. I think this should be a minimum for e-banking. The same token can be used to access various government functions online (e.g. query into land registry, passport renewal etc), but high sensitivity operations require personal certificate on ID card that is technically a smartcard.

Thanks for another great info video. 😊

The weak link in 2FA is your mobile phone. They can port it over to a new phone they have and by the time YOUR phone turns into a brick, they have hacked your accounts and now have everything. Setup good passwords with your carrier, multiple if possible. Crypto accounts are particularly vulnerable. Banks move too slow for scammers most of the time.

Very good information & just subscribed. You mentioned that "they" will call to ask for the SMS text code....how do "they" get your phone # to call? Have you done a video on the hardware security key? Thanks

Great video! can you also make a video of the hack where people install malware on your computer and rob the cookies from your browser after they do this they can access any website you were signed in to without password or 2fa

Dude you are totally right!! Them sobs did that to me a couple months ago… Talk about a low blow man… i’m smarter than that but I guess I wasn’t smart enough to subscribe to you before it happened… Thanks for all your help!

I love my password manager. It allows me to make long unique passwords that there is no way I’d remember otherwise

do the password managers work with logins on applications? a launcher for example. mine only works on browser making using different passwords extremely impractical.

Hackers Be Like: We hate You ThioJoe Us be like: Thank you ThioJoe!!

Eh, being scared of social situations pays off sometimes. I don't like talking to people on the phone at all so unless someone's given me their number beforehand and I've put it in my phone book, I've set my phone to auto-reject the call. If someone wants me and I don't know them, they can figure out a different way where it is easier to identify them. If they don't want to, then they didn't want to contact me in the first place, sucks to be them. I just wish that Google released their Call Screen stuff here in the UK...

My daughter had this happen while delivering food for a popular service. Sent verification codes, four of them from the delivery company... Had to change everything!

Had one that claimed there was a problem on my bank account and all I said was, "OK, I'll go into X building to have this sorted out!" Where X is the location of one of their actual buildings, and they had stated, "No, no, no, you don't have to come in, I can help you with that over the phone!" But I state(which is partly a lie) well I was told if there was a problem with my account, I had to come in due too the type of account I have, and I get hung up on normally after I state that a few times! I've not had the robo voice call yet but I know to never enter anything if I get a call/text asking so...

Thanks for the warning. Part of the takeaway for me is that unless I am in the process of logging into a site and I get the expected code to enter, fuggedaboudit. So I guess using Password1 is out of the question? (Kidding, some places won't even allow that.)

You're awesome Thio.

Curious at @ThioJoe if you have addressed the side tangent at this point, it now being five months in the future? 💫

i have a question is a 10 character password good with unique letters that i can memorise non generated by the bot whatgenerates passwords for u or do i need to make longer ones

You should have added in information regarding the 2 factor physical authentication directories that can be searched to see what sites and services currently support physical hardware keys. Other than that it seems you covered everything pretty well.