Ask Slashdot: What To Tell Non-Tech Savvy Family About Malware?

First time accepted submitter veganboyjosh writes "I got an instant message from an uncle the other day, asking me what was in the link I sent him. I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box. This was confirmed when he told me the address the link had come from. When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.' I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not. This uncle is far from tech savvy. He's in his 60s, and uses Facebook several times a week. He knows I'm online much more and kind of know my way around. After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him, this wasn't an unfamiliar email address, it was mine. How do I explain this to him, and what else should I feel responsible for telling him?"

Think up a meatspace analogy

[The+MAZZTer]

In this case, let's say your uncle mails his letters by leaving them in his mailbox (I think some places let you do this) for the mailman to pick up. Now let's say a shady guy comes along and copies the names of people your uncle is mailing letters to, including yours, then sends him a letter purportedly from you asking him to loan you money by wiring it to a specific bank account or whatever.

Your NAME was involved but you had nothing to do with it, and the scammer found out your name from him.

Re:Think up a meatspace analogy

[houghi]

With email, I also always use the snail-mail analogy.
Everybody can send your name on an envelope.
Everybody can write my name on the back.
There is no way of telling where it was then send from, except the country where the person put it in the mailbox.

That will help most of the time (some people just don't WANT to understand), yet I can go further:
Email is like a postcard, everybody can read it. If you encrypt it, it is like an envelope.

An email has two parts. The part before the @ and the part after it.
The last part is the address. Street, and city/country. The part before it is your mailbox. It can have your name, but can also be a mailbox or anything that you put on the mailbox.

Your email program puts it in the mailbox. That is emptied by the post people. Then it si put in trucks to the postal dispatch. That will sort it and send it with a lot of others to another dispatch, where it will be sorted again and given to the postman. He will put it then in your mailbox.
So it is not like a fax where the machine speaks directly to another machine. It takes a lot of steps and on all those steps there can be a delay. That is the reason your email might not arrive in the 7 seconds you have been waiting for.

Just make shit up

Seriously. Show him a segment in the e-mail header and say that's proof his shit was hacked. He won't know the difference anyway.

Tagged as funny, but makes a point.

[mark-t]

Really, I can't think oi a good reason to presume that either account was actually hacked. What's evidently happened, however, is that both parties have had their email addresses harvested, using one (falsely) as a sender and the other as recipient.

Re:Fake one yourself.

[toygeek]

I did this once to prove the point to my wife. I made up some ridiculous email and then called her and asked her if she got it. She had. When I told her it was from ME, she finally got the point. The email was telling her she was a winner of free tickets to a concert for an artist that hasn't performed in a VERY long time. And I didn't have to telnet into a server to do it. I just set up my mail program.