Advice on creating safe(r) W10 environment for elderly use (scams and malware)

Again, a thank you to everyone willing to participate on this subject. If I can read the room correctly, I am seeing a mixed participation: people who post case-specific questions and suggestions, and people who provide suggestions beyond my listed boundaries / wishes. This last group likely has the intention and desire for a generalised topic on this matter for wide-spread (future) use.

Continuing with the spirit of that last group, I think it will be useful and more clear if I compile a list of options, based on posted suggestions. I will add to this list for any subsequent posts after this one. Or, if desired, you may split this post into a new topic, Mr or Ms moderator.
If you’d like to contribute, propose changes or point out errors, please let me know its placement and description as you envisioned (so I don’t have to guess in case it is beyond my level of comprehension or judgement).

Please correct me if my categorisation, terminology, description or division conditions are incorrect or insufficient; I can handle myself PC-wise on a hardware level and some above-average user Windows stuff, but administrative policies or OS variations, that I am not really acquainted with.

Changing or increasing barriers and fail-safes within Windows environment; none to passive user influence or input

  • Enable and increase User Account Control sensitivity
  • Create a password protected user (optional for password) and admin account (password mandatory); user for daily usage, and admin for admin stuff. Any user-account interactions, e.g. installing remote desktop software most scammers will request you to install, will always require entering admin password
  • Lowering and limiting aforementioned user account’s permissions in Group Policy
  • Increasing email program spam sensitivity level
  • Disabling non-text email auto-downloads (enabling text-only email, disabling auto-attachment downloads, etc.)
  • Contacting ISP for increased filtering / protection
  • Enable automatic updates for installed programs and services
  • Installing more invasive / protective / fail-safe-heavy computer protection programs with most secure settings enabled (either freeware or paid), whatever provides real-time quarantining, scanning and protection. Also check your ISP, some offer fairly elaborate and well-reviewed protection programs and services, often already part of your subscription and thus free (at least, in my country).
    ^ Comodo (firewall + HIPS, the rest seems out of date according to the internet), Malwarebytes, Bitdefender, some Norton stuff (?), Hitman Pro, Avast (One) or Kaspersky, … etc.
  • Active monitoring programs (also see above), but also including chat interactions (Facebook, also mobile)
  • Installing spam-, ad-, tracking- and malware-blocking services:
    ^ Web browser: Adblock, Adblock Plus, Ghostery, HTML5 autoplay-blocker, DuckDuckGo Privacy Essentials, … etc.
    ^ Any VPN-included services (e.g., I have PIA MACE enabled)
    ^ Any additional services from anti-virus and anti-malware programs (freeware or subscription)
  • Not storing passwords on the system desktop in a Notepad or Word file, or desktop sticky with WV or W7…

Additive processes or products; active user input

  • Scanning and/or quarantining (downloaded) files or volumes with use of right-click Windows Defender, any intervening and quarantining installed third-party PC protection program, PeStudio, … etc.
  • Encourage 3-2-1 backup rule, or at least a 2-1 rule on external HDD or flash drive, or even cloud. This is not preventative, but a clean install of Windows after a superficial infection is no problem then (apart from any licensed programs and product keys)
  • Use of third party 2FA / TTP (if needed), either physical (Yubikey) or digital
  • Frequent change of passwords, especially for critical stuff
  • Non-conventional password generation, or in case a system for creating and remembering / looking up passwords is difficult, make use of password manager
  • Secondary email for non-critical sign-ups or potential marketing-mail enlisting etc. (hard to judge, but most often online purchases, social-deal websites, Groupon, Facebook opt-ins etc. This will have to be explained to the user, preferably with a guideline on when to choose which email)
  • Inform about search engine shortcomings and pitfalls. E.g., searching for very common (national) requirements involving tests and payments may bring up malicious websites, that pose (or spoof) as the official source. I tell users to avoid the promoted ads with Google / Bing etc., I’ve seen scams happen once or twice from that. And also, to cross-reference with other official sources for correct URLs, emails or phone numbers, preferably with physical paper forms

Change in work and interaction process, change in OS (process)

  • Installing Linux variants (either amnesiac, like Tails, or ‘normal’ (?))
  • Installing Linux with Windows as VM (either amnesiac, like Tails, or ‘normal’ (?))
  • Any form of Deep Freeze / clean reboot concepts for Windows
  • Installing ChromeOS Flex
  • Switching to Chromebook

Please note: interpretation depends on the situation, capabilities and environment of the user. And as expected, the more intense or disruptive a change will be, the more (negative) side-effects and downsides are likely to accompany that solution.

Social engineering aspect; awareness and hardening
This is the subject that is probably hardest to address. Even additional barriers, such as a user-admin account split with severe limitations for the user or external 2FA, can be nullified if the user ‘forgets’ or is influenced / coerced by external parties.

I tend to educate clients by providing a (short) list of indications of potential bad actors, as well as what information they should limit themselves in promoting to external sources (either by right or as leak- or malicious-intent prevention). This has a wide range, but includes topics on email, web browsing, chat-based interactions, website and webshop judging, password generation and storage, file storage and backups, file and attachment downloads, personal information distribution, telephone interactions and sometimes even physical interactions (stores, doorbell scammers, etc.). Furthermore, research your local or national critical organisations, such as banks. In my country, most banks offer free webinars, FAQs and info-pages on scamming and spoofing for all age groups (mostly on banking, but tips can be applied conceptually to other environments and situations as well).

This probably also includes the subject of ‘protecting people from themselves’, be it naive in origin or plain computer illiterate / technophobic. Likewise, the aforementioned research on local initiatives for elderly tech-support may provide a well-organised, central and trustworthy solution. I know my country has several, local, regional and national, either organised by municipality or charity-like organisations.

2 Likes
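
Added example, not part of the original post: a read-only PowerShell check for the UAC and user/admin-split items in the first list above, reporting where the machine falls short of them. The function name `Get-AccountSplitFindings` is hypothetical, and the script assumes Windows PowerShell 5.1 on Windows 10, local or Microsoft accounts (no domain groups), and that it is run while logged in as the daily-use account.

```powershell
# Added example: read-only audit of the UAC level and the user/admin account split.
# Get-AccountSplitFindings is a hypothetical name; run it as the daily-use account.
function Get-AccountSplitFindings {
    $findings = [System.Collections.Generic.List[string]]::new()

    # UAC policy values are stored under this registry key.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) {
        $findings.Add('UAC is switched off (EnableLUA is not 1).')
    }
    # 2 = "Always notify" (consent on the secure desktop), 1 = ask for credentials
    # on the secure desktop; 5 is the Windows default and is less strict.
    if ($uac.ConsentPromptBehaviorAdmin -notin 1, 2) {
        $findings.Add("UAC is below 'Always notify' (ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)).")
    }
    if ($uac.PromptOnSecureDesktop -ne 1) {
        $findings.Add('Elevation prompts are not shown on the secure desktop.')
    }

    # Built-in Administrators group by well-known SID, so a localised group name does not matter.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })

    # The account running this script should be a standard user, not an administrator.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($me.User.Value -in $adminSids) {
        $findings.Add("Daily-use account '$($me.Name)' is a member of Administrators.")
    }

    # Enabled local administrators whose account flags allow an empty password.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired -and $_.SID.Value -in $adminSids } |
        ForEach-Object { $findings.Add("Administrator '$($_.Name)' is not required to have a password.") }

    return $findings
}

# Print each finding as a warning; no output means all checks passed.
Get-AccountSplitFindings | ForEach-Object { Write-Warning $_ }
```

The script changes nothing on the system. The `PasswordRequired` flag only shows whether a blank password is permitted, not whether one is actually set.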