Elder Fraud: The Cautionary Tale of ‘Thelma’
by Rebecca Taylor, Threat Intelligence Knowledge Manager
Social engineering threats to older individuals have found their way to the silver screen with the release of the film, Thelma. The movie tells the story of a 93-year-old female, played by actress June Squibb, who falls victim to a social engineering attack, unknowingly sending $10,000 to a scammer impersonating her grandson on the phone. Thelma experiences self-doubt and victim-shaming, with her own family questioning her judgement and capacity to care for herself. She decides to flip the narrative and track down the ‘bad guys’ herself.
Although this poignant story prompts a smile and some laughs from the audience, it reflects the harsh reality of elder fraud. According to a report by the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), more than 101,000 victims aged 60 and over reported elder fraud in 2023, compared to 18,000 victims under the age of 20. The report notes the five most common types of elder fraud as “tech support scams, personal data breaches, confidence and romance scams, non-payment or non-delivery scams, and investment scams.” The FBI further added that these criminals “gain their targets’ trust and may communicate with them directly online, over the phone, and/or through the mail; or indirectly through the TV and radio.”
Despite Thelma’s daughter boldly claiming in the film that she wouldn’t have been fooled by the scam, social engineering attacks can convince even the most tech-savvy and cyber-aware individuals. The scammers exploit human psychology to gain access to personal information, systems, or data. Attackers represent themselves as someone the victim would be inclined to trust (e.g., a bank official, trusted vendor, insurance representative, lawyer, colleague) or want to help (e.g., a family member, someone in need), and they use emails, phone calls, social media platforms, or direct messages to urge victims to divulge sensitive information or perform actions such as making a payment. While some social engineering attacks target specific organizations or individuals, many attacks involve scammers casting a wide net to see who will respond.
Aging populations may not be as digitally savvy as younger generations, making the subtleties of well-crafted social engineering attacks more difficult to recognize. Scammers often create a sense of urgency (e.g., a medical, legal, or financial emergency) and prey on a victim’s fears to elicit an emotional response.
In addition to potential monetary losses from these attacks, the stigma attached to falling for a scam can be devastating. Victims often lose trust in their capacity to detect future threats and experience feelings of embarrassment and shame. Seniors may feel particularly vulnerable. While Thelma focuses on elder fraud, the reality is that people of all ages and technical sophistication can become victims of social engineering. Anyone can mistakenly click a link or be manipulated by a skilled scammer.
The following tips can help you and your loved ones avoid or recover from social engineering attacks:
- Educate yourself and others: It is important to normalize the conversation around social engineering and elder fraud. Awareness programs, workshops, and conversations with real-world examples can be beneficial, especially for seniors who might not be as familiar with these scams. Maintaining a non-judgmental and calm environment encourages potential or actual victims to raise concerns and report suspicious activity.
- Trust your instincts: If an offer sounds too good to be true, it probably is. If a request from a relative seems unusual, you probably have reason to be suspicious. Always approach unexpected requests for personal information or financial transactions with a healthy dose of skepticism, and ask yourself “Does this feel right?” If you have doubts or discomfort, stop the conversation and walk away.
- Verify the source: Always confirm the identity of the person or company contacting you and do not just accept what they say. You can end a call or conversation and then directly contact the person or organization yourself. Independently look up phone numbers or official websites rather than using the contact information the individual provides.
- Protect your personal information: Be cautious about requests for personal information. Scammers can use small pieces of information posted online to build a profile of victims and gain trust. Never share your Social Security number, passwords, PINs, or other multi-factor authentication codes with anyone. A legitimate provider will never ask for them.
- Use strong security measures: To protect against unauthorized access to your accounts, use strong passwords, implement multi-factor authentication, and keep software up to date. For individuals who are intimidated by these tasks, technology and service providers, such as banks, can often help individuals add account protections in person. Organizations such as Cyber Seniors and AgeUK also offer support.
- Report crimes as soon as possible: If you have been a victim of a crime, contact the appropriate authorities. In addition to reporting the crime to your local police, cybercrimes can be reported to the following organizations:
If you gave the attacker credentials or financial information, escalate the issue to the appropriate organization, such as your bank or financial provider, and always change your password.
- Consider additional support: Charities and organizations such as The Cyber Helpline and Mind can help victims process the mental toll of these crimes and support victims as they process what has happened.
Thelma illustrates the growing elder fraud threat. While it’s best to let law enforcement pursue the criminals directly, knowledge of the evolving social engineering tactics enables us to protect our senior population and ourselves from these cybercrimes. Awareness, education, vigilance, and simple kindness can make a significant difference.
Learn about other types of social engineering and fraud campaigns investigated by Secureworks® Counter Threat Unit™ (CTU™) researchers: