She is not alone, of course. The FBI has issued an advisory on the grandparent scam, and CBS News did an interview in mid-April with a jailed con man who said those who know how to do the scam well can make $10,000 in a day.
4. Hi, this is Jim from accounting ...
A multi-stage scam, which Hadnagy calls "Multi-stage SE," is aimed at planting malware on the networks of enterprises. It uses both email and phone, hoping to snare careless or unwary employees.
"A typical attack goes like this," he said.
Stage 1: An email is sent with an attachment that looks like it's from someone internal.
Stage 2: Moments later, a call is placed from a spoofed number. "Hi, this is Jim from accounting. I just sent you a report that I need your comments on ASAP. Can you open it please?"
"Jim I see it, let me..." as clicking occurs. "Uh, Jim, it just crashes, not sure what is going on..."
"Dang it, I probably sent you the wrong version. It is end of the day, can you give me till the morning and I will send you an updated one?"
"Sure no problem."
Stage 3: Now malware is planted and the network is hacked.
Hadnagy said that, as is often the case, the scam works because people don't "stop and look. Most of the time there are 'tells' in the email, as the URL is wrong. Do I know Jim from accounting? Why is he sending me this report? There are a lot of things that can throw red flags, but one needs to think critically to understand that and catch the hacker."
5. We're here to help ... ourselves to your files, your money, your identity
The "tech support" scam is another well-established attack that remains popular because it is so effective: cybercriminals call or email, claiming to represent tech support or the "Helpdesk" of enterprises such as Microsoft, PayPal, Verizon, Netflix and others.
Theresa Payton, president and CEO of Fortalice and a former White House CIO, said scammers sometimes, "offer support and service for a low monthly price that really don't provide any support at all, or worse, takes enough information from you to commit ID theft."
Or, they try to get victims to click on a link to download security updates and bug fixes, "that allow the cybercriminals to place spyware or malware on your computer," Payton said.
Fincher cites a report from Ars Technica estimating that tech support scams have made tens of millions of dollars.
The Verizon scam is similar, Fincher said. "The scammers call cell phones and direct customers to navigate to a special website to get a rebate, but instead, collect credentials."