Discuss these cybersecurity lessons and threats with your family...
This article originally appeared in Issue 10 of our magazine.
Does this sound familiar?
SUBJECT: HELP! STUCK OVERSEAS
I’ve contacted my bank and the embassy, the embassy is willing to assist me but my funds are depleted to pay for a new passport fees and other miscellaneous expenses. I don’t have access to my account over and My bank said it would take 5 working days to access funds from my account. Please can you lend me some funds? I’ll pay back, as soon as I return home.
I desperately await your response,
You may have received phishing-type emails like this before. Fred Jones is just a pseudonym used here as an example; it’s interchangeable with any name. If you’re on that hacked individual’s list of contacts, you may be the recipient of a fraudulent email like this and not be aware that it’s bogus.
Of course, being the compassionate person you are, you want to help, right? So you continue this conversation until you wire money or perhaps hand over some personal information. Then you eventually discover that you’ve just fallen for a scam and may have provided the imposter with data that may further compromise your identity and finances.
From the cyber breach at the Office of Personnel Management to the Sony Pictures Entertainment hack, there are thousands of nameless, faceless criminals out there who have enough knowledge to tap into state-of-the-art data infrastructure systems to retrieve information. So if they can invade the networks of companies with staff members tasked with stopping a breach, how is the average citizen safe?
“One of the biggest misconceptions people have is that they won’t be a target of a hacker. Everyone is a target,” says Amy Baker, vice president of marketing for Wombat Security, a provider of software that helps organizations educate their employees on how to avoid cyber attacks. “Many people think that if they haven’t seen evidence of hacking or malware that they haven’t been attacked. We see examples of high-level breaches where companies didn’t know for months that they’d been hacked, but that goes for individuals too. They may have revealed information to a cyber criminal and just not known it. Just because there’s no evidence of a hack doesn’t mean that a cyber criminal doesn’t have your information and intend to use it at a later date.”
Unfortunately, cyber crimes are rampant and come in many guises. What’s even worse, the offenders often go unprosecuted because people are too ashamed to admit they fell for this type of crime or don’t know who to report it to. Whether it’s malware, hacking, scams, or any other type of cyber crime, the reality is that buying certain kinds of software or hardware doesn’t protect you from your own ignorance.
It’s like owning a car: parking in a bad neighborhood still invites theft no matter how good your alarm is. Nothing takes the place of recognizing signs of potential threats. Here we’ll break down how to recognize common forms of cyber crimes, give you some preventative measures, explain how to report these crimes, and dispel common misconceptions.
An attacker intent on accessing your personal information will do everything they can to avoid raising awareness of their breach. While large companies and wealthy individuals are certainly targets, the average citizen still has money, an identity, Internet access, and the potential to be misled through false pretenses.
These attacks can be disguised as emails, messages, or websites masquerading as your bank, cellphone provider, a government agency, acquaintance, or service you use (such as eBay). While the source still may appear legitimate, wrongfully assuming that it is can allow transmittal of malware (viruses, spyware, worms, etc.) that can damage your computer, allow access to sensitive information, or trick you into paying for something spurious.
Cyber attacks are perpetrated through a variety of methods. Phishing is the most common way people fall victim to cyber attacks because it is geared toward personal manipulation. It’s most often delivered through unsolicited email, texts, or instant messaging, and poses as a trustworthy source to trick you into revealing information or downloading malware that may damage your system or allow criminals to gain additional intel.
These emails, messages, or websites may ask you to:
Although these are common forms of phishing, it’s really limitless in how phishers engage potential victims. It can happen over the phone or even in person, although these offline interactions would be categorized under the broader term social engineering.
Unsafe web browsing is another phishing method to be aware of. Just visiting a site that isn’t mainstream can be a trap to invade your computer. Pop-ups can also be a phishing attempt that can still compromise your computer and personal info.
Most cyber crimes are financially motivated, aiming to steal information that allows someone to take money or property; however, some forms of hacking and transmittal of malware are used solely for destructive purposes. “There are three main areas of cyber crime,” says Dan Vesley, CEO of Web Precision Internet Services, who has 20 years of web design, marketing, and IT services experience. “Cyber piracy: Using computer technology in unauthorized ways to steal, copy, and redistribute software or other proprietary information; Cyber trespass: Using technology to gain unauthorized access to a personal or business computer system or website; and Cyber vandalism: Using technology to disrupt networks and destroy computer data and system resources.”
Don’t think that your mobile device is impenetrable to malware and information theft either. Since so many people store information, communicate, and conduct business through their phones or tablets, there are thousands of methods to invade them. Anything from unsafe Wi-Fi connections to receiving a text message and clicking on an unsafe link to unknowingly downloading a nefarious app can compromise your device and info.
People often put too much stock in the notion of being impervious to theft by buying certain hardware or anti-virus software, but these commodities won’t keep a naïve user from being fooled into taking an action that’s to their own detriment. No amount of money spent on the best computer and security measures will prevent you from potentially clicking on a website that locks your computer and tells you that you are delinquent on your IRS payments, only for you to give your credit card information for fear of arrest. The police and IRS don’t call ahead or communicate online to warn you of an impending arrest — they come to the door. The first step is knowing how to avoid the problem.
If something looks suspicious, too good to be true, or is asking you for money and personal information, it’s likely a hoax. Do not open unsolicited email. Delete it immediately. While malware cannot be transmitted in a plain body of text, the contents of the email such as links and attachments can lead to an infection.
If you receive an email or text asking you to confirm personal information or provide financial info, even from a trusted source you use regularly such as Amazon.com, your bank, or another company where you pay for services, do not assume it’s genuine. The terms of service these organizations offer spell out their policies regarding information disclosure.
Assume someone pressuring or threatening you with legal action as a way of getting your info is doing it under false pretenses. Legitimate sources will usually not use tactics like this and the ones you’ve done business with before already have your information so there’s no need to verify it. If someone is claiming to represent an organization, call it directly yourself so that you can substantiate the accuracy of requests being made for your personal info. Responding to the email or message in question is only going to perpetuate the scam.
Some common indicators of fraudulent URLs are those with hyphens, numbers, or symbols in the address, or a URL you don’t recognize. Some fraudulent URLs contain words you might recognize (e.g. “ebay.com”), but are structured to redirect you elsewhere. Legitimate services that shorten URLs can also obscure the final destination, so be careful clicking on those if you’re not sure of the source. If the URL contains characters such as these or is unfamiliar, do not click on it. You can do a web search for the dubious URL to learn additional information from other sources and verify its legitimacy. “Over 50,000 websites are hacked daily around the world and many are replaced by the hacker with a site that looks like the original, but contains a malicious site. Also, web pages that attempt to trick the user into updating plug-ins such as Java or Flash are common ways for hackers to gain access to your PC. You must be extremely careful when installing any such updates,” Vesley says.
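For readers who like to see the URL warning signs above spelled out as logic, here is a small Python checker, added as an illustration and not part of the original article. The brand, shortener, and suffix lists are tiny assumed samples, the "registered domain" rule is a simplification, and the checks for an "@" trick, raw IP addresses, and punycode go slightly beyond the signs listed above.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, deliberately tiny lists for illustration; not authoritative data.
KNOWN_BRANDS = {"ebay": "ebay.com", "amazon": "amazon.com", "paypal": "paypal.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample URLs (example/documentation hosts, not real indicators).
SAMPLES = [
    "https://www.ebay.com/itm/12345",
    "http://ebay.com.account-verify.example/login",
    "https://ebay.com@203.0.113.7/signin",
    "https://bit.ly/3abcXYZ",
]


def registered_domain(host):
    """Naive registrable domain: last two labels, three for listed suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip(host):
    """True when the host is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_warnings(url):
    """Return warning strings for a URL; an empty list means no check fired."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname could be parsed"]
    warnings = []
    if parts.username is not None:
        warnings.append(f"text before '@' is not the destination; real host is {host}")
    if is_ip(host):
        return warnings + ["raw IP address instead of a domain name"]
    domain = registered_domain(host)
    if domain in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label may render as look-alike characters")
    name = domain.split(".")[0]
    if "-" in name or any(c.isdigit() for c in name):
        warnings.append("hyphen or digit in the domain name")
    haystack = host + parts.path.lower()
    for brand, real in KNOWN_BRANDS.items():
        if brand in haystack and domain != real:
            warnings.append(f"mentions '{brand}' but the domain is {domain}, not {real}")
    return warnings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", url_warnings(sample) or "no warnings")
```

An empty result only means none of these simple checks fired; it does not prove a link is safe, and plenty of legitimate sites use hyphens or digits in their names.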
Job applicants should verify whether or not companies they’re applying to actually exist by searching their name, checking what other websites say about them, and looking for a mailing address and phone number you can call or possibly visit in person.
A way to ensure you do not fall victim to a malicious pop-up or website that doesn’t allow you to click the “go back” button is to close or force quit your entire browser session. Even if you try to click on the “X” or “Close” button to exit a pop-up window, you may still enable a malware infection.
While app stores try to eradicate malicious software from their inventory, free applications are common ways that malware can be downloaded to your phone or mobile device. Research the application before you download it.
Anti-malware software is another viable preventive measure to install on your computer. Getting the most recent version available is recommended since new threats are constantly being discovered and anti-malware programs do their best to keep current with the latest recognized forms of attack. Update your software and operating system as often as possible and make sure any spam filters are kept on.
On the hardware end of things, products such as encrypted hard drives can be installed as an enhanced safety measure, but do take some training for the average person to install and become familiar with. Find a good computer technician, ask your sales associate, or contact the computer company’s tech support group on how to maximize your computer’s safety features.
Although certain software and hardware components are better than no protection at all, these built-in or off-the-shelf safety measures are not foolproof. Anti-malware programs are engineered to block threats with a known design. The criminals out there generating malware are also doing their best to create workarounds to circumvent the software’s safety protocols.
“These kinds of programs would not stop a targeted attack,” says Baker of Wombat Security. “The last line of defense against the cyber crime is the individual.”
Your friend’s “stuck overseas” email may have coincided with a vacation they were actually on because they publicized it online. People divulge a great deal of information through social media without understanding how much they open themselves up to becoming a target. If you receive an email from someone you feel may be posing as an acquaintance, call them directly or ask them a question that only they would know the answer to so that you can attempt to verify if it’s sincere. If the response sounds desperate, accusatory, or out of character for what you know about this person, assume it’s “phishy” and avoid any further conversation. If the average person encountered trouble while traveling, they should know enough about resources in their location who can help them and would not need to reach out to someone through email for help.
Myth 1: Macs Don’t Get Malware
Steve Jobs fans argue that Macs are better than PCs partly because the latter are petri dishes for digital viruses — but both are susceptible to malware. Attacks such as phishing are targeted toward the user, so your choice of operating system becomes a moot point if the person on the keyboard falls for a scam. Hackers and cyber criminals tend to focus on the most popular systems for a higher success rate, so no matter what cellphone, tablet, or computer you buy, you cannot solely rely on its built-in safety measures to protect you.
Myth 2: Emails From Known Individuals Are Safe
People have their emails, messaging accounts, and social media profiles hacked or impersonated frequently. Clicking on a link in an email or message, downloading an attachment, or providing personal info online to someone you know is risky. If emails and messages appear to be random or unsolicited, even from people or companies you know, do not click on any links, open any attachments, or respond. Contact that person directly to verify if it’s legit.
Myth 3: Visiting Reputable Sites Is Always Safe
While avoiding questionable looking sites is good advice, there have been instances where even legitimate, reputable websites can be compromised. This may happen by receiving an email to visit a website that appears to be something you use regularly such as your bank, but is really a façade to record your information or deliver malicious code to your computer. You must exercise caution in visiting all websites.
Myth 4: Infections Are Always Obvious
Cyber criminals do not want to alert users to their presence. While some malware is designed specifically to disrupt an operating system and has obvious signs of infection, hacking and spyware can remain hidden indefinitely to record keystrokes for passwords, send spam through your email, or use your computer to attack websites.
Myth 5: Phones and Tablets Do Not Get Malware
Mobile traffic is quickly increasing and so has malware specifically designed for smartphones and tablets. Malware protection for mobile devices is available through many providers and is a good safety measure to implement. In general, be very cautious about the apps and games you install on your device, especially if they're from unknown publishers and have few reviews.
You may be in the habit of using the same password for most, if not all, of your system access needs so it’s easy to remember. While that may make your life more convenient in the short term, cyber criminals feed on this predictable behavior, and once they have your password to one site, you can bet they will try it with everything else. Here are some methods to mitigate having your information accessed by another party:
Choose a strong password: Do not use something simple or predictable. Many websites have generic security questions to verify the user by asking for information that’s easily extrapolated from various sources like social media, such as “Where did you go to high school?” Use something at least eight characters long made up of numbers, symbols, capital and lowercase letters. Do not use personal information such as your pet’s name, mother’s name, or birthdate. Use something no one could easily figure out.
Use a different password for each account: This may seem like a huge pain, but it may mean the difference between having your info stolen or not. Keeping a written ledger or some other record in a safe place with your current passwords will help if you feel you can’t remember them. Saving a list of your passwords on your computer or smartphone is not recommended. There are also applications available for your computer and mobile devices which generate unique passwords and help you use and manage them all.
Change your passwords often: Changing your password every 60 days is a good rule of thumb to ensure safer account access. Reusing a password is acceptable, but wait at least a year before changing your password on a particular account back to a previously used password.
Password protection: Be sure your devices offer password protection and keep that feature activated so you aren’t spelling it out for the world to see.
We all have those friends — the ones who can’t live without making some announcement about themselves every 20 minutes on Facebook, Instagram, or Twitter. While you may want all your friends to know what an interesting life you live, your vanity and need for attention may cost you more than you realize. Sharing photos while you’re on vacation, checking in at your favorite locations, and showing a photo of the new home you just bought are things that invite disaster.
What you reveal about your personal life may be all that’s needed for someone to accumulate enough info about your relatives, hobbies, friends, pets, age, and workplace to impersonate you, guess a password to access your personal information, steal property, or potentially harm others you know. Here are some good tips to safely engage in social media:
Stranger Danger: You may be getting friend requests from people you don’t know and feel flattered that they have taken an interest in your life. However, since you don’t really know what their intentions are, it’s best to avoid this. Don’t interact with people you don’t know, regardless of how cute they may look in their photograph, how nice their message seems, or if you have a mutual friend.
Over-Sharing: If you want to share vacation photos, do it after you’re home. Checking into a restaurant may get you a discount, but that cheaper meal won’t taste so good when people monitoring your posts know you’re away and burglarize your home. Posting pictures of your kids and how proud you are that they got honor roll at XYZ school could potentially invite a kidnapping. The less you share, the safer you are.
Public, open WiFi is a feeding ground for cyber criminals. There are many ways they can monitor and breach these connections. Using a secure network that has a password will minimize your chances of revealing information. Visiting only secure websites with “https” in the URL prefix during a WiFi session is another way to reduce the information you share in an open network. Using a VPN (virtual private network) service can also keep your browsing hidden. Free and paid options are available for VPNs on various devices. Doing a web search for VPN systems and their ratings can help you select and set up a VPN for your operating systems.
Installing updates to your devices should not be done on public WiFi since it can sometimes be a false prompt that can trick you into downloading malware. Log off any services that you were signed into during your browsing session and deactivate any “connect automatically” features that your device may have that would connect you to that system again if you’re in range.
You can also enable a two-factor authentication feature on websites you commonly access, such as your email where a password can easily be sniffed out. This is not a perfect solution, but does offer another layer of security, as well as a potential early warning text message if someone tries to access your account.
Infiltrations can still happen even if your browser is not open. When you have finished using your device, don’t just leave the computer on or log out. Shut off the computer completely as an added safeguard measure.
Perhaps George Orwell was right. Although we enjoy the convenience of being easily connected with the rest of the world in so many ways, it’s not without its drawbacks. Our digital world continues to grow and, with it, not only does our privacy continue to be violated, but things such as social media have also magically convinced us that privacy is an old idea that we no longer need.
We can, however, mitigate our own exposure by practicing good cyber security skills. When setting up your computer, research cyber security tips on what safeguards you can activate to increase your level of privacy while online. Ask your mobile device provider what safety features you can implement on your and your children’s cell phones and tablets. Use discretion when communicating with unknown individuals or being asked to reveal personal information online.
Cyber security education is one step toward a safer digital world.
Here are some resources you can visit to learn more on cyber incidents, how to protect your computer, and to get educated on common Internet scams:
How to Protect Your Computer
How to Protect Your Kids
IC3 Crime Prevention Tips
Recognizing Internet Fraud
Tips, Tools, and How-to’s For Safe Online Communication
If you’ve been the victim of some sort of cyber attack, the likelihood that your local law enforcement agency has jurisdiction or can provide much help is low. So what’s your recourse? Sharing this information publicly is the first step toward a solution. The less that gets reported, the more these criminals are free to continue their onslaught. Here are some resources to report crimes:
Department of Justice
The DOJ categorizes various cyber crimes and can direct you to the proper reporting agency.
Federal Trade Commission
If you feel you’ve been the victim of identity theft, the FTC has resources to report the crime.
Internet Crime Complaint Center
The IC3 was established as a partnership between the FBI and National White Collar Crime Center. You can visit their site to file a complaint if you feel you’ve been a victim of some form of cyber intrusion or e-scam.
United States Computer Emergency Readiness Team
A division of the Department of Homeland Security, US-CERT also provides publications, alerts, and tips to consumers and allows reporting of cyber crime incidents.
Anti-Phishing Working Group
The APWG publishes reports on cyber crimes, allows reporting of phishing and other cyber crimes, and provides educational resources on avoiding cyber crimes.