Just about everything cool these days is online. Staying safe online can be a bigger challenge than you might expect. The clever people in advertising have figured out ways to get you to click an ad, and criminals are paying attention to those lessons. Here are some tips on good online hygiene to stay safe online.
PS: This is a long article – if you’d like to watch the video version, look for it here!
What are they after?
Criminals are after your data: your identity, your passwords, and your device. Once they have one or more of these, they can get money from you, your boss, your co-workers, your friends and your family. Knowing this gives us a good basis for staying safe online: knowing what to protect and how it might be stolen.
How can they get my data?
The best way to get your information is to ask you for it. Yes, that’s right. They’re going to ask, but they’re going to ask AS someone you might trust. They pretend to be Facebook, Gmail, your bank or some other service you know and trust. They’ll send a private message, email, or text, or put a link on a trusted website. They may even pretend to be a friend who sends you a link.
First you need to know how to check a link. In most web browsers on your computer or your mobile device, you can look at a link before clicking. Using a mouse, hover over the link and you can see the address at the bottom of the window. On mobile, press and hold on the link and you should get a popup which shows the address. If it isn’t crystal clear where the link is going to take you, don’t go there. If it’s important, try opening it in a private browsing window (like Incognito or InPrivate) to minimize the risk.
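The hover check above does by eye what the following script does programmatically: it pulls every link out of a message and reports the host the link really connects to, flagging links whose visible text names one site while the address underneath goes somewhere else. This is an added example, not code from the original article; the sample message and every hostname in it (the ".example" domains) are constructed for illustration.

```python
"""Report where links really point, instead of trusting their visible text."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one honest link, one lookalike link whose visible
# text and real destination differ, and one plain-text link.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<p><a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a></p>
<p><a href="https://www.example-bank.com.account-check.example/login">https://www.example-bank.com/login</a></p>
<p><a href="https://help.example-bank.com/contact">Contact us</a></p>
"""

# Visible text that itself looks like a web address (optional scheme, dotted host).
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._text = True, dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append(("".join(self._text).strip(), self._href))
            self._in_a = False


def hostname_of(url):
    """Return the lowercase host a URL really connects to (None if it has none)."""
    parts = urlsplit(url.strip())
    if not parts.scheme:  # bare "www.site.example/..." has no scheme; assume http
        parts = urlsplit("http://" + url.strip())
    return parts.hostname


def suspicious_links(html):
    """Return (visible_text, href, real_host) for links that deserve a second look:
    the href is not a normal http(s) address, or the visible text names a
    different host than the one the link actually goes to."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        if not href:
            continue
        real_host = hostname_of(href)
        if urlsplit(href).scheme.lower() not in ("http", "https") or real_host is None:
            flagged.append((text, href, real_host))
            continue
        shown_host = hostname_of(text) if _LOOKS_LIKE_URL.fullmatch(text) else None
        if shown_host and shown_host != real_host:
            flagged.append((text, href, real_host))
    return flagged


if __name__ == "__main__":
    for text, href, host in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"looks like {text!r} but really goes to host {host!r} ({href})")
```

The part worth reading in any address is the hostname (what `hostname_of` returns), not the familiar-looking words at the start of it; a long address that begins with a name you recognise can still end on a host you do not.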
The biggest scam, and one of the oldest, is pretending to be someone you aren’t. Using a trusted identity, a criminal can ask for whatever they want and get it.
You may get a message from a boss, friend, family member or someone else you might trust, and they’ll ask you for something. The sender name might say “Mom”, but when you click on the address or hover a mouse cursor over it, you’ll see it’s not Mom’s address. Check before hitting reply, and double check before pressing “send”.
If it still seems legit but they’re asking for something uncharacteristic, call them (not using a phone number they provide) and ask them to confirm what’s being asked for.
Let me tell you that social media companies are NOT interested in stopping impostors. I’ve done social media management for over 10 years and there’s a reason that there are more impostors than ever. It’s not easy to stay safe online with social media!
Impostors add to the user counts they report to shareholders. Impostors create content. Impostors’ activities create content. There are so many impostors that social media companies are slow to respond. Impostors are very effective at scamming people because victims trust the social media company to protect them.
In fact Facebook (among some others) allows an impostor to create an identical Facebook OR Messenger account (they don’t have to be linked). They can copy a user’s photos, send invitations to friends, and send private messages suggesting they were hacked and this is the new account to follow.
When a social media user learns there’s an impostor, they’re usually told that they’ve been hacked. It’s assumed that since the impostor’s account is so similar, it must be the real account and the password must have been compromised. It can take days or weeks before the truth is known; meanwhile the impostor is busy sending private messages, links and requests for money, and learning all they can about the real individual.
It’s fairly easy to spot an impostor. Click on the profile and see if the friend count is low or the posts are unusual. If so, immediately report the profile as an impostor. Reply to the impostor’s posts letting others know they are not who they say they are. Encourage others to report the impostor right away.
A popular scam directed at small businesses and the elderly is fairly simple and yields big payouts for criminals. They go to Facebook or some other social media site and look through the information that the target shares publicly. They focus on things like relatives, work history, and other personal details. Using that information, they call claiming to be someone the target might know and then make a request.
A common approach is to find grandchildren and call the grandparent to ask for money in the grandchild’s name. In some cases the grandparent may not have heard from the grandchild in some time and may provide that financial assistance. I’m sorry to say I know a few victims of this scam and it’s heartbreaking.
Have you heard about “deep fakes”? A criminal will record a few words from a target, process it through AI software and impersonate someone’s voice. They’ve been known to get enough recording from just a voicemail greeting. More powerful tools now can even do video, and in some cases with little more than a photo.
Deep fakes are being leveraged by criminals targeting big businesses and the wealthy. However, as the tools become cheaper and easier to use, anyone can be a target for these scams.
Again, be skeptical, and ask questions. Challenge the caller with knowledge only they should know. Ask for a callback number and verify the number. Call someone who knows the potential impostor and see if you can verify the story.
There are some great tips in this article specific to phone scams: https://www.sans.org/newsletters/ouch/stop-phone-call-scams/
Protect Your Data
There are several things you can do to protect your data and stay safe online. These are essential tips to reduce the risk from the many threats I’ve described already.
Authentication to Protect Access
We use authentication to prove who we are and get access to our data both online and even at home. Typically authentication includes a user name (often an email address) and a password. The password is considered a “factor” of authentication.
Other authentication factors include receiving a text (SMS) on your cell phone, or using an authentication app, which produces a 6-digit (or longer) number on a timer. The authentication app is generally regarded as a very good form of authentication in addition to a password, and I would strongly urge people to use it when possible.
Special forms of authentication can include a biometric like a fingerprint or a retina scan. These are pretty uncommon and you might not run into them too often.
You might see the terms “multi-factor authentication” (MFA) or “two-factor authentication” (2FA), offered by the service you sign in to. Using these is highly recommended.
The password is one of a few “locks” that protect your data. It is a form of authentication, but it’s not a very effective lock if any of the following are true about a password:
- Password is re-used on another site. It’s like using the same key for your house, car, padlock, etc.: one key gets into everything.
- Password is simple. Password123 is pretty easy. That’s like having a bobby pin or a toothpick for a key. It doesn’t slow anyone down at all.
- Password is never changed. You might wonder what the harm is here; but consider that the site or service which stores your password can be compromised. Have you heard of the hacks at Twitter, Equifax, Telegram, or many other mainstream sites? This is especially dangerous if point #1 above is also true.
Using SMS (texting) authentication is an easy way to add a level of security when authenticating to a service. It is fairly common in use, but you might notice it’s falling out of fashion. The reason is that mobile phone hackers have made great strides in copying a person’s mobile identity.
They have figured out how to duplicate a SIM (which holds the unique identity of a mobile subscription) and use the copy to intercept and place calls and texts. Many people who thought they were safe receiving a text to log into email were surprised to find that the SIM in their phone had been compromised and a copy successfully registered with their carrier.
I would only recommend SMS for low-risk sites (which have unique passwords!).
The authentication app has an excellent balance between being easy to use and being secure. I can highly recommend this method to stay safe online.
The authentication app (which you install on your mobile device) generates a code which you enter to complete your login to a service. The code changes regularly, and it’s derived from a secret key that was shared between your device and the provider when you set the app up.
It is important to save a copy of that secret (and any backup codes the service gives you) when you set up the authentication app, in case your mobile device is replaced, lost or stolen. Losing those codes can make it take a long time to recover access to the different services you have secured with an authentication app.
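To make the “secret shared at setup” concrete, here is how an authentication app turns that secret into the rotating 6-digit code (the TOTP scheme from RFC 6238, built on the HOTP scheme from RFC 4226), together with the check a service performs on the code you type in. This is an added example, not code from the original article or from any particular app; the secret below is the published RFC test-vector secret (chosen so the output can be checked against the standard), not a real one.

```python
"""How an authentication app derives its codes: TOTP (RFC 6238) over HOTP (RFC 4226)."""
import base64
import hashlib
import hmac
import struct
import time

# The secret shared once at setup (what the QR code you scan contains).
# This is the RFC 6238 test-vector secret "12345678901234567890" in base32,
# used here only so the codes can be checked against the published vectors.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Base32-decode the shared secret, tolerating spaces and missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password for one counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """Time-based code: HOTP where the counter is the number of 30-second steps since the epoch."""
    now = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(now // step), digits)


def verify_totp(secret_b32, submitted, at=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step and `window` steps either side
    (to tolerate clock drift), comparing in constant time."""
    now = time.time() if at is None else at
    base = int(now // step)
    secret = decode_secret(secret_b32)
    return any(hmac.compare_digest(hotp(secret, base + d, digits), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Two devices provisioned with the same secret produce the same code, which
    # is exactly why the secret (or the backup codes) must be saved at setup.
    print("phone:", totp(EXAMPLE_SECRET_B32), " spare device:", totp(EXAMPLE_SECRET_B32))
```

Nothing but the secret and the current time goes into the code, so a second device loaded with the saved secret produces the same codes as the first; conversely, if the secret is gone, no amount of password knowledge regenerates the codes, which is why recovery without it is slow.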
The security key is typically a very small USB device you plug in which helps ensure your identity when logging in. While this is extremely secure, it’s not as commonly used as other methods. I would recommend security keys to those for whom security cannot be compromised and exposure could be catastrophic.
VPN to Protect Communication
When you connect to your email, the authentication data which goes between your device and the email server may or may not be encrypted (meaning that if someone saw the data, it would be scrambled and unreadable). This doesn’t sound like a big deal until you understand public networks (such as public WiFi).
A public network is usually an open network that everyone uses and for ease of connecting there are no passwords and little security. The network might be over an Ethernet cable or WiFi connection. Each device on the public network may be able to “see” each other. The manager of the public network may be able to intercept the data traveling between the devices and the services they’re authenticating to.
Sometimes a criminal will set up an impostor network with no security to entice people to connect. The criminal then can harvest the data people transmit.
Virtual Private Networks are a way of encrypting the communication between your device and the service you are authenticating to. Only the ends of the communication can read the data; nobody in the middle can. VPN is a great way to stay safe online.
With that said, it is always best to connect to password-protected networks for the best security, and if you aren’t at home or at work, use a VPN.
If you’d like to know which VPN to choose, please ask or join a livestream and get your question in the Q&A!
Encryption to Protect Data
I want to briefly touch on what encryption means in regards to protecting your data. When I talk about this, I’m talking about encrypting (making unreadable without the key) the data stored on your device.
Most commonly it is recommended to encrypt the data on any mobile device such as a cell phone or laptop. Some cell phones have built-in encryption by default. Most laptops do not.
Whether or not to do it really boils down to risk. Any device can be stolen; what kind of data is on it, and what is the risk if it falls into the wrong hands?
In this article I’ve discussed a great deal about how to stay safe online. It’s important to know what your data is, and why criminals are trying to get it. I also covered the methods criminals use and the ways you can protect yourself against them.
The security landscape is ever-changing and every year we’re faced with new threats. I hope you’ve gotten some basics that can stand the test of time for a while!