Nothing is 100% safe—and the sooner you understand that when it comes to all things on the Internet, the safer you’ll be. In Cybersecurity 101, we discussed the 3 ½ things you must do for personal cybersecurity: using a password manager, protecting your email, monitoring your accounts and auto-updating devices. Review the Cybersecurity 101 education module here.
However, vigilant cybersecurity doesn't end there. There are several things you should avoid, limit your exposure to, or at least be aware of in order to protect your computer and networks, whether you're at home or at work.
We’ve structured this program into four parts:
- Video Overview
- Definitions
- Written Content
- Additional Resources
While we suggest going through each piece, if you are pressed for time, we recommend watching the video and completing the checklist.
Bottom Line: While there are bad things and bad people on the Internet, by following these two sets of guidelines you can use the Internet in (relative) safety. Don't let the FUD factor (Fear, Uncertainty, and Doubt) keep you from using and enjoying the world of technology.
Definitions
Phishing: the fraudulent practice of sending emails that claim to be from someone you know or from a reputable company, in order to get you to click a link that leads to a website asking you to reveal personal information, such as passwords and credit card numbers.
Smishing: phishing carried out by text (SMS) message. The message uses the same social-engineering tricks to get you to tap a link and hand over private information.
Vishing: the telephone equivalent of phishing: using voice calls to pressure you into surrendering money or private information that is then used for identity theft.
Read: Detailed Information
- Be Wary of all Links
The primary way the average person gets into trouble on the Internet is by clicking on links within emails. Industry breach reports consistently rank phishing among the most common ways an attack begins, and some of the most devastating Internet attacks started with nothing more than a simple email containing a link that someone clicked. When you click a link it may appear that nothing happened, or it may open a seemingly harmless page. What you cannot see is what that page is built to do: it may be a look-alike login form that captures the password you type, it may try to exploit an out-of-date browser or plug-in, or it may start a download you did not ask for.
The best advice is to be selective in your clicking. Links are common on web pages, in emails and even in text messages. They are a convenience, not a necessity: you click and you are taken exactly where you want to go, which is easier than typing the address yourself. However, you cannot trust every link you come across. That is not to say you should never trust links. You just need to know who sent you the link and where it really goes.
Most every major website pulls in advertising and a lot of the time that advertising is specific to you. If you searched for motorcycle boots on one shoe website, chances are next time you’re on Google, MSN or Yahoo, you’ll see an ad for those same boots. However, you may also see ads for other things related to those boots—perhaps a matching leather jacket or maybe an ad for low-cost motorcycle insurance. These “related” ads have identified you as someone who would be interested in their products or services based on something you’ve confirmed you are interested in. Before you go clicking on these ads, take a moment and really think about why you are seeing them and where they may take you on the Internet.
The link for the leather motorcycle jacket may take you to the same website as the boots you were looking at, but the link for the cheap motorcycle insurance may take you somewhere else. Then the site may ask you to enter your address to help find you a quote; maybe even your household income. Stop and realize that is a lot of personal information you are potentially giving up without ever researching this company. While many legitimate sites operate this way, there are also plenty that are less than ethical. At best, some will sell that information at the first chance they get; at worst, the whole site is a scam built to get you to enter detailed financial information. Unless you typed in the insurance company's address yourself and are applying online for low-cost insurance, think twice about readily giving up personal information. If the ad sounds like something you want to check out, make sure your security software is up to date and includes a web filter that checks a site's reputation before the page loads. We recommend Webroot. Your best bet is to type in the URL of the company named in the ad and visit the site directly, bypassing the link shortcut.
If you're going to click on links, look closely at the link. If it starts with https://, the S means the connection between your browser and that site is encrypted, so someone on the same network cannot read the information you send. It does not mean the site itself is trustworthy: anyone, including a phisher, can obtain a certificate for a domain they control, so a padlock on a look-alike site means nothing. If a website's security certificate does not match its domain name or is invalid, your browser will warn you that your connection is not private. Do not click through that warning, visit that site or send any information to it.
Links in emails need the same scrutiny. Just because an email says it is from your mom, your boss or your bank doesn't mean it actually is. Putting a false name and address in the From line of an email is one of the easiest things to do online. The use of fraudulent emails to induce you to reveal personal information and/or click on links, also known as phishing, is the primary way crooks exploit the average user.
If you are not expecting a link from your boss, don't click on it! If your bank emails to tell you "there is a problem with your account... click here to verify," don't click on it! Assume all links are dangerous until proven otherwise. Call your mom or your boss to verify they sent you an email with a link. If you use a password manager, use it to log into your bank's real site and see whether there is indeed a problem. You can also paste the link into a third-party checker such as BrightCloud or VirusTotal. If you insist on using the link, first hover your mouse over it (on a phone, press and hold it): the cursor changes to a hand and the real destination appears in the status bar at the bottom of the browser window. "https://www.secure.firstbank.com" is a different site from "https://www.secure.com/firstbank."
Both use https://, so both connections are encrypted, and that tells you nothing about which one is the real bank. The part to read is the name immediately before the final extension (.com, .org and so on), ignoring everything in front of it and everything after the first slash. The first link belongs to firstbank.com; the second belongs to secure.com, which has nothing to do with your bank.
Finally, avoid shortened URLs like "bit.ly/24Xp3" or "tinyurl.com/xYp33r." These are common on social media and in text messages. A URL shortener works by redirecting you from the short link to the destination URL, so hovering shows you only the shortener's address, not where you will end up. Link checkers such as BrightCloud or VirusTotal can often follow the redirect chain and report the final destination, but whoever created the short link can change where it points at any time, so a clean result today says nothing about tomorrow.
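The two habits described above, reading the name just before the final extension and expanding a shortened link before you trust it, can be done by a short script. The following is an added example, not code from the original article or from any of the products it recommends. The hostnames short.example and track.example and the FAKE_REDIRECTS table are constructed for the demonstration; only http_fetch() touches the network, and it sends HEAD requests one hop at a time so the final page is never actually loaded.

```python
"""Added example: see where a link really goes before you click it.

registrable_domain() reads the name before the final extension, the way
the text above tells you to, and also defeats the "user@host" trick.
expand() follows a shortener's redirects hop by hop without loading the
destination page. The short.example / track.example addresses and the
FAKE_REDIRECTS table are constructed for this example.
"""
from urllib.parse import urlsplit, urljoin
import urllib.error
import urllib.request

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


def registrable_domain(url):
    """'https://www.secure.firstbank.com/login' -> 'firstbank.com'.

    urlsplit().hostname ignores anything before an '@', so
    'https://www.firstbank.com@evil.example/' yields 'evil.example'.
    The last-two-labels rule is fine for .com-style names; country-code
    suffixes such as .co.uk would need a public-suffix list instead.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return host if len(labels) < 2 else ".".join(labels[-2:])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first redirect so every hop is recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """One HEAD request; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # A 3xx we refused to follow surfaces here, Location header intact.
        return err.code, err.headers.get("Location")


def expand(url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Follow redirects hop by hop and return every URL in the chain."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError("too many redirects; treat the link as hostile")


def assess_link(url, expected_domain, fetch=http_fetch):
    """Expand the link and report whether it really lands on expected_domain."""
    chain = expand(url, fetch)
    domain = registrable_domain(chain[-1])
    return {
        "chain": chain,
        "final_url": chain[-1],
        "domain": domain,
        "matches": domain == expected_domain.lower(),
    }


# Constructed redirect table standing in for a shortener and an ad tracker.
FAKE_REDIRECTS = {
    "https://short.example/24Xp3": "https://track.example/r?id=9",
    "https://track.example/r?id=9": "https://www.secure.com/firstbank",
}


def fake_fetch(url):
    """Offline stand-in for http_fetch(), driven by FAKE_REDIRECTS."""
    nxt = FAKE_REDIRECTS.get(url)
    return (302, nxt) if nxt else (200, None)


if __name__ == "__main__":
    for link in ("https://www.secure.firstbank.com/login",
                 "https://www.firstbank.com@evil.example/login",
                 "https://short.example/24Xp3"):
        result = assess_link(link, "firstbank.com", fake_fetch)
        print(f"{link}\n  -> {result['final_url']}  domain={result['domain']}"
              f"  real bank? {result['matches']}")
```

Pass a real URL and leave out the fetch argument to check a link you actually received; the hop cap turns a redirect loop into an error rather than an endless wait, and the script never issues a GET, so nothing from the destination page is downloaded or run.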
- Avoid Downloading Files
Again, just because your mom, boss or bank sent you a file doesn't mean the file is safe. Files ending in .exe, .msi, .bat or .scr on Windows, and .app or .pkg on a Mac, are programs: open one and the computer runs whatever it contains. Your anti-virus, internet protection or spam-filtering software should flag these as high risk, but some still make it through to your email, and a download from a website passes through far fewer filters. For example, you receive an email from your Uncle Lou that simply directs you to download a file from Dropbox. You may well have an Uncle Lou, and Dropbox is a site you recognize. However, if you are not expecting shared files, be safe and skip the download. If it is important, Uncle Lou will call to ask whether you received the files.
Furthermore, many common file formats like .doc, .zip or .pdf can carry malicious code: a macro in a Word document, a script inside a PDF, or an executable hidden inside a ZIP archive. Opening one can install programs that log your keystrokes, encrypt your files for ransom, or hijack your email to send copies of itself to your contacts. If you are not expecting an attachment, call whoever sent it to verify they actually sent it. Unless you are installing software directly from the maker's own website or an official app store, never download executable files from the Internet.
To make matters even more complicated, the shortened URLs, which you cannot discern where they will take you, may automatically download an executable file from the Internet. And if the shortened URL comes from a spoofed email address claiming to be your mom, you have a prime opportunity for disaster.
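The advice above judges a file by its extension, and two common tricks make the extension alone unreliable: a second extension tacked on ("invoice.pdf.exe", which Windows displays as "invoice.pdf" when known extensions are hidden), and a program simply renamed to look like a document. The following is an added example, not code from the original article, that reads a file's first bytes (its "magic number") and compares them with the name. The extension and magic-number tables are assumptions chosen for the demonstration, and every sample file is a constructed byte string, not a real attachment.

```python
"""Added example: judge an attachment by what it is, not what it is called.

The extension lists, the magic-number table and all sample files are
constructed for this example.
"""

# Extensions Windows or macOS will run as a program when double-clicked.
EXECUTABLE_EXTS = {"exe", "msi", "bat", "cmd", "scr", "ps1", "vbs",
                   "js", "jar", "app", "pkg", "sh"}

# Document and archive types that can carry macros, scripts or nested files.
ACTIVE_DOC_EXTS = {"doc", "docm", "xls", "xlsm", "ppt", "pptm", "rtf",
                   "pdf", "zip", "7z", "rar", "iso", "html", "htm"}

# Leading bytes of common formats.
MAGIC = [
    (b"MZ", "windows-program"),
    (b"\x7fELF", "unix-program"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),       # .zip, .docx, .xlsx, .jar
    (b"\xd0\xcf\x11\xe0", "ole-document"),  # legacy .doc / .xls
    (b"Rar!\x1a\x07", "rar"),
]

# What the first bytes should look like for a given extension.
EXPECTED_KIND = {
    "exe": {"windows-program"}, "scr": {"windows-program"},
    "pdf": {"pdf"}, "zip": {"zip-container"}, "jar": {"zip-container"},
    "docx": {"zip-container"}, "xlsx": {"zip-container"},
    "doc": {"ole-document"}, "xls": {"ole-document"}, "rar": {"rar"},
}


def sniff(data):
    """Identify a file from its leading bytes; 'unknown' if not in MAGIC."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename, data):
    """Return (verdict, reasons); verdict is 'block', 'caution' or 'ok'."""
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    kind = sniff(data)
    expected = EXPECTED_KIND.get(last)
    reasons = []

    if last in EXECUTABLE_EXTS:
        reasons.append(f".{last} is a program, not a document")
        if len(exts) >= 2 and exts[-2] not in EXECUTABLE_EXTS:
            reasons.append(f"double extension: made to look like a .{exts[-2]} file")
    if kind in ("windows-program", "unix-program") and last not in EXECUTABLE_EXTS:
        reasons.append(f"contents are a program but the name says .{last}")
    elif expected and kind != "unknown" and kind not in expected:
        reasons.append(f"contents are {kind}, not what a .{last} file holds")

    if reasons:
        return "block", reasons
    if last in ACTIVE_DOC_EXTS:
        return "caution", [f".{last} files can carry hidden code; open only if expected"]
    return "ok", []


# Constructed samples: realistic headers followed by filler bytes.
SAMPLES = [
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00" + b"\x00" * 16),
    ("report.pdf", b"MZ\x90\x00\x03\x00" + b"\x00" * 16),
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.docx", b"PK\x03\x04\x14\x00" + b"\x00" * 16),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict, reasons = assess_attachment(name, data)
        print(f"{name:18} {verdict:8} {'; '.join(reasons)}")
```

Read the file with `open(path, "rb").read(64)`; the first few dozen bytes are enough for every check here. The "caution" verdict is deliberate: a genuine PDF or Word file is not proof of safety, only the absence of the two disguises the script can detect, so the rule in the text still applies: if you were not expecting it, call the sender.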
Make sure your operating system, browsers and plug-ins are up to date. Software vendors release patches to close security vulnerabilities that are actively being exploited. Browser plug-ins like Flash and Java were retired years ago and no modern browser runs them; if either is still installed on your computer, uninstall it, and set your browser to ask before running any plug-in it still supports. This prevents a malicious ad on a reputable website from running code the moment the page loads. Finally, log out and close your browser once you are finished with a sensitive website, like your bank or email.
- Say no to Public Wi-Fi
Using public Wi-Fi is the high-tech equivalent of having unprotected sex. You do not know who has been there, what kind of protection they've used (if any), and while it may look clean, it may not be. Sure, it's very easy and convenient to go to Starbucks and use the free Wi-Fi to check your email. It's tempting to stay and work on your computer when there is the lure of a scone and a latte a few feet from your table. This is why crooks scope out these places. They know the convenience and comfortable atmosphere will draw people in. You don't know who is sitting next to you watching what you are doing on a public Wi-Fi network.
Disable the "auto-connect" option on your tablets, laptops and phones, and make sure they are set to "Ask to Join" networks. Especially when traveling, disable Wi-Fi and Bluetooth on your devices and use your cellular connection instead. Many cellular plans offer unlimited data, which lets you turn your phone into a Wi-Fi hotspot for your other devices.
If you must use public Wi-Fi, use a virtual private network (VPN). A VPN creates an encrypted tunnel between your device and the VPN provider's server: your data is encrypted before the Starbucks Wi-Fi, or anyone else on it, can see it, travels through the tunnel to the VPN server, and only then goes on to whatever website you are visiting. The websites you visit see your traffic coming from the VPN server and its location, not from your computer and your location. Keep in mind that this moves your trust from the coffee shop's network to the VPN provider, so choose one you trust. We recommend Nord VPN.
Furthermore, when traveling, avoid using computer kiosks or shared computers in business centers. Libraries, hotels, convention centers and airports offer these stations as a convenience for a business emergency, but the reality is you don't know who was there before you or what they installed. Even the Wi-Fi at a five-star hotel is risky because you're sharing that network with every other guest in the hotel, so when we compare public Wi-Fi to unprotected sex, we're not that far off!
Questions?
If you have questions, please email them to cybersecurity@hensslerfinancial.com
Additional Resources
Recommended Products
Password Manager: LastPass
VPN for Travel or Remote Access: NordVPN
Security/Anti-Virus Software: Webroot
Caller ID/Phone Security App: Hiya
Cybersecurity 101 Education Module