This week is International Fraud Awareness Week, and there's no better time to brush up on your skills to make sure you don't fall for online trickery designed to fleece you or convince you to give up sensitive personal information. Here are some tips to stay safe.
Learn to Identify Phishing And Spear Phishing Attempts
Phishing attacks cast a wide net with generic offers and promises in the hope of luring you into providing personal information before you realise there's a problem. Spear phishing uses targeted attacks to try to get additional information from individuals who may be at risk because their account at another organisation has been hacked, their employer suffered a data breach, or some other information is already available about them. In both cases, the most beneficial skill you can learn is a healthy sense of internet scepticism.
As always, when companies or businesses present you with forms to fill out, give out the minimum amount of information required and nothing more, and never give out information -- even if the requester is legit -- unless you understand why they need the information and what they'll do with it. Any reputable organisation will be able to answer your questions. Trust your instincts, and remember that if it sounds too good to be true, it probably is.
Beware Suspicious Emails And Attachments
It should be common knowledge at this stage, but you should never open attachments from untrusted sources, and even if you get one from a trusted source, you should pay attention to the file extension of the attachment before downloading and opening it. If you get an official-looking email from your bank, credit union, or another company you do business with telling you to log in and review your account, be careful. Even if it's legit (and the chances are high that it's not), it's always safer to visit the business' web site by typing in the URL instead of clicking the link in the email.
Most companies will never email you to say you need to "verify your account information" and beg you to click a link in the message. If your email client supports it, you can hover your mouse over the link in the suspicious email to see where it really leads. Odds are it's not actually your bank's website. Don't click; visit your bank's web site manually or call them instead. Remember that email addresses can be very easily spoofed, so even a note that appears to come from a name or business you trust could be forged, and the URL could lead you to an unexpected location.
Keep Your Anti-Malware Software Up-To-Date
Even though viruses and trojans don't make headlines as often as they used to, that doesn't mean you can get away without some anti-malware software installed on your system. Once installed, it's equally important to keep it up to date. Out-of-date antivirus and anti-malware suites are effectively useless. Besides, with options like Microsoft Security Essentials for Windows and ClamXAV for Mac out there that are free, light on system resources, and both scan and update in the background without your help, there's no reason not to have something installed. If your school, office, or ISP offers an anti-malware package to you for free, make use of it.
Use HTTPS Everywhere (Or At Least Everywhere You Can)
While it's not foolproof, connecting to as many of your favourite sites as possible over SSL is the best way to make sure you're actually talking to the site you think you're talking to, and that your communications with that site are encrypted. You can use the previously mentioned HTTPS Everywhere extension for Firefox to force hundreds of sites to HTTPS, enable HTTPS on Facebook, and do the same at Twitter. Look for the lock or the green box next to the URL in your browser's address bar to make sure the version of the site you're on is secure. If it's not, try the site address with https:// in front of it to see if it works.
Use Strong, Secure Passwords And Different Ones On Different Sites
Good password management is a topic we've covered several times, but if you're still using the same password on multiple sites or you're still using a dictionary word or your dog's name as your password, there's no time like now to make the change to a strong password that uses letters, numbers, caps, and special characters if possible. Still, even a good strong password is worthless if you use it on multiple sites and one of them is compromised. Use a service like KeePass, LastPass or another similar password manager to create, keep and manage multiple strong passwords for all of the sites and services you use on the internet.
Be Sceptical, Be Informed And Be Careful
That sense of internet scepticism we mentioned earlier will serve you well in many regards. It may be more inconvenient to pick up the phone and call a business that just emailed you asking for your credit card number to process a payment than it is to just reply and email it to them, but speaking as someone who used to work in corporate IT, we paid close attention when our network monitors noticed outbound emails with credit card numbers in them. Don't do it -- if we could see it, others can as well. When someone asks you for something that just doesn't seem right, set it aside until you can clear up why they need the information.
If you get a message promising something -- anything from a multi-million dollar cut from a foreign prince's international investments to a discount code to your favourite online retailer just for filling out a survey -- learn to second-guess the offers and promotions you see on the internet and double-check their sources. Often a quick Google search for the sender or the general gist of the message with the word "scam" at the end will reveal what's really going on.
Do you have tips for avoiding fraud and identity theft online that we missed? How do you protect yourself on the web without completely disrupting your normal activities? Share your tips in the comments below.