I was recently asked what I thought should be the most important resolution for consumers going into 2014, a resolution in the context of improving the individual consumer’s personal and financial security. Since the request was for publication in a magazine article, I gave a relatively brief answer. Because I think this particular resolution is very important for everyone, I decided to expand upon it here on my blog.
Each and every consumer who uses email and the Internet (that’s pretty much all of you) should make the following resolution this New Year’s.
I resolve to change my online behavior in order to not be a victim of an evil doer.
Yes, the people who steal money, financial data and personal data by email and websites are evil doers. They are worse, by far, than the guy holding up a 7-Eleven. That guy is lucky if he gets away with $100, and he put himself at significant risk to get that money. He did not dupe, trick or deceive anyone. He didn’t take advantage of a trusting elderly person and steal their life savings. Contrary to what movies like “Dirty Rotten Scoundrels” and “Hackers” portray, con artists are not some sort of underground hero that you should like. Indeed, online con artists (social engineers, in the language of information security) cost society horrible amounts of money. They steal people’s life savings, drain their bank accounts, max out their credit cards, compromise their financial and health data and much more.
These guys are really good and they are, mostly, safe from law enforcement. They are anonymous online and live in countries where US and Western European police forces have a difficult time getting cooperation.
What can you, the individual, do to protect yourself? There are five easy changes in your online behavior that you should make. Almost everyone I talk to about their online behavior does at least one of the things below on a regular basis, and by doing so puts themselves at serious risk. Why? Because the evil doers mentioned above KNOW that you do this, and they take advantage of these behaviors. So let’s change them and avoid the risk posed by these guys.
Don’t click on links in email sent to you.
One of the simplest ways for someone to attack you is to put a malicious link in an email. They create an email that pretends to be from Microsoft, tells you that you need to verify your email address, and provides a very convenient link in the email to do the verification. In fact, I just got one of those emails purporting to be from another large company, urging me to verify my email address and make sure to change my password.
I checked where the link in the email actually pointed (hover over a link without clicking and most mail clients and browsers show the real destination, which is often nothing like the text of the link) and, lo and behold, it was not the computer company named after a fruit. Had I gone to that website, entered my email address and “changed” my password, they would have had a good chance of compromising my email account, which is a critical first step for a nasty financial attack against me, as I point out in the next behavior change.
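The same check can be done programmatically, which is also the sort of test a junk-mail filter applies behind the scenes. The following is an added example of my own, not code from the original post or from any mail vendor: it pulls every link out of an HTML email body, compares the site the link text appears to name with the site the href really goes to, and flags anything that does not lead to the sender’s expected domain. The message and the hostnames in it (apple-id-verify.example and so on) are constructed for the illustration; the expected domain apple.com stands in for the fruit company in my story.

```python
# Added example (not from the original post): inspect where the links in an
# e-mail really go before anyone clicks them. The message and every hostname
# in it are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: reads like an account notice from Apple, but the first
# anchor's real destination is a look-alike host, not apple.com.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://apple-id-verify.example/login">
verify your account at https://appleid.apple.com</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.apple.com/support">apple.com/support</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None     # href of the anchor currently being read
        self._text = []       # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its last two labels: appleid.apple.com -> apple.com.
    Adequate for the common case; a public-suffix list is needed for co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def text_domain(text):
    """Domain of the first URL or hostname that appears in the link's visible
    text, or None if the text is plain words like 'click here'."""
    for token in text.split():
        token = token.strip(".,;:()<>\"'")
        if "." not in token:
            continue
        host = urlparse(token if "://" in token else "http://" + token).hostname
        if host and "." in host:
            return registrable_domain(host)
    return None


def check_links(html, expected_domain):
    """Return one finding per link whose real destination is suspicious:
    either the visible text names a different site than the href, or the
    href leads somewhere other than the sender's expected domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not host:
            continue  # mailto:, relative links, etc.
        real = registrable_domain(host)
        shown = text_domain(text)
        if shown and shown != real:
            findings.append(f"{href}: text shows {shown} but points to {real}")
        elif real != expected_domain:
            findings.append(f"{href}: points to {real}, not {expected_domain}")
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML, "apple.com"):
        print("SUSPICIOUS", finding)
```

Run against the sample, the first link is reported because its text advertises apple.com while the href goes to apple-id-verify.example; the support link passes because text and destination agree and both sit under apple.com. A host such as apple.com.evil.example is caught by the second rule, since its registrable domain is evil.example, which is exactly the trick that fools a quick glance at the start of a URL.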
Do not use the same password for your email and your financial accounts. Ever.
You need to make sure that your email and online financial accounts use different passwords. Why? Because if you slip up on the first resolution and give away a password, you don’t want it to be the same as your bank account password. The first thing the bad guy tries is hitting major financial institutions with your ID and password. Most of us are lazy by nature, and we use the same ID and password on all our online accounts. And our evil doer’s odds are decent that you bank at Wells Fargo, Chase, Citi, PNC or Bank of America, since as recently as 2009 over 40% of all consumer deposits were at the top 5 banks. A password manager makes it painless to use a different, random password for every account, so there is no longer a good reason to use the same one twice.
If the password you gave away is only your email password, the criminal must put more effort into his attack on you. He will have to try logging in to each of these banks and then say he forgot his password. When he does, of course, the bank sends an email to your email account asking for confirmation. Since the bad guy now controls your email account (because you gave him your password in the first step), he can confirm that he is you and change your password to one he wants. It is harder than if you used the same password for both, but it still works, which is why your email account deserves your strongest password and, where your provider offers it, a second login factor such as a code sent to your phone.
Remember that behavior by friends and acquaintances that isn’t normal is suspicious.
Emails, e-cards, etc. from acquaintances that are out of character should generate suspicion. A friend who never sends you an e-card is unlikely to have suddenly decided to start sending them. Much more likely is that your friend’s email account was compromised and is now being used to launch a social engineering attack on you.
Of course you trust your friend. Of course you want to see this funny card that your friend sent you. Of course you click on the link. And, of course, the e-card website hosts malicious software (a “virus”) and manages to install it on your computer. Depending on the goals of this bad guy, many different things can happen. Often you will never even realize it, but your computer is now part of a botnet that can be used to attack many other computers and networks. Or perhaps there is now keylogging software on your computer, secretly recording every keystroke you make. And so on.
Enable anti-spam technologies in your email client.
Your email client has technology that enables it to filter many of those social engineering email attacks, whether it is an online email client like Yahoo! or Google, or one on your computer like Apple’s Mail or Microsoft’s Outlook. Seriously. All you have to do is turn it on and it works. It looks at your email, decides what is likely malicious and then sends that email to a junk folder.
Some of the email that gets filtered in there is pure spam. You know, offers for Viagra, cheap home loans, pornography. But some of the email that is filtered is from the guy trying to get you to “reset your password”. So use the technology and make your life better. No ads for Viagra and far fewer malicious attacks get into your inbox. Do glance at the junk folder occasionally, since no filter is perfect and a legitimate message will sometimes land there.
Be aware of offers that are too good to be true.
If you receive an offer in your email that is really good, like REALLY good, delete it. If it is too good to be true, it’s a trap. If someone wants to pay you $20/hour to work from home, the work is “easy” and you have never heard of them before in your life, it’s a con artist. You will become a money mule for financial crime and not even realize what has happened. The money going through your account that you are earning $20 an hour to transfer around the world? Yep, you guessed it, it’s stolen. They are playing on your desperation, greed, etc. to get you to help them commit a crime.
Just delete that too good to be true email.