How-to: Secure the Weakest Link behind the Keyboard – Part II

Image: chain link 2 by unknown

Now for the seriously weak link – you. We busy little bees rush in, skim-read, ignore warnings, know better than everyone else, are highly suggestible, insatiably curious and when on-line, generally risk-blind.

And that’s on a good day. The rest of the time we go skipping through the online minefield with gay abandon and the kind of blasé wilfulness that would get us killed crossing the street.

Then we whine a lot when we fall victim to the latest social engineering scam.

Always Check Email Attachments Before Opening Them
First, whether or not you asked for it, recognise it, or want it, decide: ‘do I need to open this?’ Opening attachments is not mandatory.

Second, check ALL email attachments for viruses. Your email client may do this for you. Your anti-virus software may have a plugin to do this automatically. If not (say you’re on web-mail) save attachments to your hard disk first, then, in Windows Explorer, right-click the file and select Scan With [your anti-virus software] before you open it. It will either come up clean or be quarantined as a threat. You can then go back to the sender (if it’s someone you know), check that they intended to send this, and warn them they have a possible infection.

If the carrier email came from some unknown sender it is probably part of a phishing attack. Blacklist and block that sender and move on.

We all know what spam is? Yes? We mentioned phishing last time. Phishing emails claim to be from a real retail, insurance, bank or credit card company asking for personal details of policies and accounts, often directing you to log in to a website. No legitimate company operates this way. I’ve seen some very convincing Barclaycard and PayPal fakes. Examine the addresses and look at the string of sub-domains surrounding the company name; you’ll spot that the site doesn’t belong to that institution at all. Fake.
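The address check described above can be done mechanically. The sketch below is an added example, not part of the original post: it reads a web address from right to left to find the domain that really owns the site. The official-domain sets, the short suffix list and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# constructed samples below. A real check should use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(url):
    """Return the domain that actually owns the host named in `url`."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host
    # Ownership is decided at the right-hand end of the host name. Keep three
    # labels when the last two form a known multi-label suffix such as co.uk.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify_link(url, brand, official_domains):
    """Label a link 'official', 'lookalike' or 'unrelated'.

    'lookalike' means the brand name appears in the address but the
    owning domain is not one listed in `official_domains`.
    """
    if registrable_domain(url) in official_domains:
        return "official"
    if brand.lower() in url.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample links; example.net and example.org are reserved names.
SAMPLES = [
    ("paypal", {"paypal.com"}, "https://www.paypal.com/signin"),
    ("paypal", {"paypal.com"}, "http://paypal.com.secure-login.example.net/signin"),
    ("barclaycard", {"barclaycard.co.uk"}, "https://www.barclaycard.co.uk/personal"),
    ("barclaycard", {"barclaycard.co.uk"}, "http://barclaycard.co.uk.update.example.org/login"),
]

if __name__ == "__main__":
    for brand, official, link in SAMPLES:
        verdict = classify_link(link, brand, official)
        print(f"{verdict:10} owner={registrable_domain(link):20} {link}")
```

Everything to the left of the owning domain is a sub-domain its owner can name freely, which is why the company name in front proves nothing.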

Never click on attachments and links unless you know them to be safe. I know, we all get links sent to us all the time and, curious beings that we are, we follow where we are led. Most of the time this is fine, until you get hit with lots of ‘download now’ buttons screaming in your face. Even ‘reputable’ (full debate later) websites, such as YouTube, get viruses posted disguised as video codecs and other attachments. The rule is: if in doubt, don’t touch it.

When banking or shopping on-line, look for the padlock icon in-browser which tells you the site uses HTTPS (you will see this in the web address), which is an encrypted data connection using a valid security certificate. The padlock may be in different colours and in different positions on the screen depending on the browser you are using. You will also get warning messages if the HTTPS and certificate cannot be verified.

Only give private personal information when absolutely necessary. Banking and shopping demand identification to complete transactions for sure. But many other websites seem to want personal details for no valid reason. Most of it is for spamming – sorry, marketing purposes. Some of it will be for repeat-charging your credit card. At worst it may be for outright identity theft. Consider carefully which details you are giving away and if necessary, abort your visit to the site, or at least, be as sneaky as they are and give some reasonable-looking but invalid information that will prevent actual abuse.

Dispose of old devices carefully. When your devices come to the end of their life with you, be sure to erase anything that could be used to identify you or commit identity theft using your details. This includes hand-me-downs to children with a habit of buying in-app goodies on Candy Crush. This goes for PCs, tablets, smart-phones; these are all computers with storage that we use to shop, bank, pay our taxes and stay social. Clear them down before you discard, pass on, or recycle them.

The best thing to do is download a utility that will erase the storage by overwriting the contents several times, so as to prevent data reconstruction. If you can, remove the storage – hard drive, SSD, SD card – and dispose of it separately from the device.

In Part III we’ll look at some types of social engineering, which is where security can be seriously compromised by the weak link behind the keyboard. AJS

Related: How-to: Secure the Weakest Link behind the Keyboard – Part I
