The holidays are here, and with them come parties, family gatherings, and work functions.
It's also the time of year when those special unwanted gifts, phishing emails, credit card fraud and identity theft, start their annual resurgence. Granted, they are present year-round, but nothing spurs their growth like an upswing in online shopping and spending.
The personal habits and hygiene that people learn at home naturally come to work with them. This is true of cyber hygiene as well. During the holiday shopping season, and on every other day of the year, your company's security posture is only as good as the habits of your staff.
To enhance corporate cyber wellness and add some security to your season of joy (indeed, all seasons), we’re revisiting the topics covered during the recently celebrated National Cybersecurity Awareness Month. This is the first of two installments designed to impart cheerful guidance for your online experiences at home and at work. In this installment, we cover Part 1 – Secure IT.
Part 1 – Secure IT
Use a Strong Passphrase
Strong passwords or passphrases are one of the easiest ways to bolster personal cybersecurity. Create a password that is unique to each of your accounts and applications. The longer a password or passphrase is, the more combinations an attacker has to try before hitting the right one.
Seriously, who can remember a long string of random characters? Make your password a passphrase instead. Keep it fun and friendly, something like this: “I love chocolate ice cream with sprinkles!”
When it comes to passphrases, it’s best to mix it up. Don’t use the same passwords or passphrases at home and in the workplace. Use favorite movie or book lines, inside jokes, stuff you don’t post online. Keep them fun, easy-to-remember and don’t reuse them. Passphrases should be just like YOU – fun and unique!
Use Multi-Factor Authentication
Even a long, strong passphrase isn't always enough. No matter how good it is, it can be exposed when a site that stores it is breached. So add a second layer to the login for your accounts.
Online banking and other financial web sites, your email accounts, file sharing web sites, online calendars and social media sites all offer (or should offer) multi-factor authentication (MFA) as a normal way to give you secure access.
You can make it significantly harder for cybercriminals to get into your online accounts by enabling MFA on every site that asks you to log in. With MFA turned on, a stolen or guessed password alone is no longer enough to get into your account.
Those Dreaded Security Questions
Some web sites still use a set of questions to either verify it’s you when you log in, or to help you recover or reset your password if you forget it. When you set up your access for the first time, you may be asked to choose and answer a set of these canned questions.
You do not have to answer truthfully: LIE! Oh boy, did a security professional just say that? Yes. Your mother’s maiden name is not that hard to find out, just ask any genealogy search site.
The key is to provide an answer in the same fashion as your passphrase, something that you will remember but will be extremely unlikely to guess. For example:
- What street did you grow up on? I own a king-size bed.
- Your mother’s maiden name? Japanese maple
- Your best friend’s name? Why should I tell you?
If you can create your own question, that’s better than using a preset selection. But for your own sake and to secure your personal info, fake it.
Let’s Go Shopping
Online shopping is fun, exciting, full of wonderful things to see, and convenient. It can also be a trap for the unwary and novice shopper.
Cyber thieves are skilled at luring shoppers who are hunting for the best deals and lowest prices onto look-alike sites. Sometimes the scam is selling fake, counterfeit, or even stolen goods. Often the goal is more nefarious: to steal the shopper's personal credentials, user ID and password, credit card or banking information, or payment for items that will never be shipped. There are ways to protect yourself from this kind of theft or fraud.
Look for warning signs, like deals that are too good to be true. When possible, purchase from websites that you already know, trust, and have done business with previously. Reviews can be a useful source of information about other shoppers' experiences, especially from “verified purchasers” as marked on the website. A little extra time reading them before making your purchase can save a possible headache later.
Verify that the website has a legitimate mailing address and a phone number for sales or support-related questions. If the site looks suspicious, call and speak to a human. If you can't get hold of anyone to talk to, that is the first big sign you are dealing with a fake website.
Be suspicious if the web site's domain in your browser's address line is even slightly different from the real one. For example, Amazon is https://www.amazon.com. If you find yourself at a web site pretending to be Amazon, such as http://store-amazoncom.com, watch out! What matters is the registered domain just before the first “/”, read from the right: “smile.amazon.com” belongs to Amazon, but “amazon.com.example.net” or “amazon-verify.info” do not, no matter how much the rest of the address looks familiar.
Before purchasing any items, make sure your connection to the web site is encrypted. Most browsers show an encrypted connection with a padlock icon and/or “https://” at the start of the address. Web sites like the one above that only use HTTP are NOT secure, so don't go there. Keep in mind, though, that the padlock only means your traffic to that site is encrypted, not that the site is legitimate; scam sites can get HTTPS certificates too, so the domain check above still applies.
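As an added example (not part of the original post), the following Python function applies the two checks just described to a URL: the scheme must be https, and any host that mentions a known brand must actually be that brand's registered domain or a subdomain of it, so that “store-amazoncom.com” and “amazon.com.evil.net” are both rejected while “smile.amazon.com” is accepted. The brand table, the sample URLs and the function names are constructed for this illustration; a real deployment would use a maintained allowlist and the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed brand table for this example: brand keyword -> registered domain it really uses.
KNOWN_BRANDS = {
    "amazon": "amazon.com",
    "paypal": "paypal.com",
}


def host_belongs_to(host: str, expected: str) -> bool:
    """True only if host IS the expected domain or a subdomain of it.

    'smile.amazon.com' -> True for 'amazon.com'
    'amazon.com.evil.net' and 'store-amazoncom.com' -> False
    (Good enough for .com-style domains; use the Public Suffix List for co.uk etc.)
    """
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_shopping_url(url: str) -> list[str]:
    """Return warning strings for a URL; an empty list means nothing suspicious was found."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # 1. Connection must be encrypted.
    if parts.scheme != "https":
        warnings.append(f"connection is not HTTPS (scheme={parts.scheme!r})")
    if not host:
        warnings.append("no hostname in URL")
        return warnings

    # 2. A brand name anywhere in the host (dots and dashes removed, so
    #    'store-amazoncom.com' still matches) must be backed by the brand's real domain.
    flat = host.lower().replace("-", "").replace(".", "")
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in flat and not host_belongs_to(host, real_domain):
            warnings.append(f"host {host!r} mentions {brand!r} but is not under {real_domain!r}")

    # 3. 'https://www.amazon.com@evil.com/' is a classic trick: the text before '@'
    #    is a username, and the real host is what follows it.
    if parts.username is not None:
        warnings.append("URL contains user@host; the real host is after the '@'")
    return warnings


if __name__ == "__main__":
    for sample in (
        "https://www.amazon.com/dp/B0",
        "http://store-amazoncom.com/",
        "https://amazon.com.evil.net/login",
        "https://www.amazon.com@evil.com/",
    ):
        print(sample, "->", check_shopping_url(sample) or "looks ok")
```

The host check deliberately flattens dots and dashes before looking for the brand keyword, because scammers rely on the eye gliding over “amazoncom” or “amazon-verify”; the decisive test is always the suffix match against the real registered domain.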
Speaking of Buying, Use a Credit or Payment/Gift Card
When you are ready to make the purchase, using a debit card is very risky because it connects directly to your bank account. Using an electronic check is riskier still, because you are handing over your actual account number and routing information.
Using a credit card gives you more flexibility in the event of fraud or theft. A good method of protection is to ask the card provider to notify you of every purchase (usually by phone or email), or of any purchase over a set amount. You can do this with debit cards too, but they are still connected to your bank account. If fraud is suspected or a theft happens, it's a lot easier to replace a credit card than a bank account, and far less disruptive to your other payment activities like direct billing or direct deposit. If you find fraud or theft, contact your bank or card provider immediately. If you've experienced identity theft, contact law enforcement for help.
Finally, consider purchasing a gift card for yourself to use as your online payment option. Gift cards are easy to purchase, can sometimes be refilled, and are easily disposed of when spent. A gift card caps your loss at its balance, but keep in mind that it generally does not carry the dispute rights that a credit card does.
Regardless of how you pay, regularly review your credit card and bank statements for suspicious charges, especially after you make many online purchases or use a new site. Confirm purchases with anyone who shares the card or is a joint account owner.
It's easy, especially for the less experienced, to be fooled by the fake emails known as phish.
Cybercriminals cast wide nets with phishing tactics, hoping to drag in victims. They may offer a financial reward, threaten you if you don’t respond or engage, claim that someone needs your help, or ask for confirmation of your order or payment info. They may provide a link, an attachment to download, a fake invoice or receipt, ask you to reply to the email with specific personal info, or even ask you to call a phone number to provide that information.
Play hard to get: If you’re unsure who an email is from – even if the details appear accurate – do not respond, and do not click on any links or attachments.
- Check the FROM address. Be wary of supposedly reputable companies sending from Gmail or another free webmail service, or from an unexpected foreign domain. Look for generic names, names with runs of random characters, and display names that don't match the sending email address.
- Look out for mismatched URLs. Hovering your mouse over a link (or pressing and holding it on a phone) shows the real destination; compare it with the address shown. If the link doesn't match the sender's domain, has random numbers or letters in its domain, or is a shortened link such as “bit.ly”, be very suspicious.
- Using a search engine, look up the phone number separately for the company or person “sending” you the email and call to verify or report it.
- Keep your antivirus software up to date.
Do NOT:
- Click on any links or attachments unless you have separately verified that they come from a trusted source, especially if they are unexpected.
- Click on or call phone numbers listed in a suspicious email, or ones included in pop-up ads.
- Give out personal or private information through email. Don't give it out over the phone either, unless you placed the call and have verified who is on the other end.
- Forward a phishing email to other people, except to report it. Don't reply to phishing emails or click the unsubscribe link (if there is one).
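To show what the FROM-address and mismatched-URL checks above look like when done mechanically, here is an added Python example that is not part of the original post. It parses a raw message with the standard library, then flags a company display name on a free webmail domain, a run of digits in the sender's local part, links through a URL shortener, links whose visible text names a different host than their real target, and links to a domain that does not belong to the sender. The two sample messages, the shortener and webmail lists, and the finding codes are all constructed for this illustration.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample messages for this example; senders, domains and URLs are made up.
PHISH_EML = b"""\
From: "Amazon Customer Service" <orders-confirm8812@gmail.com>
To: you@example.com
Subject: Confirm your order #4471-9920
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your order could not be processed. Confirm your payment details within 24 hours.</p>
<p><a href="http://bit.ly/3xAmzN">https://www.amazon.com/your-orders</a></p>
<p><a href="https://amazon-verify-center.info/login">Sign in to Amazon</a></p>
</body></html>
"""

CLEAN_EML = b"""\
From: "Example Shop" <orders@example.com>
To: you@example.com
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thanks for your order.</p>
<p><a href="https://www.example.com/orders/1234">View your order</a></p>
</body></html>
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}       # constructed, not exhaustive
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}   # constructed, not exhaustive
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if none); bare 'www.x.com/...' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it (suffix match, not substring)."""
    return host == domain or host.endswith("." + domain)


def analyze_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs; an empty list means no red flags were found."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # --- FROM address checks ---------------------------------------------------
    display_name, addr = parseaddr(str(msg["From"]))
    local, _, sender_domain = addr.lower().rpartition("@")
    if display_name and sender_domain in FREEMAIL:
        findings.append(("freemail-sender", f"{display_name!r} sends from {sender_domain}"))
    if re.search(r"\d{3,}", local):
        findings.append(("random-digits", f"sender local part {local!r} contains a run of digits"))

    # --- link checks ----------------------------------------------------------
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        link_host = host_of(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()   # visible anchor text without tags
        if link_host in SHORTENERS:
            findings.append(("shortened-link", href))
        looks_like_url = "://" in shown or shown.lower().startswith("www.")
        if looks_like_url and host_of(shown) != link_host:
            findings.append(("mismatched-link", f"shows {shown!r} but goes to {href!r}"))
        # Legitimate mail can link to CDNs or tracking domains, so treat this one as
        # a weaker signal than the others.
        if link_host and not same_org(link_host, sender_domain):
            findings.append(("link-domain-differs", f"{link_host} vs sender {sender_domain}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(label, "->", analyze_message(sample) or "no findings")
```

The regex-based link extraction is fine for a demonstration; for real mail you would feed the HTML through a proper parser, since attackers split and obfuscate tags precisely to dodge simple patterns.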
Additional things to look for: It’s most likely a phish if…
- You haven’t bought anything from a web site that is emailing you about your purchase;
- Poor grammar and spelling are used in the message;
- There is a request for personal information, or worse, asking for money, especially with urgency;
- An offer that appears too good to be true (it probably is);
- Unrealistic or unlikely threats. The IRS, FBI or other law enforcement are not going to contact you by email.
As the adage says: If it looks like a duck, walks like a duck, quacks like a duck, it’s probably a phish – well… you know. If the content just doesn’t look right – trust your gut.
Happy Holidays from Micro Strategies and the MSI security team! Look for the second installment of this series next week where we cover Part 2 – Own IT and Part 3 – Protect IT.
In today's digital landscape, no one's data is safe. Cybersecurity awareness can't be overlooked by organizations; it's essential for every employee. Teaching your employees how to recognize cyber threats can turn them into one of your best defenses against cyber-attacks.
Interested in learning how Micro Strategies can help? Contact us today.