Practical Cyber-Safety Tips

M. E. Kabay, PhD, CISSP-ISSMP

Professor of Computer Information Systems

School of Business & Management, Norwich University

I.                  Reducing the Risk of Identity Theft

A.   NEVER use a debit card for anything other than withdrawing money from an ATM. If crooks compromise your debit card number and PIN, they can withdraw money by wire from your bank account – and you are likely to be entirely responsible for the charges (no coverage from the bank).[1]

B.   If you want to use your credit card for buying stuff on the Internet, establish a PayPal account. You register your card there but PayPal never reveals your card number to the merchants.[2]

C.   ALWAYS sign up for immediate notification of all charges on your credit-card account. Find out if this service is available, and then have the notifications sent to your e-mail if you use that a lot or to your e-mail and your phone via SMS (text messaging) if you tend to prefer being notified by smartphone.[3] Check every charge immediately and call the security office at your card provider if you do not recognize the charge – like for example if it is a $700 invoice for escort services in Bangkok....

D.  If you use online banking and credit-card maintenance, see if there is an additional security feature available such as requesting a security authorization code to be sent to your phone by SMS before you (or a thief) can log into your account.[4]

E.   Check your credit-card and bank statements the day they arrive by mail or you can access them on your card’s Website. Investigate anything you do not recognize.[5]

F.   Identity thieves can use your name to establish loans – and then you are responsible for repaying them! Contact your bank to ask about preventing any unauthorized loan application in your name so that you are notified immediately to see if you authorize the loan.[6]

G.  Look carefully at your ATM before putting your card into it. If there is a new piece of equipment that projects out of the surface of the device where you are supposed to put your card in, call the security office on the nearby phone – it may be a pirate card-reader that records or broadcasts your card information to criminals.[7]

H.  If your credit card includes a choice for using RFID (radio-frequency identification), DON’T SIGN UP for RFID.

I.     If you do use RFID-equipped cards, look into protective sheathing that will obstruct access to the information when you are not using the card. Unfortunately, though, the moment you take the card out of the sheath to use it, you will be vulnerable to RFID-snarfing by nearby criminals.

J.     If you accept a credit-card-sized passport with RFID features, be careful to keep it in the foil-sheath to prevent the information from being collected by criminals overseas. Prevent yourself from being identified as a citizen of the US or Canada by surreptitious access to your passport information when overseas.

K.  ALWAYS stand as close as you can to the keyboard of the ATM (automatic teller machine) you are using; do not let anyone “shoulder-surf” your PIN (personal identification number) from behind you. If someone gets within a couple of feet of you when you are entering codes into such a keyboard, either stop or, if you can swing it, tell the person politely to back away (you can say that close contact makes you nervous).

 

II.              Respond Immediately to Identity Theft

A.   Be aware of the warning signs that you may be subject to identity theft < https://www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft#Clues >.[8]

B.   If you receive information that your personally identifiable information (PII) has been compromised (e.g., by an online site such as AMAZON or by a company, non-profit, or government agency you have done business with), immediately take appropriate steps to prevent exploitation of your PII.

C.   Use the instructions from the Federal Trade Commission’s Website to respond to specific types of compromise
< https://www.identitytheft.gov/Info-Lost-or-Stolen >.[9]

III.           Protect Your System Against Disaster

A.   BACK UP your system regularly.[10] Copy all of your valuable files onto an EXTERNAL DISK DRIVE.

B.   For important systems you care a lot about, daily “incremental” backups that store everything you have changed since the last incremental backup can be stored on your external drive.

C.   DISCONNECT the external disk drive as soon as your backup is complete.

D.  Store that backup device in a fire-proof safe if you have one or at least in a different room of your home or office. Lock it up if possible.

E.   If you are using WINDOWS 7, 8, or 10, your system already has local backup available. You can use the Control Panel | Backup and Restore function to create a complete system backup – once a month is good.[11]

F.   If you are using Apple systems, consider the iCloud function for automatic backup to external servers.[12]

G.  A general and highly popular cloud-backup system is Carbonite.[13] It costs about $5 a month for unlimited storage.

IV.            Prevent Malware from Ruining Your System

A.   ALWAYS run up-to-date, reputable antimalware (used to be called “antivirus”) software. Highly recommended products from vendors such as AVAST, BitDefender, McAfee, Norton, Sophos, and others frequently reviewed in security publications update themselves frequently (sometimes several times a day) and silently to keep you protected against new threats.[14]

B.   NEVER click on a popup that appears in your browser (e.g., Internet Explorer, Chrome, Opera, Firefox and so on) screen claiming that you have a virus or worm and that clicking will clean your system.[15] This kind of fraud is known as “scareware.” Absolutely no legitimate company will EVER do such a thing – these popups are actually going to either (a) fake a terrifying FALSE report about hundreds of viruses on your system and ask you to pay LOTS of money to criminals or (b) install actual malware, including the dreaded ransomware.

C.   Ransomware can strike anyone who is careless, but if you have proper backups you can ask a technician to wipe your system and restore all your files from your backups. You will be unable to replace whatever was encrypted by the ransomware after your last backup.[16]

D.  NEVER click on an attachment (which may look like a file that is a DOCX, DOC, PDF, JPG, PNG, ZIP and so on) to an email that you are not expecting, even if it seems to be from someone you know. If it’s unexpected and especially if the message doesn’t instantly prove to you that it comes from your known contact (e.g., the message is completely generic, such as “You might like this,” then contact the person you know using their own email address or phone number – don’t just REPLY to what may be a fake email with harmful software in the attachment.

E.   ALWAYS show file extensions on your system (e.g., DOCX, EXE etc.) and do NOT click on executables such as .COM and .EXE files unless you know for sure that they are safe.[17]

V.                Enable a Firewall on your System

A.   Windows and Apple operating systems include firewalls that prevent hackers from entering your system. Be sure they are enabled.[18]

B.   Some antimalware also includes firewall functions; consult a technical expert to decide which firewall to implement.

VI.            Use Good Passwords[19]

A.   NEVER use the same password on multiple Websites.

B.   By using a different random password for every Website, you prevent an attacker who discovers one of your passwords from opening many other Websites where you used the same password.

C.   Generate random passwords that include uppercase and lowercase letters, numbers, and special characters (assuming the Website allows those). For example, you could create a password with random typing that looks like this: j&Rn4Uy4k=a for a particular Website.

D.  You can use a free password generator online if you don’t like random typing.[20]

E.   ALWAYS use a password-safe function.[21] These products use one master password to encrypt all your other passwords for safety. They automatically type each Website’s password when you need it. Certain browsers[22] and antimalware programs[23] have a similar password-protected master-password lists.

VII.        Don’t Fall for Phishing Attacks[24]

A.   NEVER click on a link in email from a stranger. Always hover your cursor over the link and look at the bottom of the screen to see exactly what the link points to. If it has weird elements such as large numbers of incomprehensible characters or numbers (e.g., http://bankofamerica.5793v.ru/%20ygheng8/wer089yv/bv3yhhna ) DO NOT CLICK ON IT! It is very likely a Website run by criminals.

B.   NEVER respond to messages that claim to come from your bank, your hospital, your email provider and so on that claim that your account has been compromised and that you have to log in to a link in the message to provide your user information and password. If your password really were compromised, typing it would be meaningless. If you have any doubt about your account, log in yourself using the URL you already know and use. You can also call your bank (and so on) to ask about the message.

VIII.         Don’t Fall for Email
Frauds

A.   NEVER communicate with a Nigerian prince, a Brazilian government official, or a Vietnamese bank official  (and so on) who offer to put $23 million from abandoned money into your bank account so you can keep several million. These are “advanced-fee frauds” in which gullible people (idiots) agree to cooperate with people who have self-identified as criminals and who then suddenly announce that there’s a hangup in the process and they need a few hundred dollars to get moving again. When the idiots agree and wire the money, the criminals turn around and ask for 10 times that amount the next time – and so on until the idiots finally realize they’re being played for the fools they are.

B.   NEVER do business with “companies” that send you unsolicited commercial email – the fact that they are doing that is evidence enough of their dishonesty. Don’t buy anything from them, don’t invest in wonderful offers, and don’t sign up for free ANYTHING from companies you’ve never heard of.

C.   NO, you have not been given a large donation from a total stranger in Uganda who addresses you as Dearly Beloved and claims to be dying. It’s another advance-fee fraud.[25]

D.  NO, you have not won a lottery you never bought a ticket for.[26] The Irish Sweepstakes, the El Gordo Spanish lottery – these cannot offer you million-dollar prizes when you never registered for them – and in the US, it is ILLEGAL to participate in non-US gambling!

E.   NO, you are not about to be arrested by the FBI for filing an incorrect IRS tax submission. Government agencies (police, tax collectors, inspectors…) NEVER communicate with people they are charging with a crime by sending an email announcement![27]

F.   DON’T use the UNSUBSCRIBE function for any sender that you are not absolutely sure about. For example, if you sign a petition sponsored by a reputable organization (e.g., Amnesty International, National Wildlife Federation, and so on), you may receive a thank you note that includes a clear, obvious link for being removed. That link should be to the Website of the organization itself, not to a random-looking URL.

IX.            Don’t Fall for Telephone Scams

A.   NO police force will call you to announce that you are being arrested.

B.   NO police call comes from Caller ID 911.

^C.     NO IRS official will threaten you by phone and insist that you immediately send a wire transfer to a company address.²⁹

D.  NO legitimate company will phone you to offer to extend your automobile warranty – these criminals will steal your money and provide no services.[28]

E.   NO ONE can improve your credit rating magically by having you pay money to someone who phones you to offer that service.

F.   If you receive a scary message by phone insisting that you log on to a “special Website” to fix a problem with your bank debit card or with your credit card, hang up and phone the regular number documented on your card to find out if there really is a problem.

G.  NEVER continue your conversation with someone who sounds angry and threatening on the phone. Just hang up.

H.  NO, Microsoft (or Apple) does NOT phone you to tell you have a virus on your system.[29] The person with the thick Indian accent is a criminal who wants to (a) log on to your system remotely; (b) install malware on it; and (c) demand payment for completely bogus “antivirus” or “technical support” services that sometimes go as high as $1,000. If you ever DO provide a credit card to pay for the fake services, the criminals instantly suck money out of your account up to the credit limit.

I.     If your young nephew, niece, grandson, granddaughter or friend sends you a desperate phone call of poor quality claiming that they are in prison or kidnapped in a third-world country and need several thousand dollars to be set free, phone them at their home to find out; chances are, it’s a fake call designed to trick you into sending money to crooks.[30]

X.               Don’t Fall for Mail Fraud

A.   NO, you will not earn large amounts of money for remailing products to other addresses. The criminals who trick victims into this scam are actually mailing products to innocent people who then forward them to members of the criminal ring. And the victims of this scam may be charged with federal crimes.[31]

B.   No, you cannot earn $50,000 a year by visiting stores to evaluate them.

C.   NO, you cannot be the winner of huge prizes at your local auto dealer by matching one of the numbers to a number concealed by wax you have to scratch off. Lots of the fliers have “winning” numbers – but they are solely to trick people into visiting the dealer with the bogus certificates.

D.  NO, that official-looking printed sticker (“EXPEDITED DELIVERY” or “SECURE DELIVERY” or “PRIVATE” or “CONFIDENTIAL” on the envelope you have received that has no return address on the front or back is NOT from the US Postal Service. It’s designed to look official but actually suggests that the senders are trying to trick you into something fraudulent.

XI.            Don’t Fall for Rumors

A.   NEVER believe or forward an alarming story you’ve received from a friend or read on a social media without checking it on SNOPES.COM.[32]

B.   NEVER forward ANYTHING that includes promises, threats or warnings about failing to forward the message: these are chain letters and they are all nonsense.

C.   Microsoft does NOT and cannot keep track of whether you forward a message, and they certainly do not hand out free prize money for forwarding email, contrary to the claims that you will see in some chain letters.

XII.        Use Email Properly[33]

A.   NEVER put lists of people in the TO or CC field of an email message you are writing unless (a) it is essential that everyone see who is receiving the email; and (b) they have all agreed to have their email addresses made known to everyone else.

B.   NEVER use REPLY ALL unless there’s a good reason to. If you receive an announcement from your synagogue or department chair in which there are 52 addresses in the TO or CC field, don’t write “Thanks” and REPLY ALL: 51 other people than the sender are going to see your response for no good reason.

C.   DON’T leave copies of copies of copies of copies of copies of old messages in your reply. Delete the old useless stuff, keeping only a specific quotation if necessary.

D.  Don’t send a link to someone without at least a bit of text that demonstrates that the message is really coming from you. Use a recipient’s nickname, include a warm greeting obviously from you, refer to a recent event or conversation, and so on.