3 Ways to Protect Yourself from Cybercriminals
Securing your online accounts and protecting your personal information from cybercriminals is increasingly important. We are living in a time of unprecedented connectivity, and we are all putting more and more of our personal information on the internet. Adage approaches security as an ongoing effort that includes educating clients and employees. This article discusses recent data breaches and their aftermath, the types of cyber fraud, and, most importantly, how to protect your personal information and prevent cybercriminal activity.
Recent Data Breaches
All organizations, large and small, are subject to data breaches and the possibility of exposing customer data. Recently, large organizations such as Equifax, Yahoo, Target, Marriott and Capital One have suffered data breaches. Most of us have, at some point, provided these large organizations with information about ourselves. Account numbers, addresses, passwords, and other information open doors for cybercriminals. Consumers fall victim to these data breaches, but the large organizations also spend big bucks when their customer data is exposed or compromised by a cyber-attack.
In 2013, 110M Target customers’ credit card and other personal data were exposed, leaving them vulnerable to identity theft. The attack began with a malware-laced phishing email sent to an HVAC company that worked for Target. Costs to the nationwide retailer totaled over $300M, plus an ongoing negative effect on their brand and sales.
Equifax, one of the largest consumer credit bureaus in the United States, announced in September 2017 a large data breach that exposed the personal information of 147 million people. The breached data included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The hackers were able to exploit a vulnerability in Equifax’s unpatched online dispute portal, which gave them unauthorized access to its systems from mid-May through July 2017. According to the Equifax report published by the United States Senate (www.hsgac.senate.gov, page 35), Equifax failed to patch affected systems within 48 hours after a critical vulnerability was found on them, and they were left unpatched until July 29, 2017.
Types of Cyber Fraud
There are many types of cyber fraud meant to deceive a person or business in order to gain important data or private information. One of the main methods, phishing, comes in a wide variety of forms, but is basically defined as the fraudulent attempt to obtain sensitive information such as usernames, passwords, security codes, and PINs by disguising oneself as a trustworthy entity in an electronic communication, such as email.
The first type of attack is spear phishing, which is the most common type of phishing attack. This attack uses aggressive and direct means to trick an individual into giving up data or personal information. It directs the user to enter sensitive information at a fake website that matches the look and feel of the legitimate site.
Smishing is a form of phishing in which someone tries to trick you into giving away your sensitive information via a text message. The message may ask for sensitive information directly, request that you call a specific number, or direct you to enter the information at a fake website that matches the look and feel of the legitimate site.
Vishing is another form of phishing in which someone tries to trick you into giving them your sensitive information over a telephone call while impersonating a trustworthy entity such as a financial institution, government body, or corporation. Sensitive information may include a username, password, security code, or PIN.
Like phishing, whaling uses deceptive email messages, but it targets specific high-level decision-makers within an organization, such as CEOs, CFOs, and other executives. These individuals have access to highly valuable information, including trade secrets and passwords to administrative company accounts.
Social engineering occurs when an attacker uses personal data to fabricate an urgent situation that appears to come from a client, coworker, family member, friend, or company you use.
Social engineering examples:
- Impersonating a company or person to gather YOUR credentials.
- Impersonating a company or person to gather YOUR information.
- Impersonating a person you know to gain your trust.
3 Ways to Avoid Cyber Fraud
Just reading this article increases your general awareness of cybercriminals and what to look out for. The following are three concrete ways to protect yourself.
1. Critical Thinking when Reading Emails
With increased awareness, make no assumptions when reading emails, responding, or clicking links. Scan your email for the following common fraud indicators:
- Check the real FROM email address
- Look out for spelling & grammar mistakes
- Be wary of unnecessary urgency or threats in the email body
- Don’t open attachments or click on links; should a link open a website requesting your sensitive information, think twice and verify the sender and the reason
- Contact IT if you cannot identify the sender
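As an added example (not from the article or from Adage), the following applies three of the indicators above, the real From address hidden behind a display name, a Reply-To that points somewhere else, and urgency language, to a constructed sample message; the trusted-domain list, the sample addresses and the keyword list are assumptions made up for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample: the display name claims to be the bank, the real
# address is a look-alike domain, and Reply-To points somewhere else again.
SAMPLE_RAW_EMAIL = (
    'From: "Example Bank Security" <alerts@examp1e-bank-login.net>\n'
    "Reply-To: recover@mail-recovery-desk.example\n"
    "To: you@example.com\n"
    "Subject: URGENT: your account will be suspended in 24 hours\n"
    "\n"
    "Please verify your identity immediately at the link below.\n"
)

# Assumed list of pressure phrases; extend it for your own environment.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _normalize(text: str) -> str:
    """Keep only letters and digits so 'Example-Bank' matches 'examplebank'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def email_findings(raw: str, trusted_domains: List[str]) -> List[str]:
    """Run the article's From/Reply-To/urgency checks over one raw message
    and return one finding per indicator that fired (empty list = clean)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []
    if from_domain not in trusted_domains:
        # The bracketed address is the real sender, not the friendly name.
        findings.append(f"real From address is {addr!r}, not a trusted domain")
        org_names = [_normalize(d.split(".")[0]) for d in trusted_domains]
        if any(name and name in _normalize(display) for name in org_names):
            findings.append(f"display name {display!r} imitates a trusted organization")
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain!r}, not the From domain")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in email_findings(SAMPLE_RAW_EMAIL, ["example-bank.com"]):
        print("-", finding)
```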
2. Password Security Best Practices
Check Have I Been Pwned
One of the first steps for password security is to ensure your password hasn’t already been involved in a data breach. I recommend using haveibeenpwned.com. This site was developed by a cybersecurity expert from Microsoft and uses a protocol that allows secure searching of a database of publicly available usernames and passwords, the same data attackers use to gather sensitive information. The site will not cover every breach out there, but it does cover hundreds of smaller breaches that have been identified. Again, this is a 100% safe way to test that your chosen password has not appeared in a breach and to ensure you haven’t been involved in a major breach.
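The “secure searching” mentioned above is the k-anonymity model of the Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/, and compares the returned suffixes locally, so the password itself never leaves the machine. The following is an added example, not code from haveibeenpwned.com or from Adage; it replaces the HTTPS request with an offline stand-in that serves a constructed response (the counts and the other suffixes are made up), and the only real value in it is the SHA-1 of the string "password".

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the range endpoint's response for prefix 5BAA6:
# one "SUFFIX:COUNT" line per hash in that range. Counts are made up; the
# middle suffix is the real remainder of SHA-1("password").
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1D2B7A3E4F5C6D7E8F9A0B1C2D3E4F5A6B7:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3\r\n"
        "1F3A8C0D9E7B6A5F4E3D2C1B0A9F8E7D6C5:1\r\n"
    ),
}


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan the returned range locally for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breach data (0 = not seen).
    fetch_range(prefix) must return the raw text of the range endpoint."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS call, serving the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a-constructed-unique-passphrase-9f3k"):
        print(pw, "->", pwned_count(pw, offline_fetch))
```

To query the live service, replace offline_fetch with a function that performs the GET request for the prefix and returns the response body unchanged.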
Do not use the same password for multiple accounts
If an attacker can obtain your password from a less secure account, you can consider all accounts using the same password as breached, even if the other accounts have increased security.
Enable Two-Factor Authentication
Two-factor authentication is generally best practice on any Google, email, or social media account. The general rule of thumb is to enable two-factor authentication anywhere sensitive information is present. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1. something you know, and 2. something you have or something you are. Two-factor authentication offers an extra layer of security and reduces the risks associated with compromised accounts should one factor be exposed.
Passwords should contain the following:
- 12 characters or more
- No dictionary words (spelled forward or backward)
- Little to NO personal information
3. Utilize Password Managers
Password managers make secure storage and organization easy across multiple devices. These platforms also offer password generation and secure password sharing. One example, and the one Adage uses internally, is LastPass.
LastPass and other password managers are not just for use in the office. Many offer free personal accounts as an add-on to your business or organization account. Complete the following to get the most from LastPass or other password managers:
- Set up two-factor authentication to protect the master password
- Install the browser plugin
- Utilize the password generator for new logins
- Review passwords that are shared
- Organize passwords by category for ease of use, access, and sharing
- Download and utilize the mobile app