I've recently been asked the question "What can I do to protect myself from hackers?" There's no simple answer to this question, so I'll break this up into multiple posts.
First let's address the term "hacker". The modern representation of hacker goes back to 1980s when the term was first used to describe computer criminals by mass media. The original definition however refers to someone who modifies a device or system to do something it's not designed to do. Another widely used reference describes someone skilled in programming and are passionate about it.
Of course, not everyone is trying to reinvent technology. Hackerville is a prime example https://www.wired.com/2011/01/ff-hackerville-romania/. As such, it's important to learn how to protect yourself.
YOU are your best defense!
Sure, there are always new products being sold and touted as the most comprehensive security protection of all time. But let's face it, there are plenty of trade-offs. Convenience is one - those annoying alerts stopping you from picking your team in fantasy basketball or realizing your email doesn't work. Privacy is another. I'm not saying don't use Antivirus or other tools, but rather be very selective in what you do use. We'll get to these topics in future posts.
Being cautious and learning what signs to look for are the first steps in protecting yourself from dangers of the Internet and even in life. This can help with everything from reducing virus exposure, avoiding ransomware from phishing emails, to spotting a scammer on ebay.
Social Engineering
By nature, humans tend to trust until trust is lost. Attackers take advantage of this to their advantage. I'm not saying we should not trust anyone and become isolated. It's more of, take a moment to think about what is asked of you to understand the outcome.
In almost all social engineering schemes, the motive is almost always monetary. Access to your passwords, personal information, payment info, etc. all leads to attackers getting paid. FOLLOW THE MONEY!
Here are examples I've come across or have heard:
- Ebay/Paypal scams as buyer who lures victim to fake Paypal site
- Kijiji buyer wants you to ship to their cousin in Miami and will pay you with fake Paypal
- African prince needs help moving money, but it will cost you a little bit with the fake promise of earning much more for helping
- Congratulations! You've won...
- Office 365/Gmail warning of closing account of running out of space "Click Here" to login to a fake website to steal your credentials
- Phone call "on behalf of bank" to sell me something
- Phone call "We detected a virus on your computer and can help!"
- Ransomware in th form of email with attachments, locks your files and attacker demands Bitcoins to release your files
- Door to door sales person: "We are working with {Some Real Company}, and would like to offer you a free inspection on..."
- "We detected virus on your computer. We can help you fix it." (It's always funny when I call them out on it or just play dumb)
- "This is officer ___ , I have a criminal arrest warrant for you because you haven't paid your taxes." followed by, go to this Bitcoin machine and insert some cash
- From your friend's actual email with a link "Hey, it's you!" that goes to a page with some nasty viruses
- ...and the list goes on...
Red Flags
- Too good to be true offers
- Emails with some type of threat (account closure, Office 365 running out of space, etc.)
- Emails with a file or other requests you didn't expect
- Emails where it seems real, but incorrect sender or website link (URL) points to some odd website unrelated
- Other communications asking you for personal info, passwords, etc. (hang up, call the company yourself)
- Caller ID? Don't trust it! This is so easy to fake (spoof) a 5 year old can do it on a smartphone (hang up, call the company yourself)
- Unexpected communications from people you don't know
*What to do
On the email front, make good use of email providers like Gmail, which would filter out almost all junk and malicious emails so you don't have to. But if you do notice one, there's usually an option to report it. Don't click a link or file in an email if you're not sure what it is. Sometimes, your friend's email's been hacked and you've been sent something that you didn't expect.
Outside of that, with phone calls, never ever share information about yourself if you did not make the call. Banks will never ask you for account information when they call you. They will not be offended if you say, "I'd prefer to call in to provide this information". Then call using the number listed on the bank's website. If they give you threats or warnings or won't let you off the phone, you know it's a fake call already.
Hope this helps. Next post will focus on best practice with passwords and authentication.