We are glued to our phones and computers – and now more than ever, cyber attacks and scams are mainstream. They're not just hitting major corporations; they're hitting small businesses and individuals using home and public Wi-Fi networks. The advent of 5G and our economy's Work From Home (WFH) culture only exacerbate the problem. Everyone is working at unusual hours and on weekends, so it's getting harder to tell if network access is normal or suspicious. In the home, the Internet of Things (IoT) is booming, as devices and appliances are more and more connected, like your dad’s new grill, a smart refrigerator, or an alarm system that keeps your family safe by sending alerts. This puts a new spin on securing your home (and its network) as carefully as your employer secures its networks. We thought that some tips on how to be more 'cyber-ready' would come in handy, so we asked a trusted source (Molly's fiancé, Bobby), who has insured businesses against cyber attacks for nearly a decade, for his top 5. While he disclaims that he is not a security professional or expert, he wanted to pass along his research and personal viewpoints (neither those of his current nor former employer). Please consult a security professional for clarification of any of this information or to learn more about cybersecurity in general. This stuff is not going away! Here it goes...
It’s important that you don't have your computer volume turned on if you aren’t using it. When you participate in online meetings, make sure you’re following the instructions outlined by the technology provider, host, and/or your employer. There’s no reason to leave audio on your computer all day long because criminals can record snippets of your voice through the computer’s microphone while you sit there talking on your phone.
Ever wonder how ads are so perfectly targeted? We sort of prefer it that way as opposed to irrelevant ads, but stop and think about it. Remember the last conversation you had about buying something, and whether you saw an ad pop up almost instantly thereafter. It’s (in part) because you have your phone’s microphone turned on in your settings, allowing certain apps access to your microphone, like Instagram, LinkedIn, Snapchat, Waze, and WhatsApp to name some. Sure, you need to have the microphone turned on in order to record videos with sound within social media apps or speak to Siri, but you don’t need it on all of the time. If you have an iPhone for example, go to: Settings, and search ‘Microphone’ which is under Privacy, and it will list all apps that have requested access because your toggle is turned on. For Android, under Settings, then Apps, click the gear icon then click 'App Permissions' to get a list of Android functions such as location and microphone. Click 'Microphone' and you will see the list of apps that are requesting access to your microphone. These instructions may be incomplete or change over time, so feel free to investigate yourself.
Not just for your laptop but your phone too. Your devices are basically cameras connected to the internet constantly and pointed at you often. The concern is not just the internet creep, but someone who wants your facial (biometric) data because it’s a valuable asset that can build a criminal's profile on you. Yes, it's unlikely that it can actually work to commit ID theft, but at the end of the day, privacy is sacred. While we’re on that topic – don’t be so trusting with new apps (especially face-capturing apps) during their 15 minutes of fame. Just because a developer says they're reputable and secure doesn’t mean they aren’t sharing your data and/or backing it up to a third-party cloud provider based in another country. You don’t want your data getting into the wrong hands and you don’t necessarily want to use every app just because it's available. This sounds rather doom and gloom, but just normalize it. Webcam covers are getting popular and are a cheap gift for the family and coworkers – not to mention a good conversation starter.
Fraud schemes today are sophisticated and unnerving. You don’t have to be a grandma or think a Nigerian prince wants to send you money to be a victim. We all can become victims. It’s important to realize that you are not stupid if you end up duped – scammers are tricking CEOs, Controllers, and even technology professionals. Take a second to read the full URL before clicking and then typing your sensitive information. Both the URL and homepage can look incredibly similar to the real site – common examples are government, banks, social media, and email service provider sites. Instead of clicking, just type the URL in by hand. Also, make sure the site you visit has HTTPS in the URL, as these sites are ‘generally’ more secure than those with HTTP. Only click on links, open attachments and calendar invites, and download software from senders you’ve seen and trust.
We are info hungry, especially during times of uncertainty. With respect to COVID-19, cyber criminals are preying on our desperation and curiosity. They’ll mask malicious links with something seemingly credible, like an interesting update about lifting a shelter-in-place order in your state, or a landing page to apply for a loan, or unemployment. Once clicked, that malicious link can run malware and lock up your files or network – or launch a spoofed site that asks you to enter your confidential information, including your bank account and routing #s (under the guise of direct deposit) – essentially, letting you hand over the keys yourself. If you’re unsure, Google search the title or URL in a separate tab to see if you can navigate to a legitimate site that way. URLs that end in .gov are supposed to be more secure, but they too can be illegitimate.
For placing calls, however, only call customer service phone #s provided on the mobile app or in a legitimate email or site. Don't just call the first phone # in Google search results. There's such a thing as "man-in-the-middle" fraud, where a criminal will intercept calls to those phone #s and act as a bank representative to you (while a partner in crime connects to an actual bank representative), thus having you confirm a passcode over the phone (to the criminal) that your bank has actually texted you. The partner criminal will reiterate that passcode to your bank on your behalf to bypass authentication and wire funds out of your account. In some cases, banks have been able to claw back these wires, but it's enough to make your heart sink.
Trust your gut! Be skeptical of what looks weird and think it through – even if that means putting the phone down and revisiting the email once you’re on a bigger screen. Criminals want you to be impatient because they know you tend to be, and they don’t have much time either!
Maybe your password strategy has gotten better since high school, but chances are you reuse the same or similar passwords all the time. Obvious? Yeah – experts say that nearly 80% of people do this, especially when password resets aren’t enforced at work. On average, people have about 100 accounts on the internet and it just takes one to be hacked. Or better yet, you give away your credentials on a spoofed site, allowing criminals to unlock dozens of your accounts.
What’s harder than creating better passwords? Remembering them. Look into ‘Password Manager’ software to take this burden off your plate. Trials are often free with premium upgrades at low cost. Families have paid for this together to better secure everyone’s devices from exposing the home network. Others ask for this at work by either suggesting the employer pay for it or tap into their cyber insurance for discounts. It’s a great idea, and companies are starting to realize that taking care of employees’ security means they’re safer as well. There are a lot of affordable options out there, such as Dashlane and LastPass.
Not ready for that? Just follow basic hygiene. Reset passwords in a memorable way. Here’s an easy framework for this. For example, let's say you grew up on a street called ‘Country Way’ – your password could be WayCountry@42020FB – but only for Facebook and only for April 2020. Next month, your Wells Fargo password may be WayCountry@52020WF. Switching the endings is a way to strengthen it (i.e. changing WF to Wells, WFargo, and WellsF, then back again).
If all else fails, write them in an old school notebook or planner because if you lose that, you are at least aware. Not recommended, but if you have to save to your desktop, make sure the file is encrypted. Reach out to a friend or colleague in IT and ask for assistance with how to encrypt your file.
Finally, do not keep the default password on your internet router. Always change it.
Many of us have now perfected the art of sleeping in and WFH, but few of us have stopped to think about what WFH means for our privacy and security. Does your company or client provide you email access via a browser? If so, ask them if MFA is turned on. Even Microsoft says it works 99.9% of the time. MFA is what it sounds like – there has to be more than 1 factor (or way to prove your identity) beyond the basic user ID/email and password. With MFA, you need to give at least 2 authenticating factors, creating a second line of defense against a criminal who has your password. This is super important when more people are accessing networks remotely, a time when cyber criminals have more points of entry. MFA is getting a lot of hype now if you haven’t already heard about it – you would have if you’ve ever received a one-time code or one-time-password (OTP) by text or email for a password reset or to log into something. Similarly, banks are adding voice recognition to authenticate you even after you’ve provided the correct DOB or last 4 of your Social. People preach MFA because it’s a small inconvenience to the user, yet a big inconvenience to the cyber criminal.
Of course, if you have tips of your own and are willing to share, let us know! Email: editorialasst@mollymy.com.
ARTICLE BY:
Bobby Richards