If someone you didn’t know approached you on the street and asked you where you lived, would you tell them? Probably not. If they asked you where you banked and for your account number and online banking password, would you consider giving out that information? Very unlikely. Face-to-face and in real time, we tend to be good at protecting what is important to us. We lock our cars, set the house alarm when we leave and stop the mail on vacations.
Somehow, these same questions and intrusions on the screen of our devices can seem less invasive and safe enough to embolden us to share our most valuable assets. I’m not talking about cherished jewelry, a new computer or a family heirloom — the items that you value the very most and have taken steps to insure and protect. Rather, what you have that is worth stealing is less visible yet valuable to you AND others, those with self-serving and malicious intent.
I’m talking about data. Profitable data. Ever get an email that “looked right” from your bank or Internet provider? Ever click on a link in an email without verifying that it’s from a safe source? These days “street smarts” are not enough to keep you safe. You need to apply those same cautious instincts in the virtual world. You need “Cyber Street Smarts” The reality is that your personal data is lucrative source of income to criminals of all kinds — from your account information to your social security number.
If you look at past and current headlines about hacking events that have led to private information being disclosed to others, you will start to see a pattern. In many cases, the sources of the stolen data have not valued their information enough to protect it from misuse. The lesson from these past mistakes is that you need to be thinking about what others value — not just about what you personally value – and protect accordingly.
Today’s IT systems when managed properly, provide a good defense to outside parties wishing to steal your data. So good, in fact, that hackers not only directly attack systems but have also adopted new strategies that compromise individuals to get the data they are after. The latest headlines about the suspected information compromises by Russian hackers that targeted the Democratic National Committee (DNC) is a prime example of the social engineering technique known as Phishing.
A common hacking technique, Phishing, involves a malicious hacker crafting an email, text message, or social media message that is written in such a way that you are compelled to click the link or open a document that is part of the message. The next step typically involves you entering your username and password (also called authentication credentials) to access a bank account, email account, social media account, or any other online service. The temptation to click and open anything has made Phishing the most widely used technique to get people to give up their access credentials for years.
There are a few actions you can take to help ensure you and your family members are not an easy target for the Phishers.
- Stop reusing passwords. I know this a challenging request based on the many logins necessary every day, each one typically requiring you to authenticate yourself and prove it is you trying to log in by using a username and password. To save you from having to remember hundreds (at last count, I am over 800) of username and password combinations, use a reputable password manager such as Password Safe.
- Enable strong authentication (also called multi-factor or 2 factor authentication) on ALL accounts that accept it. The multifactor aspect can come in the form of a text message sent to your phone, an email sent to the address you have on file with a service provider, a challenge request from an authenticator app, such as Google Authenticator, a voice call to a phone number on record, or another way to verify that you are actually the one trying to gain access to your account and not someone pretending to be you. For instructions on how to enable strong authentication across multiple services, review the information at the 2FA Tutorials site.
- Verify the person or organization that sends you an email, text, or social media message with a link or attachment to click ACTUALLY sent it (and it was not forged by someone with malicious intent). You can call them or go directly to the website being used. As an example, if you receive an email from your bank or email provider asking you to reset or verify your password, open a new browser page and type the main service provider site address yourself and then login to see if indeed they need you to take any action.
To protect everything that you have that is worth stealing, fight your basic instinct to click and open anything sent to you. Take a moment to think about the action you are about to take. Should you really click that link? Be aware and stay vigilant.
By Ben Halpert
Originally published January 19, 2016 on earthlink.net.