The Best Tool you Have is your Head – Use it!
I’ve found that a lot of people that spend a couple of hours or more online each day still don’t have a good feel for what’s safe and what isn’t. So I thought I’d share some online security tips with you.
Everyone doesn’t surf the web, but most of us have an email account or two. And there are some threats you need to be aware of that can pop up in your inbox.
I’m going to skip over anti-virus and malware protection programs for the moment, as they warrant a post all their own. This post will deal more with just plain common sense.
There are three basic types of incoming email threats to be aware of:
1. Spam -
These are unsolicited emails, trying to get you to buy something or visit a page in the hope of convincing you to give them something… an order, your email address, a subscription sign-up… could be a number of things. The point is, you didn’t ask for it, but they sent it to you anyway, and they want you to give them something in return for the favor of gracing you with their presence.
Don’t! In fact, don’t open them, don’t even view them in your preview window. If you know it’s not something you requested, delete it immediately. Some emails have a script embedded in them which will ping the sender when an email is opened. This tells the guy that just sent his garbage to 10,000 random addresses that yours is a valid address. That means your address is no longer a question mark – it’s now inked-in, and you can rest assured, you’ll be hearing more from him, and others, because this is a common ploy when building a “verified list” of emails to sell to mass-marketers (spammers, so as not to put too fine a point to it).
2. Spoofs -
These are unsolicited too, of course, but may not be as obvious. It may purport to be from eBay, PayPal, or Bank of America, and the subject line may say something about you winning something, or your account being suspended or otherwise jeopardized, just to get your attention. If you view the email, it’ll often display the logo of the supposed sender, and say that you have to log in to change your password, or verify your details…
Again, don’t! If you click through to what they say is the login link, you’ll be taken to a page that is a copy of the page of the authentic eBay, PayPal or B of A, and when you enter your username and password… did you hear that? That was the whooshing sound of your account being cleaned out by some giggling fiend on the other side of the monitor.
First of all, if you use Wells Fargo or United Bank, why would you even consider opening such an email from B of A? Obvious, right?
But maybe you do use B of A. So how do you protect yourself? First of all, you should NEVER… let me repeat that… absolutely NEVER use the link in ANY email to proceed to a site where security should be a major issue. Type the link into your browser. (DON’T copy and paste it… you might as well click on it if you do that!) And it’s a good practice to check links out regardless, so you know if they’re what they say they are.
For instance, you might receive an email from United Bank saying that they’ve noticed suspicious activity and need you to verify a transaction. You can hover you mouse over the link, without clicking on it and in your status bar, the actual address of the link will be displayed. If the link address is something like igorsrevenge.ru/ripoff/sept11, it’s a fair bet that Union Bank didn’t send it. Similarly, you can check out the real email address of the sender. No business that I’m aware of is going to have a hotmail or gmail address.
Some of these folks are slightly brighter than others, so they’ll make it less obvious. I got one today from someone purporting to be AlertPay. They had gone to some length to hide their site’s real address by setting up a series of subdirectories, so when I hovered over their “Click Here to Verify Your Identity” link, what actually was embedded was:
What that means is that their site URL is actually upweb.ir. They attempted to make it look as though the URL was alertpay.com. And if a person was in a hurry, they might miss it and think it was authentic.
When I come across items like that, at least for businesses I actually use, I’ll take the time to visit their real site and make them aware of it so they can warn their users.
Even if I hadn’t noticed the phony URL, common sense should warn me that any email so grammatically incorrect as this probably didn’t originate in a reputable business:
This EMAIL SENT YOU TO VERIFY YOUR IDENTITY .
- WE HAVE NEW SECURITY SYSTEM SO WE NEED VERIFY YOUR IDENTITY
- CLICK HERE TO VERIFY YOUR IDENTITY
- IF YOU HAVE NOTE VERIFY YOUR IDENTITY WE WILL
- BLOCK YOUR VISA AND MONEY AND ACCOUNTS
- ATTENTION YOU LINK EXPIRE AFTER 24 HOURS
As you can see, good grammar isn’t a prerequisite for thieves.
3. Phishing –
This is a slightly more direct approach than the Spoof email. Phishing emails will often try to convince you to enter your private information in an email response to the sender. This one should send up red flags immediately. No reputable business will ask you to submit sensitive information via email. If they do, they’re really too stupid to do business with… find a new vendor!
They may not be so obvious as to ask for your username and password. In fact, they’ll often come from places you wouldn’t even have an account. What they’re looking for is any portion of your private information they can get. Maybe it’s your full name, street address, employer, or IM username… you’d probably be shocked to find out how much information already is available online about you. Why help them fill in any blanks, just so they can either sell your data or worse, steal your identity themselves.
Identity theft is a HUGE business, and there are some very astute technical minds at work in the field.
Other clues that should grab your attention include a list of coincidental addressees in the To: field of the email. Do you think this is coincidence, when over 30,000 consecutive names all show up in alphabetical order, as they did in the spoof example above?
TO: david.adams; david.adamson; david.addams; david.benson; david.bentley; david.carlson; etc…
There are many tools at your disposal, to protect you from this sort of activity: antivirus, anti-malware, email filters, firewalls… but your best weapon is your head.