Fraud Smarts - eFraud Prevention
FRAUD SMARTS
A Practical Guide for Online Safety
FRAUD PREVENTION HANDBOOK
2017 Edition
ACH & Wire Fraud Prevention

Both ACH (automated clearing house) transactions and wire transfers are forms of electronic fund transfers (EFTs). Wire transfers typically involve larger sums of money and are transferred between banks. ACH transfers are scheduled transactions, like online bill payments, that typically involve smaller amounts of money.

ACH (automated clearing house)

ACH fraud is the theft of funds through the Automated Clearing House financial transaction network. The ACH network acts as the central clearing facility for all Electronic Fund Transfer (EFT) transactions in the United States, representing a crucial link in the national banking system. Payments linger in the ACH network awaiting clearance for their final banking destination.

Here are a few examples of ACH fraud:
1. The criminal accesses a commercial customer's credentials, generates an ACH file in the originator's name, and quickly withdraws funds before the victim discovers the fraud.
2. The criminal accesses a retail customer's credentials and sets himself up as an automatic bill pay recipient.
3. In an insider threat scenario, an employee of the target company or a bank modifies ACH files to steal money.
4. In a variation on check kiting -- a scam in which funds are juggled back and forth between bank accounts at separate banks -- a criminal takes advantage of the time lag in transactions.
5. In a spear phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to access authentication information. The thief can then impersonate the company's authorized representative and withdraw funds.
ACH fraud prevention tips:
1. Reconcile all banking transactions on a daily basis.
2. Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
3. If possible, and in particular for customers that do high value or large numbers of online transactions, carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are not possible.
4. Be suspicious of e-mails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. Opening file attachments or clicking on web links in suspicious emails could expose the system to malicious code that could hijack the computer.
5. Install a dedicated, actively managed firewall, especially if you have a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and computers.
6. Create a strong password with at least 10 characters that includes a combination of mixed case letters, numbers and special characters.
7. Prohibit the use of "shared" usernames and passwords for online banking systems.
8. Use a different password for each website that is accessed.
9. Change the password a few times each year.
10. Never share username and password information for Online Services with third-party providers.
11. Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses.
12. Install commercial anti-virus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
13. Ensure virus protection and security software are updated regularly.
14. Ensure computers are patched regularly, particularly the operating system and key applications, with security patches. It may be possible to sign up for automatic updates for the operating system and many applications.
15. Clear the browser cache before starting an Online Banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version. This function is generally found in the browser's preferences menu.
16. Verify use of a secure session (https not http) in the browser for all online banking.
17. Avoid using automatic login features that save usernames and passwords for online banking.
18. Never leave a computer unattended while using any online banking or investing service.
19. Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account number and sign-on information, leaving the customer vulnerable to possible fraud.
20. Stay in touch with other businesses to share information regarding suspected fraud activity.
21. Immediately escalate any suspicious transactions to the financial institution, particularly ACH or wire transfers. There is a limited recovery window for these transactions and immediate escalation may prevent further loss by the customer.
Here is an example of wire fraud:
1. The organization's email domain is @company.com.
2. The attacker registers domain names deceptively similar to the organization's (for instance, @conpany.com, @cornpany.com, @cmpany.com).
3. The attacker learns the names of the Designated Executive and Designated Employee through social engineering or online research.
4. The attacker sends an email purporting to be from the Designated Executive, using a deceptively similar email domain.
5. The Designated Employee receives this email and sees that it is from "Designated Executive" <[email protected]> directing the Designated Employee to have $1 million wired to account number 123456789.
6. The Designated Employee, following procedure, checks to see that the email came from "Designated Executive."
7. But the email actually came from an address at @conpany.com, which the Designated Employee mistakes for a legitimate company email address.
8. The Designated Employee logs into the online banking portal account and requests an outbound wire transfer for $1 million to account number 123456789.
9. The bank, following procedure, checks to confirm that the request for the wire transfer did come from the Designated Employee's account on the online banking portal.
10. The bank wires $1 million to account number 123456789.
11. Meanwhile, the actual Designated Executive has no knowledge of this wire transfer.
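The step-6 check above fails because the look-alike domain is read as the real one. Added example, not part of the handbook, of the domain comparison a mail gateway or a payment procedure could apply before any wire request is acted on: it collapses confusable character sequences (rn for m, as in cornpany.com) and measures edit distance against the organization's domain. company.com and the sample addresses are constructed for the example.

```python
# Added example, not from the handbook: flag sender domains that are deceptively
# similar to the organization's own domain. company.com and the sample addresses
# below are constructed for the example.
from __future__ import annotations

# Character sequences that are easily mistaken for one another on screen.
# ("rn", "m") is the substitution behind cornpany.com; the rest are common cases.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalize(domain: str) -> str:
    """Lowercase a domain and collapse confusable sequences to what they imitate."""
    d = domain.strip().lower()
    for seq, looks_like in CONFUSABLES:
        d = d.replace(seq, looks_like)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain of an address written as 'Name <user@host>' or plain 'user@host'."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(">")


def lookalike_verdict(address: str, org_domain: str, max_distance: int = 2) -> str:
    """Classify a sender relative to the organization's domain.

    "internal"  - exactly the organization's domain
    "lookalike" - a different domain that is confusable with it
    "external"  - an unrelated domain
    """
    domain = sender_domain(address)
    org = org_domain.strip().lower().lstrip("@")
    if domain == org:
        return "internal"
    # Identical once confusables are collapsed: cornpany.com -> company.com
    if normalize(domain) == normalize(org):
        return "lookalike"
    # Otherwise a short edit distance on the label with the same TLD: conpany, cmpany
    label, _, tld = domain.rpartition(".")
    org_label, _, org_tld = org.rpartition(".")
    if tld == org_tld and edit_distance(label, org_label) <= max_distance:
        return "lookalike"
    return "external"


def screen(addresses: list[str], org_domain: str) -> dict[str, str]:
    """Run the check over a batch of From addresses (e.g. a day's inbound mail)."""
    return {addr: lookalike_verdict(addr, org_domain) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample: the scenario's domains plus one unrelated sender.
    sample = [
        "Designated Executive <exec@company.com>",
        "Designated Executive <exec@conpany.com>",
        "Designated Executive <exec@cornpany.com>",
        "Designated Executive <exec@cmpany.com>",
        "Vendor <billing@example.org>",
    ]
    for addr, verdict in screen(sample, "@company.com").items():
        print(f"{verdict:9s} {addr}")
```

A "lookalike" verdict is a signal for a human to verify the request another way (the separate phone call the tips below recommend), not a final judgement; short unrelated domains can also land within two edits.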
Wire fraud prevention tips:
1. Never wire money to people you don't know, regardless of how convincing or enticing their story may be. Scammers often win their victims' confidence with some "bait," such as a work-at-home offer, a great deal on a product for sale, or news that you have won some kind of lottery. Be especially careful with transactions over the Internet, where the other person's true identity can remain anonymous. A stranger asking you to wire money is a huge red flag that it is a scam. Don't fall for it.
But even if you get a request to send a wire transfer and it's supposedly from someone you do know, confirm that's the case some other way, such as through a separate phone call.
2. If you're being pressed to make a decision or send money fast, it's probably a sign of a scam.
3. Walk away from any offer from a stranger who asks you to deposit a check into your bank account and instructs you to wire any of that money to someone else, perhaps in another country. Let's say you receive a check, cashier's check or money order for an item you are selling or to cover so-called processing fees, shipping costs or other expenses. But then you notice that the check is for more money - perhaps far more - than what you were expecting. The other party instructs you to deposit the check and wire a portion back to an associate in another country. Later you find out that the check was fake and you are out all of the money you wired. In this type of scam, victims may end up owing thousands of dollars to the financial institution that wired the money.
Likewise, if you are selling something online, be wary of a request by a "buyer" to wire you the money because that may be a ruse to get your bank account information. Or, this person may plan to send you the money illegally using someone else's bank account number, and ultimately you'd be without your merchandise as well as any payment. Always remember that wiring money is like sending cash, and because you voluntarily sent the money, you have fewer protections in terms of getting it back.
4. Never give out your bank account or credit card numbers in response to an advertisement or an unsolicited call, text message or e-mail. That information could enable someone to steal money out of your account by a wire transfer, before you have time to realize that the interaction was fabricated by a swindler.
ATM Machine Safety
1. As always, be mindful of your surroundings. Don't select an ATM at the corner of a building -- corners create a blind spot. Do your automated banking in a public, well-lighted, high traffic location that is free of shrubbery and decorative partitions or dividers.
2. Maintain an awareness of your surroundings throughout the entire transaction. Be wary of people trying to help you with ATM transactions. Be aware of anyone sitting in a parked car nearby. When leaving an ATM make sure you are not being followed. If you are followed or think you are, drive immediately to a police or fire station, or to a crowded, well-lighted location or business. If lights around the ATM are not working, don't use that machine.
3. Do not use an ATM that appears unusual looking or offers options with which you are not familiar or comfortable. There are machines that thieves stick on top of ATM machines, called skimmers, that steal your banking information.
4. When using a walk-up ATM, park as close as you can to the machine. Before leaving the safety of your car, check for suspicious persons or circumstances. Have your ATM card ready before you approach the machine.
ATM Skimming
ATMs and gas stations — especially in tourist areas — may have skimming devices. Scammers use cameras, keypad overlays, and skimming devices — like a realistic-looking card reader placed over the factory-installed card reader on an ATM or gas pump — to capture the information from your card's magnetic strip without your knowledge and get your PIN.
What to look out for:
Inspect the ATM, gas pump, or credit card reader before using it… be suspicious if you see anything loose, crooked, or damaged, or if you notice scratches or adhesive/tape residue.
When entering your PIN, block the keypad with your other hand to prevent possible hidden cameras from recording your number.
If possible, use an ATM at an inside location (less access for criminals to install skimmers).
Be careful of ATMs in tourist areas… they are a popular target of skimmers.
If your card isn't returned after the transaction or after hitting "cancel," immediately contact the financial institution that issued the card.
Turn Cards Off:
You may be able to turn your cards "on" and "off" from your phone. If you suspect your card has been skimmed, you can use the app on your phone to turn the card "off," a setting that denies any requests to use your card. Once the suspicion has passed, if no fraud occurred, you can use the app to turn the card back "on."
This type of switching feature often includes some flexibility. You might turn off the card for online purchases but keep it open for stores. You might also turn the card "on" for all transactions except ATMs.
Discover offers a "freeze" button you can use on your account to prevent new purchases, cash advances or balance transfers. And a variety of financial institutions have made the switching feature available. Check your bank or credit union's website or ask if this type of feature is available for the plastic you currently carry.
Geolocation:
Ask your financial institution about pairing geolocation software with your card. This type of feature tracks the location of both your card and phone. When someone attempts a transaction, the card company compares the location of the phone with where the card is being used. If it matches, it will let the transaction go through. If the card and phone locations don't match, the card company denies the transaction. This way, if someone steals your card or card information, it would be difficult to make a purchase.
You also may be able to set GPS limits on the card, making it possible to use the card within a certain geographical area, but not outside of it.
Watch Your Statements:
Keep a close eye on your credit card statement for purchases you didn't make.
Consider monitoring your checking account transactions daily on your financial institution's website.
Consider using a notification service. If you put a threshold on your credit or debit card when using such a service, you will get an alert if someone charges something over that amount. For instance, if you set a limit of $1,000, you'll be notified if someone attempts to spend $1,500 with the card. Typically, under the account services tab, you'll be able to change the notifications. Most financial institutions and credit card issuers offer this feature, but if you don't see it, contact the financial institution and ask if notifications can be set up.
Ask for a "card not present transaction" notification. If someone tries to use your credit or debit card number online, you'll be notified immediately.
Chip Enabled:
EMV, which stands for Europay, MasterCard and Visa, refers to a standard for cards equipped with computer chips. Rather than swiping the card, as you would for a card with a magnetic stripe, you insert the card into a terminal slot during a transaction and then remove it once the transaction is complete.
One of the biggest perks of EMV cards involves a higher level of security. Unlike the magnetic stripe on a card, which contains data that remains the same, EMV cards change with each transaction. EMV cards are a great solution to the problem with skimming because they produce unique, 1-time tokens that a hacker can't reproduce. They're basically impossible to predict, and they don't work for more than 1 transaction. So, if a hacker is able to get your card number and clone the card, he or she can't use it at a retailer that accepts EMV. However, EMV cards don't significantly improve security for online purchases, nor does the technology work when the ATM or point-of-sale terminal hasn't been upgraded, like at many gas stations, for example.
Bitcoin
1. If your wallet's stolen, act fast - If your Bitcoin wallet has been stolen, the thief will need to move the Bitcoin currency out of it. You need to act fast in order to save your Bitcoin. When the Bitcoin wallet is stolen from the victim, the thief will have to "spend" the Bitcoins in it - by either adding them to his own wallet, purchasing something, etc. The only way to get away without losing your money is if you "spend" the Bitcoins (purchase something or import them to a new wallet) before the thief does.
2. Keep your PC clean if you're dabbling in Bitcoin - Cybercriminals love Bitcoin. There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims' Bitcoin wallets, or both. Keep your computer clean and uncompromised by "thinking before you click" and keeping your system, applications and anti-virus up-to-date.
3. Encrypt your wallet - Despite Bitcoin's own beautiful illustrations of glittery coins, what you're dealing with are numbers - long encryption keys. To stay safe, you just have to ensure no one else ever has access to these. There are several important rules to keep Bitcoins safe. The key words here are: backup and encrypt. Bitcoin provides a way to encrypt wallets, and this would make it much more difficult for the attacker to get his hands on the Bitcoins.
4. Don't keep all your eggs in one basket - or your Bitcoin in one wallet - Bitcoin is a special case - if you're worried a site breach or Trojan attack may have put your Bitcoin within reach, don't just change passwords, even if your wallet is encrypted. Make a new one, and move your coins to it (with a new, strong password). If a wallet or an encrypted wallet's password has been compromised, it is wise to create a new wallet and transfer the full balance of bitcoins to addresses contained only in the newly created wallet.
5. Most finance experts advise - don't put your life savings in Bitcoin - The soaring price of Bitcoin isn't a signal to invest: If you've made a profit on Bitcoins you already own, well done. There's simply no way to know whether their prices will keep rising, stabilize or collapse. And there are a lot of risks - everything from them being hacked, your e-wallet being hacked, someone successfully forging them or Bitcoins being made illegal.
6. If you must store Bitcoins online, don't store large amounts - Online Bitcoin wallets are not designed to work like bank accounts - they're convenient, as you can access them from anywhere - but they're a prime target for cybercriminals. Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in.
7. Mobiles and Bitcoins don't mix - Various Android apps offer ways to carry Bitcoins with you but again, these come with their own risks. Earlier this year, a flaw in Android rendered ALL Bitcoin wallets unsafe - although it was rapidly patched - and apps which allow transfer via NFC add additional risks, particularly if a device is lost. Mobile wallet applications are available for Android devices that allow you to send bitcoins by QR code or NFC, but this opens up the possibility of loss if the mobile device is compromised. It is not advisable to store a large amount of bitcoins there.
8. Keep your fortune in "cold storage" - If you're serious about Bitcoin, the security procedures are long and complex - even Bitcoin admits that setting up an offline wallet, stored on CDs and USB sticks, is "tedious" and "not user friendly". Bitcoin says, "Because bitcoins are stored directly on your computer and because they are real money, the motivation for sophisticated and targeted attacks against your system is higher than in the pre-bitcoin era." Bitcoin's own procedure for creating an "offline" wallet, which never contacts the internet in plaintext form, is here. This procedure is also known as creating an "air gap" or "cold storage". Followed correctly, it provides protection from malware and cyber attacks - although not, of course, from traditional crimes such as extortion.
9. Still worried? Store them on paper - One safe - if extreme - way of ensuring Bitcoins don't fall into the hands of hackers is to store them on paper. Bitcoin says, "When generated securely and stored on paper, or other offline storage media, a paper wallet decreases the chances of your bitcoins being stolen by hackers, or computer viruses. With each entry on a paper wallet, you are securing a sequence of secret numbers that is used to prove your right to spend the bitcoins. This secret number, called a private key, is most commonly written as a sequence of fifty-one alphanumeric characters, beginning with a '5'." Be sure, though, your PC is clean before you print - the free software used to generate codes has been targeted by cybercriminals. Run a complete scan of your machine first, then keep AV software running as you print out.
Business basics

Data Security
1. Safeguard Data Privacy: Employees must understand that your privacy policy is a pledge to your customers that you will protect their information. Data should only be used in ways that will keep customer identity and the confidentiality of information secure. Of course, your employees and organizations must conform to all applicable laws and regulations.
2. Establish Password Management: A password policy should be established for all employees or temporary workers who will access corporate resources. In general, password complexity should be established according to the job functions and data security requirements. Passwords should never be shared.
3. Govern Internet Usage: Most people use the internet without a thought to the harm that can ensue. Employee misuse of the internet can place your company in an awkward, or even illegal, position. Establishing limits on employee internet usage in the workplace may help avoid these situations. Every organization should decide how employees can and should access the web. You want employees to be productive, and this may be the main concern for limiting internet usage, but security concerns should also dictate how internet guidelines are formulated.
4. Manage Email Usage: Many data breaches are a result of employee misuse of email that can result in the loss or theft of data and the accidental downloading of viruses or other malware. Clear standards should be established regarding use of emails, message content, encryption and file retention.
5. Govern and Manage Company-Owned Mobile Devices: When organizations provide mobile devices for their employees to use, a formal process should be implemented to help ensure that mobile devices are secure and used appropriately. Requiring employees to be responsible for protecting their devices from theft and requiring password protection in accordance with your password policy should be minimum requirements.
6. Establish an Approval Process for Employee-Owned Mobile Devices: With the increased capabilities of consumer devices, such as smartphones and tablets, it has become easy to interconnect these devices to company applications and infrastructure. Use of these devices to interconnect to company email, calendaring and other services can blur the lines between company controls and consumer controls. Employees who request and are approved to have access to company information via their personal devices should understand and accept the limitations and controls imposed by the company.
7. Govern Social Media: All users of social media need to be aware of the risks associated with social media networking. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. Active governance can help ensure employees speak within the parameters set by their company and follow data privacy best practices.
8. Oversee Software Copyright and Licensing: There are many good reasons for employees to comply with software copyright and licensing agreements. Organizations are obliged to adhere to the terms of software usage agreements and employees should be made aware of any usage restrictions. Also, employees should not download and use software that has not been reviewed and approved by the company.
9. Report Security Incidents: A procedure should be in place for employees or contractors to report malicious malware in the event it is inadvertently imported. All employees should know how to report incidents of malware and what steps to take to help mitigate damage.
Network Security
1. Set Clear Administrator Privileges. An important first step in providing security for your network is to establish and enforce administrator privileges, managing who has authorization to install software and change system configuration settings.
2. Secure Your Private Network. Many intranet or private networks consist of multiple local area networks (LANs) designed to connect your computers to resources, such as printers, servers and other applications. Trace department business functions from users' computers back to the physical servers that house their data. Your network design should allow users to have access to the information they need to do their job, without allowing them to access other non-job-related information.
3. Secure Endpoints by Configuring a Demilitarized Zone (DMZ). In network security, endpoint security refers to protection of the private network where it intersects with the public network. The common devices used at these endpoints to connect to the public network include mail servers to send and receive emails, web servers to host websites, and proxy servers to handle requests from clients seeking resources.
A common security configuration to protect these endpoints is a Demilitarized Zone (DMZ). A DMZ is a computer network with firewalls and other prevention systems inserted as a "neutral zone" between a company's private network and the outside public network. All incoming and outgoing communications pass through the firewall and intrusion detection and prevention systems prior to entering the private network.
4. Monitor the Network. You and your cybersecurity providers should implement network logging and monitoring strategies. These allow companies to monitor unauthorized data transfers and unauthorized attempts to access your private network. Detection systems should provide responsible parties with appropriate alerts and scheduled reports.
5. Maintain Firewalls. Firewalls are a fundamental network security solution. They are used to permit only appropriate traffic to enter and leave the private computer network. In addition to using firewalls to protect your private network from the Internet, firewalls installed within your private network can be used to segment the network into unique security domains supporting enhanced layers of defense.
6. Establish Intrusion Detection and Prevention Systems. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can work together with firewalls to analyze traffic to determine if it is legitimate. An IDS product will provide alerts on invalid traffic, while an IPS will block the traffic.
7. Protect Remote Access. If your employees are allowed access to your private network from remote networks, this access should only be through a firewall that protects your private network. Another option is to utilize a Virtual Private Network (VPN) that uses encryption and multi-factor authentication to provide greater security.
8. Isolate Guest Wireless Local Area Network (WLAN). If your company operates a wireless local area network (WLAN) for the use of customers, guests and visitors, it is important that it is kept separate from the main company network.
9. Use Encryption Programs. When used properly, encryption technologies can virtually prevent files, directories, or disks from falling into unauthorized hands.
10. Define and Practice Continuity Plans/Disaster Recovery. Once you have completed mapping and securing your network, assess any critical equipment or systems and evaluate the potential business impact if they should fail or are breached.
Security & Privacy Best Practices
Cybersecurity is a growing concern for organizations, regardless of size. While you can never fully take away the risk of an attack or breach, with some planning, due diligence, and regular review, you can take helpful steps to protect your entity in this important area.
Operations & Human Resources:
1. Educate Your Employees. Data breaches are often caused by employees - navigating to sites infected with malware, downloading infected attachments, and/or accessing Wi-Fi from an unsecure location. Educate your employees on your policies and why they are in place. Encourage them to frequently change passwords, and offer guidelines on creating secure passwords. As mobile devices become more and more prevalent, it is essential to also consider smartphones and tablets in your business cybersecurity plan. You will need to develop policies and controls around protecting data on employee devices (such as mandating a security lock) and also talk to employees about protecting any company data they may have on their phones or tablets.
2. Checking Account and Financial Statements. Review your checking account and financial statements for suspicious amounts or vendors. By keeping a regular pulse on the financial state of your business, you will be more likely to recognize fraudulent activity. These documents should be reviewed on a monthly basis.
3. Segregation of Duties. Regularly review your company's segregation of duties for any gaps, especially if there has been staff turnover in the accounting department. This issue is best dealt with as soon as an employee leaves, but you may find it helpful to set a regular review schedule to ensure that proper separation is maintained.
4. Technology Controls. When reviewing gaps from employee turnover, don't forget technology controls. Companies often forget to change access codes and passwords when an employee leaves, leaving their technology at risk. A regular review of policies and access levels will help to prevent security breaches.
5. Access Security - Disabling network access, disabling e-mail access, and deleting contact information from all company directories.
6. Data Security - Recovering all data from the desktop hard drive and notifying vendors so that this individual cannot place orders or incur obligations on behalf of the company.
Policies and Educational Processes.
Each year, companies should review their anti-fraud and whistleblower policies to ensure they are still effective for the company's current size and that they are serving their intended purpose. While these are general risk areas that affect every company, it is essential to understand your business' specific risks, which will depend on your size, structure and industry. Involve your Board of Directors, Audit Committee, or Certified Public Accountant as appropriate. Larger organizations may want to engage a Certified Fraud Examiner to help them review and develop the appropriate controls. A small time investment up front may just pay off by preventing costly occupational fraud.
1. Internal Controls and Policies. Just like you have internal controls for your financial processes, you need controls and policies around your IT assets, as well. Ensure that passwords are changed and access is removed for terminated employees as soon as possible, and limit employee access to sensitive data.
2. Develop and communicate clear policies for employees regarding what devices they can use, what types of programs/applications they can download, and how to securely access Wi-Fi when needed. Without clear, communicated policies around your company's IT, even the strongest controls will not do much to significantly decrease your organization's vulnerability.
Mobile Devices:
1. Implement a mobile device management program, requiring authentication to unlock a device, locking out a device after five failed attempts, using encrypted data communications/storage, and enabling the remote wiping of devices if a mobile device is lost or stolen.
2. Permit only authorized wireless devices to connect to your network, including point of sale terminals and credit card devices, and encrypt communications with wireless devices such as routers and printers. Keep all "guest" network access on separate servers and access devices with strong encryption such as WPA2 with AES encryption or use of an IPSec VPN.
Computers & Servers
1. Continuously monitor in real-time the security of your organization's infrastructure, including collecting and analyzing all network traffic in real time, and analyzing centralized logs (including firewall, IDS/IPS, VPN and AV) using log management tools, as well as reviewing network statistics. Identify anomalous activity, investigate, and revise your view of anomalous activity accordingly.
2. Deploy web application firewalls to detect/prevent common web attacks, such as cross-site scripting, SQL injection and directory traversal attacks. Review and mitigate the top 10 list of web application security risks identified by the Open Web Application Security Project (OWASP). If relying on third-party hosting services, require deployment of firewalls.
3. Harden client devices by deploying multilayered firewall protections (both client and WAN-based hardware firewalls), using up-to-date anti-virus software, disabling by default locally shared folders and removing default accounts. Enable automatic patch management for operating systems, applications (including mobile and web apps) and add-ons. All ports should be blocked to incoming traffic by default. Disable auto-running of removable media (e.g. USB drives, external drives, etc.). Whole disk encryption should be deployed on all laptops, mobile devices and systems hosting sensitive data.
4. Conduct regular penetration tests and vulnerability scans of your infrastructure in order to identify and mitigate vulnerabilities and thwart potential attack vectors. Regularly scan your cloud providers and look for potential vulnerability points and risks of data loss or theft. Deploy solutions to detect anomalous flows of data, which will help detect attackers staging data for exfiltration.
5. Implement Always On Secure Socket Layer (AOSSL) for all servers requiring login authentication and data collection. AOSSL helps prevent sniffing of data being transmitted between client devices, wireless access points and intermediaries.
6. Regularly Update Security Programs. Out-of-date antivirus software is almost as ineffective as not having one at all. Don't ignore those little pop-ups and reminders to download the latest update, and make sure your employees don't, either.
7. Review server certificates for vulnerabilities and risks of your domains being hijacked. Attackers often use "Domain Validated" (DV) SSL certificates to impersonate e-commerce websites and defraud consumers. Sites are recommended to upgrade from DV certificates to "Organizationally Validated" (OV) or "Extended Validation" (EV SSL) SSL certificates. OV and EV SSL certificates are validated by the Certificate Authority to ensure the identity of the applicant. EV SSL certificates offer the highest level of authentication and verification of a website. EV SSL provides users a higher level of assurance that the site owner is who they purport to be, presenting the user a green trust indicator in a browser's address bar.
8. Develop, test and continually refine a data breach response plan. Regularly review and improve the plan based upon changes in your organization's information technology, data collection and security posture. Take the time after an incident to conduct a post-mortem and make improvements to your plan. Conduct regular tabletop exercises testing your plan and personnel.
9. Backup your Data. Even with the right controls in place, your digital assets may still be compromised. It's important to back up your financial, legal, and client information on a regular basis. Set backup processes to run automatically so that they are not subject to human error (i.e. forgetfulness).
10. Be knowledgeable about the Cloud. Cloud-based storage offers a variety of benefits, especially for smaller entities that do not have internal IT staff. However, you are still responsible for your data when it is stored in the cloud, so make sure you fully understand where cloud-based data is stored (in the US or offshore) and your provider's liability to protect the data.
11. Enforce effective password management policies. Attacks against user credentials, including brute force, sniffing, host-based access and theft of password databases, remain very strong attack vectors warranting the use of effective password management controls. Best practices for password management include:
12. Use multi-factor authentication (e.g. one-time PINs) for access to administratively privileged accounts. Administrative privileges should be unique accounts, monitored for anomalous activity, and used only for administrative activities;
13. Require users to have a unique password for external vendor systems and refrain from reusing the same password for internal system and personal website logins;
14. Require strong passwords comprised of an 8-character minimum including a combination of alphanumeric characters, and force password changes every 90 days with limited reuse permitted;
15. Deploy a log-in abuse detection system monitoring connections, login counts, cookies, machine IDs, and other related data;
16. Avoid storing passwords unless absolutely necessary and only store passwords (and files) that are hashed with salt or are otherwise encrypted;
17. Remove or disable all default accounts from all devices and conduct regular audits to ensure that inactive accounts can no longer access your infrastructure;
18. Remove access immediately for any terminated employees or any third parties or vendors that no longer require access to your infrastructure.
19. Least privilege user access (LUA) is a core security strategy component, and all accounts should run with as few privileges and access levels as possible. LUA is widely recognized as an important design consideration in enhancing data security. It also provides protections against malicious behavior and system faults. For example, a user might have privileges to edit a specific document or email campaign, but lack permissions to download payroll data or access customer lists. Also, LUA controls help to minimize damages from exposed passwords or rogue employees.
Email
Require email authentication on all inbound and outbound mail streams to help detect malicious and deceptive emails including spear phishing and spoofed email. All organizations should:
1. Authenticate outbound mail with SPF and DKIM, including parked and delegated sub-domains;
2. Adopt a DMARC reject or quarantine policy once you have validated that you are authenticating all outbound mail streams;
3. Implement inbound email authentication checks for SPF, DKIM, and DMARC;
4. Encourage business partners to authenticate all email sent to your organization to help minimize the risk of receiving spear-phishing and spoofed emails;
5. Require end-to-end email authentication using SPF and DKIM with a DMARC reject or quarantine policy for all mail streams managed or hosted by third parties.
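Steps 1 and 2 above checked in code, as an added example that is not the handbook's: it parses a domain's DMARC and SPF TXT records and reports where they fall short of an enforcing (quarantine or reject) policy that also covers sub-domains and the whole mail stream. The records are constructed samples and no DNS lookup is performed.

```python
"""Assess published SPF and DMARC records against the guidance above: DMARC
policy must be quarantine or reject (not monitor-only 'none'), cover sub-domains,
apply to the whole stream (pct=100) and collect aggregate reports; SPF should end
with a hard fail and stay within the lookup limit. Added example; records are constructed."""

# Constructed sample TXT records, as DNS would return them for <domain> (SPF)
# and _dmarc.<domain> (DMARC). No network lookup is performed.
SAMPLE_RECORDS = {
    "example.com": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100",
    },
    "example.org": {  # monitor-only policy and SPF soft fail: spoofed mail is not blocked
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    },
}

ENFORCING = ("quarantine", "reject")
# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split a DMARC record ('tag=value; tag=value') into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings for a DMARC record; an empty list means it meets the guidance."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: domain policy does not enforce")
    # sp= defaults to p= when absent; parked and delegated sub-domains are only
    # protected if the effective sub-domain policy enforces.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy}: sub-domain policy does not enforce")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if not tags.get("rua"):
        findings.append("rua missing: no aggregate reports to validate the mail streams")
    return findings


def assess_spf(record):
    """Return findings for an SPF record: hard fail at the end and lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    if terms[-1].lower() != "-all":
        findings.append(f"record ends with '{terms[-1]}' instead of '-all' (hard fail)")
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower()          # strip the qualifier
        name = name.split(":")[0].split("/")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Assess one domain's records; returns {'spf': [...], 'dmarc': [...]}."""
    recs = records[domain]
    return {"spf": assess_spf(recs["spf"]), "dmarc": assess_dmarc(recs["dmarc"])}


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, assess_domain(name))
```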
Spear phishing risks
One of the most sophisticated types of phishing attacks is called spear phishing. This is when a hacker will target a specific group or organization and will tailor their attacks to make them look relevant to the recipient. Hackers will carry out these types of attacks in order to gain access to sensitive corporate data, and because the emails they send will look genuine they can often be very successful.
However, despite these worrying statistics there are a number of steps which can help to identify potential phishing emails. When receiving emails, users should look at the following:
1. Do you know the sender, and is the email address one you would expect them to use? An email purporting to be from your CEO, but sent from a Gmail account, should always ring alarm bells.
2. Are you expecting a message from the person? Does the email look suspicious? Does the link look genuine?
3. The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user's emotional response (fear, curiosity or reward), and emails that evoke strong emotions such as these should be considered triggers.
4. Is the email specific? Does it make sense? Although criminals have a lot of information about individuals, they will still keep messages generic to pique your interest and make you take action.
5. And of course, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.
Phishing is one of the most common attack methods for cyber-criminals; however, an effective training program and user awareness will minimize the risk of employees falling victim. Once employees know what to look for they will be able to quickly identify any potential phishing emails and report them before any damage is done.
Car security
Car security measures are very important because cars very often get stolen and broken into, and more often than not, wallets, passports or IDs get stolen from the car. Thieves are most likely after cash or valuable objects like jewelry, watches, laptop computers and sunglasses when they break into cars.
If thieves accidentally come across your checkbook, wallet, phone, passport, or any other valuable item in your car during their adventures, they may think of committing a different kind of crime: identity theft. Although their initial motive might have been breaking into your car to steal cash and other valuables, or stealing your car for its parts, the thieves may not forgive you for leaving parts of your identity components in the car. They will write as many checks and take as much cash as they can from your bank account, until you report the loss of your checkbook or lost cards to the bank. They may even go shopping or call their cousins overseas and run you a 4-digit phone bill from your friendly wireless service provider.
1. Don't leave your valuables in the car for a long and extended period of time. If you have to make short trips to make copies, take all the important documents and objects with you, or just leave them for a very short period of time to reduce your risks. Never leave documents, purses or wallets in the car. The trunk isn't a safe place either; thieves always check here.
2. Park your car in a secure, monitored, and private parking lot, away from visibility. Park your car in a parking garage equipped with security systems and an on-site security attendant. Usually, private and smaller parking facilities provide better security.
3. Don't park your car in such parking places as long-term airport parking. Such places are hardly ever monitored, and thieves know that these long-term parking lots provide the best opportunity since the car owners are not coming back any time soon. Empty your car of all important contents when you park your car in the long-term airport parking.
4. Park your car in a well-lit area. This will make their working conditions a little more difficult and challenging, since they have to be very careful not to be seen.
5. Park your car in a busy area. Don't park it in an isolated area where there is no car or foot traffic, in order to deter thieves. Again, you will make their life more difficult and their working conditions challenging.
6. Install a car security system in your car. Make sure it is an electronic sound alarm, which may discourage the thieves from further searching the car. A manual wheel lock may prevent them from stealing the car but will not discourage them from searching your car and stealing valuables. Use multiple warning devices, such as car alarms, steering wheel locks and gear-shift locks.
7. Help authorities. Consider etching your Vehicle Identification Number (VIN) on windows and engine parts so authorities can ID a car if it's stolen.
8. Use technology. Install GPS and immobilization devices; this includes smart keys and kill switches.
Children & teens
As the definition of "privacy" changes in the modern age, it's more important than ever to ensure your child is posting safely and responsibly on social networks.
These days, kids are glued to their social media. Whether using Twitter, Instagram, Snapchat or Facebook on a smartphone from the high school cafeteria, the younger generation is in constant communication with their peers. That's why addressing the issue of privacy on social media should be a priority of all parents.
This also means kids need to understand how to behave appropriately and know what information is OK to share. With the threats of online predators, hackers, or cyberbullies being very real and very relevant, it's important to prevent them from accessing your child's personal information, including phone number, home or email address, or personal photos, for malicious reasons. Review the following issues with your child to ensure they know what is and isn't OK on their social media profile.
1. Everything you share is permanent. Anything you post online can potentially live on the Internet permanently. Even when you delete a photo or message, it can be screen-captured, copied, forwarded, shared, or stored on other people's computers. Therefore, you must carefully consider everything you post.
2. Don't share personal information. This means don't post your phone number, email address, home address, or "tag" your city of residence on sites that allow you to do so, such as Facebook. Also don't share information about your school or schedule.
3. Only communicate with people you know. Your social networks should be comprised of people you know personally. If a stranger contacts you trying to get personal information, details about where you go to school, etc., let an adult know.
4. Carefully select the photos you post. It's best to have a profile photo that isn't a photo of you (which can attract unwanted attention). Ask a parent to approve all photos you post, and carefully consider what you would want your friends to see. Remember, too, that any photo you post could also be altered to embarrass you or make you look bad.
5. Do not share mean posts or pictures about other people. If you see a mean comment, forward, tweet, or other social media communication, you should never share it with your friends. This is cruel behavior and can be legally unsafe for both you and the person who shared it.
6. Make an appropriate screen name. If your social media site requires you to make a screen name, make one that doesn't personally identify you, and make it appropriate.
7. Report anything that makes you uncomfortable. If someone is making you uncomfortable or hurting your feelings via social media, report it to your parents.
8. Social networking is not a bad thing. The American Psychological Association, for instance, points out that shy teens and pre-teens can better learn how to socialize behind the safety of computer screens and mobile devices. But if your child accidentally exposes too much of his or her personal information, they could be asking for serious trouble.
Here are some safety tips to help you think about online safety for your family.
1. Use the Internet with your kids. While you're spending time with them, you can help them to be safe and responsible online.
2. Learn about the technology together, ask lots of questions, and don't be intimidated if it seems like your kids have a better understanding of the technology than you. Remember, it's your family, and you have the power and responsibility to keep an eye on what your kids are doing.
3. Teach kids never to give their personal information to people they meet online, especially in chat rooms and on bulletin boards. If you have a family website with your children's pictures up, don't include information like where they go to school, where you live, your phone number, or any other personally identifiable information; that's giving personal information out every bit as much as sending an e-mail or talking to someone in a chat room.
4. Instruct your child never to plan a face-to-face meeting with online acquaintances, and to notify you if they are approached for an offline meeting.
5. Establish clear ground rules for Internet use for your family. Think about signing a contract with your children that reflects those rules. Learn about the different parental control tools, protective software, and controlled access options that are available, and decide which, if any, are best for your needs.
6. Tell your children not to respond if they receive offensive or dangerous e-mail, chat requests, or other communications, and to leave if they go to a website that makes them uncomfortable. Also tell them to show you anything they receive that makes them uncomfortable. Assuring them that you won't be angry with them and that they are not to blame can help you to develop a trusting, open relationship.
7. If you become worried that your child or another child is in danger, don't hesitate to contact the authorities.
What You Really Need to Know
Q. Who is in control of my young child's personal information online?
A. You are in control of your young child's personal information.
Q. How will I know if a Web site is collecting personal information from my child under 13 years old?
A. Web sites wishing to collect personal information about your children will seek you out and let you decide whether or not they may collect, use and/or share that information.
Q. How will they notify me?
A. Web sites will try to email you to seek your permission. If your child tries to provide information about him or herself, the site will ask them for your contact information and use that information to seek your permission.
Q. How do I prove/verify that I am my child's parent?
A. Web sites will ask you to verify that you are the parent in several possible ways. Some will ask that you call a toll-free phone number and speak with a trained operator who will verify that you are the parent. Some sites will ask you to send a note via postal mail or via fax. The Web site may also seek credit card information to prove that you are the parent.
Q. How do I know if a Web site will respect my child's privacy?
A. Proactively surf with your children and familiarize yourself with the Web sites they most like to visit. First, look to see if there is a privacy policy posted on the Web site; it should be easy to find. Next, read the policy and ask yourself if the Web site shares your child's information with others outside of the company.
4 Tips To Prevent Cyberbullying
1. Be a proactive parent
Cyberbullying is, and should be, a major concern for parents. Doing what you can to prevent your child from being a perpetrator or victim is paramount.
2. Define what cyberbullying is
Talk to your child about what cyberbullying behavior is. The Cyberbullying Research Center defines cyberbullying as "willful and repeated harm inflicted through the use of computers, cell phones, and other electronic devices." However, it is not limited to that. Your child may be participating in cyberbullying unknowingly. Things like forwarding a hurtful message or taking inappropriate photos of someone can also be considered cyberbullying (and, more importantly, make your child legally liable). Ensure your children know what this behavior is and that they do not participate.
3. Keep an eye out for telltale signs
Though you may encourage communication, your child may feel uncomfortable talking about their cyberbullying problems for reasons such as fear, insecurity, or shame. Marie Newman, co-author of the book When Your Child Is Being Bullied: Real Solutions, lists behaviors that may be symptoms of a child who has been a victim of cyberbullying.
- Your child suddenly spends much more, or much less, time social networking, or asks to have a social media account shut down.
- After texting or being online, your child seems withdrawn, upset, or outraged.
- Your child suddenly avoids formerly enjoyable social situations.
- Your child blocks a number or an email address from their account.
- Many new phone numbers, texts, or email addresses show up on your child's phone, laptop, or tablet.
If you notice any of these behaviors, gently address the subject with your child, offering your love and support.
4. Encourage your community to take action
Be a role model for your own child, and encourage others to follow suit. The Bully Project encourages individuals to mobilize their communities and take a stand against bullying by uniting students, teachers, parents, and the community at large. You can review a toolkit and resources for anti-bullying advocates, and encourage dialogue within your community.
Preventing your child from becoming a victim or perpetrator of cyberbullying is in your hands. Therefore, you should always encourage an open dialogue about this important issue.
Children's Online Privacy Protection Act
The primary goal of the Children's Online Privacy Protection Act (COPPA) Rule is to give parents control over what information is collected from their children online and how such information may be used.
The Rule applies to:
1. Operators of commercial Web sites and online services directed to children under 13 that collect personal information from them;
2. Operators of general audience sites that knowingly collect personal information from children under 13; and
3. Operators of general audience sites that have a separate children's area and that collect personal information from children under 13.
The Rule requires operators to:
1. Post a privacy policy on the home page of the Web site and link to the privacy policy on every page where personal information is collected.
2. Provide notice about the site's information collection practices to parents and obtain verifiable parental consent before collecting personal information from children.
3. Give parents a choice as to whether their child's personal information will be disclosed to third parties.
4. Provide parents access to their child's personal information and the opportunity to delete the child's personal information and opt out of future collection or use of the information.
5. Not condition a child's participation in a game, contest or other activity on the child's disclosing more personal information than is reasonably necessary to participate in that activity.
6. Maintain the confidentiality, security and integrity of personal information collected from children.
In order to encourage active industry self-regulation, COPPA also includes a safe harbor provision allowing industry groups and others to request Commission approval of self-regulatory guidelines to govern participating Web sites' compliance with the Rule.
Kaspersky Lab provides a great resource for children and teen safety. Visit their site at https://kids.kaspersky.com
Cloud safety
What is cloud computing?
In simple terms, cloud computing is a method of storing files and data in a centralized network that can be reached from anywhere and by any type of device. This includes mobile phones, tablets, laptops and desktops. The notion of the "cloud" comes from the fact that this data is placed in a network where, say, someone in NYC could access it as well as someone in California.
Many people use cloud-based computer services and they don't even know it. Consumers access and share information using remote server networks whenever they log on to social networks, like LinkedIn or Facebook, edit photos on Flickr, blog with WordPress, or create files using Google Docs. These are examples of cloud computing, which, simply defined, is how we store and share data, applications and computing power on the Internet.
Is it safe?
While there are so many advantages from using the cloud to store your data, of course there's the question of safety and security. Primarily, the method of cloud computing is an extremely safe way to store data. Most companies have a system in place with their own firewalls and anti-virus software to protect their data stored on the premises. The issue comes about when computing is outsourced, and the control over security is no longer in your hands.
Here are some tips to protect your data in the cloud:
1. Look for a Secure Web Address: Before shopping online or giving any sort of personal information, look at the URL; if the website is secure connection enabled, it will have an 's' after the 'http' portion of the URL. An 'https' URL tells you the website has an SSL certificate, meaning your information is encrypted as it travels across the internet.
2. Don't Provide Personal Information: Don't put anything in the cloud you would not want others to see, especially the government or a private litigant. A credible website will never need sensitive personal information, like your social security, PIN, or bank account numbers. If a site you don't trust asks you for anything personal, don't trust it! It could be a phishing scam trying to gain access to your personal information. Pay close attention if the cloud provider reserves rights to use, disclose, or make public your information.
3. Create Strong Passwords: Make long passwords with at least eight or more characters. For added security, include punctuation, symbols and a mix of upper and lower case letters. Don't ever use the same password for all of your accounts, and change them at least once a month.
4. Be Wary of Downloads: Don't ever download a file from a website you don't trust. There are many malicious websites out there which let you download corrupted files with viruses and trojans that can infect your computer and steal your personal information.
5. Check for Site Updates: Credible websites are updated often with security measures. Look around to see when the site was last updated. If it's been more than a couple of months, you might not trust the site.
6. Look for Contact Information: If you're thinking about purchasing something from a website, look for the company's contact information, including a physical address and a telephone number. This information is usually in the website's footer. Don't assume that a phone number is real; always call and ask questions to make sure the company is legitimate.
7. Read the Privacy Policy: Read the privacy policy before placing your information in the cloud. If you don't understand the policy, consider using a different provider. Also make sure that the cloud provider gives advance notice of any change in the terms of service or privacy policy. Read the Terms of Service before placing any information in the cloud. If you don't understand the Terms of Service, consider using a different cloud provider.
8. Leaving the Cloud: Know exactly what happens when you remove your data from the cloud provider. Does the cloud provider still retain rights to your information? If so, consider whether that makes a difference to you.
9. Delete Cookies Often: Cookies are small files designed to track your web activity. When you enter information into a site, such as a username and password, the site uses cookies to remember your information so you don't have to enter it the next time you visit. Hackers can use cookies to gain access to your accounts, so you should delete them often. Deleting cookies differs depending on which browser you use, but the option is usually found in your browser's privacy settings.
College Students
In order for a thief to steal a college student's identity, they must first obtain the necessary information which allows them to "become" the college student, at least in the eyes of lending institutions and other financial companies. How easy this task is depends on how vigilant a student is about protecting their personal information.
1. Pre-approved credit offers monthly. Those mass-mailed forms, usually partially filled out with the recipient's information such as name, address, and other personal data, are a fantastic opportunity to steal a person's identity. If the recipient is not interested in the offer and simply throws away the form, it becomes one of the most common documents used by identity thieves. By picking the offer out of the trash can, the thief can then fill in the rest of the blanks and send it in, or simply call the toll-free phone number provided on the form, allowing them near-instant access to one aspect of the victim's identity.
2. Bank Accounts. Another manner in which identity theft occurs is when thieves get their hands on personal banking account information, such as a checking or savings account statement. Anyone who does not balance their account is at risk of incurring fraudulent charges, simply because they do not keep track of what charges are legitimate. Often, the thief steals by withdrawing money in small increments, not enough to stand out as a glaring error to the casual observer but enough to build up to a large amount over time.
3. Social Security Number. Another danger to college students is their Social Security Number. Many college courses require a student to use their Social Security Number to log in to websites used to post homework assignments and other course communications. The university may also use that number as an identifying number in the administration office. It is very easy to forget to exercise caution when using a Social Security Number, particularly when it is used so often. Lax computer security, or even something as simple as a criminal watching a student enter the number, allows a thief to quickly and easily gain access to the Social Security Number, which is the key to obtaining additional information about an individual.
4. Computers/Laptops/Tablets. Computers and laptops also pose a threat that many students don't think about. Many students use a laptop every day in class to take notes and organize coursework documents. But what if that computer is stolen? What would a thief find inside? Most students in today's world use their computers to access online banking, pay bills, order merchandise, and communicate in just about every other aspect of their lives, too. If personal and account information is stored on the hard drive, the thief has instant access to the very information that makes it possible for them to assume the student's identity. Of course, students also shouldn't overlook one of the most common ways to steal someone's identity: stealing a wallet, purse, or backpack. This can even occur in the student's dorm room, particularly if parties or unfamiliar guests are common, and they usually are in college dorms. Students should exercise the same security at home as in any unfamiliar environment.
How students can protect against identity theft.
1. Lock your door. This is the single most important way to keep your computers secure.
2. Don't assume your desktop computer is safe. Invest in some inexpensive cables designed to tether the CPU to something immovable in the room.
3. Use password protection. Adjust your computer settings to prompt for a password any time the computer is used. Change that password from time to time.
4. Don't reveal too much. Social networking sites may ask for your birth date, but birth dates are a boon to identity thieves. Likewise, do not reveal any other personal info on these public sites, or in response to any e-mail requests for your Social Security number, credit card numbers, or other data, even if it's from a familiar-sounding company. Always err on the side of caution. For example, if you receive an e-mail that says it's PayPal and wants to verify your credit card number, call PayPal directly from the number listed on its Web site, NOT from any information in that email. If you simply send your credit card number in response to that e-mail, you could find yourself stuck with a maxed-out credit card and a host of negative credit report problems.
5. Keep thorough records. If your laptop is stolen, can you provide a full description for the police? Write down your computer's make, model, color and, most importantly, the unique serial number, which acts as a key identifier, much like the vehicle identification number (VIN) on a car. You might also need this information in case you want to file an insurance claim.
6. Install a tracking device. Use a GPS tracking device that runs invisibly on the computer to relocate the stolen property.
7. Use a multi-layered security approach. Consider software that provides permanent tagging, GPS tracking, covert data recovery, remote data deletion, stolen property tracing, and property registration.
8. Start shredding. Search and preview the personal data (both your data and anyone else's data that might be on your computer), including credit card numbers, Social Security number(s), birth dates, tax returns and financial aid documents, on your computer. You then have the option to digitally shred, encrypt, or redact that information, depending on your needs. Students can also find free digital shredder software online.
9. Contact your college's IT department about network security. Many colleges provide security software or other services free to their students. Before you purchase a specific computer protection system, check with the IT department of the college to ensure that system is compatible with the college's network, or you'll be tossing money out the window.
Crimes that target college students
1. The tuition scam. The fraudster calls or emails a student, claiming to be from the college admissions department. Sometimes the crook spoofs IDs to make it look like he's coming from a legitimate organization. The scammer claims the student's tuition fee is late and claims the student will be immediately dropped from classes if a payment isn't made immediately by credit card. Students need to hang up immediately on such calls and contact the college's admissions department directly.
2. Bad behavior. Students are notorious for their hard-partying, free-spirited lifestyles in college. But behind every smartphone is a camera that can photograph and videotape embarrassing indiscretions, which can later be used against the student to extort money. There are people who will pretend to like you but are actually setting you up for blackmail. Students should think twice about their actions while at college, especially if they're drinking.
3. Fake credit cards. Some credit card offers are fake, aimed at getting naïve students to hand over personal information, or at luring them to sites that have malware or add malicious software to the student's computer. The credit card world is laden with scams, and college students, being new to the credit game, are particularly susceptible. Be wary of signing up for cards from issuers you're not familiar with, and not only credit cards, but prepaid debit as well. You risk the chance of relaying information to a phony lender and potential identity thief. And even if the card is actually available and functioning, you need to be exceedingly cautious about hidden fees and unreasonable rates. Know what to expect from a credit card. If you see an APR of 25% or more, or an annual fee of $30 or more, you should be concerned.
4. Passwords. Everyone knows they should never use simple or easy-to-guess passwords on email accounts or other sites and never use the same password on multiple sites. But students need to be particularly savvy about where they store those passwords, as leaving them on smartphones and laptops in college dorms makes them vulnerable to theft.
5. Advance Fees. If someone offers to find a student a loan, job, scholarship or other service for a "fee," it's likely a scam. This is particularly true if the scammer says a "scholarship is guaranteed or your money back" or claims "you can't get this information anywhere else" or insists on a credit card to "hold" the scholarship. In general, the higher the fee, the more suspicious the person should be.
6. Online books. Never buy books online without first checking out reviews or talking to friends to validate the site or seller. Books are drastically discounted in this con. Thieves steal your credit card information when you submit your order online, and the books you order are never delivered. Remember to make online purchases only through a reputable, secured website.
7. Non-existent Apartments. Never agree to rent an apartment without seeing it first, both inside and outside, and meeting with the landlord. This scam is simple: offer a great apartment, collect rent or a deposit over the phone for a place you don't own, and then disappear.
8. Check cashing. In this scam, a "friend" asks the student to cash a check for him, and might even offer to let the student keep some of the cash for the trouble. Once the check is deposited, it bounces, and the student is out both the money and a returned check fee.
9. Wi-Fi. College students, more than anyone, spend mountains of time online via Wi-Fi at coffee shops, restaurants and parks. Hackers and thieves prey on them by setting up an alternative Wi-Fi site, often dubbed a "man in the middle" site, that looks similar to the main site but is actually a scammer trying to get students to connect to their site, where they steal a person's information.
10. Social security number. Never give out a Social Security number. Students are often too trusting and open, and geared toward answering questions and providing information. If someone's credit card is stolen, it can be canceled and a new card issued. But if a Social Security number is stolen, the repercussions can last a lifetime. When a scammer gains access to your social security number, they have an option on your life and you have to look over your shoulder for the rest of your life.
11. Spear phishing. Emails are being sent to university employees that appear to be from their employer. The e-mail contains a link and claims some type of issue has arisen requiring them to enter their log-in credentials. Once employees provide their username and password, the perpetrator accesses the university's computer system to redirect the employees' payroll allocation to another bank account. The university employees' payroll allocations are being deposited into students' accounts. These students were hired through online advertisements for work-at-home jobs, and provided their bank account information to the perpetrators to receive payment for the work they performed.
12. Check fraud. Scammers are posting online advertisements soliciting college students for administrative positions in which they would receive checks via the mail or e-mail. Students are directed to deposit the checks into their accounts, and then print checks and/or wire money to an individual. Students are never asked to provide their bank account information to the perpetrators.
13. Data Breaches. Some universities have been victims of intrusions, resulting in the perpetrators being able to access university databases containing information on their employees and students.
14. Mystery shopping. Students receive emails or promotions for a website where they can register to become a secret shopper. Once signed up, they're then told they must pay a fee for more program information to continue the application process. Never pay money up front for a job. Legitimate job offers will not require payment. If you are interested in this type of work, you can search through legitimate assignments at the Mystery Shopping Providers Association (MSPA) website at www.mysteryshop.org.
15. Address farming. Thieves target large groups of students in this scam. They promise members of Greek organizations, and other types of clubs, discounted interest rates on credit cards or other services, all of which are bogus. In turn, scammers require group members to provide their addresses and personal information, enabling them to steal students' identities.
16. Fake credit card applications. Thieves mix in with representatives of legitimate credit card companies who are on campus handing out credit card applications. The thieves collect applications you've filled out, then steal your information so they can rip you off on your new credit card. Typically, they skim off your card slowly each month, relying on the fact that most students usually don't read their statements. You can avoid this scam by applying for a credit card only through a known entity such as your bank or credit union.
17. Student loan and scholarship scams. Crooks ask students for an advance fee in order to secure their student loans. The requested amount can be 3 to 4 percent of the loan. Or, they make up a fee in order for students to apply for a scholarship. Don't fall for these scams. Legitimate student loan agencies and scholarship providers never ask for money up front.
18. Social media scams. One technique involves scammers setting up fake pages for universities and reaching out to the college's students to acquire e-mail addresses. Phony pages and profiles are created to harvest personal information. In its most innocuous incarnation, this sort of scam means an inbox full of spam. In its most hostile form, social media fraud can result in identity theft. To avoid these scams, add only friends you know, limit the information you post online, and be wary of invitations to "like" pages.
Computers
InternetSafety
1. Neveropensuspiciousfiles.Assumethatanyfileyoureceivemaybepotentiallyinfected,even
ifyouknowthesenderwell.Viruses,spywareandothermaliciouscodetypicallyoriginate
fromaninfectedPCanditsaddressbook,thusitwillmostlikelycomefromfamily,friends,or
businessassociates.Whenworkingwithyouremail,browsingwebsites,orchattingviaan
InstantMessenger,donotacceptanyunsolicitedfilesfromanyonesincetheycouldcontain
maliciouscode.
2. Clicking Unknown Links. Avoid going to any URLs in email messages that may be questionable. Hackers often infect web pages with malicious code, so do not visit any website that you are not familiar with.
3. Anti Virus. Always keep your anti-virus, anti-spyware, and firewall protection up to date. New threats emerge regularly, so it is critical that you keep your protective software and firewall technology current. In addition, scan your system monthly with the settings recommended by your Internet security provider.
4. Restrict Administrative Privileges. It is important to make sure that all employees have a level of administrative access equal to their job responsibilities. This includes not allowing employees to install software, music files, games, etc., as well as restricting access to external services such as webmail and remote control services. These types of restrictions will help protect your organization from spyware such as keystroke logging.
5. Your Operating System. Keep your operating system and your application software patches up to date. In order to prevent being infected by malicious code, keep the software patches up to date for your operating system, e.g.: Windows, Linux, Apple, as well as for your applications, e.g.: Internet Explorer, Firefox and Safari.
6. Stay informed and educated. It is important that not only your IT department stays up to date on the latest threats but that your employees and your business customers are also advised of them and that you educate them about the techniques of "safe computing." Internet security providers release formal alerts on the latest threats and vulnerabilities and how to protect against them.
7. Spam. Spammers scan the internet to find computers that aren't protected by security software, and then install bad software - known as "malware" - through those "open doors." That's one reason why up-to-date security software is critical. Malware may be hidden in free software applications. It can be appealing to download free software like games, file-sharing programs, customized toolbars, and the like. But sometimes just visiting a website or downloading files may cause a "drive-by download," which could turn your computer into a "bot." Spammers can also take over your computer by sending you an email with attachments, links or images which, if you click on or open them, install hidden software. Be cautious about opening any attachments or downloading files from emails you receive. Don't open an email attachment - even if it looks like it's from a friend or coworker - unless you are expecting it or know what it contains. If you send an email with an attached file, include a text message explaining what it is.
8. Don't Let Your Computer Become Part of a "Bot Net." Some spammers search the internet for unprotected computers they can control and use anonymously to send spam, turning them into a robot network, known as a "botnet." Also known as a "zombie army," a botnet is made up of many thousands of home computers sending emails by the millions. Most spam is sent remotely this way; millions of home computers are part of botnets.
Use Security Software That Updates Automatically
The bad guys constantly develop new ways to attack your computer, so your security software must be up-to-date to protect against the latest threats. Most security software can update automatically; set yours to do so. Also, set your operating system and web browser to update automatically. If you let your operating system, web browser, or security software get out-of-date, criminals could sneak their bad programs - malware - onto your computer and use it to secretly break into other computers, send spam, or spy on your online activities. Don't buy security software in response to unexpected pop-up messages or emails, especially messages that claim to have scanned your computer and found malware. Scammers send messages like these to try to get you to buy worthless software, or worse, to "break and enter" your computer.
Treat Your Personal Information Like Cash
Don't hand it out to just anyone. Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. So every time you are asked for your personal information - whether in a web form, an email, a text, or a phone message - think about whether you can really trust the request. In an effort to steal your information, scammers will do everything they can to appear trustworthy. Learn more about scammers who phish for your personal information.
Check Out Companies to Find out Who You're Really Dealing With
When you're online, a little research can save you a lot of money. If you see an ad or an offer that looks good to you, take a moment to check out the company behind it. Type the company or product name into your favorite search engine with terms like "review," "complaint," or "scam." If you find bad reviews, you'll have to decide if the offer is worth the risk. If you can't find contact information for the company, take your business elsewhere. Don't assume that an ad you see on a reputable site is trustworthy. The fact that a site features an ad for another site doesn't mean that it endorses the advertised site, or is even familiar with it.
Give Personal Information Over Encrypted Websites Only
If you're shopping or banking online, stick to sites that use encryption to protect your information as it travels from your computer to their server. To determine if a website is encrypted, look for https at the beginning of the web address (the "s" is for secure). Some websites use encryption only on the sign-in page, but if any part of your session isn't encrypted, the entire account could be vulnerable. Look for https on every page of the site you're on, not just where you sign in.
Protect Your Passwords
Here are a few principles for creating strong passwords and keeping them safe:
1. The longer the password, the tougher it is to crack. Use at least 10 characters; 12 is ideal for most home users.
2. Mix letters, numbers, and special characters. Try to be unpredictable - don't use your name, birthdate, or common words.
3. Don't use the same password for many accounts. If it's stolen from you - or from one of the companies with which you do business - it can be used to take over all your accounts.
4. Don't share passwords on the phone, in texts or by email. Legitimate companies will not send you messages asking for your password. If you get such a message, it's probably a scam.
5. Keep your passwords in a secure place, out of plain sight.
Learn How To Create A Strong Password: fraudsmarts.com/password
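As an added illustration (this is not code from the handbook), the following Python script turns principles 1 to 3 above into checks you can run against your own passwords: it flags passwords shorter than 10 characters (with 12 as the ideal), passwords that do not mix letters, numbers and special characters, passwords containing common words or personal details you supply (name, birthdate), and one password reused across several accounts. The COMMON_WORDS list and the SAMPLE_ACCOUNTS data are constructed for the demonstration; a real deployment would load a breached-password list instead of the short denylist.

```python
"""Password hygiene checks matching the handbook's first three principles.

Added example, not part of the original handbook. COMMON_WORDS and
SAMPLE_ACCOUNTS are constructed for illustration only.
"""
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 10      # principle 1: at least 10 characters
IDEAL_LENGTH = 12    # principle 1: 12 is ideal for most home users

# Constructed short denylist; a real check would load a breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou", "admin"}


def character_classes(pw):
    """Report which of the four character classes appear in the password."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }


def evaluate_password(pw, personal_tokens=()):
    """Return a list of findings; an empty list means the password passes.

    personal_tokens: strings such as the user's name or birthdate that the
    handbook says must not appear in the password (principle 2).
    """
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short: {len(pw)} chars, need at least {MIN_LENGTH}")
    elif len(pw) < IDEAL_LENGTH:
        findings.append(f"acceptable length, but {IDEAL_LENGTH}+ is ideal")
    if sum(character_classes(pw).values()) < 3:
        findings.append("mix letters, numbers and special characters")
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            findings.append(f"contains common word '{word}'")
    # Compare with punctuation removed so "1985-04-12" still matches "19850412".
    stripped = re.sub(r"\W", "", lowered)
    for token in personal_tokens:
        t = re.sub(r"\W", "", token.lower())
        if len(t) >= 3 and t in stripped:
            findings.append(f"contains personal information '{token}'")
    return findings


def find_reused(account_passwords):
    """Group accounts that share one password (principle 3).

    account_passwords maps account name -> password. Passwords are compared
    by SHA-256 digest so the grouping key is never the plaintext itself.
    """
    groups = defaultdict(list)
    for account, pw in account_passwords.items():
        groups[hashlib.sha256(pw.encode()).hexdigest()].append(account)
    return [sorted(accts) for accts in groups.values() if len(accts) > 1]


SAMPLE_ACCOUNTS = {  # constructed sample data
    "bank": "Sunny19850412!",
    "email": "correct-Horse-battery-9",
    "shop": "Sunny19850412!",
}

if __name__ == "__main__":
    personal = ["Alex Rivera", "1985-04-12"]  # constructed name and birthdate
    for acct, pw in SAMPLE_ACCOUNTS.items():
        print(acct, evaluate_password(pw, personal_tokens=personal) or "OK")
    print("reused across:", find_reused(SAMPLE_ACCOUNTS))
```

The reuse check hashes each password before grouping so that a list of plaintext passwords is never built; the same idea scales to checking a password manager export.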
Back Up Your Files
No system is completely secure. Copy important files onto a removable disc or an external hard drive, and store it in a safe place. If your computer is compromised, you'll still have access to your files.
Web Browser Security:
One of the most critical points of entry to your computer or gadgets is your Web browser. Unfortunately, your Web browser can have hundreds of security holes that hackers can, and do, exploit. Maybe your browser isn't updating, or perhaps you have add-ons or plug-ins installed that have their own security holes.
1. KEEP BROWSER UP TO DATE
One of the easiest ways to keep hackers away is to make sure your Web browser is up to date. A lot of times, browsers like Microsoft's Edge, Mozilla's Firefox and Google Chrome issue patches and fixes for bugs they know about. Typically, they get most of them before hackers can have a field day exploiting vulnerabilities.
Fortunately, most browsers these days are automatically updated. For instance, if you installed Microsoft's new Windows 10 operating system, its default setting is to automatically update your software and issue patches, including for its Edge browser.
Firefox and Chrome also have default settings for automatic updates. You just need to restart them occasionally for the latest updates to install. If you're not sure if you're set up for automatic updates, here's how to check:
Chrome: Google Chrome updates automatically, and turning that off isn't easy. That's good. But to make absolutely sure you've got the latest version, you can click on the Menu icon (little box with three horizontal lines in the upper right corner of your page). Choose "Help and About," then "About Google Chrome."
If you need to change the update settings, go to Menu >> Settings, and then click the "Show Advanced Settings" link. Click or un-click "Protect You and Your Device From Dangerous Sites" to turn automatic updates on or off.
Edge: If you're using Windows 10, go to Start >> Settings, then click "Update & Security." Windows Update should say your device is up to date. If it's not, choose "Advanced Options," then "Choose How Updates Are Installed" and select "Automatic (recommended)."
Internet Explorer: In Windows 8, using a mouse, right-click in the lower right corner of the screen and choose "Control Panel." If you're using a touchscreen, swipe from the right of the screen and tap "Settings," then "Control Panel." In Windows 7 and Vista, go to Start >> Control Panel.
In Control Panel, click "System and Security." Under "Windows Update," choose "Turn Automatic Updating On Or Off." Choose "Install Updates Automatically" from the drop-down menu.
Firefox: Click the Menu icon (far upper right-hand corner; it's three horizontal lines) and choose "Options" and then "Advanced" in the left-hand column. Select the "Update" tab on the right, and under "Firefox Updates," make sure "Automatically Install Updates (Recommended: Improved Security)" is selected.
2. UNINSTALL UNNEEDED PLUG-INS
Even if your browser itself is secure, it might have third-party plug-ins that aren't.
Flash isn't the only plug-in to keep an eye on, though. You might also have Microsoft Silverlight, Unity or a toolbar that you installed years ago and don't actually need. So, one way to give yourself an extra layer of protection is to delete unneeded plug-ins.
To do that in Windows 10, go to Start and select "All Apps." That's essentially Windows 10's version of the Control Panel. That will list all the programs installed on your device. Right click on the one you don't want; then select Uninstall.
In older versions of Windows, go to Start >> Control Panel, then under "Programs," click "Uninstall a Program." Select the plug-in you want to remove, and click Uninstall.
Secure your web browser
Today, web browsers such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari are installed on almost all computers. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.
There is an increasing threat from software attacks that take advantage of vulnerable web browsers. We have observed new software vulnerabilities being exploited and directed at web browsers through use of compromised or malicious websites. This problem is made worse by a number of factors, including the following:
1. Many users have a tendency to click on links without considering the risks of their actions.
2. Web page addresses can be disguised or take you to an unexpected site.
3. Many web browsers are configured to provide increased functionality at the cost of decreased security.
4. New security vulnerabilities are often discovered after the software is configured and packaged by the manufacturer.
5. Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
6. Third-party software may not have a mechanism for receiving security updates.
7. Many websites require that users enable certain features or install more software, putting the computer at additional risk.
8. Many users do not know how to configure their web browsers securely.
9. Many users are unwilling to enable or disable functionality as required to secure their web browser.
As a result, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems.
How to Secure Your Web Browser
Microsoft Internet Explorer
For up-to-date information on security and privacy settings for Internet Explorer, visit: http://windows.microsoft.com/en-us/internet-explorer/ie-security-privacy-settings
Mozilla Firefox
To learn how to keep your information safe and secure with Firefox's private browsing, password features and other security settings, visit: https://support.mozilla.org/en-US/products/firefox/privacy-and-security
Apple Safari
For information on Safari's security settings on Apple devices, visit: https://support.apple.com/en-us/HT201265
For information on Safari installed on computers, visit: http://help.apple.com/safari/mac/8.0/ and select "Privacy and security" on the menu.
Google Chrome
For more information on Chrome's security, safety and reporting features, visit: https://support.google.com/chrome#topic=3421433 and select the options displayed under the topic.
Opera
Security badges: http://help.opera.com/opera/Windows/1857/en/private.html#badges
Web preferences: http://help.opera.com/opera/Windows/1857/en/controlPages.html#content
Chromium
Security information: https://www.chromium.org/Home/chromium-security
3. ENABLE CLICK-TO-PLAY PLUG-INS
Adobe Flash. There have been many holes in Flash and we recommend that you disable or at least limit this plug-in.
It's called click to play. Instead of a plug-in always running, you have to click on it to activate it. Here's how to do that.
Chrome: Menu (horizontal lines in the upper right corner) >> Settings. Click "Advanced Settings" at the bottom of the screen. Under "Privacy," choose "Content Settings." Under "Plug-ins," choose "Let Me Choose When To Run Plug-in Content."
Edge: This browser doesn't really have click-to-play. You have to disable and re-enable plug-ins manually.
Windows 10: Right-click on the Start menu and choose "Control Panel." Click "Network and Internet" and then under "Internet Options" click "Manage browser add-ons." Click the "Manage add-ons" button and then highlight a specific plug-in in the "Toolbars and Extensions" area. If a plug-in is enabled, click the "Disable" button in the lower-right corner.
If you're just interested in Adobe Flash, in Edge, click the icon with the three dots in the upper right corner, then select "Settings." Click the "View Advanced Settings" button and you'll see the "Use Adobe Flash Player" option. Turn this off when you don't need to use Flash.
Internet Explorer: In the far top right corner, click on the little gear icon and choose "Manage Add-Ons." Highlight a specific plug-in in the "Toolbars and Extensions" area. If a plug-in is enabled, click the "Disable" button in the lower-right corner.
Firefox: Menu (horizontal lines in the upper right corner) >> Add-Ons. Choose "Plugins" in the left-hand column. Next to each plug-in, you'll see a drop-down menu. Change each one to "Ask To Activate."
4. GET RID OF UNNEEDED BROWSER EXTENSIONS
Browser plug-ins and browser extensions are easy to confuse. Plug-ins handle video or other content that the browser can't handle on its own. Extensions are bits of code that add new features to the browser.
Extensions have a downside, though. Many of them need your passwords to do their job. That opens up extensions to hackers, who use extensions to install malware.
A couple of tips: Before you install an extension, make sure it's coming from a trustworthy source and has been around for a while. Second, be sure to review your extensions every once in a while, to weed out the ones you don't need anymore. If you're not using an extension, or you suspect it's not from a reliable company, delete it. Here's how:
Chrome: Go to Menu >> More Tools >> Extensions, then click "Remove" on each extension you don't need.
Edge: Microsoft's new browser is going to start introducing extensions sometime this year.
Internet Explorer: This browser does not support extensions.
Firefox: Menu >> Add-Ons. Choose "Extensions" in the left-hand column, then select the ones you don't want and click "Remove."
5. RUN ANTI-EXPLOIT SOFTWARE
While most security software is great at detecting and stopping the millions of viruses out there before they can install, security holes in your browser and other programs give viruses a better chance to slip past unnoticed. Unfortunately, you don't even know there's a security hole in a program until the developer releases an update.
Software companies are starting to release anti-exploit programs. These watch your programs for signs that someone might be trying to use them to sneak onto your system. Then they block those attempts.
If you think of your main security program as the castle wall and the army guarding it, an anti-exploit program is the guy watching for traitorous citizens trying to open the back door.
6. TYPOSQUATTING
One mistyped letter could lead to ID theft. Missing just a few letters in a web address can cost you the money in your bank account, or start an all-out identity theft attack, because of a type of fraud called "typosquatting."
The typosquatter's URL will usually be one of a few kinds, all similar to the victim site address:
1. A common misspelling, or foreign language spelling, of the intended site: exemple.com
2. A misspelling based on typos: xample.com or examlpe.com (xample.com redirects to a scam site that tries to trick you into downloading malware; it is not suggested you visit it)
3. A differently phrased domain name: examples.com
4. A different top-level domain: example.org
5. An abuse of the Country Code Top-Level Domain (ccTLD): example.cm, by using .cm or .om. A person leaving out the letter o or c in .com in error could arrive at the fake URL's website.
Once in the typosquatter's site, the user may also be tricked into thinking that they are in fact in the real site, through the use of copied or similar logos, website layouts or content. The fraudulent site is trying to get you to log in with your username and password or download malware with a fake "flash updater" pop-up, for example.
Stay Safe:
1. When visiting any website, double-check the URL before logging in.
2. Be very careful entering things. If you're going to PayPal or you're going to your bank, just be very careful and pay attention to what you type.
3. Make sure you're on the real website by looking at the address bar on your browser.
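The "double-check the URL" advice above, and the earlier advice to look for https on every page, can be automated for the handful of sites you log in to. The Python below is an added example, not code from the handbook or from fraudsmarts.com: it keeps a small allowlist of trusted domains and flags a hostname that is a misspelling or letter transposition of one of them (edit distance), that uses a different top-level domain, or that uses a truncated .com such as .cm or .om, i.e. the typosquat kinds listed above; check_url() also reports whether the page is served over https. The ALLOWLIST and the test hostnames are constructed for the demonstration, and the edit-distance threshold of 2 is an assumption, not a value from the handbook.

```python
"""Typosquat and https check for URLs against a short allowlist.

Added example, not part of the original handbook. ALLOWLIST and the sample
hostnames are constructed; the max_edits threshold is an assumption.
"""
from urllib.parse import urlsplit

ALLOWLIST = {"example.com", "paypal.com"}   # constructed trusted domains
CCTLD_TRUNCATIONS = {"cm", "om", "co"}      # ".com" with one letter dropped


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1 (so 'examlpe' is 1 from 'example')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent swap
    return d[len(a)][len(b)]


def split_domain(host):
    """Return (second-level label, tld) for a hostname such as 'www.example.com'."""
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(host, allowlist=ALLOWLIST, max_edits=2):
    """Return (verdict, resembled_domain).

    verdict is 'trusted' (exactly on the allowlist), 'typosquat' (looks like
    an allowlisted domain but is not one) or 'unknown' (no resemblance).
    """
    label, tld = split_domain(host)
    if f"{label}.{tld}" in allowlist:
        return "trusted", f"{label}.{tld}"
    for trusted in sorted(allowlist):
        t_label, t_tld = split_domain(trusted)
        close_label = osa_distance(label, t_label) <= max_edits
        if label == t_label and tld != t_tld:
            return "typosquat", trusted       # example.org, example.cm
        if close_label and tld == t_tld:
            return "typosquat", trusted       # exemple.com, examlpe.com, examples.com
        if close_label and t_tld == "com" and tld in CCTLD_TRUNCATIONS:
            return "typosquat", trusted       # misspelled label and truncated .com
    return "unknown", None


def check_url(url):
    """Apply both handbook checks to a full URL: is it https, and is the host
    a trusted site rather than a lookalike?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    verdict, resembles = classify(host)
    return {"https": parts.scheme == "https", "host": host,
            "verdict": verdict, "resembles": resembles}


if __name__ == "__main__":
    for sample in ["https://www.example.com/login", "http://examlpe.com/login",
                   "https://example.cm/", "https://github.com/"]:   # constructed
        print(sample, check_url(sample))
```

The allowlist approach deliberately errs toward warnings: a legitimate sibling domain such as a trusted site's .org presence will be flagged, which is the right default for the few sites where you type a password.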
Common Misconceptions:
Misconception: Windows Updates Make Antivirus Software Unnecessary
Since Windows updates are crucial to your PC's security, if you're diligent about installing patches you can forget using an antivirus. This, however, is a deadly mistake.
Truth: Windows Updates Come After The Fact. Windows Updates patch known vulnerabilities, but aren't meant to protect from everyday threats. While keeping Windows up-to-date is a necessary part of security, it can't replace an antivirus, which works nonstop to protect you. Also remember that anti-virus software is a management tool to catch already known viruses. AV software does not stop brand new viruses or social engineering scams.
Misconception: Malware Infections Are Obvious
Truth: A Lot of Malware Is Silent. There are dozens of rogue applications that are spying on you without making a sound. Many of these create zombie computers, which are responsible for much of the spam and website attacks that happen constantly. Additionally, if you fall for a phishing scam and a password falls into a thief's grasp, they could be accessing your accounts - quietly, of course, so that you don't suspect anything.
Don't assume that just because everything looks normal that it is. Change your passwords regularly to be sure that someone isn't getting in behind your back.
Misconception: I Don't Do Anything Important On My Computer, So I Don't Need To Be Careful
This is probably the most common reason people give for not keeping their computer safe. Sadly, it's a poor excuse and those who give it are wrong.
The Truth: At the bare minimum, a virus or other malware infecting your PC - even if your financial info isn't at risk - is going to take time to deal with. Your time is valuable, and if you're recruiting a tech-savvy friend to fix your PC after your neglect, their time is affected too. Wiping your computer and starting fresh thanks to malware means more time and effort to get your programs re-installed and running just the way you like. In addition, malware isn't just looking to steal files on your system. Rather, it's tracking your every keystroke, stealing passwords, or even hacking into your webcam to spy on you.
Misconception: I don't run Windows, so I'm immune to Malware
The Truth: All platforms are vulnerable and this includes iPad, iPhone, Android and other mobile devices. While Windows viruses won't affect Mac computers, Macs can still get infected with viruses. In addition, you can fall for phishing tricks, perhaps via email or social media, no matter what platform you use. Accidentally handing your password over to a fake site is going to yield the same result no matter if it's done on Windows, Mac, or Android.
Misconception: My Apple or Android tablet is secure
The Truth: There is a plethora of mobile-based malware and viruses out there today. Never let your guard down and carelessly open a website, email or attachment on a smartphone or tablet. These devices can be infected and can infect a corporate network if connected as a BYOD device.
Misconception: Windows Is Inherently Insecure
The Truth: Ever since Windows 7 hit the scene, the virus problem has been significantly curtailed. The problem is that most Windows users don't care enough to update their systems with pertinent security patches. Microsoft is good about plugging security holes as they're found, but if users don't apply those updates, they leave themselves vulnerable. At that point, Windows itself is no longer at fault.
Moreover, Windows is the world's most popular operating system. Combine that with the fact that Windows does not require its users to be tech-savvy and you've got a recipe for a high number of security incidents.
Misconception: You don't need security software
The Truth: The ones who create malware and viruses are always looking for new ways to facilitate the spread of malicious software, which means that their methods are always evolving.
But more importantly, we are human. Humans make mistakes. We can't keep our guards up 24/7 and sometimes we're lazy, forgetful, or reckless. All it takes is one lapse in judgment for your computer to be infected and that's the real value of antivirus software: it protects you through your mistakes.
If you aren't using antivirus software, install one now along with a virus scanner. Afterwards, if you find that you have an infection, clean it up as soon as possible.
Misconception: All You Need Is Security Software
The Truth: Malware and virus creators are always engineering new ways to spread their code. Antivirus companies are always one step behind (they have to study a virus to understand its signature before they can protect against it), which means that the notion of antivirus is fundamentally reactionary. AV software does not stop brand new viruses or social engineering scams.
Credit cards
To help prevent fraudulent use of your card, here are steps you should take.
1. Sign new cards as soon as you receive them.
2. Keep your card account numbers and personal identification number (PIN#) in a confidential place.
3. Check your cards periodically to make sure none are missing.
4. Destroy and dispose of copies of receipts, airline tickets, and travel itineraries, anything that displays your card numbers.
5. Memorize your PIN.
6. Check out unfamiliar companies by calling your local consumer protection agency.
7. Don't provide information that you're uncomfortable giving.
8. NEVER give anyone the password that you use to log on to your online account or Internet Service Provider.
9. Don't provide financial account information unless you are paying for a purchase using that account.
Card Cracking
In card-cracking scams, young adults (primarily students, newly-enlisted military, or single parents) are recruited to facilitate fraud against the bank. The perpetrators typically target consumers via social media and convince them to share their checking account information in exchange for some type of a kickback - usually in the form of a counterfeit check remotely deposited into their account, of which the consumer is allowed to keep a portion of the funds.
However, the fraudster often removes all of the funds before the bank determines that the check is counterfeit. Fraudsters may also convince the student to provide them with their debit card, along with their PIN. The consumer is instructed to report the card as lost or stolen, thereby receiving protection via Reg E, while the fraudster withdraws the funds.
Using a credit card overseas
1. Check if your card is accepted. Choose a U.S. credit card that's widely accepted abroad. Generally, this means taking a Visa or MasterCard rather than Amex or Discover. Some U.S. cards are also starting to offer chip-and-PIN technology that can mean wider acceptance across Europe. Call your credit card company to find out how widely it's accepted overseas and what fees you may be charged for purchases in foreign currencies.
2. Let your credit card company and bank know about your trip. If a credit card company or your bank starts seeing purchases overseas, they may flag your card as fraud and freeze your account. This is great if your card had actually been stolen, but less great when you're traveling and your means of paying for things gets cut off. Let them know the locations you are traveling to and the dates of this trip so they do not freeze your card. They should note this in your account so there are no issues.
3. Know your credit limit. It's not uncommon to accidentally go over your credit limit, especially if you're travelling for weeks at a time. At home, going over limit may be an inconvenience or incur a small fee; in different countries where credit cards are not as widely used, this may be seen in a harsher light. U.S. State Department websites vaguely suggest that Americans have been arrested for "innocently exceeding their credit limit while traveling abroad." That's probably an unusual situation, but one in which you certainly don't want to find yourself.
4. Write down the international customer service number for your card(s). The usual 800 number for customer service won't work abroad, so find out the international number where you can reach them if your card is stolen, lost, or you encounter any other issues. Store it in your phone, e-mail it to yourself, or write it on a piece of paper you'll keep with important documents.
5. Transfer extra funds to a savings account. If you're bringing your debit card, only have the money in your account you will need for the trip and a little extra for emergencies. Transfer any excess to a savings account. This way if your card is stolen, the thieves can't wipe out your entire account.
6. Make copies of your cards. Make a copy of the fronts and backs of your credit and debit cards. This way if your cards are stolen, you can report it to the local police and the U.S. Embassy.
7. Limit your cards. You don't need to take your entire wallet and all of your credit cards. This will just make the situation worse if your bag gets lost or stolen. Choose the best credit card for your travels, and bring one or two.
8. Be aware of what's covered by your credit card. You may be pleased to find out your credit card may offer a form of travel insurance for anything you charge on the card. For example, if you charge a rental car with your card, you can be insured for any damages. Call your credit card company to see what's covered abroad.
9. Protect your cards. Carry your cards in a safe way, like a money belt that wraps around your body or a purse that wraps across your chest. Wallets and purses around a shoulder can be targets, and a backpack can be easily looked through while you're not paying attention. When you're putting in your PIN, cover it. Someone can be looking over your shoulder to attempt to steal it.
10. Keep track of your card. Don't let your card out of your sight. It's not uncommon for merchants abroad to double swipe or take it in the back to copy information down. And of course, always make sure you get your card back before you leave.
11. Track your purchases. Keep a receipt for your purchases. Check your statements regularly while you're still traveling. If you have any charges that shouldn't be there, call your credit card company immediately because time is a factor.
12. Ask if there's a fee to charge. Some places charge a hefty fee for not paying with cash, so double check anywhere you go. Some credit cards charge an additional few percentage points of the transaction as a foreign currency transaction fee.
13. Always carry back-up cash. There's a good chance you'll encounter places that only accept cash. Also, credit and debit cards aren't as reliable as you would hope. An ATM can eat your card, credit card machines can be down, or you can run into other problems using your card.
14. Act fast if your card is stolen. If your card is missing, contact your credit card company, the local police, and the U.S. Embassy. When you're home, you can contact the IRS Identity Protection Unit to report any stolen credit and debit cards as a first step in mitigating potential harmful effects of identity theft.
15. Beware of pickpockets. While pickpocketing has been on the decline in the U.S. for the past fifty years or so, it's still a major problem in Europe. Pickpockets often work in groups, are often children and are typically well-dressed. Be extra vigilant around tourist attractions, public transportation, restaurants, bars and hotel lobbies.
Data breaches
For Consumers:
1. CONSIDER ANOTHER WAY TO PAY - Try newer ways to pay, such as PayPal or Apple Pay. Any technology that avoids you having your credit card in your hand in a store is safer. Those services store your credit card information and it's not given to the retailer when you make a payment. Stored-value cards or apps, such as the ones used at coffee chains Starbucks and Dunkin Donuts, are also a safer bet, because they don't expose credit card information at the register.
2. SIGN IT, DON'T PIN IT - If you're planning on paying with a debit card, sign for your purchase instead of typing in your personal identification number at the cash register. You can do this by asking the cashier to process the card as a credit card or select credit card on the display. Not entering your PIN into a keypad will help reduce the chances of a hacker stealing that number too. Crooks can do more damage with your PIN, possibly printing a copy of the card and taking money out of an ATM.
3. BEWARE OF EMAIL SCAMMERS - After big data breaches are exposed, and get a lot of media attention, scammers come out of the woodwork looking to steal personal information. Some emails may mention the latest breach or offer free credit monitoring, but you should never click on the links. Many are for fake sites that try to steal personal information or passwords.
4. KEEP UP WITH CREDIT CARD ACTIVITY - Review credit card activity often for any unauthorized charges. And keep an eye out for smaller charges. Thieves will charge smaller amounts to test to see if you notice and then charge a larger amount later. They may also steal a small amount from millions of accounts, scoring a big payday. Also, take advantage of the many alert features that credit card companies offer today.
5. MONITOR CREDIT REPORTS - Check your credit report for any accounts that crooks may have opened in your name. Credit reports are available for free, from each of the three national credit reporting agencies - Equifax, Experian and TransUnion - every 12 months.
For Small Businesses:
1. Keep Only What You Need. Reduce the volume of information you collect and retain to only what is necessary. Minimize the places you store personal data. Know what you keep and where you keep it.
2. Safeguard Data. Lock physical records in a secure location. Restrict access to employees who need to retrieve private data. Conduct employee background checks and never give access to temporary employees or vendors.
3. Destroy Before Disposal. Cross-cut shred paper files before disposing of private information. Also destroy CDs, DVDs and other portable media. Deleting files or reformatting hard drives does not erase data. Instead, use software designed to permanently wipe the drive, or physically destroy it.
4. Update Procedures. Do not use Social Security numbers as employee ID or client account numbers. If you do so, develop another ID system now.
5. Train Employees. Establish a written policy about privacy and data security and communicate it to all employees. Educate them about what information is sensitive and their responsibilities to protect that data.
6. Control Use of Computers. Restrict employee use of computers to business. Don't permit use of file sharing peer-to-peer websites. Block access to inappropriate websites and prohibit use of unapproved software.
7. Secure All Computers. Implement password protection and require re-logon after a period of inactivity. Train employees to never leave laptops or PDAs unattended. Restrict tele-working to company-owned computers and require use of robust passwords that are changed regularly.
8. Keep Security Software Up-To-Date. Keep security patches for your computers up to date. Use firewalls, anti-virus and spyware software; update virus and spyware definitions daily.
9. Encrypt Data Transmission. Mandate encryption of all data transmissions. Avoid using Wi-Fi networks; they may permit interception of data.
10. Manage Use of Portable Media. Portable media, such as DVDs, CDs and USB "flash drives," are more susceptible to loss or theft. Allow only encrypted data to be downloaded to portable storage devices.
Are there more security breaches now than ever before?
This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. Our sense is that two things are happening - the criminal population is stealing more data from companies AND we are hearing more about the breaches.
Are all breaches alike?
No - security breaches can be broken down into a number of categories. What they have in common is that they usually contained personal identifying information in a format easily read by thieves, in other words, not encrypted.
1. Lost or stolen laptops, computers or other computer storage devices
2. Backup tapes lost in transit because they were not sent either electronically or with a qualified human escort
3. Hackers breaking into systems
4. Employees stealing information or allowing access to information
5. Information bought by a fake business
6. Poor business practices - for example sending postcards with Social Security numbers on them
7. Internal security failures
8. Viruses, Trojan Horses and computer security loopholes
9. Information tossed into dumpsters - improper disposition of information
Visit http://www.FraudSmarts.com/data for data theft resources.
Debit cards
Debit cards have different protections and uses. Sometimes they're not the best choice.
Here are 10 places and situations where it can pay to leave that debit card in your wallet:
1. Online. Since the debit card links directly to a checking account, don't use a debit card online; you have potential vulnerability there. If you have problems with a purchase or the card number gets hijacked, a debit card is vulnerable because it happens to be linked to an account. Also include phone orders in this category.
The Federal Reserve's Regulation E (commonly dubbed Reg E) covers debit card transfers. It sets a consumer's liability for fraudulent purchases at $50, provided they notify the bank within two days of discovering that their card or card number has been stolen.
2. Big-Ticket Items. With a big ticket item, a credit card is safer. A credit card offers dispute rights if something goes wrong with the merchandise or the purchase. With a debit card, you have fewer protections. In addition, some credit cards will also offer extended warranties. And in some situations, such as buying electronics or renting a car, some credit cards also offer additional property insurance to cover the item.
3. Deposit Required. When renting something that requires a deposit, this is where you want to use a credit card instead of a debit. That way, the store has its security deposit, and you still have access to all of the money in your bank account. With any luck, you'll never actually have to part with a dollar.
4. Restaurants. In restaurants, you have so many people around. The danger: restaurants are one of the few places where you have to let cards leave your sight when you use them. But others think that avoiding such situations is not workable. The conventional advice of "don't let the card out of your sight" is just not practical.
The other problem with using a debit card at restaurants: Some establishments will approve the card for more than your purchase amount because, presumably, you intend to leave a tip. So the amount of money frozen for the transaction could be quite a bit more than the amount of your tab. And it could be a few days before you get the cash back in your account.
5. You're a New Customer. Online or in the real world, if you're a first-time customer in a store, skip the debit card the first couple of times you buy. That way, you get a feel for how the business is run, how you're treated and the quality of the merchandise before you hand over a card that links to your checking account.
6. Buy Now, Take Delivery Later. Buying now but taking delivery days or weeks from now? A credit card offers dispute rights that a debit card typically does not. But be aware that some cards will limit the protection to a specific time period. So settle any problems as soon as possible.
7. Recurring Payments. We've all heard the urban legend about the gym that won't stop billing an ex-member's credit card. Now imagine the charges aren't going onto your card, but instead coming right out of your bank account. Another reason not to use the debit card for recurring charges: your own memory and math skills. Forget to deduct that automatic bill payment from your checkbook one month, and you could either face fees or embarrassment (depending on whether you've opted to allow over-drafting or not). So if you don't keep a cash buffer in your account, to protect yourself from over-limit fees, you may want to think about using a credit card for recurring payments.
8. Future Travel. Book your travel with a check card and they debit it immediately. So if you're buying travel that you won't use for six months or making a reservation for a few weeks from now, you'll be out the money immediately. Another factor is that hotels aren't immune to hackers and data breaches, and several name-brand establishments have suffered the problem recently. You don't want your debit card information to sit in a system for four months, waiting for you to arrive.
9. Gas Stations and Hotels. This one depends on the individual business. Some gas stations and hotels will place holds to cover customers who may leave without settling the entire bill. That means that even though you only bought $10 in gas, you could have a temporary bank hold for $50 to $100.
The same can go for hotels, where there are sometimes holds or deposits in the hundreds to make sure you don't run up a long distance bill, empty the minibar or trash the room. The practice is almost unnoticeable if you're using credit, but can be problematic if you're using a debit card and have just enough in the account to cover what you need. At hotels, ask about deposits and holds before you present your card. At the pump, select the PIN-number option, which should debit only the amount you've actually spent.
10. Checkouts or ATMs That Look 'Off'. Criminals are getting better with skimmers and planting them in places you'd never suspect - like ATM machines on bank property. So take a good look at the machine or card reader the next time you use an ATM or self-check lane. Does the machine fit together well, or does something look off, different or like it doesn't quite belong? Make sure it doesn't look like it's been tampered with.
Disposal - PC, smartphone & tablet

Wipe data on your old phone/tablet before you donate, resell or recycle it.

Your smartphone or tablet contains personal data you want to keep private when you dispose of your old phone. To protect your privacy, completely erase the data from your phone and reset it to its initial factory settings. Before the reset, sign out of the accounts tied to the device (so the next owner is not blocked by an activation lock and the device is no longer linked to you), turn on device encryption if it is not already on, and remove the SIM card and any memory card, which a factory reset does not wipe. Having wiped your old device, you are free to donate, resell, recycle or otherwise properly dispose of your phone/tablet.

Disposing of your phone/tablet:

You can't just throw an old cell phone/tablet in the garbage. The toxic chemicals contained in its batteries and other parts can escape from the phone while it is in a landfill and eventually leak into the groundwater, poisoning the water of the surrounding area. Also, in many cases, city disposal workers have been burned, blinded and poisoned while trying to crush garbage that contained improperly disposed electronics such as cell phones.

1. There are special collection bins for old cell phones/tablets that you can find in your local tech shop.
2. Consider donating your phone/tablet to a charity that recycles old cell phones, like Cell Phones for Soldiers, which recycles old cell phones and uses the money to buy phone cards for soldiers to call their families.
3. If your cell phone/tablet is still functioning and you just don't want it anymore, you can give it to a friend who doesn't have a phone, to save them money.
PC Disposal

Computers often hold all kinds of personal and financial information. If you're getting rid of your old computer, there are things to do before you log off for the last time so your hard drive doesn't become a 21st-century treasure chest for identity thieves.

Quick Facts

1. Save important files on an external storage device (for example, a USB drive, a CD-ROM or an external hard drive) or transfer them to a new computer.
2. "Wipe" your hard drive clean, using software available both online and in stores where computers are sold. Such programs are generally inexpensive; some are available on the Internet for free.
3. If your old computer contains sensitive information that would be valuable to an identity thief, consider using a program that overwrites or wipes the hard drive many times. Or remove the hard drive and physically destroy it.
4. If you use your computer for business purposes, check with your employer about how to manage business-related information on your computer. The law requires businesses to follow data security and disposal requirements for certain information that's related to customers.

Once you have a "clean" computer, consider recycling, donating or reselling it, and keep the environment in mind when disposing of your computer.

If you want to get rid of your old computer, options include recycling, reselling and donating. But before you log off for the last time, there are important things to do to prepare it for disposal.

Computers often hold personal and financial information, including passwords, account numbers, license keys or registration numbers for software programs, addresses and phone numbers, medical and prescription information, tax returns and other personal documents. Before getting rid of your old computer, it's a good idea to use software to "wipe" the hard drive clean. If you don't, consider your old hard drive a 21st-century treasure chest for identity thieves and information pirates.

The Federal Trade Commission (FTC), the nation's consumer protection agency, says you can deter identity theft and information piracy by taking a few preventive steps.
Understanding Hard Drives

A computer's hard drive stores data and maintains an index of files. When you save a file, especially a large one, it is scattered around the hard drive in bits and pieces. Files are also created automatically by browsers and operating systems. When you open a file, the system checks the index, then gathers the bits and pieces and reconstructs them.

When you delete a file, the link between the index and the file disappears, signaling to your system that the file isn't needed any longer and that the hard drive space can be overwritten. But the bits and pieces of the deleted file stay on your drive until they're overwritten, and they can be retrieved with a data recovery program. The same is true of "emptying the trash" or reformatting the drive with a quick format. To remove data from your hard drive permanently, it needs to be wiped clean.

Cleaning Hard Drives

Before you clean your hard drive, save the files that are important to you on an external storage device (for example, a USB drive, a CD-ROM or an external hard drive) or transfer them to a new computer. Check your owner's manual, the manufacturer's website or its customer support line for information on how to save data and transfer it to a new computer.

Utility programs to wipe your hard drive are available both online and in stores where computers are sold. They're generally inexpensive; some are available on the Internet for free. Wipe utility programs vary in their capabilities: some erase the entire disk, while others allow you to select files or folders to erase. They also vary in their effectiveness. A program that overwrites every sector of a magnetic hard drive, even once, defeats software recovery tools; programs that overwrite the drive several times cost little extra and are the conservative choice. A tool that only deletes files, or that skips free space, slack space and the swap or hibernation files, may leave data recoverable later. On a solid-state drive (SSD), overwriting is not reliable at all, because the drive's controller remaps writes and old copies of data can survive a wipe; for an SSD, use the manufacturer's secure-erase utility, or rely on full-disk encryption and discard the key. If your old computer contains sensitive information that would be valuable to an identity thief, the surest option is to remove the hard drive and physically destroy it.

One more thing to keep in mind: if you use your home or personal computer for business purposes, check with your employer about how to manage information on your computer that's business related. The law requires businesses to follow data security and disposal requirements for certain information that's related to customers.
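The two points above (a deleted file's bytes stay on disk until overwritten, and a wipe means overwriting them) can be seen directly. The following Python is an added example written for this handbook, not a tool the handbook or the FTC names: it first shows that a file "deleted" with a plain unlink still reads back intact, then overwrites a constructed file in place before removing it. It assumes a plain file system on magnetic media; the caveats about SSDs, journaling and copy-on-write file systems from the text apply and are repeated in the comments.

```python
"""Overwrite a file in place before unlinking it (a file-level "wipe").

Added example for this handbook, not a tool the handbook or the FTC names.
Deleting a file only drops its directory entry; the blocks keep their bytes
until something overwrites them, which is exactly why recovery programs
work. This routine overwrites the file's own bytes first.

Assumptions (see comments): it is only trustworthy on a plain, non-journaling,
non-copy-on-write file system on magnetic media. On an SSD the controller
remaps writes and old copies can survive; use the drive's secure-erase
command, or full-disk encryption followed by key destruction, instead.
"""
import os
import secrets
import tempfile


def overwrite_and_delete(path, passes=3, chunk=64 * 1024):
    """Overwrite every byte of `path` `passes` times, sync to the device after
    each pass, shrink the file to zero length, then unlink it.
    Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                block = min(chunk, remaining)
                # Random data on every pass but the last; zeros on the final
                # pass so a recovered fragment shows nothing at all.
                data = bytes(block) if n == passes - 1 else secrets.token_bytes(block)
                fh.write(data)
                written += block
                remaining -= block
            fh.flush()
            os.fsync(fh.fileno())  # push past the OS cache to the device
        fh.truncate(0)             # even the original size is no longer visible
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)
    return written


def unlink_does_not_erase():
    """The point made in the text: after os.unlink the bytes are still there.
    A still-open descriptor stands in for the recovery tool (POSIX semantics).
    Returns True if the 'deleted' data reads back intact."""
    marker = b"ACCOUNT 1234-5678 ROUTING 000999 (constructed sample data)"
    fd, path = tempfile.mkstemp()
    os.write(fd, marker)
    os.fsync(fd)
    os.unlink(path)          # "delete": only the directory entry is gone
    os.lseek(fd, 0, os.SEEK_SET)
    recovered = os.read(fd, len(marker))
    os.close(fd)
    return recovered == marker


def wipe_demo(passes=3):
    """Create a constructed file of sensitive-looking data and wipe it.
    Returns (bytes_written, original_size, file_still_exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"tax return 2016: SSN 123-45-6789 (constructed)\n" * 2000)
    size = os.path.getsize(path)
    written = overwrite_and_delete(path, passes=passes)
    return written, size, os.path.exists(path)


if __name__ == "__main__":
    print("data still readable after a plain delete:", unlink_does_not_erase())
    print("(bytes written, original size, still exists):", wipe_demo())
```

Whole-disk wipe utilities do the same thing to every sector, including free space the file system no longer indexes, which is why they are preferred over per-file tools when a machine is leaving your hands.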
Disposal Options

Once you have a 'clean' computer, here's how to dispose of it:

1. Recycle it. Many computer manufacturers have programs to recycle computers and components. Check their websites or call their toll-free numbers for more information. The Environmental Protection Agency (EPA) has information on electronic product recycling programs at http://www.epa.gov/epaoswer/hazwaste/recycle/ecycling/donate.htm. Your local community may have a recycling program. Check with your county or local government, including the local landfill office, for regulations.
2. Donate it. Many organizations collect old computers and donate them to charities.
3. Resell it. Some people and organizations buy old computers. Check online.
4. Keep the environment in mind when disposing of your computer. Most computer equipment contains hazardous materials that don't belong in a landfill. For example, many computers have heavy metals that can contaminate the earth. The EPA recommends that you check with your local health and sanitation agencies for ways to dispose of electronics safely.
Email safety

Properly managing your email accounts

1. Using just one email account. Individuals new to email often think about their email account the way they do their home address: you only have one home address, so you should only have one email. Instead, think about your email address the way you do your keys; while it may be OK to use the same key for your front and back doors, having a single key that opens everything is both impractical and unsafe.

A good rule of thumb for the average email user is to keep a minimum of three email accounts. Your work account should be used exclusively for work-related conversations. Your second email account should be used for personal conversations and contacts, and your third email account should be used as a general catch-all for all hazardous behavior. That means you should sign up for newsletters and contests only through your third email account. Similarly, if you have to post your email address online, such as on your personal blog, you should only use your third email account (and post a web-friendly, obfuscated form of it at that).

While your first and second email accounts can be paid or free, your third 'catch-all' account should always be a free account such as those offered by Gmail or Yahoo! You should plan on having to dump and change out this account every six months, as the catch-all account will eventually become spammed when a newsletter manager decides to sell your name or a spammer harvests your email address off a website.

2. Holding onto spammed-out accounts too long. It is simply a fact of life that email accounts accumulate spam over time. This is especially true of the account you use to sign up for newsletters and that you post online (which, as stated above, should not be your main email account). When this happens, it is best to simply dump the email account and start afresh. Unfortunately, many new email users get very attached to their email accounts and instead just wade through dozens of pieces of spam every day. To avoid the problem, prepare yourself mentally ahead of time for the idea that you will have to dump your 'catch-all' account every six months.

3. Not closing the browser after logging out. When you are checking your email at a library or other public computer, you not only need to log out of your email when you are done, but you also need to make sure to close the browser window completely. Some email services display your username (but not your password) even after you have logged out. While the service does this for your convenience, it compromises your email security.

4. Forgetting to delete browser cache, history and passwords. After using a public terminal, it is important to delete the browser cache, history and saved passwords. Most browsers automatically keep track of all the web pages you have visited, and some keep track of any passwords and personal information you enter in order to help you fill out similar forms in the future.

If this information falls into the wrong hands, it can lead to identity theft and stolen bank and email credentials. Because the stakes are so high, new internet users should know how to clear a public computer's browser cache so that they can delete private information before anyone else gets hold of it.

In Mozilla Firefox (and in most current browsers, including Chrome and Edge), pressing Ctrl+Shift+Del opens the dialog for clearing browsing data. Opera users go to Tools >> Delete Private Data, and users of Microsoft's Internet Explorer go to Tools >> Internet Options and click the 'Clear History', 'Delete Cookies' and 'Delete Files' buttons. Better still, use the browser's private or incognito window for the whole session, so nothing is saved to begin with, and never accept an offer to save your password on a shared machine.

5. Using unsecure email accounts to send and receive sensitive corporate information. Large corporations invest huge amounts of money to ensure that their computer networks and email remain secure. Despite their efforts, careless employees using personal email accounts to conduct company business and pass along sensitive data can undermine the security measures in place. So make sure you don't risk your company's security, and your job, by transmitting sensitive company data via your own personal computer or email address.

6. Forgetting the telephone option. One of the most important lessons about email security is that no matter how many steps you take to secure your email, it will never be foolproof. This is never truer than when using a public computer. So unless you need a written record of something or are communicating across the globe, consider whether a simple phone call rather than an email is a better option. While a phone conversation may require a few extra minutes, compared with accessing email through a public computer a phone call is a far more secure option, and it does not leave a paper trail.
Emailing the right people

1. Not using the Blind Carbon Copy (BCC) option. When you put people's email addresses in the BCC: field rather than the CC: field, none of the recipients can see the addresses of the other recipients.

New email users often rely too much on the TO: field because it is the default way of sending emails. That is fine as long as you are writing to just one person or a few family members. But if you are sending mail out to a diverse group of people, confusing BCC: and CC: raises some serious privacy and security concerns. It takes just one spammer getting hold of the email for everyone on your list to get spammed.

Even if the honesty of the group isn't in question, many email programs are set up to automatically add incoming email addresses to the address book. That means some people in the group will inadvertently have added the entire list to their address book, and if one of their computers is infected with "zombie" malware that silently sends out spam, you will have caused the entire list to get spammed.

2. Being trigger-happy with the "Reply All" button. Sometimes the mistake isn't in deciding between CC: and BCC: but in hitting Reply All instead of Reply. When you hit Reply All, your message goes to everyone included on the original email, and if you didn't intend to include them, the result can be disastrous from both a security and a personal-humiliation perspective.

3. Spamming as a result of forwarding email. Forwarding emails can be a great way to quickly bring someone up to speed on a subject without having to write a summary, but if you aren't careful, forwarding can create a significant security threat for yourself and the earlier recipients of the email. As an email is forwarded, the addresses of everyone who received it up to that point are carried along in the body of the email. As the chain keeps moving forward, more and more recipient addresses accumulate on the list.

Unfortunately, if a spammer or someone just looking to make a quick buck gets hold of the email, they can sell the entire list of addresses, and then everyone on it will start getting spammed. It takes only a few seconds to delete all the previous recipient addresses before forwarding a piece of mail, and it can avoid the terrible situation of you being the cause of all your friends or coworkers getting spammed.
Making backups and keeping records

1. Failing to back up emails. Emails are not just for idle chatting; they are also used to make legally binding contracts, major financial decisions and to conduct professional meetings. Just as you would keep a hard copy of other important business and personal documents, it is important that you regularly back up your email to preserve a record in case your email client or provider loses data (it happened to Gmail as recently as December 2006).

Thankfully, most email providers make it rather simple to back up your email by allowing you to export messages to a folder; you then copy that folder onto a writeable CD, DVD, removable disk or any other type of media. If that exporting process sounds too complicated, you can buy automated backup software that takes care of the whole thing for you. Whether you purchase the software or decide to back up manually, it is important that you make and follow a regular backup schedule, as this is the sort of thing new email users tend to put off. The frequency of backups necessary will of course depend on your email usage, but under no circumstances should it be done less frequently than every three months.

2. Mobile access: presuming a backup exists. Mobile email access, such as through a BlackBerry, has revolutionized the way we think about email; it is no longer tied to a PC, but can be checked on the go anywhere. Most new BlackBerry users simply assume that a copy of the emails they check and delete on the BlackBerry will still be available on their home or office computer.

It is important to keep in mind, however, that some email servers and client software download emails to the mobile device and then delete them from the server. Thus, for some mobile email access devices, if you delete a message from the device, you have deleted it from your inbox.

Just be aware of the default settings of your email client and make sure that if you want a copy of the email retained, you have adjusted the client's settings to make it happen. And preferably make sure of this before you decide to delete that important email.

3. Thinking that an erased email is gone forever. We've all sent an embarrassing or unfortunate email and sighed with relief when it was finally deleted, thinking the whole episode was behind us. Think again. Just because you delete an email message from your inbox and the sender deletes it from their 'Sent' folder does not mean that the email is lost forever. In fact, deleted messages often still exist in backups on remote servers for years, and can be retrieved by skilled professionals.
Avoiding fraudulent email

1. Believing you won the lottery, and other scam titles. Spammers use a wide variety of clever titles to get you to open emails which they fill with all sorts of bad things. New email users often make the mistake of opening these emails. So, in an effort to bring you up to speed, let me tell you quickly:

You have not won the Irish Lotto, the Yahoo Lottery or any other big cash prize.
There is no actual Nigerian king or prince trying to send you $10 million.
Your bank account details do not need to be reconfirmed immediately.
You do not have an unclaimed inheritance.
You never actually sent that "Returned Mail".
The "News Headline" email is not just someone informing you about the daily news.
You have not won an iPod Nano.

2. Not recognizing phishing attacks in email content. While never opening a phishing email is the best way to secure your computer, even the most experienced email user will occasionally open one by accident. At this point, the key to limiting your damage is recognizing the phishing email for what it is.

Phishing is a type of online fraud wherein the sender of the email tries to trick you into giving out personal passwords or banking information. The sender will typically steal the logo of a well-known bank or PayPal and format the email to look like it comes from that bank. Usually the phishing email asks you to click on a link in order to confirm your banking information or password, but it may just ask you to reply to the email with your personal information.

Whatever form the phishing attempt takes, the goal is to fool you into entering your information into something which appears to be safe and secure but is in fact just a dummy site set up by the scammer. If you provide the phisher with personal information, he will use that information to try to steal your identity and your money.

Signs of phishing include:

1. A logo that looks distorted or stretched.
2. Email that refers to you as "Dear Customer" or "Dear User" rather than including your actual name.
3. Email that warns you that an account of yours will be shut down unless you reconfirm your billing information immediately.
4. An email threatening legal action.
5. Email which comes from an address similar to, but different from, the one the company usually uses.
6. An email that claims 'security compromises' or 'security threats' and requires immediate action.

If you suspect that an email is a phishing attempt, the best defense is to never open the email in the first place. But assuming you have already opened it, do not reply or click on the link in the email. If you want to verify the message, manually type the company's URL into your browser (or use a bookmark you made earlier) instead of clicking on the embedded link, or call the company at the number printed on your card or statement.

3. Sending personal and financial information via email. Banks and online stores provide, almost without exception, a secured section on their website where you can input your personal and financial information. They do this precisely because email, no matter how well protected, is more easily intercepted than a well-secured site. Consequently, you should avoid writing to your bank via email and consider any online store that requests that you send them private information via email suspect.

This same rule of avoiding placing financial information in emails to online businesses also holds true for personal emails. If, for example, you need to give your credit card information to your college-student child, it is far more secure to do so over the phone than via email.

4. Unsubscribing from newsletters you never subscribed to. A common technique used by spammers is to send out thousands of fake newsletters from organizations with an "unsubscribe" link on the bottom of the newsletter. Email users who then enter their email address into the supposed "unsubscribe" form are sent loads of spam, because they have just confirmed that the address is live and read. So if you don't specifically remember subscribing to the newsletter, you are better off just blocking the sender address rather than following the link and possibly picking up a Trojan horse or unknowingly signing yourself up for yet more spam.
Avoiding malware

1. Trusting your friend's email. Most new internet users are very careful when it comes to emails from senders they don't recognize. But when a friend sends an email, all caution goes out the window, as they assume it is safe because the sender wouldn't intend to hurt them. The truth is, an email from a friend's address is just as likely to contain a virus or malware as a stranger's. The reason is that most malware is circulated by people who have no idea they are sending it, because hackers are using their computer (or their compromised account) as a zombie, and a sender address can also be forged outright.

2. Deleting spam instead of blacklisting it. An email blacklist is a user-created list of email accounts labeled as spammers. When you 'blacklist' an email sender, you tell your email client to stop trusting emails from this particular sender and to start assuming that they are spam.

Unfortunately, new internet users are often timid about using the blacklist feature of their email client and instead just delete spam emails. While not every piece of spam is from a repeat sender, a surprising amount of it is. So by training yourself to hit the blacklist (or "report spam") button instead of the delete button when confronted with spam, you can, in the course of a few months, drastically limit the amount of spam that reaches your inbox.

3. Disabling the email spam filter. New email users typically do not start out with a lot of spam in their account and thus do not value the help that a spam filter can provide at the beginning of their email usage. Because no spam filter is perfect, the initial hassle of having to look through one's spam box for wrongly blocked emails leads many new users to simply disable the filter altogether.

However, as an email account gets older it tends to pick up more spam, and without the spam filter an account can quickly become unwieldy. So instead of disabling the filter early on, new internet users should take the time to whitelist emails from friends that get caught in the spam filter. Then, when the levels of spam start to pick up, the account will remain useful and fewer and fewer friends will get caught in the filter.

4. Failing to scan all email attachments. A large share of the malware that infects computers arrives as an email attachment. Yet many people still do not scan all incoming attachments. Maybe it is our experience with snail mail, but often when we see an email with an attachment from someone we know, we just assume that the mail and its attachment are safe. Of course that assumption is wrong, as most email-borne malware is sent by 'zombies' (infected computers that send out malware without the owner even knowing).

What makes this oversight even more scandalous is the fact that a number of free email providers scan attachments for you. For example, if you use Gmail or Yahoo! for your email, every email and attachment you send or receive is automatically scanned. So if you do not want to invest in a third-party scanner and your email provider does not scan attachments, you can forward attachments to an account at a provider that offers free virus scanning before opening them. Whatever scanner you rely on, remember that no scanner catches everything, so treat an unexpected attachment (especially an office document that asks you to "enable content" or macros, or any executable) as suspect even when it comes from a known sender.
Keeping hackers at bay

1. Sharing your account information with others. We've all done it: we need an urgent mail checked, and we call up our spouse or friend and ask them to check our email on our behalf. Of course we trust these people, but once the password is known to anybody other than you, your account is no longer as secure as it was.

The real problem is that your friend might not use the same security measures that you do. Your friend might be accessing his email through an unsecured wireless connection, he may not keep his anti-virus software up to date, or he might be infected with a keylogger that automatically steals your password once he enters it. So ensure that you are the only person who knows your personal access information, and if you write it down, do so in a way that outsiders won't easily understand what they are looking at if they happen to find your records.

2. Using simple and easy-to-guess passwords. Hackers use programs that scroll through common names to compile possible usernames, and then send spam emails to those addresses. When you open that spam email, a little hidden piece of code in the email (typically a remotely loaded image) reports back to the hacker that the account is valid, at which point they turn to the task of guessing your password.

Hackers often create programs which cycle through common English words and number combinations in order to guess a password. As a consequence, passwords that consist of a single word, a name or a date are frequently "guessed". So when creating a password, use uncommon number and letter combinations which do not form a word found in a dictionary. A strong password should have a minimum of eight characters (longer is better), be as meaningless as possible, and use upper- and lower-case letters, digits and symbols. A tough password means the hacker's program has to work through an enormous number of options before hitting yours; but remember that a guessing program never gets tired, so the password must also be unique to that account, and you should turn on two-factor authentication wherever the provider offers it. A password manager makes both of these easy.

3. Failing to encrypt your important emails. No matter how many steps you take to minimize the chance that your email is being monitored, you should assume that someone else could be watching whatever comes in and out of your computer. Given this assumption, it is important to encrypt your most sensitive emails so that if someone is monitoring your account, at least they can't read what you're saying.

While there are top-of-the-line email encryption services for those with a big budget, if you are new to email and just want a simple, cheap but effective solution, you can follow step-by-step instructions (about twenty minutes' work) to install PGP, the most common email encryption standard. Encrypting all your email may be unrealistic, but some mail is too sensitive to send in the clear, and for those emails PGP is an important security step. Keep in mind that PGP encrypts the message body and attachments only; the subject line and the sender and recipient addresses still travel in the clear.

4. Not encrypting your wireless connection. While encrypting your important emails makes it hard for hackers who have access to your email to understand what it says, it is even better to keep hackers from getting access to your emails in the first place.

One of the most vulnerable points on an email's trip from you to the recipient is the link between your laptop and the wireless router you use to connect to the internet. Consequently, it is important that you secure your Wi-Fi network with the WPA2 encryption standard (or WPA3 where your router and devices support it) and a long, unique network password; never use WEP or an open network. The upgrade process is relatively simple and straightforward, even for the newest internet user, and the fifteen minutes it takes are well worth the step up in email security.

5. Failing to use digital signatures. The law now recognizes email as an important form of communication for major undertakings such as signing a contract or entering into a financial agreement. While the ability to enter into these contracts online has made our lives easier, it has also created the added concern of someone forging your emails and entering into agreements on your behalf without your consent.

One way to combat email forgery is to use a digital signature whenever you sign an important email. A digital signature proves that the email was signed with your private key (not merely that it came from a particular computer) and that it has not been altered in transit. By establishing the habit of digitally signing important emails, you not only make it harder for the other party to an agreement to modify the email when they want to get out of it, but you also gain extra credibility when someone claims that you agreed to a contract via email that you never did.
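The password rules in item 2 above, and the Home banking rule later on this page (no full or partial Social Security number, at least eight characters, letters plus numerals plus symbols, nothing reused), can be turned into a checker. The Python below is an added example written for this handbook, not a tool the handbook recommends: it rejects the patterns the text says guessing programs try first (a single dictionary word with or without digits, a name, a date, a bare number such as a PIN or SSN, data an attacker could know about you) and reports the brute-force search space a password implies. The word lists are tiny constructed stand-ins for a real dictionary and breached-password set, and the allowance for long passphrases with fewer character classes is an assumption beyond the text.

```python
"""Check a password against the handbook's rules (added example).

The COMMON and WORDS sets are constructed stand-ins for a real dictionary
and a breached-password list. Passphrases of 16 or more characters are
accepted with fewer character classes; that allowance is an assumption
beyond the text, in line with current guidance.
"""
import math
import re

COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
          "admin", "monkey", "dragon", "football", "baseball", "abc123"}
WORDS = {"summer", "winter", "spring", "autumn", "secret", "hello", "money",
         "sunshine", "princess", "master", "shadow", "banking", "freedom"}
DATE = re.compile(r"^\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}$")
WORD_PLUS_DIGITS = re.compile(r"^([a-z]+)(\d{1,4})$", re.I)


def char_classes(pw):
    """Which of lower/upper/digit/symbol the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def keyspace_bits(pw):
    """log2 of the brute-force search space implied by length and classes."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
    pool = sum(sizes[k] for k, used in char_classes(pw).items() if used)
    return len(pw) * math.log2(pool) if pool else 0.0


def password_problems(pw, personal=()):
    """Return the reasons a password is weak (empty list = acceptable).
    `personal` holds strings an attacker could know: names, birth year, SSN."""
    problems = []
    low = pw.lower()
    digits = re.sub(r"\D", "", pw)
    classes = sum(char_classes(pw).values())
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if classes < 3 and len(pw) < 16:
        problems.append("uses fewer than three of lower/upper/digit/symbol")
    if low in COMMON:
        problems.append("on the common-password list")
    m = WORD_PLUS_DIGITS.match(pw)
    if (m and m.group(1).lower() in WORDS) or low in WORDS:
        problems.append("a dictionary word, optionally with digits")
    if pw.isdigit():
        problems.append("digits only (PIN or date style)")
    elif DATE.match(pw):
        problems.append("looks like a date")
    if len(digits) == 9 and digits == pw.replace("-", ""):
        problems.append("looks like a Social Security number")
    for item in personal:
        if len(item) >= 4 and item.lower() in low:
            problems.append(f"contains personal data '{item}'")
    for i in range(len(pw) - 2):
        a, b, c = (ord(x) for x in pw[i:i + 3])
        if a == b == c or (b == a + 1 and c == b + 1):
            problems.append(f"run of repeated or sequential characters at '{pw[i:i + 3]}'")
            break
    return problems


if __name__ == "__main__":
    # Constructed samples: the kind of passwords the text warns against.
    for candidate in ("Summer2017", "123-45-6789", "Alice1985!", "T7#kq!Vp2m$Lw"):
        print(f"{candidate!r}: {keyspace_bits(candidate):.0f} bits,",
              password_problems(candidate, personal=("Alice", "1985")) or "ok")
```

Search-space bits only measure resistance to blind brute force; the pattern checks matter more, because a guessing program tries dictionary words, names and dates long before it tries random strings.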
You might have been hacked if:

friends and family are getting emails or messages you didn't send
your Sent messages folder has messages you didn't send, or it has been emptied
your social media accounts have posts you didn't make
you can't log into your email or social media account

In the case of emails with random links, it's possible your email address was "spoofed," or faked, and hackers don't actually have access to your account. But you'll want to take action, just in case.

What to do when you've been hacked:

1. Update your system and delete any malware. Make sure your security software is up to date. If you don't have security software, get it, but install security software only from reputable, well-known companies. Then run it to scan your computer for viruses and spyware (aka malware). Delete any suspicious software and restart your computer.

Set your security software, internet browser and operating system (like Windows or Mac OS) to update automatically. Software developers often release updates to patch security vulnerabilities. Keep your security software, your browser and your operating system up to date to help your computer keep pace with the latest attacks.

2. Change your passwords. That's IF you're able to log into your email or social networking account. Someone may have gotten your old password and changed it. If you use similar passwords for other accounts, change them too. Make sure you create strong, unique passwords that will be hard to guess, and turn on two-factor authentication if the service offers it.

3. Check the advice your email provider or social networking site has about restoring your account. You can find helpful advice specific to the service. If your account has been taken over, you might need to fill out forms to prove it's really you trying to get back into your account.

4. Check your account settings. Once you're back in your account, make sure your signature and "away" message don't contain unfamiliar links, and that messages aren't being forwarded to someone else's address. Also check for unfamiliar recovery email addresses or phone numbers, connected apps and active sessions or devices, and remove any you don't recognize. On your social networking service, look for changes to the account since you last logged in, say, a new "friend."

5. Tell your friends. A quick email letting your friends know they might have gotten a malicious link or a fake plea for help can keep them from sending money they won't get back or installing malware on their computers. Put your friends' email addresses in the Bcc line to keep them confidential. You could copy and send this article, too.
Red Flags You're About to Get Scammed

Here's a list of 13 scam indicators you should watch out for when going through your inbox. Keep your guard up and you'll have much less to worry about.

1. Links that are the only content in the body of an email.
2. Bit.ly or otherwise shortened links that don't display the actual address.
3. Hyperlinked text (for the same reason as shortened links: there's no indication of what you would be clicking).
4. When in doubt, don't click. But to help you out, browsers like Google Chrome reveal a link's full address in the status bar when you hover over it with your mouse cursor.
5. Inordinate number of recipients. If you get an email with hundreds of email addresses in the recipient field, yet the message seems directed toward one person, your scam sense should be on high alert.
6. Vague, generic or nonexistent subject lines. Sure, you send emails without subjects to your friends all the time, but if an email pops up from an unrecognizable address with "(no subject)," be careful. The same goes for vague or generic subject lines, including "Fwd: private" or "Free to look!" If you have no idea what you're opening, it's probably best to leave it alone.
7. Intense enthusiasm. WHEN IT COMES TO EMAIL SECURITY, CAPS LOCK CAN BE MORE THAN JUST ANNOYING: it can indicate spam. Overly enthusiastic emails with emphasis and exclamations (e.g. "I JUST LOST 45 lbs W/ THE X-Fit fitness program!!1!!") are surefire signs that the information isn't what it seems.
8. Grammar and spelling. You don't have to be a grammar nut to notice odd mistakes in scam emails. Look out for questionable syntax and major typos, especially if the email supposedly comes from a reputable company or bank. Also watch out for scammers that purposely misspell words (swapping letters for look-alike digits or symbols) to slip past your spam filter.
9. Strange requests. This one's easy: if someone is emailing you for medical assistance or writes, "Help me cheat on my husband," it's just not legit. That's what emergency contacts are for.
10. Urgency. People don't typically use email to send urgent messages of an emergency nature. If you get an email that claims a situation is a matter of life or death (or a desperate person who needs money wired now), it's safe to assume the sender wouldn't be targeting you, a stranger, in the first place.
11. Sensitive information requests. Unfortunately, people accidentally send sensitive information to scammers more often than you would expect. This is how smart scammers operate: many ask for personal information (credit card numbers, passwords) and disguise emails to look official. Companies, schools, banks and other institutions won't ask you to transmit sensitive information in an email.
12. Name-sender disagreement. Scam emails often show a display name that doesn't match the actual sending address, to dupe the recipient. Check the address before assuming something is true.
13. Surefire guarantees. You should know by now that nothing on the Internet is guaranteed. Promises to boost your sex life or make quick money working from home shouldn't be taken seriously. "Watch this video and women will adore you"? More like, "Click this link and regret it."

Visit http://www.FraudSmarts.com/tools for resources that will help you stay safe and test for fraud, viruses and malware.
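Most of the "Signs of phishing" listed earlier and the red flags above can be checked mechanically. The Python below is an added example written for this handbook, not a tool the handbook recommends: it parses a raw email and reports a generic greeting, urgency or threats, a request for sensitive data, a Reply-To that leads to a different domain than the From address, shortened links, link text that disagrees with the real target, links that point away from the sender's domain, hype in the subject line, a crowd of recipients, and a body that is nothing but a link. The two sample messages are constructed for the example (all domains end in .example) and the registrable-domain helper is a deliberate simplification.

```python
"""Score an email for the phishing signs listed in the text (added example).

Not part of the handbook. The sample messages are constructed; the
registrable() helper assumes single-label TLDs, which is enough for a demo
but not for production use.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
GENERIC = ("dear customer", "dear user", "dear member", "dear account holder")
URGENCY = ("immediately", "within 24 hours", "suspended", "shut down",
           "legal action", "urgent", "act now", "security compromise")
SENSITIVE = re.compile(r"\b(password|social security|account number|"
                       r"credit card|pin|verify your account|confirm your)\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL = re.compile(r'https?://[^\s"<>]+', re.I)
MANY_RECIPIENTS = 20


def registrable(host):
    """'mail.example.org' -> 'example.org' (crude; assumes one-label TLDs)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def phishing_flags(raw):
    """Return a list of (code, detail) pairs; an empty list means no signs."""
    msg = message_from_string(raw, policy=default)
    flags = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", content)        # strip tags for the word checks
    haystack = (subject + " " + text).lower()

    if any(g in haystack for g in GENERIC):
        flags.append(("generic_greeting", "no personal name used"))
    hits = [u for u in URGENCY if u in haystack]
    if hits:
        flags.append(("urgency", ", ".join(hits)))
    m = SENSITIVE.search(haystack)
    if m:
        flags.append(("sensitive_request", m.group(0)))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply and registrable(reply.rsplit("@", 1)[-1]) != from_dom:
        flags.append(("replyto_mismatch", reply))        # name-sender disagreement
    if not subject.strip():
        flags.append(("no_subject", ""))
    elif "!!" in subject or subject.isupper():
        flags.append(("subject_hype", subject))
    rcpts = getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])
    if len(rcpts) > MANY_RECIPIENTS:
        flags.append(("many_recipients", str(len(rcpts))))

    links = []
    for href, label in ANCHOR.findall(content):
        links.append(href)
        shown = URL.search(re.sub(r"<[^>]+>", "", label))
        # The address the reader sees is not where the link really goes.
        if shown and host_of(shown.group(0)) != host_of(href):
            flags.append(("link_text_mismatch", f"{shown.group(0)} -> {href}"))
    links += URL.findall(text)
    for href in links:
        h = host_of(href)
        if h in SHORTENERS:
            flags.append(("shortened_link", href))
        elif from_dom and registrable(h) != from_dom:
            flags.append(("link_offsite", href))
    if links and not URL.sub("", text).strip():
        flags.append(("link_only_body", ""))
    return flags


def phishing_codes(raw):
    return {code for code, _ in phishing_flags(raw)}


# Constructed samples for the example (domains under .example are reserved).
PHISH = "\n".join([
    'From: "PayPal Security" <service@paypa1-secure.example>',
    "Reply-To: recover@mail-relay.example",
    "To: victim@example.org",
    "Subject: URGENT: Your account will be suspended!!",
    "Content-Type: text/html",
    "",
    "<html><body><p>Dear Customer,</p>",
    "<p>We detected a security compromise. You must verify your account",
    "within 24 hours or it will be shut down.</p>",
    '<p><a href="http://bit.ly/3abc">https://www.paypal.example/login</a></p>',
    "</body></html>",
])
BENIGN = "\n".join([
    'From: "Alice Example" <alice@example.org>',
    "To: bob@example.org",
    "Subject: Notes from Tuesday's meeting",
    "Content-Type: text/plain",
    "",
    "Hi Bob,",
    "",
    "Here are the notes we discussed: https://wiki.example.org/notes/2017-03",
    "Thanks,",
    "Alice",
])

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, phishing_flags(raw))
```

No single flag is proof; a real mail filter weights them and also checks the message's authentication results, which this example does not parse.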
Gift/Reward cards

There are several traps that target people selling gift cards.

1. In one scam, fraudsters pay you for a card (or the code on the card), but then dispute or cancel the charge after they have already used the gift card.
2. In another, they ask you to buy a bunch of gift cards in exchange for an item on an auction site, and then never actually send you the purchase.

To avoid becoming a victim, take several precautions when you use gift card websites.

1. Check reviews of any website you use.
2. Always review gift card balances before and after purchasing the card.
3. If you are selling a gift card, don't ever give out the card's PIN until your payment transaction is complete and the funds can no longer be reversed.
4. Be wary of auction sites selling gift cards at a discount or in bulk.
5. If you are buying a gift card in a store, examine the protective scratch-off area on the back of the card for evidence of tampering.
6. Beware of social media postings offering vouchers or gift cards: fraudulent messages can sometimes appear to have been shared by a friend when they really come from a scam artist.

You can protect yourself from gift card fraud by following a few simple precautions.

1. Don't buy gift cards displayed prominently within the store. Ask sales clerks to sell you cards from the back room or from behind the customer service desk.
2. Examine cards and packaging for signs of tampering. Don't buy a card where the coating covering the PIN has been scratched away or the activation sticker isn't firmly affixed.
3. Spend the gift card as soon as possible. Don't put the card in a drawer for months. The longer consumers take to spend their gift cards, the more time thieves have to do it for them.
4. Beware of online exchanges and auction sites. Only buy cards from reputable online exchanges or auction sites, because of the possibility of buying stolen cards.
Home banking
The beauty of online accounts is that you can monitor them almost in real time. That means you can catch crooks long before a statement arrives in the mail.
1. Don't use your account on an unknown computer. Unless you are sure a computer is secure, be wary of using an unknown computer. Computers can record pages viewed and keystrokes entered, among other possible security violations. Granted, this will not be your experience on most computers, but be careful.
2. Don't use your computer at work. Even if it's on your lunch hour and on your own time, employers can monitor computer usage and even typing (although most don't). While your company might not care how much money is in your accounts, those who are paid to monitor Internet and email use will also have access to this information. You can use your computer at work, just be aware of the risks.
3. Shred or securely store your paper bank statements. One of the advantages of online banking is that your records are stored securely online. However, if your financial institution sends you monthly statements about your account or another account you have with them, be aware that these statements can include log-in information as well as account numbers that can be used to access your account. You should shred these documents when you are done with them or store them in a secure place.
4. Understand security and online banking. You have taken a good first step by reviewing the information on this site and this list of security measures that you can take, but make sure you continue to be aware of the security measures your financial institution employs.
5. Passwords. Don't use your full or partial Social Security number as a Personal Identification Number (PIN), user ID or password. Make sure that your password is 8 or more characters and combines letters, numerals and symbols. Don't use the same user ID and password for your financial accounts as you do for other sites.
6. Consider a screen lock on your mobile device. Many mobile phones offer this option, as well as other customizable security settings, that can help keep your phone and information secure.
7. Smart Phones. Don't use your mobile device to store sensitive personal information or bank account numbers.
8. Email. Never respond to urgent email claiming to be from a bank or any company that requests your account information or personal details. Forward these emails to your financial institution.
9. Social Networks. Limit the amount of personal information you provide on social networking sites. The more information you post, the easier it may be for a criminal to use that information to steal your identity, access your data or commit other crimes.
Be cautious about messages you receive on social networking sites that contain links. Even links that look like they come from friends can sometimes be harmful or fraudulent, and in fact may be attempts to gain control of your computer or steal your personal information. If you're suspicious, don't click the link. Contact your friend or the business directly to verify the validity of the email.
10. Computer. Keep your computer operating system and browser up to date with the latest software and security downloads. Often called patches or service packs, these should be installed as soon as possible.
11. Email. Don't open attachments or install free software from unknown sources; this may expose your computer and the information on it to unauthorized sources.
Home network
How to secure an 802.11 b/g/n wireless home network. Securing a wireless network is very important because if you don't, criminals can not only borrow your Internet connection, but also access your files and check up on what you're doing. Even worse, hackers can use your internet connection to upload illegal materials.
1. Connect to your router via your browser, by inputting something called a Gateway IP Address.
To find your Gateway IP Address and connect to it in Windows:
Click Start > Run > type 'cmd' > click 'Enter'
Once the Command Prompt window opens, type 'ipconfig /all' and hit 'Enter'
Locate the line labeled 'Gateway' and make note of the number that follows. It will look similar to '192.168.1.1'
Open Internet Explorer (or your favorite browser)
Enter the Gateway IP Address into the address bar and click 'Enter'
To find your Gateway IP Address and connect to it on a Mac:
Open your Finder and run 'Terminal' inside of Applications > Utilities
Once the terminal window opens, type 'ipconfig -a' and hit 'Enter'
Locate the line labeled 'Gateway' and make note of the number that follows. It will look similar to '192.168.1.1'
Open Safari (or your favorite browser)
Enter the Gateway IP Address into the address bar and click 'Enter'
2. Enable encryption on your access point. Using 128-bit encryption or higher makes your Wireless Network more secure. WEP and WPA are entirely different encryption schemes. WEP has been proven insecure and can be cracked in a few minutes using free utilities that can be downloaded from the Internet. Using at least WPA is recommended, because it is much more secure, but is sometimes a bit harder to set up correctly than WEP is, and isn't completely secure.[1][2] Some older access points or wireless cards do not support WPA2. If you have one of these, it is recommended that you purchase a newer one that supports WPA2, depending on how important you consider your security.
3. Set the router access password. Anybody who gains access to the router configuration settings can disable the security you have set up. If you forget the password, most routers have a hardware reset that will restore all of the settings to factory defaults. The best option is to use a random sequence of the maximum length of characters; you only have to type that once, so it is not a big thing. When you connect to the router via LAN cable while setting it up, you can copy and paste the password onto the router and onto your local setting, so you never need to type it again.
Use a secure password. Don't use easily guessed passwords for your WPA2 or router access passwords, such as "ABC123", "Password", or a string of numbers in order. Use something hard to guess that contains both upper and lower case letters as well as numbers. Special characters such as !@#$% are not supported by some routers. The longer the key, the better, although the WPA2 key has a minimum and maximum length. Try to make a little mental effort: good passwords might be hard to remember, but they are harder to crack.
If you use a weak key then even WPA and WPA2 can be easily cracked within a day using a combination of special precomputed tables and dictionary attacks. The best way to generate a secure key is to use an offline random number generator, or write the entire alphabet in upper case and lower case and numbers 0-9 on separate pieces of paper, mix the paper up and randomly pick up pieces and return them, mixing them up again each time; each character you pull out becomes a character in your key. You can also try throwing a pair of dice and using the resulting numbers as your password.
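As an added example (not code from the handbook), the following Python script turns the password advice in this section and in item 5 of the Home banking list above into checks you can actually run: the banking rule (8 or more characters mixing letters, numerals and symbols, no full or partial Social Security number), the router rule (nothing like "ABC123", "Password" or a string of digits in order; a mix of upper case, lower case and numbers; a key within the WPA2 length limits) and a key generator that draws from the operating system's random number source, which is the software version of the shuffled paper slips described above. The weak-password list, the sample SSN and the 8-63 character WPA2 passphrase limits are assumptions made for this example and marked as such in the code.

```python
"""Password checks and an offline WPA2 passphrase generator.

Added example, not code from the handbook. It implements the handbook's
rules for banking passwords and router/WPA2 keys. The denylist, the sample
SSN and the 8-63 character WPA2 passphrase limits are assumptions made for
this example.
"""
import secrets
import string

# Constructed denylist standing in for the handbook's "easily guessed" examples.
WEAK_PASSWORDS = {"abc123", "password", "12345678", "qwerty", "letmein"}

# Assumed WPA2-Personal passphrase limits (the handbook only says a minimum
# and a maximum exist).
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63


def _is_sequential_digits(s: str) -> bool:
    """True for a string of digits that rises or falls by one, e.g. 12345678."""
    if not s.isdigit() or len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_banking_password(password: str, ssn: str = "") -> list:
    """Return the handbook rules a banking password/PIN breaks (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numerals")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    digits = ssn.replace("-", "")
    # Reject the full SSN and any 4-digit run of it (the last four are a common PIN).
    if digits and any(digits[i:i + 4] in password for i in range(len(digits) - 3)):
        problems.append("contains part of the Social Security number")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("commonly used password")
    return problems


def check_wpa2_key(key: str) -> list:
    """Return the handbook rules a router/WPA2 key breaks (empty = passes)."""
    problems = []
    if not WPA2_MIN_LEN <= len(key) <= WPA2_MAX_LEN:
        problems.append("length must be %d-%d characters" % (WPA2_MIN_LEN, WPA2_MAX_LEN))
    if not all(32 <= ord(c) < 127 for c in key):
        problems.append("only printable ASCII is allowed")
    if key.lower() in WEAK_PASSWORDS:
        problems.append("easily guessed password")
    if _is_sequential_digits(key):
        problems.append("digits in sequence")
    has_mix = (any(c.islower() for c in key) and any(c.isupper() for c in key)
               and any(c.isdigit() for c in key))
    if not has_mix:
        problems.append("mix upper case, lower case and numbers")
    return problems


def generate_wpa2_key(length: int = 32,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Draw a key from the OS CSPRNG, the software equivalent of the handbook's
    shuffled paper slips. The default alphabet leaves out special characters
    because some routers reject them; pass a wider alphabet if yours accepts
    them. Redraws until the key passes check_wpa2_key."""
    if not WPA2_MIN_LEN <= length <= WPA2_MAX_LEN:
        raise ValueError("WPA2 key length must be %d-%d" % (WPA2_MIN_LEN, WPA2_MAX_LEN))
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_wpa2_key(key):
            return key


if __name__ == "__main__":
    print("generated WPA2 key:", generate_wpa2_key())
    print("banking check:", check_banking_password("Tr!ck3y-P@ss", "123-45-6789"))
```

Copy the generated key into the router over the LAN cable as the section describes; the generator never writes it anywhere, so there is nothing to clean up afterwards.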
4. Change the Service Set Identifier (the network name or "SSID") from the default to something unique. A default SSID indicates to hackers that the network was set up by a novice and that other options (such as the password) are also left as the default. Use a name you can remember and identify, as the SSID has no influence on the security of your network (not even if you choose not to broadcast it).
5. Enable MAC Address filtering on your Access Point or router. A MAC (not to be confused with the computer model 'Mac') address is a code unique to every wireless networking card in existence. MAC Address filtering will register the hardware MAC Address of your networked devices, and only allow devices with known MAC Addresses to connect to your network. However, hackers can clone MAC addresses and still enter your network, so MAC address filtering should not be used in place of proper WPA2 encryption.
6. Don't disable the 'SSID Broadcast'. Do not disable the 'SSID Broadcast' feature of your Access Point or router. This seems counter-intuitive, but it is actually a bad idea.[3] Although this would make your network invisible to your neighbors, any determined hacker can still sniff out your SSID; and you are implicitly forcing your computer to shout out your SSID anywhere you are, while it is trying to connect to it. Anyone could then impersonate your router with that SSID, and get your credentials that way.
7. Disable remote login. The first router worm brute forces its way into the router in this manner. Most default usernames are set to Admin. It isn't hard for a virus/worm to crack the password if the username is known. The good thing is that routers normally have this disabled by default. Be sure to confirm that it is disabled when you first set up your router and periodically thereafter. If you need to update your router setting remotely, only set up access for the time you are going to be connected.
8. Disable wireless administrating. Finally, change the setting that allows administrating the router through a wireless connection to 'off' (meaning that you need to connect with a LAN cable for administration). This disables any wireless hacking into the router.
Visit http://www.FraudSmarts.com/tools for more resources to help you secure your home network.
I.D. theft
What Do Thieves Do With Your Information?
Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance. An identity thief can file a tax refund in your name and get your refund. In some extreme cases, a thief might even give your name to the police during an arrest.
Warning Signs of Identity Theft
1. You see withdrawals from your bank account that you can't explain.
2. You don't get your bills or other mail.
3. Merchants refuse your checks.
4. Debt collectors call you about debts that aren't yours.
5. You find unfamiliar accounts or charges on your credit report.
6. Medical providers bill you for services you didn't use.
7. Your health plan rejects your legitimate medical claim because the records show you've reached your benefits limit.
8. A health plan won't cover you because your medical records show a condition you don't have.
9. The IRS notifies you that more than one tax return was filed in your name, or that you have income from an employer you don't work for.
10. You get notice that your information was compromised by a data breach at a company where you do business or have an account.
If your wallet, Social Security number, or other personal information is lost or stolen, there are steps you can take to help protect yourself from identity theft.
How to keep your identity private
The only thing an identity thief needs is your Social Security Number, your birth date or, sometimes, identifying information as basic as your address, driver's license number and phone number.
Some of the places identity thieves get this information include:
1. Purses/wallets
2. Personal information kept in your car (especially your glove box)
3. Receipts tossed in the trash
4. Overhearing conversations you have in public
5. Information stolen from your mailbox
6. Diverting your mail to another location by filling out a "change of address form"
7. Looking over your shoulder when you use your credit cards or the ATM.
8. Observing users typing their login credentials, credit/calling card numbers etc. into IT equipment located in public places.
9. Rummaging through rubbish for personal information (dumpster diving)
10. Retrieving personal data from redundant IT equipment and storage media including PCs, servers, PDAs, mobile phones, USB memory sticks and hard drives that have been disposed of carelessly at public dump sites, given away or sold on without having been properly sanitized
11. Using public records about individual citizens, published in official registers such as electoral rolls
12. Stealing bank or credit cards, identification cards, passports, authentication tokens... typically by pickpocketing, housebreaking or mail theft
13. Common-knowledge questioning schemes that offer account verification and compromise: "What's your mother's maiden name?", "What was your first car model?", or "What was your first pet's name?" etc.
14. Skimming information from bank or credit cards using compromised or hand-held card readers, and creating clone cards
15. Using 'contactless' credit card readers to acquire data wirelessly from RFID-enabled passports
16. Stealing personal information from computers using breaches in browser security or malware such as Trojan horse keystroke logging programs or other forms of spyware
17. Hacking computer networks, systems and databases to obtain personal data, often in large quantities
18. Exploiting breaches that result in the publication or more limited disclosure of personal information such as names, addresses, Social Security numbers or credit card numbers
19. Advertising bogus job offers in order to accumulate resumes and applications typically disclosing applicants' names, home and email addresses, telephone numbers and sometimes their banking details
20. Exploiting insider access and abusing the rights of privileged IT users to access personal data on their employers' systems
21. Infiltrating organizations that store and process large amounts of, or particularly valuable, personal information
22. Impersonating trusted organizations in emails, SMS text messages, phone calls or other forms of communication in order to dupe victims into disclosing their personal information or login credentials, typically on a fake corporate website or data collection form (phishing)
23. Brute-force attacking weak passwords and using inspired guesswork to compromise weak password reset questions
24. Obtaining castings of fingers for falsifying fingerprint identification.
25. Browsing social networking websites for personal details published by users, often using this information to appear more credible in subsequent social engineering activities
26. Diverting victims' email or post in order to obtain personal information and credentials such as credit cards, billing and bank/credit card statements, or to delay the discovery of new accounts and credit agreements opened by the identity thieves in the victims' names
27. Using false pretenses to trick individuals, customer service representatives and help desk workers into disclosing personal information and login details or changing user passwords/access rights (pretexting)
28. Stealing checks to acquire banking information, including account numbers and bank routing numbers
29. Guessing Social Security numbers by using information found on Internet social networking sites.
30. Low security/privacy protection on photos that are easily clickable and downloaded on social networking sites.
31. Befriending strangers on social networks and taking advantage of their trust until private information is given.
Child Identity Theft
Identity theft on a child can go undiscovered for years. While parents may have a system of alerts and credit checks to protect their own credit, kids are easier targets. You may not become aware until your child is turned down for a job or loan due to a horrible credit history.
Signs that your child's credit history has been compromised include:
1. Your child is denied a bank account or driver's license
2. Credit card and loan offers addressed to your child
3. Collection calls or bills addressed to your child
4. Being turned down for government benefits because the Social Security number is already in use
5. A notice from the IRS that your child owes income taxes or was claimed as a dependent on another return
Don't immediately panic if you receive a credit card offer in your child's name. Financial companies sometimes mistakenly send credit card offers to a minor, but be on alert if you suddenly start receiving a lot of mail that would typically be for adults.
Check Your Child's Credit Report
It isn't as easy to check a child's credit report as it is to check your own. You'll have to mail or fax in documentation proving you are the parent or guardian. Experian, Equifax, and TransUnion each have their own process for checking a minor's credit report. To learn more, please visit:
https://www.fraudsmarts.com/identity
Internet of Things
As consumers buy more smart watches, activity trackers, holographic headsets, and other Internet of Things (IoT) devices, the need for improved security on these devices will become more pressing. Online criminals could exploit these new devices to conduct data breaches, corporate or government espionage, and damage critical infrastructure like electrical grids.
For Smart T.V. Security
1. If your smart TV runs on the Android platform, go to the Google Play store and download any of the security apps designed to protect your Android smartphone.
2. If your Wi-Fi router allows you to create multiple accounts, set up a guest account for your TV. This way it is not on the same network as the PC and laptop where you do all of your sensitive work.
3. Make sure that "firmware" (permanent software built into a computing device's read-only memory) is up to date when you first use the TV, and set it to automatically accept future firmware updates as they become available.
4. Be careful when installing new applications because they could be hiding malware. Your best bet: avoid apps from unknown sources and non-official locations.
5. Limit what you do online via that television. Even though these TVs make it easy to get online, don't use them to do anything that involves account numbers, PINs, passwords or other sensitive information.
6. Don't do any kind of financial transaction through your TV; it is a really bad idea.
The top 10 internet of things vulnerabilities
Insecure web interface
Overview: An attacker uses weak credentials, captures plain-text credentials or enumerates accounts to access the web interface.
How Do I Make My Web Interface Secure?
1. Default passwords and ideally default usernames to be changed during initial setup
2. Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
3. Ensuring the web interface is not susceptible to XSS, SQLi or CSRF
4. Ensuring credentials are not exposed in internal or external network traffic
5. Ensuring weak passwords are not allowed
6. Ensuring account lockout after 3-5 failed login attempts
Insufficient authentication or authorization
Overview: An attacker uses weak passwords, insecure password recovery mechanisms, poorly protected credentials or lack of granular access control to access a particular interface.
How Do I Make My Authentication/Authorization Better?
Sufficient authentication/authorization requires:
1. Ensuring that strong passwords are required
2. Ensuring granular access control is in place when necessary
3. Ensuring credentials are properly protected
4. Implementing two factor authentication where possible
5. Ensuring that password recovery mechanisms are secure
6. Ensuring re-authentication is required for sensitive features
7. Ensuring options are available for configuring password controls
Insecure network services
Overview: An attacker uses vulnerable network services to attack the device itself or bounce attacks off the device.
How Do I Secure My Network Services?
1. Ensuring only necessary ports are exposed and available.
2. Ensuring services are not vulnerable to buffer overflow and fuzzing attacks.
3. Ensuring services are not vulnerable to DoS attacks which can affect the device itself or other devices and/or users on the local network or other networks.
4. Ensuring network ports or services are not exposed to the internet via UPnP, for example
Lack of transport encryption
Overview: An attacker uses the lack of transport encryption to view data being passed over the network.
How Do I Use Transport Encryption?
1. Ensuring data is encrypted using protocols such as SSL and TLS while transiting networks.
2. Ensuring other industry standard encryption techniques are utilized to protect data during transport if SSL or TLS are not available.
3. Ensuring only accepted encryption standards are used and avoiding the use of proprietary encryption protocols
Privacy concerns
Overview: An attacker uses multiple vectors such as insufficient authentication, lack of transport encryption or insecure network services to view personal data which is not being properly protected or is being collected unnecessarily.
How Do I Prevent Privacy Concerns?
1. Ensuring only data critical to the functionality of the device is collected
2. Ensuring that any data collected is of a less sensitive nature (i.e., try not to collect sensitive data)
3. Ensuring that any data collected is de-identified or anonymized
4. Ensuring any data collected is properly protected with encryption
5. Ensuring the device and all of its components properly protect personal information
6. Ensuring only authorized individuals have access to collected personal information
7. Ensuring that retention limits are set for collected data
8. Ensuring that end-users are provided with "Notice and Choice" if data collected is more than what would be expected from the product
Insecure cloud interface
Overview: An attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the cloud website.
How Do I Secure My Cloud Interface?
1. Default passwords and ideally default usernames to be changed during initial setup
2. Ensuring user accounts cannot be enumerated using functionality such as password reset mechanisms
3. Ensuring account lockout after 3-5 failed login attempts
4. Ensuring the cloud-based web interface is not susceptible to XSS, SQLi or CSRF
5. Ensuring credentials are not exposed over the internet
6. Implementing two factor authentication if possible
Insecure mobile interface
Overview: An attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the mobile interface.
How Do I Secure My Mobile Interface?
1. Default passwords and ideally default usernames to be changed during initial setup
2. Ensuring user accounts cannot be enumerated using functionality such as password reset mechanisms
3. Ensuring account lockout after 3-5 failed login attempts
4. Ensuring credentials are not exposed while connected to wireless networks
5. Implementing two factor authentication if possible
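The web, cloud and mobile interface lists above all ask for the same two server-side behaviours: lock the account after a small number of failed logins, and make sure neither the login failure nor the password reset path tells an attacker which usernames exist. The following Python module is an added example (not code from the handbook or from any device vendor) showing both in one place. The in-memory account store, the injectable clock, the 15-minute lockout window, the PBKDF2 work factor and the sample users are all assumptions constructed for the example.

```python
"""Account lockout and enumeration-resistant password reset.

Added example, not code from the handbook or any device vendor. It shows
what the web, cloud and mobile interface lists ask for: lock the account
after a small number of failed logins, answer unknown and known usernames
identically, and make the password reset path say the same thing whether or
not the account exists. The in-memory store, the fake clock, the lockout
window, the PBKDF2 work factor and the sample users are constructed.
"""
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5       # handbook: lock out after 3-5 failed attempts
LOCKOUT_SECONDS = 15 * 60     # assumed lockout window
PBKDF2_ITERATIONS = 100_000   # assumed work factor for password hashing


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.failed = 0            # consecutive failures since last success/lock
        self.locked_until = 0.0    # epoch seconds; 0 means not locked


class LoginService:
    # One message for every failure: wrong password, unknown user or locked
    # account all read the same, so the reply cannot be used to enumerate accounts.
    GENERIC_FAILURE = "invalid username or password"
    RESET_MESSAGE = "If that account exists, a reset link has been sent to its email address."

    def __init__(self, clock=time.time):
        self.clock = clock                          # injectable for testing
        self.accounts = {}
        self.pending_resets = {}                    # username -> token (sent by email)
        self._decoy_salt = secrets.token_bytes(16)  # used to equalise timing

    def add_account(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, password)

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and self.clock() < acct.locked_until

    def login(self, username: str, password: str):
        """Return (success, message)."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Spend the same hashing cost for unknown users so response time
            # does not reveal which usernames exist.
            _hash_password(password, self._decoy_salt)
            return False, self.GENERIC_FAILURE
        if now < acct.locked_until:
            # Right password or not, a locked account does not open.
            return False, self.GENERIC_FAILURE
        if hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            acct.failed = 0
            return True, "ok"
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed = 0
        return False, self.GENERIC_FAILURE

    def request_password_reset(self, username: str) -> str:
        """Same reply for existing and non-existing accounts."""
        acct = self.accounts.get(username)
        if acct is not None:
            # The token leaves only out of band (email); it is never in the HTTP reply.
            self.pending_resets[username] = secrets.token_urlsafe(32)
        return self.RESET_MESSAGE
```

Two design points worth noting: the lockout is enforced before the password is checked, so a correct password cannot be used to probe whether an account is locked, and the unknown-user path pays the same hashing cost as the known-user path so that response time does not become the enumeration channel the error message was closed to.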
Insufficient security configuration
Overview: An attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also use the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device and/or data.
How Do I Improve My Security Configurability?
1. Ensuring the ability to separate normal users from administrative users
2. Ensuring the ability to encrypt data at rest or in transit
3. Ensuring the ability to force strong password policies
4. Ensuring the ability to enable logging of security events
5. Ensuring the ability to notify end users of security events
Insecure software or firmware
Overview: An attacker uses multiple vectors such as capturing update files via unencrypted connections, an update file that is itself not encrypted, or the ability to perform their own malicious update via DNS hijacking.
How Do I Secure My Software/Firmware?
1. Ensuring the device has the ability to update (very important)
2. Ensuring the update file is encrypted using accepted encryption methods
3. Ensuring the update file is transmitted via an encrypted connection
4. Ensuring the update file does not expose sensitive data
5. Ensuring the update is signed and verified before allowing the update to be uploaded and applied
6. Ensuring the update server is secure
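Item 5 is the check that defeats the DNS-hijacking and captured-update vectors in the overview: whatever path an update arrives by, the device must authenticate it before a single byte is written. The Python module below is an added example (not the handbook's or any vendor's code) of that verify-before-apply order. It also refuses downgrades, an anti-rollback check that goes a step beyond the list's wording. HMAC-SHA256 with a shared key stands in for the asymmetric signature a shipped device would verify with a vendor public key; the image bytes, the key and the version numbers are constructed for the example.

```python
"""Verify-before-apply for a firmware update.

Added example, not the handbook's or any vendor's code. Nothing is applied
until the manifest is authenticated, the image matches the manifest's
digest, and the version is newer than the installed one (anti-rollback,
added here beyond the list's wording). HMAC-SHA256 with a shared key stands
in for the asymmetric signature a real device would verify with a vendor
public key; image bytes, key and versions are constructed.
"""
import hashlib
import hmac
import json


class UpdateRejected(Exception):
    """Raised for any update that must not be applied."""


def build_update(image: bytes, version: int, signing_key: bytes) -> dict:
    """Vendor side: describe the image in a manifest and authenticate the manifest."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(signing_key, manifest_bytes, "sha256").hexdigest()
    return {"manifest": manifest_bytes, "tag": tag, "image": image}


def verify_update(update: dict, verify_key: bytes, installed_version: int) -> dict:
    """Device side: authenticate first, parse second, then check image and version."""
    expected = hmac.new(verify_key, update["manifest"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, update["tag"]):
        raise UpdateRejected("manifest authentication failed")
    manifest = json.loads(update["manifest"])   # parsed only after the tag checks out
    image = update["image"]
    if len(image) != manifest["size"]:
        raise UpdateRejected("image size does not match manifest")
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        raise UpdateRejected("image digest does not match manifest")
    if manifest["version"] <= installed_version:
        raise UpdateRejected("refusing downgrade or reinstall of version %d" % manifest["version"])
    return manifest


def apply_update(update: dict, verify_key: bytes, installed_version: int) -> int:
    """Return the new version once every check passes; raise UpdateRejected otherwise."""
    manifest = verify_update(update, verify_key, installed_version)
    # A real device writes update["image"] to the inactive firmware slot here,
    # and only here: no earlier step touches persistent storage.
    return manifest["version"]


def try_apply(update: dict, verify_key: bytes, installed_version: int):
    """Convenience wrapper returning (applied, new version or rejection reason)."""
    try:
        return True, apply_update(update, verify_key, installed_version)
    except UpdateRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = b"constructed-vendor-key"
    image = b"\x7fELF constructed firmware image v2"
    print(try_apply(build_update(image, 2, key), key, installed_version=1))
```

The order of the checks matters: the manifest is authenticated before it is parsed, so malformed JSON from an unauthenticated source never reaches the parser, and the image is compared against the authenticated digest rather than trusted on its own.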
Poor physical security
Overview: An attacker uses vectors such as USB ports, SD cards or other storage means to access the Operating System and potentially any data stored on the device.
How Do I Physically Secure My Device?
1. Ensuring the data storage medium cannot be easily removed.
2. Ensuring stored data is encrypted at rest.
3. Ensuring USB ports or other external ports cannot be used to maliciously access the device.
4. Ensuring the device cannot be easily disassembled.
5. Ensuring only the external ports, such as USB, that are required for the product to function are present
6. Ensuring the product has the ability to limit administrative capabilities
Investment fraud
These schemes, sometimes referred to as high yield investment fraud, involve the illegal sale or purported sale of financial instruments. Financial instruments are defined broadly as any contract that gives rise to a financial asset of one entity and a financial liability or equity instrument to another entity. These instruments can be a tradeable asset of any kind, to include registered securities and commodities and unregistered securities (e.g. a simple promissory note between the fraudster and his/her victim investors). Schemes take on many forms, and perpetrators quickly alter schemes as they are thwarted by law enforcement.
1. Ponzi Schemes: A Ponzi scheme is an investment fraud that involves the payment of purported returns to existing investors from funds contributed by new investors. Ponzi schemes often share common characteristics, such as offering overly consistent returns, unregistered investments, high returns with little or no risk, or secretive or complex strategies. This arrangement gives investors the impression there is a legitimate, money-making enterprise behind the subject's story, but in reality, unwitting investors are the only source of funding.
2. Affinity Fraud: Perpetrators of affinity fraud take advantage of the tendency of people to trust others with whom they share similarities, such as religion or ethnic identity, to gain their trust and money.
3. Pyramid Schemes: In pyramid schemes, as in Ponzi schemes, money collected from new participants is paid to earlier participants. In pyramid schemes, however, participants receive commissions for recruiting new participants into the scheme.
4. Prime Bank Investment Fraud: In these schemes, perpetrators claim to have access to a secret trading program endorsed by large financial institutions such as the Federal Reserve Bank, Treasury Department, World Bank, International Monetary Fund, etc. Perpetrators often claim the unusually high rates of return and low risk are the result of a worldwide "secret" exchange open only to the world's largest financial institutions. Victims are often drawn into prime bank investment frauds because the criminals use sophisticated terms, legal-looking documents, and claim the investments are insured against loss.
5. Advance Fee Fraud: Advance fee schemes require victims to advance relatively small sums of money in the hope of realizing much larger gains. Not all advance fee schemes are investment frauds. In those that are, however, victims are told that in order to have the opportunity to be an investor (in an initial offering of a promising security, investment or commodity, etc.), the victim must first send funds to cover taxes or processing fees, etc.
6. Promissory Notes: These are generally short-term debt instruments issued by little-known or nonexistent companies. The notes typically promise high returns with little or no risk and are typically not registered as securities with the appropriate regulatory agency.
7. Commodities Fraud: Commodities fraud is the sale or purported sale of a commodity through illegal means. Commodities are raw materials or semi-finished goods that are relatively uniform in nature and are sold on an exchange (e.g., gold, pork bellies, orange juice, and coffee). Most commodities frauds involve illicit marketing or trading in commodities futures or options. Perpetrators often offer investment opportunities in the commodities markets that falsely promise high rates of return with little or no risk. Two common types of commodities investment frauds include:
8. Foreign Currency Exchange (Forex) Fraud: The perpetrators of Forex frauds entice individuals into investing in the spot foreign currency market through false claims and high-pressure sales tactics. Foreign currency firms that engage in this type of fraud invest client funds into the Forex market, not with the intent to conduct a profitable trade for the client, but merely to "churn" the client's account. Churning creates large commission charges benefiting the trading firm. In other Forex frauds, the perpetrator creates artificial account statements that reflect purported investments when, in reality, no such investments have been made. Instead, the money has been diverted for the perpetrator's personal use.
9. Precious Metals Fraud: These fraud schemes offer investment opportunities in metals commodities such as rare earth, gold, and silver. The perpetrators of precious metals frauds entice individuals into investing in the commodity through false claims and high-pressure sales tactics. Oftentimes in these frauds, the perpetrators create artificial account statements that reflect purported investments when, in reality, no such investments have been made. Instead, the money has been diverted for the perpetrators' personal use.
10. Market Manipulation: These schemes, commonly referred to as "pump-and-dumps," are effected by creating artificial buying pressure for a targeted security, generally a low-trading volume issuer in the over-the-counter securities market that is largely controlled by the fraud perpetrators. This artificially increased trading volume has the effect of artificially increasing the price of the targeted security (i.e., the "pump"), which is rapidly sold off into the inflated market for the security by the fraud perpetrators (i.e., the "dump"). These actions result in illicit gains to the perpetrators and losses to innocent third-party investors. Typically, the increased trading volume is generated by inducing unwitting investors to purchase shares of the targeted security through false or deceptive sales practices and/or public information releases. A modern variation on these schemes involves largely foreign-based computer criminals gaining unauthorized access and intruding into the online brokerage accounts of unsuspecting victims in the United States. These intruded victim accounts are then used to engage in coordinated online purchases of the targeted security to effect manipulation while the fraud perpetrators sell their preexisting holdings in the targeted security into the inflated market.
11. Broker Embezzlement: These schemes involve illicit and unauthorized actions by brokers to steal directly from their clients. Such schemes may be facilitated by the forging of client documents, doctoring of account statements, unauthorized trading/funds transfer activities, or other conduct in breach of the broker's fiduciary responsibilities to the victim client.
12. Late-Day Trading: These schemes involve the illicit purchase and sale of securities after regular market hours. Such trading is restricted in order to prevent individuals from profiting on market-moving information which is released after the close of regular trading. Unscrupulous traders attempt to illegally exploit such opportunities by buying or selling securities at the market close price, secure in the knowledge that the market-moving information will generate illicit profits at the opening of trading on the following day.
Notice the Signs of Fraud
1. Legitimate investment professionals encourage you to ask questions and to have as much information as possible. They want you to clearly understand the risks involved. They want you to feel comfortable with the investments you are making. Con artists want you to believe them and not ask questions. All they're after is your money.
2. Educate Yourself and Recognize the Signs of Fraud
3. High Pressure Sales Tactics
4. Beware of sales pitches, whether from individuals or in ads, that urge you to get in on the ground floor or to act at once. Avoid being pressured to make a quick purchase at a "low, low price," to buy now because "tomorrow will be too late," or overreact to being told "don't be a fool," or "when this becomes public knowledge people will be lined up to take advantage of this golden opportunity." Shady promoters may even offer to have an express delivery service pick up your check! They don't want you to take time to think, read the small print, or talk to others.
5. Promises of Exorbitant Profits
6. No honest investment or business is built on quick, astronomical profits. If it sounds too good to be true, it probably is.
7. Claims of No Risk or Minimal Risk
8. Return on investment is guaranteed. Assurances that "you can't go wrong" are a sure tip that you are being conned.
9. Not Answering Questions or Allowing You to Ask Questions
10. Con artists don't want you to ask questions. Instead, they will answer by asking you questions. These are usually ones intended to get a positive response. "You would like to make more money, wouldn't you?" Reputable investment professionals encourage you to ask questions. Con artists don't want you to.
11. Evasive Answers and Lack of Communication
12. A promoter's failure to provide details and a disclosure document or to respond directly to inquiries should diminish your enthusiasm. He or she is probably hiding something.
13. Claims that the Investment Doesn't Have to be Registered
14. Avoid Any Investment that isn't Clearly Described in Detail, Without Hedging
15. Swindlers often declare that the specifics are "too technical" to describe in layman's terms or that the information is "classified" or "confidential." Don't buy it. A prospectus must accompany all investments. If it is that complicated, you probably don't want to be involved.
16. Unprofessional Businesslike Conduct
17. They refuse to return phone calls, answer correspondence, or give out their phone number and physical address. Callers can only get an answering machine. They always want to meet you someplace other than their offices. These are all warning signs of fraud. There are, however, con artists who have fancy offices, cars, and professional receptionists.
18. Promises of "Inside Information"
19. Never buy on the basis of rumors or hot tips. And acting on "insider information" is illegal and could land you in lots of trouble. Always rely on fact rather than emotion. If the urge gets too strong, call your broker and ask for a research paper on the security you have in mind.
20. When hounded on the phone by a promoter, don't be afraid to hang up without explanation. You do not owe the caller anything. This kind of solicitation is an invasion of your privacy. If you have any doubts make no promises or commitments, no matter how tentative. It is far better to wait and lose an opportunity than to take the plunge and lose everything.
Ten Self-Defense Tips
1. Don't be a courtesy victim. Con artists will not hesitate to exploit the good manners of the potential victim. Remember that a stranger who calls and asks for your money is to be regarded with utmost caution and skepticism. You have absolutely no obligation to stay on the phone with a stranger who wants your money. It's not impolite to say you are not interested and hang up.
2. Don't be rushed; check it out. Say no to any salesperson that pressures you to make an immediate decision. If he or she doesn't have the time to explain the investment to your regular investment professional, or other party, or if they ask "Can't you make your own investment decisions?" say NO! You have the right and responsibility to check out the salesperson, firm, and the investment opportunity itself. Almost all investment opportunities must be registered with the SEC. Extensive background information on investment professionals and firms is available from the SEC. Before you even consider investing, get the prospectus, review it carefully, and make sure you understand all the risks involved. But remember, even written material sent from the promoter can be fraudulent or misleading.
3. Always stay in charge of your money. Don't be taken in by anyone who wants your money and assures you that he or she is a professional and can handle everything. Beware of any financial professional who suggests putting your money into something you don't understand. And never let yourself be talked into leaving everything in his or her hands.
4. Always watch over and protect your nest egg. Never trust anyone who wants you to turn over your money to them and then sit back and wait for results. If you understand little about the world of investments, take the time to educate yourself. Constant vigilance is a necessary part of being an investor.
5. Never judge a person's integrity by how they look or sound. Far too many investors who are wiped out by con artists later explain that the swindler "looked and sounded so professional." Successful con artists sound extremely professional and have the ability to make even the flimsiest investment deal sound as safe as putting money in the bank. Remember that sincerity in a voice, especially on the phone, has no bearing on the soundness of an investment opportunity. Always do the necessary homework.
6. Watch out for salespeople that prey on your fears. Con artists know that many investors, particularly older investors, worry that they will either outlive their savings or see all of their financial resources vanish overnight as the result of a catastrophic event. It's quite common for swindlers and abusive salespeople to pitch their schemes as a way to build up life savings to the point where such fears are no longer necessary. Remember that fear and greed can cloud your good judgment and leave you in a much worse financial posture. An investment that is right for you will make sense because you understand it and feel comfortable with the degree of risk involved. High return almost always means high risk.
7. Exercise particular caution if you have limited or no experience handling money. Ask a con artist to describe his ideal victim and you're likely to hear "elderly widow or widower." Many people now in their retirement years have limited knowledge about handling money. They often relied on their spouses to handle most or all money decisions. Those who have received windfall insurance in the wake of the death of a spouse are prime targets for con artists. People who are on their own for the first time in years should always seek advice of family members or impartial professionals before deciding what to do with their money.
8. Monitor your investments and ask tough questions. Too many investors trust unscrupulous investment professionals and outright con artists to make financial decisions for them. They then compound their error by failing to keep an eye on the progress of the investment. Insist on regular written reports. Check the written information. Look for excessive or unauthorized trading in your funds. Don't be swayed by assurances that such practices are routine or in your best interest. Don't permit a sense of friendship or trust to keep you from demanding this information. If you suspect something is wrong and you don't get satisfactory answers, call the Securities Division and let us help.
9. Look for trouble retrieving your principal or cashing out profits. If a stockbroker, financial planner, or other individual stalls you when you want to pull out your principal or profits, demand to know why. Since unscrupulous investment promoters have probably pocketed the funds of their victims, they will go to great lengths to explain why your savings are not available. They may even pressure you to "roll over" non-existent profits into new and even more alluring investments. This will only further delay the fraud being uncovered. If you're not investing in a product with a fixed term, such as a bond, you should be able to receive your funds or profits within a reasonable amount of time.
10. Don't let embarrassment or fear keep you from reporting investment fraud or abuse.
Investorswhofailtoreportthatthey'vebeenvictimizedoftenhesitateoutofembarrassment.
Olderinvestorsfearthey'llbejudgedincapableofhandlingtheirownaffairsandbeforcedinto
anursinghomeorotherfacility.Sophisticatedinvestorsdon'twanttoadmitthatasmoothtalker
tookthemin.Conartistsknowallaboutsuchsensitivities.Theycountonthesefearspreventing
ordelayingthetimewhentheauthoritieswillbenotifiedaboutthescam.It'struethatmost
moneylosttoinvestmentfraudisrarelyrecoveredbeyondpenniesonthedollar.Inmanycases,
however,wheninvestorsrecognizedearlythatthey'dbeenmisled,theywereabletorecover
someoralloftheirfundsbybeinga“squeakywheel”.Oneofthebestresourcesforinvestors
whofeartheyhavebeenvictimizedistheSecuritiesDivisionoftheDepartmentofFinancial
Institutions.
Social media investing
While social media can provide many benefits for investors, it also presents opportunities for fraudsters. Social media, and the Internet generally, offer a number of attributes criminals may find attractive. Social media lets fraudsters contact many different people at a relatively low cost. It is also easy to create a site, account, email, direct message, or web page that looks and feels legitimate - and that feeling of legitimacy gives criminals a better chance to convince you to send them your money. Finally, it can be difficult to track down the true account holders that use social media. That potential for anonymity can make it harder for fraudsters to be held accountable. As a result, investors need to use caution when using social media when considering an investment.
What You Can Do to Avoid Investment Fraud
1. Ask questions. Fraudsters are counting on you not to investigate before you invest. Fend them off by doing your own digging. It's not enough to ask for more information or for references - fraudsters have no incentive to set you straight. Take the time to do your own independent research.
2. Research before you invest. Unsolicited emails, message board postings, and company news releases should never be used as the sole basis for your investment decisions. Understand a company's business and its products or services before investing. Look for the company's financial statements on the SEC's website, or contact your state securities regulator.
3. Know the salesperson. Spend some time checking out the person touting the investment before you invest - even if you already know the person socially. Always find out whether the securities salespeople who contact you are licensed to sell securities in your state and whether they or their firms have had run-ins with regulators or other investors. You can check out the disciplinary history of brokers and advisers for free using the SEC's and FINRA's online databases. Your state securities regulator may have additional information.
4. Be wary of unsolicited offers. Be especially careful if you receive an unsolicited pitch to invest in a company, or see it praised online, but can't find current financial information about it from independent sources. It could be a "pump and dump" scheme. Be wary if someone recommends foreign or "off-shore" investments. If something goes wrong, it's harder to find out what happened and to locate money sent abroad.
Red flags for fraud and common persuasion tactics
How do successful, financially intelligent people fall prey to investment fraud? Researchers have found that investment fraudsters hit their targets with an array of persuasion techniques that are tailored to the victim's psychological profile.
1. If it sounds too good to be true, it is. Watch for "phantom riches." Compare promised yields with current returns on well-known stock indexes. Any investment opportunity that claims you'll receive substantially more could be highly risky - and that means you might lose money.
2. "Guaranteed returns" aren't. Every investment carries some degree of risk, which is reflected in the rate of return you can expect to receive. If your money is perfectly safe, you'll most likely get a low return. High returns entail high risks, possibly including a total loss on the investment. Most fraudsters spend a lot of time trying to convince investors that extremely high returns are "guaranteed" or "can't miss." They try to plant an image in your head of what your life will be like when you are rich. Don't believe it.
3. Beware the "halo" effect. Investors can be blinded by a "halo" effect when a con artist comes across as likeable or trustworthy. Credibility can be faked. Check out actual qualifications.
4. "Everyone is buying it." Watch out for pitches that stress how "everyone is investing in this, so you should, too." Think about whether you are interested in the product. If a sales presentation focuses on how many others have bought the product, this could be a red flag.
5. Pressure to send money RIGHT NOW. Scam artists often tell their victims that this is a once-in-a-lifetime offer and it will be gone tomorrow. But resist the pressure to invest quickly and take the time you need to investigate before sending money. If it is that good an opportunity, it will wait.
6. Reciprocity. Fraudsters often try to lure investors through free investment seminars, figuring if they do a small favor for you, such as supplying a free lunch, you will do a big favor for them and invest in their product. There is never a reason to make a quick decision on an investment. If you attend a free lunch, take the material home and research both the investment and the individual selling it before you invest. Always make sure the product is right for you and that you understand what you are buying and all the associated fees.
Look out for "Affinity Fraud". Never make an investment based solely on the recommendation of a member of an organization or group to which you belong, especially if the pitch is made online. An investment pitch made through an online group of which you are a member, or on a chat room or bulletin board catering to an interest you have, may be an affinity fraud. Affinity fraud refers to investment scams that prey upon members of identifiable groups, such as religious or ethnic communities, the elderly or professional groups. Even if you do know the person making the investment offer, be sure to check out everything - no matter how trustworthy the person seems who brings the investment opportunity to your attention. Be aware that the person telling you about the investment may have been fooled into believing that the investment is legitimate when it is not.
Be Thoughtful About Privacy and Security Settings
Investors who use social media websites as a tool for investing should be mindful of the various features on these websites in order to protect their privacy and help avoid fraud. Understand that unless you guard personal information, it may be available not only to your friends, but to anyone with access to the Internet - including fraudsters.
Ask Questions and Check Out Everything
Be skeptical and research every aspect of an offer before making a decision. Investigate the investment thoroughly and check the truth of every statement you are told about the investment. Never rely on a testimonial or take a promoter's word at face value. You can check out many investments using the SEC's EDGAR filing system or your state's securities regulator. You can check out registered brokers at FINRA's BrokerCheck website (http://brokercheck.finra.org/) and registered investment advisers at the SEC's Investment Adviser Public Disclosure website.
A Few Common Investment Scams Using Social Media and the Internet
While fraudsters are constantly changing the way they approach victims on the Internet, there are a number of common scams of which you should be aware.
Here are a few examples of the types of schemes you should be on the lookout for when using social media:
1. "Pump-and-Dumps" and Market Manipulations
"Pump-and-dump" schemes involve the touting of a company's stock (typically small, so-called "microcap" companies) through false and misleading statements to the marketplace. These false claims could be made on social media such as Facebook and Twitter, as well as on bulletin boards and chat rooms. Pump-and-dump schemes often occur on the Internet, where it is common to see messages posted that urge readers to buy a stock quickly or to sell before the price goes down, or a telemarketer will call using the same sort of pitch. Often the promoters will claim to have "inside" information about an impending development or to use an "infallible" combination of economic and stock market data to pick stocks. In reality, they may be company insiders or paid promoters who stand to gain by selling their shares after the stock price is "pumped" up by the buying frenzy they create. Once these fraudsters "dump" their shares and stop hyping the stock, the price typically falls, and investors lose their money.
2. Fraud Using "Research Opinions," Online Investment Newsletters, and Spam Blasts
While legitimate online newsletters may contain useful information about investing, others are merely tools for fraud. Some companies pay online newsletters to "tout" or recommend their stocks. Touting isn't illegal as long as the newsletters disclose who paid them, how much they're getting paid, and the form of the payment, usually cash or stock. But fraudsters often lie about the payments they receive and their track records in recommending stocks. Fraudulent promoters may claim to offer independent, unbiased recommendations in newsletters when they stand to profit from convincing others to buy or sell certain stocks - often, but not always, penny stocks. The fact that these so-called "newsletters" may be advertised on legitimate websites, including on the online financial pages of news organizations, does not mean that they are not fraudulent.
3. High Yield Investment Programs
The Internet is awash in so-called "high-yield investment programs" or "HYIPs." These are unregistered investments typically run by unlicensed individuals - and they are often frauds. The hallmark of an HYIP scam is the promise of incredible returns at little or no risk to the investor. A HYIP website might promise annual (or even monthly, weekly, or daily!) returns of 30 or 40 percent - or more. Some of these scams may use the term "prime bank" program. If you are approached online to invest in one of these, you should exercise extreme caution - they are likely frauds.
4. Internet-Based Offerings
Offering frauds come in many different forms. Generally speaking, an offering fraud involves a security of some sort that is offered to the public, where the terms of the offer are materially misrepresented. The offerings, which can be made online, may make misrepresentations about the likelihood of a return.
Where can I go for help?
Investors who learn of investing opportunities from social media should always be on the lookout for fraud. If you have a question or concern about an investment, or you think you have encountered fraud, please contact the SEC, FINRA, or your state securities regulator to report the fraud and to get assistance.
U.S. Securities and Exchange Commission
Office of Investor Education and Advocacy
100 F Street, NE
Washington, DC 20549-0213
Telephone: (800) 732-0330
Fax: (202) 772-9295
Financial Industry Regulatory Authority (FINRA)
FINRA Complaints and Tips
9509 Key West Avenue
Rockville, MD 20850
Telephone: (301) 590-6500
Fax: (866) 397-3290
North American Securities Administrators Association (NASAA)
750 First Street, NE
Suite 1140
Washington, DC 20002
Telephone: (202) 737-0900
Fax: (202) 783-3571
Mailbox
Prevention Advice:
1. Limit exposure: You can limit your exposure to mail fraud by using online conveniences like eStatements, online bill pay, direct deposit and online banking.
2. Opt out: You should opt out of receiving credit card and insurance offers. You can do so by calling 1-888-5-OPT-OUT (1-888-567-8688) or on the web at https://www.optoutprescreen.com. This stops credit card companies from sending pre-approved credit card applications to your house.
3. Watch for address changes: By filing a simple change of address form with the post office, or by contacting your creditors, an identity thief can have your personal mail sent to his or her own address. Banks and other companies now send letters to both the new address and the old address when a change is made in order to stop this type of fraud. If you receive such a letter for a change you did not request, contact the sender and your post office immediately.
4. Lock your mailbox: If your postal carrier is willing, you can buy a padlock for your mailbox. Place it unlocked inside your mailbox. When the carrier delivers your mail, he or she locks the box. This works well with rural-delivery style boxes with a hole to accommodate a lock, or you can drill holes in a wall-mounted box. The method is not foolproof, however. Persistent thieves have been known to use hacksaws to remove locks; some smash open mailboxes with baseball bats - or even steal the mailbox, lock and all.
5. Keep your mailbox visible: Trim shrubbery to keep your mailbox as visible as possible, eliminating hiding places for thieves.
6. Replace a wall-mounted mailbox with a mail slot: If you have door-to-door delivery, ask your local Post Office if you can replace your mailbox with a mail slot on your front or garage door. The postmaster needs to approve any changes in delivery. If you add a mail slot, make it large enough to accommodate catalogs and boxes of checks. Mail slots are not allowed, however, in rural delivery areas or newer neighborhoods with cluster boxes.
7. Buy a security mailbox: Check the yellow pages under "mailboxes" for listings of companies that sell tamper-resistant mailboxes. Heavy-duty metal boxes are available in both wall-mounted and free-standing models (the latter may be sunk in concrete to prevent vandalism). Security mailboxes typically have a slot for the carrier to deliver mail. Mail goes down a chute and into a locked compartment.
8. Ask your apartment manager to improve security: If you're a renter and your mailbox lock doesn't work, insist that the management repair the damage. Counterfeit keys are another problem in rental communities, since often the same key opens all the boxes. Managers can counter these problems by installing security cameras or moving mailboxes into a mail room where residents must use an access key to get inside.
9. Get a post office box: If theft is a concern, the cost of renting a post office box may be worth the investment, since thefts from such boxes are rare, according to postal authorities.
10. Consider a parcel locker: If you own a home-based business and receive frequent shipments of valuable goods, you may wish to invest in a parcel locker. If you use multiple delivery services, however, you'll need one for postal deliveries and a separate locker for others, such as Federal Express or United Parcel Service.
11. Pick up mail promptly: Mail thieves often follow carriers on their routes, striking within 15 minutes after delivery. If you're home during the day, pick up mail as soon after delivery as possible. If you're not home, ask a trusted neighbor to get your mail. Thieves can steal mail from your mailbox in order to get credit card applications and other sensitive data.
12. Outgoing mail: Outgoing mail is especially lucrative for thieves because it can include bills that you are paying by check or credit card. Drop outgoing mail in a Postal Service collection box or at the post office rather than leaving it in your home mailbox with the flag raised. It's more common for mail to be stolen from apartment or housing complex mailboxes because they combine several households' mail in one place.
Theft of your Mail
If you have had your mail stolen from your mailbox, you have become a victim of mail theft, a federal crime. It is important to report this crime immediately and to take steps to protect your assets and credit rating.
Here's a checklist of actions you should take:
1. Notify your local postal authority. Ask to fill out Form 2016, available at your local post office or by mail. Mail theft can also be reported to the U.S. Postal Inspection Service.
2. Call your local police agency. Report the theft to police or the sheriff's department, particularly if you suspect that checks or other valuables were stolen. Local law-enforcement authorities have caught some thieves by circulating lists of stolen checks to local banks, then nabbing suspects who showed up to clear out a victim's bank account.
3. Close accounts: If you suspect the thief obtained a credit card, checks or bank statement, cancel your accounts immediately and notify creditors both by telephone and in writing.
4. Take action on missing checks: If a check payable to you is stolen, ask the sender to stop payment and issue a new one. Give police the stolen check number.
5. Protect your credit: Make a list of creditors and see if any bills are overdue to arrive. Call creditors and obtain duplicate copies to avoid late payments, which could damage your credit rating - or worse. Be sure to pay your mortgage payment and car payment to avoid the risk of foreclosure or repossession. Don't forget other bills that could be missing, such as an annual insurance premium, property-tax levy or income tax refund.
6. Determine what else is missing: Contact professional organizations to learn if you've missed meeting notices or dues statements. Ask friends and relatives if they've mailed anything to you recently. Were you expecting a new driver's license? If so, contact your state Division of Motor Vehicles (DMV) promptly.
7. Talk to neighbors: Find out if their mail was stolen. Ask if anyone saw a strange person around your home or an apartment mailbox, then pass any information along to postal and law enforcement authorities.
Malware
Consumer Tips
Scam artists try to trick people into clicking on links that will download malware and spyware to their computers, especially computers that don't use adequate security software. To reduce your risk of downloading unwanted malware and spyware:
1. Keep your security software updated. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. Set your security software, internet browser, and operating system (like Windows or Mac OS) to update automatically.
2. Don't click on any links or open any attachments in emails unless you know who sent it and what it is. Clicking on links and opening attachments - even in emails that seem to be from friends or family - can install malware on your computer.
3. Download and install software only from websites you know and trust. Downloading free games, file-sharing programs, and customized toolbars may sound appealing, but free software can come with malware.
4. Minimize "drive-by" downloads. Make sure your browser security setting is high enough to detect unauthorized downloads. For Internet Explorer, for example, use the "medium" setting at a minimum.
5. Use a pop-up blocker and don't click on any links within pop-ups. If you do, you may install malware on your computer. Close pop-up windows by clicking on the "X" in the title bar.
6. Resist buying software in response to unexpected pop-up messages or emails, especially ads that claim to have scanned your computer and detected malware. That's a tactic scammers use to spread malware.
7. Talk about safe computing. Tell your kids that some online actions can put the computer at risk: clicking on pop-ups, downloading "free" games or programs, opening chain emails, or posting personal information.
8. Back up your data regularly. Whether it's text files or photos that are important to you, back up any data that you'd want to keep in case your computer crashes.
Detect Malware
Monitor your computer for unusual behavior. Your computer may be infected with malware if it:
1. slows down, crashes, or displays repeated error messages
2. won't shut down or restart
3. serves up a barrage of pop-ups
4. displays web pages you didn't intend to visit, or sends emails you didn't write
Other warning signs of malware include:
1. new and unexpected toolbars
2. new and unexpected icons in your shortcuts or on your desktop
3. a sudden or repeated change in your computer's internet home page
4. a laptop battery that drains more quickly than it should
Get Rid of Malware
If you suspect there is malware on your computer, take these steps:
1. Stop shopping, banking, and doing other online activities that involve usernames, passwords, or other sensitive information.
2. Update your security software, and then run it to scan your computer for viruses and spyware. Delete anything it identifies as a problem. You may have to restart your computer for the changes to take effect.
3. If your computer is covered by a warranty that offers free tech support, contact the manufacturer. Before you call, write down the model and serial number of your computer, the name of any software you've installed, and a short description of the problem.
4. Many companies - including some affiliated with retail stores - offer tech support on the phone, online, at their store, and in your home. Decide which is most convenient for you. Telephone and online help generally are the least expensive, but you may have to do some of the work yourself. Taking your computer to a store usually is less expensive than hiring a repair person to come into your home.
5. Once your computer is back up and running, think about how malware could have been downloaded to your machine, and what you could do differently to avoid it in the future. Change the passwords for any accounts you used on the infected computer, doing so from a different, clean device, since a keylogger may have captured them.
Online dating
Here's how the romance scam usually works.
You're contacted online by someone who appears interested in you. He or she may have a profile you can read or a picture that is emailed to you. For weeks, even months, you may chat back and forth with one another, forming a connection. You may even be sent flowers or other gifts. But ultimately, it's going to happen; your new-found "friend" is going to ask you for money.
Don't be a victim; check out these tips and take them to heart:
1. If you're suspicious, Google the message text he/she sends you. Unlike spam, dating scams require a fair amount of work from the criminals - so they tend to cut corners. Often, the 'romantic' message you receive has been sent to dozens of other people. Put quotes around it and Google it: if it brings up results from former victims, you should start to worry. If the messages are in broken English, but your lover claims to be American, it's another good reason to be cautious. Ask advice from a site administrator, or a friend.
2. Don't be ashamed to 'play detective'. Millions of people use dating sites, but they DO carry risks that normal dating does not. You don't know whether the person you are speaking to is real, where they're from, or whether the photos are them, or someone different. In the old days, you would often meet people via friends of friends - but you don't have this reassurance online. So play detective. If they won't tell you where they work, worry. Likewise, if they keep asking questions about you, but never answer any about themselves, worry. Search for them on LinkedIn, or just via Google - it's almost impossible NOT to leave traces online these days. If someone has not, they probably are not real.
3. If their photos are really glossy, be afraid. Oddly, one of the giveaways that your lover may not be who they seem is that they look too good - as in, the photographs are professional. Few normal people would make this much effort - but for a cybercriminal, the easiest way to create a fake profile is to use glamorous pictures from the web, shot by professional photographers.
4. Don't hand over information bit by bit. Dating sites are a huge growth area for cybercrime, and scams vary from simple cons, where people are asked for money for visas, to classic phishing. The problem is that handing over information is a normal part of romance - but perfect for identity thieves. Until you have verified that the person is genuine, do not give out your address, ever, and if possible limit other details such as workplaces and contact details.
5. Don't share 'racy' photos with people you have not met. One variation of today's dating scams is a simple one - blackmail. Do not hand over pictures you would be embarrassed to see published online - otherwise, you're at risk from blackmailers. Even racy messages can be a tool for criminals - particularly if you're attached. Keep things clean until you know your 'romance' is real. Allowing someone to see you via webcam, or to, for instance, undress on webcam, is particularly risky.
6. If your 'lover' sends you a photo which you need to click on, worry. Keep antivirus software running and be wary of profiles without images in the first place. If they have an image, ask them to add it to their profile.
7. Long-distance love DOES happen - but be wary. Profiles without pictures, details and interests are a clear warning of a fake profile. US law enforcement say that common signs are people who claim to be American but say they are working abroad, then suddenly need plane fare home.
8. Stick to reputable sites. Match.com and other 'major' sites such as eHarmony have a reputation to protect, so their systems will help to keep you safe (accusations of fake profiles notwithstanding). On Match, for instance, you can instantly flag any email or message as suspicious, and flag any profile you think isn't quite right. Match will investigate rapidly. Other large, reputable sites have similar systems. Smaller, specialist sites - particularly those focused on short-term relationships - won't offer the same peace of mind. However, sites which cater to a particular cultural group may achieve higher levels of trust if they fly under the radar of cybercriminals. Expect 'free' sites to be the most dangerous: the barrier to entry is low for enterprising cybercriminals.
9. Don't be persuaded to switch to another social network, email or IM. Millions of people use dating sites, and the 'big' sites are facing epidemic levels of fake profiles, phishing and other scams, so cybercriminals will often persuade victims to switch to another site, either a social site, or simply email. This way, they can continue the fraud in private.
10. If you think, "It's all happening so fast!" it's time to worry. Dating scams are one of the few areas of cybercrime where gangs play a 'long game' - sometimes stringing victims along for weeks or months. But most are impatient to be paid - so any online 'lover' who declares undying love in the space of a few emails should be regarded with extreme suspicion.
11. Do not send money, ever. The 'red flag' moment comes when your 'lover' asks for money. Do not send it - whether it's for flights, or for life-saving surgery. Even if the story is so tragic you feel you HAVE to help. If the subject of money comes up early in a relationship, be wary. If someone asks outright for a Western Union payment or bank wire transfer, you may well be dealing with a criminal. Speak to a site administrator if possible. Talk to a friend - or ask advice from an independent agency, or local law enforcement.
Passwords
We now use the Internet for a wide range of activities, including online banking, online shopping and online research. Increasingly, we're also using the Internet to socialize. In the last few years there's been a massive growth in the number of social networking sites. We share all kinds of personal details as well as music, pictures, and videos. Unfortunately, the more personal details we make available, the more exposed we are to online identity theft.
Given that passwords protect such valuable data, they're clearly very important. You should protect all your online accounts with passwords - but you must be careful when choosing them. Passwords help safeguard you against identity theft. They make it harder for cybercriminals to profile you, access your bank account (or other online accounts) and steal your money.
Choosing a good password is an important part of lowering the risk of becoming a victim of cybercrime. The following guidelines should help you when choosing passwords for your online accounts.
How to choose a strong password and other safety precautions:
1. Don't use variations of any obvious people, numbers, or things related to your life. This includes names, addresses, phone numbers, social security numbers, or variations of any of these. Don't use words or phrases. Don't use the first letters of each word in well-known phrases. Do use a combination of random numbers and letters. Many financial institutions will provide a random password and/or username for you; use these. If possible change the password to one only you know, and change it online over a secure connection into the bank or credit union's official website. Don't recycle passwords, e.g. don't use 'password1', 'password2', 'password3', etc. for different accounts.
2. Don't write your password down. Make your passwords memorable, so that you don't have to write them down or store them in a file on your computer (remember, this file could be stolen by cybercriminals).
And if you do... If you write down your password you make it possible for anyone who has access to your house, whether legally or not, to gain access to your account. If you do want to have it in writing, in case you forget it, write it down and place it in your safe deposit box (yes, sometimes you still need a physical place) or a safe.
3. Don't use the same password or username again. Many online stores and even some information-based websites require that you register to use their service, and that requires having a username and password. No matter how easy it seems to have one username and password for all your Internet accounts, don't do it: one breached store then unlocks every other account that shares the credentials. If keeping track of unique passwords is a burden, a reputable password manager is a safer way to get that convenience than reuse. If an online store, or any website, sends you an email confirmation that contains a new password, log in again and change your password immediately.
4. Don't use the same password for multiple accounts. If a cybercriminal finds the password to one account, they can use it to access other accounts.
5. Create a different password for your financial institution. Remember, many websites don't have the security your online financial institution does. Don't allow your password to inadvertently be revealed or misused.
6. Don't save the password on your computer. Many modern browsers allow you to save passwords on the computer's hard drive and have them come up as you type in your username. It may be convenient, but you allow anyone with access to your computer, whether for a couple of minutes or hours, the ability to access your account. It may never happen, but don't make it easy for your account to be accessed. (A dedicated password manager that encrypts its store behind a strong master password and locks when you step away is a different matter from a browser that fills passwords in for anyone at the keyboard.)
7. Log off your account and close your browser when done. Many financial institutions will automatically log you out of your account if you don't use it for a set amount of time, usually five or ten minutes. This step is to make sure only you use your account. If you happen to step away, your account will not be open for hours to anyone who could come along. Even if your financial institution offers this service you should log off of your account immediately when you are done using it. Additionally, if other people use the computer, you should shut down your entire browser to ensure that previously viewed pages will not be accessible.
8. Anti-Virus/Malware Software. Check that your Internet security software blocks attempts by cybercriminals to intercept or steal passwords.
9. Change Passwords Often. It is best to periodically change your passwords as an added precaution to remain as safe as you can. It is recommended to change your passwords every few months. More important than the calendar is reacting to a reason: change a password immediately if you suspect the account or the device you use it on has been compromised, or if a site you use reports a breach. A new password that differs from the old one only by a digit on the end gives no added protection.
Create a Strong Password that is Easy to Remember:
A strong password:
1. Is at least eight characters long (longer is better; added length does more for strength than swapping in symbols).
2. Does not contain your username, real name, or company name.
3. Does not contain a complete word.
4. Is significantly different from previous passwords.
5. Contains characters from each of the following four categories:
Uppercase letters - A, B, C
Lowercase letters - a, b, c
Numbers - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols found on the keyboard - ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
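To make the five rules above concrete, here is an added example, written for this edition and not code from the handbook, that checks a candidate password against them and reports which rules it breaks. The small built-in word list and the 0.6 similarity cutoff used for "significantly different from previous passwords" are assumptions of the example; a real deployment would load a full dictionary and tune the threshold.

```python
"""Check a candidate password against the handbook's strong-password rules.
Added example, not the handbook's own code."""
import difflib
import re

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a full word list such as /usr/share/dict/words).
COMMON_WORDS = {"password", "welcome", "letmein", "badminton", "summer",
                "love", "play", "december", "birthday"}

# Rule 4, "significantly different": a similarity ratio above this is too
# close to an old password (assumption: the cutoff is ours, not the handbook's).
MAX_SIMILARITY = 0.6

# Rule 5: the four character categories. Anything that is not a letter or a
# digit (a space included) counts as a keyboard symbol.
CATEGORIES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "number": str.isdigit,
    "symbol": lambda c: not c.isalnum(),
}


def check_password(password, username="", real_name="", company="",
                   previous=(), wordlist=COMMON_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()

    if len(password) < 8:                                        # rule 1
        problems.append("shorter than 8 characters")

    for label, value in (("username", username),                 # rule 2
                         ("real name", real_name),
                         ("company name", company)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")

    # rule 3: any run of three or more letters that is itself a dictionary word
    for run in re.findall(r"[A-Za-z]{3,}", password):
        if run.lower() in wordlist:
            problems.append(f"contains the complete word '{run}'")

    for old in previous:                                         # rule 4
        ratio = difflib.SequenceMatcher(None, old.lower(), lowered).ratio()
        if ratio > MAX_SIMILARITY:
            problems.append("too similar to a previous password")
            break

    missing = [name for name, test in CATEGORIES.items()         # rule 5
               if not any(test(c) for c in password)]
    if missing:
        problems.append("missing character categories: " + ", ".join(missing))

    return problems


def is_strong(password, **context):
    """True when every rule passes; context carries username=, previous=, etc."""
    return not check_password(password, **context)


if __name__ == "__main__":
    for candidate in ("Msbi12/Dec,4", "password1", "Badminton2004!"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```

The check runs entirely on the client or the account server; it never needs to store the candidate, and the previous-password comparison only needs the old passwords the server already hashes, so in practice rule 4 is applied at change time against the password being replaced.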
Help yourself remember your strong password by following these tips:
1. Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as "My son's birthday is 12 December, 2004." Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
2. Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, "My son's birthday is 12 December, 2004" could become Mi$un's Brthd8iz 12124 (it's OK to use spaces in your password).
3. Relate your password to a favorite hobby or sport. For example, "I love to play badminton" could become ILuv2PlayB@dm1nt()n.
Add extra security with 2-Factor Authentication: Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that's considered single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account.
The three types are:
1. Something you know, such as a personal identification number (PIN), password or a pattern
2. Something you have, such as an ATM card, phone, or fob
3. Something you are, such as a biometric like a fingerprint or voiceprint
HOW DOES TWO-FACTOR AUTHENTICATION WORK?
When you have two-factor authentication activated, you need two pieces of information of different types to get into your account (a password plus a PIN is still one factor, since both are something you know):
Something you know - like a password, PIN or pattern
Something you have - like a smartphone, ATM card or fob
Something you are - such as a biometric like a fingerprint or voiceprint
Why is two-factor so effective? It's pretty easy for bad guys to guess weak passwords - especially with all the personal information available today via social media. But hackers will have a heck of a time obtaining that something you have - such as the hardware or software security token or mobile phone you've authorized for verification texts. You need to have that mobile phone or token in hand to get the information you need to access your account. Of these, verification texts are the weakest option: criminals have persuaded carriers to move a victim's phone number to a SIM they control ("SIM swapping") and then received the texts themselves, so prefer an authenticator app or hardware token where a site offers one.
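As an added illustration, not part of the handbook, the following Python shows what a software security token or authenticator app actually computes for the "something you have" factor: time-based one-time codes per RFC 6238, built on the HMAC-SHA1 one-time password of RFC 4226. The shared secret is the RFC 6238 test secret, and tolerating one 30-second step of clock drift on the server side is an assumption of the example. The point to take from it is that the server needs only the shared secret and its clock, and a stolen password alone cannot produce a valid code.

```python
"""Time-based one-time codes (RFC 6238 TOTP over RFC 4226 HOTP) of the kind a
software security token or authenticator app produces for the "something you
have" factor. Added example; not the handbook's code."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"), standing in for the
# secret the account's server and the user's token share at enrollment.
SHARED_SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret that enrollment QR codes carry (padding optional)."""
    clean = text.strip().replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window`
    steps either side (assumption: one step of clock drift is tolerated).
    hmac.compare_digest avoids revealing which digits matched via timing."""
    for delta in range(-window, window + 1):
        at = unix_time + delta * step
        if at < 0:
            continue
        if hmac.compare_digest(totp(secret, at, step), submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(SHARED_SECRET, now)
    print("code for this 30-second step:", code)
    print("accepted now:", verify_code(SHARED_SECRET, code, now))
    print("accepted five minutes later:", verify_code(SHARED_SECRET, code, now + 300))
```

A code that is accepted once should also be rejected on replay within the same step (the server remembers the last step it accepted); that bookkeeping is omitted here to keep the arithmetic in view.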
EXPERT TIP - Use one form of two-factor for logging in, and a second, different two-factor combo for recovery.
Listing of websites that offer two-factor authentication: http://www.FraudSmarts.com/twofactor
Phishing
Here are some qualities that identify an attack through an email:
They duplicate the image of a real company.
Copy the name of a company or an actual employee of the company.
Include sites that are visually similar to a real business.
Promote gifts, or the loss of an existing account.
Phishing doesn't only pertain to online banking
Most phishing attacks are against banks, but can also use any popular website to steal personal data
such as eBay, Facebook, PayPal, etc.
Phishing knows all languages
Phishing knows no boundaries, and can reach you in any language. In general, they’re poorly written
or translated, so this may be another indicator that something is wrong. If you never go to the
Spanish website of your bank, why should your statements now be in this language?
Have the slightest doubt, don't risk it
The best way to prevent phishing is to consistently reject any email or news that asks you to provide
confidential data. Delete these emails and call your bank to clarify any doubts.
Social media sites can have infected links. For example, you receive an Instagram picture from a
friend. It's a great picture so you decide to share it by clicking the Facebook "like" button underneath
the image. This can be dangerous even if the picture came from a trusted source, it's a real Facebook
button and you are not downloading anything. If you can see the picture, you could have downloaded
malware. If the Facebook "like" link was fake, you also could have inadvertently downloaded malware.
Malicious software (malware) can be disguised as a Facebook "Like" button, picture or audio clip.
When you click a link or open an attachment, malware installs on your device. Unlike early PC
malware, it doesn't ask your permission, and your device is figuratively in the hands of a criminal.
Free wireless can be dangerous. While at a local coffee shop, airport, or public gathering place DO
NOT connect to the "free wireless" network if you are asked to create a temporary LOGIN to get
access to the free wi-fi. Don’t assume a Wi-Fi hotspot is secure. Most Wi-Fi hotspots do not encrypt
the information you send over the internet and are not secure. When using a Wi-Fi hotspot, only log
in or send personal information to websites that you know are fully encrypted. If you use an
unsecured network to log in to an unencrypted site - or a site that uses encryption only on the sign-in
page - other users on the network can see what you see and what you send.
Free public wi-fi networks can be dangerous. Whenever you have access to a free public wi-fi
network, you should NOT use that free wi-fi connection; instead use your mobile wireless connection.
Be smart on open Wi-Fi networks. When you access a Wi-Fi network that is open to the public, your
phone can be an easy target of cybercriminals. You should limit your use of public hotspots and
instead use protected Wi-Fi from a network operator you trust or a mobile wireless connection to
reduce your risk of exposure, especially when accessing personal or sensitive information. Always
be aware when clicking web links and be particularly cautious if you are asked to enter account or
log-in information.
Do not include this information on your social networking profile:
Your date of birth, including the year
Your phone number
Your physical address
The name of your high school
Your pet's name
Users of social media sites were at greater risk of physical and identity theft because of the
information they were sharing. If you participate in social networking, you should safeguard your
information. Posting your full birth date and place of birth, phone number, physical address, and any
information that could be used to guess your password - such as your mother's maiden name - could
provide fraudsters with information to help them gain access to your financial accounts. So be sure to
keep this information safe and update the privacy settings for your profile.
Be careful when you click on a Pinterest "pin" to enter any type of promotion. Pay close
attention to the URL these pins lead to before clicking on them. If the URL doesn't seem like anything
official to you, don't click it and don't re-pin it. Clicking the pin can redirect you to a third party
website, have you re-pin the pin or fill in a survey providing personal details. These tricks can install
malware or gain access to information about you in order to steal your identity.
Be wary of social network invites. If you receive a message from a friend on Facebook inviting you
to join a new social network, you should suspect that the message is fraudulent and contact your
friend to verify. Don't trust that a message is really from who it says it's from. Hackers can break into
accounts and send messages that look like they're from your friends, but aren't.
Do not allow access to your contacts. If you join a new social network and receive an offer to
enter your email address and password to find out if your contacts are on the network, you should
decline the offer and DO NOT allow the social network site access to your email address book. To
avoid giving away email addresses of your friends, do not allow social networking services to scan
your email address book. The site might use this information to send email messages to everyone in
your contact list or even everyone you've ever sent an email message to with that email address.
Social networking sites should explain that they're going to do this, but some do not.
DO NOT accept a social media connection request from a stranger of the opposite sex just because
the person looks honest and knows other people you know. Be selective about who you accept as a
friend on a social network. Identity thieves might create fake profiles in order to get information
from you. That lack of caution can be extremely costly. Most networking sites contain personal
information. When you friend someone, you give them access to that information and that can be used
by fraudsters.
Deleting pictures or videos from your social networking sites will NOT permanently remove
them from the Internet. You need to contact the support department at the social networking site to
make sure they are removed. Assume that everything you put on a social networking site is
permanent. Even if you can delete your account, anyone on the Internet can easily print photos or text
or save images and videos to a computer.
You can be at risk even if you download apps on social networking sites that look official and
the app install link is within the social networking site. Be careful about installing extras on your
site. Many social networking sites allow you to download third-party applications that let you do
more with your personal page. Criminals sometimes use these applications to steal your personal
information. To download and use third-party applications safely, take the same safety precautions
that you take with any other program or file you download from the web. Modify your settings to
limit the amount of information apps can access.
Do not respond to social media requests. If you receive an e-mail requesting you to update your
Facebook, Twitter, LinkedIn, eBay, or PayPal accounts, do NOT click on the link in the email and DO
NOT LOG IN and update your account as requested. Before writing your username and password
look at the web address in the browser. The fake ones look similar to this: http://k2nxw.com/cgibin/login/ or www.paypal5281.com. If you are not sure, log in to your real account just like you
usually do, by typing the web address in the browser by yourself and not using the links provided.
Use multiple passwords everywhere. It is NOT okay to use the same passwords for social
networking sites as long as you use different passwords for home banking type sites. It is correct to
use a different password for home banking type sites. However, social networking sites may not have
the security of your online financial institution, and using the same password on those sites is like trusting
the weakest link in a chain to carry the same weight. Every site has vulnerabilities; plan for them to be
exploited.
If you do receive offers of pre-approved credit, you should shred the offers before putting them
in the trash. First you should purchase a cross-cut shredder and shred all your pre-approved credit
card offers. Next you should remove your name and opt out of receiving these offers by visiting the
website https://www.optoutprescreen.com
Understand how your financial institution communicates with you. If you receive an e-mail with
your bank's name and e-mail address, explaining that, for security reasons, you had to click on a
particular Internet link and log in to your account to update your settings, you should delete the email
without taking any action, call or otherwise contact your bank to ensure credibility and report it to
your bank as SPAM. Financial institutions DO NOT ask for personal or account information via
email.
Always be skeptical of attachments. If you receive a message to view a file or video on a social
networking site and from someone within your network (a trusted source), it is still NOT safe to open
the attachment. Criminals are avid fans of social networking sites. They hijack user accounts to send
phishing invites to an account holder’s entire contact list, post poisoned links to a variety of
malicious sites, and send credible emails with malicious links - abusing the trust that friends normally
share. Some creative criminals have tailored messages to appear to come from the social networking
site itself, designed so that users will divulge their login credentials or download a Trojan.
Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and
strong authentication will NOT prevent social engineering fraud. No matter how much security
technology you implement, you can never get rid of the weakest link - the human factor. A social
engineer is someone who uses deception, persuasion and influence to get information that would
otherwise be unavailable.
If you receive an email from a friend or trusted source, it is NOT always safe to click on a link or
attachment within that email. The email account of your friend or trusted source could have been
compromised, and the email may have been sent to you by a criminal with the intent of getting information or to have
you click a link or open an attachment.
It is NOT always safe to click a link just because the link is through a popular search site like
Yahoo, Google or Bing. Search engine poisoning makes up 40% of malware delivery on the Web.
The practice is when malware and spam attackers inundate search results with links to bait pages that
will take users to malicious websites that will download malware to a computer. People want to be
able to trust that what they search for in Google, Bing or Yahoo is safe to click on.
Access websites through your web browser. Typing the address of a website directly into your
Web browser will ensure that you are going to the legitimate Web site and not a phishing site that was
designed to mimic the look of the real thing. Unless the site was hijacked or your computer has a
virus, typing the web address yourself is the best way to guarantee the authenticity of a website.
Tech support scams are very popular. If you receive an e-mail from a Microsoft support person
saying that your computer is infected by a virus and suggesting that you install a tool available on their
Internet site to eliminate the virus from your computer, you should NOT click on the link even
if it is sent from a [email protected] email address. Email
spoofing is e-mail activity in which the sender's address and other parts of the e-mail header are
altered to appear as though the e-mail originated from a different source.
Be skeptical when there are big news events happening. If you hear on the news that your insurance
company has recently been breached, and soon after you receive an email from your insurance
company that explains the breach and provides the necessary steps for you to take, and these steps include
clicking on a link to update your personal information and change your username and password, you
should NOT follow those instructions. Now that the criminals have
information about you, they may try to trick you into giving up more information through fraudulent
emails. Be suspicious of urgent emails requesting information and never open attachments you aren’t
expecting even if it’s from someone you know.
If you are unsure about a link in your email, do NOT copy and paste the link in your web
browser. You could still end up at the malicious site and potentially load malware on your computer
or network. If you are unsure whether a link you received in an email is safe, it is not safe to copy and
paste the link in the URL section of your web browser.
If you are unsure about a link in your email, it is NOT safe to forward the link to have it tested
by someone else. By forwarding an email, all you've done is forward a potentially dangerous and
malicious email that could infect someone else's computer or network.
Criminals could strike very quickly. For example, within hours of a hurricane, you receive an email
from the Red Cross asking for a donation to help the victims. This email is most likely a high-profile
phishing scam that receives media attention and is on the forefront of people’s minds. These scams
are effective because they rely on your emotions and compassion.
Be aware of website extensions. For example, out of these six web addresses, "whitehouse.com"
is phony because any official U.S. government website will end in .gov and not .com.
https://www.usa.gov
https://cio.gov
http://www.ssa.gov
https://www.ssa.gov
http://www.fdic.gov
https://www.whitehouse.com
Clues that an email is fake can include: poor spelling, grammatical errors, offer of a reward, typos,
information request, threatening tone.
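As an added example (not part of the handbook), here is a small checker that applies the two address rules the text gives, both the "official U.S. government sites end in .gov" rule from the list above and the earlier warning about look-alike addresses such as www.paypal5281.com and http://k2nxw.com/cgibin/login/. The brand allow-list is an assumption constructed for the demo, and the "registrable domain" logic is deliberately naive (last two labels), which is enough for .com and .gov addresses but not for every suffix.

```python
from urllib.parse import urlsplit

# Added example, not the handbook's code. Constructed allow-list: brand name
# that may appear in a host, and the legitimate registrable domains for it
# (assumption for the demo; a real list would be far longer).
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "facebook": {"facebook.com"},
    "ebay": {"ebay.com"},
    "linkedin": {"linkedin.com"},
}


def registrable_domain(host: str) -> str:
    """Naive 'domain that owns the page': the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url: str, expect_government: bool = False) -> list:
    """Return a list of warnings; an empty list means nothing looked wrong."""
    if "://" not in url:
        url = "http://" + url                # addresses are often pasted without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    warnings = []

    # Only a fully encrypted site should receive a login or personal data.
    if parts.scheme != "https":
        warnings.append("connection is not encrypted (no https)")
    # user@host tricks: the real host is whatever follows the '@'.
    if "@" in parts.netloc:
        warnings.append("address contains '@'; the real host is after it")
    if host.replace(".", "").isdigit():
        warnings.append("host is a raw IP address rather than a name")
    # Rule from the handbook: official U.S. government sites end in .gov.
    if expect_government and not reg.endswith(".gov"):
        warnings.append("official U.S. government sites end in .gov, this ends in ." + reg.rsplit(".", 1)[-1])
    # Brand name inside a host that the brand does not own (paypal5281.com).
    all_legit = set().union(*KNOWN_BRANDS.values())
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host and reg not in legit:
            warnings.append(f"mentions {brand} but the domain that owns this page is {reg}")
    # A login page hosted on a domain nobody recognizes (k2nxw.com/cgibin/login/).
    if "login" in parts.path.lower() and reg not in all_legit:
        warnings.append("login page on an unrecognized domain")
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.usa.gov", "https://www.whitehouse.com",
                   "www.paypal5281.com", "http://k2nxw.com/cgibin/login/"):
        print(sample, "->", assess_url(sample, expect_government=sample.endswith((".gov", ".com"))))
```

The checker is a heuristic, not a verdict: an empty list says only that none of the handbook's red flags fired, while any warning is a reason to type the real address yourself instead of following the link.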
Ransomware
For computer users, a form of malicious code dubbed ransomware can be among the most
frightening forms of computer invasion - suddenly, your screen is replaced by a message that appears
to be from the police, demanding money, or a message saying your files are lost unless you pay a
ransom to unlock them. One particular form of ransomware, referred to as filecoders, is designed
to extort money by encrypting a user’s files and demanding payment to access them. One of the most
prevalent examples of this type of malware is called CryptoLocker.
Below are some tips that can help - even if you’ve already fallen victim.
1. Don’t pay the money. No police force on Earth will lock your computer and demand money; the message is NOT from the FBI. Do not pay the money. Contact a computer professional
instead, if you can’t unlock it yourself. In some cases - especially filecoders - there may be
nothing you can do, but an IT professional should be your first stop.
2. Don’t pirate software, music or movies. Pirate sites offering free music, games or films are
often infested with malware - but this year, cybercriminals have been “gaming” Google
searches to infect wannabe pirates with ransomware. Ordinary Internet searches lead people to
such sites - with cybercriminals using “black hat” SEO to push infected sites high up in Google
results.
3. Don’t think that if you get past the lock screen, it’s “gone”. It is sometimes possible to get
“past” the lock screen displayed by some forms of ransomware - but that doesn’t mean you’re
safe. Your computer is probably still infected. Either invest in AV software or contact an IT
professional for help.
4. If you are backed up, you’re “immune” to filecoders. Filecoders rely on one thing - that you
keep unique, precious files on your PC. Don’t. You don’t keep family heirlooms in your car; you keep them in a safe. Do the same with your data. If you have backups, then the malware is
merely a nuisance. So, the importance of doing regular backups should be strongly reiterated.
There are, however, at least two “fortunate points” about this malware: it’s visible, not hidden;
the user knows he’s infected - unlike many other malware types that could be stealing
money/data silently (of course, that doesn’t mean that he’s not infected with something else
together with the filecoder!)
5. Try and rescue your files. Unless you have in-depth knowledge, you should contact an IT
professional to help with filecoders - and don’t get your hopes up, as many use strong
encryption which is basically impossible to break. In some cases, when the filecoder uses a
weak cipher, or a faulty implementation, or stores the encryption password somewhere to be
recovered, it may be possible to decrypt the files. Unfortunately, in most cases, the attackers
have learned to avoid these mistakes and recovering the encrypted files without the encryption
key is nearly impossible.
6. Learn what “backup” means - and choose the right solution for you. For home users, a
simple way to start “backing up” - without delving into complex solutions - is to use cloud
services such as Google Drive, Amazon, Dropbox and Flickr to store documents, music, videos
and photos. These services offer free versions, and can at least save some of the most personal
files on your computer from being devoured by malware.
How Ransomware Works
There are many strains of ransomware; these include CryptoWall, TorrentLocker and CTB-Locker,
to name a few. CTB-Locker is a ransomware variant that encrypts files on a victim’s hard disk
before demanding a ransom be paid to decrypt the files.
The CTB-Locker malicious spam campaign attack vector is an email with a ZIP or a CAB
attachment claiming to be a FAX or invoice. These ZIP or CAB containers hold a downloader that
is likely a new variant of one of several different families of ransomware. These downloaders are
generally a portable executable file type (.EXE, .SCR, .BAT, .PIF, .CMD) and are responsible for
downloading the secondary threat, which is an encrypted file that performs the actual encryption
routine.
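As an added example (not from the handbook), the check below screens an email attachment along the lines of the CTB-Locker description: it flags the executable types the text lists (.EXE, .SCR, .BAT, .PIF, .CMD) whether they arrive bare or inside a ZIP "FAX", and calls out the double-extension trick (invoice.pdf.exe) separately. The sample ZIP is constructed in memory and contains no real program. Only ZIP containers are opened here because the Python standard library has no CAB reader; a CAB is simply reported as uninspectable, which is an assumption of this example.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Added example, not the handbook's code. Extensions listed on the page:
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".pif", ".cmd"}
# Document-looking inner extensions used to make a double extension (assumption):
LURE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".tif", ".jpg"}


def classify_name(name: str) -> Optional[str]:
    """Why a single file name is risky, or None if it looks harmless."""
    base = name.lower().rsplit("/", 1)[-1]       # strip any folder inside the archive
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in LURE_EXTS:
        return f"executable disguised with a double extension ({parts[-2]}.{parts[-1]})"
    return f"executable file type ({ext})"


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """(member name, reason) for every risky member of a ZIP attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()             # names only; nothing is extracted or run
    except zipfile.BadZipFile:
        return [("<attachment>", "claims to be a ZIP but is not a valid archive")]
    findings = []
    for name in names:
        reason = classify_name(name)
        if reason:
            findings.append((name, reason))
    return findings


def scan_attachment(filename: str, data: bytes) -> List[Tuple[str, str]]:
    """Entry point: check the attachment's own name, then look inside containers."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append((filename, reason))
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    if ext == ".zip":
        findings.extend(scan_zip(data))
    elif ext == ".cab":
        findings.append((filename, "CAB container cannot be inspected here; treat as untrusted"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure for the demo: a 'FAX' ZIP holding a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FAX_2017-04-12.pdf.exe", b"placeholder bytes, not a real program")
        zf.writestr("cover_sheet.txt", b"constructed harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_attachment("FAX.zip", build_sample_zip()):
        print(hit)
```

A mail gateway or a cautious user can apply the same rule by hand: a "fax" or "invoice" that turns out to be an archive holding a program is the delivery step the text describes, and it is far cheaper to refuse it at this point than to restore from backup afterwards.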
Senior citizens
Seniors are at a greater risk for identity theft than most people. Learn how to guard against identity
theft and spot suspicious signs of fraud. Catch identity theft early, before it damages your finances.
The Issue
Identity theft is a rapidly growing crime in the United States. About 10 million people are
victims of this damaging crime each year. Seniors are especially vulnerable to these crimes
because:
1. Seniors often have higher cash reserves and home equity than others
2. Seniors are usually less technologically savvy and do not research scams online
3. Seniors do not monitor their credit and financial accounts very closely
4. Retirement home staff and other assistants may have access to and take advantage of a senior's
personal records
According to a recent survey by Experian, 11% of people over the age of 65 reported that they
have had their financial information stolen.
The Crimes
The types of identity theft crimes seniors experience are similar to those impacting the rest of the
population. Along with basic credit card fraud, seniors are at risk for large identity theft
compromises involving loans, Social Security numbers, and insurance. Here are some of the ways
that thieves can obtain personal data:
1. Dumpster diving - Digging for personal information in the trash of homes and businesses.
2. Phone scams - Senior citizens are particularly vulnerable to fraud by phone. Thieves may pose
as insurance companies, charities, or other businesses in order to gather personal data over the
phone.
3. Personal theft - Theft of personal information by an employee, nurse, relative, or friend.
4. Wallet theft - The theft of a purse or wallet. Seniors are more likely to carry their Social
Security card or Medicare card with them, making them a prime target.
5. Record theft - Medical records, Social Security records, and other forms of personal
documents are a potential gold mine for thieves.
6. Online fraud - Fake emails and websites are set up as data traps for unsuspecting consumers.
Identity thieves may drain bank accounts, open new accounts, rack up credit card charges, obtain
loans, apply for jobs, refinance their victim's home, obtain medical care, or even commit crimes
using stolen personal data. The more serious the crime, the more difficult it is for the victim to
recover from identity theft.
The Steps
It is impossible to completely prevent identity theft, but there are some important precautions that can
be taken to guard against this crime. Here are some identity theft prevention tips for seniors:
1. Do not give out personal information over the phone unless you initiated the call.
2. Do not carry your Social Security card or Medicare card in your wallet.
3. Research the authenticity of charities and other organizations before you donate money.
4. Sign up for the Do Not Call Registry.
5. Keep sensitive documents at home in a locked file cabinet.
6. Use a cross-cutting shredder to destroy sensitive mail and other documents before throwing
them away.
7. Opt out of receiving pre-screened offers based on your credit data.
8. Regularly review your financial and credit records for signs of fraud.
If you do become a victim of identity theft despite these precautions, it is crucial that you report the
crime immediately.
Health Insurance Fraud
1. Never sign blank insurance claim forms.
2. Never give blanket permission to a medical provider to bill for services rendered.
3. Ask your medical providers what they will charge and what you will be expected to pay out-of-pocket.
4. Carefully review your insurer’s explanation of benefits statement. Call your insurer and
provider if you have questions.
5. Do not do business with door-to-door or telephone salespeople who tell you that services or
medical equipment are free.
6. Give your insurance/Medicare identification only to those who have provided you with medical
services.
7. Keep accurate records of all health care appointments.
8. Know if your physician ordered equipment for you.
Medicare Scams
1. Protect your Medicare number as you do your credit card numbers and do not allow anyone
else to use it.
2. Be wary of salespeople trying to sell you something they claim will be paid for by Medicare.
3. Review your Medicare statements to be sure you have in fact received the services billed.
4. Report suspicious activities to 1-800-MEDICARE.
Telemarketing Scams
1. Don’t buy from an unfamiliar company.
2. Always ask for and wait until you receive written material about any offer or charity.
3. Obtain a salesperson’s name, business identity, telephone number, street address, mailing
address, and business license number before you transact business.
4. Always take your time in making a decision.
5. If you have information about a fraud, report it to state, local, or federal law enforcement
agencies.
Home Repair or Contractor Fraud
1. Be an informed consumer. Take the time to call and shop around before making a purchase.
Take a friend with you who may offer some perspective to help you make difficult decisions.
2. Carefully read all contracts and purchasing agreements before signing and make certain that all
of your requirements have been put in writing.
3. Make sure you understand all contract cancellation and refund terms.
4. As a general rule take control of all of your transactions as a consumer.
5. Do not allow yourself to be pressured into making purchases, signing contracts, or committing
funds. These decisions are yours and yours alone.
Grandparent Schemes
1. A grandparent receives a phone call (or sometimes an e-mail) from a “grandchild.” If it is a
phone call, it’s often late at night or early in the morning when most people aren’t thinking that
clearly. Usually, the person claims to be traveling in a foreign country and has gotten into a bad
situation, like being arrested for drugs, getting in a car accident, or being mugged… and needs
money wired ASAP. And the caller doesn’t want his or her parents told.
This is an example of what’s come to be known as “the grandparent scam” — yet another fraud that
preys on the elderly, this time by taking advantage of their love and concern for their grandchildren.
Other scenarios include:
2. Sometimes, instead of the “grandchild” making the phone call, the criminal pretends to be an
arresting police officer, a lawyer, a doctor at a hospital, or some other person. And we’ve also
received complaints about the phony grandchild talking first and then handing the phone over to
an accomplice… to further spin the fake tale.
3. Military families can be victimized: after perusing a soldier’s social networking site, a con
artist will contact the soldier’s grandparents, sometimes claiming that a problem came up
during military leave that requires money to address.
4. While it’s commonly called the grandparent scam, criminals may also claim to be a family
friend, a niece or nephew, or another family member.
How to avoid being scammed
1. Resist the pressure to act quickly.
2. Try to contact your grandchild or another family member to determine whether or not the call
is legitimate.
3. Never wire money based on a request made over the phone or in an e-mail... especially overseas.
Wiring money is like giving cash — once you send it, you can’t get it back.
What to do if you have been scammed.
The financial losses in these cases — while they can be substantial for an individual, usually several
thousand dollars per victim — typically don’t meet the FBI’s financial thresholds for opening an
investigation.
The FBI recommends contacting your local authorities or state consumer protection agency if you
think you’ve been victimized. They also suggest you file a complaint with IC3, which not only
forwards complaints to the appropriate agencies, but also collates and analyzes the data — looking
for common threads that link complaints and help identify the culprits.
Shopping Online
1. Search the Internet safely
Even though search engines are very useful when you’re looking for products, reviews, or
price comparisons, you run the risk of unintentionally clicking on ‘poisoned’ search results that
could lead you to malware instead of your intended destination. These poisoned search results
are created by cybercriminals that use search engine optimization (SEO) tricks – sometimes
referred to as Black SEO – to manipulate search engine results to include malicious links.
2. Type the URL into the address bar
Instead of just clicking a link to take you to your chosen retailer’s website, it’s safer to type the
retailer’s URL into the address bar on your web browser. It may take a little more effort, but this
simple action can help to prevent you visiting a fake or malicious website.
3. Credit Cards
Use the safest way to pay on the Internet. Pay for your order using a credit card. The safest
way to purchase items via the Internet is by credit card because you can often dispute the
charges if something is wrong.
Get a temporary credit card - some credit card companies will issue a temporary credit card
number for their customers. These temporary numbers can be useful for one-time purchases.
However, you should avoid using them for any purchases that require auto-renewal or regular
payments.
Don't give out your credit card number(s) online unless the site is a secure and reputable
site. Sometimes a tiny icon of a padlock appears to symbolize a higher level of security to
transmit data. This icon is not a guarantee of a secure site, but might provide you some
assurance.
Check on your credit card statements. Check your bank statements on a monthly basis. Don't
let them sit and pile up; anyone who uses a credit card could potentially be hacked and could
become a victim through no fault of their own.
4. Dedicate a computer to online banking and shopping
For added security, you could use a dedicated machine for online banking and shopping. This
should be a ‘clean’ computer that is totally free of computer viruses and any other infections. In
order to help keep it clean, the machine should not be used for any casual web browsing, social
networking, or email. Install Google Chrome, with forced HTTPS.
5. Use a dedicated email address
It’s worth considering creating an email address that you only use for online shopping. This can
help you to reduce the risk of opening potentially malicious email or spam messages that are
disguised as sales promotions or other notifications. If such messages are sent to your primary
email address, you’ll be aware that there’s a fair chance that they’re fake or malicious.
6. Manage and protect your online passwords
Using a password manager can help you to deal with multiple accounts and passwords – and to
encrypt passwords that would otherwise be in plain text. Some antivirus and Internet security
software products include password management and password security features.
7. Beware of using public Wi-Fi
When you’re in a shopping mall – about to make a purchase – it can be useful to make a last
minute comparison with the best deals that Internet retailers are offering. However, there can be
security risks if you access the Internet via a public Wi-Fi network. Cybercriminals can
intercept your data and capture your passwords, login details, and financial information. If you
need to access the Internet when you’re out shopping, it’s safer to do so via your cellular
network.
8. Consider using your tablet
If you have a Linux-based device – such as a Samsung tablet or another device that runs the
Linux operating system – it may be safer to use that for online transactions. Apple iPads may
also be less likely to be exploited while you’re shopping online – provided that your device has
not been jailbroken. However, always remember to avoid using a public Wi-Fi network – or
there’s a risk your passwords and other data could be stolen.
9. Before using the site, check out the security/encryption software it uses.
10. Make sure you are purchasing merchandise from a reputable source.
11. Send them e-mail to see if they have an active e-mail address and be wary of sellers who use
free e-mail services where a credit card wasn't required to open the account.
Consider not purchasing from sellers who won't provide you with this type of information.
12. Check with the Better Business Bureau from the seller's area.
13. Check out other websites regarding this person/company.
14. Don't judge a person/company by their website.
15. Be cautious when responding to special offers (especially through unsolicited e-mail).
16. Be cautious when dealing with individuals/companies from outside your own country.
17. Make sure the transaction is secure when you electronically send your credit card numbers.
18. Trust your instincts. If you don't feel comfortable buying or bidding on an item over the
web, or if you feel pressured to place your order immediately, maybe you shouldn't.
19. Be knowledgeable about web-based auctions. Take special care to familiarize yourself not
only with the rules and policies of the auction site itself but with the legal terms (warranties,
refund policy, etc.) of the seller's items that you wish to bid on.
20. Double check pricing. Be suspicious of prices that are too good to be true. Also consider
carefully whether you may be paying too much for an item, particularly if you're bidding
through an auction site. You may want to comparison shop, online or offline, before you buy.
Make sure there are not extra shipping or handling costs.
21. Find and read the privacy policy. Read the privacy policy carefully to find out what
information the seller is gathering from you, how the information will be used, and how you
can stop the process. If a site does not have a privacy policy posted, you may not want to do
business with it. If it does have a privacy policy, there will probably be a link to it from the
seller's home page, or it could be included with the Legal Terms.
22. Review the return, refund, and shipping and handling policies as well as the other legal
terms. If you can't find them, ask the seller through an e-mail or telephone call to indicate
where they are on the site or to provide them to you in writing.
23. Make sure the Internet connection is secure. Don't trust a site just because it claims to be
secure. Before you give your payment information, check for indicators that security software
is in place.
24. Print the terms. You should print out and date a copy of terms, conditions, warranties, item
description, company information, even confirming e-mails, and save them with your records
of your purchase.
25. Insure the safe delivery of your item. If you're concerned you may not be home when your
package is delivered and that someone may take it if it is left on the doorstep, ask whether you
can specify that the shipper must receive a signature before leaving the package. Or, it may be
safer to have the package delivered to your office.
26. Inspect your purchase. Look at your purchase carefully as soon as you receive it. Contact the
seller as soon as possible if you discover a problem with it. Tell the seller in writing about any
problems you have, ask for a repair or refund, and keep a copy of your correspondence.
Security for your online purchases:
Before purchasing online, you should assess the security of both your computer and the seller's
systems. You can limit the risk of identity theft by shopping only on websites that disclose an effective
data security policy. A data security policy explains how an online seller aims to protect your
personal information. When guarding yourself against Internet crimes, also consider your payment
options, account security, and malware protection.
How can I tell how an online seller secures my personal information?
Many online sellers describe their methods of protecting your personal information in the security,
privacy, or FAQ section of their website. Typically, the description of a data security policy discusses
technological security, physical security, and other relevant issues.
What happens if my personal information is stolen from an online seller that I have done business
with?
Most online sellers will notify customers, affected businesses, and law enforcement agencies when a
data breach occurs. The notification letter to customers usually describes how personal information
was compromised and the seller's response to the data breach. While federal law generally does not
mandate data breach notification to consumers, most states do require such notification.
What should I do if I am notified of a data breach?
Once you receive notification of a data breach, you should immediately place a fraud alert on your
credit files. Instructions for placing a fraud alert can be found here. You should also monitor your
accounts for evidence of unauthorized transactions. Some sellers offer free credit-monitoring
services after a data breach to mitigate its effects. Check with the seller to find out if it offers these
protections.
What if there are unauthorized charges on my credit card?
If you find charges on your credit card statement that you do not recognize, you should contact the
issuer of the credit card. Federal law allows you to dispute and obtain records of the fraudulent
actions resulting from the theft. The Fair Credit Reporting Act requires the seller (and other targeted
businesses) to provide you and/or law enforcement agencies with transaction records related to the
identity theft within 30 days of your written request.
How does the payment method I use affect the security of online shopping?
When selecting a payment method, you should give some thought to security. Most online sellers
accept a variety of payment methods to make purchases, such as credit cards, debit cards, checks,
prepaid cards, and gift cards. Some sellers accept payment through third-party payment processors
such as PayPal, Google Wallet, and Amazon Payments.
Third-party payment processors pay the seller directly so you can avoid submitting payment
information to the seller, which reduces the risk of dealing with a seller you are not familiar with.
Some credit card companies allow you to reduce the risk of fraud by offering single-use or virtual
credit card numbers. Most major card issuers offer zero-liability policies, so that if your card is used
fraudulently you will not have to pay anything. This goes beyond the requirements of federal law,
which limits your liability to $50.
If you are uncomfortable submitting your payment information online, some sellers allow you to pay
by phone or fax, or through the mail (a small additional fee may be assessed). Keep in mind that any
payment information you submit offline likely is stored on the seller's servers.
Why does password security matter?
Your accounts with online sellers generally require a password for access. Anyone who obtains your
password can access the account and make purchases without your knowledge, or acquire your
personal information. So guard your accounts with strong passwords, and never disclose a password
except when accessing the account yourself.
Records: How should you keep records about your purchase?
What documents should you keep when purchasing online?
A printout of the web pages indicating the seller's name, postal address, and telephone number;
A printout of the web pages describing the item(s) that you ordered;
A printout of the web pages or pop-up screens that provide the seller's legal terms;
Printouts of any e-mail messages (for example, confirmation messages) that you send to or
receive from the seller. This includes:
Those that might show that the seller indicated that the product would be suitable for the specific
purpose for which you needed it,
Those in which you notify the seller of problems with the merchandise that you have received; and
Those that would show your good faith attempt to resolve with the merchant a charge that you do
not feel should have been made to your credit card.
Notes or e-mail confirmations of any telephone conversations that you have with the seller.
Smartphones
1. Auto-lock your phone. They're small, we carry them everywhere, and unfortunately mobile phones are lost or stolen all too often. If your phone falls into the wrong hands, a password is the first line of defense for your personal data. To keep your information private, create a strong password for your phone and set your screen to auto-lock within five minutes. Arrange phone settings so a password is required to wake up your phone after an inactive period. Use a password that's different from your others (ATM, email accounts, online bill-paying accounts). Encrypt smartphones used for sensitive business communications, activate a timeout password and install an updated anti-malware program and on-device personal firewall.
2. Keep your apps and device software up to date. Hackers work diligently to discover new vulnerabilities in our apps or the software that operates our phones. Device manufacturers and app developers frequently update their software to fix newly exploited security gaps, but if you don't download and install these updates your information is still at risk.
3. Use discretion when downloading apps. One of the most exciting things about getting a new Smartphone is downloading all the great apps that are available. Unfortunately, even the most innocent-looking app can contain software designed to steal personal data, make fraudulent charges or even hijack your phone. Only download apps from sites you trust, check the app's rating and read reviews to make sure they're widely used and respected before you download.
4. Don't open unfamiliar attachments, emails or text messages from unknown sources. They're likely to be harmful. Be judicious about the type of applications that you download. Many apps come with spyware or other malicious software. Consider using a more secure computer for sensitive tasks such as online banking.
5. Stick to window-shopping on public WiFi. Public WiFi networks have become ubiquitous, but security for these networks is scarce. Be careful what you do on public WiFi networks as there may be others watching network traffic. In particular stay away from making purchases and banking transactions—any communication that conveys a password, account number or credit card number—unless you are certain that you are on a secure connection.
6. Protect your phone like you protect your PC. Most people already use software to shield their PC from viruses and spyware. With so much personal data on our phones and mobile malware on the rise, our mobile devices now need the same attention. Protect yourself and your private data from malware, spyware and malicious apps by downloading a reputable security app.
7. Password-protect your mobile device and voicemail with a PIN. Make the password strong and hard to guess by using numbers, upper- and lower-case letters, and at least one symbol. Memorize your PIN. Don't record it on anything you carry with you. Change your PIN periodically. Use "strong" PINs that are hard to guess. These will have numbers, upper- and lowercase letters, and at least one symbol. Never use a PIN (or password) with the last four digits of your Social Security number, your date of birth, your middle name or anything else that's easily guessed or subject to ready access via other sources.
8. Keep records. Make a physical list of everything on your Smartphone—all the accounts and documents (or types of documents) it can access.
9. Don't Save Information. Delete voice and text messages with financial or personal information.
10. Data-wipe mobile devices. Use programs to destroy a device's data if the password is entered incorrectly a certain number of times—say
11. Software. Take advantage of software that locks the phone or erases the data remotely if the phone is lost or stolen.
Text Message Safety
Here are a few steps to prevent text message spam:
1. Delete text messages that ask you to confirm or provide personal information: Legitimate companies don't ask for information like your account numbers or passwords by email or text.
2. Don't reply, and don't click on links provided in the message: Links can install malware on your computer and take you to spoof sites that look real but whose purpose is to steal your information.
3. Treat your personal information like cash: Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. Don't give them out in response to a text.
4. If you are an AT&T, T-Mobile, Verizon, Sprint or Bell subscriber, you can report spam texts to your carrier by copying the original message and forwarding it to the number 7726 (SPAM), free of charge.
5. Review your cell phone bill for unauthorized charges, and report them to your carrier.
6. To block spam messages - but not all incoming texts from friends and family - call your carrier's customer service number (usually 611) and instruct them to "Block all text messages sent to you as email" and "Block all multimedia messages sent to you as email." You also might be able to log into your account online and activate these blocks there.
7. If dialing 611 or going into your phone settings online does not slow down spam, check with your mobile provider about other options to block future spam messages.
8. Set up and use a free email account that's only for things like promotions, contests, and the like. This way, you can easily segregate those messages from your personal and work correspondence.
More prevention tips:
1. Attacks using verification codes to bypass 2 Factor Authentication. Be suspicious of SMS messages asking about verification codes, particularly if they request one from you. Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.
2. Don't fall for texts from your network which ask for details. Your phone network will often text you – if you're abroad, for instance, to warn of data roaming rates. But networks won't ever ask you to confirm or verify your details. If you see a "security" text which asks for a password, or any other details, don't click the link, and don't call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).
3. If you see a "business" phone number in a text, it's no guarantee it's real. Many SMS phishing attacks will include "toll free" numbers that look like legitimate business ones – they're not.
4. Don't reply with "STOP" if you're being spammed; contact your network instead. If you're being spammed repeatedly, and the SMS contains an instruction to text back with "STOP" to cut off the emails, don't. This will simply tell the spammers that you're there, and they'll intensify their attacks. Your network will be able to block SMS from specific numbers.
5. Be very suspicious of "special offers", especially ones where you have to "act fast". Phishers commonly send out SMS attacks in the form of "special offers" from big companies – such as a $1,000 gift card, where only a limited number are available, and you have to click a link to cash in.
6. High-value "special offers" that sound too good to be true usually are. If it's your local pizza place offering two-for-one on Tuesdays, you might be safer. Think first, and think hard if you're being asked to click a link.
7. Set your phone to block apps from unknown sources. Many SMS phishing attacks aim to fool you into installing malicious apps – particularly on Android. As a precaution, block installation from unknown sources (it's in Android's Settings menu). If you have to unblock this (for instance to install a work app), set it back to "blocked" when you've finished. If you do make a mistake, this gives you another line of defense. It's also worth using Google's built-in "Verify Apps" function, which monitors apps for suspicious activity.
8. Don't fall for texts from your bank which ask for "confirmation details". Your bank may well text you – for instance to confirm a transaction on PC – but bank texts will not, ever, ask you to confirm details, or for passwords. Banks also won't update their apps in this way. If you're suspicious, don't click links, don't call any numbers in the text. Instead, call your bank on its "normal" number – Google it if you don't know – and check whether the text is from them.
9. Don't fall for warnings saying, "Your phone is infected". Recent SMS phishing scams use a bogus "security alert" to scare users into installing fake antivirus apps. Reputable security companies will not "push" products in this way. ESET's Cameron Camp says, "Malware posing as security apps, also known as 'scareware', are some of the most pervasive scams on Android in recent months."
10. Don't trust caller ID. Just because your caller ID displays a phone number or name of a legitimate company you might recognize, it doesn't guarantee the call is really coming from that number or company.
11. Register your number with the National Do Not Call registry at donotcall.gov. Even though criminals and unscrupulous telemarketers may ignore the list, if you are on the list and get a call from a supposed telemarketer, that could be a tip that the offer is bogus. Most legitimate telemarketers obey the rules and laws about contacting consumers. Also, the Web site provides a place where complaints can be filed.
12. Report incidents. Report fraud to www.ftc.gov or call (888) 382-1222. The FTC wants the number and name that appeared on the caller ID as well as the time of day and the information talked about or heard in a recorded message. If you think you've been a victim of a vishing attack you can also contact the Internet Crime Complaint Center. File a complaint with the FCC if you receive an unwanted commercial email message sent to your mobile phone, an autodialed/prerecorded telephone voice message or an unwanted text message to your mobile phone. There is no charge for filing a complaint. Call 1-888-CALL-FCC (1-888-225-5322). For those outside the US, the following numbers can help out. In Canada report vishing or phishing attempts online at the Reporting Economic Crime Online government organization, or call 1-888-495-8501. In the UK, you should make your report directly to the bank indicated in the scam.
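The text-message warning signs listed above (verification-code requests, "confirm your details" texts, urgent offers with a link, bogus "your phone is infected" alerts, look-alike toll-free numbers, and the STOP trap) can be turned into a simple triage routine. The following is an added example, not part of the handbook; the sample messages, placeholder sender numbers and domains, and the heuristics themselves are constructed for illustration.

```python
"""Triage of incoming text messages against the smishing patterns the
handbook describes (verification-code requests, 'confirm your details',
urgent offers with links, bogus infection alerts, look-alike toll-free
numbers). Added example, not from the original handbook; the sample
messages and the heuristics are constructed for illustration only."""
from __future__ import annotations

import re
from dataclasses import dataclass

LINK_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# North American toll-free prefixes; a toll-free number in a text is no
# proof the sender is the business it claims to be.
TOLL_FREE_RE = re.compile(
    r"\b(?:1[-.\s]?)?8(?:00|33|44|55|66|77|88)[-.\s]?\d{3}[-.\s]?\d{4}\b")

# (reason, pattern): a message is suspicious when any pattern matches.
INDICATORS = [
    ("asks you to send back a verification code",
     re.compile(r"(verification|security|one[- ]time)\s*code.*\b(reply|send|enter|provide)\b"
                r"|\b(reply|send|enter|provide)\b.*(verification|security|one[- ]time)\s*code",
                re.I | re.S)),
    ("asks you to confirm or verify account details",
     re.compile(r"\b(confirm|verify|update)\b[^.]*\b(details|account|password|pin|card)\b", re.I)),
    ("urgent special offer that must be claimed via a link",
     re.compile(r"\b(act fast|limited|expires|today only|claim now|hurry)\b", re.I)),
    ("bogus 'your phone is infected' security alert",
     re.compile(r"(phone|device) (is|has been) infected|virus detected|security alert", re.I)),
]

@dataclass
class Sms:
    sender: str
    body: str

@dataclass
class Triage:
    suspicious: bool
    reasons: list[str]
    action: str

def triage(msg: Sms) -> Triage:
    """Classify one text message and say what the handbook advises doing with it."""
    has_link = bool(LINK_RE.search(msg.body))
    reasons = []
    for reason, pattern in INDICATORS:
        if not pattern.search(msg.body):
            continue
        if reason.startswith("urgent") and not has_link:
            continue  # an offer without a link to click is ordinary marketing
        reasons.append(reason)
    if not reasons:
        return Triage(False, [], "no action needed")
    # Supporting indicators: only reported once a primary indicator fired,
    # since links and toll-free numbers also appear in legitimate texts.
    if TOLL_FREE_RE.search(msg.body):
        reasons.append("includes a toll-free number that may not be the company's real one")
    if has_link:
        reasons.append("contains a link")
    if any("account details" in r for r in reasons):
        action = ("do not click, reply or call numbers in the text; contact the bank or "
                  "carrier on its published number")
    else:
        action = "do not reply (not even STOP); delete it and forward it to 7726 (SPAM)"
    return Triage(True, reasons, action)

# Constructed sample messages (sender numbers and domains are placeholders).
SAMPLES = [
    Sms("+15555550101", "Your bank: unusual login detected. Confirm your account details at "
                        "http://secure-login.example/verify or call 1-888-555-0199"),
    Sms("+15555550102", "Did you request a verification code? Reply with the code we just sent to cancel."),
    Sms("+15555550103", "Congrats! You've won a $1,000 gift card. Limited supply, act fast: "
                        "www.prize.example/claim"),
    Sms("+15555550104", "SECURITY ALERT: your phone is infected! Install AntiVirus Pro now http://av.example/fix"),
    Sms("+15555550105", "Your verification code is 482913. Do not share it with anyone."),
    Sms("+15555550106", "Tony's Pizza: two-for-one on Tuesdays. Show this text at the counter."),
    Sms("+15555550107", "Welcome to France. Data roaming is charged at 0.10 per MB. Reply STOP to opt out."),
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = triage(sms)
        flag = "SUSPICIOUS" if result.suspicious else "ok"
        print(f"{flag:10} {sms.body[:60]!r}")
        for r in result.reasons:
            print(f"           - {r}")
        print(f"           action: {result.action}")
```

Note that the genuine one-time-code message and the carrier's roaming notice pass, because they only tell you something and never ask you to send anything back.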
Instant messaging
Instant messaging (IM) has some of the same security and privacy risks as e-mail, but there are a few unique dangers that you should be aware of.
1. Choose a nonidentifiable, nongender-specific screen name.
2. Never give out any personal information using IM. That means your real name, telephone or cell phone number[s], mailing address, passwords, banking details etc.
3. Never accept files or downloads from people you don't know or from people you do know, if you weren't expecting them. This includes URLs.
4. Never arrange to meet someone offline that you only know through IM conversations.
5. Never open pictures, download files, or click links in messages from people you don't know. If they come from someone you do know, confirm with the sender that the message (and its attachments) is trustworthy. If it's not, close the instant message.
6. Be careful when creating a screen name. Each IM program asks you to create a screen name, which is similar to an e-mail address. Your screen name should not provide or allude to personal information.
7. Create a barrier against unwanted instant messaging. Do not list your screen name or e-mail address in public areas (such as large Internet directories or online community profiles) or give them to strangers.
8. Some IM services link your screen name to your e-mail address when you register. The easy availability of your e-mail address can result in your receiving an increased number of spam and phishing attacks.
9. Never provide sensitive personal information, such as your credit card numbers or passwords, in an IM conversation.
10. Only communicate with people who are on your contact or buddy lists.
11. If you decide to meet a stranger that you know only from IM communication, take appropriate safety precautions. For example, do not meet that person alone (take a friend or parent with you), and always meet and stay in a public place, such as a cafe.
12. Don't send personal or private instant messages at work. Your employer might have a right to view those messages.
13. If you use a public computer, do not select the feature that allows you to log on automatically. People who use that computer after you may be able to see and use your screen name to log on.
14. Monitor and limit your children's use of IM. One way to do this is to sign up for Windows Live Family Safety. If you use Windows Vista, it comes with parental controls built-in.
15. When you're not available to receive messages, be careful how you display this information to other users. For example, you might not want everyone on your contact list to know that you're "Out to Lunch."
Using mobile devices in public
With people increasingly using tablets in public places, users are at risk of sharing more than they might want to with the people around them. If others can clearly see what you're doing with your device, it can put your privacy at risk.
Protect Your Smart Device
1. Consider your surroundings and use your device discreetly at locations in which you feel unsafe.
2. Never leave your device unattended in a public place. Don't leave it visible in an unattended car; lock it up in the glove compartment or trunk.
3. Write down the device's make, model number, serial number and unique device identification number - either the International Mobile Equipment Identifier (IMEI), the Mobile Equipment Identifier (MEID) number or the Electronic Serial Number (ESN) - which you may find in your device settings or printed on a label affixed to your device underneath the battery. The police may need this information if the device is stolen or lost.
4. Review your warranty or service agreement to find out what will happen if your phone is stolen or lost. If the policy is not satisfactory, you may wish to consider buying device insurance.
How to Protect the Data on Your Phone
1. Establish a password to restrict access. Should your device be stolen or lost, this will help protect you from both unwanted usage charges and from theft and misuse of your personal data.
2. Install and maintain anti-theft software.
Apps are available that will:
Locate the device from any computer;
Lock the device to restrict access;
Wipe sensitive data from the device, including contacts, text messages, photos, emails, browser histories and user accounts such as Facebook and Twitter;
Make the device emit a loud sound ("scream") to help the police locate it.
3. Make your lock screen display contact information, such as an e-mail address or alternative phone number, so that the phone may be returned to you if found. Avoid including sensitive information, such as your home address.
Be careful about what information you store. Social networking and other apps may allow unwanted access to your personal information.
What to Do if Your Wireless Device Is Stolen
1. If you are not certain whether your device has been stolen or if you have simply misplaced it, attempt to locate the device by calling it or by using the anti-theft software's GPS locator. Even if you may have only lost the device, you should remotely lock it to be safe.
2. If you have installed anti-theft software on your device, use it to lock the phone, wipe sensitive information, and/or activate the alarm.
3. Immediately report the theft or loss to your carrier. You will be responsible for any charges incurred prior to when you report the stolen or lost device.
4. If you provide your carrier with the IMEI, MEID or ESN number, your carrier may be able to disable your device and block access to the information it carries. Request written confirmation from your carrier that you reported the device as missing and that the device was disabled.
If the device was stolen, also immediately report the theft to the police, including the make and model, serial and IMEI, MEID or ESN number. Some carriers require proof that the device was stolen, and a police report would provide that documentation.
Safeguard Your Mobile Wallet Smartphone
1. Consider your surroundings and use your Smartphone or mobile device discreetly.
2. Do not use mobile wallet services to conduct financial transactions over an unsecured Wi-Fi network.
3. Never leave your Smartphone unattended in a public place. Don't leave it visible in an unattended car; lock it up in the glove compartment or trunk.
4. The police may need your Smartphone's unique identifying information if it is stolen or lost. Write down the make, model number, serial number, and unique device identification number (either the International Mobile Equipment Identifier (IMEI) or the Mobile Equipment Identifier (MEID) number). Some phones display the IMEI/MEID number when you dial *#06#. The IMEI/MEID can also be found on a label located beneath the phone's battery or on the box that came with your phone.
5. Review the service agreement for the financial account used in your mobile wallet to find out what will happen and who to contact if your Smartphone is stolen or lost, or if your mobile wallet application is hacked.
6. Monitor the financial account used in your mobile wallet for any fraudulent charges.
7. Choose a unique password for your mobile wallet. Should your Smartphone be lost or stolen, this may help protect you from both unwanted charges and from theft and misuse of your personal data.
8. Install and maintain security software. Apps are available to:
Locate your Smartphone from any computer;
Lock your Smartphone to restrict access;
Wipe sensitive personal information and mobile wallet credentials from your Smartphone; and
Make your Smartphone emit a loud sound ("scream") to help you or the police locate it.
9. Adjust your "locked screen" display to show your contact information so that your Smartphone may be returned to you if found.
10. Be careful about what information you store. Social networking and other apps may pose a security risk and allow unwanted access to your personal information and mobile wallet data.
What to Do if Your Mobile Wallet Smartphone Is Stolen
1. If you are not certain whether your Smartphone or mobile device has been stolen or if you have simply misplaced it, attempt to locate the Smartphone by calling it or by using the security software's GPS locator. Even if you may have only lost the Smartphone, you should remotely lock it to be safe.
2. If you have installed security software on your Smartphone, use it to lock the device, wipe sensitive personal information, and/or activate the alarm.
3. Immediately report the theft or loss to your wireless carrier. You will typically be responsible for any charges incurred prior to when you report the stolen or lost Smartphone. If you provide your carrier with the IMEI or MEID number, your carrier may be able to disable your Smartphone, your mobile wallet services, and block access to your personal information and sensitive mobile wallet data. Request written confirmation from your carrier that you reported the Smartphone as missing and that the Smartphone was disabled.
4. If your Smartphone or mobile device was stolen, also immediately report the theft to the police, including the make and model, serial and IMEI or MEID number. Some carriers require proof that the Smartphone was stolen, and a police report can provide that documentation.
5. If you are unable to lock your stolen or lost Smartphone, change all of your passwords for mobile wallet services and banking accounts that you have accessed using your Smartphone service.
Mobile apps
If you have a smartphone or other mobile device, you probably use apps - to play games, get turn-by-turn directions, access news, books, weather, and more. Easy to download and often free, mobile apps can be so much fun and so convenient that you might download them without thinking about some key considerations: how they're paid for, what information they may gather from your device, or who gets that information.
Mobile App Basics
What's a mobile app? A mobile app is a software program you can download and access directly using your phone or another mobile device, like a tablet or music player.
What do I need to download and use an app?
You need a smartphone or another mobile device with internet access. Not all apps work on all mobile devices. Once you buy a device, you're committed to using the operating system and the type of apps that go with it. The Android, Apple, Microsoft and BlackBerry mobile operating systems have app stores online where you can look for, download, and install apps. Some online retailers also offer app stores. You'll have to use an app store that works with your device's operating system.
Why are some apps free?
1. Some apps are distributed for free through app stores; the developers make money in a few ways:
2. Some sell advertising space within the app. The app developers can earn money from the ads, so they distribute the app for free to reach as many users as possible.
3. Some apps offer their basic versions for free. Their developers hope you'll like the app enough to upgrade to a paid version with more features.
4. Some apps allow you to buy more features within the app itself. Usually, you are billed for these in-app purchases through the app store. Many devices have settings that allow you to block in-app purchases.
5. Some apps are offered free to interest you in other products. These apps are a form of advertising.
Questions about your privacy
What types of data can apps access?
When you sign up with an app store or download individual apps, you may be asked for permission to let them access information on your device. Some apps may be able to access:
1. your phone and email contacts
2. call logs
3. internet data
4. calendar data
5. data about the device's location
6. the device's unique IDs
7. information about how you use the app itself
Some apps access only the data they need to function; others access data that's not related to the purpose of the app.
If you're providing information when you're using the device, someone may be collecting it - whether it's the app developer, the app store, an advertiser, or an ad network. And if they're collecting your data, they may share it with other companies.
How can I tell what information an app will access or share? It's not always easy to know what data a specific app will access, or how it will be used. Before you download an app, consider what you know about who created it and what it does. The app stores may include information about the company that developed the app, if the developer provides it. If the developer doesn't provide contact information - like a website or an email address - the app may be less than trustworthy.
If you're using an Android operating system, you will have an opportunity to read the "permissions" just before you install an app. Read them. It's useful information that tells you what information the app will access on your device. Ask yourself whether the permissions make sense given the purpose of the app; for example, there's no reason for an e-book or "wallpaper" app to read your text messages.
Why do some apps collect location data? Some apps use specific location data to give you maps, coupons for nearby stores, or information about who you might know nearby. Some provide location data to ad networks, which may combine it with other information in their databases to target ads based on your interests and your location.
Once an app has your permission to access your location data, it can do so until you change the settings on your phone. If you don't want to share your location with advertising networks, you can turn off location services in your phone's settings. But if you do that, apps won't be able to give you information based on your location unless you enter it yourself. Your phone uses general data about its location so your phone carrier can efficiently route calls. Even if you turn off location services in your phone's settings, it may not be possible to completely stop it from broadcasting your location data.
Questions about advertising. Why does the app I downloaded have ads in it? Developers want to provide their apps as inexpensively as possible so lots of people will use them. If they sell advertising space in the app, they can offer the app for a lower cost than if it didn't have ads. Some developers sell space in their apps to ad networks that, in turn, sell the space to advertisers.
Why do I see the ads I do? Advertisers believe you're more likely to click on an ad targeted to your specific interests. So ad networks gather the information apps collect, including your location data, and may combine it with the kind of information you provide when you register for a service or buy something online. The combined information allows the mobile ad network to send you targeted ads - ads that may be relevant to someone with your preferences and in your location.
Malware and Security Concerns. Should I update my apps? Your phone may indicate when updates are available for your apps. It's a good idea to update the apps you've installed on your device and the device's operating system when new versions are available. Updates often have security patches that protect your information and your device from the latest malware.
Could an app infect my phone with malware? Some hackers have created apps that can infect phones and mobile devices with malware. If your phone sends email or text messages that you didn't write, or installs apps that you didn't download, you could be looking at signs of malware. If you think you have malware on your device, you have a few options: you can contact customer support for the company that made your device; you can contact your mobile phone carrier for help; or you can install a security app to scan and remove apps if it detects malware. Security apps for phones are relatively new; there are only a few on the market, including some with free versions.
Mobile App User Reviews. Can I trust all the user reviews I read about an app? Most app stores include user reviews that can help you decide whether to download. But some app developers and their marketers have posed as consumers to post positive comments about their own products. In fact, the Federal Trade Commission recently sued a company for posting fake comments about the apps it was paid to promote.
Apple iPhone Safety
To prevent losses associated with fraudulent apps, we suggest all iOS users read the reviews and check ratings before buying an application. Do not believe in magical features that do not exist in your phone; no app is able to do things that Apple does not allow.
If you were the victim of such apps, you can try asking Apple to refund your money by following these steps:
1. Open iTunes and select the iTunes Store link in the left-hand column;
2. Near the top right corner, click the arrow next to your username (email address) and then select Account;
3. About halfway down the screen, click the Purchase History button;
4. In the bottom portion of the screen, you will see your App Store purchase history - click the Report a Problem button;
5. Locate the iTunes invoice with the application you would like a refund for, and click the Report a Problem link;
6. Fill out the form that follows and be sure to be as detailed as possible - when finished, click Next;
7. If your reason for requesting a refund is valid, Apple should respond within a few days and process your refund within a week.
Android App Safety
When an app is installed, the system will always display the permissions requested. The user can use this at a glance to evaluate an app's intentions. If a relatively simple app, like a wrapper for a website, asks for permission to send and receive SMS messages, that is a serious red flag. In fact, a large number of these so-called "SMS Trojans" are in circulation around the seedier parts of the web. When installed, they text premium rate numbers to rack up charges. The same concern exists for apps that include phone calling permissions; they could call premium rate numbers without the user's knowledge.
Android permissions
1. Another important permission to be on the lookout for is access to the contact list, and Google accounts. If an app has no business looking at this data, there is a chance that it's just malware designed to harvest user data for spamming or phishing scams. The only time one might expect to see this permission is in apps that autocomplete contact names, or handle legitimate messaging actions.
2. Of less concern financially, but still a sign of shady behavior, is the location permission. This can come in either Fine (GPS) or Coarse (Network) varieties. An app that doesn't need this data for its essential function could be using it for something as innocuous as location-aware ads, but there is a darker possibility as well. A questionable app could harvest a user's exact location, store it over time, and sell that to advertisers.
3. The best way to stay safe on Android is to just stick to established apps from the official Android Market or the Amazon Appstore. While bad apps do occasionally show up in the Market, Google removes them swiftly and can remotely kill the apps on phones.
4. Most of the truly dangerous threats have been detected on forums and third-party websites masquerading as well-known apps. Basically, don't install a version of "Cut the Rope" obtained from a Chinese pirated software forum. By leaving the Unknown Sources option disabled in the Android settings, apps cannot even be sideloaded from other sources, which blocks this vector completely.
5. It just takes a little forethought to avoid the most serious Android malware threats out there. Sticking to the official application repositories is a good policy, as is checking out the permissions for an app. Users might even prefer to leave the Unknown Sources option disabled. There is now good evidence that free Android antivirus apps just don't work, and could even cause users to believe they are protected, and thus take more risks. Paid antivirus apps work better, detecting more threats, but still fall short of the mark. In the end, it is still very much up to the user to be on the lookout for suspicious behavior in order to stay safe.
Mobile banking
Mobile banking offers account access with the same tight security measures as its full desktop website counterpart.
By following these steps, it is possible to make things much harder for criminals and to significantly lower your safety risks:
1. Always use a PIN or gesture code to lock mobile devices. If a physical device falls into the hands of a criminal, the first thing they should be faced with is security, particularly where access to finances and other data is concerned.
2. Only use official routes to communicate with financial institutions. Ensuring users stick to the official ways of contacting and receiving information from their banks is key. Mobile banking shouldn't dramatically change the way banks communicate, so ignoring links to sites in emails requesting details, unusual texts or other messages, is advice as worth noting when using a Smartphone as it is when using a desktop PC, tablet or laptop.
3. Be aware of connection services. Public Wi-Fi is far easier to 'sniff' for data than mobile data connections provided by a network operator. Unless the user is 100% sure of the security, or trusts the connection on offer, think twice about dealing with personal finances over it. Installing trusted security software, like Norton Mobile Security or Norton Tablet Security, will help prevent malware - the cybercriminal's number one tool - from logging keystrokes or gaining access to a device. It can also scan emails to provide support in avoiding phishing attacks seeking bank account information.
4. Be careful what you download. It's possible that mobile banking sessions could come under threat from code carried by other applications downloaded. While security software can scan for threats on a device, be aware of information entered onto a device and try to stick to well-regarded or official sources of applications or content.
5. Read the fine print. Does your financial institution's app allow you to delete all banking-related messages, pictures and other data saved on the phone? Can you disable the feature that automatically signs you into your online bank account the minute your phone is turned on? Once connected to your account, will the app automatically disconnect after a certain period of inactivity?
6. Set up your phone to encrypt data. Make sure your phone has an application to encrypt all stored data. Then, use it to protect sensitive messages from your financial institution and pictures of valid checks. Photos of checks and other sensitive banking data may be stored on your phone's memory expansion card. Even if the phone itself is secured with encryption, the card probably is not. Note that older phones may not have enough power to run encryption software.
7. Download anti-virus software and enable firewall protection for your cell phone. Make sure to update it regularly.
8. Never respond to email messages from your bank that request personal information. Banks or Credit Unions never ask for this information by email. Mark it as spam, and delete it. Next, delete all your cached content (sent messages, received messages, etc.) on a regular basis. Finally, check your browser security settings to help filter out phishing emails.
9. Be skeptical about text messages. Before opening a text that appears to be from your bank, and especially before hitting "reply," call your financial institution first to make sure the message is actually from them.
Android
Download apps only from the Google Play Store
Indeed, the most 'dangerous' thing about Android is not the OS itself, but apps that a user can install. Contrary to iOS, installing an app by oneself or with 'help' from another user is super easy on Android. Just never download an app from third-party platforms and websites: they might be infected. It is easier to fully disable this capability in settings and deploy an integrated app security check. Also, say no to root access, as it significantly elevates the risks of running into infected applications.
How it helps: significantly lowers your chances of getting malware.
How to set it: go to "Settings" -> "Security", un-check the "Unknown Sources" box, check "Verify Apps."
Watch out for app permissions
First, you'd want to install apps only by known developers, or rely on Google recommendations. Second, check the apps' permissions every time you install to see what exactly a certain app is asking to access. If a wallpaper app or game wants to access your accounts, SMS, mic, location and to enjoy unlimited Internet, that looks fishy.
How it helps: significantly lowers your chances of getting malware.
How to set it: upon installation, the list of permissions is shown on the screen, and also there is the "See Permissions" link on the bottom of the app page. If a suspicious app has been installed already, go to "Google Settings" -> "Enabled Apps" and disable the ones you don't want to run.
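The permission review described in the "Android App Safety" and "Android permissions" section and again under "Watch out for app permissions" (SMS and calling permissions that can run up charges, contact and account access that can feed spam or phishing, location access that can track you, and a developer with no contact details) can be written down as a checklist that compares what an app asks for against what an app of its kind plausibly needs. The following is an added example and not the handbook's or Google's code; the app categories, the expected-permission map and the sample store listings are constructed, while the permission strings are Android's real android.permission.* names.

```python
"""Heuristic review of an Android app's requested permissions, in the
spirit of the handbook's advice to ask whether each permission makes
sense for what the app does. Added example, not from the original
handbook: the app categories, the expected-permission map and the sample
listings are constructed; the permission strings are Android's real
android.permission.* names."""
from __future__ import annotations

from dataclasses import dataclass

# Permissions the handbook singles out, with why each matters.
DANGEROUS = {
    "android.permission.SEND_SMS": "can text premium-rate numbers and run up charges",
    "android.permission.RECEIVE_SMS": "can read incoming texts, including one-time codes",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.CALL_PHONE": "can dial premium-rate numbers",
    "android.permission.READ_CONTACTS": "can harvest contacts for spam or phishing",
    "android.permission.GET_ACCOUNTS": "can enumerate the Google and other accounts on the device",
    "android.permission.ACCESS_FINE_LOCATION": "can track exact (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "can track approximate (network) location",
    "android.permission.RECORD_AUDIO": "can use the microphone",
}

# Permissions that could run up charges directly.
BILLING = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

# Constructed map of app category -> dangerous permissions it plausibly needs.
# A category not listed here (wallpaper, game, ebook, or anything unknown)
# is expected to need none of them.
EXPECTED = {
    "messaging": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS", "android.permission.READ_CONTACTS"},
    "dialer": {"android.permission.CALL_PHONE", "android.permission.READ_CONTACTS"},
    "maps": {"android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION"},
    "voice-recorder": {"android.permission.RECORD_AUDIO"},
}

@dataclass
class AppListing:
    name: str
    category: str
    permissions: list[str]
    developer_contact: str = ""  # website or e-mail shown on the store page, if any

def unexpected_permissions(app: AppListing) -> list[str]:
    """Dangerous permissions the app asks for that its category does not explain."""
    allowed = EXPECTED.get(app.category, set())
    return [p for p in app.permissions if p in DANGEROUS and p not in allowed]

def review_app(app: AppListing) -> list[str]:
    """Human-readable findings; an empty list means nothing looked out of place."""
    findings = []
    for perm in unexpected_permissions(app):
        short = perm.rsplit(".", 1)[-1]
        findings.append(f"{app.category} app requests {short}: {DANGEROUS[perm]}")
    if not app.developer_contact:
        findings.append("developer provides no contact information on the store page")
    return findings

def risk_level(app: AppListing) -> str:
    """'high' if it could run up charges, 'medium' if it could harvest data or
    track you, 'low' if the only finding is a missing developer contact, else 'ok'."""
    unexpected = set(unexpected_permissions(app))
    if unexpected & BILLING:
        return "high"
    if unexpected:
        return "medium"
    if not app.developer_contact:
        return "low"
    return "ok"

# Constructed sample listings (names and contacts are placeholders).
SAMPLE_APPS = [
    AppListing("Sunset Wallpapers", "wallpaper",
               ["android.permission.INTERNET", "android.permission.SEND_SMS",
                "android.permission.READ_CONTACTS"]),
    AppListing("QuickText", "messaging",
               ["android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                "android.permission.READ_CONTACTS"], "support@example.test"),
    AppListing("Block Puzzle", "game",
               ["android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"],
               "https://example.test"),
    AppListing("Classic Reader", "ebook", ["android.permission.INTERNET"]),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(f"{app.name}: risk {risk_level(app)}")
        for finding in review_app(app):
            print(f"  - {finding}")
```

The same permissions are fine for the messaging app and a red flag for the wallpaper app, which is the point the handbook makes: judge each permission against the app's purpose, not in isolation.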
Usestrongpasswords
Thisismoreofa‘one-size-fits-all’tip.Tounlockyourphone,usesophisticatedpasswords,notaPIN
orgraphiccode.Thebestsolutionisapasswordthatcontainsatleasttencharacters,includinglower
caseanduppercaseletters,numbers,andsymbols.Butit’snoteasytoenterthatmanysymbolseach
timethatyouunlockyourphone,soyoushouldtryseveralpasswordstofindtheoptimalone.The
passwordshouldbechangedonaregularbasis.Also,settheminimalidletimetoenablethelock,and
disabletheoptiontoshowpasswordswhenenteringthem.Notethatmanyappsalsousepasswordbasedsecurity.
Howithelps:significantlylowersthechancesforotherpeopletoaccessyourphoneandits
content.
Howtosetit:goto“Setting”->“Security”->“ScreenLock”andchoose“Password”asa
meansoflockingthescreen.Thengoto“Settings”->“Security”andun-check“Make
passwordsvisible”box.
Encrypt your data
It’s simple! If the data on your phone is encrypted, then no one is able to access it even if the phone is lost or stolen. It is better to choose a password rather than a PIN code because in the current Android version, encryption is based on the password/PIN only and is only as strong as the password is. Android 5.0 should improve upon this.
How it helps: protects data in case your device is lost.
How to set it: go to “Settings” -> “Security” -> “Encrypt Phone”, and check the “Encrypt SD Card” option in addition.
Watch out for your Wi-Fi connections
By default, Android tries to connect to any wireless network you ever accessed. In the case of open access points, it may well be that it is not a hotspot you are used to but rather a malicious hotspot created by a cybercriminal. With that in mind, first try to avoid public hotspots, and second, run a regular audit of your remembered Wi-Fi networks list. Also, disable the default search for open wireless connections.
How it helps: lowers the chances of inadvertently connecting to potentially malicious Wi-Fi networks.
How to set it: go to “Settings” -> “Wi-Fi”, press and hold a remembered hotspot name to call up the menu which allows you to delete the network; go to “Advanced Settings” to un-check “Always Search for Wireless Networks.”
Always use VPN
This tip is especially relevant when using a public hotspot or an untrusted network connection. Using VPN will protect the data you transfer and (as a bonus) allow you to access resources that are somehow restricted on public networks. Today, robust VPN access is not that expensive, and the latest models of home routers have their own VPN servers, making VPN access completely free for you. It is better to use L2TP or OpenVPN, which sport even more reliable protection than the widely used PPTP. To prevent a data leak prior to establishing a VPN connection, do not forget to make VPN ‘always-on’, or disable automatic syncing of your apps.
How it helps: encrypts inbound and outbound data.
How to set it: go to “Settings”, choose “More…” -> VPN in “Wireless Connections and Networks”; in the context menu check “Always-on VPN” and choose the connection; auto-syncing can be disabled in “Settings” -> “Accounts.”
Disable notifications
Even if your phone is locked, different notifications can be pushed to the status bar or to the display. Notifications may include one-time codes to confirm transactions, account status alerts and other sensitive data. Unfortunately, there is no single Android notification center where these can be disabled. Also, many device OEMs use different skins which are not secure in this respect. That means that you will have to disable all app notifications manually.
How it helps: no outsider is able to see your notifications, which might contain sensitive information.
How to set it: go to “Settings” -> “Apps”; choose an app and un-check the “Show notifications” box. In some cases it is even easier to disable notifications in the program’s settings.
Apply settings to Google services
There may be good reasons to set some limits for the search giant, as any leak of Google account information might lead to negative consequences for a user: any culprit able to gain access might not only read your messages but may also find out where you have been, see your photos and contacts and other meaningful things.
How it helps: minimizes damage done in case of data leakage.
How to set it: in the “Google Settings” app, in the “My Location” entry, disable the “Sending Geolocation Data” and “History of Location” options for all accounts; in “Search and Tips,” disable Google Now; in “Android Remote Management” you may want to enable the “Remote Device Search” and “Remote Lock and Reset” options; in the “Google Photo” app, go to “Settings” -> “Auto Back Up” and disable the default automated backup of all of your photos on Google servers.
Get rid of unnecessary apps
See tips 1 and 2 above. The more apps that you have, the higher the risk is that some of them are involved in malicious activities. Also, in the Android world, there is this bad habit of selling devices with tons of pre-installed services and apps. You may not use them, but it doesn’t mean that their creators don’t use you. Some, but not all, of them can be deleted. Refer to an app’s website to know which of them are good to go.
How it helps: minimizes damage done in case of data leakage.
How to set it: go to “Settings” -> “Apps” -> “All,” tap on the app you need to delete in the list and press “Wipe data” and “Disable”.
Use two-factor authentication for Google and other apps
Two-factor authentication is likely the best method to ensure maximum user account security available today. It is simple: besides using the password, it requires you to also enter a one-time code sent via text message or within specialized apps or even hardware. Without this code, an intruder cannot log in to your accounts, even if they have laid hands on your password.
How it helps: significantly lowers the chances of an outsider using your accounts.
How to set it: go to https://accounts.google.com/SmsAuthConfig in your browser and follow the instructions.
iPhone
iPhone safety
1. Smartphones continue to grow in popularity and are now as powerful and functional as many computers. It is important to protect your Smartphone just like you protect your computer to avoid growing mobile cyber threats. Mobile security tips can help you reduce the risk of exposure to mobile security threats.
Understanding passcodes - http://support.apple.com/kb/HT4113
2. Set PINs and passwords. To prevent unauthorized access to your phone, set a password or Personal Identification Number (PIN) on your phone’s home screen as a first line of defense in case your phone is lost or stolen. When possible, use a different password for each of your important log-ins (email, banking, personal sites, etc.). You should configure your phone to automatically lock after five minutes or less when your phone is idle, as well as use the SIM password capability available on most smartphones.
3. Do not modify your Smartphone’s security settings. Do not alter security settings for convenience. Tampering with your phone’s factory settings, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and Smartphone, while making it more susceptible to an attack.
Backup and restore overview - http://support.apple.com/kb/HT4859
4. Back up and secure your data. You should back up all of the data stored on your phone - such as your contacts, documents, and photos. These files can be stored on your computer, on a removable storage card, or in the cloud. This will allow you to conveniently restore the information to your phone should it be lost, stolen, or otherwise erased.
5. Only install apps from trusted sources. Before downloading an app, conduct research to ensure the app is legitimate. Checking the legitimacy of an app may include such things as: checking reviews, confirming the legitimacy of the app store, and comparing the app sponsor’s official website with the app store link to confirm consistency. Many apps from untrusted sources contain malware that once installed can steal information, install viruses, and cause harm to your phone’s contents. There are also apps that warn you if any security risks exist on your phone.
6. Understand app permissions before accepting them. You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone. Make sure to also check the privacy settings for each app before installing.
- Apple iOS: Set up Find My iPhone - http://support.apple.com/kb/PH2697
- Apple iOS: Locate your device on a map - http://support.apple.com/kb/PH2698
- Apple iOS: Lock and track your device - http://support.apple.com/kb/PH2700
7. Install security apps that enable remote location and wiping. An important security feature widely available on smartphones, either by default or as an app, is the ability to remotely locate and erase all of the data stored on your phone, even if the phone’s GPS is off. In the case that you misplace your phone, some applications can activate a loud alarm, even if your phone is on silent. These apps can also help you locate and recover your phone when lost.
8. Accept updates and patches to your Smartphone’s software. You should keep your phone’s operating system software up-to-date by enabling automatic updates or accepting updates when prompted from your service provider, operating system provider, device manufacturer, or application provider. By keeping your operating system current, you reduce the risk of exposure to cyber threats.
How to update your iPhone - http://support.apple.com/kb/HT4623
9. Be smart on open Wi-Fi networks. When you access a Wi-Fi network that is open to the public, your phone can be an easy target of cybercriminals. You should limit your use of public hotspots and instead use protected Wi-Fi from a network operator you trust or a mobile wireless connection to reduce your risk of exposure, especially when accessing personal or sensitive information. Always be aware when clicking web links and be particularly cautious if you are asked to enter account or log-in information.
10. Wipe data on your old phone before you donate, resell or recycle it. Your Smartphone contains personal data you want to keep private when you dispose of your old phone. To protect your privacy, completely erase data off of your phone and reset the phone to its initial factory settings. Now, having wiped your old device, you are free to donate, resell, recycle or otherwise properly dispose of your phone.
Understanding ‘erase all contents and settings’ - http://support.apple.com/kb/ht2110
11. Report a stolen Smartphone. The major wireless service providers, in coordination with the FCC, have established a stolen phone database. If your phone is stolen, you should report the theft to your local law enforcement authorities and then register the stolen phone with your wireless provider. This will provide notice to all the major wireless service providers that the phone has been stolen and will allow for remote “bricking” of the phone so that it cannot be activated on any wireless network without your permission.
Social media
Use caution when you click links that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages.
1. Don't trust the sender information in an e-mail message. Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message. Fraudsters can easily spoof the identity information in an e-mail message.
2. Know what you've posted about yourself. A common way that hackers break into financial or other accounts is by clicking the "Forgot your password?" link on the account login page. To break into your account, they search for the answers to your security questions, such as your birthday, hometown, high school class, or mother's middle name. If the site allows, make up your own password questions, and don't draw them from material anyone could find with a quick search.
3. Think twice before sharing personal information that would make you vulnerable. Social networking means opening up and sharing information online with others, but there's some information you should never share online. Protecting yourself from sharing Too Much Information (TMI) can save you from identity theft and even protect your physical safety. So let's start with the obvious - never share your social security number (including even just the last 4 digits), your birth date, home address or home phone number (although sharing your business phone is ok). Of course, you should protect all of your passwords, PIN numbers, bank account and credit card information, and never share the state where you were born, as this information can be used to obtain your social security number and other identity information.
4. Don't trust that a message is really from who it says it's from. Hackers can break into accounts and send messages that look like they're from your friends, but aren't. If you suspect that a message is fraudulent, use an alternate method to contact your friend to find out. This includes invitations to join new social networks.
5. To avoid giving away email addresses of your friends, do not allow social networking services to scan your email address book. When you join a new social network, you might receive an offer to enter your email address and password to find out if your contacts are on the network. The site might use this information to send email messages to everyone in your contact list or even everyone you've ever sent an email message to with that email address. Social networking sites should explain that they're going to do this, but some do not.
6. Type the address of your social networking site directly into your browser or use your personal bookmarks. If you click a link to your site through email or another website, you might be entering your account name and password into a fake site where your personal information could be stolen. For more tips about how to avoid phishing scams, see Email and web scams: How to help protect yourself.
7. Be selective about who you accept as a friend on a social network. Identity thieves might create fake profiles in order to get information from you. According to a recent survey by Harris Interactive, nearly 13 million Americans age 18+ who are on social networking sites will accept any social media connection request from a member of the opposite sex, regardless of whether or not they know that person. That lack of caution can be extremely costly. Most networking sites contain personal information. When you friend someone, you give them access to that information and that can be used by fraudsters.
8. Choose your social network carefully. Evaluate the site that you plan to use and make sure you understand the privacy policy.
9. Use privacy settings - The default settings on most social networking sites allow anyone to see your profile. Customize your settings to restrict access only to certain users. Despite the use of privacy settings, there is still a risk your information could be compromised, so don’t post anything you wouldn’t want the public to see. Review your privacy settings periodically. Find out if the site monitors content that people post. You will be providing personal information to this website, so use the same criteria that you would to select a site where you enter your credit card.
10. Assume that everything you put on a social networking site is permanent. Even if you can delete your account, anyone on the Internet can easily print photos or text or save images and videos to a computer.
11. Be careful about installing extras on your site. Many social networking sites allow you to download third-party applications that let you do more with your personal page. Criminals sometimes use these applications to steal your personal information. To download and use third-party applications safely, take the same safety precautions that you take with any other program or file you download from the web. Use caution when deciding which apps to enable, and modify your settings to limit the amount of information apps can access.
12. Think twice before you use social networking sites at work. If you do, here are some ways to use that access more safely:
- Find out if your company has a policy about visiting certain Web sites using your corporate network.
- When you sign up for a social networking site, use your personal e-mail address, not your company e-mail address.
- Use caution when you click links that you receive in messages from your friends on your social networking site. Treat links in messages on these sites as you would links in e-mail messages.
- Be choosy about who you accept as a "friend" on a social network. Identity thieves may create fake profiles in order to glean information from you. This is known as social engineering.
- Be careful about the information you reveal about your workplace or company on your social networking site. (This is a good rule to follow for blogs too.)
13. Talk to your kids about social networking, if you're a parent of children who use social networking sites.
14. Search yourself. Do regular searches for yourself on a site such as Google. Know where you show up and what information is readily available online about you. Also, check out your social networking profiles as they appear to others and adjust your settings accordingly for privacy and security. You can also set up a Google alert with your name, which could point to suspicious information and whether someone else is using your identity online.
15. Customize privacy options. Social networking sites increasingly give users more control over their own privacy settings. Don't assume you have to take whatever default settings the site gives you. Check out the settings, configuration and privacy sections to see what options you have to limit who and what groups can see various aspects of your personal information.
16. Limit work history details on LinkedIn: If you feel you need the added information to help in a job search, expand the details during the job hunting process and then cut back later after you have a position, leaving just enough information to entice recruiters to contact you with interesting new positions. LinkedIn also offers some capabilities to restrict information. You can close off access by others to your network of contacts, something you don't have to share if you don't want.
17. Don't trust, just verify. There are lots of reasons (most of them bad) why someone might impersonate or falsify an identity online. The question becomes, how can you verify that the page belongs to who you think it does before sharing too much information or clicking on links? Start by being on the lookout for anything unusual or out of the ordinary. If the content on the site doesn't look like or sound like the person you know, avoid it. E-mail or call your friend to verify the site is legit. Let them know, too, if you think someone else is faking your friend's identity online.
18. Avoid accidentally sharing personal details. Social networking sites make it easy to let details slip you wouldn't otherwise tell friends or strangers. Be aware of what information you put out there which others might use for nefarious purposes.
19. Forget the popularity contest. Put a number on something and suddenly you have a competition. The person with the most "friends" isn't necessarily the winner in social networking, unless of course you are running for president or you are in some type of recruiting, sales or media business. That's just more people, including possibly strangers, who now have access to more of your information. It is best to only friend people who really are or have become your friends. Your personal information has less opportunity for misuse. If you do get an unsolicited invite to connect, check them out first and try to figure out why you know them, or if you even do at all.
20. Create a smaller social network. Bigger isn't always better. There's more to social networks than MySpace, Facebook and Twitter. Self-forming communities often form around very narrow topics, and these can easily get lost on the bigger sites. You may be better served creating a smaller, more focused network using tools aimed to help narrow or smaller groups. By narrowing your purpose and using tools appropriate for smaller groups, you can keep unwanted solicitations, invites to connect, applications and spam to a minimum. You'll also find you build closer relationships with community members.
Set up an OpenID account. OpenID is an open source standard for creating a single sign-on to multiple online services and applications.
Facebook Safety
How to Protect Your Facebook Account from Spammers
Review your security settings: Check out Facebook's information on setting your privacy settings to be sure you aren't sharing personal information with strangers. Look here for information on what can be found publicly in search engines.
Who Can Contact You: Click on the padlock icon on the top toolbar (on the right hand side), then click ‘Who can contact me’.
Basic Filtering: By default this is set up as ‘Basic Filtering’ to allow friends and people you may know the opportunity to send you a message. If you want only friends to be able to contact you, you can increase the filtering on your inbox. Other messages will then be diverted to your ‘other’ folder, which you can access from the Messages screen.
Strict Filtering: To do this, click ‘Strict Filtering’ under ‘Whose messages do I want filtered into my Inbox?’ From this area of the screen you can also limit who is able to send you a friend request, choosing between everyone or just friends of your friends.
Friend Requests: Never accept Facebook friend requests from unknown people.
Scammers find your information through Facebook or other social media accounts. Some set up fake accounts and send out friend requests. When you accept the request, they can view your friends and personal and contact information. Other scammers rely on social media users not locking down their privacy settings, so basic information, such as your name, email address and friends' names, is publicly available.
Links: Don't click on strange links, even if they're from friends. Notify the person who sent you the email if you see something suspicious. For example, you receive an email that appears to be sent by a friend or family member. The message addresses you by name, but the content is strange. Usually, it's just a link to a website. If you click on it, you could end up downloading malware to your computer.
Notifications: Consider enabling login notifications, so you will know when someone uses a new device to access your account.
Public Wifi: When accessing Facebook from public wi-fi in places like hotels and airports, text "otp" to 32665 to receive a one-time password to your account.
Timeline Posts: Make sure only your friends can see your timeline posts. While certain elements of your profile are viewed by everyone, many other aspects of your timeline can be blocked.
Future Posts: Make sure all your future posts are locked down. Click on the padlock icon on the top toolbar (on the right hand side), then click ‘Who can see my stuff?’.
Under ‘Who can see my future posts’, choose from: Public, Friends, Only me, Custom (which allows you to limit some of your friends from seeing your posts). Pick what’s best for you, but make sure ‘Public’ isn’t selected. Whatever you choose will then become the default every time you post an update (though you still have the option of selectively changing this for each individual update you post in the future).
Previous Posts: Click the arrowhead on the top toolbar (on the right hand side). Choose 'Settings' > 'Privacy Settings'.
Login Approvals: You can choose to have an extra layer of security when accessing your account from an unknown browser. Facebook will send a code to your phone which you will then need to use to log in.
Click the arrowhead at the top right of any page and choose ‘Settings’, then ‘Security’ from the left hand menu, then 'Login approvals'. Check the box that says ‘Require a security code to access my account from unknown browsers’. Facebook will then take you through the process of setting up login approvals, so click on ‘Get Started’ to begin.
Once you have set up login approvals you will only need to enter a code when you try to log in from a new device. It is a feature that makes it that much harder for a hacker to gain access to your account and as such is well worth enabling. Note: if your browser clears your history on exit, or has private browsing switched on, you may need to enter a code every time you log in.
Privacy Settings: Scammers are tapping into the personal data available through social networks to pose as your friends in fraudulent emails. Watch out for these personalized scam messages and take steps to prevent them.
Click Privacy on the left hand menu, and under ‘Who can see my stuff’, click ‘Limit past posts’. From here you can change all your past post visibility to ‘Friends’.
About Us Section: It’s also worth checking out the visibility of the stuff listed under the ‘About’ section of your profile.
On your timeline, click ‘Update info’ and then click ‘Edit’ next to the area you wish to change the visibility for. Choose from the options of ‘Public’, ‘Friends’, ‘Only me’ or a 'Custom' list of people.
Angler Phishing
What is angler phishing?
This attack is named after the anglerfish, which uses a bioluminescent lure to entice and attack smaller prey. In this case, the glowing lure is a fake customer support account that promises to help your customers but secretly steals their credentials instead.
How does it happen?
Fraudsters create highly convincing fake customer service accounts and then monitor social media channels for customer support requests. Angler phishing hackers often wait to strike on evenings or weekends when your brand is less likely to monitor social media interactions. When the hacker sees a customer contact your brand, they hijack the conversation by responding directly to that customer using their fake support page.
Example 1: Fake customer service accounts on Twitter
Online criminals set up fake customer service accounts to phish for bank login and password information and other sensitive data. These imposter accounts look very similar to that of real businesses, but are often one character off -- or they include an extra underscore or other keyboard character.
When someone tweets at their bank, for example, scam artists will intercept the conversation, and reply to that message with what seems like an authentic answer.
Let's say John tweets [email protected], the hackers were able to intercept his tweet and [email protected] response will lead John to a perfect replica of the bank’s login page. There the hackers can steal his online banking credentials, ATM PIN, security questions and answers, and more.
Example 2: PayPal fraud
In this attack, an angler phisher targeted PayPal users from two fake PayPal Twitter accounts. The tweet encourages recipients to click over to the actual PayPal Twitter account, @PayPal, for assistance in an urgent matter. However, the fraudsters are monitoring the replies on the official PayPal Twitter page in order to sweep up replies to exploit for their attacks.
In addition, when victims receive a reply from the phony PayPal Twitter accounts, they're fooled again, as the reply has the PayPal logo emboldened as an account image, and the handle seems official, except it amends the word “Ask” at the beginning of the handle.
Targets are lured into entering their PayPal credentials into the seemingly legitimate, but fake page. The bad actors are thus provided with the personal information they need to gain access to accounts and transfer out funds held there.
Who is at risk?
Fraudulent customer support accounts are a problem for any business that provides customer service on social media. However, 2016 research from the Anti-Phishing Working Group shows that more than 75% of phishing attempts target financial service and ecommerce organizations to steal banking credentials and make fraudulent purchases.
How can I stop angler phishing attacks?
For Consumers:
Never LOG IN to an account if the link is provided to you through email or social media.
If you are unsure about a link in a social media post, do NOT copy and paste the link in your web browser. You could still end up at the malicious site and potentially load malware on your computer or network. If you are unsure whether a link you received in a post is safe, it is not safe to copy and paste the link in the URL section of your web browser.
Access websites through your web browser. Typing the address of a website directly into your Web browser will ensure that you are going to the legitimate Web site and not a phishing site that was designed to mimic the look of the real thing. Unless the site was hijacked or your computer has a virus, typing the web address yourself is the best way to guarantee the authenticity of a website.
Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication will NOT prevent social engineering fraud. No matter how much security technology you implement, you can never get rid of the weakest link - the human factor. A social engineer is someone who uses deception, persuasion and influence to get information that would otherwise be unavailable.
Use caution when you click links that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages.
Don't trust the sender information in an e-mail message. Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other email message. Fraudsters can easily spoof the identity information in an e-mail message.
Know the social media account handle for the company you are dealing with. Make sure you communicate only with the legitimate account.
Look closely at the reply you receive and be skeptical. Look for misspelled Twitter handles, email addresses, etc.
For Businesses:
These types of attacks will be a problem for any business that provides customer service on social media. The following is a list of some key actions an organization can take to help prevent angler phishing attacks:
Identify your organization’s social media platforms, accounts and key individuals.
Document who is responsible for the corporate accounts. These accounts should have strong passwords that are changed every few months.
When applicable, use verified accounts. Twitter and Facebook offer an option for verified accounts to help ensure authenticity.
Continually monitor for fraudulent accounts. Make sure you take down any suspicious activity and report it to your IT team or service provider.
Enhance your security by leveraging email security solutions.
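As an added example (not part of this handbook), here is the "one character off, or an extra underscore" check from Example 1 and the consumer and business tips above, written as a small Python screening routine a brand's social media team could run over replies to a customer's public support request. The brand, its handles (ExampleBank, ExampleBank_Help) and the sample replies are all constructed for the example; the lookalike table and edit-distance threshold are assumptions a real deployment would tune.

```python
from typing import Dict, List

# Constructed list of a hypothetical brand's real support handles (lower-case).
LEGIT_HANDLES = {"examplebank", "examplebank_help"}

# Substitutions impostors lean on: digits that look like letters, plus filler
# characters (underscore, dot, dash) that are dropped before comparing.
_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "_": "", ".": "", "-": ""})


def canonical(handle: str) -> str:
    """Lower-case, drop the @ and collapse the characters impostors add or swap."""
    return handle.strip().lstrip("@").lower().translate(_LOOKALIKES)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute) for one-character-off handles."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(handle: str, legit=LEGIT_HANDLES, max_distance: int = 2) -> str:
    """'legitimate' for an exact match; 'impostor' when the handle only differs
    from a real one by filler characters or digit swaps; 'suspicious' when it is
    within max_distance edits of a real one; otherwise 'unrelated'."""
    raw = handle.strip().lstrip("@").lower()
    if raw in legit:
        return "legitimate"
    norm = canonical(raw)
    verdict = "unrelated"
    for real in legit:
        real_norm = canonical(real)
        if norm == real_norm:
            return "impostor"
        if levenshtein(norm, real_norm) <= max_distance:
            verdict = "suspicious"
    return verdict


def flag_replies(replies: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the replies a customer (or the brand's social team) should treat as
    possible angler phishing: anything not from a legitimate handle. A lookalike
    handle that also pushes a link is the classic pattern, so it rates 'high'."""
    flagged = []
    for reply in replies:
        verdict = classify_handle(reply["handle"])
        if verdict == "legitimate":
            continue
        has_link = "http://" in reply["text"] or "https://" in reply["text"]
        if verdict != "unrelated" and has_link:
            risk = "high"
        elif verdict != "unrelated" or has_link:
            risk = "medium"
        else:
            risk = "low"
        flagged.append({"handle": reply["handle"], "verdict": verdict, "risk": risk})
    return flagged


# Constructed sample replies to a customer's public tweet; links are placeholders.
SAMPLE_REPLIES = [
    {"handle": "@ExampleBank_Help", "text": "Sorry to hear that. Please DM us your phone number."},
    {"handle": "@ExampleBank_He1p", "text": "We can fix this now, log in here: https://example.invalid/login"},
    {"handle": "@Example_Bank", "text": "Verify your account: https://example.invalid/verify"},
    {"handle": "@exampelbank", "text": "Contact support at https://example.invalid/help"},
    {"handle": "@weatherbot", "text": "Forecast for today: sunny."},
]

if __name__ == "__main__":
    for item in flag_replies(SAMPLE_REPLIES):
        print(item)
```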
Fake news & hoaxes
The dangers of misinformation & how to outsmart fake news
The amount of misinformation that is spread on the web is staggering. It is spread mainly via websites, social networks, and email. The hot topics for such misinformation are politics, government policies, religion and various scams and hoaxes. Research reveals false rumors really do travel faster and further than the truth. What is important to understand is that sharing misinformation can lead to fraudulent websites and malware.
Social networking sites provide users with the capabilities to spread information quickly to other users without confirmation of its truth. We tend to take written information as truth and assume it is accurate unless we know for certain that it is not. If we read something about a subject which we are not very knowledgeable about, we assume that the author has the credentials to be posting that information.
Malware from clickbait
The real trouble is that clickbait is often more than just a simple insult to our intelligence - it can lead to real trouble like malware and scams that can lead to identity theft or monetary losses. Often times clicking on a seemingly harmless article will lead you to nothing more than a useless pop-up for a fake video player or a fake survey, no article in sight. But if you click the link and download the player or fill in the survey, you'll wind up with a PC full of malware and viruses.
Prevention Tips:
Be cautious: Approach sharing and opening posts from friends as cautiously as you would your emails. Social media can be a wonderful tool, but it can be really dangerous as well, and it's beyond important to keep that in perspective. Another good piece of advice is to never trust the links, especially those clickbait ones.
Be careful closing pop-ups: Closing a POP-UP by clicking the X can inadvertently share the malicious code without your knowledge. This is why most people that shared it say they never clicked on anything suspicious.
Here are some options in closing a POP-UP:
Chrome on Windows or Mac: Shift+Esc, select the tab containing the pop-up, then click "End Process".
Windows: Press Ctrl+Shift+Esc, select the web browser, then click "End Task."
Mac: Command+Option+Esc, select your web browser, then click "Force Quit."
Android: Press the square button at the bottom right corner of the screen, then swipe all browser windows off the screen.
iPhone: Double-press the home button (if you're using iPhone 6s, 3D Touch press the left side of the screen), then swipe all instances of the browser off the screen.
Another option: Since the popup is controlled by JavaScript, the best option is to disable the execution of any scripts (by configuration or browser add-ons). This will impact how most websites look and feel; however, you can always add sites to the exception list once you know they are safe.
The dangers of misinformation
We tend to take written information as truth and assume it is accurate unless we know for certain that it is not. If we read something about a subject which we are not very knowledgeable about, we assume that the author has the credentials to be posting that information.
- Misinformation regarding drugs and health remedies has proven deadly for many people around the world.
- Misinformation through sharing emails or social media spam can expose you to fraudulent phishing websites.
- Misinformation regarding investment advice has led to personal financial losses.
Tips for analyzing news sources
- Avoid websites that end in "lo", ex: Newslo. These sites take pieces of accurate information and then package that information with other false or misleading "facts" (sometimes for the purposes of satire or comedy).
- Watch out for websites that end in ".com.co" as they are often fake versions of real news sources.
- Watch out if known/reputable news sites are not also reporting on the story. Sometimes lack of coverage is the result of corporate media bias and other factors, but there should typically be more than one source reporting on a topic or event.
- Odd domain names generally equal odd and rarely truthful news.
- Lack of author attribution may, but not always, signify that the news story is suspect and requires verification.
- Some news organizations are also letting bloggers post under the banner of particular news brands; however, many of these posts do not go through the same editing process (ex: BuzzFeed Community Posts, Kinja blogs, Forbes blogs).
- Check the "About Us" tab on websites or look up the website on sites like Wikipedia for more information about the source.
- Bad web design and use of ALL CAPS can also be a sign that the source you're looking at should be verified and/or read in conjunction with other sources.
- If the story makes you really angry, it's probably a good idea to keep reading about the topic via other sources to make sure the story you read wasn't purposefully trying to make you angry (with potentially misleading or false information) in order to generate shares and ad revenue.
- If the website you're reading encourages you to DOX (researching and broadcasting private or identifiable information about an individual or organization), it's unlikely to be a legitimate source of news.
- It's always best to read multiple sources of information to get a variety of viewpoints.
There is a role everyone should play in stopping the spread of rumors and hoaxes. Misinformation and misleading or incorrect figures, when presented as facts and repeated frequently, should be refuted before they become accepted as genuine and used to promote specific agendas or spread malware.
To help you determine if something is fact or fiction, go to: www.FraudSmarts.com/hoax There you’ll be able to simply paste the text of a story or post into a search box. The results will help you determine whether the topic being discussed is true or just a rumor.
Social Media ID theft
There are several things you can and should do in order to manage your social media identity, which may prevent social media identity theft.
What exactly is social media identity theft? It’s a form of cybersquatting using social media sites.
1. If you’ve ever attempted to join a social media, more commonly known as a social networking, site, or applied for an email account, and found that your first and last name were already taken, that may or may not have been social media identity theft, or cybersquatting.
2. There may be someone out there who shares your exact name and happened to register first, or else there is someone out there who took your name so that you can’t have it, or who wants to sell it back to you, or wants to pose as you and disrupt your life. These are all possibilities.
3. The most damaging possibility occurs when someone wants to pose as you in order to disrupt your life. This disruption can take on many forms. They may pose as you in order to harass and stalk you, or to harass and stalk people you know. Or they may steal your social media identity for financial gain. The thieves use a combination of email and social media to extract funds from others, or to open new accounts.
4. There are hundreds, or maybe even thousands, of social media sites, web-based email providers and domain extensions. Then there are all the blog portals, such as WordPress and Blogspot. Even your local online newspaper has a place for user comments, and most people would want to register their own names before someone else comments on their behalf.
5. Social media websites offer the option to provide your real name as well as a username. The username may be a fun chat handle or an abbreviation of your real name. The key is to give your real name where requested and also to use your real name as your username. Even if you don’t plan on spending any time on the site, or to use the domain or email, you want to establish control over it.
6. The goal is to obtain your real first and last name without periods, underscores, hyphens, abbreviations or extra numbers or letters. This strategy won’t prevent someone else from registering with your name and adding a dot or a dash, but it trims down the options for a thief.
7. Some names are very common, or are also owned by someone famous. If that applies to your name, you can still take actions to manage your online reputation. If there is any uniqueness to your name or the spelling of your name, it’s still a good idea to claim your name in social media and work toward managing your online reputation.
8. Understand that your name is your brand. Your name is front and center on every document you sign and every website that shows up when your name is searched. The phrase, “All I have is my good name,” has never rung truer than today. If you are a writer, blogger, personality of any sort, or anyone who “puts it out there,” you probably already know enough to do these things. But there is more to do.
Manage Your Social Identity
If someone, perhaps a potential employer or mate or client, searches your name on Google Web, Google Blogs or Google News, what will they find? Will it be someone else posing as you? Will it be a picture of you doing a keg stand? Or will it be you in your nicest outfit, accepting an award for an accomplishment? Either way, you need to manage your online identity and work toward preventing social media identity theft.
1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web-based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
2. Set up a free Google Alert for your name and get an email every time your name pops up online.
3. Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. This is a combination of online reputation management and search engine optimization for your brand: YOU.
4. If you ever stumble upon someone using your likeness in the social media, be very persistent in contacting the site’s administrators. They too have reputations to manage, and if they see someone using your photo or likeness they would be smart to delete the stolen profile.
Spear phishing risks
One of the most sophisticated types of phishing attacks is called spear phishing. This is when a hacker will target a specific group or organization and will tailor their attacks to make them look relevant to the recipient. Hackers will carry out these types of attacks in order to gain access to sensitive corporate data, and because the emails they send will look genuine they can often be very successful.
However, despite these worrying statistics there are a number of steps which can help to identify potential phishing emails. When receiving emails, users should look at the following:
1. Do you know the sender, and is the email address one you would expect them to use? An email purporting to be from your CEO, but sent from a Gmail account, should always ring alarm bells.
2. Are you expecting a message from the person? Does the email look suspicious? Does the link look genuine?
3. The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user's emotional response - fear, curiosity or reward - and emails that evoke strong emotions such as these should be considered triggers.
4. Is the email specific? Does it make sense? Although criminals have a lot of information about individuals they will still keep messages generic to pique your interest, and make you take action.
5. Grammar mistakes. While grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.
Phishing is one of the most common attack methods for cyber-criminals, however an effective training program and user awareness will minimize the risk of employees falling victim. Once employees know what to look for they will be able to quickly identify any potential phishing emails and report them before any damage is done.
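The checklist above can also be run mechanically as a first pass on incoming mail. The following is an added example, not code from the handbook: it applies the sender, link and wording checks to a raw email. The organization domain, the sender directory and both sample messages are constructed for illustration.

```python
"""Heuristic first-pass checks for the spear-phishing warning signs above.

Added example (not from the handbook). The checks mirror the checklist:
is the address the one you would expect for the name shown, do replies
go somewhere else, does a link's visible text match where it points,
and does the wording push fear, curiosity or reward.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (constructed): the organization's mail domain and a small
# directory of people whose mail you expect to receive.
ORG_DOMAIN = "example-corp.com"
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example-corp.com",   # the "CEO" in this scenario
    "it helpdesk": "helpdesk@example-corp.com",
}

# Words that play on fear, curiosity or reward; two or more count as a trigger.
PRESSURE_WORDS = ("urgent", "immediately", "confidential", "wire",
                  "suspended", "prize", "final notice")

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def message_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw: str) -> list:
    """Apply the checklist to one raw RFC 822 message; return the warnings found."""
    msg = message_from_string(raw)
    warnings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]

    # Is the address the one you would expect this person to use?
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        warnings.append(f"'{name}' normally writes from {expected}, not {addr}")

    # A domain built to resemble the organization's own ("example-corp.com.evil.test").
    org_label = ORG_DOMAIN.split(".")[0]
    if from_domain != ORG_DOMAIN and org_label in from_domain:
        warnings.append(f"sender domain {from_domain} imitates {ORG_DOMAIN}")

    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        warnings.append(f"Reply-To {reply_to.lower()} is on a different domain than the sender")

    text = message_text(msg)

    # Does the link look genuine? A link showing one URL must not point at another host.
    for href, label in ANCHOR_RE.findall(text):
        label = TAG_RE.sub("", label).strip()
        if label.startswith(("http://", "https://")) and host_of(label) != host_of(href):
            warnings.append(f"link shows {host_of(label)} but goes to {host_of(href)}")

    # Emotional triggers in subject and body.
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    hits = [w for w in PRESSURE_WORDS if w in lowered]
    if len(hits) >= 2:
        warnings.append("pressure wording: " + ", ".join(hits))

    return warnings


# Constructed sample messages: one that trips every check, one that trips none.
SUSPICIOUS = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: payments@example-corp-secure.net
To: accounts@example-corp.com
Subject: Urgent wire request
Content-Type: text/html; charset="utf-8"

<p>I need this handled immediately and kept confidential.</p>
<p>Approve here: <a href="http://example-corp.com.evil.test/approve">https://example-corp.com/approve</a></p>
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 planning notes
Content-Type: text/plain; charset="utf-8"

Notes from today's meeting are on the intranet, no action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGIT)):
        print(label, check_message(raw))
```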
Anatomy of a Spear Phishing Attack:
Tax filing
Identity theft is a crime that's anonymous in many cases, but in the case of tax identity theft, the government doesn't have in place the level of protection that many other financial institutions do to prevent fraud. At this moment, the IRS is one of the weakest links in the financial services world and as a result is highly targeted. The IRS allows filing of taxes as early as Jan. 19, and prompt thieves will file immediately with the hopes of beating more cautious individuals to their own returns.
What Rebate? Far more advanced than simply intercepting a rebate check or prepaid card, thieves are stealing year-end statements, W-2s and other income information to file returns on victims' behalf. Americans can legitimately receive their refunds in a variety of ways: direct deposit (often the fastest), loaded onto a prepaid card, or via check mailed to a location of their choosing. Thieves will often choose prepaid cards. Prepaid cards are a source of significant amounts of fraud. If you use a tax filing assistant like H&R Block or TurboTax you could get a refund on a prepaid card. They're beautiful from a tax ID theft perspective because they're just like cash.
How to Protect Yourself
1. Shred any paperwork not needed for tax preparation.
2. What to Shred. Checks from a credit card company offering low annual percentage rates for balance transfers and other pre-approved credit offers should be shredded upon receipt if you don't plan to use them. Once reconciled with corresponding accounts, ATM receipts, canceled checks, and pay stubs can all be shredded.
3. What to Keep. Hang on to monthly banking, brokerage account, and credit card statements. "Many people just make the payment and don't look at the fees and charges," Person says. "Compare the current statement to the previous statement. Verify that there were no mistakes or differences between last month's ending balance and this month's starting balance." Once you've reviewed the statements and addressed any inaccuracies, you can shred them when the year-end statement arrives. Certain papers should be kept for life, including divorce and estate documents and annual retirement plan forms. Per IRS recommendation, keep filed tax returns that don't require additional payments for three years.
4. Go Digital. The best way to minimize year-end paperwork is to minimize paperwork in general. Whenever possible, opt out of credit card offers, request that banks not send blank checks if you don't plan to use them, and choose to receive forms digitally. Sign up for online banking when it's available to eliminate the need for physical checks (as well as envelopes and stamps), and opt to get digital alerts when bills have arrived and payments are due.
Tax returns can also be filed digitally on secure servers, and copies of the completed forms downloaded directly to a personal computer. Users can opt to have their Social Security number partially stricken from the download for additional security. Be wary of a slow-running computer or out-of-place pop-ups when filing taxes online.
5. Be suspicious of any phone calls or emails claiming to be from the IRS, even with the appropriate logos. According to the IRS website: "The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels."
6. Don't put your return in your office mailbox or in the outgoing mail bin at work. When filing taxes by paper, take them directly to the post office and put them right into a postal worker's hands. Tax returns are usually pretty obvious, and can easily be snatched.
7. Finally, don't get complacent. Odds are you will file your tax returns without incident this year, but tax ID theft is a growing trend. The best way to avoid being a victim this year, and in future tax seasons, is to remain vigilant.
Taxpayers who suspect they've been victims of identity fraud should call the IRS Identity Theft department at 800-908-4490 with a copy of a police report, the completed IRS affidavit Form 14039 and state-issued identification. You'll find more information in the Taxpayer Guide to Identity Theft (http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft) on the IRS website.
Debt Collection Scams:
Here's what to know if contacted about delinquent taxes by an IRS private collector:
1. Private collectors for the IRS cannot accept direct payments - all payments should be made to the U.S. Treasury. The agency will not require specific types of payments such as wire transfers or prepaid debit cards. Scammers prefer these methods because they are hard to trace and can be redeemed anywhere in the world.
2. Unless the IRS has an incorrect address, both the agency and its private collectors should first make contact by mailed letter.
3. Those who owe tax debt but cannot pay in full will be offered an installment plan for up to five years. If five years isn't enough, "the collector asks for taxpayer financial information to see what sort of deal the taxpayer should get," explains Robert W. Wood, who covers taxes and litigation for Forbes.
4. The same rules as for other collectors apply: No calls before 8 a.m. or after 9 p.m. You must be sent a written "validation notice" telling you how much money you owe within five days after first contact. No harassing, abusive or threatening language allowed.
5. Certain tax bills (and therefore phone calls) cannot be handled by private collectors for the IRS: those for taxpayers who are deceased, under age 18, in a designated combat zone, or a victim of identity theft. Debtors currently in audit, litigation or criminal investigation are also off-limits to third-party hired guns.
Tech support scams
Scammers have been peddling bogus security software for years. They set up fake websites, offer free "security" scans, and send alarming messages to try to convince you that your computer is infected. Then, they try to sell you software to fix the problem. At best, the software is worthless or available elsewhere for free. At worst, it could be malware — software designed to give criminals access to your computer and your personal information.
The latest version of the scam begins with a phone call. Scammers can get your name and other basic information from public directories. They might even guess what computer software you're using. Once they have you on the phone, they often try to gain your trust by pretending to be associated with well-known companies or confusing you with a barrage of technical terms. They may ask you to go to your computer and perform a series of complex tasks. Sometimes, they target legitimate computer files and claim that they are viruses. Their tactics are designed to scare you into believing they can help fix your "problem."
Once they've gained your trust, they may:
1. ask you to give them remote access to your computer and then make changes to your settings that could leave your computer vulnerable
2. try to enroll you in a worthless computer maintenance or warranty program
3. ask for credit card information so they can bill you for phony services — or services you could get elsewhere for free
4. trick you into installing malware that could steal sensitive data, like user names and passwords
5. direct you to websites and ask you to enter your credit card number and other personal information
Regardless of the tactics they use, they have one purpose: to make money.
If You Get a Call
If you get a call from someone who claims to be a tech support person, hang up and call the company yourself on a phone number you know to be genuine. A caller who creates a sense of urgency or uses high-pressure tactics is probably a scam artist.
Keep these other tips in mind:
1. Don't give control of your computer to a third party who calls you out of the blue.
2. Do not rely on caller ID alone to authenticate a caller. Criminals spoof caller ID numbers. They may appear to be calling from a legitimate company or a local number, when they're not even in the same country as you.
3. Online search results might not be the best way to find technical support or get a company's contact information. Scammers sometimes place online ads to convince you to call them. They pay to boost their ranking in search results so their websites and phone numbers appear above those of legitimate companies. If you want tech support, look for a company's contact information on their software package or on your receipt.
4. Never provide your credit card or financial information to someone who calls and claims to be from tech support.
5. If a caller pressures you to buy a computer security product or says there is a subscription fee associated with the call, hang up. If you're concerned about your computer, call your security software company directly and ask for help.
6. Never give your password on the phone. No legitimate organization calls you and asks for your password.
7. Put your phone number on the National Do Not Call Registry, and then report illegal sales calls.
If You've Responded to a Scam
If you think you might have downloaded malware from a scam site or allowed a cybercriminal to access your computer, don't panic. Instead:
1. Get rid of malware. Update or download legitimate security software and scan your computer. Delete anything it identifies as a problem.
2. Change any passwords that you gave out. If you use these passwords for other accounts, change those accounts, too.
3. If you paid for bogus services with a credit card, call your credit card provider and ask to reverse the charges. Check your statements for any other charges you didn't make, and ask to reverse those, too.
4. If you believe that someone may have accessed your personal or financial information, visit the FTC's identity theft website. You can minimize your risk of further damage and repair any problems already in place.
How to Spot a Refund Scam
If you paid for tech support services, and you later get a call about a refund, don't give out any personal information, like your credit card or bank account number. The call is almost certainly another trick to take your money.
The refund scam works like this: Several months after the purchase, someone might call to ask if you were happy with the service. When you say you weren't, the scammer offers a refund.
Or the caller may say that the company is going out of business and providing refunds for "warranties" and other services.
In either case, the scammers eventually ask for a bank or credit card account number. Or they ask you to create a Western Union account. They might even ask for remote access to your computer to help you fill out the necessary forms. But instead of putting money in your account, the scammers withdraw money from your account.
If you get a call like this, hang up.
Telephone
When you send money to people you do not know personally or give personal or financial information to unknown callers, you increase your chances of becoming a victim of telemarketing fraud. Some of the most successful scams come in the form of a phone call from an organization or person you think you can trust. To protect yourself from the damage of identity theft and fraud, exercise caution in how you respond to these callers.
1. The IRS
Tax scams persist year-round, threatening people with jail time or prosecution if they don't pay debts to the Internal Revenue Service.
Given that fake IRS phone calls continue to plague consumers, the IRS itself has repeatedly published a list of things you will not experience with a legitimate IRS representative, including phone calls demanding payment, threatening arrest and asking for specific payment methods like a prepaid debit card.
2. Yourself
If your own phone number ever pops up on your phone screen, don't answer. It may seem harmless in the moment, but this scam reportedly collects and classifies numbers of people who answer the phone as good numbers to target with other scams. It may be tempting to see who's on the other end of the line — since it clearly isn't you — but you may be signing yourself up for many more unwanted phone calls.
3. Your Grandkids
A call from the grandkids is a treat for many Americans, but this isn't that kind of phone call. In this heist, a scammer calls the victim and poses as a family member (grandchild) in need of financial help. The idea is to create a sense of urgency so the victim will quickly wire money to the desperate family member.
In a more frightening version of this common ruse, scammers will "virtually kidnap" a loved one and call a relative to demand ransom.
4. A Payday Lender
"Congratulations, you've been approved for a payday loan!" This is a variation on the sweepstakes scam and the call from "your credit card company" offering you lower interest rates. A good rule of thumb: If you didn't apply for a loan, ask for a rate adjustment or enter a sweepstakes, it's probably a scam.
5. Tech Support
Most people know to avoid suspicious-looking emails, because they may contain malware that will infect your computer and compromise the information on it. Hackers know people are aware of this, so they'll try to get into your computer by way of a phone call.
You may get a call from someone claiming to be part of a well-known tech company saying the company has detected malware on your computer, and they need remote access to your machine to resolve the issue. By agreeing, you're letting the scammer into your computer, when he or she didn't have access in the first place.
Conclusion: All of these tactics can put you at risk for identity theft, fraud or financial losses that could damage your credit or financial stability. If you receive a suspicious phone call, you can report it to the Federal Trade Commission, and as a fraud-monitoring precaution, it's a good idea to regularly review your credit scores and reports for signs of abuse.
Warning signs - what a caller may tell you:
"You must act 'now' or the offer won't be good."
"You've won a 'free' gift, vacation, or prize." But you have to pay for "postage and handling" or other charges.
"You must send money, give a credit card or bank account number, or have a check picked up by courier." You may hear this before you have had a chance to consider the offer carefully.
"You don't need to check out the company with anyone." The callers say you do not need to speak to anyone including your family, lawyer, accountant, local Better Business Bureau, or consumer protection agency.
"You don't need any written information about their company or their references."
"You can't afford to miss this 'high-profit, no-risk' offer."
If you hear these - or similar - "lines" from a telephone salesperson, just say "no thank you," and hang up the phone.
Tips to Avoid Telemarketing Fraud:
1. Don't buy from an unfamiliar company. Legitimate businesses understand that you want more information about their company and are happy to comply. It's never rude to wait and think about an offer. Be sure to talk over big investments offered by telephone salespeople with a trusted friend, family member, or financial advisor. Always take your time making a decision. Legitimate companies won't pressure you to make a snap decision.
2. Always ask for and wait until you receive written material about any offer or charity. If you get brochures about costly investments, ask someone whose financial advice you trust to review them. But, unfortunately, beware - not everything written down is true.
3. Do your research. Always check out unfamiliar companies with your local consumer protection agency, Better Business Bureau, state Attorney General, the National Fraud Information Center, or other watchdog groups. Unfortunately, not all bad businesses can be identified through these organizations.
4. Ask for information. Obtain a salesperson's name, business identity, telephone number, street address, mailing address, and business license number before you transact business. Some con artists give out false names, telephone numbers, addresses, and business license numbers. Verify the accuracy of these items.
5. Sending money. Before you give money to a charity or make an investment, find out what percentage of the money is paid in commissions and what percentage actually goes to the charity or investment. Never send money or give out personal information such as credit card numbers and expiration dates, bank account numbers, dates of birth, or social security numbers to unfamiliar companies or unknown persons.
6. You must not be asked to pay in advance for services. Pay for services only after they are delivered. Some con artists will send a messenger to your home to pick up money, claiming it is part of their service to you. In reality, they are taking your money without leaving any trace of who they are or where they can be reached.
7. Don't pay for a "free prize." If a caller tells you the payment is for taxes, he or she is violating federal law.
8. Before you receive your next sales pitch, decide what your limits are - the kinds of financial information you will and won't give out on the telephone.
9. Never respond to an offer you don't understand thoroughly. Before you send money, ask yourself a simple question. "What guarantee do I really have that this solicitor will use my money in the manner we agreed upon?"
Travel
Before Traveling:
1. Checks. Leave checkbooks and checks at home, in a locked safe. Use cash, traveler's checks or credit cards for purchases. Chances are that you will not be writing checks. Leave these and any extra debit cards or credit cards that you will not be using at home.
2. ATM/Debit Cards & Credit Cards. Consider restricting the use of your ATM card to securely located Automated Teller Machines. Fake ATM machines are known to have been placed in high traffic tourist areas. Debit cards also provide thieves with a direct pipeline to your bank accounts. When used with a PIN, you need not sign for the purchase. When used for a "credit" purchase with a signature, no confirming PIN is needed.
3. Use credit cards while traveling. Only credit cards are protected by federal law as to the amount of money that you are responsible for if lost or stolen, and most companies now extend a zero liability policy to customers.
4. Leave bills at home. Business travelers often take advantage of quiet evenings in hotels to catch up with bookkeeping and paying bills. Unfortunately many people have access to your room while you are at meetings and victims have reported that account information and check information has been stolen this way.
5. Wallets. Don't take anything in your wallet that is not absolutely necessary. Leave all cards with Social Security Numbers on them at home. If necessary, make a photocopy of a health card, cut off the last 4 numbers of the Social Security Number from the photocopy and carry that with you. Make sure that you have an emergency phone number (contact person) for emergency medical personnel to use.
6. Put Things On Hold. Put your mail on "postal hold" stating that for a period of time you wish to have your mail held at the post office. We prefer that term rather than "vacation hold" so that postal clerks will not know that you will be gone. Learn more at: https://holdmail.usps.com/holdmail
7. Make your home look lived-in. Arrange for friends or family you trust to pick up newspapers, mail, and advertisement flyers in order to avoid drawing attention to your home. This will reduce the risk of break-ins which may result in the loss of valuables, including your identity. Nothing says "we're out of town" more than a pile of newspapers. Don't forget to stop delivery until you return. Also stop any other automatic deliveries, such as bottled water.
8. Neighbors, relatives and house-sitters. If you have someone that is going to check the house and has a key to your house, then lock up any documents with account numbers or Social Security Numbers.
9. Register in the Smart Traveler Enrollment Program: Visit https://step.state.gov/step/ to enroll in STEP, which provides comprehensive traveler information, including travel alerts and restrictions; information on visas or vaccinations; crime, stability and road conditions; laws of the country you're visiting; and consular contact information.
Go through your wallet, purse and/or briefcase and remove any of the following items prior to travel:
Social Security card
Checkbook & deposit slips
Birth certificate
Credit card receipts
Bills
Extra Credit Cards
Library card
Video rental card
10. Scan important travel documents and store them in a secure online repository. In the event that your information is lost or stolen, using an online repository allows you to easily access copies of your passport, driver's license, visa, and any other vital identification from anywhere in the world. Remember to do this for every person traveling with you, including children.
11. Leave your debit card at home. Make credit cards, not ATM cards, your card of choice.
12. Minimize the number of credit cards in your wallet. No more than two (2).
13. Place all the removed items above into a locked safe.
14. Pay bills before you go out of town.
15. Place mail on "postal hold" with the Post Office. Arrange so mail may only be picked up by you and request that identification must be shown to receive held mail.
16. Stop delivery of newspapers or any other items you may normally have delivered (water, automatically scheduled deliveries of products, etc).
17. Make copies of your itinerary, passport data page, visas and driver's license to leave with a designated emergency contact.
18. Notify a neighbor to watch your house. Let them know you are not moving.
During Travel:
1. Don't leave important documents in your car. Very often people leave their important documents in the car thinking that the documents are safe. Your documents will be as safe as your car might be.
2. Never leave your personal documents unsecured in hotel rooms. This rule especially applies to global travel security where certain passports may be valuable. Lock up all valuables in room safes or hotel safes while you are out of your room. That includes laptops, PDA's, jewelry, passports, and other documents that contain personal identifying information or that would be of interest to a thief. A suitcase is not a secure way to lock up information.
3. Beware of pickpockets. While pickpocketing has been on the decline in the U.S. for the past fifty years or so, it's still a major problem in Europe. Pickpockets often work in groups, are often children and are typically well-dressed. Be extra vigilant around tourist attractions, public transportation, restaurants, bars and hotel lobbies.
4. Carry valuables safely. Your valuables and identification are a mere swipe away from a purse snatcher or pickpocket. Money belts kept under clothing are the safest. For stowing cash, credit cards and identification, inside pockets and sturdy shoulder bags with straps across the chest are much better than handbags, fanny packs or outside pockets. Vacation travelers should use fanny packs or travel pouches that are worn inside your shirt to carry important documents. Business travelers should be aware that pickpockets are also looking for laptops and PDA's that are temporarily out of your control - at airports, in lobbies and in dining areas.
5. Shoulder surfers. Besides pickpockets, identity thieves take advantage of people via shoulder surfing. "Shoulder Surfing" used to only apply to those who looked "over your shoulder" to see information. With the common use of cell phones, it is important to remember that you are in a public venue and may talk about things that a thief can use.
6. Back-up material: Carry photocopies of all travel documents including plane tickets, hotel reservations and passports. Keep these in a separate location from the originals.
7. Public restrooms. Ladies, do not hang your purse from a hook on the door. It is too easy for someone to reach over the top of the door and take it before you have time to react. The best place to store your purse while in the restroom is beside you or hung around your body.
8. Don't place valuable information on computers, unless you secure that computer like you secure your ID card or driver's license. More often than not, sensitive information is placed on laptops which are carried around to public areas like restaurants, pools and bars without any regard for travel security risks. Individuals and businesses need to understand the identity theft risks associated with taking laptops containing sensitive information with them when they travel and develop policies and procedures to properly address the security of their information.
9. Take the copies. Carry photocopies instead of the originals when necessary and possible. For example, copies of passports are not acceptable forms of identification; however, copies of birth certificates may be in some cases when presented with other original documents. So, it is not necessary to carry all originals all the time.
10. Beware of your surroundings. When using your secret codes to access cash at ATMs, use your debit card at stores where you have to enter a PIN, access your personal or business laptop computer in public areas like airports, send e-mails, or access your voicemails, beware of your surroundings and the eyes looking over your shoulders. Cover your hand when typing the secret code. Don't be embarrassed, as we all might be sometimes when we try hard to be secretive. It's better to be safe than sorry. After all, you are your own true travel security agent. Read about access code exposure.
11. Be prepared to deal with a lost or stolen passport case. Know what to do immediately in case of a stolen or lost passport during your trips or at home to prevent identity theft. Always be prepared for the worst case scenario. Assuming you may lose your passport or other travel and personal information during a trip, be prepared and have a plan 'B' to notify and get a passport replacement in order to move on with your travel arrangements. Copies of your birth certificate and passport or phone numbers of your credit card companies come in very handy when you need them, especially if you're out of town and lose your credit card or passport. So, be prepared and have a contingency plan for any personal document loss, as part of your overall travel security plans.
12. Don't check in your personal documentation. Never place your personal and travel documents in luggage which you intend to check in at the airports. Once you do that, you have just lost control over the security of your personal documents.
13. Avoid identity theft when you visit the gym. If you think your personal items are safe at your favorite gym and health club while you work out, think again. Protect your personal belongings while you work out at the gym.
14. Watch your belongings on the plane. To ensure travel security by air, always place your personal belongings in an overhead compartment on the opposite side of the aisle you are seated on. This way, you can detect any unauthorized search and theft of your personal items during the flight. In any full flight, people reorganize the overhead compartments to make room for their own items and someone may go through your items or even steal your items while pretending to be looking for extra space.
15. Travel with your items in the security chain. When you go through the travel security checks at the airports, make sure your items don't travel in the x-ray machine faster than you go through your body scan as they may be vulnerable to theft at the end of the scan process if you encounter delays in your own body scan process. Make sure you send your family members through the scans first and submit your valuable personal items right when you're ready to go through the scans yourself.
16. Take caution with public computers and Wi-Fi. If possible, avoid using public computers to access anything sensitive, such as conducting online banking, making purchases, or accessing email accounts. These computers could potentially have malware that is designed to capture the information you have entered. Avoid these same activities when using a public Wi-Fi connection as the information can easily be captured by criminals on the same connection. Make sure to use an encrypted Internet connection whenever you go online.
17. Be aware of social media updates. We all like to share photos online with our family and friends as we are traveling. However, when you tell people where you are, you are also telling them where you are not - at home.
Wi-Fi
Wi-Fihotspotsincoffeeshops,libraries,airports,hotels,universities,andotherpublicplacesare
convenient,butoftenthey’renotsecure.IfyouconnecttoaWi-Finetwork,andsendinformation
throughwebsitesormobileapps,itmightbeaccessedbysomeoneelse.
Toprotectyourinformationwhenusingwirelesshotspots,sendinformationonlytositesthatare
fullyencrypted,andavoidusingmobileappsthatrequirepersonalorfinancialinformation.
1. Remember–anydevicecouldbeatrisk.Laptops,smartphones,andtabletsareallsusceptible
tothewirelesssecurityrisks.
2.TreatallWi-Filinkswithsuspicion.Don’tjustassumethattheWi-Filinkislegitimate.It
couldbeaboguslinkthathasbeensetupbyacybercriminalthat’stryingtocapturevaluable,
personalinformationfromunsuspectingusers.Questioneverything–anddon’tconnecttoan
unknownorunrecognizedwirelessaccesspoint.
It'sprettyeasyforsomeonewhowantstointerceptyourdatainaman-in-the-middleattackto
setupanetworkcalled"FreeWi-Fi"oranyothervariationthatincludesanearbyvenuename,
tomakeyouthinkit'salegitimatesource.
WINDOWS:IfyouareconnectingviaWindows,makesuretoturnofffilesharingandmark
theWi-Ficonnectionasapublicnetwork.YoucanfindthisoptionintheControlPanel>
NetworkandSharingCenter>ChangeAdvancedSharingSettings.UnderthePublicheading,
turnoffthefilesharingtoggle.YoumayalsowanttoturnontheWindowsFirewallwhen
connectingtoapublicnetworkifit'snotalreadyactivated.Thesesettingsarealsofoundin
ControlPanel>WindowsFirewall.
MAC:OpenupSystemPreferencesandnavigatetotheSharingicon.Then,untickthecheckbox
nexttoFileSharing.Here'safullrundownonhowtodisablesharingandremovingpublic
homefoldersharingoptionsinOSX.YoucanalsoturnonthefirewallwithinOSXbyheading
toSystemPreferences,Security&PrivacyandclicktheFirewalltab.
3.Don’tAssumeaWi-FiHotspotisSecure.MostWi-Fihotspotsdonotencryptthe
informationyousendovertheinternetandarenotsecure.
4.WhenusingaWi-Fihotspot,onlyloginorsendpersonalinformationtowebsitesthat
youknowarefullyencrypted.Ifyouuseanunsecurednetworktologintoanunencryptedsite
-orasitethatusesencryptiononlyonthesign-inpage-otherusersonthenetworkcansee
whatyouseeandwhatyousend.
Theycouldhijackyoursessionandloginasyou.Newhackingtools—availableforfree
online—makethiseasy,evenforuserswithlimitedtechnicalknow-how.Yourpersonal
information,privatedocuments,contacts,familyphotos,andevenyourlogincredentialscould
beupforgrabs.
Animpostercoulduseyouraccounttoimpersonateyouandscampeopleinyourcontactlists.
Inaddition,ahackercouldtestyourusernameandpasswordtotrytogainaccesstoother
websites–includingsitesthatstoreyourfinancialinformation.
5.Don’tstaypermanentlysignedintoaccounts.Whenyou’vefinishedusinganaccount,log
out.
6.Donotusethesamepasswordondifferentwebsites.Itcouldgivesomeonewhogains
accesstooneofyouraccountsaccesstomanyofyouraccounts.
7.Manywebbrowsersalertuserswhotrytovisitfraudulentwebsitesordownload
maliciousprograms.Payattentiontothesewarnings,andkeepyourbrowserandsecurity
softwareup-to-date.
8.IfyouregularlyaccessonlineaccountsthroughWi-Fihotspots,useavirtualprivate
network(VPN).VPNsencrypttrafficbetweenyourcomputerandtheinternet,evenon
unsecurednetworks.YoucanobtainapersonalVPNaccountfromaVPNserviceprovider.In
addition,someorganizationscreateVPNstoprovidesecure,remoteaccessfortheir
employees.ByusingaVPNwhenyouconnecttoapublicWi-Finetwork,you’lleffectivelybe
usinga‘privatetunnel’thatencryptsallofyourdatathatpassesthroughthenetwork.Thiscan
helptopreventcybercriminals–thatarelurkingonthenetwork–frominterceptingyourdata.
9.Trytoverifyit’salegitimatewirelessconnection.AlwaysconfirmthelegitimacyofaWi-Fi
networkbeforeconnectingtoit;donotrelyonthenamealone.Iftherearemultipleaccess
pointsforthesamevenue,askastaffmemberwhichonetouse.Someboguslinks–thathave
beensetupbymalicioususers–willhaveaconnectionnamethat’sdeliberatelysimilartothe
coffeeshop,hotel,orvenuethat’sofferingfreeWi-Fi.Ifyoucanspeakwithanemployeeatthe
locationthat’sprovidingthepublicWi-Ficonnection,askforinformationabouttheirlegitimate
Wi-Fiaccesspoint–suchastheconnection’snameandIPaddress.
10.Avoidusingspecifictypesofwebsite.It’sagoodideatoavoidloggingintowebsiteswhere
there’sachancethatcybercriminalscouldcaptureyouridentity,passwords,orpersonal
information–suchassocialnetworkingsites,onlinebankingservices,oranywebsitesthat
storeyourcreditcardinformation.
11.Software.NeverinstallsoftwarewhileusingpublicWi-Fi,asitcouldintroducevirusesinto
yourcomputer.Forexample,acommonattackistoinformtheuserthathisbrowserisusing
outdatedFlashandthenredirecttheusertoafakeAdobewebsitethatwillinstallavirusinstead
oftherealsoftware.
12. Forget the network. Once you are all done with your Web browsing, make sure to log off any services you were signed in to. Then, tell your device to forget the network. This means that your phone or PC will not automatically connect to the network again when you are in range.
Windows: Uncheck the "Connect automatically" checkbox next to the network name before you connect, or go to Control Panel > Network and Sharing Center and click on the network name. Click "Wireless Properties" and then uncheck "Connect automatically when this network is in range."
Mac: Go to System Preferences > Network, and under the Wi-Fi section click Advanced. Then uncheck "Remember networks this computer has joined." You can also remove networks individually by selecting the name and pressing the minus button underneath.
Android: Open your Wi-Fi network list, long-press the network name and select "Forget Network."
iOS: Go to Settings > Wi-Fi, tap the "i" icon next to the network name and choose "Forget This Network." As an extra precaution, you should also turn on "Ask to Join Networks," which is also found in the Wi-Fi menu.
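The Windows steps above turn off automatic reconnection one network at a time. The script below is an added example, not part of the Fraud Smarts handbook, that performs the same check for every saved profile at once using the built-in netsh wlan commands: it lists the saved Wi-Fi profiles, reads each one's security type and connection mode, and flags profiles for open (unencrypted) networks that are still set to connect automatically. With -Fix it switches those profiles to manual connection (the equivalent of unticking "Connect automatically"), and with -Forget it deletes them (the equivalent of "Forget Network"). It assumes Windows 10 or 11 with English-language netsh output, since the field names "Connection mode", "Authentication" and "Security key" are matched as literal text, and an elevated prompt when changing or deleting profiles.

```powershell
# Added example (not from the Fraud Smarts handbook). Audits saved Windows Wi-Fi profiles
# for open networks that the PC will rejoin automatically, and optionally fixes them.
# Assumptions: Windows 10/11, English netsh output (field names matched literally),
# and an elevated prompt when -Fix or -Forget is used.
param(
    [switch]$Fix,     # set flagged profiles to "Connect manually" (same as unticking the box)
    [switch]$Forget   # delete flagged profiles entirely ("Forget Network")
)

# Return the value of a "Label : value" line from netsh output, or $null if absent.
function Get-Field([string[]]$Lines, [string]$Label) {
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

# Names of all saved profiles ("All User Profile : Name" / "Current User Profile : Name").
function Get-WlanProfileNames {
    netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*(All|Current) User Profile\s*:\s*(.+?)\s*$') { $Matches[2] }
    }
}

# Security and auto-connect settings of one saved profile.
function Get-WlanProfileInfo([string]$Name) {
    $text = netsh wlan show profile "name=$Name"
    [pscustomobject]@{
        Name        = $Name
        AutoConnect = (Get-Field $text 'Connection mode') -eq 'Connect automatically'
        Auth        = Get-Field $text 'Authentication'   # e.g. Open, WPA2-Personal, WPA3-Personal
        KeyPresent  = (Get-Field $text 'Security key') -eq 'Present'
    }
}

$profiles = Get-WlanProfileNames | ForEach-Object { Get-WlanProfileInfo $_ }

# The risky combination from the text: no encryption *and* automatic reconnection.
$risky = $profiles | Where-Object { $_.Auth -eq 'Open' -and -not $_.KeyPresent -and $_.AutoConnect }

if (-not $risky) {
    "Checked $(@($profiles).Count) saved profile(s); no open network is set to connect automatically."
    return
}

foreach ($p in $risky) {
    if ($Forget) {
        netsh wlan delete profile "name=$($p.Name)" | Out-Null
        "Forgot open network '$($p.Name)'."
    }
    elseif ($Fix) {
        netsh wlan set profileparameter "name=$($p.Name)" connectionmode=manual | Out-Null
        "Set '$($p.Name)' to connect manually."
    }
    else {
        "WARNING: open network '$($p.Name)' will be rejoined automatically (re-run with -Fix or -Forget)."
    }
}
```

Run it without switches first to see what would change; only open (unencrypted) networks are touched, so a home network protected with WPA2 or WPA3 keeps its automatic connection.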
13. Enable two-factor authentication. It is good practice to enable two-factor authentication on services that support it. This way, even if someone does manage to sniff out your password on public Wi-Fi, you have an added layer of protection. Also, use one form of two-factor for logging in, and a second, different method for account recovery. Two-factor protects the login itself, not a session that is already open, so signing out when you finish (tip 12) still matters.
Here is a list of sites that offer two-factor authentication:
http://www.FraudSmarts.com/twofactor
Test your knowledge
Interactive calculators to find out what you know and what you need to know to reduce your risk.
Safe Social Networking: How well do you protect your I.D. on social sites?
www.FraudSmarts.com/test/socialnetworking
Travel & Mobile Safety: Are you staying safe in hot-spots and when traveling?
www.FraudSmarts.com/test/travel
Social Engineering: Are you able to avoid being tricked by a hacker?
www.FraudSmarts.com/test/socialengineering
ATM, Credit & Debit Card: Are you doing everything you can to protect yourself?
www.FraudSmarts.com/test/cards
Preventing Identity Theft: What is your risk of becoming an I.D. theft victim?
www.FraudSmarts.com/test/idtheft
Smart Phone Security: Are you protected against mobile security threats?
www.FraudSmarts.com/test/smartphones
Senior Citizens: Are you a safe, protected & security-minded senior citizen?
www.FraudSmarts.com/test/seniors
Data Breach: Can you put yourself at less risk when there's a data breach?
www.FraudSmarts.com/test/data
Removable Devices: How vulnerable is your valuable business data?
www.FraudSmarts.com/test/devices
Small Business Fraud: Is your company or organization at risk for fraud?
www.FraudSmarts.com/test/business
For Employees & Managers: Understanding fraud laws and regulations.
www.FraudSmarts.com/test/employees
College Students: College students are at high risk for identity theft.
www.FraudSmarts.com/test/students
Phishing: Are you able to navigate the dark waters and avoid a phishing scam?
www.FraudSmarts.com/test/phishing
Investment Fraud: Do you make sure your investments are safe?
www.FraudSmarts.com/test/investment
Computer & Home Network: Are you sure that you're protected at home?
www.FraudSmarts.com/test/home
Online Shopping: Do you know how to keep your money safe?
www.FraudSmarts.com/test/shopping
More Resources
Online Tools & Free Software: www.FraudSmarts.com/tools
Video Library: www.FraudSmarts.com/watch
Print Planning Guides & Handouts: www.FraudSmarts.com/print
Victim help & resources
What to do right away if your identity is stolen:
Did someone steal and use your personal information? Act quickly to limit the damage.
Step 1: Call the companies where you know fraud occurred.
1. Call the fraud department. Explain that someone stole your identity.
2. Ask them to close or freeze the accounts. Then, no one can add new charges unless you agree.
3. Change logins, passwords and PINs for your accounts.
Tip: You might have to contact these companies again after you have an Identity Theft Report.
Step 2: Place a fraud alert and get your credit report.
Contact one of the three credit bureaus. That company must tell the other two.
Equifax.com/CreditReportAssistance
1-888-766-0008
Experian.com/fraudalert
1-888-397-3742
TransUnion.com/fraud
1-800-680-7289
Tip: A fraud alert is free. It will make it harder for someone to open new accounts in your name. You'll get a letter from each credit bureau. It will confirm that they placed a fraud alert on your file.
Get your free credit report right away. Go to annualcreditreport.com or call 1-877-322-8228.
Did you already order your free annual reports this year? If so, you can pay to get your report immediately. Or follow the instructions in each fraud alert confirmation letter to get a free report, but it might take longer.
Review your reports. Make note of any account or transaction you don't recognize. This will help you report the theft to the FTC and the police.
Step 3: Report identity theft to the FTC.
1. Complete the FTC's online complaint form (http://www.ftc.gov/complaint). Give as many details as you can. The complaint form is not available on mobile devices, but you can call 1-877-438-4338 to make your report.
2. Print and save your FTC Identity Theft Affidavit immediately. Once you leave the page, you won't be able to get your affidavit.
Tip: Based on the information you enter, the FTC complaint system will create your Identity Theft Affidavit. You'll need this to complete other steps.
Do you need to update your affidavit? Call 1-877-438-4338.
Step 4: File a report with your local police department.
Go to your local police office with:
1. a copy of your FTC Identity Theft Affidavit
2. a government-issued ID with a photo
3. proof of your address (mortgage statement, rental agreement, or utilities bill)
4. any other proof you have of the theft (bills, IRS notices, etc.)
5. the FTC's Memo to Law Enforcement
Tell the police someone stole your identity and you need to file a report. If they are reluctant, show them the FTC's Memo to Law Enforcement (http://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0088-ftc-memo-law-enforcement.pdf).
Ask for a copy of the police report. You'll need this to complete other steps.
Create your Identity Theft Report by combining your FTC Identity Theft Affidavit with your police report.
Tip: Your Identity Theft Report proves to businesses that someone stole your identity. It also guarantees you certain rights. Know your rights, go here: https://www.identitytheft.gov/Know-Your-Rights
What To Do Next
Close new accounts opened in your name.
Explain that someone stole your identity.
Ask the business to close the account.
Ask the business to send you a letter confirming that:
- the fraudulent account isn't yours
- you aren't liable for it
- it was removed from your credit report
Keep this letter. Use it if the account appears on your credit report later on.
The business may require you to send them a copy of your Identity Theft Report or complete a special dispute form. This sample letter can help (https://www.identitytheft.gov/sample-letters/identity-theft-dispute-new-account.html).
Write down who you contacted and when.
Remove bogus charges from your accounts.
Call the fraud department of each business.
Explain that someone stole your identity.
Tell them which charges are fraudulent. Ask the business to remove them.
Ask the business to send you a letter confirming they removed the fraudulent charges.
Keep this letter. Use it if this account appears on your credit report later on.
The business may require you to send them a copy of your Identity Theft Report or complete a special dispute form. This sample letter can help (https://www.identitytheft.gov/sample-letters/identity-theft-dispute-new-account.html).
Write down who you contacted and when.
Correct your credit report.
Write to each of the three credit bureaus. This sample letter can help (https://www.identitytheft.gov/sample-letters/identity-theft-credit-bureau.html).
Include a copy of your Identity Theft Report and proof of your identity, like your name, address, and Social Security number.
Explain which information on your report came from identity theft.
Ask them to block that information.
Equifax.com
P.O. Box 105069
Atlanta, GA 30348-5069
1-800-525-6285
Experian.com
P.O. Box 9554
Allen, TX 75013
1-888-397-3742
TransUnion.com
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19022-2000
1-800-680-7289
Resolve tax-related identity theft.
If you get an IRS notice in the mail, follow the instructions provided.
Complete IRS Form 14039, Identity Theft Affidavit (http://www.irs.gov/pub/irs-pdf/f14039.pdf).
Mail or fax the form according to the instructions. Include proof of your identity, like a copy of your Social Security card, driver's license or passport.
Did the notice say you were paid by an employer you don't know? Send a letter to the employer explaining that someone stole your identity, and that you don't work for the employer.
File your tax return, and pay any taxes you owe. You might have to mail paper tax returns.
Write down who you contacted and when. Keep copies of any letters you send.
If these steps don't resolve your situation, contact the IRS for specialized assistance at 1-800-908-4490.
Report a misused Social Security number.
Social Security card lost or stolen? Apply online (http://www.ssa.gov/ssnumber/) for free to get a replacement card.
Do you think someone else is using your Social Security number for work? Review your Social Security work history by creating an account at socialsecurity.gov/myaccount.
If you find errors, contact your local SSA office (https://secure.ssa.gov/ICON/main.jsp).
Stop debt collectors from trying to collect debts you don't owe.
Write to the debt collector within 30 days of getting the collection letter. This sample letter can help (https://www.identitytheft.gov/Sample-Letters/identity-theft-debt-collector).
Tell the debt collector someone stole your identity, and you don't owe the debt.
Send copies of your Identity Theft Report and any other documents that detail the theft.
Contact the business where the fraudulent account was opened.
Explain that this is not your debt.
Tell them to stop reporting this debt to the credit bureaus.
Ask for information about the debt, and how it happened. The business must give you details if you ask. This sample letter can help (https://www.identitytheft.gov/Sample-Letters/request-records-related-identity-theft).
For example, if someone opened a credit card in your name, ask for a copy of the application and applicant's signature.
If you haven't already, ask the credit bureaus to block information about this debt from your credit report.
Write down who you contacted and when. Keep copies of any letters you send.
Replace government-issued IDs.
Social Security card lost or stolen? Apply online for free to get a replacement card (http://www.ssa.gov/ssnumber/).
Driver's license lost or stolen? Contact the nearest DMV branch to report it (http://www.usa.gov/Topics/Motor-Vehicles.shtml). The state might flag your license number in case someone else tries to use it, or they might suggest that you apply for a replacement license.
Passport lost or stolen? Call the State Department at 1-877-487-2778 or TTY 1-888-874-7793. If you want to replace the passport, you have several options (http://travel.state.gov/content/passports/english/passports/information/where-to-apply/agencies.html):
If you are traveling within the next two weeks, make an appointment to apply in person at a Passport Agency or Center.
If you are not traveling within two weeks, submit Form DS-11 (http://www.state.gov/documents/organization/212239.pdf) and DS-64 (http://www.state.gov/documents/organization/212245.pdf) in person at an authorized Passport Application Acceptance Facility (http://iafdb.travel.state.gov/).
Resolve child identity theft.
Follow the usual steps for What To Do Right Away and What To Do Next with 2 exceptions:
1. When requesting a credit report, ask for a search based only on your child's Social Security number (SSN). You'll need to do this by phone or email.
2. The SSN-only search means that any items associated with your child's SSN are included in the report, even if the thief used your child's SSN with a different name.
Equifax
1-800-525-6285
Experian
1-888-397-3742
TransUnion.com
[email protected]
When you correct your child's credit report, send each credit reporting agency the Minor's Status Declaration form (http://www.consumer.ftc.gov/articles/pdf-0095-uniform-minor-status-declaration.pdf). It provides proof that your child is a minor. Include a letter with the form that asks for all information associated with your child's name or SSN to be removed. If you do this, you don't have to send a "blocking" request for the child.
Because a minor cannot legally agree to contracts, any debts on your child's credit report are fraudulent by definition.
Resolve medical identity theft.
If you think a thief used your personal information to get medical services, get copies of your records.
1. Contact each doctor, clinic, hospital, pharmacy, laboratory, and health plan where the thief may have used your information. Ask for copies of your medical records.
2. Complete the providers' records request forms and pay any fees required to get copies of your records.
3. Check your state's health privacy laws (http://www.healthinfolaw.org/comparative-analysis/individual-access-medical-records-50-state-comparison). Some state laws make it easier to get copies of your medical records.
Federal law gives you the right to know what's in your medical files.
Did your provider refuse to give you copies of the records to protect the identity thief's privacy rights? You can appeal. Contact the person listed in your provider's Notice of Privacy Practices, the patient representative, or the ombudsman. Explain the situation and ask for your file.
If the provider refuses to provide your records within 30 days of your written request, you may complain to the U.S. Department of Health and Human Services Office for Civil Rights (http://www.hhs.gov/ocr).
Review your medical records, and report any errors to your health care provider.
1. Write to your health care provider to report mistakes in your medical records.
2. Include a copy of the medical record showing the mistake.
3. Explain why this is a mistake, and how to correct it.
4. Include a copy of your Identity Theft Report.
5. Send the letter by certified mail, and ask for a return receipt.
Your health care provider should respond to your letter within 30 days. Ask the provider to fix the mistake and notify other health care providers who may have the same mistake in their records.
Notify your health insurer.
1. Send your Identity Theft Report to your health insurer's fraud department. Tell them about any errors in your medical records.
2. If there are medical billing errors on your credit report, notify all 3 credit reporting companies.
3. Write down who you contacted and when. Keep copies of any letters you send.
For more information, visit: https://www.identitytheft.gov
Government & Law Enforcement Agencies
International Government Agencies
CA Canada Parliament - http://www.parl.gc.ca/
CA Department of Justice - http://canada.justice.gc.ca/
UK Her Majesty's Treasury - http://www.hm-treasury.gov.uk/
UK CCTA Government Information - http://www.open.gov.uk/
Banking & Finance
American Bankers Association - http://www.aba.com/
American Express - http://www.americanexpress.com/
MasterCard International - http://www.mastercard.com/
Mondex - http://www.mondex.com/
NOVUS - http://www.novusnet.com/
Visa International - http://www.visa.com/
Wall Street Journal - http://wsj.com/
World Bank - http://www.worldbank.org/
U.S. Government Agencies
Department of the Treasury - http://www.ustreas.gov/
Federal Trade Commission - http://www.ftc.gov/
FedWorld Information Network - http://www.fedworld.gov/
Financial Crimes Enforcement Network - http://www.fincen.gov/index.html
Office of the Director of Central Intelligence - http://www.odci.gov/
Securities and Exchange Commission - http://www.sec.gov/
The United States Senate - http://www.senate.gov/
The White House - http://www.whitehouse.gov/
THOMAS - U.S. Congress on the Internet - http://thomas.loc.gov/
U.S. House of Representatives - http://www.house.gov/
Dept of State - FINANCIAL CRIMES - http://www.state.gov/g/inl/
US Supreme Court - http://www.supremecourtus.gov/
U.S. Marshals - http://www.usmarshals.gov/
Law Enforcement Agencies
Canada - Royal Canadian Mounted Police - http://www.rcmp-grc.gc.ca/
Interpol - http://www.interpol.int/
U.S. Alcohol Tobacco & Firearms - http://www.atf.treas.gov/
U.S. Federal Bureau of Investigation - http://www.fbi.gov/
U.S. Immigration and Customs Enforcement - http://www.ice.gov/cornerstone
U.S. Internal Revenue Service - http://www.irs.ustreas.gov/
U.S. Postal Inspection Service - https://postalinspectors.uspis.gov/
U.S. Secret Service - http://www.treas.gov/usss/
FindLaw - http://www.findlaw.com/
Forensic & Biometrics Sciences
American Academy of Forensic Sciences - http://www.aafs.org/
American Society of Crime Laboratory Directors - http://www.ascld.org/
Canadian Society Of Forensic Science - http://www.csfs.ca/
FBI Crime Lab - http://www.fbi.gov/programs/lab/fsc/current/index.htm
National Association of Document Examiners - http://expertpages.com/org/nade.htm
Healthcare & Drugs
To report problems with a medication or medical device:
FDA - Find out where your complaint should go at: http://www.fda.gov/opacom/backgrounders/problem.html
To report scams and suspicious activity involving Medicare:
HHS Office of Inspector General (OIG) - Call the OIG's fraud hotline at 1-800-447-8477 (TTY: 1-800-377-4950).
FTC - Visit ftc.gov/complaint, or call 1-877-382-4357 (TTY: 1-866-653-4261).
To report fraud or abuse related to a Medicare Part D prescription drug plan:
Medicare Drug Integrity Contractors (MEDICs) - Call 1-877-772-3379.
For help with a complaint about a long-term care facility:
Your state long-term care ombudsman - Find an ombudsman with the Ombudsman Locator at: ltcombudsman.org.
To report suspected elder abuse, neglect, or exploitation:
National Center on Elder Abuse - Visit: http://www.ncea.aoa.gov/, or call 1-800-677-1116.
Report Phishing & Spam
Forward phishing emails to [email protected] and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.
You can also report phishing email to [email protected]. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing. If you believe you've been scammed, file your complaint at https://www.ftccomplaintassistant.gov. Victims of phishing can become victims of identity theft.
Credit bureaus & advocacy groups
Credit Bureaus
Annual Credit Report - https://www.annualcreditreport.com
Obtain your free annual credit report through this official site.
Opt Out of Pre-Approved Credit Offers - https://www.optoutprescreen.com
Register with credit bureaus to permanently remove your name from pre-approved credit lists.
Equifax - http://learn.equifax.com/identity-theft
Find out about fraud in your local area and the difference between a fraud alert and a security freeze.
Experian - http://www.experian.com/credit-education/identity-fraud-index.html
Learn the warning signs of fraud and how to prevent it.
TransUnion - http://www.transunion.com/corporate/personal/fraudIdentityTheft.page
Discover how to spot and recover from fraud and identity theft.
Dun & Bradstreet - http://www.dnb.com
Consumer Guides
USPS - Know Your Rights - https://about.usps.com/publications/pub308.pdf
A guide for victims and witnesses of crimes.
Fraud.org - http://www.fraud.org
A project of the National Consumers League.
Financial Reporting Organizations
ISO Insurance Services - http://www.iso.com/Products/A-PLUS/Consumers-Order-Your-Free-A-PLUS-Loss-History-Report.html
Obtain an A-PLUS report on your insurance loss history.
Medical Information Bureau (MIB Group) - http://www.mib.com/html/request_your_record.html
Get a copy of your MIB consumer file containing information on medical conditions and treatment.
Advocacy Organizations and Tools
Identity Theft Resource Center (ITRC) - http://www.idtheftcenter.org
Acquire information, research, prevention tips, victim information guides, and other resources from this nonprofit organization.
National Do-Not-Call Registry - http://www.fcc.gov/cgb/donotcall
Register your phone numbers, including wireless numbers, on the FCC's National Do-Not-Call Registry.
Direct Marketing Association Name Deletion List - https://www.dmachoice.org
Add your name to the mail and email "name deletion lists" used nationwide by marketers.
Privacy Rights Clearinghouse - http://www.privacyrights.org
Access additional identity theft resources, consumer information and other resources.
Legal Resources
FindLaw - http://www.findlaw.com
Information about a specific legal topic.
Australasian Legal Information Institute - http://www.austlii.edu.au
A joint facility of UTS and UNSW Faculties of Law.
CA Canadian Bar Association - http://www.cba.org
U.S. Supreme Court - http://www.supremecourtus.gov
U.S. American Bar Association - http://www.abanet.org
U.S. Law Library of Congress - http://www.loc.gov/rr/law
Online sources of information on government & law by region, country or U.S. state.
U.S. National Association of Attorneys General (NAAG) - http://www.naag.org
Data Breach Safety
When Information Is Lost or Exposed
Did you recently get a notice that says your personal information was exposed in a data breach? Did you lose your wallet? Or learn that an online account was hacked? Depending on what information was lost, there are steps you can take to help protect yourself from identity theft.
Social Security number
If a company responsible for exposing your information offers you free credit monitoring, take advantage of it.
Get your free credit reports from annualcreditreport.com. Check for any accounts or charges you don't recognize.
Consider placing a credit freeze. A credit freeze makes it harder for someone to open a new account in your name.
If you place a freeze, be ready to take a few extra steps the next time you apply for a new credit card or cell phone, or any service that requires a credit check.
If you decide not to place a credit freeze, at least consider placing a fraud alert.
Try to file your taxes early, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.
Don't believe anyone who calls and says you'll be arrested unless you pay for taxes or debt, even if they have part or all of your Social Security number, or they say they're from the IRS.
Continue to check your credit reports at annualcreditreport.com. You can order a free report from each of the three credit reporting companies once a year.
Online login or password
Log in to that account and change your password. If possible, also change your username.
If you can't log in, contact the company. Ask them how you can recover or shut down the account.
If you use the same password anywhere else, change that, too.
Is it a financial site, or is your credit card number stored? Check your account for any charges that you don't recognize.
Debit or credit card number
Contact your bank or credit card company to cancel your card and request a new one.
Review your transactions regularly. Make sure no one misused your card.
If you find fraudulent charges, call the fraud department and get them removed.
If you have automatic payments set up, update them with your new card number.
Check your credit report at annualcreditreport.com.
Bank account information
Contact your bank to close the account and open a new one.
Review your transactions regularly to make sure no one misused your account.
If you find fraudulent charges or withdrawals, call the fraud department and get them removed.
If you have automatic payments set up, update them with your new bank account information.
Check your credit report at annualcreditreport.com.
Driver's license information
Contact your nearest motor vehicles branch to report a lost or stolen driver's license. The state might flag your license number in case someone else tries to use it, or they might suggest that you apply for a duplicate.
Check your credit report at annualcreditreport.com.
Copyright
Copyright © 2017 by Dan Szabo
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher except for the use of brief quotations in a book review or scholarly journal.
Second Printing: 2017
ISBN 978-1-365-62251-9
eFraud Prevention, LLC
P.O. Box 832
Southbury, CT 06488
www.fraudsmarts.com