Halting Hackers on the Holidays

Expert tips for keeping your information safe while you shop online
November 25, 2020 Updated: November 25, 2020

Commentary

As we approach major holidays, with Black Friday and Cyber Monday right around the corner and a massive increase in shopping for the Christmas season, we can count the breaches and total personally identifiable information records lost in the billions.

According to Cyber Defense Magazine, someone loses their identity to a breach every two seconds. Every American has had an identity theft event happen in their life more than once by the time they reach the age of 30. There are over 25 billion records stolen on the internet as of today. Most of them include personally identifiable information such as names, addresses, credit cards, emails, phone numbers, and passwords, and many have medical records information in them.

With major holidays and an increase in online shopping, cybercrime isn’t going away—it’s huge. In fact, it’s now the biggest form of crime worldwide, surpassing drug crime. Cybercrime is estimated to account for over $7 trillion in theft and damages by 2021.

So, with identity theft on the rise and privacy disappearing, cyber hackers and criminals love the holidays: There’s a surge in debit and credit card usage; there are more packages for “porch pirates” to steal; and online shopping is easily turned into a cybercrime honeypot.

Now is the most important time to understand the latest threats and to be vigilant. This is your chance to help halt hackers on the holidays. With that said, here are my top 10 expert tips to help you enjoy the Thanksgiving and Christmas shopping experiences without losing your privacy and identity or putting your children’s safety at risk.

1. Understand Email Security Basics

In an email phishing attack, you’ll receive a hyperlink that, if you click it, installs malware. Or there’ll be an attachment with a name you think you can trust, but if you try to open the attachment, you’ll also get infected.

Don’t trust any hyperlinks or attachments in emails unless you’re 100 percent certain you can trust the source.

2. Learn to Guard Against Even More Sophisticated Spear Phishing Attacks

Every day, there’s a cybercriminal somewhere in the world looking to gain access to your identity and credit. They’re getting smarter and they’re using even more sophisticated techniques to send emails and SMS messages that look really good—like they came from someone you trust. It will usually have a link or attachment that leads to a malware infection.

Some people have clicked links from banks with America in their name, but the hackers tricked them by using a font that makes an “r” and an “n” look like an “m,” so it was really Arnerica. If you’re really busy, you might not notice the “r” and “n” and click the link and get infected.

Don’t click the links and don’t open the attachments. Talk to your family, friends, and business associates and confirm the email really came from them. Most likely, it’s a cyberattack.

Ultimately, if it looks too good to be true, especially an email or even an SMS message, it probably is—so be extra cautious and vigilant this holiday season.

3. Don’t Fall for Bank, Lawsuit or IRS Telephone Scams

Your bank, a lawyer, or the IRS won’t call you and ask for your password over the phone, or tell you that you’re about to be sued or that you’re going to be arrested for not paying taxes.

It costs you nothing to put yourself on the National Do Not Call Registry—it won’t stop everyone but it will cut down on unwanted telemarketers. Visit DoNotCall.gov and put all your phone numbers on the Do Not call list. If someone really annoys you and keeps calling you, report it to this group who will investigate it for you.

Also, go to AnnualCreditReport.com for your free once-a-year credit report and look for anything strange. If you see something odd, call all three credit bureaus and tell them you want a credit freeze and to put a lock on your credit report account.

4. Change your Passwords—All of Them

Do it now and do it as frequently as you can tolerate. If you don’t want to change them often, use any unique characters you can think of, such as a dollar sign ($) or an exclamation mark (!) or replace a letter “o” with a 0 (zero).

This goes a long way in preventing brute-force attacks against your password. If hackers can’t get your password easily, they’ll probably give up and try to attack someone else. Make it hard for them with strong passwords that you change as frequently as you’re comfortable with, and no less than once per year—and especially after the news that one of your accounts has been compromised.

5. Clean up Your Apps and Show Your Children

Assume most of your smartphone or tablet apps are malware that spy on you and your online behavior. Do you really need them? Delete any apps you don’t use often. Replace apps that take advantage of too many of your privacy settings with similar apps that don’t.

On an iPhone, you’re not being eavesdropped on until you run the app. However, I’ve discovered flashlight apps, Bible apps, and emoji keyboard apps that appear trustworthy and turn out to be spyware that passed the “security” tests by Google Play and Apple iTunes online app stores.

You really need to know who made the app and what permissions it really needs—does your flashlight need to turn on your microphone? Does your emoji keyboard need to have any form of internet access, i.e., send your keystrokes to China? And the list goes on.

If an app uses too many permissions, or has a strange website or no customer support telephone number and the developers won’t answer your emails, better to delete the app and find one from someone you can trust and, if they lose your identity, someone you can get some form of reparations from for the damages of identity theft.

Teach your children to be smart about whom they talk to online and let them know that meeting a stranger at a mall whom they met online could lead to their kidnapping. Many online predators pretend to be a 10–13-year-old so they can make friends with younger children and trick them. Talk with your kids about this and other safety issues frequently.

6. Shop Online Only From Websites You Trust

If you don’t know where the merchant is located, don’t shop online there.

If they don’t have a corporate address or are located in another country, it could be iffy whether you ever see the goods you think you purchased. And, if their shopping-cart experience is not an HTTPS browser session, then everything you type in—your name, address, and credit card information—is going over the internet unencrypted, in plain view.

Also, if you receive emails from the merchant, no matter the reason, don’t give them your credit card information over email. If the shopping website looks too good to be true, it probably is. Only shop at sites where you know the owner, such as a small business site, or at big sites like Amazon.com where you have built-in identity theft protections.

7. Check Websites have SSL Encryption

Never buy online using your credit card on a site that doesn’t have SSL (secure sockets layer) encryption installed. It’s easy to tell you’re in a secure, encrypted session: You should see an icon of a locked padlock in your browser and the website URL starts with HTTPS not HTTP.

8. Don’t Use Cash or Debit Cards

You have three major choices when shopping—cash, credit, or debit. In rare, but growing, instances, there’s even a fourth option called Bitcoin, which is now accepted at some merchants, including Overstock.com. Bitcoins could be considered the equivalent of the cash option, because once used, you can’t get them back.

So, if you have to choose among these options, the best is the credit card. Here’s why: If you experience identity theft, credit card laws allow you to keep all of your credit immediately, with no responsibility during an identity theft or fraud investigation. With a debit card, your bank’s policy can be to tie up your money in the amount of the fraudulent transactions for up to 30 days. Some have been known to take up to 60 days to resolve the issue.

9. Don’t Use Public WiFi Without Using SSL Encryption

Public WiFi networks can be a hacker’s dream. If they want, they can see what websites you’re visiting and insert malware into your computer or another device. The hacker also has access to any information you’re sending out over the internet, which could include credit card numbers or other critical information.

Do some research about trustworthy VPNs (virtual private networks) and consider installing a VPN on all your devices. I trust BestVPN.com for the list of some great personal VPN software, and I’ve found one from my research on their site that I like a lot. Most personal VPNs cost between $5 to $10 per month. If you find a free VPN you should not trust it.

All your device traffic flows through your VPN, so the more you pay, most likely, the better the service (software, support, telephone, email, etc). Many offer discounts for annual payment versus monthly payment plans, and you might even find some coupons online where you’ll get a VPN for half price for the first year.

10. Be Wary of Porch Pirates and Scummy Skimmers

There are hackers who have learned how to track packages online. Some of them may be criminals in your city or town. If they know a package is arriving on your porch when you aren’t home, they might just nab it.

It’s best to have items delivered to your office, or to a family or friend’s house where you know someone will be home during the day, so they can sign for it and take it inside where it will be safe.

Also, credit card skimmers have been found on gas pumps that are not monitored frequently, such as at major highway liquor store/shopping areas. Go inside and put your card into the machine at the cash register area to be safe. Skimmers are nearly invisible, and when you find out you’ve been skimmed, it’s usually after they’ve used your credit card to make illegal purchases.

Finally, I just want to remind you that if it’s too good to be true, it probably is a scam.

There are attacks online where the hacker pretends to be a family member or friend you haven’t seen in years by faking their Facebook account or stealing their password. Then, they claim you can trust them to go give $500 to the U.S. government to get a $10,000 grant. They have the fake U.S. government agent’s Facebook account contact you in Messenger and confirm that it’s all real and you can trust them.

Then there are online dating scams, where your future soulmate asks you for money online because he or she needs it for the plane ticket to see you. These people are also fraudsters who should be in jail.

Just remember: Money doesn’t fall from trees, and if you give anyone a penny of your hard-earned money, never expect to see it back.

Remember, if someone calls you claiming to be from the IRS, or a law firm, or Microsoft technical support asking for money, these are the three biggest phone scams lately. Never give your credit card or personal information to anyone over the phone, especially if they are calling you.

If you think you’ve been a victim of an identity theft, visit IdentityTheft.gov and follow their instructions.

Gary Miliefsky is a cybersecurity, breach prevention, and privacy expert. He is CEO of Cyber Defense Media Group and a founding member of the U.S. Department of Homeland Security, the National Information Security Group, and the OVAL advisory board of MITRE responsible for the CVE Program.

Views expressed in this article are the opinions of the author and do not necessarily reflect the views of The Epoch Times.