As we wind down National Cyber Security Awareness Month in October, we count the breaches and total personally identifiable information records lost at more than 13 billion since 2013.
We’ve all heard about Facebook losing millions of records, and Google forgetting to disclose their breach for many months and then announcing they will shut down Google Plus as a result of the breach. That’s just the tip of the iceberg.
According to the Breach Level Index, we’re looking at 73 records hacked and stolen every second. That’s more than 4,000 records per minute, every minute, of every day. This includes email accounts, passwords, credit cards, Social Security numbers, dates of birth, addresses, and much more personally identifiable information.
Now that we’re approaching the busiest online shopping season, with Black Friday and Cyber Monday right around the corner, it’s the most important time to understand the latest threats and to be vigilant. This is your chance to help halt hackers on the holidays.
Here are my top 10 expert tips to help you enjoy the Thanksgiving and Christmas shopping experiences, without losing your privacy and identity or putting your children’s safety at risk.
1. Understand Email Security Basics
In an email phishing attack, you’ll receive a hyperlink that, if you click it, installs malware. Or there will be an attachment with a name you think you can trust, but if you try to open the attachment, you will also get infected.
Don’t trust any hyperlinks or attachments in emails unless you are 100 percent certain you can trust the source.
2. Learn to Guard Against Even More Sophisticated Spear Phishing Attacks
Every day, there’s a cybercriminal somewhere in the world looking to gain access to your identity and credit. They are getting smarter and they are using even more sophisticated techniques to send emails and SMS messages that look really good—like they came from someone you trust. It will usually have a link or attachment that leads to a malware infection.
Some people have clicked links from banks with America in their name, but the hackers tricked them by using a font that makes an “r” and an “n” look like an “m,” so it was really Arnerica. If you are really busy, you might not notice the “r” and “n” and click the link and get infected.
Don’t click the links and don’t open the attachments. Talk to your family, friends, and business associates and confirm the email really came from them. Most likely, it’s a cyberattack.
Ultimately, if it looks too good to be true, especially an email or even an SMS message, it probably is—so be extra cautious and vigilant this holiday season.
3. Don’t Fall for Bank, Lawsuit, or IRS Telephone Scams
Your bank, a lawyer, or the IRS won’t call you and ask for your password over the phone, or tell you that you are about to be sued or that you’re going to be arrested for not paying taxes.
It costs you nothing to put yourself on the National Do Not Call Registry—it won’t stop everyone but it will cut down on unwanted telemarketers. Visit DoNotCall.gov and put all your phone numbers on the Do Not Call list. If someone really annoys you and keeps calling you, report it to this group, who will investigate it for you.
4. Change Your Passwords—All of Them
Do it now and do it as frequently as you can tolerate. If you don’t want to change them often, use any unique characters you can think of, such as a dollar sign ($) or an exclamation mark (!) or replace a letter “o” with a 0 (zero).
This goes a long way in preventing brute-force attacks against your password. If hackers can’t get your password easily, they will probably give up and try to attack someone else. Make it hard for them with strong passwords that you change as frequently as you are comfortable with, and no less than once per year—and especially after the news that one of your accounts has been compromised.
5. Clean Up Your Apps
Assume most of your smartphone or tablet apps are malware that spy on you and your online behavior. Do you really need them? Delete any apps you don’t use often. Replace apps that take advantage of too many of your privacy settings with similar apps that don’t.
On an iPhone, you’re not being eavesdropped on until you run the app. However, I’ve discovered flashlight apps, Bible apps, and emoji keyboard apps that appear trustworthy and turn out to be spyware that passed the “security” tests by Google Play and Apple iTunes online app stores.
You really need to know who made the app and what permissions it really needs—does your flashlight need to turn on your microphone? Does your emoji keyboard need to have any form of internet access, i.e., send your keystrokes to China? And the list goes on.
If an app uses too many permissions, or has a strange website or no customer support telephone number and the developers won’t answer your emails, better to delete the app and find one from someone you can trust and, if they lose your identity, someone you can get some form of reparations from for the damages of identity theft.
6. Shop Online Only From Websites You Trust
If you don’t know where the merchant is located, don’t shop online there.
If they don’t have a corporate address or are located in another country, it could be iffy whether you ever see the goods you think you purchased. Also, if their shopping-cart experience is not an HTTPS browser session, then everything you type in—your name, address, and credit card information—is going over the internet unencrypted, in plain view.
Also, if you receive emails from the merchant, no matter the reason, don’t give them your credit card information over email.
7. Check Websites have SSL Encryption
Never buy online using your credit card on a site that doesn’t have SSL (secure sockets layer) encryption installed. It’s easy to tell you are in a secure, encrypted session: You should see an icon of a locked padlock in your browser and the website URL starts with HTTPS not HTTP.
8. Don’t Use Cash or Debit Cards
You have three major choices when shopping—cash, credit, or debit. In rare, but growing, instances, there’s even a fourth option called Bitcoin, which is now accepted at some merchants, including Overstock.com. Bitcoins could be considered equivalent to the cash option, because once used, you can’t get them back.
So, if you have to choose among these options, the best is the credit card. Here’s why: If you experience identity theft, credit card laws allow you to keep all of your credit immediately, with no responsibility during an identity theft or fraud investigation. With a debit card, your bank’s policy can be to tie up your money for the amount of the fraudulent transactions for up to 30 days. Some have been known to take up to 60 days to resolve the issue.
9. Don’t Use Public WiFi Without Using SSL Encryption
Public WiFi networks can be a hacker’s dream. If they want, they can see what websites you are visiting and insert malware into your computer or another device. The hacker also has access to any information you are sending out over the internet, which could include credit card numbers or other critical information.
Do some research about trustworthy VPNs (virtual private networks) and consider installing a VPN on all your devices. I trust BestVPN.com for the list of some great personal VPN software, and I’ve found one from my research on their site that I like a lot. Most personal VPNs cost between $5 to $10 per month. If you find a free VPN you should NOT trust it.
All your device traffic flows through your VPN, so the more you pay, most likely, the better the service (software, support, telephone, email, etc). Many offer discounts for annual payment versus monthly payment plans, and you might even find some coupons online where you’ll get a VPN for half price for the first year.
10. Be Wary of Porch Pirates
There are hackers who have learned how to track packages online. Some of them may be criminals in your city or town. If they know a package is arriving on your porch when you aren’t home, they might just nab it.
It’s best to have items delivered to your office, or to a family or friend’s house where you know someone will be home during the day, so they can sign for it and take it inside where it will be safe.
Finally, I just want to remind you that if it’s too good to be true, it probably is a scam.
There are new attacks online where the hacker pretends to be a family member or friend you haven’t seen in years by faking their Facebook account or stealing their password. Then, they claim you can trust them to go give $500 to the U.S. government to get a $10,000 grant. Then they have the fake U.S. government agent’s Facebook account contact you in Messenger and confirm that it’s all real and you can trust them.
Just remember: Money does not fall from trees, and if you give anyone a penny of your hard-earned money, never expect to see it back.
Then there are online dating scams, where your future soulmate asks you for money online because he or she needs it for the plane ticket to see you. These people are also fraudsters who should be in jail.
Remember, if someone calls you claiming to be from the IRS, or a law firm, or Microsoft technical support asking for money, these are the three biggest phone scams lately. Never give your credit card or personal information to anyone over the phone, especially if they are calling you.
If you think you’ve been a victim of an identity theft, visit IdentityTheft.gov and follow their instructions.
Gary Miliefsky is a cybersecurity, breach prevention, and privacy expert. He is CEO of Cyber Defense Media Group and a founding member of the U.S. Department of Homeland Security, the National Information Security Group, and the OVAL advisory board of MITRE responsible for the CVE Program.
Views expressed in this article are the opinions of the author and do not necessarily reflect the views of The Epoch Times.