Online Security Guide

Introduction

The Town of Hempstead has compiled this guide to help residents with online security. As our lives revolve more and more around our personal devices and smartphones, it's easy to overlook basic security. These devices store a great deal of personal and financial information. If you were to lose your phone today, how would you handle all your lost passwords, your lost pictures, and your compromised information? All of this information can be used by an attacker to steal your identity, which can lead to malicious activity on your social accounts, as well as the attacker having the ability to open credit cards with your information!

Table of Contents

  1. Introduction

  2. Passwords

  3. Mobile: Secure Your Phone

  4. Social: Understand What You're Sharing

  5. Email & Cloud: Decide What Data to Keep

  6. Phishing: What Is It and How Can I Avoid It?


Passwords

Let's face it, people are terrible at passwords. We use passwords that are easy to guess, we re-use them across sites, and we keep all sorts of terrible password practices.

Given how much sensitive information of ours is kept in our online accounts, the first thing you can do to beef up your security is to secure the way you log in online.

The risk: You use a password at a mom-and-pop website to create an account. That website gets hacked, and it turns out the company stored your password in plain text in their database. If you re-use that password for another sensitive account (bank, social media, email, etc.), an attacker can use it to access your other accounts.

General Password Practices

  • Use a unique, random password consisting of 16+ characters for each account.

  • Include uppercase letters, lowercase letters, numbers, and special characters.

  • Manage the passwords with a cloud password manager such as LastPass, OnePass, or others.

  • Change all the passwords at least once per year.

  • Implement 2-factor authentication (2FA) for all sites that offer it. 2FA adds an extra level of security, often requiring an SMS message or code from your phone when someone tries to log in from an unknown device.

Get a Handle on All Your Accounts

The first thing to do when securing your logins is to get a comprehensive list of all the places you have online accounts. This can be daunting, and can be upwards of 100+, but this is the true scale of our online profile.

The risk: An online service account you no longer use has an old, insecure password and stores sensitive data. This account may also belong to a website that has poor security practices, and is vulnerable to hacking (especially if you’re not using it anymore).

Places to look to get a list of all the places where you have passwords to secure:

  1. Your phone: every app you have probably has a login. Write it down.

  2. Your email: many of the places that email you have accounts.

  3. Chrome saved passwords: Google Chrome can give you a readout of the saved passwords it has for you.

Don't Forget to Check the Following:

Adobe, Airlines (Delta, United, JetBlue, etc.), Apple, Banks / Credit Unions (Chase, Bank of America, etc.), Craigslist, Dropbox, eBay, eCommerce Stores, Eventbrite, Facebook, Github, Google, Groupon, Healthcare (Cigna, ZocDoc, etc.), Heroku, Hotel Loyalty (Hilton, SPG, etc.), Imgur, Internet Providers (GoDaddy, CloudFlare, etc.), Intuit, Kickstarter, LinkedIn, Lyft, Mailchimp, Meetup, Mint, Mobile Phone (Verizon, T-mobile, etc.), Netflix, Online Training Providers (Udacity, etc.), PayPal, Publications (WSJ, NYT, etc.), Reddit, Slack, Spotify, Square, Starbucks, Student Loans, Tableau, Tax Services (TurboTax, TaxAct, etc.), Ticketmaster, Trello, Tumblr, Twilio, Twitter, Uber, University Email, UPS, Vimeo, Yahoo…

If You Haven't Been Using a Password Manager

  • We highly recommend migrating all your passwords to one, and systematically going through to change every password to a unique random one.

  • Every new account you create can also have a unique random password tracked by the system.

If You Have One Already, Do the Following Every Year

  • Change the LastPass master password.

  • Change the password on every account in your password manager.

  • Implement 2-factor authentication, if available. We are a fan of Authy for any 2FA that uses an authenticator app (because it backs up the codes, which is useful if you switch phones).

  • Check that any back-up codes you have for 2FA are up to date. Print, and store in a safe place. You’ll need these to get access to your account if you ever can’t access your 2FA device.

  • If the site allows, log out of all open sessions on all devices. This will force you to log in again, but will disable any unauthorized open sessions you may have missed.

  • Remove any unnecessary data in your account (see Data Retention Policy below).

  • If you no longer use the account, have the account deactivated or deleted.

  • Review the connected devices to your account, and remove any devices that you no longer use.

  • Log out, and make sure that you can log back in successfully with the new credentials.

  • Remove any duplicates of the password in your password manager, to make it clear which one to use.

  • If the site offers third-party access to the account, check the list of sites that have authorized access. Revoke any access that isn’t needed.

  • In general, take note of the data that is stored in the account. If the account were to be hacked, how bad would it be?

Once you’re done, run a security challenge through your password manager. This will tell you:

  • If any of your accounts re-use the same password.

  • If any have been involved in a known compromise (i.e., the server of the company got hacked).

  • If any of the passwords are old.

  • If any of the passwords are insecure (too short, etc.).
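As an added example, not taken from the Town's guide or from any password manager, this Python script performs the same four checks a security challenge runs, over a constructed sample vault; the breach check uses the k-anonymity scheme of the Have I Been Pwned range API, with the breach corpus constructed offline here.

```python
import hashlib
import secrets
import string
from datetime import date

# Constructed stand-in for a breach corpus. The real Have I Been Pwned
# "Pwned Passwords" range API is queried with only the first 5 hex characters
# of a password's SHA-1 and answers with every matching 35-character suffix,
# so the full hash (let alone the password) never leaves your machine.
BREACHED_SAMPLES = ["password123", "letmein", "qwerty123456"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def offline_range_lookup(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>:
    returns 'SUFFIX:COUNT' lines for every corpus hash sharing the prefix."""
    lines = []
    for pw in BREACHED_SAMPLES:
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:42")  # 42 is a constructed hit count
    return "\n".join(lines)

def is_compromised(password, range_lookup=offline_range_lookup):
    """k-anonymity check: send the 5-char prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(line.split(":")[0] == suffix
               for line in range_lookup(prefix).splitlines())

def generate_password(length=20):
    """Random password with at least one of each class (16+ chars recommended)."""
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, "!#$%&*+-=?@^_"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def audit_vault(vault, today, min_length=16, max_age_days=365,
                range_lookup=offline_range_lookup):
    """Return {site: [finding, ...]} for every entry that fails a check."""
    sites_by_password = {}
    for entry in vault:
        sites_by_password.setdefault(entry["password"], []).append(entry["site"])
    findings = {}
    for entry in vault:
        pw, issues = entry["password"], []
        others = [s for s in sites_by_password[pw] if s != entry["site"]]
        if others:
            issues.append("reused on " + ", ".join(others))
        if len(pw) < min_length:
            issues.append(f"too short ({len(pw)} < {min_length})")
        if (today - entry["changed"]).days > max_age_days:
            issues.append("older than a year")
        if is_compromised(pw, range_lookup):
            issues.append("appears in a known breach")
        if issues:
            findings[entry["site"]] = issues
    return findings

# Constructed sample vault and audit date.
AUDIT_DATE = date(2023, 12, 31)
SAMPLE_VAULT = [
    {"site": "bank.example", "password": "password123", "changed": date(2022, 1, 15)},
    {"site": "forum.example", "password": "password123", "changed": date(2023, 6, 1)},
    {"site": "mail.example", "password": "Tq7#mZ9vLp2!wXr4Yb", "changed": date(2023, 9, 1)},
]

def run_sample_audit():
    return audit_vault(SAMPLE_VAULT, AUDIT_DATE)

if __name__ == "__main__":
    for site, issues in run_sample_audit().items():
        print(f"{site}: {'; '.join(issues)}")
    print("replacement suggestion:", generate_password())
```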

Mobile: Secure Your Phone

Most people don’t consider just how much personal data is sitting in their pocket, which can potentially be compromised. In this section, we go over several common topics that come into play when securing an iPhone (though many of these topics have similar processes for Android and other operating systems).

Passcode

  • Turn on your passcode (if you haven’t already) and add a secure password of 6+ characters. Don’t use a repeating code like 111111 or simple incremental code like 123456.

  • Require the passcode immediately, to minimize the amount of time the phone is unlocked after use.

  • Set the phone to erase after 10 failed passcode attempts are made. iPhones are set with full disk encryption by default, so these protections go a long way to safeguard your data.

TouchID

Many in the security community point out that using TouchID (using your thumbprint to log in) is a bad idea for several reasons:

  • A thumbprint can be compelled by law enforcement as a search in the United States, whereas a passcode is protected by Fifth Amendment self-incrimination protections. If you’re an activist or concerned about US law enforcement searching your phone, disabling TouchID (or turning off your phone when concerned) are potential mitigations.

  • Thumbprints can also be taken while you’re sleeping or otherwise incapacitated, where passcodes cannot.

This is an area where convenience conflicts with security: each person should make an informed choice on what they’re comfortable with.

Location Services

Location services are the systems on your phone which provide GPS location access to the apps on your phone. We often don’t consider the different ways that applications use our location data, but if unchecked, this can leak more information than we intend to tech companies who track our location, or through social media posts that attach location information to what we share.

The risk: Your location data can leak your home or work address.

Another risk: Publicly shared location can signal to potential thieves that your home is unoccupied.

Yet another risk: Publicly sharing your location in real-time can signal people to come meet you in public venues when you don’t intend.

  1. Some people like to turn location services off. If you prefer not to turn off location services entirely, make an active choice as to what situations are warranted.

  2. Note that most photos you take are geotagged by default. Some like to have their photos geotagged when they take them as a way of documenting the location of the photo. But be aware that this information is embedded in the metadata of the photo and can be published by the applications that use the photo (e.g., social media sites).

  3. Manage which applications should have access to your location, and when. Go to Settings -> Privacy -> Location Services to see which apps have location services enabled. It’s very rare that apps really need the “Always” setting, and most can do fine with “While you’re using the app.” There’s a ton of settings in here you can personalize to your liking to balance the convenience / privacy of your phone.
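As an added example that is not part of the guide, this Python script shows what geotag metadata looks like inside a photo: it builds a small constructed JPEG with EXIF GPS tags, reads the coordinates back, and writes a copy with the EXIF block removed, which is the check worth running on a photo before sharing it.

```python
import struct

GPSINFO_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD (standard EXIF tag)

def _dms_rationals(deg, minutes, seconds):
    # Three unsigned RATIONALs (numerator, denominator): how EXIF stores coordinates.
    return struct.pack("<IIIIII", deg, 1, minutes, 1, seconds * 100, 100)

def sample_geotagged_photo():
    """Constructed minimal JPEG: SOI, APP0/JFIF, APP1/Exif holding only a GPS
    sub-IFD, then EOI. No image data is needed to exercise the metadata code.
    The coordinates are constructed sample values, not from any real photo."""
    tiff = b"II*\0" + struct.pack("<I", 8)  # little-endian TIFF header, IFD0 at 8
    # IFD0 (offset 8): one entry, GPSInfo (LONG, count 1) -> offset 26; next IFD = 0
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPSINFO_TAG, 4, 1, 26)
    tiff += struct.pack("<I", 0)
    # GPS IFD (offset 26): LatitudeRef, Latitude, LongitudeRef, Longitude = 54 bytes
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI2s2x", 1, 2, 2, b"N\0")  # GPSLatitudeRef, ASCII, inline
    tiff += struct.pack("<HHII", 2, 5, 3, 80)          # GPSLatitude -> 3 rationals at 80
    tiff += struct.pack("<HHI2s2x", 3, 2, 2, b"W\0")  # GPSLongitudeRef
    tiff += struct.pack("<HHII", 4, 5, 3, 104)         # GPSLongitude -> rationals at 104
    tiff += struct.pack("<I", 0)
    tiff += _dms_rationals(40, 42, 46) + _dms_rationals(74, 0, 22)
    exif = b"Exif\0\0" + tiff
    jfif = b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
            + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
            + b"\xff\xd9")

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment before SOS/EOI."""
    pos = 2  # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: image data follows, no more metadata
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"

def _read_ifd(tiff, off, bo):
    """{tag: (type, count, raw 4-byte value-or-offset)} for the IFD at off."""
    (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries

def _decimal_degrees(tiff, off, bo):
    v = struct.unpack(bo + "6I", tiff[off:off + 24])
    deg, minutes, seconds = (v[i] / v[i + 1] for i in (0, 2, 4))
    return deg + minutes / 60 + seconds / 3600

def gps_from_tiff(tiff):
    """(lat, lon) in decimal degrees from an EXIF TIFF block, or None."""
    if tiff[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, bo)
    if GPSINFO_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(bo + "I", ifd0[GPSINFO_TAG][2])
    gps = _read_ifd(tiff, gps_off, bo)
    if any(tag not in gps for tag in (1, 2, 3, 4)):
        return None
    (lat_off,) = struct.unpack(bo + "I", gps[2][2])
    (lon_off,) = struct.unpack(bo + "I", gps[4][2])
    lat = _decimal_degrees(tiff, lat_off, bo)
    lon = _decimal_degrees(tiff, lon_off, bo)
    if gps[1][2][:1] == b"S":
        lat = -lat
    if gps[3][2][:1] == b"W":
        lon = -lon
    return lat, lon

def photo_location(jpeg):
    """Location embedded in a JPEG's EXIF GPS tags, or None if there is none."""
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return gps_from_tiff(jpeg[start + 10:end])
    return None

def strip_location(jpeg):
    """Copy of the JPEG with every APP1/Exif segment dropped; all other segments
    and the image data are kept byte-for-byte. This also drops camera details,
    but removing the whole block is the simplest reliable way to lose the GPS tags."""
    out = bytearray(jpeg[:2])
    last = 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        last = end
    out += jpeg[last:]
    return bytes(out)
```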

Access to Contacts

Go to Settings -> Privacy -> Contacts to see which apps can access your contacts. This is more a privacy concern than a security concern, so set it according to your personal preference.

The risk: You start a social media account which you aren’t ready to publicly broadcast, but your social media profile is attached to your contact list, and the social network sends out a notification as soon as you set up the account to all other people who you know on the network.

Another risk: The social media site who stores your contacts gets hacked, and your contact list becomes public.

Limit Ad Tracking

This is more of a privacy-related setting than security-related, but you can tweak the default ad tracking settings by going to Settings -> Privacy -> Advertising -> Limit Ad Tracking (Turn on).

Data Accessible Outside Lock Screen

Check out what data is available when your phone is unlocked, and make sure you’re comfortable with it.

  • Several functions on the phone (calendar, directions, etc.) are made available outside the lock screen through iOS’ “Control Center.” To turn off outside access altogether go to Settings -> Control Center -> Access on Lock Screen (turn off).

  • Just take a moment to decide if you’re okay with your text messages and emails showing in notifications outside your lock screen. You can disable message content showing outside the lock screen by going to Settings -> Notifications -> Messages -> Show on Lock Screen (turn off).

  • Go through each app and check if you’re comfortable showing the data from that app outside the lock screen. This can be changed from the app’s entry in Settings -> Notifications.

iMessage on Laptop and Desktop

The iMessage apps on desktop and laptop leak more personal info than we feel comfortable with. For example, iMessages have shown up in a computer’s notifications when not logged in, and personal messages have appeared on the computer during business presentations. We suggest logging out of iMessage altogether on devices other than your phone.

Calls on Other Devices

There’s a feature on iOS that allows you to ring multiple devices when your phone rings. For example, ringing your MacBook when your phone rings. You can disable this at Settings -> Phone -> Calls on Other Devices.

Explore In-App Security

Many apps allow the option to add passcodes or TouchID inside the app. Imagine a situation where you give your phone to someone (like a curious 10-year-old nephew who wants to play a game) — is there any app you wouldn’t want that person to access?

iMessage Retention Policy

One of the main concepts in digital security is about not just preventing a breach, but minimizing the amount of data that is available in the event of a breach. In the case of iMessage, most people set their phones on the default of keeping their messages forever, but this offers a huge trove of potential data to an attacker that might access this data.

You can set your phone to delete messages after a certain amount of time — I’ve set mine to delete messages after 30 days, in Settings -> Messages -> Keep Messages (set to 30 days).

Setting the retention policy helps to keep personal and sensitive information from persisting.

Social: Understand What You're Sharing

We probably don’t have to tell you how prevalent social media is in our lives. According to Pew Research, 69% of all US adults use at least one social media site. It’s everywhere.

Because social media use is so pervasive, most people are rather lax about the risks it can present. The social pressure to participate is strong.

It’s possible to marry participation with security if you educate yourself about the risks. Below are outlined several common risks of using social media in general, as well as several tips for how to configure your privacy and security regimen for each platform.

Common Risks

  • Essentially assume that everything you post has the potential to become public. Such is the nature of the internet: nothing can be taken back once it’s posted.

  • Know that it’s very easy for people to take comments out of context online. Couple that with the fact that text doesn’t often convey emotional subtext, and you can have a recipe for regret if you aren’t careful. Think before you post.

  • Analyze your online presence from the perspective of prospective employers or clients.

  • Most social networks have privacy controls to allow you to control who can view what types of content. Spend some time on each network to set the privacy settings to what you’re comfortable with.

  • Spam accounts are sometimes very convincing. Once people are in your network, they are often connected to you in numerous ways. Everyone has their own preference level for connecting with people who they don’t know personally, but make sure you’re making that choice consciously.

  • Social media profiles are fertile sources of personal information that attackers can use to hack other accounts, use in social engineering scams, or use for other purposes. When sharing, consider how what you’re sharing could be used against you.

  • Social media can inadvertently be a source of a client confidentiality breach for your work. If your work requires you to maintain confidentiality, remain vigilant that your posts on personal social media sites don’t jeopardize that.

Facebook

  • Use the same password practices mentioned above when dealing with Facebook (and all the social networks in this section). You can find this on Facebook under Settings -> Security and Login.

  • Essentially every settings page in Facebook is worth reviewing to ensure it meets your privacy expectations.

  • We recommend restricting your posts to be viewed only by friends. If you do this, consider restricting your past posts to the same privacy group with the “Limit Past Posts” option.

  • Check the business pages you have access to. If you still have access to pages you are not currently involved with, remove your admin access so that your account is not a potential source of a security breach for the page.

LinkedIn

  • Review the third-party apps that are authorized to access your LinkedIn account. Remove the ones that are no longer needed.

  • Check your public profile, and customize what people can view about you if you aren’t connected.

  • Decide whether your contacts can be viewed by the public, by people in your network, or only by you. We recommend restricting contacts so that only you can view them, to reduce people using your network for sales and marketing purposes.

  • FYI, 2-step verification on LinkedIn is buried at the bottom of the Privacy section for some reason.

Twitter

  • Decide if you want your tweets to be protected or open to the public.

  • Pay special attention if you’re making a previously-closed account public. You may not have been so careful with your past posts if you expected them to be private.

  • The “Settings and Privacy” section of Twitter is worth spending some time in.

  • Location information in tweets is a source of several security concerns. In Settings -> Privacy and Safety, you can remove location information from your tweets, and delete it from past tweets. You can also turn off location services for the app (through your phone’s settings).

Snapchat

  • Despite the fact that Snapchat used to bill itself as a “disappearing photos” application, it keeps all the photos that are sent through the service. From a design perspective, it appears that the photos disappear off the recipient’s screen after a certain amount of time — this reinforces a false sense of security that the photos “disappear” after they’re sent and opened.

  • In fact, the FTC settled charges with the company in 2014 on the basis that it “deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.”

  • Any organization can be hacked; think through the possibility that all the “disappearing” photos we have collectively sent as Snapchat users could one day be released through a security breach.

On Anonymous Accounts

Some people create accounts for social media profiles that they want to be anonymous. Pay special attention to these accounts, because the platforms make it very difficult to remain anonymous.

The risk: Your email is linked to your public profile, and the platform uses this in recommender algorithms to suggest your real friends.

Another risk: You use the application on your phone which uploads your contact information, inviting your contacts to connect with your “anonymous” account.

Yet another risk: The geolocation embedded in your posts, combined with other subtle cues, allows people to identify you.

The practicalities of remaining anonymous in social media accounts are beyond the scope of this guide, but suffice it to say that it is very difficult.

Search Yourself

A cyber-security audit isn’t complete without searching yourself to see what public information is available about you. There are two broad categories of information available to people searching for you: information you put out about yourself (through social media, your website, etc.) and information put out about you by third parties (news articles, data brokers, etc.).

It’s a good practice to do a “background check” on yourself to see what you find. A couple places to try:

  1. Google

  2. Bing

  3. Pipl

  4. Spokeo

  • Make sure there isn’t any information about you that is out of date. If so, attempt to remove it. If the information comes from an out of date social media site you control, you can attempt to remove the information or lock down the privacy settings.

  • Audit the information from the perspective of a hacker. Is there any information about you that could aid in an attack on your personal information?

Lastly, consider how the information you find about yourself could be used in a social engineering attack against you. The data you share could be used to gain access to your accounts. For example, if you use your dog’s name as a password or as an account-recovery answer, and post your dog’s name publicly, it could be used to guess it.


Email & Cloud: Decide What Data to Keep

In this section, we will discuss emails. Despite the imagery portrayed of emails being like a sealed envelope, unencrypted emails are often sent through multiple servers in plain text on their way to their destination.

Once they get there, a pile of tens of thousands of emails can be a treasure trove of personal information to hackers.

In this section, we explore some of the security practices around securing the data we keep in email and the cloud.

Most of the security practices mentioned in the sections above are focused on preventing security breaches of your data. When it comes to email and cloud, these practices are especially important. If you haven’t already, make sure that you’ve hardened the logins for all your email and cloud file storage systems using the steps in the Passwords section above.

It’s not enough to assume that we’ll be perfect when it comes to preventing security breaches. The next level of security considers how to minimize the amount of data that would be compromised if your data were to be breached.

This is where a “Data Retention Policy” comes in.

The main idea in a data retention policy is to switch from a mindset of “do I need to keep this?” to a mindset of “why am I not destroying this?”

The risk: Nearly any piece of personal data accessed by an attacker in a breach can be used to access other areas of your personal life, be used to gain access to other accounts, or be used in a social engineering attack. It can contribute to identity theft, be used to damage your reputation, be used as blackmail material, be released to the public directly, or be sold to third parties.

With a retention policy in place, if your data is ever breached, the amount of data that is compromised will be much less than if you had emails going back several years.

Overview of Data Retention Policy Example

  • Only keep emails in your main email accounts for a period of 1 year.

  • Emails older than this will be deleted.

  • Emails in any accounts that you no longer actively use will be deleted entirely.

  • Any email you deem important for more than 1 year will get stored outside email for a particular reason. This includes legal contracts, documents, regulatory records (taxes, employee filings, etc.), software license keys, and a few others.

  • Actively delete any sensitive information you send or receive (SSN, credit card numbers, passwords, etc.).

Important: People working in certain industries may be prohibited from doing this for legal compliance reasons. You may want to check with an attorney if you’re doing this for other than personal email.
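As an added example (not the guide's own procedure), the Python script below applies the policy above to a constructed sample mailbox: it lists messages past the 1-year window, flags messages containing an SSN, a Luhn-valid card number or a password, and builds the IMAP search key that would select the old messages on a real account; purge_old_mail is a hypothetical helper that assumes IMAP access and defaults to a dry run.

```python
import imaplib
import re
from datetime import date, timedelta

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:|=)", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (filters out random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Labels for the kinds of sensitive data the policy says to delete on sight."""
    labels = []
    if SSN_RE.search(text):
        labels.append("contains SSN")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.append("contains payment card number")
            break
    if PASSWORD_RE.search(text):
        labels.append("contains a password")
    return labels

def retention_plan(mailbox, today, keep_days=365):
    """Return {message_id: [reason, ...]} for every message the policy deletes."""
    cutoff = today - timedelta(days=keep_days)
    plan = {}
    for msg_id, received, subject, body in mailbox:
        reasons = []
        if received < cutoff:
            reasons.append(f"older than {keep_days}-day retention window")
        reasons += find_sensitive(subject + "\n" + body)
        if reasons:
            plan[msg_id] = reasons
    return plan

def imap_search_criterion(today, keep_days=365):
    """IMAP SEARCH key selecting messages older than the retention window."""
    cutoff = today - timedelta(days=keep_days)
    return "BEFORE " + cutoff.strftime("%d-%b-%Y")

def purge_old_mail(host, user, password, today, keep_days=365, dry_run=True):
    """Hypothetical helper applying the age rule over IMAP (assumes the account
    has IMAP enabled). With dry_run=True it only counts what would be deleted."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select("INBOX")
        _, data = conn.search(None, imap_search_criterion(today, keep_days))
        numbers = data[0].split()
        if not dry_run:
            for num in numbers:
                conn.store(num, "+FLAGS", "\\Deleted")
            conn.expunge()
        return len(numbers)

# Constructed sample mailbox: (id, date received, subject, body).
PLAN_DATE = date(2023, 12, 31)
SAMPLE_MAILBOX = [
    ("m1", date(2022, 3, 4), "Welcome to the forum", "Thanks for signing up."),
    ("m2", date(2023, 2, 10), "Tax documents", "Your SSN on file is 123-45-6789."),
    ("m3", date(2023, 11, 2), "Order receipt", "Charged to card 4111 1111 1111 1111."),
    ("m4", date(2023, 12, 20), "Lunch?", "Are you free Thursday?"),
]

def run_sample_plan():
    return retention_plan(SAMPLE_MAILBOX, PLAN_DATE)

if __name__ == "__main__":
    for msg_id, reasons in run_sample_plan().items():
        print(msg_id, "->", "; ".join(reasons))
    print("IMAP key for the age rule:", imap_search_criterion(PLAN_DATE))
```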

How to Do This in GSuite (Google’s Paid Email Solution)

How to Do This in Gmail

Apply the Same Concept to Other Cloud Data

Once implementing a data retention policy for the data kept in email, apply the same idea to all the places your data is stored in the cloud.

  • Consider other Google Services, like Google Drive, Calendar, Contacts.

  • Consider cloud file storage platforms like Dropbox, Box, OneDrive and others.

Backup and On-Disk Data Retention

It’s a good practice to make sure that you would easily survive any of your devices being stolen or lost — not just things in the cloud. This entails two major areas:

  • Make sure your devices are backed up, such that they could be stolen at any time and you wouldn’t lose any data.

  • Assume that, once stolen, attackers would be able to access any data on your device. Is all the data you keep necessary?

Browsing History

The browsing history and cookies in your browser can sometimes be a security risk. It’s a good practice to clear these regularly. To do this:

  • In Chrome: History -> History -> Clear Browsing Data

  • In Safari Mobile: Settings -> Safari -> Clear History and Website Data

Old Accounts

  • Go into any old accounts you used to have and do your best to remove your data from their servers.

  • Watch out for trash: Deleted items can end up here and are still stored until permanently removed from the trash bin.

Phishing: What Is It and How Can I Avoid It?

Phishing is an easy way for cybercriminals to steal your personal information, such as credit card numbers and account passwords, even if they don’t have the skillset to hack your network and steal that information. In most cases, scammers are able to convince or coerce their victims into giving over their information willingly.

It's extremely important to protect your personal information, especially sensitive things like your Social Security number. SSNs are nearly impossible to replace, and once a scammer has yours, they can use it indefinitely for a wide variety of crimes.

How Does it Work?

Phishers may contact you through a fraudulent email, phone call, or fake website. They often disguise themselves as reputable companies, such as a bank, a cell phone service provider, or a social media account or website for a major brand, and try to persuade you into divulging your personal information.

They are often trying to collect personal details like your address, credit card number, passwords, phone numbers, and even your insurance numbers.

Generally, phishers will claim the victim has won something, is missing out on a limited-time deal, or is facing a final warning that an account will be removed if they do not enter their login credentials.

Recently, many individuals in the US and Canada have been targeted by revenue agency scams where scammers claim the individual has unpaid tax debt. Too many people fall victim to these scams for one reason or another, usually out of fear of having broken the law.

Here's an Example

Say you receive an email from Amazon, a site you visit frequently for online shopping. The email is actually fake, but you don’t realize it at first. After all, it looks official with the company logo in the corner, and the tone sounds a lot like other emails you’ve received from the company. When you click the link, the page even looks like Amazon’s website. Even the checkout process is the same.

The message offers you an unbelievable discount on a laptop and provides a link to the buying page. You click the link to buy it, enter your credit card information, and complete your order.

However, you’ve just become a victim of a phishing attack. The product page was fake and disguised very convincingly as the real thing. Instead of placing your order, the website sent your payment details straight to a thief.

How Can You Recognize the Scam?

In the above case, there were three tell-tale signs.

  1. Once you log into your Amazon account to make the purchase, your payment method should be stored. Amazon rarely requires you to re-enter the number, unless you’re purchasing a gift card or shipping the item to someone else.

  2. If you look closely at the original email, it likely came from a spin-off domain with typos, extra extensions, and other things that demonstrate Amazon wasn’t the sender. For example, an email that’s anything other than @amazon.com.

  3. Another sign would be the lack of links on the actual product page. Amazon is loaded with products, pages, and other content. Even if the phishers tried to make it seem legitimate, there would be no way for them to replicate that.
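As an added example (not from the guide), this Python script automates the second sign: it extracts the real domain from a From: header and classifies it as the legitimate amazon.com, a lookalike (a typo, a digit swap, or the brand used as a subdomain of someone else's domain), a display name that claims the brand over an unrelated address, or unrelated; the headers are constructed samples.

```python
from email.utils import parseaddr

# Brand the message claims to be from; the guide's example is Amazon.
BRAND_DOMAIN = "amazon.com"

# Digits commonly substituted for letters in lookalike domains (amaz0n, paypa1).
CONFUSABLES = str.maketrans("0135", "olse")

def _edit_distance(a, b):
    """Levenshtein distance, for catching one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the actual address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def classify_sender(from_header, brand=BRAND_DOMAIN):
    """One of: legitimate, lookalike, display-name-mismatch, unrelated, malformed."""
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    # Exact brand domain or one of its own subdomains (assumes the company,
    # not an attacker, controls everything under amazon.com).
    if domain == brand or domain.endswith("." + brand):
        return "legitimate"
    brand_label = brand.split(".")[0]
    labels = domain.split(".")
    # Approximate the registrable domain as the last two labels (enough for
    # .com/.net/.org; a public-suffix list is needed for forms like .co.uk).
    registrable = ".".join(labels[-2:])
    # "Extra extensions": the brand appears as a subdomain of someone else's
    # domain, e.g. amazon.com.account-verify.net.
    if brand_label in labels[:-2] or brand in domain:
        return "lookalike"
    # Typos and digit-for-letter swaps: amaz0n.com, amazn.com, amazon.co.
    if _edit_distance(registrable.translate(CONFUSABLES), brand) <= 2:
        return "lookalike"
    # Brand name padded with extra words: amazon-billing.net.
    if brand_label in registrable.translate(CONFUSABLES):
        return "lookalike"
    # Address is unrelated but the display name claims the brand.
    if brand_label in display_name.lower():
        return "display-name-mismatch"
    return "unrelated"

# Constructed sample From: headers, covering the guide's "anything other
# than @amazon.com" cases.
SAMPLE_HEADERS = [
    "Amazon.com <order-update@amazon.com>",
    "security@amaz0n.com",
    "support@amazon.com.account-verify.net",
    "deals@amazon-billing.net",
    "Amazon Customer Service <noreply@example.org>",
    "friend@example.org",
]

def triage_sample():
    return {h: classify_sender(h) for h in SAMPLE_HEADERS}

if __name__ == "__main__":
    for header, verdict in triage_sample().items():
        print(f"{verdict:22s} {header}")
```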

The 6 Most Common Types of Phishing

With the rise of things like the Internet of Things (IoT), smartphones, and social media, the number of opportunities for phishing has grown considerably. Attacks can now affect more than just banking. PayPal, eBay, and Amazon accounts have all reported incidents of phishing attempts on unsuspecting customers.

Watch out for these common types of phishing attacks:

1. Deceptive Phishing

Deceptive phishing is the most well-known lure. This strategy involves impersonating a legitimate business’s website to steal data. It takes a phisher with strong knowledge in social engineering to pull this tactic off effectively.

2. Whaling

Also known as “CEO Fraud,” whaling occurs when a top executive at a company has his identity compromised. The phisher then orders employees to send funds to a separate account.

Whaling can also affect other high-profile individuals such as celebrities and politicians. Plus, given its focused nature, whaling can be difficult to detect since many departments never have contact with company executives.

3. Phishing Kits

Phishing kits are basically collections of software utilities you can download by mistake. Once installed, these tools can launch large phishing campaigns and send mass emails to spread the phishing attempts.

4. Spear Phishing

Some phishers can personalize the fraudulent messages they send you to make them more believable. These might contain your name, workplace, and phone number gathered through websites like LinkedIn. In fact, 95% of all attacks on enterprise networks are the result of spear phishing.

By its very nature, spear phishing is almost always used in whaling attempts and can involve impersonation of acquaintances and use of data from the victim’s social media sites, such as Twitter and Facebook.

5. Pharming

Pharming programs work through a bit of DNS trickery and automatically redirect your web browser to a malicious site even if you input the correct URL to a genuine site.

Pharming was the culprit in a 2005 hijack of New York Internet service provider Panix, in which the website was redirected to another unrelated website in Australia. No losses were recorded, but the outcome demonstrated how dangerous pharming can be.

To fight back against pharming, make sure you only enter login information and personal data on URLs beginning with “https,” which denotes a secured connection.

6. Login Interception

Pretending to be the login page for a major online service like Google Drive, for instance, is a common and effective tactic.

Utilizing two-factor authentication (using two different authentication factors to verify yourself, such as a password AND facial recognition software) can greatly reduce your chances of becoming a victim as every login will require a second form of authentication to legitimize the login.

Common Phishing Lures

There are many methods phishers have developed to lure you into submitting your personal information and data. Knowing what to look out for puts you in a better position to detect and overcome these types of attacks.

Some common phishing tactics include:

  • An email claiming you’ve won a major prize or are at risk of losing access to your account. The message will prompt you to provide your login credentials or payment information to follow through with the prompt.

  • A phone call. There have been reports of fake Microsoft employees offering technical support for Windows machines. Once the victim gives the phisher access to his or her machine, the victim’s data is compromised.

  • A fake website. One of the most common types of phishing involves a fake website made to look like a real login page, such as the one to your Yahoo! email account. Phishers can gain a lot from accessing a victim’s email.

You should also be on the lookout for:

— Threats of Deactivation

You receive an email from your bank threatening to shut down your account unless you verify your credit card information on their website immediately. In this example, the link they give you will lead to a fake site.

— The “Too Good To Be True” Scams

A common tactic is the “Nigerian prince” email scam. Written in a poor, almost comical style, the extravagant story promises great riches should the victim send payment information.

As many of the stories go, the fake prince’s fortune has been locked behind a paywall. The scammer begs you to send money in order to restore access to this vast fortune, promising to pay you back many times over should you help.

While it may seem ridiculous, the silliness of the message is intentional, as only the most gullible will fall for the trick.

— Fake FBI Arrests

A phisher wants you to act on impulse, and few things worry people more than the threat of being arrested. In the United States, phishers send fake emails, and even make phone calls, claiming to be from the FBI or IRS and threatening arrest for crimes such as tax evasion or music piracy.

Rest assured, the government will not initiate contact about such matters simply through an email or a phone call, and it certainly won’t demand payment that way. This type of lure has also been used to deliver ransomware, so do not open such messages or their attachments.

— Fraudulent Tech Support

Fake 1-800 numbers are easier to obtain than you think. These phishers offer to inspect your machine for malware, pretend to find some, and then send you a software package to “fix” it.

The irony is that the scammers who offer to clean your computer actually infect it with malware, keyloggers, and other tools built to extract your personal information.

Remember, a tech support agent from a large corporation will never call you out of the blue; legitimate support only happens when you have contacted the company first.

— Text Message Phishing

Even our cell phones aren’t safe. SMS phishing (often called “smishing”) solicits personal information through text messages in the same way that email or website phishing does, with the added concern that a text is unexpected and usually read in a hurry. A text may also ask you to call a number, which turns it into vishing, or voice phishing (telephone phishing).

— Hunting the Job Hunters

Phishers may sometimes post phony job offers on the Internet, often aimed at teenagers and others who don’t recognize the scheme. The “employees” are used as money mules: they receive funds into their own accounts and forward them on, helping launder the proceeds of other crimes. While they sometimes get paid like a real job, they are also at risk of criminal charges as a result.

— Search Engine Viruses

Search engine viruses are essentially a Trojan horse promoted so that it ranks highly in search results. The malware is advertised as the perfect solution to a technical problem you might be facing, and search engine optimization (SEO) ensures the site shows up when you search for that problem.

Once you download and install the Trojan, relieved you finally fixed your technical problems, the malicious code takes over and your problems only get worse.

— SWATting

While not a direct form of phishing, SWATting can be a dangerous consequence of one. SWATting occurs when an attacker spoofs the victim’s phone number, or otherwise uses the victim’s identity and home address, to call in a fake emergency such as a bomb threat or hostage situation, so that armed police are sent to the victim’s home.

Emergency or not, having a SWAT team at your house is a stressful and dangerous experience, and in some cases it has even been deadly, because SWAT teams are trained to treat every call as a real threat. Thankfully, modern law enforcement is now aware of SWATting attempts and usually knows how to handle them.


How to Protect yourself from Phishing Attacks

Phishing is clearly a serious issue every online user must address, but that raises the question: “What can I do to protect myself and my business from a phishing attack?”

Educate yourself

Knowing that a problem exists is the first step to fighting back. Careless Internet surfing can leave you vulnerable to phishing attacks.

Build good browsing habits, such as:

  • Double-checking every link before you click it (hover over it to see where it really goes)

  • Never downloading unknown or untrusted attachments

  • Always using different passwords for different accounts

  • Changing passwords regularly, and immediately after any suspected compromise or reported breach

  • Ignoring requests to transfer files or money, or to hand over passwords, even when they appear to come from within the company

  • Verifying every such request out of band, for example by phone using a number you already know rather than one given in the message, before complying

Use Software to Defend your Devices Against Phishing

Your computer, when configured correctly, can protect itself against many of these attacks. As a basic checklist, ensure that you have the following installed on every client machine:

  • Email spam filters, especially ones that look for suspicious links and unverified attachments

  • Antivirus software that receives regular security updates

  • Web filters to block out malicious websites (usually these are built-in to antivirus programs)

  • Anti-phishing toolbars and browser extensions that display the reputation of a website before you click the link

  • A firewall (many antivirus programs come with a built-in firewall)

  • Pop-up blockers

  • An up-to-date web browser supporting all the modern security features

Preemptive Measures

Decide what to spend on protection by weighing its cost against what a successful attack would cost you: the money in the accounts that could be drained, the time needed to recover from identity theft, and, for a business, downtime and lost customer trust.

Other Miscellaneous Tips

  • Disable HTML email if possible. A text-only email cannot run scripts or load remote content directly, though its links and attachments are still dangerous.

  • Encrypt your company’s sensitive data and communications

  • Check your bank account’s activity routinely for suspicious charges

The Best Antivirus Programs with Anti-Phishing Protection

We’d recommend investing in a reputable antivirus product that comes with a firewall to block malicious network connections, and making sure it is updated regularly. Some popular options are:

  • McAfee

  • BullGuard

  • Panda

  • Norton LifeLock

  • Heimdal Security


How to Avoid Phishing Emails

You can’t stop every malicious email from reaching your inbox; some will get past the filters just as ordinary junk mail does. You certainly can, however, learn to recognize what’s right from wrong and what to do when you’re at risk.

What they Look Like

Phishing emails might...

  • Contain hyperlinks to suspicious websites with URLs you don’t recognize, or whose visible text differs from where the link actually goes.

  • Contain attachments carrying ransomware or other malware. Almost any file type can be used; a plain text file (.txt) is about the only attachment that cannot run code when opened. Even Word and Excel documents can contain malicious macros.

  • Present a sense of urgency, such as a great deal on a product or a giveaway/lottery to call you to action.

  • Refer to you as a “valued customer” without mentioning your name. Mass phishers, after all, don’t know who you are, although a targeted (“spear phishing”) email may well use your name and job title.

  • Contain spelling and grammatical errors.

  • Have a strange sent time, such as 4AM on a Sunday.

  • Have an irrelevant or weird subject line.

  • Be sent by addresses you aren’t familiar with. Keep in mind, though, that thieves can spoof the sender address or take over a coworker’s mailbox to deliver a more convincing phishing email, so also watch for acquaintances whose emails seem out of character.

How to Prevent them

  • Spam filters are the most obvious solution. These usually come with most email clients and work by assessing the origin of the message and analyzing its content for spam-like characteristics. They aren’t 100% reliable and sometimes give false positives but are still worth using.

  • Check the real destination of every hyperlink (hover over it, or long-press it on a phone) and decide whether the site it leads to is fraudulent.

  • Never open attachments if you suspect a phishing email.

  • Don’t click links in emails. If you need to visit the site, type its address yourself or use a bookmark you saved earlier; copying the address out of the email takes you to the same place the link would.

  • Simply be smart. Major organizations will never ask for your personal information directly through an email, and a genuine message usually identifies you with something the sender already knows, such as part of your account number.

  • When in doubt, verify with the organization contacting you, using contact details from its official website or your statement rather than from the message itself, to ensure the communication is genuine.
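The tells listed under “What they Look Like” and the checks under “How to Prevent them” can be applied mechanically. The script below is an added example, not part of this guide: it parses one raw email and reports which indicators it finds (mismatched Reply-To, urgent wording, generic greeting, link text that names a different site than the link target, an attachment type that can run code, and an odd send time). The sample message is constructed for the example, and the word lists and file-type list are illustrative, not complete.

```python
"""Added example, not part of the original guide: score one raw email against
the tells listed above. The sample message below is constructed."""
import email
import os
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent|immediately|suspend(ed)?|within 24 hours|act now|verify now)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member|client)\b", re.I)
# Attachment types that can run code when opened, macro-enabled Office files included.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".lnk", ".iso", ".html", ".docm", ".xlsm", ".pptm"}

# Constructed phishing message showing several tells at once.
SAMPLE_PHISH = """\
From: "Your Bank" <alerts@secure-bank-login.example>
Reply-To: support@mail-verify.example
Subject: URGENT: your account will be suspended
Date: Sun, 05 May 2024 04:12:00 -0400
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear valued customer,</p><p>Verify your card now or your account will be
suspended within 24 hours.</p>
<p><a href="http://secure-bank-login.example/verify">https://www.bank.example/login</a></p>
--b1
Content-Type: application/octet-stream; name="statement.xlsm"
Content-Disposition: attachment; filename="statement.xlsm"

AAAA
--b1--
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname a URL (or bare domain) points at, minus any leading www."""
    host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def domain_of(header):
    """Domain part of an address header; '' if the header is absent."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def score_message(raw):
    """Return the indicators found in one message; the more, the worse."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, links, text = [], [], [str(msg["Subject"] or "")]
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to {reply_dom}, not to the sender's {from_dom}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            if os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
                findings.append(f"attachment {filename} can execute code")
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            links += collector.links
            text.append(re.sub(r"<[^>]+>", " ", part.get_content()))   # tags stripped
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content())
    body = " ".join(text)
    if URGENCY.search(body):
        findings.append("urgent or threatening language")
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting instead of your name")
    for href, shown in links:   # link text naming a site other than the real target
        if "." in shown and host_of(shown) != host_of(href):
            findings.append(f"link shows {host_of(shown)} but goes to {host_of(href)}")
    if msg["Date"]:
        sent = parsedate_to_datetime(str(msg["Date"]))
        if sent.hour < 6 or sent.weekday() >= 5:
            findings.append(f"sent {sent.strftime('%A %H:%M')}, outside business hours")
    return {"score": len(findings), "findings": findings}

if __name__ == "__main__":
    for finding in score_message(SAMPLE_PHISH)["findings"]:
        print("-", finding)
```

Run it on a saved .eml file and the sample above produces six findings. None of these indicators is proof on its own (a real bank does send mail at odd hours, and a targeted attacker may know your name), which is why the function returns a list rather than a yes/no answer; spelling mistakes are left for the human reader.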

How to Avoid Phishing Calls

Voice phishing, also known as “vishing,” is a phishing attack via telephones and Voice-over-IP services.

What they Sound Like

Vishing can take many forms, but some common examples are:

  • Fake charities advertising a fake organization website.

  • Fake calls from the government and IRS demanding action to prevent a major fine or arrest.

  • Fake calls claiming to offer tech support and requesting access to your machine.

How to Prevent them

  • Ask the caller if he or she knows your name. Many vishers do not, although with so many data breaches a caller who does know your name is not proof that the call is legitimate.

  • Know that your bank will never ask for sensitive information such as your Social Security Number, PIN, or password over the phone.

  • Don’t be afraid to hang up and call the organization back on a number you already have, such as the one printed on your card or statement. Legitimate businesses are happy to let you verify.


How to Avoid Phishing Websites

Fake websites masquerading as a genuine online service are the usual end point of a phishing attack. Most of the time, a phishing email or text is what directs you to one of them.

What they Look Like

Malicious websites designed for phishing can be hard to identify sometimes, as attackers have become good at emulating the appearance and functionality of real sites. However, a key giveaway is the URL. Phishing sites may use a slightly different web address containing a small mistake.

PayPal is a commonly imitated name: in many fonts the lowercase L in “paypal” can be replaced with an uppercase I and look the same, and a digit 1 or a letter from another alphabet can do the same job. Look for these subtle clues before you engage with the site.

How to Prevent them

  • Enable your web browser’s built-in protection settings. Many modern browsers will automatically block suspected phishing sites from opening.

  • Report any phishing sites to the organization affected, such as your bank.

  • If a website is asking for login credentials or sensitive information, ensure the site is legitimate.

    • Contact the company beforehand to verify directly.

    • Make sure the URL is correct. An “https” address means the connection is encrypted, but phishing sites use https too, so the padlock alone does not prove the site is genuine.

    • Use two-factor authentication whenever you can.
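Checking a link’s true destination (advised under “How to Avoid Phishing Emails” above) and spotting the PayPal-style spelling tricks just described is something a short script can do before you click. The example below is added here and is not part of the guide: it takes a URL as displayed, works out which domain the browser will actually go to, and compares a “skeleton” of that name (confusable characters folded back to the letters they imitate, punycode decoded) against a list of sites you really use. The expected-domain list and the sample links are constructed, the confusable table is deliberately partial, and the “last two labels” rule for the registrable domain is a simplification; real code would consult the Public Suffix List.

```python
"""Added example, not part of the original guide: inspect where a link really
goes and whether its name imitates a site you use. The expected-domain list and
the sample links are constructed; the two-label domain rule is a simplification."""
import unicodedata
from urllib.parse import urlparse

# Sites a resident actually logs in to (constructed; build yours from bookmarks).
EXPECTED_DOMAINS = {"paypal.com", "bank.example"}
BRAND_WORDS = {d.split(".")[0] for d in EXPECTED_DOMAINS}   # {"paypal", "bank"}
# ASCII characters that pass for other letters in many fonts. Applied before
# lowercasing: DNS folds "I" to "i", but the eye reads "PayPaI" as "PayPal".
ASCII_CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
# Cyrillic letters drawn identically to Latin a e o p c y x i (partial table).
UNICODE_CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                                     "\u0440": "p", "\u0441": "c", "\u0443": "y",
                                     "\u0445": "x", "\u0456": "i"})

def displayed_host(url):
    """Host part exactly as written, with any user@ prefix and :port removed."""
    return urlparse(url).netloc.rpartition("@")[2].split(":")[0]

def registrable_domain(host):
    """Last two labels. Assumption: real code would consult the Public Suffix
    List so that names like bank.co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])

def skeleton(host):
    """Collapse look-alike spellings onto the text a human would read."""
    try:
        host = host.encode("ascii").decode("idna")   # xn--... back to Unicode
    except UnicodeError:
        pass                                         # already Unicode, or invalid
    s = unicodedata.normalize("NFKC", host.translate(ASCII_CONFUSABLES).lower())
    return s.translate(UNICODE_CONFUSABLES).replace("rn", "m").replace("vv", "w")

def analyze_url(url):
    """Classify one link as expected, lookalike, suspicious or unknown."""
    parts, host, findings = urlparse(url), displayed_host(url), []
    if "@" in parts.netloc:
        findings.append(f"text before '@' is a username; the real host is {host}")
    if parts.scheme != "https":
        findings.append("not https (https alone proves encryption, not legitimacy)")
    if not host.isascii() or any(label.startswith("xn--") for label in host.lower().split(".")):
        findings.append("internationalized host name; letters may not be what they seem")
    actual = registrable_domain(host.lower())        # what DNS will resolve
    looks_like = registrable_domain(skeleton(host))  # what the reader sees
    verdict = "expected" if actual in EXPECTED_DOMAINS else "unknown"
    if actual not in EXPECTED_DOMAINS:
        if looks_like in EXPECTED_DOMAINS:
            findings.append(f"{actual} imitates {looks_like}")
            verdict = "lookalike"
        elif BRAND_WORDS & set(host.lower().split(".")):
            findings.append(f"brand name used as a subdomain of {actual}")
    if verdict != "lookalike" and findings:
        verdict = "suspicious"
    return {"host": host, "resolves_to": actual, "verdict": verdict, "findings": findings}

# Constructed links, one per trick discussed above.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",                        # genuine
    "https://PayPaI.com/login",                             # capital I for l
    "https://paypa1.com/",                                  # digit 1 for l
    "http://paypal.com.secure-login.example/verify",        # brand as a subdomain
    "https://paypal.com@evil.example/",                     # user@ trick
    "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/",  # Cyrillic a
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(analyze_url(link))
```

The point of comparing two spellings, the one DNS resolves and the one the eye reads, is that browsers already lowercase and punycode-encode the address for you, which hides exactly the substitutions the attacker relies on; checking only the final address would pass “PayPaI.com” as merely unfamiliar rather than as an imitation.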

Famous Phishing Incidents from History

While phishing attempts are becoming more and more clever, phishing certainly isn’t a new cybercrime. Events like the hypothetical one above have occurred with disturbing regularity throughout the years, victimizing both individuals and entire corporations.

Here are some famous phishing attacks from history:

AOHell, the First Recorded Example

Back in early 1994, a malicious program called AOHell was developed by a Pennsylvania teenager and was intended to crack America Online (AOL) accounts.

Among other things, the program ran on top of the AOL client, stealing users’ passwords and using a built-in credit card number generator to create fake accounts, which its users would then use to impersonate AOL customer service. Regular users were asked to “verify” their accounts for security purposes, making this arguably the earliest form of phishing.

The Nordea Bank Incident

In 2007, Swedish bank Nordea lost over 7 million kronor when phishers managed to send fraudulent emails out to bank customers, luring them to install the “haxdoor” Trojan disguised as anti-spam software.

Dubbed the “biggest ever online bank heist” by digital security company McAfee, the attack hit Nordea customers with phishing emails carrying the Trojan, which installed a keylogger on the victims’ computers and directed them to a fake bank website where the attackers intercepted their login credentials.

While the exact blame can’t be reliably placed, it is worth noting that most customers failed to have a running antivirus installed on their machines.

Operation Phish Phry

2009 saw one of the FBI’s biggest cybercrime busts ever, after $1.5 million was stolen through bank fraud by cyber thieves located in the United States and Egypt.

Then-FBI Director Robert Mueller noted that phishing was part of a new digital arms race, with cybercriminals always working to stay ahead of law enforcement by taking advantage of new developments in technology. Under his leadership the FBI took charge of the National Cyber Investigative Joint Task Force, created specifically for these kinds of attacks.

RSA

In 2011, security firm RSA fell victim to spear phishing that exploited an Adobe Flash vulnerability, and the breach was later used in attacks on United States defense suppliers.

Disguised as recruitment plans for that year, the email targeted mid-level employees with just one line of text: “I forward this file to you for review. Please open and view it.” Only one employee had to open the attachment for the attackers to gain backdoor access to that desktop. From there they stole information about RSA’s SecurID two-factor authentication tokens, which was later used in attempts to break into the defense contractors that relied on them.

Dyre Phishing Scam

In late 2014, malware called Dyre, produced by a Russian hacker group, resulted in the loss of millions of dollars. The phishers posed as tax consultants and convinced thousands of victims to download malicious executable files.

Dyre’s long list of victims included paint and materials company Sherwin-Williams, engine parts manufacturer Miba, the airline Ryanair, and several other companies throughout the US, the UK, and Australia.

When a victim failed to enter their credentials into the fake phishing site, the attackers called the victim over Skype, pretending to be law enforcement officers or bank employees, to talk them into making the transfer.

While the final arrests were made in late 2015, the legacy of the cyberattack lives on. A new phishing malware named TrickBot was created shortly after, using the same elements from Dyre to target similar financial institutions.

The Sony Pictures Leak

2014 also saw a huge data leak from Sony. Over 100 terabytes of confidential company data was taken, at a cost of well over $100 million. The phishers pretended to be colleagues of the top-level employees who opened the malicious attachments in the phishing emails.

Specifically, a fake Apple ID verification email was used in the attack. Through a combination of LinkedIn data and Apple ID logins, the phishers managed to find passwords that matched the ones used for the Sony network — a great example of why using different passwords for different online accounts is so important.

Facebook and Google

This is a huge one. Two of the world’s largest tech giants, Facebook and Google, lost over $100 million between them to a single email scam run from Lithuania, in which fake invoices purporting to come from a hardware supplier both companies used were paid. While an arrest was made, the story shows that even the most advanced tech companies are susceptible to phishing attacks.

2018 World Cup

The Federal Trade Commission issued a warning about phishing attempts during the 2018 World Cup in Russia. The scam claimed the victim had won tickets to the World Cup through a lottery and prompted them to enter their personal information to claim the prize.

At the same time, a handful of rental scams were reported as well. Cybercriminals stole the email addresses of genuine landlords in Russia and offered ridiculously low prices for their properties during the sporting event. Once a “lucky buyer” accepted the offer, his or her credit card information was stolen.


Let's Summarize Phishing

  • Phishing is a cybercrime when someone pretending to be a trustworthy entity solicits sensitive information from an unsuspecting user.

  • Phishing is a common problem that has cost millions of dollars in damages to companies and individuals.

  • Installing the right web filters, spam filters, and antivirus software can make your machine much harder to phish, though no software makes it phishing-proof.

  • Good browsing habits and general education about the phishing threat are your best line of defense, especially for businesses.

  • Make sure you understand how to combat phishing by email, phone, and websites.

  • Phishing emails may contain malicious attachments and links to fraudulent websites.

  • Phishing phone calls may direct you to provide your information to seal a deal, avoid criminal charges, or provide fake support.

  • Phishing websites may masquerade as a real login or buying page and steal your credentials or credit card information.

All images were acquired from FlatIcon
Information in this guide was sourced from Nick Rosener on Medium
Information from the Phishing section sourced from Eric C. on Safety Detective