Six Rules For Online Security

It’s all a numbers game. Nothing will ever guarantee that you will never be victimized online, but following a fairly simple set of rules will drastically reduce the chances that you will be a victim.

Rule One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way that could have happened anywhere and required no computer skills or knowledge. For example, some clever hacker writes an email that looks like it came from your boss and asks you to send him the payroll list with usernames and bank account deposit numbers. Or someone claiming to be your favorite niece calls from Uzbekistan asking you to send a five-hundred-dollar Amazon gift card to her at a post office box in Tashkent because she’s in a jam. Or you get a phone call from Microsoft asking for your account password.

These and similar debacles have all resulted in substantial losses to the victims. Never be rushed. Take time to think it through. Find a way to verify that the request is real. Call your boss or your niece’s mother. Check with Microsoft’s published support number. Do the sensible thing.

Almost everyone knows not to respond to fabulous offers from Nigerian princes, but online criminals are clever, and they know how to play on your emotions and fears. Even the largest and most sophisticated online attacks start with social trickery.

Rule Two

Avoid dodgy websites. You know the sites I mean. The ones that appeal to base instincts or offer something too good to be true. Military super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Some of you remember the ads for spark plugs that triple your gas mileage in the back of men’s magazines, or the ads for miraculous youth-rejuvenating serums on after-hours television. Or x-ray vision glasses in comic books. In the old days, you sent in your money and got nothing in return.

Today, click on one of those kinds of websites and you are likely not just to waste your money; you can also infect your computer with nasty malware that will hurt for months to come if the infection is not detected and removed.

Rule Three

Be careful with downloads and installs. Downloading and installing an app is a lot like surgery. When you start an install, you are a patient on the operating table whose life is in the hands of a surgeon. You are completely vulnerable. If your surgeon is a crook, your goose is cooked and laid out on the platter for carving.

Most developers honestly offer useful software and services, but the simplest and most effective way to compromise your computer, laptop, tablet, or phone is to get you to install an application that appears to entertain you or perform useful work, but also opens your device to exploitation.

To protect yourself, get your installs from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. An app that has been downloaded many times with tons of good reviews is more likely to be safe.

Before you install, check the reviews and the developer’s reputation online. Always download from secure (HTTPS) sites. Get your drivers directly from operating system and device manufacturer sites. Third-party comprehensive driver sites may be convenient, but the risks are higher.

Rule Four

Scan regularly for malware. There are many anti-malware tools available and almost all are quite effective when used properly. “Computer virus” is a technical classification for certain types of nasty stuff that can land on a computer. “Malware” is more general. A tool that only scans for viruses is old school and ineffective.

Anti-malware tools are very competitive, and the malware landscape changes quickly. The tool that is the best today may be second-rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans. Windows Defender, which is automatically installed and activated with Windows 10, is a good choice because it is updated regularly and scans automatically. It may not be the best on a given day, but it’s probably better than a competitor without the latest updates. If you prefer not to think much about malware scans, it is a good choice.

A note about Apple devices. Contrary to the marketing stories, they too are vulnerable to hacking. Regular, updated malware scans will help.

Rule Five

Keep your operating system and apps patched. Hackers are industrious devils, always on the prowl for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Malware scans spot and thwart attacks after they occur, but stopping the invaders before they get in is better. Automatic updates may seem like a hassle, but the benefits outweigh the annoyance. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that is happening less and less as the sources get better at patching, and a botched patch is far less damaging than a successful attack.

Rule Six

Use strong passwords. Password cracking has become much more sophisticated. Long (sixteen characters or more) random passwords are still very difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, or any common sequence of characters (like ‘123456789’ or ‘qwerty’), is a breeze to crack. A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the most egregious breaches in recent years have been based on duplicated passwords.
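The checks in this rule can be run mechanically. The Python sketch below is an added example, not part of the original post: it generates long random passwords and audits a list of account passwords against the rule's four points (length, dictionary words, common sequences, duplicates). The word list, the sequence list beyond the two the post names, and the function names are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample data: a tiny stand-in for a real dictionary, and a
# few common sequences (the post names '123456789' and 'qwerty').
SAMPLE_DICTIONARY = {"password", "sunshine", "dragon", "monkey", "welcome"}
COMMON_SEQUENCES = ("123456789", "qwerty", "abcdef", "111111")
MIN_LENGTH = 16  # the post's threshold for a long password

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Return a random password drawn from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_vault(vault):
    """Map each account to the list of rule violations for its password."""
    # Group accounts by password so duplicates can be reported.
    owners = {}
    for account, password in vault.items():
        owners.setdefault(password, []).append(account)

    findings = {}
    for account, password in vault.items():
        problems = []
        lowered = password.lower()
        if len(password) < MIN_LENGTH:
            problems.append("shorter than 16 characters")
        if lowered in SAMPLE_DICTIONARY:
            problems.append("single dictionary word")
        if any(seq in lowered for seq in COMMON_SEQUENCES):
            problems.append("contains a common sequence")
        if len(owners[password]) > 1:
            problems.append("duplicated on another account")
        findings[account] = problems
    return findings


if __name__ == "__main__":
    # Constructed vault; these are sample strings, not real credentials.
    vault = {"bank": "Sunshine", "email": "qwerty2019", "forum": "qwerty2019",
             "broker": generate_password()}
    for account, problems in audit_vault(vault).items():
        print(account, "->", problems or "ok")
```

A real audit would load a full dictionary and a breached-password list in place of the small sample sets.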

When available, use multi-factor authentication (MFA) in addition to a password. MFA is much more difficult to hack into than even the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low. The strongest multi-factor systems use an app-generated token, like a 5-character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account, should always use multi-factor authentication.

If you follow these rules, I can’t guarantee that you will not suffer from an attack, but the chances that you will be a victim will be far less.

I’ve been brief in this post. If you need more information, I am available from 3pm-4pm the first and third Wednesdays of each month at the Ferndale Public Library, or you can read my book Personal Cybersecurity. It is available from the library, or you can buy it on Amazon here.

I gave a talk on these rules at the Whatcom County Library System North Fork Community Library on October 19, 2019. The fall colors were stunning. I’ll be giving the same talk at the Ferndale and Lynden Public Libraries in February and March. I’ll also be giving talks on online privacy at Ferndale and Lynden.