Unlike the offline world, where we can readily spot shady alleys to avoid and intuit when we’ve drifted into the wrong part of town, the online world is host to many traps which look welcoming and trustworthy. Each user registration form we fill out and app we authorize for download could be a front for a wide range of nefarious entities. A mindless moment with our defenses down can result in identity theft, malware infections, and personal security risks. Fortunately, developing privacy awareness can provide an essential defense against common online hazards. In this article, we’ll examine the threats and share ways you can “make sure it’s legit before you submit.”
Warning: Social Engineering Ahead
A good hacker knows it is far easier to fool a person than it is to defeat a well-defended database. Like a swindler who tricks you into giving up sensitive information, determined criminals look for opportunities to instill a false sense of trust. Usernames, passwords, credit card numbers, social security numbers, and access to email accounts to distribute spam in your name are all prize catches in “phishing” scams. Phishing is the use of electronic communication to lure unsuspecting users into divulging private data.
In recent years, phishing scams have become quite sophisticated. Typically, the scammer will send email, instant messages, or text/SMS messages claiming to be social media sites, banks, or government agencies. According to a study by security firm Kaspersky Lab, roughly one third of all phishing attacks are aimed at financial institutions. These messages usually lead users to a dummy page or a malware-infected site designed to look identical to the legitimate company’s website.
Recent phishing attacks have hit a wide range of internet services, including the Netflix “canceled account” scam and the Dropbox ransom attack. PayPal recently reported a 73% increase in phishing attacks in Q1 2014. Even the satirical news site The Onion found its Twitter account hijacked, and came away from the experience with four helpful tips which would have prevented the problem. With the start of the World Cup, cybercriminals are also expected to piggyback attacks on the wave of media buzz the games will generate.
One particularly insidious scam focused on fake security apps on Amazon and Google Play. Customers who believed they were downloading apps to protect themselves were really downloading placebo apps which took payment for the app but offered no services.
Use Discernment
Discernment is the act of determining the value and quality of a subject or event. It is comprised of intellectual analysis and emotional sensitivity, and with practice can become a valuable habit to protect yourself against social engineering.
We are often lulled into automatic behaviors online and aren’t paying particular attention when asked to submit personal information. Discernment empowers us to be mindful of our privacy and security online.
The emotional portion of discernment requires you:
1. Slow down.
2. Stop multitasking and pay attention to the present moment.
3. Prepare your concentration and give the request all of your focus.
4. Listen to your gut. If something doesn’t feel right, stop.
Next, proceed into the analytical phase of discernment. What specifically should you look for?
1. Spot the common signs of phishing. An article on phishing symptoms by Microsoft urges users to look for spelling errors, masked links, threats if action is not taken, and impersonation of reputable companies.
2. Look for “social proof” of security and privacy practices. These can include privacy trust marks and security seals in the form of images linked to security firms or agencies which can verify the site’s identity. Common examples include a TRUSTe seal, Norton Secured seal, McAfee Secure seal, and the Better Business Bureau seal. Recognize, however, that criminals will often try to exploit the use of these seals to deceive you. Be smart and visit the seal holder’s site directly, as many will allow you to perform independent searches to verify the information.
3. Check for a privacy policy. Links to privacy policies are often found in the website footer or registration area of the page where you’re being asked to enter your information. On your mobile device look in “About” or “Settings.” Posting a privacy policy is a sign of a mature company who has taken some time to communicate to users their privacy practices. If on online business is based in California or has customers in the state, it is legally required to publish a privacy policy. Policies should discuss information being collected, how it will be used, who has access to it, and who it may be shared with. It should inform you of your choices related to the information collected as well as how you can access it with the company, the security procedures which protect it, and forms of redress available to you if you feel the policy has been violated.
4. Check with authorities for scam alerts. The FTC website publishes warnings about scam alerts, and can help you stay one step ahead with the latest info and practical tips on consumer protection. Sort the topics by most recent to see the newest scams posted. It’s also helpful to Google the subject lines of phishing messages with the word “scam” attached. The results may help you identify emerging scams.
As you spend time online, don’t bite the phishing bait out of habit or inattention. There are many hooks out there waiting to catch us. Cultivate your ability to discern. It’s one more way to develop a sound privacy practice.
Share Mindfully