Your Pet’s Name Won’t Cut It. Here’s How To Be Safe Online!

I recently got a text message prompting me to pay an overdue tollway bill. The service provider and date mentioned sort of made sense. I later returned to the message after work for a closer look. This time a few things stood out.

The URL (my wife noted) looked like a random plate number with a .com at the end of it. Nobody clicked through. Also, the message, “Pay now to save up the late fees”, felt unpolished. As it happens, I have the tollway app installed on my phone. A quick browse of my transactions put the legitimacy of this effort beyond question. 

When it comes to cybersecurity, bad actors are increasingly unrelenting. In Australia, $381,256,046 has been reported in fraudulent losses at the time of writing this article. That’s just this year – 2022!

This article features a curation of measures and best practices you can implement to help mitigate this looming threat and safeguard yourself online.

Use A Strong Password

The risk is real. And your mother’s maiden name is hardly an ideal password or password recovery question. The same is true for your pet’s name. Indeed pets are no longer as private as they once were. They now have fully-fledged identities and buoyant social lives, complete with park strolls, pet parties and (of course) social media stardom. One might argue that they should also be worrying about these online risks. 

Security.org is a site dedicated to online security. They have a handy tool (linked here) to give you a sense of password security. As you type in a password, the tool calculates how quickly it could get hacked. The page also features a section on How To Create Secure Passwords. You want to have at least ten (10) characters, combining letters, numbers and symbols. A 16-character password is ideal. Most modern web browsers will serve a secure password option when a new signup is detected. 
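
To make the length and character-mix advice concrete, here is an added example (not Security.org's tool or code) that estimates how long an exhaustive search would take and generates a 16-character password. The guess rate and the small word list are assumptions chosen for illustration.

```python
import secrets
import string

# Assumed offline guessing speed; an illustrative figure, not a measurement.
GUESSES_PER_SECOND = 1e10
# Constructed stand-in for the name and word lists attackers try first.
COMMON_WORDS = {"bella", "max", "charlie", "password", "qwerty"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes the password uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def is_guessable(password: str) -> bool:
    """True for a common word with optional trailing digits, e.g. a pet's name."""
    return password.lower().rstrip(string.digits) in COMMON_WORDS


def brute_force_years(password: str) -> float:
    """Years to exhaust the search space; 0.0 when a word list finds it first.

    This is an upper bound that only holds for randomly chosen passwords.
    """
    if is_guessable(password):
        return 0.0
    combinations = charset_size(password) ** len(password)
    return combinations / GUESSES_PER_SECOND / (365 * 24 * 3600)


def generate_password(length: int = 16) -> str:
    """Random password using all four character classes, from the OS CSPRNG."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if charset_size(candidate) == len(alphabet):
            return candidate


if __name__ == "__main__":
    for sample in ("Bella2019", "abcdefghij", "aB3$eF7&hJ", generate_password()):
        print(f"{sample!r}: about {brute_force_years(sample):.3g} years")
```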

Here are two important best practices with passwords. Avoid reusing the same password on multiple sites. In the unfortunate event of a breach, this practice limits the risk to the breached website. Also, sharing your passwords with someone else is not ideal. It has nothing to do with demonstrating trust and everything to do with mitigating risk. 

There is a way to check if your details are compromised. The website haveibeenpwned.com searches the email address or contact number you enter against a library of known breaches.

Use A Password Manager

Most modern web browsers – including Google Chrome, Safari and Microsoft Edge – offer to save your passwords. Not having to recall and retype these every time is certainly an attractive convenience and one I’ve benefited immensely from. That said, it’s not without risks.

In the unfortunate event that the laptop or desktop device is breached, all the passwords stored on it are exposed. This is handsomely convenient for the hacker. I’ve recently had to rethink storing my passwords on web browsers. 

Password managers like lastpass.com or 1password.com can help you get around this vulnerability. At the time of writing this article, lastpass.com has a free tier that’s limited to either desktop or mobile use. Technology website techradar.com compiled a more comprehensive list of the Best Password Managers of 2022, linked here. Password managers also allow you to store sensitive credit card and other personal details securely. This reduces the need to store payment details on the browser and third-party sites.

Furthermore, password managers feature additional layers of security that make it difficult for hackers to breach the data. For example, 1password.com (which I use) combines a lengthy secret key (known only to the account holder) with the user password to encrypt data. According to their site, they do not keep records of secret keys. This means that if the 1password site was hacked (hypothetically), the perpetrators would not be able to decrypt and read user data.
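
The idea of mixing a device-held secret key with the password can be sketched as follows. This is an added, simplified illustration, not 1Password's code or exact algorithm; the function names, the HMAC-based mixing, the verifier tag and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this illustration


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a memorised password with a device-held secret key into a 32-byte key."""
    from_password = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ROUNDS)
    from_secret = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
    # XOR the two halves: reproducing the key requires knowing both inputs.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def make_verifier(vault_key: bytes) -> bytes:
    """Hypothetical tag kept beside the vault so a candidate key can be checked."""
    return hmac.new(vault_key, b"vault-verifier", hashlib.sha256).digest()


def unlocks(password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    """True when the password and secret key together reproduce the vault key."""
    candidate = make_verifier(derive_vault_key(password, secret_key, salt))
    return hmac.compare_digest(candidate, verifier)


def demo() -> dict:
    # Constructed sample account: a weak password plus a random 128-bit secret key.
    password = "Bella2019"
    secret_key = secrets.token_bytes(16)  # stays on the account holder's devices
    salt = secrets.token_bytes(16)        # stored by the service, not secret
    verifier = make_verifier(derive_vault_key(password, secret_key, salt))

    # A breach of the service yields the salt and verifier but not the secret key,
    # so even the correct password fails without it.
    wrong_secret = secrets.token_bytes(16)
    return {
        "owner": unlocks(password, secret_key, salt, verifier),
        "right_password_no_secret_key": unlocks(password, wrong_secret, salt, verifier),
        "wrong_password": unlocks("Max2019", secret_key, salt, verifier),
    }


if __name__ == "__main__":
    print(demo())
```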

Two Factor Authentication (2FA)

We’re hearing a lot more about two-factor authentication lately. So what is it? Two-factor authentication combines traditional verification – typically a password – with something else to ensure that the right person is accessing the service. This could be face ID, a fingerprint, or a code that’s sent to the registered phone or email associated with an account. 

The logic of two-factor authentication says: “You’ve done X to prove your identity. But if you are who you say you are, you should also be able to do Y.” When processing transactions online, for example, financial institutions often send a text code to the user’s contact number. Entering the code is required to complete the transaction.

Many online services have integrated 2FA into their processes. It adds a layer of security to the online experience by requiring an extra verification step at crucial points. And if the user didn’t initiate the transaction, 2FA serves as a timely notification. 

If you have the option, activate two-factor authentication on your online accounts. It makes it harder for cyber criminals to breach your accounts. 

On Phishing Communication

Phishing is when crooks try to bait you into giving up your personal or financial information. Phishing communications take different forms, including text messages, emails, and phone calls.

If you receive an email or text message from someone you do not have any relationship with, do not click on any links in it. Mark it as spam and ignore it. A legitimate sender will have other ways to contact you. 

Phishing communications typically require a fast response. Attackers present the illusion of a passing opportunity or an imminent threat. It is a mind trick. Criminals know that the best way to rid a victim of their better judgement is to induce a state of panic. A false sense of urgency can achieve this. Here are a few examples:

  1. We blocked a $1,000 payment on your card. Can you confirm the card expiry and security pin to secure your card?
  2. We noticed suspicious activity on your account and wanted to confirm your details. Please sign in via this link to verify your account. 
  3. We’re calling to let you know you’ve won $5,000 in our raffle draw. Can we have your card details to deposit the payment?
  4. Your invoice is now overdue and at risk of default action. Click this link to make a payment now. 
  5. We’re calling from your utility company. You’ve been overcharged and we’d like to apply a credit to your account. Can you verify your identity details?

On closer inspection, these information requests don’t make sense. However, being in a state of panic can compromise judgement significantly, making it hard to think straight. You’ll often hear people say things like “it was my fault” or “I should have known better”, without realising they were panicked when the compromise occurred. One needs to recognise the false sense of urgency in communication. Once you think it through, the red flags are easy to spot.

On Online Etiquette

Here are some additional tips you can apply to improve your safety online.

Do not sign up for services you don’t need or plan to use. This just increases your digital footprint and exposes you to avoidable risks. If you must sign up for a service on a one-time basis, consider using a disposable email address.

Delete online accounts that you are no longer using. GDPR rules require the service provider to honour your request in keeping with your right to be forgotten.

When signing up for services, do not provide optional information. Doing so allows for rich user data analytics. It does not necessarily enhance your user experience. It enhances your digital footprint. 

Do not pick up calls from numbers you do not recognise. Phishing calls are very popular with scammers because the human connection engenders trust. If unsure, make enquiries through a secure, official channel. iPhone and Android phones now have a feature that silences calls from unknown numbers. Use it.

Finally, do not procure IT support services from third parties you do not know and trust. IT support usually requires physical or remote device access and criminals often pose as support technicians. You want to be sure you know who you’re engaging with. If you must, trust but verify.

© 2024 The Finance Chapter. All Rights Reserved.
