I listened to the Ontario Today show on the CBC recently about online and telephone scammers, and felt very sorry for the people who had been scammed.
There are a number of ways that you can protect yourself against online, in person, and telephone scammers.
Unique passwords
Set up unique passwords for each online service that you use, especially for ones that you use a lot. This means that if you get hacked on one service that you use, the hackers do not get access to your password for all the other services you use. You can use password management software (such as the password storage in your browser) to remember all these unique passwords for you.
Two-factor authentication
If the service you are using has two-factor authentication, enable it. It’s like having two levels of password protection. A lot of services now use face or fingerprint recognition for the second level of authentication, so it is very easy to use.
However, it is best to turn face and fingerprint recognition off for any situations where someone could force you to unlock your phone against your will.
Phone calls
If someone claiming to be from your bank calls you, they are probably not from your bank. I always say, “No thank you, I will call the bank directly.” When I call the bank, there are several layers of security checks for me to prove that I have the right to access my bank account. The same is not true if your bank calls you. So even if it was a legitimate call, I would prefer it if I called them and went through all the security checks.
Recently I set up a profile for Carnelian Web Services on Yelp, and I get a lot of calls from people who want to sell me advertising as a result. I have learned to recognize these calls, because they always follow the same pattern.
If someone calls claiming to be the police, or Microsoft, or whoever, they are probably a scammer. Legitimate organizations will never object if you say that you will call them instead of them calling you. One lady on the radio show asked for the employee number of the person who called her pretending to be from a company, and when she rang the company, it was not a genuine employee number.
Sounds too good to be true?
One of the guests on the Ontario Today programme pointed out that if the scammers are offering you something (whether it’s money in your bank account, or an investment opportunity, or a chat with a tech billionaire) and it sounds too good to be true, it probably is.
This also applies to online dating sites, where unscrupulous individuals try to get people’s email addresses by asking them to use email instead of the dating site’s messaging system. This is called catfishing.
Emails
Most email software has filters that remove spam, scams, and phishing emails from your inbox, but some of it still gets through.
Before clicking on any link in an email, preview where it goes. On a desktop device, hover over it with your mouse pointer. The link will appear in the bottom left of your browser window. Check that it goes to the legitimate website of the company it purports to be. If you’re unsure, do not click on it.

On a mobile device, you can press and hold the link to get a preview of the destination. Practice doing this in an email that you know is legitimate.

How do I know this is a legitimate email and a legitimate link? There are no spelling mistakes in the email. It is from a domain that is the same as the website that I visited. It uses the company’s colours and branding. When I hover over the link, I can see that it is the same web address as that of the company that I signed up for IP geolocation services with (for a map page in an application that I am building).
There are multiple browser extensions that show you a popup preview of the target website – but it is still a good idea to look at the web address itself.
Identifying phishing emails
Here’s a phishing email that I received. Luckily my email software recognized it as spam. It looks almost convincing, except that they missed off the e at the end of “Revenue”. The “My Account” / “Mon compte” (note the inconsistent use of capitalization) link goes to a dodgy link, https://flavoorviours.info/exo/auth/. Needless to say, I did not click on it. The sender of the email was vanessa@contact.bg, whoever she may be. The large refund from the CRA probably comes under the heading of “too good to be true” and is unlikely to happen in November.
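The two checks described above (does the sender's domain belong to the organisation, and does each link really go to the organisation's website) can be automated for a mail filter or a training exercise. This is an added example, not part of the original post. The display name, the message body and the expected domain canada.ca are assumptions made for the illustration; only the sender address and the link target are taken from the email described above.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def belongs_to(host, domains):
    # Exact match or true subdomain only, so lookalikes such as
    # 'canada.ca.example.net' and 'notcanada.ca' fail for 'canada.ca'.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_email(from_header, html_body, expected_domains):
    """Return a list of findings; an empty list means no domain mismatch."""
    findings = []
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2]
    if not belongs_to(sender_domain, expected_domains):
        findings.append(f"sender domain {sender_domain!r} is not the organisation's")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        url = urlsplit(href)
        if url.scheme in ("http", "https") and not belongs_to(url.hostname, expected_domains):
            findings.append(f"link {text!r} goes to {url.hostname!r}")
    return findings

# Constructed sample: only the sender address and link target come from the post.
SAMPLE_FROM = "Canada Revenue Agency <vanessa@contact.bg>"
SAMPLE_BODY = ('<p>You have a refund.</p>'
               '<a href="https://flavoorviours.info/exo/auth/">My Account</a>')
EXPECTED = {"canada.ca"}  # assumption: the domain the reader expects for this sender
```

Calling check_email(SAMPLE_FROM, SAMPLE_BODY, EXPECTED) returns two findings, one for the sender and one for the "My Account" link. Matching domains do not prove an email is genuine, since sender addresses can be forged, so a clean result only means this particular check found nothing.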

Internet security
If you have employees, it is a good idea to educate them regularly about online security, using a platform like KnowBe4. Most companies I have worked for do this at least annually. Check out KnowBe4’s list of free security tools.
Developers should keep up with the annual OWASP security top ten list, and learn secure coding practices.
Resist psychological manipulation
One of the things that scammers do is exploit people’s desire to help others. They get into otherwise secure areas by tailgating – exploiting people’s tendency to hold a door open for the person behind them. Sometimes they even dress up as maintenance staff.
The scammers use a lot of psychological trickery to get people to give them money or passwords or social insurance numbers. One thing they do is try to convey a sense of urgency, like pretending to be the police to instil fear into their victim.
Another tactic is to pretend to be a relative or friend who is stranded abroad and needs money. Usually the scammer has hacked into the person’s email account, which is even more convincing. Luckily banks have safeguards in place to discourage people from sending large amounts of money abroad.
KnowBe4 has a list of different types of social engineering used by hackers and scammers.
Further reading
- Scams that target Canadian consumers — Tips to avoid being scammed — Competition Bureau Canada
- Common scams and deceptive marketing practices and how to avoid them — Competition Bureau Canada
- Recent fraud activities — Canadian Anti-Fraud Centre
- Test your knowledge of fraud — Competition Bureau Canada
- How to report fraud and scams — Competition Bureau Canada
- Protect yourself from scams and fraud — Canadian Anti-Fraud Centre
- Top 10 Cyber Crime Prevention Tips — Royal Canadian Mounted Police
- Slam the scam – Protect yourself against fraud — Canada Revenue Agency
- What is Social Engineering? — KnowBe4
- Free Cybersecurity Tools — KnowBe4
If you have tips for recognizing and preventing scams, let me know in the comments!
