Many websites have security and privacy tools to ensure your information is kept secure and restricted to only those you want to be able to see it.
One example of this is if you were to set up a Google account; here are some of the steps you can take to stay safe:
2-step verification – This requires a code that gets sent to your mobile phone to be entered when you log in. This means that even if someone were to guess or steal your password, they still would not be able to access your account without your phone
Incognito/privacy mode – This is where you can browse the internet without the pages you access, or anything you download, being recorded in your browser or download history
Me on the web – This helps you understand what people can see if they were to search for you on Google. You can set up alerts to notify you if anything appears about you online
Unlisted and private videos on YouTube – sometimes you may not want the world to see! By choosing ‘unlisted’ or ‘private’ when you upload a video, it means you can choose for just a small group of people to see it.
Facebook security settings
On Facebook, you have additional security settings and privacy settings. In the privacy settings, you are able to control things such as who can see your posts, who can send you a friend request, and who can search for you using your phone number or email address.
Passwords are used for a person to prove identity or to gain access to a resource. They are used to access most of the systems we interact with for work, entertainment, and everyday living.
Passwords are the first internal line of defence in a system; the stronger your password, the more protected your computer and information will be from hackers or people trying to steal your information.
Passwords are essential for keeping your information secure. Think about each time you create an account online – what information do you divulge? Maybe your name or your address? Debit or credit card numbers perhaps? All of this information is protected by your password. This is why passwords are so important!
Most people will choose their password based on how easy it is to remember, but by doing this they are also making it easier for hackers! There are many measures you can take to ensure your password is as robust as you can make it; these will all be covered later in this module!
The average length of a password is 6 characters. However, the recommended length of your password is 14 characters. Many sites require a minimum number of characters and ask for a mix of letters, numbers and symbols, which helps to make your password strong.
What makes a strong password?
When creating passwords, you need to make them as strong as possible. The stronger your password, the less chance you have of your account being hacked or attacked by malicious software. You need to make your password as difficult as possible to prevent criminals being able to access your information.
Tips for creating a strong password are as follows:
One thing to always keep in mind is to have different passwords for all of your accounts. Think of it this way: if you had the same key for your home, car, and office, and that was stolen, all of those places could potentially be compromised. It’s the same with passwords. Although this may seem inconvenient, choosing multiple passwords keeps you safer. At the very least, make sure you use a unique password for your online banking.
With the average person now having 26 different online accounts, remembering passwords for each of those will be tricky. It is not necessarily a bad idea to write them down, but write them down in a way that wouldn’t be recognised by anyone else and make sure you hide them in a secret place. Don’t leave notes with your passwords in plain sight, such as on your computer or desk.
If you forget your password or get locked out, you will need a way to get back into your account. Many services will let you send a password reset email, so make sure that you always keep your recovery email address up to date. Sometimes you can also add a phone number so that you can receive a code to reset your password via text message. Having a mobile number on your account is one of the easiest and most reliable ways to help keep your account safe. Your mobile phone is a more secure identification method than a recovery email address or a security question because unlike the other two, you have physical possession of your mobile phone.
Another best practice is to regularly change/update passwords to increase security. Of course if you think your password may have been compromised, then change it straight away.
How to stay safe from Social Engineering
What is Social Engineering?
‘Social engineering’ is the act of manipulating or tricking people into certain actions including divulging personal or financial information … a kind of confidence trick.
Social engineering exploits human nature and often plays on victims’ willingness to be helpful, or please others. It is a factor in many types of fraud
Social engineering can be elaborate and is generally highly convincing, with approaches usually made by somebody you trust or in authority
It is sometimes made more believable by snippets of information which the fraudsters already have about you
Private individuals and businesses can both be victims of social engineering.
How to Avoid Social Engineering Attacks
Never reveal personal or financial data including usernames, passwords, PINs, or ID numbers
Be very careful that people or organisations to which you are supplying payment card information are genuine, and never reveal passwords. Remember that a bank or other reputable organisation will never ask you for your password via email or phone call
If you receive a phone call requesting confidential information, verify it is authentic by asking for a full and correct spelling of the person’s name and a call back number
If you are asked by a caller to cut off the call and phone your bank or card provider, call the number on your bank statement or other document from your bank – or on the back of your card – but be sure to use another phone from the one you received the call on. If you cannot access another phone, be sure to hang up for at least five minutes before you dial out, or call a friend (whose voice you recognise) before making another call
Do not open email attachments from unknown sources
Do not readily click on links in emails from unknown sources. Instead, roll your mouse pointer over the link to reveal its true destination, displayed in the bottom left corner of your screen. Beware if this is different from what is displayed in the text of the link from the email
Do not attach external storage devices or insert CD-ROMs/DVD-ROMs into your computer if you are not certain of the source, or just because you are curious about their contents.
Be aware of ‘phishing’ and ‘vishing’
So they can take money from your bank account, fraudsters may try to trick you into divulging personal information, account details, and security credentials. For years, fraudsters have used fake emails and websites to do this and, more recently, they have also been tricking people over the telephone.
Phishing is the illegal practice of sending an email or conventional letter pretending to be from a well-known and reputable company in order to fool an individual into revealing confidential and personal information such as card numbers and PINs, passwords and other information such as addresses and dates of birth.
Phishing email messages are designed to steal your information so criminals can gain access to your bank accounts or use your identity. They ask for personal data, or direct you to websites or phone numbers to call where they ask you to provide personal data. A few clues can help you spot fraudulent email messages or links within them.
What does a phishing email message look like?
The emails look like they are from legitimate organisations and give a plausible story to try to trick you into giving away your information.
Phishing email messages take a number of forms
Often the emails are made to look like they’re from your bank and claim you need to update or verify your account information, threatening to block your account if you don’t act quickly
They might appear to come from a company you regularly do business with, such as Microsoft, PayPal or Amazon, or from your social networking sites.
They might appear to be from someone in your email address book
They might ask you to make a phone call. Phone phishing scams direct you to call a phone number where a person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data
They might include official-looking logos and other identifying information taken directly from legitimate websites, and they might include convincing details about your personal history that scammers found on your social networking pages
They often include links to spoofed websites where you are asked to enter personal information and account details.
Here is an example of what a phishing email might look like.
This example of a phishing email message includes threat of account closure and malicious links designed to trick you into entering your account information.
To make these phishing email messages look even more legitimate, the scam artists use graphics that appear to go to the legitimate websites (Windows Live Hotmail and Woodgrove Bank, respectively), but actually take you to a phony scam site or possibly a pop-up window that looks exactly like the official site.
Watch this video to see what Phishing may look like.
Here are a few phrases that are commonly used in phishing email scams:
"Verify your account."
Businesses should not ask you to send passwords, logon information or user names, Social Security numbers, or other personal information through email.
If you receive an email message from your bank or any other business asking you to update your credit card information, do not respond; this is a phishing scam.
"You have won the lottery."
The lottery scam is a common phishing scam known as advanced fee fraud. One of the most common forms of advanced fee fraud is a message that claims that you have won a large sum of money, or that a person will pay you a large sum of money for little or no work on your part. The lottery scam often includes references to big companies, such as Microsoft. There is no Microsoft Lottery.
"If you don't respond within 48 hours, your account will be closed."
These messages convey a sense of urgency so that you'll respond immediately without thinking. A phishing email message might even claim that your response is required because your account might have been compromised.
Your bank may email you, but they will:
Never email you a link that takes you straight to the Online Banking log-in page
Never email you asking you to verify your account details
Never email (or call) you to ask for your card details, PIN, authorisation codes or passwords
Never email you asking you to confirm a recent transaction.
If you do get a suspicious email, or any email claiming there is a requirement for you to update or verify your account information and encourages you to click on a link, the best thing to do is ignore it and delete it.
Example of a masked web address
Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered by adding, omitting, or transposing letters. For example, the address "www.microsoft.com" could appear instead as:
Tips for Avoiding Threats
Never open an email that you are suspicious of, even if it is from someone you know but were not expecting; people can ‘spoof’ an email address. Even then, examine who the email is from: is this their usual email address?
Look for telltale signs such as bad grammar and how the email has been written. Is the way the email is written their usual style of writing?
Be careful of following links in email. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g. .com versus .net). Do not click on the links, as they may lead to a phishing site or a malicious file download. Hover over the links without clicking: the real destination will show up in the bottom left of your screen or in a pop-up above the link, and you can evaluate whether it looks legitimate.
Be suspicious of urgent demands. Malicious emails tend to use scare tactics and threats to get a quick response.
If you receive a suspicious email please err on the side of caution and delete the email.
Should you be a victim of Phishing please reach out to the Police Action Fraud Service.
You have just heard about online "phishing" scams designed to steal money from unsuspecting Web users, but now criminals are using another type of scam called "vishing" to commit similar crimes.
What is vishing?
Vishing is the practice of trying to obtain personal information from an individual over the telephone in order to commit fraud or identity theft. Vishing relies on “social engineering” techniques to trick you into providing information that others can use to access and use your important accounts. People can also use this information to pretend to be you and open new lines of credit.
How does it work?
‘Vishing’ involves a phone call from a fraudster, who will come up with a plausible story to try to get you to divulge your information. In a common example, the fraudster claims to be calling from your bank’s fraud department and tells you there are suspicious payments due to go out of your account. They will say you need to give them a token-generated authorisation code in order to stop the payments (e.g. a code from your PINsentry reader) but they'll then use the codes to make fraudulent Online Banking payments from your account.
In another example, the fraudster says they’re from a satellite TV provider, phone, or utility company and offer you a refund. To process the refund, they'll ask you for your bank account details or for token-generated authorisation codes. Again, they will use this information to take money from your account.
Fraudsters also call pretending they’re the bank or the Police and tell you there’s a problem with your account, and that you need to transfer funds to a new ‘safe’ account or a holding account to keep your money safe.
To add authenticity to their story, a caller may suggest you ring back or call your bank. However, the caller may be able to keep the line open if they don’t hang up at their end. You hang up and think you’re making a call to the bank or the Police, but the fraudster is still on the line and you will be speaking to them or an accomplice. They’ve even been known to play fake dial tones and switchboard messages. Phone companies are working on reducing the length of time it takes to disconnect the line when the original caller does not hang up, but it can still take a few minutes in some cases.
Notice in the following example that resting (but not selecting) your mouse pointer on the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's web address. This is a sign that the email is suspicious.
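The hover check described above and the masked-address examples (a well-known name with letters added, omitted or transposed, or a string of numbers where a company name should be) can be applied to every link in an email body programmatically. This is an added JavaScript example, not part of this module; the KNOWN_BRANDS list, the helper names and the sample email are constructed for illustration.

```javascript
// Added example: flag suspicious links in an email body using the three
// signals the module describes. Brand list and sample email are constructed.
const KNOWN_BRANDS = ["microsoft.com", "paypal.com", "amazon.com"];

// Levenshtein distance: single-letter insertions, deletions or substitutions
// needed to turn a into b (a transposition counts as two).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Hostname of a URL, or null if the string is not one. A scheme is added when
// missing so that visible link text such as "www.example.com" also parses.
function hostOf(s) {
  try { return new URL(/^[a-z]+:\/\//i.test(s) ? s : "http://" + s).hostname.toLowerCase(); }
  catch { return null; }
}

// Crude registrable domain: last two labels ("www.paypal.com" -> "paypal.com").
const baseDomain = (host) => host.split(".").slice(-2).join(".");

// One finding per <a href="...">text</a>, with the reasons it looks suspicious.
function checkLinks(html) {
  const findings = [];
  const anchor = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, "").trim();
    const host = hostOf(href);
    const reasons = [];
    if (!host) {
      reasons.push("href is not a parseable URL");
    } else {
      // "String of cryptic numbers" in place of a name.
      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) reasons.push("destination is a bare IP address");
      // Displayed text shows one web address while the link goes elsewhere.
      const textHost = !/\s/.test(text) && text.includes(".") ? hostOf(text) : null;
      if (textHost && baseDomain(textHost) !== baseDomain(host))
        reasons.push(`text shows ${textHost} but link goes to ${host}`);
      // Letters added, omitted or transposed in a well-known domain.
      for (const brand of KNOWN_BRANDS) {
        const base = baseDomain(host);
        if (base !== brand && editDistance(base, brand) <= 2) reasons.push(`near-miss of ${brand}`);
      }
    }
    findings.push({ href, text, host, suspicious: reasons.length > 0, reasons });
  }
  return findings;
}

// Constructed sample email body; 192.0.2.10 is a documentation-range address.
const SAMPLE_EMAIL = `<p>Your account will be closed in 48 hours.</p>
<a href="http://192.0.2.10/login">www.woodgrovebank.com</a>
<a href="https://www.paypa1.com/verify">Verify your account.</a>
<a href="https://account.microsoft.com/">Microsoft account</a>`;
```

The two-label base-domain heuristic is deliberately simple; a mail gateway would use the public suffix list and an allow-list of the organisation's real domains instead.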
Caller ID spoofing
Fraudsters also use a technique called caller ID spoofing to make it look like calls are coming from a legitimate or known phone number. It's a very similar technique to email spoofing, which makes email addresses look like they are coming from a trusted source, but instead it is a phone call that is made to look like it is coming from the bank, for example. Because people typically trust the phone service and caller ID, spoofing phone numbers can be particularly damaging.
Just like with online phishing attacks, which direct consumers to phony web sites, vishing attacks can have a recorded message that tells users to call a Freephone number or an option to press a number to be connected to an advisor. The caller is then typically asked to punch in account details or other personal information.
Some sophisticated attacks combine vishing and phishing.
These scams typically start with a phishing email that says there has been a problem with an online account from a known Website, such as a bank, credit card company, or online retailer, and it directs users to call a number and enter information to verify their account.
What can consumers do to protect themselves? Here is some advice from security experts:
Consumers need to know that these scams exist. To find out more information you can surf the internet and listen to friends and family. Quite often, scams are reported via social networking sites as friends have fallen victim.
Be suspicious of all unknown callers
People should be just as suspicious of phone calls as they are of emails asking for personal information. Some experts suggest letting all calls from unknown callers go to voicemail.
Don't trust caller ID
Just because your caller ID displays a phone number or name of a legitimate company you might recognise, it doesn't guarantee the call is really coming from that number or company. As explained earlier, fraudsters can spoof the caller ID.
If someone is selling you something or asking for personal or account information, tell them you will call them back. Always check the company is legitimate and call back on a number you have found yourself from the organisation’s website, from a bill or statement, or if it's a bank or credit card company, from your card. Don’t forget that fraudsters can keep the phone line open, so always wait at least five minutes before calling back, call someone you know first, or use a different phone line.
Never share your account information, PIN, PINsentry codes, or passwords with anyone who contacts you. No legitimate organisation should ask for this information when they call, text, or email you.
Act with care
Banks and the Police will never ask you to hand over your PIN, cards, or cash, or to buy high-value items or transfer funds to a new account. If someone calls asking you to do this, end the call. Always check the call is properly disconnected before calling the bank or Police to report it.
Register your number
You can register your number with the Telephone Preference Service (TPS) to reduce unwanted calls. Even though criminals and unscrupulous telemarketers may ignore the list, if you are on the list and get a call from a supposed telemarketer, that could be a tip that the offer is bogus. Most legitimate telemarketers obey the rules and laws about contacting consumers. The TPS website also provides a place where complaints can be filed.
How to avoid being fooled by a vishing attempt
If you receive an email or phone call asking you to call and you suspect it might be a fraudulent request, look up the organisation’s customer service number and call that number rather than the number provided in the solicitation email or phone call.
Forward the solicitation email to the customer service or security email address of the organisation, asking whether the email is legitimate.
Should you be a victim of Vishing please reach out to the Police Action Fraud Service.