There are people looking to fool you, using email messages, on the phone, and on the internet. Would you be careful walking down the street in a strange city? Same applies here.
Do not click on links unless you know exactly where you are going, and the link comes from someone you know.
Almost all “exploits” start from a link to a poisoned web site. Hackers send you fake messages trying to lure you to fake websites – and all of it will look exactly like the real thing. If you fill in your password on a fake login screen, you have just given your password to a hacker, which is usually then sold and shared with other hackers. If it’s a password to several websites, you’ve now given you password to several websites.
Also, if you click on a link on a poisoned website, your computer (whether it’s a mac, linux or Windows) can have viruses and malware uploaded to it.
Hover over links in email messages or on web sites to make sure they lead where they appear to lead.
The address that appears above the link or at the bottom of the browser window when you hover over a link should look like something you’d expect. If it is a shortened link and you can’t tell where it goes, assume it is suspicious.
Do not click on a link to a file in Google Drive, Dropbox or other online services unless you know with 100% certainty that the file is something you want.
The latest attacks appear to be a link in an email message to a PDF or other online document. The links lead to poisoned websites or fake login pages that will capture your password for the bad guys.
Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.
Email attachments are still the primary method of spreading viruses and ransomware. If you open the wrong Word document or PDF, you can take down your entire company. Don’t open email attachments!
Just because something is listed in a Google search doesn’t mean it is safe.
Make a judgment about where you’re going before you click.
Back up your computers.
Even new computers develop hardware problems. Choose a backup strategy, understand how it works, and keep your backups up to date. Windows 10 users can use File History. Windows 7 users can use the built-in backup program.
You can have a local backup, and consider backing up your computers online as well.
If a web site brings something up on your screen that might be malware, do not click on “OK,” “Cancel,” or the X in the upper right corner. Just turn your computer off with the power button. On laptops, pressing the power button can make it merely go to sleep. If that is the case, take out the battery.
If your computer displays a message while you are browsing the Internet claiming that you have been hacked or infected with a virus, it is a lie.
Your computer is not infected with anything and you did nothing wrong. If you cannot close the window, shut down your computer by holding the power switch in for 15 seconds. If the message reappears after you restart, contact your regular IT support for help.
Do not call the 800 number for “tech support.” You are calling criminals who will lie to you. If you call the 800 number and give them a credit card number, you will be charged hundreds of dollars for nothing. The card number is effectively stolen and you will have to cancel it.
If you call the 800 number and give them remote access to your computer, you can never trust that computer again, no matter how thoroughly it is cleaned. You will have to wipe it out and reinstall everything from scratch. If your personal information is stored on the computer – passwords, tax information, bank account info, social security number, etc. – you should consider taking steps to protect yourself against identity theft. That might include a fraud alert in your credit report, freezing your credit report, and monitoring your credit report and financial accounts for unauthorized activity.
Set a PIN code, password, or fingerprint authentication to unlock your phone or tablet. Smartphones and tablets are easily misplaced or stolen. Do not keep confidential or privileged information on a mobile device in an unprotected app.
Run antivirus software on your computer.
Windows 10 has built-in security protection, Windows Defender. Windows 7 users should use Microsoft Security Essentials. There are also security programs from Norton, McAfee, and others, of course, but they are not recommended; most of them are poorly written and cause more problems than they solve. Many IT professionals suggest periodic scans with Malwarebytes as a supplement to Windows Defender/Security Essentials. Antivirus software barely slows down hackers and malware writers. They’ve been finding ways to avoid it for 20 years. Use your common sense. Be cautious when clicking on links. Don’t open unexpected email attachments. Read and think before you click OK.
Know the name of your security software. If you get a “security warning” that does not display the exact name of your security software, it is phony; if you click on anything, you will probably install malware.
Don’t download “free” programs or add unnecessary browser extensions.
Adware is distributed with “free” games, PDF programs, media players, and even with quite legitimate utilities like Java and Adobe Reader. Your security program will not stop you from installing adware, but adware can bring down your computer just as thoroughly as malware from bad guys.
Do a custom install of any new program and decline unnecessary extra software.
When you’re downloading and installing a program – especially a free program – scrutinize every screen that comes up. Look for checkmarks that can be unchecked. Look for weasel words that might conceal a disclosure that other programs are coming along. Always do a custom install and study the options.
Choose passwords carefully.
Your passwords are your defense against identity theft, financial loss, compromised computers, and breaches of confidentiality and privilege. If you use a weak password, or if you use the same password over and over every time something calls for one, you are jeopardizing yourself and your business. Use a different password for every site.
When large companies are hacked, the bad guys immediately test hacked passwords on other sites in case you used the same one somewhere else.
Set up emergency access for a trusted family member.
Think about using two-factor authentication.
Two-factor authentication combines a password and a second check, such as code sent to your phone in a text message. It drastically improves security. It’s more difficult to use than a single password, but it’s much less trouble than being hacked.
Microsoft, Google and Apple will not call to fix your computer.
Scammers play on our fears about online security, just like the poisoned web pages that bring up phony onscreen security warnings. Don’t lower your defenses!
Don’t answer the phone if you get a robocall. If you don’t recognize the caller or the phone number, don’t pick up. If you pick up, the number will be marked in the robocaller’s database as belonging to a live person and you’ll get more calls. If the voice message says to pick up and press a number to be put on the Do Not Call list, do not pick up and press the button. They’re lying about the Do Not Call List.
If you answer the phone and there’s a pause of half a second or so, hang up. The call is almost certainly from a scammer or telemarketer; the pause happens as the automated dialer hands off the call to a person in a cubicle.
If you answer the phone and it turns out to be a scammer or telemarketer, hang up. Don’t say another word. Don’t engage them. Don’t tell them they should be ashamed. Don’t explain why you’re hanging up. Don’t teach them a lesson by putting them on hold so their time is wasted. Don’t yell at them through a megaphone to hurt their ears. Don’t say any unnecessary words. Just hang up.
Do not approve a wire transfer without verbal authorization.
One of the worst scams for businesses starts with a targeted email. Bad guys research your business and craft a fake email asking the CFO to send a wire transfer. The request will appear to be legitimate. The bad guys might register a confusingly similar domain name to carry out the scam. They’ll intercept email and send responses that appear to be legitimate. If you authorize a wire transfer to bad guys, you have no recourse against the bank – and the bad guys are long gone with the money, of course.
Educate employees about the risk of wire fraud phishing schemes.
Set up a strict business protocol that a wire transfer cannot be approved without verbal authorization from someone known to the person approving the transfer.