Shopping, banking, and connecting online have changed our lives in a few short years, but the more time you spend online, the more you put yourself at risk—unless you know how to protect yourself.
By Olev Edur
The Internet can be a terrific resource. You can buy anything you want, often at discount prices, and have it delivered to your door; you can find answers to virtually all your questions; you can do your banking, book airline tickets, communicate with loved ones and friends and so much more, all from the comfort and safety of your home.
But the Internet also has a darker side, as many Canadians have already discovered. All the information about yourself that you put online can come back to haunt you. Just being online without taking precautions can leave you exposed to cybercrime. As a result, if you want your cake without it eating you, you need to be cautious whenever you’re using cyber technology.
Passwords are your first line of defence; they are the key that can unlock the vault, so to speak, and provide the criminal element with access to your innermost secrets and treasures. But there are many ways you can get taken for the proverbial ride online, whether you’re adequately password-protected or not.
“The more we go digital, the greater the danger,” says Ritesh Kotak, a Toronto-based cyber security expert who works with the Toronto Police Service and various other organizations. “There are risks and rewards, and I think the rewards outweigh the risks. But you do need to be careful. It’s tricky, because the landscape is always changing.”
The Nature of the Beast
So what is it about the Internet that attracts all these miscreants, how do they operate, and most important, what can you do about it?
“There’s one reason criminals are gravitating to the Web, and that’s because it’s a lot easier than robbing a bank,” says Daniel Tobok, chief executive officer of Cytelligence, a Toronto-based cyber security company. “They don’t need to wear a mask or watch Hollywood movies to learn how they should yell at people in the bank.
“Hacking has become a huge business,” Tobok says. “It now accounts for about $40 billion a year in Canada alone. It has bypassed narcotics, construction fraud, and all other sources of income and is now the single biggest revenue generator for organized crime.”
Even on smaller scales, a typical hacker working out of his or her basement can make US $140,000 a year without leaving the house, according to Tobok. “And they’re from Russia, Ukraine, Romania, Bulgaria, all places that have no extradition treaty with us,” he says. “So as far as catching them goes, we’re out of luck.”
“Unfortunately, most people think they’re not a target,” Tobok says. “But criminals can get into your system, and it’s not a matter of how big or small the victim is. It’s not like in the old days when they just hacked banks: now every computer and smartphone is a target.”
So, while we may regularly read about those big corporate data breaches at banks and social media sites, there are many more immediate—and avoidable—causes for concern.
“A lot of the worst cases of individual users being affected by cybercrime are self-inflicted wounds,” says Andy Ellis, the chief security officer at Akamai Technologies in Cambridge, Massachusetts.
Social Media Concerns
Ellis points to people’s behaviour on social media as being a widespread cause of problems, an idea with which Tobok and Kotak both agree. “Everybody puts way too much information out there,” Tobok says. “People don’t use common sense, although older people—those of our generation—aren’t so bad. We’re not quite as trusting.”
By now we’ve probably all heard a story about someone posting his or her vacation plans on a social media page and coming home to find the house stripped of everything but the paint. This kind of online eavesdropping is common, Kotak points out, because the bad guys are continually searching (“phishing”) for any kind of useful personal information. “There are always more people listening than you think,” Ellis cautions.
“Finding personal information is much easier these days,” Kotak says. “People can easily do a word search, for example, that includes ‘vacation’ and ‘Ottawa.’ In fact, they may not even be doing the searching themselves. They may have automated ‘bots’ [robots] that search for keywords such as ‘vacation,’ and they get a notification whenever there’s a hit. They get the information pushed to them without any effort, and if they get your phone number, they can easily do a reverse-411 search to get your address, too.”
What to do about it? The first and most obvious line of defence on social media sites is your privacy settings.
“If your social media sites are completely open, scammers can use that information against you,” Kotak says. “For example, we’ve all heard about the telephone scam where the ‘grandson’ or ‘cousin’ calls to say he needs money because he’s stuck somewhere. If your information isn’t properly secured, such scammers may be able to get enough information—birth dates and ages, recent communications and so on—that they can make up a very believable story. They can even call or e-mail you using the grandson’s phone number or e-mail address, so it can be very convincing.”
“Personal information is okay among friends, but your settings may be public—if you post that information, anyone can see it,” Tobok says. “You should ensure that your settings are as private as possible. And even so, you should post information about vacations after you come back, not before you go.”
However, Ellis cautions that privacy settings, while helpful, are no cure-all. “You may control your own privacy settings, but you can’t control the privacy on your friends’ pages, and that includes everything you send to them,” he points out. “Even if your privacy settings are all on tight, you should assume that anything you put on your computer is public information.”
All three experts agree that the only real solution, when it comes to security on social media, is discretion.
“Don’t be a jerk online, and tell your kids not to be, either,” Ellis says. “If you put nasty information on your social media page, how would it look if that information were published on the front page of The New York Times? Somebody can easily take a screen-shot of the information and include it in an article about nasty people. The bottom line is, don’t put anything online that you wouldn’t say in a church or synagogue.”
Kotak says, “Sometimes when people are creating their digital footprints, they may post pictures of family members without those people knowing it. For example, I’ve seen grandparents create Facebook accounts for their grandkids without the grandkids’ knowledge. But the reality is that there’s no such thing as ‘delete’ for information that’s been put online. You have to treat any online information as being out there forever, so what you’re doing is taking away their right to privacy in the future.”
Online Scamming Approaches
Then there are all those e-mail or telephone scams, often using personal information that may have been gleaned from online sources such as social media.
For example, a Good Times newsletter article by writer Matt Smith (“Don’t Fall for Tech Support Scams”) cautions against falling prey to a so-called “tech support” or “malware” scam, whereby a pop-up ad suddenly appears on your computer screen indicating that your system has been infected and needs to be serviced immediately (by the people behind the ad).
In recent years, too, there has been a dramatic growth in attacks in which you get an e-mail or phone call purportedly from your bank or from Canada Revenue Agency (CRA) demanding some immediate action such as sending a pile of money to avoid further grief (such as lawsuits or even jail time).
“The very first thing you should keep in mind is that if anybody contacts you by phone or e-mail demanding money right away, that’s probably a good sign that they’re not legitimate,” Ellis says. “For example, the government will send you a letter containing a phone number you can call to discuss a problem with your account.”
(In rare cases, someone may indeed call from your bank or CRA, but if it is a legitimate call, the person certainly won’t mention the subject matter—knowing that your phone messages can be hacked as easily as your computer—or make any demands, but will simply provide a name and telephone number to call. The telephone number can be easily verified.)
When it comes to e-mails, one of the most obvious signs of malfeasance can be seen by looking at the sender’s e-mail address—if the address looks like jumbled nonsense, then it’s definitely fake. Kotak agrees: “You may get an e-mail message that’s supposedly from your bank, for example, but if you look at the e-mail address, it will be something completely different from your bank’s normal e-mail address.”
“Nobody legitimate is going to demand money on the first call,” Ellis says. “What these people do is try to create pressure to act right away. What they say, in effect, is ‘Boy, have I got a deal for you, but only if you act now.’ It’s the same approach that’s applied in used car lots: if you don’t buy it right away, the deal will be gone. They basically play on your fears to make you afraid, to try to play with your emotions.”
“These Revenue Canada scams are presented as an emergency, telling you that you have to act right away, and a lot of people get terrified,” Kotak says. “There’s always a sense of urgency, because they’re trying to scare you into doing something. The key is not to be alarmed into doing something foolish.
“If you do get these calls, tell them you have to go but will get back to them, then hang up and go to the company or agency website or pick up the phone and call to verify that it is actually them,” Kotak says. “Always double-check any suspicious calls or e-mails, and never give out your username or password.”
“If you get a call or e-mail demanding money, you have two options,” Ellis says. “The first is to stall: say, ‘Thank you but I have to go right now,’ or tell them you’ve got to talk to your lawyer or accountant first. Ask for the case number and a phone number and say you’ll get back to them, then check the phone number against the agency website to see if it’s legit.
“Your second option is to have some fun with it. Ignore their demands and start asking stupid questions or talk about something totally unrelated. Let them get mad and hang up. You also might want to call the police just to put it on record. They may be unable to do much, but they do like to be informed about these things.” (The Canadian Anti-Fraud Centre can be reached at 1-888-495-8501.)
Ellis adds that it’s always worthwhile to shine the broadest possible light on your experience. “When it happens, you should tell everyone about it—your neighbours, your relatives, everyone,” he suggests. “Then if they try to call your neighbours, they’ll remember and say, ‘Oh, that’s that scammer you warned us about.’ You can help protect others, as well as yourself. The best inoculation against these kinds of scams is to raise awareness.”
More Cyber-Safety Tips
Strong password protection, prudent use of social media, and caution in responding to e-mails, phone calls, and pop-ups can go a long way to preserving your online security, but there are a number of additional measures you can take to help ensure you’re not taken for a costly cyber-ride. The following are some further security precautions recommended by the experts.
Update your software: “Make sure you always install all the updates for your software,” Kotak says. “Contrary to what you may think, most of these updates are not to install new features; they’re usually to add more security to your system.”
“It can be a struggle to maintain a modern operating system, but it’s always best to be wary,” Ellis says. “Use up-to-date software and install all the security patches that you are offered.”
Consider antivirus software: “Antivirus software is always helpful, although its effectiveness can depend on how modern and up-to-date your software is,” Ellis says. “If you do want antivirus software, you should look at a full package with features such as backup, for example, so you’re getting some value.”
Back up your files: “You should always have everything backed up so that all your vital files aren’t just on one piece of hardware,” Ellis says. “Often the worst harm from an attack is losing all the pictures and memories of your loved ones.” Kotak notes that backup is particularly important if you’re using “the cloud” for storage.
Surf with care: “Antivirus software alone isn’t enough,” Tobok says. “You have to be careful where you surf. Don’t go to shady websites, because you can get infected very easily.”
In fact, you can get into trouble even on a legitimate website if you’re not careful. “You might go to a site and be redirected by a scammer to an adult site,” Tobok explains. “A month later you get an e-mail saying, ‘We took over your computer’s camera and videoed whatever you did while on the website, and you have to pay us $1,000 or we’ll send the video to everyone on your e-mail list.’
“There are a lot of shady sites out there,” Tobok adds. “It’s much worse than it was before. It’s truly an epidemic we have today, so you have to be very careful whenever you’re online.”
Watch your downloads: “Be careful about what you download, because there are a lot of viruses and types of malware out there,” Kotak says. “If they come as e-mail attachments, they need to be deleted right away. And make sure any apps you download come from reputable sources. If you get an app that supposedly comes from Scotiabank, for example, make sure it’s actually the bank. Go to the website and check before downloading it, or go into your local branch and have someone there set it up in your system.”
Avoid dodgy e-mails: “Never open e-mails unless you know who they’re from,” Tobok says. “Check the address and if it looks like garbled nonsense, trash it right away. And never ever open any attachments or click any links unless you know what they are and where they’re from.”
Use only secured Wi-Fi: “Avoid using public Wi-Fi for important communications because it’s not at all secure and people can easily eavesdrop,” Kotak says. “It might be okay to do a map search or a bit of web-surfing while you’re killing time at an airport, but avoid anything to do with money or personal matters. You should definitely avoid banking on public Wi-Fi. And if you use Wi-Fi at home, make sure it is password-protected.
“We tend to take security for granted,” Kotak adds. “For the most part, we are decent, trusting people, and these crooks understand that and use it against you.”