EIT

Holiday Online Shopping Security Tips

The holidays are the most vulnerable time of year for online shoppers: it is prime time for the fraudsters, scammers and hackers looking to take advantage of unsuspecting buyers.

To stay safe while making purchases online, follow these simple steps:

Check your devices:

  • Before making an online purchase, ensure the device you are using to shop is up to date: your browser, antivirus and operating system.
  • If you purchase an internet-connected device, change the default password to a different password as soon as you receive it.
  • Check the purchased device’s privacy and security settings to make sure you understand how your information will be used and stored.

Do your shopping via trusted sources:

  • Ensure you are making your purchase on the genuine company website by verifying that you are on the legitimate site before supplying any personal information.
  • Don’t connect to unsecured public Wi-Fi to make an online purchase.
  • Use the official retailer apps if you prefer to shop on your mobile device.
  • Don’t make purchases from spam or phishing emails. If you’re unsure whether an email is legitimate, type the retailer’s website address into your web browser yourself.
  • Never provide your password, personal or financial information in response to an unsolicited email, no matter how enticing the offer is.

Use safe methods for online purchases:

  • Make purchases using your credit card rather than your debit card. Credit cards come with extra legal protections that limit your liability for fraudulent charges; the same may not be available with your debit card. A credit card also gives you leverage if there is a dispute with a seller over a transaction. Alternatively, you can use a prepaid debit card, because the money is not connected to your bank account.
  • Keep an eye on your credit card and bank statements for any fraudulent charges. Keep a record of your online transactions by holding on to your receipts.
  • Ensure you do not share more information than necessary with any retailer when making your online purchase.

Remember the best defense against these online threats is awareness on the part of the customer.

Reference: https://www.dhs.gov/news/2019/11/26/holiday-online-shopping-safety-cisa

How to Identify Phishing Emails

Phishing is a form of fraud in which a cybercriminal pretends to be a known associate or a legitimate organization in an attempt to obtain sensitive information such as login credentials or account details, which can then be used to steal money, data and even people’s identities. Phishing attacks can be carried out through various channels such as phone calls, text messages (SMS) or instant messaging. However, the most common form is delivered by email, because of the number of people it can reach at once.

In email phishing, cybercriminals use a convincing pretense to lure recipients into performing an action such as clicking on a link or opening an attachment in a received email. Despite how much we think we know about phishing, many of us still consistently fall victim to this.

We will use real-life examples to demonstrate clues to help identify phishing emails.

1. Take a closer look at the email address, not just the displayed sender name

Many times, people don’t make the effort to look at the email address that a message was actually received from. Once our inbox displays a name that we are familiar with (or think we know), we instinctively let our guard down and jump straight into the contents.

When cybercriminals create bogus email addresses, they can choose any display name they like; it does not have to bear any relation to the address being created.


Emails with disguised sender names.

2. If the email message creates a sense of urgency

Email messages urging you to take immediate action should be handled cautiously, especially if the request appears out of place or does not follow normal operating procedures. Cybercriminals know that most of us give priority to an urgent request from our boss, or to one where senior management is supposedly waiting on us to act. A typical example looks like this:

3. Look for grammatical mistakes, not just spelling mistakes

It is no longer sufficient to depend on spelling mistakes to spot a phishing email. Cybercriminals now have readily available spellcheckers and translation applications to use when crafting their messages. These will often give them all the right words, but not necessarily the right context.

4. A request to update or validate email account

The main goal of a phishing email is to obtain sensitive information. Cybercriminals like to request this information by posing as a well-known financial institution and asking you to update or verify details such as your password, banking details or credit card number. Changes of this kind should always be initiated by you, not the other way around.

5. Email containing suspicious attachments or links

As stated earlier, phishing emails come in many forms, but one thing they have in common is that they carry a payload. This will be either an infected attachment or a link to a bogus website that requires you to enter your login credentials or other sensitive information. Any attachment or link sent to you without prior request or discussion should be treated with caution.

The attachment could appear harmless, but when opened it unleashes malware on your computer. If, for example, you receive a pop-up warning about the file’s legitimacy, or the application asks you to change your settings, don’t proceed with opening the attachment. Instead, contact the sender through an alternative means of communication and ask them to verify that it is legitimate.

For emails containing links, train yourself to hover your mouse over each link to see where it actually leads before opening it. If you are reading the message on a mobile device, press and hold on the link and a pop-up will appear showing where the link leads.
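Clues 1 and 5 above can both be checked mechanically. The following Python script is an added example written for this page (not code from the original article or its references): it flags a From display name that mentions a domain the real sender address does not belong to, and a link whose visible text shows one domain while the href points somewhere else. The sample message, and every name, address and domain in it, is constructed for illustration.

```python
"""Two automated versions of the phishing clues above: a From display name that
claims a domain the real address does not belong to, and a link whose visible
text shows one domain while the href points to another.

Added example for this page, not code from the original article. The message
below is constructed; every address and domain in it is a placeholder.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside free text, e.g. "payments.example.com".
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable_part(host):
    """Crude 'company' part of a hostname: its last two labels.
    (Heuristic for illustration; a real tool would consult the public suffix list.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(from_header):
    """Clue 1: flag a display name that names a domain other than the address's own."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header contains no usable email address"]
    host = addr.split("@", 1)[1]
    return [
        f"display name mentions {token} but the message is from @{host}"
        for token in DOMAIN_RE.findall(name)
        if registrable_part(token) != registrable_part(host)
    ]


def check_links(html_body):
    """Clue 5: flag links whose visible text names a domain the href does not go to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target = urlparse(href if "://" in href else "http://" + href)
        shown = DOMAIN_RE.search(text)
        actual_host = target.hostname or ""
        if shown and registrable_part(shown.group(0)) != registrable_part(actual_host):
            findings.append(f"link text shows {shown.group(0)} but points to {actual_host}")
    return findings


def analyse(raw_message):
    """Run both checks over a raw RFC 5322 message and return the list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


# Constructed sample message: all names, addresses and domains are placeholders.
SAMPLE = """\
From: "Payments Team - payments.example.com" <alerts@mail-example.net>
To: staff@example.edu
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended today. Verify here:
<a href="http://login.example.net/verify">https://payments.example.com/verify</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("WARNING:", finding)
```

Run against the constructed message, the script reports both clues: the display name advertises payments.example.com while the mail actually comes from mail-example.net, and the link text shows payments.example.com while the href goes to login.example.net. Neither check proves an email is phishing on its own; they are the same two questions the article asks you to answer by eye, asked automatically.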

6. Lastly, never send a reply message to a suspicious email

Replying to a phishing email confirms to the sender that your email address is active, which can encourage them to keep sending you phishing emails. Time spent dealing with these will affect your productivity at work.

Kindly contact the EIT helpdesk by email (helpdesk@smu.ca) or phone (902-496-8111) if you need further assistance with a suspicious or phishing email.

References:

Luke Irwin, 5 Ways to detect a phishing email - with examples, https://www.itgovernance.co.uk/blog/5-ways-to-detect-a-phishing-email

How to spot Phishing Attacks, https://www.microage.ca/regina/wp-content/uploads/sites/28/2016/08/How-to-Spot-Phishing-Attacks.pdf

Password Managers: What are they?

The main focus of security awareness in April was making passwords user friendly, and it was advised that password managers be used. This prompted the question: what is a password manager?

In a world where different passwords are used daily on a variety of devices, it has become increasingly difficult to remember each unique password and keep it secure without writing it down.

A password manager is a software application that is used to store and protect all of our passwords in one secure place on our devices e.g. mobile devices or computers. In other words, it serves as a virtual vault for your passwords.

Benefits of using a password manager

  • It helps you create complex, distinct, secure passwords for each of your accounts (websites, applications, etc.) and stores them.
  • It can enter the passwords for you.
  • You don’t have to memorize or write down your passwords.
  • It removes the temptation to reuse the same password for multiple accounts.
  • You need to know and remember just one password, referred to as the “master password”, to access all of the passwords stored in the manager.

Note of warning: the downside of using a password manager is that you must never forget your “master password”; otherwise you will lose access to all of your other passwords. Once the master password is forgotten, no one can retrieve your passwords for you, not even the product owner or vendor, and you will have to reset the passwords on every site where you used the manager. It is therefore important that you don’t forget what this “master password” is.

List of Password Managers

There are many password managers available. ITSS does not endorse or provide support for any particular product. Below is a list of widely used password managers.

Things to consider when choosing a good password manager

  • Is it user friendly? (ease of use)
  • Is it actively updated and patched? (always use the latest version)
  • Does it create strong passwords?
  • Where is the data stored and how is it encrypted?
  • Does it have multifactor authentication?
  • Can you use it across many devices?
  • Does it offer you a way to securely share passwords in a team?

Remember, there is never a perfect solution in information security, and this applies to password managers too. While using a password manager, you still have to maintain good cybersecurity habits such as keeping your software up to date, not leaving your password manager running when you are not actively using it, and using two-factor authentication for extra protection.

Resources:

Password Managers, A Higher Education Information Security Council (HEISC) Resource, July 2019. Available at https://library.educause.edu/-/media/files/library/2015/7/passwordmanagers-pdf.pdf

Making Passwords User Friendly

The KISS principle has been in use since the 1960s, with its roots in the U.S. Navy. The acronym, which stands for “Keep it simple, stupid”, expresses the idea that simplicity should be the goal of any design or system and that complexity should be avoided whenever possible.

With the 1990s and the rise of the Internet, password requirements became increasingly complex. First we had to include a minimum of six or eight characters, then a mix of alphanumeric characters, then upper case letters, and eventually special characters. The complexity required in passwords today has caused a new problem for users: we tend to forget them.

Passwords are key to protecting your accounts and knowing simple ways to securely create and manage all your passwords is vital for digital security and our digital quality of life. This month our focus will be on making passwords fun to create and manage effectively.

The following steps will help reduce the pain in creating and managing passwords:

Passphrases

The traditional approach to creating a password has been to make it very complex. This makes passwords difficult to remember, and ultimately people resort to shortcuts or workarounds that jeopardize security. Passphrases, however, can be fun and much easier to remember (KISS). A passphrase is a type of strong password made up of random words or a short sentence. Here are examples of passphrases:

  • The-future-is-now-says-the-president-in-march
  • I really look forward to summer days in the Atlantic Provinces!

The examples above are strong, fun to create, easy to remember, and contain over thirty characters, which makes them more difficult to crack. Remember, the key to strong passphrases is to make them long: the more characters you have, the better.
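To put the “longer is stronger” point into numbers, here is an added Python example (written for this page, not taken from the article or the SANS readings). It draws passphrase words with the operating system’s cryptographically secure random generator and compares the guessing space of six random words from a 7776-word list with that of eight random characters from the 94 printable keyboard symbols. The word list in the code is a small constructed stand-in.

```python
"""Random-word passphrases versus short complex passwords, in numbers.

Added example for this page (not from the original article). WORDS is a tiny
constructed list for illustration; a real generator would draw from a published
list of several thousand words, such as a Diceware list (7776 words).
"""
import math
import secrets

# Constructed stand-in word list; far too small for real use.
WORDS = ["harbour", "lantern", "maple", "tidal", "summer", "granite",
         "copper", "fiddle", "meadow", "anchor", "lighthouse", "puffin"]


def generate_passphrase(wordlist, count, sep="-"):
    """Pick `count` words uniformly at random using the OS CSPRNG (secrets),
    never the predictable `random` module."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Guessing space of `count` words drawn at random from `list_size` words."""
    return count * math.log2(list_size)


def password_entropy_bits(length, charset_size):
    """Guessing space of a truly random password of `length` symbols."""
    return length * math.log2(charset_size)


def compare(word_count=6, list_size=7776, pw_length=8, charset_size=94):
    """Return (passphrase_bits, password_bits) for the two approaches."""
    return (passphrase_entropy_bits(list_size, word_count),
            password_entropy_bits(pw_length, charset_size))


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase(WORDS, 5))
    pp_bits, pw_bits = compare()
    print(f"6 random words from a 7776-word list: {pp_bits:.1f} bits")
    print(f"8 random printable ASCII characters:  {pw_bits:.1f} bits")
```

Six random words come to roughly 77 bits of guessing space against roughly 52 bits for eight random characters, and the words are far easier to remember. The arithmetic assumes every word or character is chosen at random: a sentence you compose yourself, like the second example above, gains strength from its length but is more predictable than the same number of random words, which is why the article stresses making passphrases long.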

Password Managers

It is important to use a unique password or passphrase for each account that you have. Reusing the same password for different accounts makes you vulnerable to hackers. A hacker who has accessed one of your accounts will try to reuse the stolen password to access other accounts that you have.

Password managers are special programs that securely store all your passwords in an encrypted vault. You only need to remember the password for the password manager in order to access all the passwords that you have saved in it. There are other features that come with password managers that may vary from one application to the next. One caution: always remember the password for your password manager.

There are both paid and free password managers available. See a list of free password managers HERE (Fossbytes.com).

Two-Factor or Multi-factor Authentication

Two-factor or multi-factor authentication adds an additional layer of security to your account: an extra step is required to log in beyond entering your password. For example, you will need your password and an automated numerical code sent to your phone, or an authentication message sent to your phone prompting you to confirm that you are the one trying to access your account (this is similar to the two-step verification used on popular email platforms such as Gmail, Yahoo Mail, etc.). Other examples include biometrics, key fobs or cryptographic keys, and smartphone-based authentication apps. These methods provide a strong additional layer of defence without unduly burdening the user.

Further Reading:

Making Passwords Simple: https://www.sans.org

Long Live the Passphrase: https://www.sans.org


Published April 12, 2019

Staying Safe During Tax Season

As tax season nears, we begin to collect all the necessary paperwork and fret over whether we will have to hand over even more of our hard-earned money to the government. It is also the time of year that questionable phone calls and emails start coming in.

Tax season could become the CRA tax scam season.


CRA tax scams come in various forms: phone calls, emails or text messages. Typically, the caller or email sender poses as an agent or representative of the Canada Revenue Agency (CRA) in an attempt to gather personal information (such as name, social security number, date and place of birth, mother’s maiden name, etc.) or to intimidate an individual into making a payment. These scams have become so common that the CRA has put together tips on how to stay safe and how to report them.

Here are some highlights from that page:

The CRA will never:

  • Give or ask for personal or financial information by email and ask you to click on a link
  • Send an email with a link to your refund
  • Demand immediate payment by Interac e-transfer, bitcoin, prepaid credit cards or gift cards from retailers such as iTunes, Amazon, or others
  • Use aggressive language, threaten you with arrest, or a prison sentence
  • Set up a meeting with you in a public place to take a payment
  • Contact you via text messages or an instant messaging application (such as Facebook Messenger or WhatsApp)

Here are some examples of tax scams:

Example of a tax scam text message (image)

Example of a tax scam email (image)


To read more, check out the following links:


Published March 01, 2019



Dating in a Digital World

Love is in the air!... maybe…

As Valentine’s Day approaches, single people often feel an extra push to “get out there” (even if “getting out there” means signing up for one of the many dating sites while sitting at home in pajamas). Online dating is now one of the most common ways that people meet potential mates. With the rise in online dating came an increase in romance scams, a common way for scammers to find new victims. Romance scams are frauds in which individuals use the promise of love, romance, or a night of hedonistic fun to entice and manipulate online victims into handing over money, gift cards, or worse.

Typically, these scams come in the form of “catfishing”. Catfishing is the practice of pretending to be someone you are not in order to attract others. A common example of this would be someone who uses a set of photos they found online in order to draw in potential victims.

Without a doubt, online dating is a great way to expand your dating sphere and learn more about someone before you take the time to meet and get to know them in person. It is important to remember that there are good people out there as well – the key is to know how to tell the difference.  

Here are some tips to keep you safe after you’ve swiped right:

  1. If they are looking for money, it’s likely a scam. Send them a link to an employment site and block them.
  2. Always meet in a public place until you feel safe to head somewhere more private.
  3. Let a friend or family member know where you are going and check in with them.
  4. Do some research – search for the lucky person on search engines and social media sites. You can even try a reverse image search to see if their photo is fake.
  5. Consider a video chat before meeting in person.
  6. Be careful using apps that track your location. For example, if a dating app shows the distance between you and a potential partner, your location is being tracked.
  7. Don’t share personal information before getting to know the person.
  8. Don’t add your social media accounts to your public profile in a dating app – this could reveal your real name, surname, university, or place of work.
  9. Be careful when someone suggests you take the conversation to personal email or another website.
  10. Be cautious about sending images. Practice caution and use judgement if you choose to.
  11. Install antivirus software on your smartphone. This will notify you of any privacy breaches.
  12. Go with your gut – if something seems “off”, back out. If things get worse, block them and report to the local police.

Read more about staying safe on popular dating apps:

https://internet.frontier.com/resources/how-to/cyber-security-checklist/

Published February 11, 2019



January 28 is Data Privacy Day

Data privacy for individuals means reviewing privacy settings on social media, being mindful of entering data into websites, and taking ownership of one's online identity.

The internet is full of data about you and me. Whenever we play a game, shop, browse websites or use any of the numerous apps available, our activities and some of our personal information may be collected and shared. The same applies to our connected devices: smart TVs, phone trackers, GPS units, security cameras, wearables and smart appliances. These devices make our lives very convenient, but they also leave our “digital footprint” on the internet afterwards. What we share and how well we guard our privacy together define our online presence. It is therefore critical to learn how to protect our information and guard our privacy online.

The following tips will help to protect your online privacy:

Use long and complex passwords or passphrases. 

These are often the first line of defense in protecting an online account. The length and complexity of your passwords can provide an extra level of protection for your personal information. Avoid using the same password for multiple websites, accounts, or apps. Use a password manager to manage numerous passwords.

Take care what you share. 

Periodically check the privacy settings for your social networking apps to ensure that they are set to share only what you want, with whom you intend. Be very careful about putting personal information online. Remember, what goes on the Internet, usually stays on the Internet.

Go stealth when browsing. 

Your browser can store quite a bit of information about your online activities, including cookies, cached pages, and history. To ensure the privacy of personal information online, limit access by going "incognito" and using the browser's private mode when necessary.

Using Wi-Fi? 

If only public Wi-Fi is available, restrict your activity to simple searches (no banking!) or use a VPN (virtual private network) when necessary. The latter provides an encrypted tunnel between you and the sites you visit.

Should you trust that app? 

Only use apps from reputable sources. Check user reviews or consult other trusted sources before downloading any app that is unfamiliar.

Has your privacy been compromised?

Change the password of any site or app that you believe may have been compromised. If you reused that password on multiple sites, change it on all of them to make sure your information is safe.

Visit the EIT Help Desk if you have any further concerns.

Published January 22, 2019