
Web Security For the Tech-Impaired: The Dangers of Email

Editor’s Note: The following post is the first in a series of blasts that we will be sharing for readers who are – or who know people that are – not technically savvy. We will touch on topics that we in the security community are very aware of and attempt to break them down into language that those who are not as internet skilled may understand. If you have suggestions for topics you wish for us to cover in this series, please share in the comments.

You’ve all been there. You open your email and your mom has sent you something. You see the two letters you dread: FW. Oh look, it’s an email with a link to a YouTube video about a cat who just can’t seem to figure out that the sliding glass door is a solid object. You contemplate sending back an email saying ‘Come on Mom, you should know to never ever click on links in emails,’ but you don’t want to ruin her fun — and more than likely she won’t understand WHY clicking on links in emails is a bad thing. You could try to explain it to her, but you’re afraid her brain will explode if you start talking about things like “Cross Site Scripting”. Well folks, I’m going to try and help you out. In this new blog series, I am aiming to provide tips and advice that you can share with your less-than-tech-savvy friends and family – whether it’s your mom, grandpa, cousin Vinny or whomever. These are posts that I intend for you to FW: (uh oh, there are those letters again) the links to your mom (or whomever) so that they can get a non-technical explanation of the dangers of the ‘internets.’ Now begins the non-technical explanation. Here we go!

Hello there! You’re no doubt reading this as a result of your son/daughter/grandson/granddaughter having sent you here for guidance. Fear not, I will help guide you through the dangers of the internet and help you be more secure with your personal information. No doubt you’ve heard of recent credit card breaches in stores you visit every day. You’ve also probably heard about ‘phishing’ emails that ask for your personal information in an email or ask you to click some link. You may have seen emails that say ‘Your credit card has been stolen, please email your Social Security number, mother’s maiden name and birthdate to this email address.’ The good news is that you can prevent yourself from being a victim of these scams.

The first thing you’ll need to know is that you should be very, VERY paranoid about anything you get in an email. If someone knocks on your front door, you’re always skeptical about what they want; the same principle should be applied to email. Anyone and everyone can email you and not all emails should be trusted, particularly from contacts that you do not know or that ask you for personal information. Most businesses make it a point to not request such information over email, so if you get such a request, it is quite likely a scam. Secondly, it is very easy to fake the sender of an email. Just because it says ‘’ doesn’t mean it is. Never trust that your email is coming from the business that it purports to be coming from.

Furthermore, links and attachments in emails can be bad news. Just as it’s very easy to make it look like an email is coming from someone else, it’s just as easy to make a link in an email look different. I can easily make it look like it’s going to ‘’ but really when you click on the link it will take you to ‘’ Fake sites are set up under the guise of seemingly legitimate URLs in an effort to get you to click on them, which could lead to theft of personal information or worse. Attachments in emails from unknown sources are also bad news. You could be unknowingly downloading malware — software that can interfere with the proper functioning of your computer, damage your privacy or even install the dreaded virus.

All this sounds pretty frightening already. You may think you now need to go make a tin foil hat and build a bunker in your backyard. But with this knowledge you are well-armed to combat identity thieves. Here are a few simple things you can do to help protect yourself:

* Never give your personal information to anyone. No legitimate business will ask you to send them your Social Security number, credit card number, passwords, date of birth, etc., over email. If they’re asking for that information it is 99.9% likely that it’s a scam. Sometimes an attacker will send an email that makes it sound like there’s an emergency — if you don’t do what they’re asking for right away, something horrible will happen! Instead of doing what the email says, if it looks like it might be from a legitimate business – like a bank that you do actually have an account with – contact that business directly. Don’t use any links from that email. Let them know what email you received and that you want to confirm whether or not it was a legitimate email.

* Never click on a link in an email — it’s just asking for trouble. If you really want to watch that cat video, copy the link address into your browser window so you can be sure you’re sending your browser where you actually want it to go.

* If you receive an email that has an attachment and you were not specifically expecting that person to send you that attachment, contact them directly and confirm that they sent it and it’s a legitimate attachment. More than once a friend of mine has found out that their email account was hacked because I contacted them about a suspicious attachment.

This is but the beginning of your training and you should come back to this blog often to hear more helpful (and hopefully easy to understand) advice on how to better protect yourself on the internet. Go forth and click on!
