Have you ever heard of phishing? We are sure you hear about Internet scams or stolen personal information daily, yet none of us ever think we’re the ones it is going to happen to. As scamming gets more sophisticated and more personal, it may seem harder than ever to keep your information protected, but there are many steps you can take to keep yourself out of trouble. To get some tips on how to keep your accounts secure and your social media safer, Richard Magazine spoke with renowned security expert Dr. Eric Cole.
Dr. Cole is the CEO of Secure Anchor, the former CTO of McAfee and Lockheed Martin, a member of the Commission on Cyber Security for the 44th President, the security advisor for Bill Gates and his family, and author of the upcoming book, Online Danger: How to Protect Yourself and Your Loved Ones From the Evil Side of the Internet. He shared a wealth of knowledge with us, so be sure to check out our exclusive Q&A below.
Richard Magazine: In your personal experience, how have you witnessed online scams or cyberattacks changing over the years?
Dr. Eric Cole: The big change that I’ve seen is that they are becoming more and more realistic, and harder for individuals to be able to determine legitimate vs. scams. We probably all remember 18+ years ago, the “I love you” virus, where everyone received an “I love you” message from co-workers. The thing that amazed me with that is that it was pretty obvious it was a scam, yet people still clicked on it.
However, today you’ll go in and receive a message from a co-worker or friend where it looks legitimate, it seems legitimate, and unless you step back and say, “Wait a minute, why would they be asking me for this information? Or wanting money?” and do an out-of-band verification, you can get in trouble very, very quickly. So the adversary is getting really, really smart. They’re understanding how humans respond, and are going in and doing these scams with a couple of key facts.
First, there is always an urgency. It is always, “We need an answer immediately. I need the money right now.” You’ve probably heard of the one with Facebook where you get a message from a friend that says, “I decided to take a last minute trip to Europe, and what a bad idea. I lost my passport and wallet and I’m stuck. Can you please wire me $300? If I do not receive it in the next hour, I’m going to have to sleep on the street.” So there is that urgency component. They are always asking for money or for you to do something, some action. And it’s always an emotional type decision. It’s always, “I’m stranded, I’m going to have to sleep on the streets.” So if you can train yourself, whenever you get any messages that have an urgency, an action, and some emotional component, step back and say, “Wait a second, is this really legit?” And if you think it is, pick up the phone. Text or call that person to be able to verify.
Richard Magazine: Can you tell us about phishing, and why it’s something even a casual social media user or online shopper should know about?
Dr. Eric Cole: Any time there’s money involved, so online shopping or even social media when friends might request money, you’re going to go in and have phishing. Basically, the adversary is after two things: personal information, things that they can use to sell information, or money, bank accounts, credit card information. And since both of those are very active, a lot of those phishing attacks are going to be targeting individuals and tricking them to give out information they normally wouldn’t give.
Richard Magazine: How can you recognize signs that untrustworthy sources may be trying to obtain your personal information?
Dr. Eric Cole: As I mentioned, that’s very difficult because they look and seem legitimate. The big advice I can give is don’t click on links. If you believe this is a legitimate site, it should be bookmarked in your browser or go directly to that site. Links are very, very dangerous. I know many people who say, “oh no Eric, I hover over the link so I can see where it’s going.” Adversaries are so clever that even if you hover over, it can look and seem legitimate, and you can still get in trouble. So, resist the temptation, don’t click on links. And don’t believe what you’re receiving if it asks you to take some action or transfer some money.
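The two answers above describe a triage routine: stop on any message that combines urgency, an action request and an emotional hook, and distrust links because the destination shown on hover can be made to look legitimate. The script below is an added example written for this article, not Dr. Cole's code or anything from Secure Anchor. It runs the three-cue check over a constructed sample message and then inspects each link for the common tricks that survive a hover test: display text naming one domain while the href points to another, a well-known domain name buried as a subdomain of someone else's domain, and an internationalised (punycode, `xn--`) hostname that renders as a look-alike. The keyword lists, the sample e-mail and the fictitious domains are all assumptions made for the example; `registrable_domain()` is deliberately simplified and a real tool would consult the Public Suffix List.

```python
"""Triage a suspicious message: flag urgency / action / emotion cues, then
inspect every link for display-text-vs-destination tricks. Standard
library only; the sample e-mail and domains below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative keyword groups (an assumption for this example, not a full list).
CUES = {
    "urgency": ["immediately", "right now", "within the hour", "next hour", "urgent"],
    "action": ["wire", "send", "transfer", "click", "verify", "confirm", "log in"],
    "emotion": ["stranded", "stuck", "street", "lost my", "help me", "please"],
}


def cue_hits(text):
    """Return, per category, which cue phrases occur in the message text."""
    low = text.lower()
    return {cat: [w for w in words if w in low] for cat, words in CUES.items()}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for .com-style names;
    a real implementation would use the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(text, href):
    """Explain why a link is suspicious even if it 'looks legitimate' on hover."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    # Internationalised hostname: may render as a look-alike of a known brand.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        findings.append("IDN/punycode hostname (possible homoglyph)")
    # Display text that itself looks like a URL/domain but points elsewhere.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"text shows {shown.group(1)} but goes to {host}")
    # A trusted name used as a subdomain of somebody else's domain:
    # www.examplebank.com.secure-login.example -> owned by secure-login.example
    parts = host.lower().split(".")
    if len(parts) > 3 and any(p in ("com", "net", "org") for p in parts[1:-2]):
        findings.append(f"well-known domain embedded as subdomain of {registrable_domain(host)}")
    if parsed.scheme == "http":
        findings.append("plain http")
    return findings


def analyze(html_body):
    """Return cue hits, per-link findings and an overall red flag."""
    plain = re.sub(r"<[^>]+>", " ", html_body)
    parser = LinkExtractor()
    parser.feed(html_body)
    cues = cue_hits(plain)
    links = [(t, h, link_findings(t, h)) for t, h in parser.links]
    # The rule from the interview: urgency + action + emotion together is
    # the pattern to stop on; any suspicious link is reason enough on its own.
    red_flag = all(cues.values()) or any(f for _, _, f in links)
    return {"cues": cues, "links": links, "red_flag": red_flag}


# Constructed sample modelled on the "stranded in Europe" message.
SAMPLE = """<p>I decided to take a last minute trip to Europe and lost my passport
and wallet. I'm stuck. Please wire $300 within the hour or I sleep on the street.</p>
<p>Use the bank's secure form: <a href="http://www.examplebank.com.secure-login.example/wire">
https://www.examplebank.com/wire</a> or <a href="https://xn--pple-43d.example/">apple.com</a></p>"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("red flag:", result["red_flag"])
    print("cues:", result["cues"])
    for text, href, findings in result["links"]:
        print(f"{text!r} -> {href}: {findings or 'no findings'}")
```

Running it on the sample reports all three cue categories, three findings on the first link (displayed domain differs from the destination, a bank's name embedded as a subdomain, plain http) and two on the second (punycode hostname, displayed domain differs). The point of the link checks is the one Dr. Cole makes: hovering shows you a string, not who owns the destination, so go to a bookmarked site instead of clicking.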
Richard Magazine: What should someone’s first steps be if they believe they are being targeted, or have become a victim of phishing?
Dr. Eric Cole: It’s pretty common that you’re going to be targeted. So if you just believe you’re being targeted, honestly just block that person, don’t take action. If you believe that it’s a real threat, and that you and your family are in danger, you could call the police. The problem is that if it’s just your standard scam where they’re trying to get money, there’s just so much of it out there. It’s coming from foreign countries, and the probability of investigation is very low.
If you just think you’re being targeted, that’s everybody. But if you believe you’ve been a victim, then what you want to do is minimize the damage as much as possible. You want to notify your banks, notify your credit card: whatever you believe has been compromised or impacted, you want to be proactive to notify them and change that information. Typically, one of the first steps is to change your passwords, because usually that’s what they compromised to get into your different accounts. So you want to get those passwords changed as soon as possible, and then notify anything that could cause financial harm or damage to yourself.
Richard Magazine: Are there any apps out there more prone to this activity than others?
Dr. Eric Cole: What it really comes down to is a numbers game for the adversary. So they’re going to go after the bigger sites. Facebook has always been a huge, huge area. Instagram, you’re going to see a lot more there. LinkedIn is starting to increase. Twitter, a little bit, but just because of the shorter messages – you don’t really open attachments and there’s not as much messaging so you don’t see as much there.
It’s not the security or vulnerability of the app, per se. Because all apps have the same potential security, it’s all dependent on what you turn on and what you configure. But it’s really the more popular apps that the adversaries go after, just because of the numbers game.
Richard Magazine: We spend so much of our time on social media. What are some ways you would recommend to make our accounts more secure?
Dr. Eric Cole: The biggest recommendation is that these accounts are not secured by default. The good news is, there is a lot of security. But you have to turn it on. Now everyone always asks me, “Now, why can’t the vendor just turn it on?” It’s simple: vendors want happy customers. Customers are happy when things work. Customers are sad when things don’t work. So if you go in, and they had all of the security turned on, and you couldn’t do anything but had to spend 15 minutes turning off or minimizing it, you would be frustrated and angry. So the fact that you can go in and everything works is great; the fact that you’re exposed and there’s no security is sort of a negative.
But unfortunately, as a society we’re not there yet, where people are willing to openly accept the inconvenience of security out of the gate. Of course, once they become a victim, then they’re willing to accept the security. But unfortunately, usually something bad has to happen for that to occur.
Richard Magazine: How do you suggest users ensure their online banking and shopping information be protected?
Dr. Eric Cole: This is going to sound like a pretty silly solution, but it works really well: use two computers. So have one computer where you’re checking email, doing random surfing, doing things that have a high probability of compromise, and then have a second computer that you only use for your online banking and going to specific sites. Also, use different credit cards for each of those different apps, so if it gets compromised, you know where it came from and can control the damage.
I always use two computers, and now if my first computer gets compromised, the impact is minimal because my critical data is on a second computer. Now I know some people say, “Oh but Eric, I can’t afford a second computer.” My response to that is that you can’t afford NOT to have a second computer. Just do the basic math, you can buy a second computer for $500. Now what if you don’t do that, what if you have a single computer. What is the probability in the three years you have that computer, that you do something stupid? Very, very high. Now if that occurs and you get infected, and all of your banking and other information is compromised, what is going to be the impact? Really, the question is will it cost you more than $500? Absolutely. So you want to be proactive in protecting and securing your information.
Richard Magazine: A lot of times we see cool fashion brands or indie labels promoting their e-commerce stores on social media. What are some steps shoppers can take to make sure these are legit businesses with trusted credit card transactions?
Dr. Eric Cole: This goes back to my previous comment, stick to the well-known sites. There’s no such thing as a deal that is too good to be true. We saw this a lot during Christmas where people would get ads, “You can get this gift for 80% off!” And people were like, “Wow, that’s awesome!” Step back for a moment. What is the probability that somebody is going to really be selling the legitimate product for 80% off?
The problem is these scams, they play off your emotion, and if you stepped back and thought about it, you would think, “Wait a minute, this doesn’t make any sense at all.” But you’re just so tied up in getting that gift, and in the emotional response, you click on it. Most people that have become victims that I deal with, they always go, “Eric, it just didn’t feel right. And after I clicked it, I knew something was wrong. But it already happened.” So the trick is really, think before you click. Stick with the main, known sites that are archived in your browser. And resist the temptation to click.
Richard Magazine: What tips would you suggest for those of us who have trouble remembering passwords – and resort to writing them down, using the same one everywhere, or auto-saving everything?
Dr. Eric Cole: You just highlighted the big things you don’t want to do! My recommendation is a couple things. One is, don’t think “password,” think “pass phrase.”
So if I was teaching this or we were together, I would write down a password that looked really difficult. It would have letters, it would have numbers, and special. And you’d look at it and go, “Wait, there is no way I would remember that.” And then I’d say, “My first son was born at Fairfax Hospital at 11 o’clock.” So now I’d take the first letter of each word. I’d have an uppercase M, the number 1, s, w, b, the @ symbol, FH, @ 11. So now you have letters, numbers, and special. It looks difficult, but it’s very easy to remember. So the trick is think pass phrases, and it’s much easier.
Second, if you do need to use a password vaulting program, that’s better than making your passwords the same or writing them down. The way password vaulting works is that it’s an encrypting program on your phone that uses two-factor, so you can use a biometrics or a password, or a combination. Then you can have all your passwords very secure, stored in that app. If you have trouble remembering your passwords, password vaulting is the recommended solution.
To learn more about crucial cybersecurity from Dr. Eric Cole, be sure to visit his website, OnlineDanger.com. Keep an eye out for his book of the same name, coming to major retailers in March 2018.
— Kristine Hope Kowalski