This week seems to be all about my ranting. Oh well. Here’s another one.
I was notified today that a human resources employee at the company where I work unintentionally gave personally identifiable information to a phishing scammer. The scammer impersonated the company CEO via email, and the HR staffer didn’t check the address to ensure it was legitimate. Upon the scammer’s request, she handed over information from employee W-2s for 2015: names, Social Security numbers, and wage and salary information. The company is addressing this by terminating the employee responsible (they did this within hours of learning who did it), and through offering various credit monitoring and protection services for the next year.
It was mentioned that this sort of scam is common and widespread. It’s happening more and more. Personal information that can be exploited for illicit purposes is a growing market. It’s imperative that everyone protect themselves. This isn’t an issue solely in the workplace–it can strike at home, too.
Given the endless breaches of people’s personal data, you’d think everyone would take their own cybersecurity more seriously, but many don’t. While you can’t prevent every possible compromise scenario, there are a number of steps you can take to minimize your chances of being scammed or compromised.
Check the source.
Whether it arrives by email or by phone, if someone is asking you for potentially sensitive or confidential information, make sure it is really who you think it is and consider whether the request makes sense. A credit card company, for instance, will never ask you for your username and password for their website. Likewise, always check the URL when you're on a website and about to enter a username and password, or any kind of financial information. The lock icon most browsers show in the address bar means the connection is encrypted; it does not mean the site is legitimate, since a scammer can get a valid certificate for a domain they own just as easily as anyone else. So also make sure the site is what you think it is. If you use online banking with Chase, for instance, look at the host name (the part after http:// or https:// and before the next / character): it must be exactly "chase.com" or end in ".chase.com", as "www.chase.com" does. If it's "chase.com.[anything else]", or a lookalike such as "chase-secure.com", you're looking at a scam. Browsers do flag some known phishing sites with a warning that the site is potentially unsafe, and you should take those warnings seriously, but the absence of a warning proves nothing: always double-check the address yourself and make sure it is the site you think it is. Likewise, if the site itself has a different look than usual, don't take it for granted. Is it really a redesign, or is it phishing?
One of the best ways to avoid such issues is to bookmark what you know is the legitimate site, and always use the bookmark to access it. Don’t click links in emails unless you are certain the email originated from the proper source.
With emails themselves, check the actual address in the "from" field, not just the display name: a message can show your CEO's name while the address behind it belongs to some other domain, and a lookalike domain one letter off from your company's is easy to miss at a glance. Bear in mind that even the address can be forged outright, so if the "reply-to" address points somewhere other than the sender, or a request comes in via email asking for something unusual or unexpected, it's wise to be skeptical!
If you’re at work and you can speak to the requester face-to-face, or by phone, do so. Call them or go see them. If it’s really that important, they won’t mind the extra confirmation.
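Here is the host-name and sender check from this section written out as a short Python script. It is an added example, not something from the original post; the domains in it (chase.com as the real bank, company.example as the employer, evil.example as the scammer) are stand-ins, and the sample URLs and headers are constructed to show the tricks described above: a real domain buried in a longer host name, a real-looking address placed in the display name, and a Reply-To that points somewhere else. It only tells you whether an address is the one you expect; a forged From header that matches exactly still gets through, which is why the phone call or face-to-face check in the last paragraph matters.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit


def domain_matches(host, expected):
    """True if host is exactly `expected` or a subdomain of it.

    "www.chase.com" matches "chase.com"; "chase.com.evil.example" does not,
    because the real domain has to be at the END of the host name.
    """
    host = host.lower().rstrip(".")
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def site_is_expected(url, expected_domain):
    """Apply the address-bar check from the post: https, and the right host."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix (so "https://chase.com@evil.example/"
    # yields "evil.example"), drops the port, and lowercases the result.
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    if not host.isascii():
        # A non-ASCII host may be a look-alike built from foreign letters;
        # treat it as unverified rather than trying to be clever here.
        return False
    return domain_matches(host, expected_domain)


def _address_domain(header_value):
    """Return the domain of the real address in a From/Reply-To header, or None."""
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2]


def sender_is_expected(from_header, expected_domain, reply_to=None):
    """Check the actual address (not the display name) in From, and Reply-To if present."""
    from_domain = _address_domain(from_header)
    if from_domain is None or not domain_matches(from_domain, expected_domain):
        return False
    if reply_to is not None:
        reply_domain = _address_domain(reply_to)
        if reply_domain is None or not domain_matches(reply_domain, expected_domain):
            return False  # replies would go to the scammer, not to the named sender
    return True


# Constructed samples for the demonstration; none of these are real messages.
SAMPLE_URLS = [
    "https://www.chase.com/login",               # real host, https
    "http://www.chase.com/login",                # real host but not https
    "https://chase.com.evil.example/login",      # real domain buried in a longer host
    "https://chase.com@evil.example/login",      # "chase.com" is a username, not the host
    "https://chase-secure.com/login",            # lookalike domain
]
SAMPLE_FROM_HEADERS = [
    ("Jane Doe <jane.doe@company.example>", None),
    ('"jane.doe@company.example" <ceo-office@evil.example>', None),   # real address only in display name
    ("Jane Doe <jane.doe@company-example.com>", None),                 # lookalike domain
    ("Jane Doe <jane.doe@company.example>", "Jane Doe <jd@evil.example>"),  # Reply-To elsewhere
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("OK  " if site_is_expected(url, "chase.com") else "BAD ", url)
    for from_header, reply_to in SAMPLE_FROM_HEADERS:
        verdict = sender_is_expected(from_header, "company.example", reply_to)
        print("OK  " if verdict else "BAD ", from_header, "| Reply-To:", reply_to)
```

The script deliberately treats a bare http:// URL as a failure even when the host is right, since a login page should never be served unencrypted, and it rejects any host containing non-ASCII characters rather than trying to distinguish a foreign-alphabet look-alike from a genuine international domain.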
Diversify and protect your passwords.
Do you use the same one or two passwords for everything? A lot of people do. It’s a bad, bad idea. Don’t do it.
Use a password manager like KeePass or 1Password. These can actually be more convenient than memorizing passwords, because with the right browser extension they fill in login forms for you automatically.
You will still need a few memorized passwords that no program can supply for you: the master password that unlocks the vault, and the password for wherever you keep the vault's backup. Each of those must be unique and as strong as you can make it, and you must actually know it. (And yes, you should absolutely keep a backup of the vault somewhere that is itself protected by a password, such as your Dropbox account. The vault file is encrypted with your master password, so if that account is ever breached the attacker still has to guess the master password, which is exactly why it must be strong.)
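As an added example (not from the original post), here is a small Python script that does two things the advice above asks for: it runs over a password export and flags entries that share a password or a near-copy of one, the way people reuse "Winter2015!" as "winter2016", and it generates unique replacements with the secrets module. The vault contents are made up for the demonstration, and the grouping heuristic (strip trailing digits and punctuation, then lowercase) is an assumption about how people typically vary a favourite password, not any standard.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample export of (site, password) pairs; not real credentials.
SAMPLE_VAULT = [
    ("bank.example", "Winter2015!"),
    ("shop.example", "winter2016"),
    ("forum.example", "Winter2015!"),
    ("mail.example", "Tr0ub4dor&3"),
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def password_core(password):
    """Reduce a password to the part people keep when they 'change' it.

    Assumed heuristic: drop trailing digits/punctuation and lowercase, so
    'Winter2015!', 'winter2016' and 'Winter2015' all map to 'winter'.
    """
    core = password.rstrip(string.digits + string.punctuation).lower()
    return core or password.lower()  # an all-digit password has no core to strip


def find_reuse(vault):
    """Return {core: [sites...]} for every password core used on more than one site."""
    groups = defaultdict(list)
    for site, password in vault:
        groups[password_core(password)].append(site)
    return {core: sites for core, sites in groups.items() if len(sites) > 1}


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG; `random` is predictable and must not be used here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing effort of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def replacement_plan(vault):
    """For every site in a reuse group, propose a fresh unique password."""
    plan = {}
    for sites in find_reuse(vault).values():
        for site in sites:
            plan[site] = generate_password()
    return plan


if __name__ == "__main__":
    for core, sites in find_reuse(SAMPLE_VAULT).items():
        print(f"'{core}' is reused on: {', '.join(sites)}")
    for site, new_password in replacement_plan(SAMPLE_VAULT).items():
        print(f"{site}: {new_password}  (~{entropy_bits(len(new_password)):.0f} bits)")
    print(f"a 4-digit PIN is worth only ~{entropy_bits(4, 10):.1f} bits")
```

The entropy figure is for a password drawn uniformly at random; a human-chosen "complex" password with a capital letter, a year and an exclamation mark is nowhere near the 131 bits a random 20-character one carries, which is the whole argument for letting the manager generate them.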
Remember what “the Cloud” really is.
The Cloud is cool in a lot of ways–you can have access to your data anywhere! Your music library, your videos, your photos, it can all be at your fingertips from any device thanks to the proliferation of computing devices, data access points, and the Cloud.
But the Cloud isn’t magic. As an amusing picture making the rounds recently says, “it’s just somebody else’s computer.” This is key to remember. A Cloud system is only as secure as its designers have made it, and many companies are lax about security. They want to sell services to you, or make money showing you ads. Good security is a cost that many firms defer addressing because it’s often difficult and can be expensive.
With that in mind, be careful what you share with the Cloud. If you plan to upload anything that you'd be embarrassed or otherwise harmed by others seeing, either encrypt it before it leaves your machine or just keep local copies for yourself. A program like 7-Zip can make encrypted archives for you: choose the 7z format with AES-256 and turn on "Encrypt file names," since otherwise the names of the files inside the archive stay readable to anyone who gets hold of it, and give the archive its own unique password kept in your password manager rather than reusing the password of the account you upload it to.
Use a tiered access strategy.
This may sound complex but it’s actually quite simple.
Start with a PIN–a simple sequence of numbers. Don’t use your birthday or part of your Social Security number, or your kid’s or pet’s birthday. Everyone uses those and scammers know it. Pick something unique that only you know. Now, get a key safe lock, like this one. Then, attach it to a lockbox. Inside this lockbox you can keep either pieces of paper or flash drives which contain your vital passwords. Those vital passwords would be for accessing whatever services are needed to reach your automated password locker program (like KeePass or 1Password mentioned above).
While you don’t have to do things exactly this way, the purpose is to ensure that the only way you could lose access to your files is by forgetting your PIN. Given that it’s four digits, this should be easy to keep track of.
The elephant in the room is, of course, the problem of physical access. Bolt cutters and other tools can be used to compromise locks. Lockboxes can be physically broken into. Cybersecurity is not physical security–you must determine how best to protect the physical representations of your cybersecurity tools. Sometimes this can be as simple as keeping them in a hidden place no one would think to look. If one has the money and inclination, home security systems can add more peace of mind.
In the end, it is impossible to protect yourself against all possible threats. If your credit card company has lax security, you can't do much about that. You can only control what you have direct access to. When it comes to protecting what you do control, the point is to make it difficult enough to compromise you that the prospective scammer decides you aren't worth the trouble and moves on to someone who can be scammed more easily. Be careful, use strong, unique passwords (and secure them!), and make it harder for people with malicious intentions to get their hands on your vital information. Nothing is perfect, but taking even a few simple steps to protect yourself puts you ahead of the vast majority, and makes you that much less likely to be a victim.