Week 6:
3/4 Online Safety
Our agenda today:
Our web lesson contains lots of information. In our lesson, we will focus on some of the more important and topical areas.
Review from last time (web browsers)
Presentation
Homework:
Take the quiz
Review the web lesson. It contains a lot of information.
Spend time looking at the resources, both on what to do if you have had a breach and on how to stay safe.
Look at some of the suggestions for a safer you and consider making some changes.
Read the supporting information from previous classes on Online Safety
Recording:
There was a lot of information in this class. Review the recording of our Tuesday class. Then, use the website below for clarification and even more information. And, if you hear of any scams or phishing attempts, let us know via the Canvas discussion board.
Bonus:
By request, this is a summary of "what to do if...". It includes what to do as well as important websites and informational summaries.
Quick links:
Zoom room:
https://sdccd-edu.zoom.us/j/9191959460?pwd=OXh0RE9ZTVZTWElTMUQ0ZzAxQzExdz09
Passcode (if asked): emeritus
In this lesson
In this lesson we will:
Look at threats involving older adults, discuss how scammers trick us, and the potential outcomes of engaging with them
Recognize and avoid scams, including phishing, by checking for secure websites and questioning unsolicited contact
Identify ways to stay safe, including strong passwords, two-factor authentication, software updates and security software
Find resources to get help if you are a victim of a scam
Do hands-on activities to help spot phishing, and discuss scams others have heard of
Online safety includes Identifying and Avoiding Threats
Technology has exploded in recent years, creating multiple ways to stay connected, increase efficiency and productivity, and provide entertainment and learning opportunities. But with this technology come threats. And older adults are more likely to be targeted by a variety of these threats, including phishing emails, fake tech support calls, requests from "loved ones" for money, lottery scams and romance scams. We will begin with phishing, and discuss definitions, techniques, results and protecting yourself from phishing. We will then look at some common scams and what we might do if we encounter them.
Phishing can occur in many ways using many types of bait. Will you take the bait?
Phishing
What is Phishing?
Phishing is a type of cyberattack where attackers attempt to deceive individuals into revealing sensitive information, such as usernames, passwords, credit card numbers, or other personal details, by masquerading as a trustworthy entity. The term "phishing" is a play on the word "fishing," as the attackers "fish" for information from unsuspecting victims. It is important to remember that (like fishing), casting the line is not harmful to the fish. It is only harmful when the fish bites and takes the bait. In this case, you are the fish and the information that the scammer is seeking is the bait.
Phishing scams are popular among cybercriminals due to the relatively low cost, ease of execution and the high success rate. The FBI’s Internet Crime Complaint Center (IC3) reports annually on different types of cybercrime, and these reports often show phishing as one of the top types of cyberattacks. Cybersecurity companies also produce regular reports of internet threats, many of them highlighting that phishing is a substantial percentage of cyberattacks, with some reports suggesting up to 80% of security incidents are phishing. Of course, these numbers can change, but phishing appears to be a major way to infect our devices and extract information and even money.
How does phishing look?
Phishing messages usually arrive via email, but could be phone calls (vishing), text messages (smishing) or fake websites. In all of these cases, the message will direct you to do something. In some cases, phishing will be in the form of deceptive emails, where the attacker will pretend to be from a well-known company, bank or service provider, and the email may have logos and formatting which look legitimate.
Phishing emails will often have common traits. They may use urgent or threatening language, prompting you to act quickly or an account may be closed. They may also contain links to fake websites designed to look like legitimate ones. In all cases, the scammer is trying to bait you, hoping that you will take the bait.
Regardless of how they arrive, and regardless of the ways that we can identify them, falling for a phishing attempt will almost always end up with something compromised (identity, financial value, trust).
Different types of phishing:
Although the term phishing is broad, there are many types of phishing. Here are some of them.
In some cases, phishing may be a targeted attack. These target corporate email accounts and prominent wealthy individuals. In some cases, you might encounter "spear phishing", which uses personal information to make the attack more convincing. We have heard about scammers who trick one person in a large organization into revealing their login information, which then opens the door for scammers to impersonate insiders and gain valuable information about the organization. If the target is a very well-known person, the phishing may be referred to as "whale phishing".
Example:
A company's financial officer receives an email seemingly from the CEO, urgently requesting a wire transfer to a new vendor. The email, crafted with details from the company's recent activities, appears legitimate but is actually from a cybercriminal mimicking the CEO's email address. Believing the request to be genuine, the officer makes the transfer, leading to a significant financial loss.
With social networks, many people have given up their own privacy for the sake of connecting with friends and relatives. However, this information is not always private. Information on social networks can be used for "social engineering", that is, using what is already known about you so that you will provide even more personal information. Have you ever answered a quiz on Facebook? What have you "liked" on social media? If you have, you may be a victim of social engineering.
Example:
A hacker creates a fake profile, pretending to be a friend of the target on a social network, and sends a message with a malicious link, claiming it's a funny video. The target, trusting their "friend," clicks the link, inadvertently installing malware.
Many older adults experience problems with their technology and search for answers. In some cases, they may find themselves on a fake customer support site. The person on the other end may seem very helpful and may ask you for sensitive information or to share your screen. These tactics are especially dangerous because they prey on the vulnerability of the person needing assistance. This type of phishing is known as “angler phishing”.
Example:
A customer tweets at their bank's support account asking for help with a login issue. A hacker, monitoring such interactions, quickly replies from a lookalike account, offering assistance and directing the customer to a fake login page to steal their credentials.
Even to the trained eye, it can sometimes be difficult to recognize an authentic email versus a scam one. Both emails may include logos and business information, and appear to be from the official site. But there will be one tell-tale sign that this is not legitimate, usually in the email address which sent the note. Understanding how to identify the real site versus the fake one can be confusing. When a scammer creates a site which resembles a real site, it is known as "clone phishing".
Example:
An attacker sends an email that replicates a legitimate previously sent message, complete with original attachments or links, but with the links or attachments replaced by malicious versions, tricking the recipient into downloading malware or divulging sensitive information.
While phishing occurs when the user is tricked into clicking on a link, “pharming” can be more brutal. In this case, pharming manipulates the Internet to guide users to a malicious site automatically. This can be done by manipulating the DNS server (the server which interprets the domain name into an IP address), redirecting users to the fraudulent website even if they type the correct address into the browser. Or it can be accomplished by malware which alters the DNS settings, forcing the user’s computer to go to the fake one. This type of phishing is designed to extract your personal and financial information and other sensitive data. It can be avoided by using secure connections (HTTPS), up to date antivirus software and regularly updating your browser and operating system.
Example:
A user types the URL of their bank's website into their browser, but due to malware on their computer that has altered the DNS settings, they are redirected to a fraudulent website that looks identical to the real one, where their login details are stolen.
We all have our favorite websites, whether they be your bank, your social network, or a business that you visit often. Some skilled scammers might be able to use this information to set up a website that resembles the true site. They might then send you an email with a link to the site which you are familiar with, only for you to find that this site is now compromised. This type of phishing is known as "watering hole phishing".
Example:
Cybercriminals compromise a website frequently visited by employees of a targeted company. When an employee visits the site, they unknowingly download malware that gives the attackers access to the company's network.
Phones are not immune to phishing. In a version known as "vishing" (voice phishing), the scammer will call or leave a short message. It may be a message which appears to be meant for someone else, or it may be a short message with a link (maybe to a picture from the past). It can also be in the form of an account closing, a delivery which could not be completed, or many other possibilities. Another type of phishing for phones is called "smishing" and is a blend of texting and phishing. In this case, text messages are sent which are disguised as communications from businesses like Amazon or FedEx. Because they are texts, they appear more personal, and we are more apt to click on them. Again, always go to the company's site directly instead of clicking on the link.
Example:
Vishing: A scammer calls a victim, pretending to be from the victim's bank, claiming there's a problem with their account. They persuade the victim to share their account details and password over the phone, thereby gaining unauthorized access.
Smishing: A user receives a text message claiming to be from a delivery service, asking them to click on a link to update their delivery preferences. The link leads to a fake website designed to steal personal information.
We will be seeing an influx of creative phishing in the future, due to Artificial Intelligence. One of those new forms is known as "quishing", which exploits QR codes. In these scams, attackers embed malicious links in QR codes, which, when scanned, lead victims to fraudulent websites. These websites often mimic legitimate services, prompting users to enter sensitive information like login credentials or financial data.
Example:
In late 2023, a U.S. energy company was targeted by over 1,000 malicious emails, with around 29% of them containing QR codes. These phishing campaigns used Bing redirect URLs and sometimes exploited other domains like Salesforce applications and Cloudflare’s Web3 services. The QR codes were embedded within a PNG image or PDF attachment to evade email filters and reach recipients’ inboxes.
Recognizing phishing
The key to avoiding phishing scams is to be aware of it and to look for tell-tale signs. Here are some of the signs to look for:
Grammatical errors and odd phrases: Scams are often created in other countries and translated into many languages. As a result, you may find errors in grammar or odd ways to put together a sentence. You should read it aloud to see if it makes sense.
Example:
An email arrives stating, "Dear costumer, Your account will be close for failing to verify details. Please to click below for avoid problem." The message is riddled with grammatical mistakes and awkward wording, signaling a phishing attempt.
Fake Logos: When setting up a fake website, the scammer wants to make it look as real as possible. So they will want to include the logos of the official site. It is very easy to reproduce a logo, often as easy as copying and pasting it into the site, which can result in a low-resolution logo. (Unfortunately, with AI, this may not be a tell-tale sign in the future.)
An odd URL: We have spent several classes discussing URLs (the web address of a site). By now, you should be skilled at recognizing the domain where the email or website is from. Scammers may alter it by a single character. For example, usbank.com may become usbank.co, or usbanc.com. It is important to look closely at the URL and make sure that it is exactly where you want to go. A good rule of thumb is to go to the site directly from your device instead of clicking on a link in the email.
Unsolicited mail: You may receive an email from a company which you think is legitimate. It may ask you to complete a survey and say that you will receive a gift card if you do. These can be especially alluring to users looking for a quick reward. Another example is an email from a company describing the purchase that you made. You will then promptly respond by saying you did not order this item, in which case, you will be targeted for more information.
Example:
"You've been selected for a survey by [Your Bank Name]! Complete this quick survey and win an exclusive reward. Click here to start: [FakeURL].com/survey. Hurry, offer ends soon!"
Tech support: You may receive an email from Best Buy, Apple or Microsoft saying that there is a problem with your device, but they are here to help! Just contact them via this link and they will assist you online. This is particularly harmful because you may end up providing them with access to your device and compromising your own privacy. Just consider this: How would this company (Microsoft, Apple, Best Buy) know that you are having problems? They don't!
Example:
"Important Security Notice: We've detected unusual activity on your computer indicating a virus threat. Please click the link below to initiate a remote scan and fix the issue immediately: [FakeTechCompany].com/repair."
Taxes: We all file taxes and we all would love to receive a refund. You may receive an email providing instructions on how to get this refund. The email will send you to the IRS site. Only it will be an imposter site. There is only one website for the IRS, which is irs.gov. Any other domain is not legitimate!
Example:
"IRS Notice: You have a pending tax refund due to an overpayment! To claim your refund, please submit your banking details at: [FakeIRSLink].com/refund. Act now to avoid delays!"
Unusual activity: You may receive an email warning you about unusual activity, apparently from a legitimate company (Microsoft or Wells Fargo), including a link or asking you to call a number. The scammer will appear to be legitimate and may include things like recording the call, caller ID showing the claimed company, or even requesting that you complete a 2-factor authentication step or answer the special question used to gain access to a site (known as a CAPTCHA, or Completely Automated Public Turing Test to tell Computers and Humans Apart).
Example:
"We've noticed unusual activity on your account and suspect an unauthorized attempt to access it. Please verify your identity immediately by clicking here: [FakeCompanyURL].com/verify."
Suspended accounts: You may receive a note from a company saying that your account will be suspended if you don’t update your billing information. It will then ask you to click on a link. Never access your account via this method! Instead, go to the account via your web browser, sign in and update your account via their company portal.
Example:
"Urgent: Your account will be suspended within 24 hours due to outdated billing information. Update your details now to avoid service disruption: [FakeBillingUpdate].com."
Social media: Can you trust those links on Facebook or Instagram? Likely you cannot. Often scammers will provide links to products, services or other things which are important to you. How do they know what you like? They use social engineering. So they can target you via your political leanings, your friends, your likes, your personal information on the site and much more.
Example:
"Just saw your profile and thought you might be interested in this exclusive opportunity I found. Check it out here before it's too late: [FakeOpportunityLink].com. Let's make some easy money!"
Phishing via email:
Email is one of the key ways that phishing is delivered. What are some of the ways that you can identify a phishing email? Here are some clues:
Check the Sender: Is it from someone you know? Is the email address unusual? Also remember that a scammer can name an email account anything they want. So, a scammer might gain access to a list of your contacts, and then create an email with your name showing but their email address. Always double check the email address to see if it is legitimate. If it does not match what you have, contact them directly. Do not respond if you do not recognize the email.
Examples:
"support@amaz0n-secure-payments.com"
"customer.care@apple-idverify.co"
"john.doe1234@outlookk.com"
Context is Key: Did you expect to receive an attachment? Does the content of the email match the attachment? For example, you may receive an email from a scammer which contains an attachment called "invoice". We all want to make sure we pay our bills, so we will be tempted to open that attachment. Attachments can contain malicious code, so once you open it, you have taken the bait!
Example:
"Subject: Urgent: Invoice #4567 Overdue
Dear [Recipient's Name],
We hope this email finds you well. Our records indicate that invoice #4567, issued on [Date], for the amount of $2,985.75 remains unpaid. This is a friendly reminder that the payment is now 15 days overdue.
To avoid any late fees or service interruptions, please make the payment via the link below as soon as possible:
[PhishingLink].com/make_payment
We appreciate your prompt attention to this matter. If you have any questions or believe this to be an error, please contact us immediately at [FakeEmail]@invoicesupport.com.
Thank you for your cooperation.
Best Regards,
[Your Company's Name] Finance Team"
Generic or Vague Content: Did the email have a generic greeting or lack details? If the email is from a bank, they should address you by name and reference your account (not the entire account number, but the last four digits). If it is from a company who is saying that they will have to close your account, it should be addressed to YOU and not to "Madam" or "Sir".
Example:
"Dear Customer,
We've noticed some suspicious activity on your account and need you to verify your information immediately to prevent unauthorized access. Please click the link below to confirm your identity:
[GenericPhishingLink].com
Thank you for your prompt attention to this matter.
Best, Customer Support Team"
File Extension: If the email comes with an attachment, look at the attachment. You can tell a lot about the file from the name. The name will include a "file extension" which provides information about the type of file. Common file extensions for documents are .doc, .pdf, .xls, etc. Be cautious of unusual or double extensions like .pdf.exe, where the last extension is the one that counts. Malicious attachments often use .exe, .scr, .bat, .com, or .vbs extensions. If you hover over the attachment, you may be able to find more details. But in the long run, do not open any file that is not expected. Instead, contact the sender another way (call them, visit the website, etc.).
Also, when opening an attachment, you might be asked to enable macros. Macros are a set of instructions to perform a task. They can be used to automate repetitive tasks or to customize a program. But they can also be used to run malicious code on your device. Avoid enabling macros unless you are certain that the document is legitimate and safe.
Example:
"Invoice_#0325.pdf.exe"
"Account_Details_Update_Form.docx.scr"
"Payment_Receipt_Confirmation.zip"
"Employee_Survey_Response_Required.xls.exe"
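The three clues above (the sender's address, the attachment name and where a link really points) can be checked mechanically. This is an added example, not code from the lesson; it uses only the Python standard library, and the sample message, sender address and link target are constructed for the example.

```python
"""Triage of a suspicious email, added as an example; it is not code from the
lesson. It applies three of the checks above to a constructed sample message:
does the From: address belong to the company named in the display name, does an
attachment carry an executable or double extension, and does a link's visible
text agree with the address it really opens (what you would see by hovering)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: an "overdue invoice" lure with a lookalike sender address,
# a link whose text and target disagree, and a double-extension attachment.
SAMPLE = b"""From: "Amazon Payments" <support@amaz0n-secure-payments.com>
To: you@example.net
Subject: Urgent: Invoice #4567 Overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, pay now:
<a href="http://phishing-link.example/make_payment">https://pay.amazon.com/invoice</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_#0325.pdf.exe"
Content-Disposition: attachment; filename="Invoice_#0325.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Extensions the lesson lists as commonly malicious (js and cmd added here).
RISKY_EXT = {"exe", "scr", "bat", "com", "vbs", "js", "cmd"}
# Harmless-looking document extensions that scammers put in front of a risky one.
DOC_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def parse(raw_bytes):
    """Parse a raw message into an EmailMessage with modern header objects."""
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def hostname(url):
    """Lower-case host part of a URL; a bare 'www.x.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def sender_warnings(msg):
    """Flag a From: display name whose company name is absent from the address domain."""
    sender = msg["From"].addresses[0]
    domain = sender.domain.lower()
    # Second-level label, e.g. 'amazon' for mail.amazon.com (naive: ignores co.uk-style TLDs).
    labels = domain.split(".")
    company_label = labels[-2] if len(labels) >= 2 else domain
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", sender.display_name)]
    if words and company_label not in words:
        return [f'display name "{sender.display_name}" but address domain is {domain}']
    return []


def attachment_warnings(msg):
    """Flag attachments with a risky or double extension (by name only, no content scan)."""
    warnings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]          # ['pdf', 'exe'] for x.pdf.exe
        if exts and exts[-1] in RISKY_EXT:
            warnings.append(f"{name}: runs as a program (.{exts[-1]})")
        if len(exts) >= 2 and exts[-2] in DOC_EXT:
            warnings.append(f"{name}: double extension, looks like .{exts[-2]}")
    return warnings


def link_warnings(msg):
    """Flag links whose visible text names one site while the href opens another."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    warnings = []
    for href, inner in LINK_RE.findall(body.get_content()):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if "://" in shown or shown.startswith("www."):
            if hostname(shown) != hostname(href):
                warnings.append(f"link text shows {hostname(shown)} but opens {hostname(href)}")
    return warnings


def triage(raw_bytes):
    """Run all three checks over a raw message; returns the list of warnings."""
    msg = parse(raw_bytes)
    return sender_warnings(msg) + attachment_warnings(msg) + link_warnings(msg)


if __name__ == "__main__":
    for w in triage(SAMPLE):
        print("WARNING:", w)
```

A warning is a reason to look closer, not proof: a personal sender with a Gmail address will also trip the display-name check, which is exactly the comparison the lesson asks you to make by hand.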
Use Antivirus Software: Keep your antivirus up to date and scan the attachment if possible. Most antivirus software will allow you to scan a document before opening it. Some will alert you to scan as part of their service (such as Malwarebytes).
Check Digital Signatures: Some legitimate attachments might be digitally signed. Check for valid digital signatures that confirm the sender and ensure the attachment hasn't been tampered with. This would be in cases of very sensitive documents like loans and financial transactions. If in doubt, consult a professional to assist you.
Preventing digital signature fraud
Look for Encryption: Most modern email programs are encrypted. You can tell because they use https. Google, Yahoo, Outlook and AOL are all encrypted. However, there are email programs which may not use the https protocol. If the email has sensitive information and is not encrypted (https), treat it with caution.
Examples of phishing
Below is a collection of examples of different types of phishing. This site did not include the addresses the emails were sent from, which would be the first way of determining if they are legitimate. Remember that the email address needs to include the real domain. The name identifying the account may seem legitimate, but look at the actual email address.
These examples also do not allow us to take advantage of the hover option. With active links (buttons, underlined text), you can hover over the link with your cursor and view where the link is sending you. This is crucial to remember, because clicking on a bad link can start the chain of events. You can also right-click on a link and copy it. Then paste it into a web browser's address bar. Do not go to the site; instead, just inspect the address to see what domain it is pointing to.
Avoiding phishing:
From our lesson, we have discussed how phishing occurs and what to look for. But embedded in the lesson are some key takeaways for avoiding them. They include:
Always update your operating system, browser, antivirus software and apps for the best protection
Use encrypted and secure sites (HTTPS) when entering sensitive information like passwords and accounts
Scan attachments before opening
Study email for tell-tale signs of phishing and trust your instincts if they don’t seem legitimate
Take note of the web address and the email address. Check the email address the note was sent from to make sure it is coming from the correct domain. Do not rely on the name shown in the email.
Hover over links to see where you will go when clicking on them. Or, right-click on the link, copy it, paste it into a web browser's address bar and then inspect it (without going to the site) to make sure it is pointing to the correct domain.
Use 2-factor authentication for sensitive sites
Use strong passwords, and do not use the same password for multiple accounts. Use password managers for more security.
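The domain check in the list above (usbank.com versus usbank.co or usbanc.com, from the "odd URL" sign earlier in the lesson) can be automated against the short list of sites you actually use. This is an added example, not code from the lesson; the trusted list and the look-alike character table are constructed assumptions, and the example goes a little beyond the lesson by also catching a real name buried inside some other domain.

```python
"""Lookalike-domain check, added as an example; not code from the lesson.
Given a link target and the handful of sites you actually use, it flags domains
that are one character away from a real one (usbank.co, usbanc.com), that swap
look-alike characters (amaz0n.com), or that bury the real name inside some other
domain (usbank.com.example-login.net). The trusted list is a constructed sample."""
import re
from urllib.parse import urlparse

TRUSTED = ["usbank.com", "amazon.com", "irs.gov"]  # constructed: your own sites go here

# Digit-for-letter swaps scammers use; the table is an assumption for this example.
HOMOGLYPHS = str.maketrans("0135", "oles")


def normalize(text):
    """Undo common look-alike substitutions so amaz0n and arnazon compare as amazon."""
    return text.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def hostname(url):
    """Lower-case host part of a URL; a bare 'usbank.co' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable(host):
    """Last two labels, e.g. usbank.com for login.usbank.com (naive: ignores co.uk-style TLDs)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'unknown', or a 'lookalike of <site>: <reason>' verdict."""
    host = hostname(url)
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    host_labels = normalize(host).split(".")
    # Words in the registrable name, so 'amaz0n-secure-payments' yields ['amazon', ...]
    name_parts = re.split(r"[-_]", normalize(reg.split(".")[0]))
    for site in trusted:
        brand = site.split(".")[0]
        if normalize(reg) == site:
            return f"lookalike of {site}: look-alike characters"
        if edit_distance(reg, site) <= 2:
            return f"lookalike of {site}: near-miss spelling"
        if brand in host_labels or brand in name_parts:
            return f"lookalike of {site}: real name used, but the domain is {reg}"
    return "unknown"


if __name__ == "__main__":
    for link in ["https://www.usbank.com/login", "http://usbank.co", "usbanc.com",
                 "https://amaz0n-secure-payments.com/verify",
                 "https://usbank.com.example-login.net/", "https://example.org"]:
        print(f"{link:45} -> {classify(link)}")
```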
Other scams targeting older adults
Phishing is the most direct and easy way for a person to be scammed. But there are other scams which you may observe which can affect you emotionally and financially. Here are some of the scams which are currently targeting older adults:
Grandparent Scams:
Scammers pretend to be a grandchild in distress, asking for money to resolve an urgent situation. This contact begins with a question such as “Hi Grandma. Do you know who this is?” Once the grandparent confirms with a name, the scam begins. The scammer will tell of an emergency, an arrest, being stuck in a foreign country or other reasons to need immediate financial assistance.
This scam will come with a sense of urgency and a need for quick action. They will also ask that you not tell family members to avoid embarrassment or legal complications. They will request money immediately, in the form of non-traceable sources (wire transfers, prepaid gift cards or mobile payment apps). They will include how to send the funds.
These scams are often followed by further requests due to changes in the circumstances. It will probably go on until the victim begins to ask questions and then disappear.
Be aware that this exists. You might want to set up a code word or phrase that can be used to identify family members in emergencies. Also, remember to pause and verify these calls. Do not share any personal information with the scammer (or anyone that you are not sure of the identity of) and report the scam if you are a victim.
Artificial intelligence has created ways to clone voices, which can make this type of scam even more difficult to determine. Realize that this exists, and contact someone directly who can confirm that it is legitimate.
Romance Scams:
Online dating sites have become a fountain of opportunity for scammers. In this example, scammers create fake profiles, build relationships over time with their victims, and then ultimately exploit them financially using the emotional connection they have established.
Romance scams start with the profile, using attractive photos and interesting narratives to lure victims. The scammer then establishes a relationship which can last for weeks or months. They may move the communication from the dating site to personal channels like email, text and phone calls. Once that relationship has been established, they will share a story about a medical emergency, travel costs to visit the victim, legal troubles or business financial issues and will request money to help. Payment will be in a form that is hard to trace or recover, such as wiring money, prepaid gift cards, or cryptocurrency. After exploiting the victim, they may either continue or simply vanish.
There are red flags for potential scammers with a romance scam. They include:
Profiles that seem too good to be true, or a romance that quickly escalates to love or deep affection before meeting the person
Typically, scammers will avoid face-to-face contact. They may also avoid video calls or provide excuses on why they cannot meet in person or by video.
Any time where a relationship shifts to assistance financially is a red flag!
Scammers may include a sense of urgency to the request, pressuring their victim to act quickly
Sometimes, scammers will move to the private channel (email, phone call). Although this may seem OK, it is being done to avoid detection.
How can you protect yourself from a romance scam?
If you have experienced any of the red flags, and this person is asking you for financial help, you can first verify their identity. Use online searches, submit their image via a reverse image search and confirm that they are who they are. Stick to the dating service platform. Never send money to someone you have met online. Talk with your family and friends, who might offer a more objective view of the situation. And, if you suspect that you are a victim, report it.
Home Improvement Scams:
These scammers, posing as contractors, often target homeowners who are looking to make improvements. They may comb a neighborhood door-to-door, offering services (roof repairs, driveway sealing, landscaping) at significantly reduced rates, or simply saying that they are in the neighborhood and have leftover materials. After natural disasters (fire, flood) they may target affected homeowners, offering quick repairs. In this case, they are taking advantage of the urgency to fix the property. They might also advertise through flyers, newspapers or online platforms, promising low prices for their services. Some might entice older adults by promising a senior discount.
Some red flags can be seen in their pitch. They may make a too-good-to-be-true offer, claiming that you must act now to get this price. They may pressure you to act immediately and to skip other quotes. They will typically ask for a substantial upfront payment.
The scam can be a failure to start or complete the work. Or, if the work is done, it can be substandard (poor quality, subpar materials, unskilled labor). They might even just disappear after receiving payment.
Protect yourself from home improvement scams by researching the contractor. Ask for references and check online reviews. Verify that they have the necessary licenses and permits. Insist on a detailed contract that includes the scope of work, materials that will be used, timelines and payment schedules. Avoid contractors requesting significant upfront payments. It is standard practice to pay a deposit or to pay in stages. And obtain quotes from several contractors to make sure that everything is reasonable and expected.
Investment Scams:
Investment scams involve tricking victims into putting their money into fraudulent schemes with promises of high returns with little risk. Although they vary, a typical scam will include common features.
It begins with the scammer contacting potential victims via phone, email, social media or websites, promising an exclusive or once-in-a-lifetime investment opportunity. They will often have professional looking websites, brochures or documents and may claim to be part of a legitimate company.
The pitch will promise high returns with low risk, often claiming insider information or a foolproof strategy. It will include a sense of urgency (time-sensitive) and that it needs to be acted on immediately. It may also include testimonies, reviews and endorsements (all of them fake), presented to make the investment appear safe.
This scam may begin small and gradually get larger, asking you to invest more money, suggesting that you take out loans or use your savings. The scammers may show fake reports or accounts showing significant profits and encourage you to invest more.
The scam begins to unfold as the victim tries to withdraw their money. They may encounter delays, additional fees or simply be unable to get to their funds. Eventually, the scammer disappears along with the money.
There are different types of these scams.
Ponzi schemes pay returns to earlier investors with the capital of newer investors.
Pyramid schemes show profits based on new recruits instead of real investment or sale of goods.
High-yield investment programs offer unregistered investments with an unsustainably high return on the investment.
Advance fee frauds ask for money up front in exchange for a promise of high returns.
You can avoid these scams by researching the investment and the company. Consider consulting with someone you trust before investing. Be skeptical of anything which seems too good to be true. And realize that legitimate investment firms will not pressure you to make a quick decision.
Other examples of scams may include:
Sweepstakes and Lottery Scams: Victims are informed they've won a prize but need to pay fees or taxes to claim it.
Charity Scams: Scammers pose as charitable organizations seeking donations for fake causes.
Government Impersonation Scams: Fraudsters pretend to be government officials, demanding immediate payment for taxes or fines.
Utility Scams: Scammers threaten to cut off utilities unless immediate payment is made, often requesting payment via gift cards or wire transfers.
Healthcare Scams: Scammers offer fake medical products or services, promising miraculous cures, or treatments for various conditions.
If you are the victim of a scam:
1. Document Everything: Save all communications you've had with the scammer, including emails, text messages, and call logs. Note any details you remember about the scam, such as how you were contacted and what was said.
2. Notify Your Bank or Credit Card Company: If you've sent money or shared financial information, contact your bank or credit card issuer immediately to report the fraud. They can help secure your account and guide you on the next steps, such as canceling cards or changing account numbers.
3. Report the Scam:
Local Law Enforcement: Report the scam to your local police department. They can provide an official report, which can be helpful for disputing unauthorized transactions or for insurance claims.
Federal Trade Commission (FTC): Report the scam to the FTC, which helps combat fraudulent activities. You can file a complaint online at ftc.gov/complaint.
Internet Crime Complaint Center (IC3): If the scam occurred online, file a complaint with the IC3, a partnership between the FBI and the National White Collar Crime Center, at ic3.gov.
Consumer Financial Protection Bureau (CFPB): For scams involving financial products or services, file a complaint with the CFPB at consumerfinance.gov/complaint.
4. Social Media or Websites: If the scam involved social media or a specific website, report the scammer's profile or ad directly to the platform. Most platforms have a process for reporting fraudulent activity.
5. Protect Your Identity: If your personal information was compromised, contact the three major credit reporting agencies (Equifax, Experian, and TransUnion) to place fraud alerts or a credit freeze on your accounts. This prevents scammers from opening new accounts in your name.
Equifax: equifax.com
Experian: experian.com
TransUnion: transunion.com
6. Consult an Attorney: If you've suffered significant financial loss, consider consulting with an attorney to explore your legal options for recovery.
7. Stay Informed and Educate Others: Use the experience to educate yourself and others about the dangers of scams to prevent future occurrences. Many government and consumer protection sites offer resources and alerts about new scams.
What to do if...
Our lesson offers suggestions if you are scammed. Here is additional information for other scenarios such as the tech support scam, getting hacked and
You are contacted by a scammer:
Research the person, business or government agency to see whether the contact is a scam
Hang up on unsolicited calls about a problem with your computer; real companies do not call you about this
Don’t trust caller ID; it is easy to fake
Don’t send money to someone you do not know
If someone claims to be a friend or relative, verify through a phone number you already have before giving money.
You are a victim of a tech support scam:
Disconnect your computer from the Internet immediately
If you let the caller connect to your computer, uninstall the remote-access program they had you install
Use another device to change your passwords, starting with email and banking
Check your browser for unfamiliar extensions or add-ons and remove them
Run your anti-virus and anti-malware programs, and if you paid the scammer, contact your bank or card issuer right away
You are hacked
If your computer is acting differently (can’t turn it off, running slowly, opening pages you didn’t select, popups) then you may have been hacked. Steps to take:
Stop: Stop shopping, banking and entering passwords until the problem is resolved
Update: Update your security software to its latest version, then update your operating system and browser.
Find and Delete: Scan your system with the security software. It will flag malware, which you can delete or quarantine. Restart your computer and scan again. Contact a professional if problems persist.
After cleaning: Change critical passwords (email, banking, shopping) to long and strong ones, from a device you know is clean
Final notes: Keep your operating system and web browsers up to date
You are the victim of a data breach
A breach may expose personal information, passwords or both. Change the password for the breached account, and if you used that password anywhere else, change it there too. If the account itself has been taken over, you will also need to confirm or repair all of its recovery information (recovery email, phone number, security questions). Additionally, if your accounts are breached, you can:
Freeze your credit. Make sure to include all three credit bureaus
If it was your phone account, change your cell phone account password and PIN; these protect against "SIM swap" attacks that move your number to a scammer's phone so they can receive your verification codes.
Consider multifactor authentication
Follow the advice of data breach letters and take advantage of free monitoring if offered
Be on the lookout for phishing. They may want to exploit what they know already.
Monitor your financial accounts (credit cards, banking, utilities)
Contact the DMV if your driver's license number has been exposed
Resources when your identity is breached:
Website: Have I Been Pwned. This website will check whether your email address or phone number appears in a known data breach. https://haveibeenpwned.com/
Consider contacting the Identity Theft Resource Center. You can call (888.400.5530) or live-chat on their website www.idtheftcenter.org. You can also check the website for information on the latest breaches and additional resources.
Norton (as in anti-virus) provides information on 5 different types of breaches and what to do in each one.
Were you affected by the T-Mobile breach? Here are some suggestions from Consumer Reports
Want to cut down on data collection and hackers? Consumer Reports offers a free personalized plan to help you organize your digital life. Here were the suggestions made when I completed the form.
What can you do for a safer you?
Use a good antivirus program
There are many antivirus programs available. Some are free, others have costs involved. Unfortunately, you may find that the "antivirus" program you downloaded is actually malware, and when googling antivirus programs you may end up at malicious sites as well. The go-to site for independent test results is AV-TEST, an independent IT-security institute. On the site, you choose your platform (Android, Windows, Mac or business) and see the products tested during that period. Products are scored on protection, performance and usability, and some receive a top rating. For example, in one recent test period the top-rated antivirus programs for Windows 10 were Avira, Bitdefender, Kaspersky, Quick Heal and Trend Micro, while Microsoft Windows Defender scored among the lowest for protection. Results change with every test round, so check the latest scores rather than relying on this list. (Note also that Kaspersky products can no longer be sold or updated in the United States under a 2024 federal ban.) You can learn more by visiting their website at: av-test.org
Use a strong password:
Strong: more than 8 characters (longer is better; 12 or more is a good target), mixing upper- and lower-case letters, numbers and symbols. A phrase of several unrelated words is both long and easy to remember.
Do not use personal information (names, birthdays, pet names, addresses) in a password, and do not reuse a password on more than one site
Use a password manager to generate and store passwords. Examples include LastPass (https://lastpass.com/) or Dashlane (https://www.dashlane.com). LastPass reported a breach of customer vault backups in 2022, so whichever manager you pick, protect it with a long, unique master password and two-factor authentication.
Do not share with others
Don’t keep passwords in a plain note or file on your device. If you must write them down, keep the paper somewhere safe, not next to the computer.
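The two password rules above (generate a random one, and check a chosen one against the lesson's rules) in working form. This is an added example written for this page, not code from the lesson or from any password manager. The "personal information" list and the sample passwords are constructed for the demonstration.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]


def generate_password(length=16):
    """Build a random password that contains every character class.

    secrets draws from the operating system's cryptographic random source;
    the random module is not suitable for passwords."""
    if length < 8:
        raise ValueError("use at least 8 characters; 12 or more is better")
    # One guaranteed character from each class, the rest from the combined pool.
    chars = [secrets.choice(pool) for pool in CLASSES]
    pool = "".join(CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with a cryptographic source, so the guaranteed
    # characters do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def password_problems(password, personal_info=()):
    """Return the lesson's rules that a password breaks (an empty list passes)."""
    problems = []
    if len(password) <= 8:
        problems.append("too short: use more than 8 characters")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(not c.isalnum() for c in password):
        problems.append("needs a symbol")
    lowered = password.lower()
    for item in personal_info:
        # Anything a scammer could learn from social media should not appear in the password.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    # Constructed example: details a scammer could find out about a hypothetical user.
    known_facts = ["Fido", "1952", "Maria", "SanDiego"]
    for candidate in ["Fido1952!", "maria&sandiego", generate_password(16)]:
        print(candidate, "->", password_problems(candidate, known_facts) or "passes")
```

Run it as a script to see a generated password pass and the two hand-made ones fail. The personal-information check is only as good as the list you give it, which is the practical point: a scammer's list is built from your public posts.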
Consider using a VPN:
A VPN (virtual private network) adds security and privacy on public networks. It encrypts everything between your device and the VPN provider's server, so other people on the same public Wi-Fi (and the network operator) cannot read your traffic or see which sites you visit. There are many VPNs. Some are free, and others cost money. It is better to pay for your VPN, as free ones often pay for themselves by collecting and selling your data. Remember that if you are using your own home Wi-Fi or a cellular connection, you probably do not also need a VPN. Also, nearly all major websites now use HTTPS, which already encrypts what you send to them, so if your browsing on public Wi-Fi is pretty basic (web searches, ordinary websites), a VPN is not necessary.
A VPN hides your traffic from the local network and your IP address from the sites you visit. It does not protect you from malware or phishing scams, nor does it protect the data on your devices, and the VPN provider itself can see everything you send through it, which is why the provider's reputation matters. Some possible suggestions from various sources:
Express VPN (https://www.expressvpn.com/)
NordVPN (https://nordvpn.com/)
Mullvad (https://mullvad.net/en/)
TunnelBear (https://www.tunnelbear.com/)
The website whatismyipaddress.com lists a number of VPNs and includes some specifics about them. While you are there, learn more about IP addresses, how to check who really sent you an email, and whether your address is on a blacklist. Someday, we will do more on this interesting topic!
Consider using your cellular hot spot or purchasing a hot spot:
Many cell phones can share their cellular connection as a portable Wi-Fi network (a hot spot). This is especially useful when you are away from home and want to access a sensitive site, because your traffic then goes over the cellular network instead of someone else's Wi-Fi. Setting it up involves turning on the hot spot in your phone's settings and choosing a strong password (use WPA2 or WPA3 security if offered), then opening Wi-Fi settings on your other device, selecting your phone's network and entering that password. A purchased hot spot is set up in a similar fashion. Turn the hot spot off when you are done so nobody else can try to join it.
Extra reading materials
Online safety is an important topic. We have taught it many semesters, each time with a slightly different emphasis. Below is some of the content from previous semesters. Even if we do not touch on these topics this week, it would be a good idea to browse through this section, especially if you are new to being online and want to be as safe as possible!
Malware and more
Malware is any software installed on your machine which performs unwanted tasks, often for another party’s benefit. It can be merely annoying (pop-ups) or serious (stealing passwords or data, or infecting other computers on your network). Malware gets in by bundling (riding along with other software), through email attachments or links, or by exploiting security holes in your browser. If a site says that special software is needed to view it, that "software" may be malware. Likewise, a site may say that clicking a "certificate verification" button will make it safer. That is not the case; it is a trick to get you to run something. Once installed, malware can be very difficult to remove.
Malware is spread using different methods including:
Free software offers
File sharing
Torrents (peer-to-peer sharing of music or movie files)
Malicious files and mobile apps
Removable media (like thumb drives, external drives and discs)
Phishing emails
Smartphones:
Your smartphones are not immune to malware.
Some apps send premium-rate text messages that run up charges. They may also enroll your smartphone in a malicious “bot” network, which uses your cellular data.
Your cellphone can be infected with malware which can steal money and credit card information, read your contacts and photos, track your location, read your text messages, capture your passwords, send texts in your name and more.
You can also get malware by clicking on a link in a text message
Unsolicited calls may also lead to malware (or other security problems). Watch for people claiming to be from the government, utilities or tech firms. Charity appeals can be scams, as can calls pitching products or services that sound too good to be true. Be suspicious of any offers of free product trials, cash prizes, cheap travel, medical devices, preapproved loans, debt reduction and more.
Social networks are also vulnerable:
Here is one real pattern. You receive a Messenger notice that a friend has mentioned you, so you click on it. You are taken outside Facebook to a page that downloads malware. The attacker adds the same post to your timeline so your friends click on it too. The malware hijacks your browser, replacing it with a look-alike, captures your traffic and takes over your accounts. In the background, other scripts download to protect the malicious code from analysis and hide it from antivirus software. The attacker now owns the Facebook account and anything else reachable from the hijacked browser (Google Drive, Microsoft OneNote).
Malicious email:
If malware is software that performs unwanted tasks, email is the vehicle that most often delivers it to your device. Emails can lead you to sites that leave malware on your system, or trick you into providing personal information. You may find yourself in an email scam by responding to a questionable email. Some of these include the old-fashioned fraud emails (business opportunities, health and diet, cable descrambler kits), discount software, advance-fee fraud (like the Nigerian Prince), phishing email (looking for information) and Trojan horse emails (which entice you into installing software that then turns on you).
Malicious email attachments:
According to Verizon's 2017 Data Breach Investigations Report, 66% of malware was installed via a malicious email attachment. The attacker fools the user into opening an attachment that installs malware or that carries a fraudulent invoice. Opening the attachment alone can run the malware and do damage.
Malicious attachments look like legitimate files, usually an invoice, software update, or other file that seems urgent in nature. They can infect your device with malware that can spread to other systems. Some attachments instead take you to a website which asks you to enter your credentials to access the file. The file is bogus, and your credentials are now in the hands of the attacker.
Websites:
Sometimes a fairly innocuous site contains links to sites which are not to be trusted. One way is through clickbait: a headline teases an answer that you can only see by clicking. Clicking the headline itself usually will not give you malware, but it sends you to yet another page, which may contain further links that are not reputable. Clickbait works because we don’t like ambiguity, and we find it difficult to leave a site after our interest has been piqued.
Examples of Malware
Botnet:
The attacker sends out a virus or worm to infect vulnerable home computers. The infected machines form a network under the attacker's control, called a botnet. In the next stage, the attacker sells or rents out the botnet to other criminals, who use it for fraud, spamming, DDoS (distributed denial of service) attacks and other cybercrimes. Your computer can be part of a botnet without you noticing anything more than slower performance.
Ad blockers:
We don’t like those ads. But sometimes the ad blocker itself is fake, and a fake one can remotely inject malicious code into the browsers of everyone who installed it. Some browsers, such as Google Chrome, now have built-in ad filtering that blocks intrusive ads such as pop-ups, auto-playing video ads with sound, ads with a countdown and large sticky ads. If the browser finds a website running these ads, it may choose not to load any ads on that site.
Virus
Virus: self-replicating code that attaches itself to programs. It must be opened or executed to run, and it then looks for other programs to infect. A resident virus stays loaded in memory after its host program closes, so it can keep striking; a non-resident virus runs only when its infected file is opened. Computers can become infected with a virus in a number of ways including:
· Accepting software or download without reading the fine print (Trojan Horse)
· Downloading infected software from a bad source
· Opening email attachments containing a virus
· Using an infected disc or thumb drive
· Visiting a malicious site
· Not running updates on browser, programs and operating system
· Using a file distribution network for pirated movies/software
Clickbait
Clickbait is a technique used in websites which is designed to have you click on links that look interesting. In fact, the goal of clickbait is for you to click on the link. It really doesn’t care if clicking on the link provides you with a satisfactory answer. They get paid either way! Clickbait is not in itself malware but could direct you to a bad website.
Examples of clickbait:
· She dragged her plate across the pool. What happened next blew my mind
· When you read these 19 shocking food facts, you'll never want to eat again
· He thought it was Bigfoot's skull, but then experts told him THIS
· 87 yr old trainer shares secret to losing weight
Clicking on any of these links will only disappoint you (see the presentation).
Why are we attracted to clickbait? It is because of our “curiosity gap”. That is the difference between what we know and what we want to know. This is powerful because
· We do not like ambiguity (not knowing). By clicking now, we will discover the answer
· We are most likely to remember an unfinished task. That fascinating headline will bug us until we look for the story.
· We all have a fear of missing out (FOMO). What are those shocking food facts anyway?
Adware:
Software that provides unwanted advertising. Includes pop-up ads, banners and in-text links. May redirect to another website, install third party software, track or affect system performance. May even prevent you from using ad removal software.
Spyware:
Software that collects information about your device and your activity and transmits it to other parties. Those parties then know which sites you have visited and may serve you advertising, or even fake websites, tailored to your interests.
Keyloggers:
Software that captures everything you type. Dangerous on your own devices (think passwords), and also planted in point-of-sale (POS) terminals such as gas pumps and ATMs.
RAM scraping malware
RAM-scraping malware also targets POS systems. During a transaction the card data sits unencrypted in the terminal's memory for a brief moment; RAM scrapers grab it during that window and save it to a file for the attacker to collect later.
Browser hijacking software:
Software, often bundled with other downloads, that changes your browser settings: your home page, default search engine or default browser. A changed home page is a nuisance; one that sends you to pages full of malicious links is worse. Always review the options and permissions when installing new software, and decline any bundled extras.
Ransomware:
A particularly malicious kind of software which blocks access to your computer or files until a sum of money is paid, usually in bitcoin or gift cards. The ransomware encrypts your data so that only the attacker can decrypt it. Paying is not recommended: there is no guarantee you will get your files back, and it funds the next attack. Instead, contact a professional, and keep a regular backup of your files on a drive or service that is not permanently connected to your computer, so that you can restore them without paying.
Hacking
Hacking is unauthorized intrusion into a computer or network. Hackers use scripts or code and gain access through stolen or weak passwords, bundled software or email. They find ready-made tools, learn about new vulnerabilities and share what they find on the dark web, which is reached with special browsers like Tor. There they set up botnets, trade access to compromised networks and share stolen sensitive documents. There are also forums on the dark web where sensitive information is bought and sold. One such site, FreeHacks, gives tips on how to hack and examples of hacks to try.
Malicious email attachments:
Do not open any attachments that you were not expecting. Documents, PDFs, images and other attachments might be dangerous. When in doubt, contact the sender and ask, but don’t do it by replying to the email, since the email itself might be malicious. Call the sender, using a number you already have, and ask whether they really sent you an attachment.
There is no sure way to tell if it is malicious. Still, here are some things to consider:
· Your email provider should be scanning for malicious attachments. If a virus is found in an attachment you are trying to send, you will see a “Virus detected” error message and can choose to send without the attachment. If the virus is in an email sent to you, the provider should reject the message and notify the sender, and if it is found in an attachment already in your inbox, you won’t be able to download it. This is true in theory, but things still get through. So, keep reading!
· Filenames: be wary of bizarre filenames and misspelled words. A real spreadsheet is usually not named a random string of letters and numbers; that is suspicious as well.
· EXE files: These are executable programs. Only run one if you downloaded it from a reputable source; never open an EXE file that arrived as an email attachment. The same goes for other file types that run code (.scr, .bat, .js, .vbs, .msi, .lnk) and for “double extensions” such as invoice.pdf.exe, which Windows may display as just invoice.pdf because it hides known extensions by default.
· Zipped files: Archives hide what is inside from you and from the mail scanner. If you have any doubt, confirm by phone or a separate email (not by replying to this one, because you are not sure whether it is legitimate).
· Office documents: These can contain macros, small programs that run when you click “Enable Content” or “Enable Macros”. Attackers rely on that click to install malware. Don’t enable macros in an attachment you weren’t expecting.
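The filename checks above, turned into a small screening function. This is an added example written for this page, not code from the lesson or from any mail program, and the extension lists are the author's own selection (common, not exhaustive). The sample attachment names are constructed.

```python
import re
from pathlib import PurePosixPath

# File types that run code as soon as they are opened on Windows or macOS.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".msi",
              ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk", ".app"}
# Office formats that can carry macros and trigger an "Enable Content" prompt.
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
# Containers that hide the real file type from you and from mail scanners.
CONTAINERS = {".zip", ".rar", ".7z", ".iso", ".img", ".gz", ".tgz", ".cab"}


def attachment_risks(filename):
    """Return warning strings for an attachment name (an empty list means no red flags)."""
    name = filename.strip()
    path = PurePosixPath(name)
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    risks = []
    if ext in EXECUTABLE:
        risks.append(f"executable file type {ext}: never open from email")
        if len(suffixes) >= 2:
            # invoice.pdf.exe: Windows shows it as invoice.pdf when extensions are hidden.
            risks.append(f"double extension {''.join(suffixes[-2:])} disguises a program as a document")
    if ext in MACRO_CAPABLE:
        risks.append(f"{ext} can contain macros: do not click 'Enable Content'")
    if ext in CONTAINERS:
        risks.append(f"archive {ext} hides the real file type: confirm with the sender by phone")
    if "    " in name:
        risks.append("padding spaces push the real extension out of view in some mail programs")
    # Names like x8f3k2z9 that alternate letters and digits are typical of auto-generated droppers.
    alnum = re.sub(r"[^A-Za-z0-9]", "", path.stem)
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(alnum, alnum[1:]))
    if len(alnum) >= 8 and switches >= 4:
        risks.append("random-looking filename")
    return risks


if __name__ == "__main__":
    # Constructed example attachment names, not taken from any real message.
    for sample in ["invoice.pdf", "invoice.pdf.exe", "Q3_report.xlsm", "x8f3k2z9.zip",
                   "statement                       .exe", "family photo.jpg"]:
        print(f"{sample!r}: {attachment_risks(sample) or 'no red flags'}")
```

A clean result is not a guarantee: a PDF or an ordinary .docx can still carry an exploit, which is why the advice above is to confirm unexpected attachments with the sender by phone rather than to rely on the name.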
Phishing
Phishing is an attempt to get information from you by tricking you into believing a message comes from someone you trust. What does phishing look like?
Malicious attachments (like invoice, software or another file that seem urgent). They can infect your device with malware, or send you to a website where you enter sensitive data
Malicious links: They take you to an imposter website that looks like the real one. They want to fool you into entering credentials. The links can be embedded in email or as links in a website
Requests for sensitive data designed to seem legitimate.
There are ways to spot possible phishing attempts. They include:
Unknown sender, sender you recognize with a suspicious looking email, or incorrect address
The sender doesn’t seem to know you. ( “Dear Customer”)
Embedded links: Hover over to see if it is from a trusted source
Language, spelling and grammar: Many of these are created in other countries and translated into English. Content is bizarre or unbelievable: Think of the Nigerian Prince.
There is a “call to action” button. This is encouraging you to click there, which can trick you into downloading malicious code.
Activity:
View this assortment of phishing examples. Would you have spotted them?
Answers: How did you do?
Super challenge:
This quiz has 14 screens. You look at the screen and decide whether it is Phish or Real. When you are done, you can see the things that indicate that something was phishing.
Rogue Email:
This presentation was created for a past class to help identify how to tell when an email has gone bad. Learn anything?
How can you tell if an email is malicious?
Unknown sender, or even a sender you recognize but with a suspicious-looking email address. Check the email address as well as the sender name; the two are set separately, and a scammer can put any name they like on an address they control. The address can also differ from the real one by just a letter or two, so look carefully!
The sender does not seem to know you. They address you as “Dear Customer” or may have no contact information.
Embedded links: Before clicking on a link, hover your mouse over it (or press and hold on a phone). This shows the actual web address behind the link text. Compare it against the real address of the trusted source. The part that matters is the domain, just before the first single slash, and a scammer can put the real company's name in front of their own domain (a link to usbank.com.something-else.net is not US Bank). If you are still unsure, contact the source through another trusted channel (for example, a customer support number listed on the official website) to verify the email is legitimate.
Language, spelling and grammar: Many of these are created in other countries and translated into English. Look for mistakes, even minor ones.
Content is bizarre or unbelievable: Think of the Nigerian Prince.
There is a “call to action” button. This is encouraging you to click there, which can trick you into downloading malicious code.
The email is asking for sensitive information, hoping that one person will fall for it! (This is known as phishing)
How to tell if a website is malicious
A scamming website performs its work in 3 steps:
1. Bait: Draw users in via email, social media, texts, messaging, other websites
2. Compromise: Users do something to expose information or devices to attackers
3. Execute: Attackers use what they obtained to misuse the victim's private information or money
Look for these clues:
Emotional language (is there an elevated level of urgency, optimism or fear?)
Poor design quality (low resolution images, odd layouts)
Odd grammar (spelling mistakes, broken or stilted English or grammar errors)
Absence of identifying web pages (is it missing “contact us” or “about us”? Is there a phone number? Can you call it?)
Check the spelling (there is a difference between amazon.com and amozon.com)
Check the prefix. The address should begin with http:// or https://. Phishers sometimes write links with odd prefixes such as http:\ or with backslashes in place of slashes; browsers silently correct these, so an oddly written address is a sign that someone is trying to confuse you. Note that https:// and the padlock only mean the connection is encrypted, not that the site is honest; scam sites use HTTPS too.
Check the domain name (usbank.com is not the same as usbank.co, FBI.gov is not the same as FBI.com)
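The link and domain checks described in "How can you tell if an email is malicious?" and in the website clues above, run automatically over an email body. This is an added example written for this page, not code from the lesson or from any mail provider. The list of trusted sites, the urgency words and the sample message are all assumptions constructed for the demonstration, and the "site name" function is a deliberate simplification (a real tool would consult the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sites the hypothetical reader really deals with (assumed for this example).
TRUSTED = {"usbank.com", "amazon.com", "fbi.gov"}
GENERIC = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|urgent|verify now|act now)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL. Backslashes are turned into slashes first, as browsers do."""
    return (urlsplit(url.replace("\\", "/")).hostname or "").lower().rstrip(".")


def displayed_host(text):
    """Host named in the visible link text, if the text itself looks like an address."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return host_of(text if "://" in text else "http://" + text)


def registrable(host):
    """Crude 'site name': the last two labels. A real check would use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(html_body, trusted=TRUSTED):
    """Return warning strings for an HTML email body (an empty list means no red flags found)."""
    warnings = []
    if GENERIC.search(html_body):
        warnings.append("generic greeting")
    if URGENCY.search(html_body):
        warnings.append("urgent call to action")
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        if "\\" in href:
            warnings.append(f"odd prefix (backslashes) in link: {href}")
        host, shown = host_of(href), displayed_host(text)
        site = registrable(host)
        # The text you see says one address, the link underneath goes somewhere else.
        if shown and registrable(shown) != site:
            warnings.append(f"link text says {shown} but goes to {host}")
        if site in trusted:
            continue
        for real in sorted(trusted):
            if real in host:  # usbank.com.secure-login.net: real name used as a subdomain
                warnings.append(f"name of {real} embedded in {host}")
                break
            if edit_distance(site, real) <= 2 or site.split(".")[0] == real.split(".")[0]:
                warnings.append(f"{host} looks like {real} but is not")
                break
    return warnings


# Constructed sample message for the example; it is not a real email.
SAMPLE = """<p>Dear Customer,</p>
<p>Your account has been suspended. Verify now or it will be closed within 24 hours.</p>
<p><a href="http://usbank.co/login">https://www.usbank.com/login</a></p>
<p><a href="http:\\\\amozon.com\\verify">Update payment details</a></p>
<p><a href="https://www.usbank.com/help">Help</a></p>"""

if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE):
        print("WARNING:", warning)
```

The same comparison applies to the sender's address: the domain after the @ can be checked against the trusted list exactly as the link hosts are. None of these checks proves an email is safe; they only surface the clues the lesson tells you to look for, so a message with no warnings still deserves the "contact them through a number you already have" step.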
How to identify an imposter scam:
Occasionally, you will be contacted by a specific person or representative of a business (such as bank) or government (such as IRS). They might call, send a text or email. Here are some warning signs that this may not be legitimate:
· Money needed immediately
· You need to pay a fee to get something for “free”
· You won a prize, but they need more information
· Something is wrong with your computer
· A friend or relative needs to borrow money
· A person or business requests money in the form of a gift card, wire transfer or prepaid debit
Other examples of scams
· Social security scam calls
· Parcel tracking text scam
· Amazon Prime Renewal phone scams
· Gift card scams
· Navy Federal Credit Union scams through email
· TSA Precheck Renewal
· Email asking to validate your COVID-19 status
· Scammers promoting local police support
· Letter from a law firm telling you that you have inherited money
· Note from company (Netflix) saying you need to update your billing information
· Phone call from tech support saying your device is not working properly
· Message from Publishers Clearing house claiming you are a winner
Below are several examples of phishing emails. Would you have recognized them?
Activity:
Can you spot an online scam? Try this short quiz to find out.
Apps:
Can you get a virus from an app?
Not a classic self-replicating virus, but a malicious app can install other forms of malware which may steal money, steal credit card information, steal contacts and sensitive photos, track your location, read text messages, capture passwords, send SMS messages, and spend your money.
Can you get malware from an App from the Apple App store?
Unlikely, although it has happened. To reduce the risk, only install apps from the Apple App Store; those apps go through review prior to release. Your iPhone keeps its protections as long as you have not jailbroken it. Installing apps from outside the App Store generally requires jailbreaking the phone, which removes those protections.
Can they be trusted? Short answer no!
· Not necessarily safe if in the Google or Apple App store
· Definitely can be unsafe if not on the Google or Apple App store
· Who makes the app? Special caution for beauty apps, VPN apps, and antivirus apps
Tips on how to tell if an app is safe:
· Find out how the app uses your personal information. If it shares it with others, it could be malicious. How do you know? Free apps are usually paid for by advertising and tracking, so assume a free app is tracking you unless its privacy label (shown on the app's page in the App Store and Google Play) says otherwise.
· Permissions: The app may require permission for certain features. For example, a heart rate workout tracker would want access to your health data, and you might have to enable certain parts of that data. Once set up, the permissions stay in place and the data is exchanged. Make sure each permission makes sense. A flashlight app needs access to the camera flash, but nothing else. A book app does not need access to the camera. On an Android device, app permissions are listed in Settings. On the iPhone, tapping the app in Settings shows you what it has access to. Beware of apps which ask for lots of permissions (such as managing files, reading your contacts, or using the camera).
· Understand when and why the app will track your location. This information would be part of the license agreement that we often scroll past.
· More research on the app:
o Look at the developer’s name right under the app’s name. You can do a Google search to find more information about the developer, such as a website. If they have created a number of well-reviewed apps, the app is more likely to be safe.
o Look how many times it has been downloaded. The more downloads, the safer it may be (to an extent of course!)
o Look for an app that has been around for a while, but has been recently updated. In the Google Play store, you can find this information under “read more”.
o Read reviews. There should be lots of reviews, and they should have some positive and some negative points in them.
o Spelling and grammar errors: Since often apps are created in other countries, the grammar or spelling may be incorrect. This is a red flag.
o Unbelievable discounts: If it seems too good to be true, it probably is!
· Avoid third-party app sources: apps found outside the App Store or the Google Play Store. Sideloaded apps bypass the store's review, making it easier for a hacker to get a bad app onto your device.
· NOTE: If you suddenly have lots of ads after downloading an app, you may be a victim of “targeted advertising”. Although not malicious, they can be annoying and might slow down the phone. Delete any apps which seem to get these ads.
Additional resources
Website: What are some common email scams and what can you do to avoid them? This is an interesting assortment of them. Particularly intrigued by Swatting...
Activity: How good are you at spotting Email scams? BTW, I took these quizzes and did miss a few. Fun way to see how much you learned!
Here is the Phishing quiz by Google that we did in class
Another good phishing quiz. It asks for your email address, but you don't have to fill it in.
This is a nice basic quiz designed for seniors.
Website: All about Email scams. Includes activities and lots of examples.
Resource: Have you been a victim of Identity Theft? Visit the Identity Theft Government site to learn more.
Resource: Hacking is a problem that seems to affect all of us at one point or another. Here is a great informational site on hacking.
Interesting web article: How does the information used by hackers become available? Follow this story as the author goes onto the dark web to discover more about Russian hackers.
Adware: Learn more about adware, and then learn how to clear your browsers of adware.
Ram scraping: How do they do it? This article outlines how ram scraping is done. Maybe a little technical, but eye-opening!
Website: The FDA offers some tips on preventing skimmers at the pump. Very informative!
Online presentation: At a 2018 conference, information was presented on some prominent Russian hackers. This presentation shows what they did, how much money they made, and what was used. Very fascinating!
Video: Street Smarts for Seniors, a presentation by the Brooklyn Police Department. It is about 30 minutes long, but easy to follow and very useful.
Tutorial: Avoiding Malware from GCFLearnFree
Flyer: Basic tips for online safety
News article: Sure, a VPN offers secure connections. But they are not all the same. And some are worse than public Wi-Fi!
News article: Here are some of the more reputable VPNs (includes more information on VPNs)