Week 6:

3/4  Online Safety

Our agenda today:

Our web lesson contains a lot of information.  In class we will focus on some of the more important and topical areas.

Review from last time ( web browsers)

Presentation

Homework:

Recording:

There was a lot of information in this class.  Review the recording of our Tuesday class.   Then, use the website below for clarification and even more information.  And, if you hear of any scams or phishing attempts, let us know via the Canvas discussion board.

Bonus:

By request, this is a summary of "what to do if...".  It includes what to do as well as important websites and informational summaries.  


In this lesson

In this lesson we will:


Online safety includes Identifying and Avoiding Threats

Technology has exploded in recent years, creating multiple ways to stay connected, increase efficiency and productivity and provide entertainment and learning opportunities.  But with this technology come threats.  And older adults are frequently targeted by a variety of these threats, including phishing emails, fake tech support calls, requests from "loved ones" for money, lottery scams and romance scams.  We will begin with phishing, and discuss definitions, techniques, results and protecting yourself from phishing.  We will then look at some common scams and what we might do if we encounter them.


Phishing can occur in many ways using many types of bait.  Will you take the bait?

Phishing

What is Phishing?

Phishing is a type of cyberattack in which attackers try to trick you into revealing sensitive information, such as usernames, passwords, credit card numbers, or other personal details, by pretending to be someone you trust. The term "phishing" is a play on the word "fishing": the attackers "fish" for information from unsuspecting victims. It is important to remember that (as in fishing) casting the line does not harm the fish.  Harm comes only when the fish bites.  In this case you are the fish, the convincing message is the bait, and the information or money the scammer is after is the catch.


Phishing scams are popular among cybercriminals due to the relatively low cost, ease of execution and the high success rate.  The FBI’s Internet Crime Complaint Center (IC3) reports annually on different types of cybercrime, and these reports often show phishing as one of the top types of cyberattacks.  Cybersecurity companies also produce regular reports of internet threats, many of them highlighting that phishing is a substantial percentage of cyberattacks, with some reports suggesting up to 80% of security incidents are phishing.  Of course, these numbers can change, but phishing appears to be a major way to infect our devices and extract information and even money.

How does phishing look?


Phishing messages usually arrive by email, but they can also be phone calls (vishing), text messages (smishing) or fake websites.  In every case the message directs you to do something: click a link, open an attachment, call a number or enter your details.  Often the attacker pretends to be a well-known company, bank or service provider, and the email carries logos and formatting that look legitimate. 


Phishing emails will often have common traits.  They may use urgent or threatening language,  prompting you to act quickly or an account may be closed.  They may also contain links to fake websites designed to look like legitimate ones.  In all cases, the scammer is trying to bait you, hoping that you will take the bait. 


Regardless of how they arrive, and regardless of whether we spot them, falling for a phishing attempt almost always ends with something compromised: your identity, your money or your trust.


Different types of phishing:


Although the term phishing is broad, there are many types of phishing.  Here are some of them.

Some phishing is targeted rather than sent to everyone.  "Spear phishing" uses personal information about the recipient (their employer, their boss's name, a recent purchase) to make the message convincing, and it is often aimed at corporate email accounts or wealthy individuals.  We have heard of scammers tricking one person in a large organization into giving up their login, which lets the scammers pose as an insider and gather valuable information about the organization.  When the target is a senior executive or another high-value person, the attack is called "whaling" or "whale phishing". 

Example:

A company's financial officer receives an email seemingly from the CEO, urgently requesting a wire transfer to a new vendor. The email, crafted with details from the company's recent activities, appears legitimate but is actually from a cybercriminal mimicking the CEO's email address. Believing the request to be genuine, the officer makes the transfer, leading to a significant financial loss. 

On social networks, many people have given up a good deal of privacy for the sake of connecting with friends and relatives, and that information is not always private.  Scammers harvest it for "social engineering": using what they already know about you to persuade you to hand over even more.  Have you ever answered a quiz on Facebook?  What have you "liked" on social media?  Each answer and each "like" is a detail a scammer can use to make a message sound like it comes from someone who knows you.

Example:

A hacker creates a fake profile, pretending to be a friend of the target on a social network, and sends a message with a malicious link, claiming it's a funny video. The target, trusting their "friend," clicks the link, inadvertently installing malware. 

Many older adults run into problems with their technology and search for answers.  Scammers know this, so they set up fake customer-support accounts and pages, including on social media, and watch for people asking for help.  The person who answers may seem very helpful and may ask you for sensitive information or to share your screen.  These tactics are especially dangerous because they prey on someone who is already in need of assistance.  Impersonating a company's support channel this way is known as "angler phishing". 

Example:

A customer tweets at their bank's support account asking for help with a login issue. A hacker, monitoring such interactions, quickly replies from a lookalike account, offering assistance and directing the customer to a fake login page to steal their credentials. 

Even to the trained eye, it can be hard to tell an authentic email from a scam.  Both may include logos, business information and text that appears to come from the official site.  Usually the tell-tale sign is the address the email was actually sent from, or the address its links really point to.  In "clone phishing" the attacker copies a real email you have already received and resends it with the links or attachments swapped for malicious ones, so everything except the destination looks familiar.

Example:

An attacker sends an email that replicates a legitimate previously sent message, complete with original attachments or links, but with the links or attachments replaced by malicious versions, tricking the recipient into downloading malware or divulging sensitive information. 

Phishing needs you to click on a link; "pharming" can be more brutal.  Pharming redirects you to a malicious site automatically, even when you type the correct address into the browser.  It can be done by tampering with the DNS server (the server that translates a domain name into an IP address) or by malware on your own computer that changes its DNS settings or its hosts file.  Either way, the fake site is designed to capture your personal and financial information.  Up-to-date antivirus software and regular browser and operating-system updates reduce the risk.  HTTPS is the other real defence, but only if you respect it: if you typed usbank.com and DNS sent you to an impostor, the impostor cannot present a valid certificate for usbank.com, so the browser shows a certificate warning.  Do not click past that warning.


Example:

A user types the URL of their bank's website into their browser, but due to malware on their computer that has altered the DNS settings, they are redirected to a fraudulent website that looks identical to the real one, where their login details are stolen. 

We all have favorite websites: our bank, our social network, a business we visit often.  In a "watering hole" attack the scammers do not imitate that site; they break into the real one (or a site they know their targets visit, such as a club or trade site) and plant malicious code there.  When you visit, as you always do, the compromised site delivers the malware.  Keeping your browser and operating system updated is the main protection, because the planted code often relies on unpatched flaws.


Example:

Cybercriminals compromise a website frequently visited by employees of a targeted company. When an employee visits the site, they unknowingly download malware that gives the attackers access to the company's network. 

Phones are not immune to phishing.  "Vishing" (voice phishing) is a phone call: the caller claims to be from your bank, Medicare, the IRS or a tech company and talks you into sharing account details or a one-time code.  "Smishing" (SMS phishing) is a text message disguised as a note from a business like Amazon or FedEx: a delivery that could not be completed, an account being closed, a short message that seems meant for someone else, or a link (maybe to a picture from the past).  Because texts feel personal, we are more apt to click on them.  Caller ID and the sender's number can both be faked.  Again, always go to the company yourself instead of clicking the link or calling the number in the message.


Example:

VIshing: A scammer calls a victim, pretending to be from the victim's bank, claiming there's a problem with their account. They persuade the victim to share their account details and password over the phone, thereby gaining unauthorized access. 

Smishing: A user receives a text message claiming to be from a delivery service, asking them to click on a link to update their delivery preferences. The link leads to a fake website designed to steal personal information. 

Phishing keeps taking new forms, and artificial intelligence will make the messages more fluent and more personal.  One newer form is "quishing", which uses QR codes.  A QR code is simply a web address you cannot read, so attackers embed malicious links in QR codes printed on flyers and parking meters or placed in emails; when scanned, they lead to fraudulent websites that mimic legitimate services and prompt you for login credentials or financial data.  Many phone cameras show the decoded address before opening it; read it the same way you would read a link.   

Example:

In late 2023, a U.S. energy company was targeted by over 1,000 malicious emails, with around 29% of them containing QR codes. These phishing campaigns used Bing redirect URLs and sometimes exploited other domains like Salesforce applications and Cloudflare’s Web3 services. The QR codes were embedded within a PNG image or PDF attachment to evade email filters and reach recipients’ inboxes. 

Recognizing phishing


The key to avoiding phishing scams is to be aware of it and to look for tell-tale signs.  Here are some of the signs to look for:

Grammatical errors and odd phrases:  Scams are often created in other countries and translated into many languages.  As a result, you may find errors in grammar or odd ways to put together a sentence.  You should read it aloud to see if it makes sense. 

Example:

An email arrives stating, "Dear costumer, Your account will be close for failing to verify details. Please to click below for avoid problem." The message is riddled with grammatical mistakes and awkward wording, signaling a phishing attempt. 

Fake Logos:  When setting up a fake website, the scammer wants to make it look as real as possible.  So they will want to include the logos of the official site.  It is very easy to reproduce a logo, often as easy as copying and pasting it into the site, which can result in a low-resolution logo.  (Unfortunately, with AI, this may not be a tell-tale sign in the future.). 

[image: example of fake logos]

An odd URL:  We have spent several classes discussing URLs (the web address of a site).  By now, you should be skilled at recognizing the domain an email or website comes from.  Scammers may alter it by a single character.  For example, usbank.com may become usbank.co, or usbanc.com.  They may also hide the real name inside a longer one, such as usbank.com.secure-login.example.net, where the site you actually reach is example.net.  What counts is the name just before the first single slash, read from the right: the .com (or .net, .org, .co) and the word in front of it.  Look closely at the URL and make sure it is exactly where you want to go.  A good rule of thumb is to type the address yourself, or use a bookmark, instead of clicking on a link in the email. 
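The check above can be written down precisely.  This is an added example, not part of the lesson: a short Python program that takes the site you meant to visit and the address a link really points to, and names the trick in use (swapped ending, one-letter typo, real name buried as a sub-domain, or real name placed before an @ sign, where browsers treat it as a user name rather than a site).  The tiny suffix list and all the sample links are constructed for illustration; a real tool would use the full Public Suffix List.

```python
"""Look-alike domain check (added example, not part of the lesson).

Given the site you meant to visit and the address a link really points to,
name the trick being used: a swapped ending (usbank.co), a one-letter typo
(usbanc.com), the real name buried inside a longer one
(usbank.com.secure-login.example.net), or the real name placed before an
@ sign, where browsers treat it as a user name rather than a site.
The suffix list and all sample links below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """The part of a host name somebody had to register: login.usbank.com -> usbank.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-letter changes to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, expected_site: str) -> str:
    """Return 'ok' or the name of the look-alike trick found in url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "no-host"                 # mailto:, javascript:, or malformed
    if parts.username is not None:
        return "userinfo-trick"          # http://usbank.com@evil.example.net/
    actual = registrable_domain(host)
    expected = registrable_domain(expected_site)
    if actual == expected:
        return "ok"
    expected_name = expected.rpartition(".")[0]
    actual_name = actual.rpartition(".")[0]
    if actual_name == expected_name:
        return "tld-swap"                # usbank.com -> usbank.co
    if expected in host:
        return "subdomain-trick"         # usbank.com.secure-login.example.net
    if edit_distance(actual_name, expected_name) <= 1:
        return "typosquat"               # usbanc.com, usbnk.com
    return "different-domain"


# Constructed sample links, paired with the site the reader thinks they lead to.
SAMPLE_LINKS = [
    ("https://www.usbank.com/login", "usbank.com"),
    ("https://usbank.co/login", "usbank.com"),
    ("https://usbanc.com/login", "usbank.com"),
    ("https://usbank.com.secure-login.example.net/", "usbank.com"),
    ("http://usbank.com@evil.example.net/", "usbank.com"),
]

if __name__ == "__main__":
    for link, site in SAMPLE_LINKS:
        print(f"{classify_link(link, site):16} {link}")
```

Only the first sample comes back as "ok"; the other four each name the trick.  The point of the edit-distance test is that a one-letter difference is exactly what the eye skips over, so the program treats "one letter off" as a reason for suspicion rather than as a near miss.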


[image: example of a fake URL]

Unsolicited mail:  You may receive an email from a company which you think is legitimate.  It may ask you to complete a survey and say that you will receive a gift card if you do.  These can be especially alluring to users looking for a quick reward.  Another example is an email from a company describing the purchase that you made.  You will then promptly respond by saying you did not order this item, in which case, you will be targeted for more information.


Example:

"You've been selected for a survey by [Your Bank Name]! Complete this quick survey and win an exclusive reward. Click here to start: [FakeURL].com/survey. Hurry, offer ends soon!" 

Tech support:  You may receive an email from Best Buy, Apple or Microsoft saying that there is a problem with your device, but they are here to help!  Just contact them via this link and they will assist you online.  This is particularly harmful because you may end up providing them with access to your device and compromising your own privacy.  Just consider this:  How would this company (Microsoft , Apple, Best Buy) know that you are having problems?  They don’t! 

Example:

"Important Security Notice: We've detected unusual activity on your computer indicating a virus threat. Please click the link below to initiate a remote scan and fix the issue immediately: [FakeTechCompany].com/repair." 

Taxes:  We all file taxes and we all would love to receive a refund.  You may receive an email providing instructions on how to get this refund.  The email will send you to the IRS site.  Only it will be an imposter site.  There is only one website for the IRS, which is irs.gov.  Any other domain is not legitimate! 

Example:

"IRS Notice: You have a pending tax refund due to an overpayment! To claim your refund, please submit your banking details at: [FakeIRSLink].com/refund. Act now to avoid delays!" 

Unusual activity:  You may receive an email or a call warning you about unusual activity, supposedly from a legitimate company (Microsoft or Wells Fargo), with a link to click or a number to call.  The scammer will work hard to appear legitimate: announcing that the call is being recorded, faking the caller ID to show the company's name, or asking you to read back a two-factor authentication code that was just sent to your phone.  That code is the key to your account; a real bank will never ask you for it.  Do not confuse this with a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the "pick the traffic lights" puzzle some websites use.  A CAPTCHA proves to a site that you are human; it does not prove to you that the site is genuine. 


Example:

"We've noticed unusual activity on your account and suspect an unauthorized attempt to access it. Please verify your identity immediately by clicking here: [FakeCompanyURL].com/verify." 

Suspended accounts:  You may receive a note from a company saying that your account will be suspended if you don’t update your billing information.  It will then ask you to click on a link.  Never access your account via this  method!  Instead, go to the account via your web browser, sign in and update your account via their company portal. 


Example:

"Urgent: Your account will be suspended within 24 hours due to outdated billing information. Update your details now to avoid service disruption: [FakeBillingUpdate].com." 

Social media:  Can you trust those links on Facebook or Instagram?  Likely you cannot.  Often scammers will provide links to products, services or other things which are important to you.  How do they know what you like?  They use social engineering.  So they can target you via your political leanings, your friends, your likes, your personal information on the site and much more. 


Example:

"Just saw your profile and thought you might be interested in this exclusive opportunity I found. Check it out here before it's too late: [FakeOpportunityLink].com. Let's make some easy money!" 

Phishing via email:

Email is one of the key ways that phishing is delivered.  What are some of the ways you can identify a phishing email?  Here are some clues:

Check the Sender: Is it from someone you know?  Is the email address unusual?  Remember that the display name on an email can be set to anything; only the address after the @ sign says where the mail really came from.  A scammer who gets hold of a friend's contact list can send mail showing your friend's name with the scammer's own address behind it.  Always check the actual address, not just the name.  If it does not match what you have for that person or company, contact them another way.  Do not reply if you do not recognize the address.


Examples:

"support@amaz0n-secure-payments.com" 

"customer.care@apple-idverify.co" 

"john.doe1234@outlookk.com" 

Context is Key: Did you expect to receive an attachment? Does the content of the email match the attachment?  For example, you may receive an email from a scammer which contains an attachment called "invoice".  We all want to make sure we pay our bills, so we will be tempted to open that attachment.  Attachments can contain malicious code, so once you open it, you have taken the bait!


"Subject: Urgent: Invoice #4567 Overdue

Dear [Recipient's Name],

We hope this email finds you well. Our records indicate that invoice #4567, issued on [Date], for the amount of $2,985.75 remains unpaid. This is a friendly reminder that the payment is now 15 days overdue.

To avoid any late fees or service interruptions, please make the payment via the link below as soon as possible:

[PhishingLink].com/make_payment

We appreciate your prompt attention to this matter. If you have any questions or believe this to be an error, please contact us immediately at [FakeEmail]@invoicesupport.com.

Thank you for your cooperation.

Best Regards,

[Your Company's Name] Finance Team"


Generic or Vague Content: Did the email have a generic greeting or lack details?  If the email is from a bank, they should address you by name and reference your account (not the entire account number, but the last four digits).  If it is from a company who is saying that they will have to close your account, it should be addressed to YOU and not Madam or Sir.


"Dear Customer,

We've noticed some suspicious activity on your account and need you to verify your information immediately to prevent unauthorized access. Please click the link below to confirm your identity:

[GenericPhishingLink].com

Thank you for your prompt attention to this matter.

Best, Customer Support Team"


File Extension: If the email comes with an attachment, look at the file name.  The name ends with a "file extension" that tells you the type of file.  Common document extensions are .doc, .docx, .pdf, .xls and .xlsx.  Be cautious of unusual or double extensions like .pdf.exe: that file is an .exe program, and the .pdf is there to fool you.  Malicious attachments often use .exe, .scr, .bat, .com, .vbs or .js extensions.  Note that Windows hides the extension of known file types by default, so Invoice.pdf.exe is displayed as Invoice.pdf; turning on "File name extensions" in the File Explorer View menu shows the whole name.  Hovering over the attachment may give you more details.  In the long run, do not open any file you were not expecting.  Instead, contact the sender another way (call them, visit the website, etc.).  Also, when you open an attachment you might be asked to enable macros.  Macros are sets of instructions that perform a task inside a document.  They can automate repetitive work, but they can just as easily run malicious code on your device.  Never enable macros unless you are certain the document is legitimate and safe.


Example:

"Invoice_#0325.pdf.exe" 

"Account_Details_Update_Form.docx.scr" 

"Payment_Receipt_Confirmation.zip" 

"Employee_Survey_Response_Required.xls.exe" 
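The names above can be judged by rule, and the rules are worth seeing written out.  This Python program is an added example, not part of the lesson.  It applies the rules in the text (program extensions, double extensions such as .pdf.exe) and adds two tricks worth knowing: it shows what Windows displays when extensions are hidden, and it catches the "right-to-left override" character, an invisible character that makes a name like Invoice_fdp.exe display as Invoice_exe.pdf.  The extension lists are an assumption (a practical starting set, not a complete one) and the file names are constructed samples.

```python
"""Attachment name check (added example, not part of the lesson).

Applies the rules in the text (program extensions, double extensions) and
two extra tricks: the extension Windows hides by default, and the hidden
direction-override character. File names are constructed samples.
"""
import unicodedata

# Assumption: a practical starting set of extensions, not a complete list
PROGRAM = {"exe", "scr", "bat", "com", "vbs", "js", "jse", "wsf", "cmd", "hta", "ps1", "msi", "lnk"}
MACRO_CAPABLE = {"docm", "xlsm", "pptm", "xlsb"}
DOCUMENT = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "jpeg", "png"}
ARCHIVE = {"zip", "rar", "7z", "iso"}
KNOWN = PROGRAM | MACRO_CAPABLE | DOCUMENT | ARCHIVE


def extensions(filename: str) -> list:
    """All extensions, lower-cased: 'Invoice.pdf.exe' -> ['pdf', 'exe']."""
    return [e.lower() for e in filename.strip().split(".")[1:]]


def risk_of(filename: str) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'caution' or 'ok'."""
    # U+202E (RLO) and U+202D (LRO) reverse how the rest of the name is drawn
    if any(unicodedata.bidirectional(c) in ("RLO", "LRO") for c in filename):
        return "block", "contains a direction-override character; the displayed extension is fake"
    exts = extensions(filename)
    if not exts:
        return "caution", "no extension at all"
    last = exts[-1]
    if last in PROGRAM:
        if len(exts) > 1 and exts[-2] in DOCUMENT:
            return "block", f"double extension: looks like .{exts[-2]} but runs as a .{last} program"
        return "block", f".{last} is a program, not a document"
    if last in MACRO_CAPABLE:
        return "caution", f".{last} can carry macros; do not enable them"
    if last in ARCHIVE:
        return "caution", f".{last} archive; its contents are unknown until opened"
    if last in DOCUMENT:
        return "ok", f".{last} document; open only if you expected it"
    return "caution", f"unfamiliar type .{last}"


def as_windows_shows_it(filename: str) -> str:
    """With 'hide extensions for known file types' on (the Windows default),
    the final known extension is not displayed: Invoice.pdf.exe shows as Invoice.pdf."""
    base, dot, ext = filename.rpartition(".")
    return base if dot and ext.lower() in KNOWN else filename


# Constructed sample names, including the lesson's four examples
SAMPLE_NAMES = [
    "Invoice_#0325.pdf.exe",
    "Account_Details_Update_Form.docx.scr",
    "Payment_Receipt_Confirmation.zip",
    "Employee_Survey_Response_Required.xls.exe",
    "Budget_Q3.xlsm",
    "Invoice_\u202efdp.exe",          # drawn on screen as Invoice_exe.pdf
    "Quarterly_Report.pdf",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict, reason = risk_of(name)
        print(f"{verdict:8} shown as {as_windows_shows_it(name)!r:45} {reason}")
```

Two things to notice in the output: the four lesson examples all come back as "block" or "caution", and the "shown as" column is what a Windows user with default settings actually sees, which for the first sample is Invoice_#0325.pdf with no hint of the .exe behind it.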

Use Antivirus Software: Keep your antivirus up to date and scan any attachment before you open it.  Most antivirus programs let you save the file and then right-click it to scan it, and some, such as Malwarebytes, will remind you to scan as part of their service. 


Check Digital Signatures:  Some legitimate attachments might be digitally signed. Check for valid digital signatures that confirm the sender and ensure the attachment hasn't been tampered with.  This would be in cases of very sensitive documents like loans and financial transactions.  If in doubt, consult a professional to assist you. 


[images: electronic vs. digital signature; preventing digital signature fraud]

Look for Encryption:  Most webmail services (Gmail, Yahoo, Outlook.com, AOL) use https, so the connection between your browser and the mail service is encrypted and nobody sharing your Wi-Fi can read your mail in transit.  Note what this does not mean: https says nothing about who wrote the email or whether its links are safe, and a phishing site can use https too.  Treat the padlock as a minimum, not as proof.  If a mail program or website asks for sensitive information without https at all, do not use it.


Examples of phishing

Below is a collection of examples of different types of phishing.  The examples do not show the address each email was sent from, which would be the first way to judge whether it is legitimate.  Remember that the sender's address must contain the company's real domain; the name shown for the account may look legitimate, but look at the actual address.

These examples also do not let us use the hover trick.  With a live link (a button or underlined text), you can rest your cursor on it without clicking and your mail program will show where the link really leads, usually in a corner of the window; on a phone, press and hold the link instead.  This is crucial, because clicking a bad link is what starts the chain of events.  You can also right-click a link, choose "Copy link address", and paste it somewhere you can read it (a notes app or a new email draft) to inspect the domain it points to without visiting the site.  
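Hovering inspects one link at a time.  As an added example, not part of the lesson, the Python program below does the same job for every link in a message at once: it parses the HTML body of an email and, for each link, compares the text the reader sees with the address the link really opens.  It flags links that leave the sender's domain, links whose visible text is a web address on a different site, and links that run script instead of opening a page.  The message body is a constructed sample in the style of the lesson's examples.

```python
"""Hover check for a whole message (added example, not part of the lesson).

Parses the HTML body of an e-mail and reports, for every link, what the
reader sees versus where the link really goes. The body is a constructed sample.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that is itself a web address, e.g. "https://www.usbank.com/" or "usbank.com/login"
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text: str) -> str:
    """Host name of a URL or of bare text like 'www.usbank.com/login', without a leading www."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = (urlsplit(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def inspect_links(html_body: str, sender_domain: str) -> list:
    """One report entry per link: what it shows, where it goes, and any issues."""
    collector = LinkCollector()
    collector.feed(html_body)
    report = []
    for href, text in collector.links:
        issues = []
        scheme = urlsplit(href).scheme.lower()
        if scheme in ("javascript", "data"):
            issues.append(f"{scheme}: link runs code instead of opening a page")
        elif scheme in ("", "http", "https"):
            dest = host_of(href)
            if not dest:
                issues.append("link has no host name")
            elif not (dest == sender_domain or dest.endswith("." + sender_domain)):
                issues.append(f"link goes to {dest}, not {sender_domain}")
            if dest and URL_LIKE.fullmatch(text) and host_of(text) != dest:
                issues.append(f"text shows {host_of(text)} but link goes to {dest}")
        # mailto: and other schemes are left alone; they do not open a web page
        report.append({"text": text, "href": href, "issues": issues})
    return report


# Constructed phishing body in the style of the lesson's examples
SAMPLE_HTML = """
<p>Dear costumer,</p>
<p>Please <a href="https://usbank.com.secure-login.example.net/acct">sign in</a>
   within 24 hours to keep your account.</p>
<p>Or visit <a href="https://usbanc.com/">https://www.usbank.com/</a> directly.</p>
<p>Questions? <a href="https://www.usbank.com/contact">Contact us</a> or
   <a href="mailto:help@usbank.com">email us</a>.</p>
"""

if __name__ == "__main__":
    for entry in inspect_links(SAMPLE_HTML, "usbank.com"):
        flag = "SUSPICIOUS" if entry["issues"] else "ok"
        print(f"{flag:10} {entry['text']!r:32} -> {entry['href']}")
        for issue in entry["issues"]:
            print(f"{'':10}   {issue}")
```

The second link is the instructive one: its visible text is the bank's real address, and only the destination behind it is wrong.  That is exactly the case hovering was invented for, and it is why the program compares the text against the destination rather than trusting either on its own.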

Avoiding phishing:

From our lesson, we have discussed how phishing occurs and what to look for.  But embedded in the lesson are some key takeaways for avoiding them.  They include:


Other scams targeting older adults

Phishing is the most direct and easy way for a person to be scammed.  But there are other scams which you may observe which can affect you emotionally and financially.  Here are some of the scams which are currently targeting older adults:

Grandparent Scams

Scammers pretend to be a grandchild in distress, asking for money to resolve an urgent situation.  This contact begins with a question such as “Hi Grandma. Do you know who this is?”  Once the grandparent confirms with a name, the scam begins.  The scammer will tell of an emergency, an arrest, being stuck in a foreign country or other reasons to need immediate financial assistance.

This scam will come with a sense of urgency and a need for quick action.  They will also ask that you not tell family members to avoid embarrassment or legal complications.  They will request money immediately, in the form of non-traceable sources (wire transfers, prepaid gift cards or mobile payment apps).  They will include how to send the funds.

These scams are often followed by further requests due to changes in the circumstances.  It will probably go on until the victim begins to ask questions and then disappear.

Be aware that this exists.  You might want to set up a code word or phrase that can be used to identify family members in emergencies.  Also, remember to pause and verify these calls. Do not share any personal information with the scammer (or anyone that you are not sure of the identity of) and report the scam if you are a victim.

Artificial intelligence has created ways to clone voices, which can make this type of scam even more difficult to determine.  Realize that this exists, and contact someone directly who can confirm that it is legitimate.


Romance Scams

Online dating sites have become a fountain of opportunity for scammers.  In this example, scammers create fake profiles, build relationships over time with their victims, and then ultimately exploit them financially using the emotional connection they have established. 

Romance scams start with the profile, using attractive photos and interesting narratives to lure victims.  The scammer then builds a relationship that can last for weeks or months, and may move the conversation from the dating site to personal channels like email, text and phone calls.  Once the relationship is established, they will share a story about a medical emergency, travel costs to visit the victim, legal troubles or business financial issues and will request money to help.  Payment will be in a form that is hard to trace or recover, such as wiring money, prepaid gift cards, or cryptocurrency.  After exploiting the victim, they may either continue or simply vanish.

There are red flags for potential scammers with a romance scam.  They include:

How can you protect yourself from a romance scam?

If you have experienced any of the red flags, and this person is asking you for financial help, first verify their identity.  Use online searches, submit their photo to a reverse image search and confirm that they are who they say they are.  Stick to the dating service platform.  Never send money to someone you have met online.  Talk with your family and friends, who might offer a more objective view of the situation.  And, if you suspect that you are a victim, report it.


Home Improvement Scams

Scam contractors often target homeowners who are looking to make improvements.  They may comb a neighborhood door-to-door, offering services (roof repairs, driveway sealing, landscaping) at significantly reduced rates, or simply saying that they are in the neighborhood and have leftover materials.  After natural disasters (fire, flood) they may target affected homeowners offering quick repairs.  In this case, they are taking advantage of the urgency to fix the property.  They might also advertise through flyers, newspapers or online platforms, promising low prices for their services.  Some might entice older adults by promising a senior discount.

Some red flags can be seen in their pitch.  They may offer a too-good-to-be-true price, claiming that you must act now to get it.  They may pressure you to act immediately and skip other quotes.  They will typically ask for a substantial upfront payment.

The scam can be a failure to start or complete the work.  Or, if the work is done, it can be substandard (poor quality, subpar materials, unskilled labor).  They might even just disappear after receiving payment.

Protect yourself from home improvement scams by researching the contractor.  Ask for references and check online reviews.  Verify that they have the necessary licenses and permits.  Insist on a detailed contract that includes the scope of work, materials that will be used, timelines and payment schedules.  Avoid contractors requesting significant upfront payments.  It is standard practice to pay a deposit or to pay in stages.  And obtain quotes from several contractors to make sure that everything is reasonable and expected.


Investment Scams:

Investment scams involve tricking victims into putting their money into fraudulent schemes with promises of high returns with little risk.  Although they vary, a typical scam will include common features. 

It begins with the scammer contacting potential victims via phone, email, social media or websites, promising an exclusive or once-in-a-lifetime investment opportunity.  They will often have professional looking websites, brochures or documents and may claim to be part of a legitimate company.

The pitch will promise high returns with low risk, often claiming insider information or a foolproof strategy.  It will include a sense of urgency (time-sensitive) and that it needs to be acted on immediately.  It may also include testimonies, reviews and endorsements (all of them fake), presented to make the investment appear safe. 

This scam may begin small and gradually get larger, asking you to invest more money, suggesting that you take out loans or use your savings. The scammers may show fake reports or accounts showing significant profits and encourage you to invest more.

The scam begins to unfold as the victim tries to withdraw their money.  They may encounter delays, additional fees or simply be unable to get to their funds.  Eventually, the scammer disappears along with the money.

There are different types of these scams. 

You can avoid these scams by researching the investment and the company.  Consider consulting with someone you trust before investing.  Be skeptical of anything which seems too good to be true.  And realize that legitimate investment firms will not pressure you to make a quick decision. 


Other examples of scams may include:

Sweepstakes and Lottery Scams: Victims are informed they've won a prize but need to pay fees or taxes to claim it.

Charity Scams: Scammers pose as charitable organizations seeking donations for fake causes.

Government Impersonation Scams: Fraudsters pretend to be government officials, demanding immediate payment for taxes or fines.

Utility Scams: Scammers threaten to cut off utilities unless immediate payment is made, often requesting payment via gift cards or wire transfers.

Healthcare Scams: Scammers offer fake medical products or services, promising miraculous cures, or treatments for various conditions.


If you are the victim of a scam:

1. Document Everything: Save all communications you've had with the scammer, including emails, text messages, and call logs. Note any details you remember about the scam, such as how you were contacted and what was said.

2. Notify Your Bank or Credit Card Company: If you've sent money or shared financial information, contact your bank or credit card issuer immediately to report the fraud. They can help secure your account and guide you on the next steps, such as canceling cards or changing account numbers.

3. Report the Scam:

4. Social Media or Websites: If the scam involved social media or a specific website, report the scammer's profile or ad directly to the platform. Most platforms have a process for reporting fraudulent activity.

5. Protect Your Identity: If your personal information was compromised, contact the three major credit reporting agencies (Equifax, Experian, and TransUnion) to place fraud alerts or a credit freeze on your accounts. This prevents scammers from opening new accounts in your name.

6. Consult an Attorney: If you've suffered significant financial loss, consider consulting with an attorney to explore your legal options for recovery.

7. Stay Informed and Educate Others: Use the experience to educate yourself and others about the dangers of scams to prevent future occurrences. Many government and consumer protection sites offer resources and alerts about new scams.


What to do if...

Our lesson offers suggestions if you are scammed.  Here is more information for other scenarios, such as the tech support scam, getting hacked and 

You are contacted by a scammer:

You are a victim of a tech support scam:

You are hacked

If your computer is acting differently (can’t turn it off, running slowly, opening pages you didn’t select, popups) then you may have been hacked.  Steps to take:

You are the victim of a data breach

A breach may expose your personal information and sometimes your password, often in a scrambled (hashed) form that criminals can still crack if the password was weak.  Change the password for the breached account, and if you have used the same password anywhere else, change it there too.  If your account has also been taken over, confirm or repair all recovery information (backup email address, phone number).  Turn on two-factor authentication.  Additionally, if your accounts are breached, you can:


Resources when your identity is breached:


[links: smarter than a scammer; phone scams; protecting data; protecting digital identity]

What can you do for a safer you?

Use a good antivirus program

There are many antivirus programs available.  Some are free, others have costs involved.   Unfortunately, you may find that the "antivirus" program you downloaded is actually malware!  And, when googling antivirus programs, you may end up with malicious sources as well.  The go-to site for antivirus comparisons is AV-Test, an independent IT-security institute.  On this site, you choose your platform (Android, Windows, Mac or Business) and see the products tested during that period.  Products are tested for protection, performance, and usability, and some receive a top rating.  For example, in the test round this lesson looked at, the top-rated antivirus programs for Windows 10 were Avira, Bitdefender, Kaspersky, Quick Heal and Trend Micro, and among the lowest scoring for protection was Microsoft Windows Defender.  Results change from round to round, so check the current results at:  av-test.org

Use a strong password:

Consider using a VPN:

A VPN (virtual private network) is a method used to add security and privacy on public and private networks.  It lets the user send and receive data across a public network inside an encrypted tunnel, as if the device were connected to a private network.  There are many VPN services.  Some are free, and others cost money.  It is better to pay for your VPN, as the free ones often violate privacy standards.  Remember, if you are using your own Wi-Fi or a cellular connection, you probably do not also need a VPN.  Also, if your surfing on public Wi-Fi is pretty basic (web searches, basic websites), then a VPN is not necessary.  

A VPN protects your online identity and the data you send online.  It does not protect you from malware or phishing scams, nor does it protect the data stored on your devices.  Some possible suggestions from various sources:

The website whatismyipaddress.com lists a number of VPNs and includes some specifics about them.  While you are there, learn more about IP addresses, how to check who sent you that email, and whether your address is blacklisted.  Someday, we will do more on this interesting topic!

Consider using your cellular hot spot or purchasing a hot spot:

Many cell phones can share their cellular connection as a portable Wi-Fi network (a hot spot).  This is especially useful when you are away from home and want to access a sensitive site.  The process involves turning the hot spot on in your phone's settings, which will include setting a password, then opening your other device and looking for your phone's network name.  You then enter the password set on your phone into the other device.  A purchased hot spot is set up in a similar fashion. 

Extra reading materials

Online safety is an important topic.  We have taught it many semesters, each time with a slightly different emphasis.  Below is some of the content from previous semesters.   Even if we do not touch on these topics this week, it would be a good idea to browse through this section, especially if you are new to online and want to be as safe as possible!

Malware and more

Malware is any software installed on your machine which performs unwanted tasks, often for another party’s benefit.  It can be merely annoying (popups) or serious (stealing passwords or data, or infecting other computers on the network).  Malware gets in by bundling (being attached to other software), through email attachments or links, or by exploiting security holes in your browser.  If you get a note saying that software is needed to view a site, this may be malware.  Or, a site may say that clicking on a certificate verification will make it safer.  Not the case!  Once installed, it can be very difficult to remove.   

types of malware

Malware is spread using different methods including:

Smartphones: 

Your smartphones are not immune to malware.  


Social networks are also vulnerable

By merely receiving a notice in Messenger that a friend has mentioned you, you click on it and are taken outside Facebook to download malware.  The attacker adds the post to your timeline so others will click on it too.  The malware takes over (hijacks) your browser, which is disguised to look like the real one, and the attacker captures your traffic and hijacks your accounts.  In the background, other scripts download which protect the malicious code from analysis and make it invisible to antivirus software.  The attackers now own the Facebook account and anything associated with the hijacked browser (Google Drive, Microsoft OneNote).

Malicious email: 

If malware is software that performs unwanted tasks, email is the vehicle that delivers it to your device.  Emails can harm your computer by leading you to click on sites that leave malware on your system, or by tricking you into providing personal information.  You may find yourself in an email scam by responding to a questionable email.  Common types include old-fashioned fraud emails (business opportunities, health and diet, cable descrambler kits), discount software, advance-fee fraud (like the Nigerian prince), phishing email (looking for information) and Trojan horse emails (enticing you to install software that then turns on you).  

Malicious email attachments:  

According to a 2017 Verizon report, 66% of malware was installed via a malicious email attachment.  With a malicious email attachment, the attacker fools the user into downloading malware or into other actions, which can include invoice fraud.  Opening the attachment alone can release the malware and do damage.

Malicious attachments look like legitimate file attachments, usually an invoice, software update, or other file that seems urgent in nature.  These attachments can infect your device with malware that can spread to other systems.  Some attachments take you to a website which asks you to enter your credentials to access the file.  However, the file is bogus, and your credentials are now in the hands of the attacker.

Websites:  

Sometimes a fairly innocuous site may contain links to sites which are not to be trusted.  One way is through clickbait.  Clickbait is when you see a headline on a website, but you can’t reveal the answer until you click on it.  Clicking on the image will not give you malware, but it will send you to yet another web page, which may contain additional links which are not reputable.  Clickbait is attractive because we don’t like ambiguity, and we find it difficult to leave a site after having our interest piqued.  


Examples of Malware

Botnet: 

The hacker sends out a virus or worm to infect vulnerable home computers.  This creates a network of remotely controlled machines called a botnet.  In the next stage, the hacker sells or hires out the botnet to other criminals who use it for fraud, spamming, DDoS (distributed denial-of-service) attacks and other cybercrimes.

Ad blockers: 

We don’t like those ads.  But sometimes the ad blocker itself is fake and may be able to remotely inject malicious code into the computers of its unsuspecting users.  Some browsers, such as Google Chrome, now have built-in ad blocking, which blocks abusive ads such as popups, auto-playing video ads with sound, ads with a countdown and large sticky ads.  If the browser suspects a website is running these ads, it may choose not to load any ads on that website. 

Virus

Virus:  Self-replicating code.  It must be opened or executed to run, and once running it looks for other programs to infect.  It can stay in memory (resident), which means it can strike again, or it can run only when its infected file is opened (non-resident).  Computers can become infected with a virus in a number of ways including:

·         Accepting software or download without reading the fine print (Trojan Horse)

·         Downloading infected software from a bad source

·         Opening email attachments containing a virus

·         Using an infected disc or thumb drive

·         Visiting a malicious site

·         Not running updates on browser, programs and operating system

·         Using a file distribution network for pirated movies/software


Clickbait

Clickbait is a technique used in websites which is designed to have you click on links that look interesting.  In fact, the goal of clickbait is for you to click on the link.  It really doesn’t care if clicking on the link provides you with a satisfactory answer.  They get paid either way!  Clickbait is not in itself malware but could direct you to a bad website. 

Examples of clickbait:

·         She dragged her plate across the pool. What happened next blew my mind

·         When you read these 19 shocking food facts, you'll never want to eat again

·         He thought it was Bigfoot's skull, but then experts told him THIS

·         87 yr old trainer shares secret to losing weight

Clicking on any of these links will only disappoint you (see the presentation).

Why are we attracted to clickbait?  It is because of our “curiosity gap”.  That is the difference between what we know and what we want to know.  This is powerful because

·         We do not like ambiguity (not knowing).  By clicking now, we will discover the answer

·         We are most likely to remember an unfinished task.  That fascinating headline will bug us until we look for the story.

·         We all have a fear of missing out (FOMO).  What are those shocking food facts anyway?

Adware: 

Software that provides unwanted advertising.  Includes pop-up ads, banners and in-text links.  May redirect to another website, install third party software, track or affect system performance.  May even prevent you from using ad removal software.

Spyware: 

Script which collects information about your device and transmits it to other sites.  So, these sites know where you have visited and will provide sometimes fake websites that would interest you.

Keyloggers:

Software that captures anything that you type.  It is dangerous not only on your own devices (think passwords) but also in terminals at gas stations and ATMs (known as POS, or point-of-sale, terminals).

RAM scraping malware

RAM scraping malware also targets POS transactions, where card data sits unencrypted in the terminal's memory for just a few milliseconds.  RAM scrapers use this window of time to grab the card data and save it as a .txt file. 

Browser hijacking software: 

Advertising software that modifies your browser settings.  Although installing a program may result in a new default browser (not too bad), this new browser can have malicious links in it (that is bad).  Always check when installing new software for permissions. 

Ransomware: 

A particularly malicious kind of software which blocks access to your computer until a sum of money is paid, usually in bitcoin or gift cards.  The ransomware encrypts your data in such a way that only the attacker can decrypt it.  It is not recommended, though, that you pay the ransom.  Instead, contact a professional if this happens to you.

Hacking

Hacking is unauthorized intrusion into a computer or network.  It uses scripts or code and gains access through methods such as stolen passwords, bundled software or email.  Hackers find scripts, learn about hacking opportunities and share what they find on the dark web, reached through special browsers like Tor.  They use what they have found to set up botnets, break into a network or share sensitive documents.  There are also forums on the dark web where sensitive information is shared.  There is a site on the dark web called FreeHacks, which gives tips on how to hack and examples of hacks to try.

Malicious email attachments: 

Do not open any attachments that you were not expecting.  Documents, PDFs, images and other attachments might be dangerous.  When in doubt, contact the sender and ask.  But don’t contact by using the reply, as it might be malicious.  Call and ask if they did indeed send you an attachment.

There is no sure way to tell if it is malicious.  Still, here are some things to consider:

·         Your email provider should be scanning for malicious attachments.  If a virus is included in an attachment that you are trying to send, you will see a “Virus detected” error message, and you can choose to send without the attachment.  If the virus is attached to an email sent to you, the provider should reject the message and let the sender know.  If the virus is found in an attachment already in your inbox, you won’t be able to download the attachment.  This is true in theory, but things can still get through.  So, keep reading!

·         Filenames:  avoid bizarre filenames and misspelled words.  Spreadsheets are usually not named with a random string of characters (this would be suspicious as well).

·         EXE files:  These are executable files (programs).  Only open one if you downloaded it yourself from a reputable source.  Never open an EXE file that arrived as an email attachment.

·         Zipped files:  If you have any doubt, confirm by phone or a separate email (not by replying to this email, because you are not sure if it is legitimate).

·         Office documents:  These can contain hidden macros or scripts.  The document will prompt you to “enable macros” or “enable content”; if you allow this without knowing what you are allowing to run, the macros can install malware.
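The rules above (unexpected attachment, program files, hidden double extensions, macro-enabled Office files, zipped files, odd filenames) can be applied mechanically to an attachment's name before anyone opens it.  The following Python script is an added example written for this lesson, not code from the course or from any email provider; the lists of file extensions and the "random-looking name" rule are assumptions chosen to illustrate the checks, not a complete or official list.

```python
import re
from dataclasses import dataclass, field

# File types that run code as soon as they are opened.  Windows hides known
# extensions by default, so "invoice.pdf.exe" is displayed as "invoice.pdf".
# (Illustrative list, not exhaustive.)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Office formats whose trailing "m" means the file may carry macros.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Containers whose contents cannot be judged from the name alone.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
# Document types a scammer puts in front of the real extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


@dataclass
class Verdict:
    """One attachment and the warning flags raised against it."""
    filename: str
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example): a long run of hex digits, or a
    long name with no vowels, is unlike a name a person chose for a document."""
    if len(stem) < 8:
        return False
    if re.fullmatch(r"[0-9a-f_-]+", stem):
        return True
    return not re.search(r"[aeiou]", stem)


def triage_attachment(filename: str, expected: bool) -> Verdict:
    """Apply the lesson's attachment rules to one file name.
    `expected` is whether the recipient was waiting for this file from this sender."""
    v = Verdict(filename)
    name = filename.lower().rsplit("/", 1)[-1]      # drop any folder path
    stem, *exts = name.split(".")                  # "invoice.pdf.exe" -> ["pdf", "exe"]
    last = exts[-1] if exts else ""
    if not expected:
        v.flags.append("not expected: confirm with the sender by phone, not by replying")
    if last in EXECUTABLE_EXTS:
        v.flags.append(f".{last} is a program, not a document")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last not in DOCUMENT_EXTS:
        v.flags.append("double extension hides the real file type")
    if last in MACRO_EXTS:
        v.flags.append("macro-enabled Office file: do not click 'Enable content'")
    if last in ARCHIVE_EXTS:
        v.flags.append("archive: contents unknown until opened")
    if looks_random(stem):
        v.flags.append("random-looking file name")
    return v


if __name__ == "__main__":
    # Constructed sample attachments, as they might appear in an inbox.
    samples = [("scan.docx", True), ("invoice.pdf.exe", True),
               ("Statement.xlsm", False), ("a9f3c2e1d0b4.zip", True)]
    for fname, was_expected in samples:
        verdict = triage_attachment(fname, was_expected)
        status = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{fname:22} {status:10} {'; '.join(verdict.flags)}")
```

The check is deliberately about the file name only, because that is all a reader sees before opening.  A file with no flags is not proven safe (the lesson's point that "there is no sure way to tell" still holds); a file with any flag is one to confirm by phone first.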

Phishing


Phishing is an attempt to get information from you.  It is intentionally designed to trick you into believing the message is genuine.  What does phishing look like?
There are ways to spot possible phishing attempts.  They include:

Example phishing emails (images)

Activity:  

View this assortment of phishing examples.  Would you have spotted them?

Answers: How did you do?

Super challenge:

This quiz has 14 screens.  You look at the screen and decide whether it is Phish or Real.  When you are done, you can see the things that indicate that something was phishing.  

Rogue Email:

This presentation was created for a past class to help identify how to tell when an email has gone bad.  Learn anything?

Rogue Email.pptx

How to spot phishing

There are ways to spot possible phishing attempts.  They include:

How can you tell if an email is malicious?

How to tell if an email attachment is legitimate

How to tell if a website is malicious

A scamming website performs its work in 3 steps:

1.    Bait:  Draw users in via email, social media, texts, messaging, other websites

2.    Compromise:  Users do something to expose information or devices to attackers

3.    Execute:  Attackers exploit the users to misuse their private information

Look for these clues:
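Several of the clues for a scam website are visible in the address itself before you ever load the page: a plain "http" address, a bare IP address in place of a company name, an "@" that hides the real host, a familiar brand name placed in front of an unrelated domain, digits standing in for letters ("amaz0n"), or foreign-alphabet letters that only look like ours.  The Python script below is an added example written for this lesson, not code from the course; the list of trusted sites and the character substitutions are assumptions made to illustrate the checks, and the "last two labels" rule for finding the real site is a simplification (real tools use the Public Suffix List to handle names like bbc.co.uk).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed list: sites the reader actually has accounts with.  A look-alike
# check is only meaningful relative to names the reader would trust.
TRUSTED_SITES = sorted({"amazon.com", "netflix.com", "irs.gov", "navyfederal.org"})

# Digits scammers swap in because they resemble letters at a glance (assumption).
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "4": "a", "7": "t"})


def registrable_domain(host: str) -> str:
    """'login.amazon.com' -> 'amazon.com'.  Simplified: takes the last two labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_clues(url: str) -> list[str]:
    """Return the warning signs found in a web address (empty list = none found)."""
    clues: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        # Non-Latin letters become "xn--" (punycode) labels when encoded.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host

    if parts.scheme == "http":
        clues.append("plain http: anything you type is sent unencrypted")
    if parts.username is not None:
        clues.append("'@' in the address: the real site is the part after the '@'")
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        clues.append("punycode host name: foreign letters imitating a familiar name")
    if is_ip_literal(host):
        clues.append("bare IP address instead of a company name")
        return clues                      # domain-name checks do not apply

    site = registrable_domain(ascii_host)
    for trusted in TRUSTED_SITES:
        if site == trusted:
            continue                      # genuinely the trusted site
        brand = trusted.split(".")[0]
        # Brand name as a whole label or label fragment, e.g. "amazon.com.verify.example"
        if re.search(rf"(^|[.-]){brand}([.-]|$)", ascii_host):
            clues.append(f"'{brand}' appears in the address but the site is really {site}")
        elif site.translate(LOOKALIKE) == trusted:
            clues.append(f"'{site}' imitates {trusted} with digits in place of letters")
    return clues


if __name__ == "__main__":
    # Constructed addresses of the kind seen in phishing messages.
    for sample in ["https://www.amazon.com/gp/css/order-history",
                   "http://amazon.com.account-verify.example/login",
                   "https://amaz0n.com/",
                   "https://irs.gov@198.51.100.7/refund"]:
        found = url_clues(sample)
        print(sample, "->", found or "no clues found")
```

As with the attachment rules, an empty result does not prove a site is safe; it only means the cheapest tricks are absent.  The bait, compromise and execute steps above all depend on the reader trusting the address, so reading it carefully before clicking removes the bait.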

How to identify an imposter scam:

Occasionally, you will be contacted by someone claiming to be a specific person, or a representative of a business (such as a bank) or government agency (such as the IRS).  They might call, send a text or email.  Here are some warning signs that the contact may not be legitimate:

·         Money needed immediately

·         You need to pay a fee to get something for “free”

·         You won a prize, but they need more information

·         Something is wrong with your computer

·         A friend or relative needs to borrow money

·         A person or business requests money in the form of a gift card, wire transfer or prepaid debit

Other examples of scams

·         Social security scam calls

·         Parcel tracking text scam

·         Amazon Prime Renewal phone scams

·         Gift card scams

·         Navy Federal Credit Union scams through email

·         TSA Precheck Renewal

·         Email asking to validate your COVID-19 status

·         Scammers promoting local police support

·         Letter from a law firm telling you that you have inherited money

·         Note from company (Netflix) saying you need to update your billing information

·         Phone call from tech support saying your device is not working properly

·         Message from Publishers Clearing House claiming you are a winner



Below are several examples of phishing emails.  Would you have recognized them?

Activity:

Can you spot an online scam?  Try this short quiz to find out.

Apps: 

Can you get a virus from an app?

No, but you can get other forms of malware which may steal money, steal credit card information, steal contacts and sensitive photos, track your location, read text messages, save passwords, send SMS messages, and spend your money.

Can you get malware from an App from the Apple App store?

Unlikely, although it has happened.  To be sure, only install apps from the Apple App store.  These apps go through thorough testing and verification prior to release.  Your iPhone is protected as long as you did not jailbreak it or use third party apps. Apps outside the Apple App store require that you jailbreak the phone.

Can they be trusted?  Short answer: no!

·         Not necessarily safe if in the Google or Apple App store

·         Definitely can be unsafe if not on the Google or Apple App store

·         Who makes the app?  Special caution for beauty apps, VPN apps, and antivirus apps

Tips on how to tell if an app is safe:

·         Find out how the app uses your personal information.  If it is sharing with others, it could be malicious. How do you know?  First, if it is free, they are not obligated to disclose their advertising and tracking service, so it is probable they are tracking you.

·         Permissions:  The app may require permission for certain features.  For example, a heart rate workout tracker would want access to your health data, and you might have to enable certain aspects of that data.  Once set up, the permissions are granted and the data will be exchanged.  Make sure it makes sense.  A flashlight app will need access to the camera flash, but nothing else.  A book app does not need access to the camera.  On an Android device, app permissions are listed in Settings.  On the iPhone, tapping the app in Settings shows you what it has access to.  Beware of apps which ask for lots of permissions (such as managing files, using your contacts, or the camera).

·         Understand when and why the app will track your location.  This information would be part of the license agreement that we often scroll past.

·         More research on the app:

o   Look at the developer’s name right under the app’s name.  You can do a Google search to find more information about the developer such as a website.  If they have created a number of apps (well-reviewed), then it is probably safe.

o   Look how many times it has been downloaded.  The more downloads, the safer it may be (to an extent of course!)

o   Look for an app that has been around for a while, but has been recently updated.  In the Google Play store, you can find this information under “read more”. 

o   Read reviews.   There should be lots of reviews, and they should have some positive and some negative points in them.

o   Spelling and grammar errors:  Since often apps are created in other countries, the grammar or spelling may be incorrect.  This is a red flag.

o   Unbelievable discounts:  If it seems too good to be true, it probably is!

·         Avoid third-party apps:  These are ones which are found outside the App Store or the Google Play Store.  Third party apps bypass security measures making it easier for a hacker to infect your device with a bad app. 

·         NOTE:  If you suddenly have lots of ads after downloading an app, you may be a victim of “targeted advertising”.  Although not malicious, they can be annoying and might slow down the phone.  Delete any apps which seem to get these ads. 

Additional resources

Website:  What are some common email scams and what can you do to avoid them?  This is an interesting assortment of them.  Particularly intrigued by Swatting...

Activity:  How good are you at spotting Email scams?  BTW, I took these quizzes and did miss a few.  Fun way to see how much you learned!

Website:  All about Email scams.  Includes activities and lots of examples.  

Resource: Have you been a victim of Identity Theft? Visit the Identity Theft Government site to learn more. 

Resource: Hacking is a problem that seems to affect all of us at one point or another. Here is a great informational site on hacking. 

Interesting web article:  How does the information used by hackers become available?  Follow this story as the author goes onto the dark web to discover more about Russian hackers.  

Adware:  Learn more about adware, and then learn how to clear your browsers of adware.  

Ram scraping:  How do they do it?  This article outlines how ram scraping is done.  Maybe a little technical, but eye-opening!

Website:  The FDA offers some tips on preventing skimmers at the pump.  Very informative!

Online presentation:  At a 2018 conference, information was presented on some prominent Russian hackers.  This presentation shows what they did, how much money they made, and what was used.  Very fascinating!

Video: Street Smarts for Seniors, a presentation by the Brooklyn Police Department.  It is about 30 minutes long, but easy to follow and very useful.  

Tutorial: Avoiding Malware from GCFLearnFree

Flyer: Basic tips for online safety

News article: Sure, a VPN offers secure connections. But they are not all the same. And some are worse than public Wi-Fi! 

News article: Here are some of the more reputable VPNs (includes more information on VPNs)