There are few new trends in online identity theft. Although some attacks are becoming more sophisticated, the basic steps to prevent them remain the same.
Be on the lookout for attacks that use broken English in the message body. While most now use proper English and copy the style and logos of the companies they purport to be from, many attacks can still be detected through awkward or incorrect grammar.
Phishing attacks are also becoming more focused. Businesses that frequently use FedEx to ship packages often see forged emails that appear to be a warning about shipping delays or undeliverable packages. Law firms are seeing emails that ask employees if they remember working on a specific case. And just this week the US-CERT issued a warning about email-based phishing campaigns targeting airline consumers.
There are several steps that people should take to reduce the likelihood they will succumb to an online attack, easily identify when their online identity has been compromised, and recover from an infection.
If a service that you use offers multi-factor authentication (MFA) or two-factor authentication, enable it and use it.
Do not reuse your work passwords for any non-work services. Use a unique password for each service. Use a good password manager that includes a password generator (as long as the use of a password manager does not conflict with your employer’s policies).
Consider using an obfuscated, unique username for any financial management, banking, or healthcare related sites that do not use an email address as your username. If one site’s list of usernames is stolen, this keeps attackers from correlating it with your other accounts to craft a well-targeted phishing message. For example, if my typical username is John_Smith, I might use 77JMS_47 as a banking username. If I receive an email from my bank that addresses me as John_Smith, I know to delete it. The obfuscated username is a detection aid, not a secret: it is no substitute for a strong, unique password and multi-factor authentication.
Here are key tips to remember:
- Do not click on embedded links in an email message unless you explicitly trust the source of the email. Hover over a link to confirm that its real destination matches the text shown, and when in doubt type the site’s address into the browser yourself.
- Do not install software that is offered to you from the Internet, for example through a pop-up or an unsolicited email. If you think you need a software package, ask your corporate IT department for advice or authorization.
- Make sure your antivirus is installed, current, active, and is configured to automatically update at least once a day.
- Make sure you have an automatic backup process and that backups are being performed successfully. Take the time to learn how to perform a restoration from backup before you need to do it in an emergency.
- Do not send information that an attacker might be able to use to steal your identity in clear text (for example, in an unencrypted email). This includes passwords, account numbers, and other personally identifying information. (This advice also extends to any information that you would prefer never to appear on a public web page associated with your name.)
- Be cautious about visiting websites. In the physical world, people are cautious about visiting neighborhoods known to have a high crime rate. The same judgment should be used when surfing the web.
- Segregate all of your online purchases on a single credit card and your offline purchases on a different card so you will be able to recognize fraud more easily.
- When getting rid of an old computer, physically remove the hard disk and destroy it, or securely store it, so that nobody can read any data that might remain on the disk.
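The link-checking habit described in the tips above can be automated. The following is an added example, not code from the original article or from SystemExperts: it parses the anchors out of an HTML message body and flags the usual phishing tell-tales, namely link text that shows one domain while the href points at another, hosts that use punycode (internationalized lookalike domains), non-HTTPS targets, and hosts outside an allow-list of domains the recipient actually does business with. The sample message, the `trusted_domains` allow-list, and the crude two-label domain comparison are all assumptions made for the demonstration.

```python
"""Flag suspicious links in an HTML email body (added example, not the article's own code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption for the demo; real code
    should consult the public-suffix list so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Matches something that looks like a domain name inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def find_suspicious_links(html, trusted_domains=()):
    """Return a list of {href, text, reasons} for every anchor that trips a check."""
    parser = _AnchorExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme != "https":
            reasons.append(f"non-https scheme {target.scheme!r}")
        if "xn--" in host:
            reasons.append("punycode (IDN) host, possible lookalike domain")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"link text shows {shown.group(1)} but href goes to {host}")
        if trusted_domains and registrable_domain(host) not in trusted_domains:
            reasons.append(f"host {host} is not on the trusted list")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message modelled on the FedEx delivery-notice lure mentioned above.
SAMPLE_EMAIL = """
<p>Your package could not be delivered.</p>
<p>Track it here: <a href="http://fedex.com.tracking-update.example/pkg">https://www.fedex.com/tracking</a></p>
<p>Questions? <a href="https://www.fedex.com/contact">Contact FedEx</a></p>
<p>Or sign in at <a href="https://xn--fedx-1sa.example/login">www.fedex.com</a></p>
"""

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL, trusted_domains={"fedex.com"}):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The genuine `www.fedex.com/contact` link produces no finding, while the two lures are each flagged for more than one reason. In a mail gateway the same logic would run over the decoded MIME part rather than a string literal, and the allow-list would come from the organization's list of vendors.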
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.