Sunday, June 28, 2015

How to catch a phish

Email and SMS texting inboxes everywhere are full of spam and phishing messages. The goal of each is to social engineer* you into clicking a link, opening an attachment or responding with personal identifying information (PII) about yourself.

In many cases, just replying to a questionable email message (or text message) is enough to get you added to a database owned by spammers or tricksters. Why? Because by responding you're letting the sender know that your email address is "live" and being monitored by a human. That's why it's called phishing—if you reply, click the link or open the attachment, you've taken the bait.

Phishing attempts also occur by phone and, albeit rarely, in person; so it is important that we remain on the alert for these social engineers at all times. These guys are getting better and better at composing fake messages that appear to be from someone you know or some organization that you do business with. Know that it is very, very easy to "spoof" the name of the sender on the "From:" line. Anyone can fake the name that appears in that field in the message. Just because it says "From: Aunt Geraldine," doesn't mean that your Aunt Geraldine initiated, wrote or sent the email to you.

How can you tell when an email message might be an attempt at social engineering?

Remember, it's not always easy to tell if a message is safe. But, if you have any suspicions whatsoever about a message, treat it as suspicious until you are 100% convinced otherwise. Here are some potential red flags:
  • The message is unexpected.
  • The message is unwanted.
  • The message is alarming.
  • The message contains a hyperlink.**
  • The message contains an attachment—a file that you can click to open (which is essentially the same thing as downloading the file to your machine).
  • It appears that the message is from someone you know, but the language, tone, or verbiage is unusual; it just does not sound like something your acquaintance would say or write.
  • The grammar or spelling is bad, as if written in a language other than the writer's primary language.
  • The email tells a story about someone you love being in jail or other dire straits.
  • The message is regarding a dire emergency requiring funds.
  • The message is asking for funds. Period.
  • You have won something.
  • You need to reset your password.
  • You're over your email storage limit.
  • You have a delivery. (UPS and FedEx do not email you unless you sign up for delivery notifications. Even then, be wary of such notifications if any part of them is out of sorts.)
If any of these things raise a hair with you, investigate the email more closely before proceeding; or, unless it might be extremely important (and valid), delete it.

Any more tips?

  • Use a very strong password on your email account, and make sure it isn't the same as any of your other passwords. 
  • Avoid using Hotmail or Yahoo email accounts. (Those seem to be the most hacked email accounts out there, but don't quote me on that. Any account using weak credentials like a short password can be hacked.)
  • Enable spam filtering. Providers like Google enable spam filtering automatically—or allow you to configure your email settings yourself to enable it. Many Internet service providers (ISPs) that provide you with broadband access in your home (like your cable or phone company) offer spam filtering. If not, there are plenty of reputable anti-virus (AV) software companies that provide spam filtering with their AV software.
  • Don't open email messages that land in your spam or Junk email folders. Delete these unless you are 100% certain that they are not, in fact, spam or suspicious.
  • If you receive a lot of unwanted SMS text messages, check with your cellular service provider about blocking these.
  • In email, redirect suspicious emails to your spam folder or Junk folder. (See your email service provider or email client application provider for instructions.)
  • If you are able to determine that an unsubscribe link provided in an email is safe to click, use it to be removed from a marketing email list. When in doubt, do not click; call the vendor instead.
  • Delete, delete, delete.

*If you are not familiar with social engineering, read this truly informative book by former hacker Kevin Mitnick: The Art of Deception. Everyone should read this book. Your children should read this book when they are old enough to understand the concept of deceit, scamming and trickery.

** Consider living by this rule: Never click links in email or text messages. Until/unless you are tech savvy enough to determine the real URL behind the link and know whether that URL points to a trusted domain or not, it's better to launch your web browser and navigate to the known web site yourself instead of clicking an inline link.
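To show what "the real URL behind the link" means in practice, here is a small checker, added here and not part of the original post, that applies a few of the red flags above to one message: it judges the sender by the actual From address domain rather than the display name, compares each link's visible text with the host the link really points to, and notes attachments. The allowlist, the sample message and every domain in it are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"example.com"}  # constructed allowlist: domains you really do business with
LINK = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Constructed sample: familiar display name on a foreign address, a link whose
# visible text is not where it really goes, and a zip attachment.
SAMPLE = """\
From: "Aunt Geraldine" <geraldine@mail.evil.test>
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/html

<p>Track it at <a href="http://example.com.evil.test/track">www.example.com</a></p>
--b
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

UEsDBA==
--b--
"""

def host_of(text):  # hostname of a URL, or of bare text like 'www.example.com/track'
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def trusted(host):  # exact allowlisted domain or a real subdomain of one, nothing else
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def red_flags(raw_email):  # the checklist above, applied to one RFC 822 message
    msg = message_from_string(raw_email)
    flags = []
    _name, addr = parseaddr(msg.get("From", ""))  # the name is free text; only the address counts
    if not trusted(addr.rpartition("@")[2].lower()):
        flags.append(f"From address '{addr}' is not on the trusted list")
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            flags.append(f"attachment '{part.get_filename()}'")
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
            for href, text in LINK.findall(html):
                if not trusted(host_of(href)):
                    flags.append(f"link goes to untrusted host '{host_of(href)}'")
                if "." in text and host_of(text) != host_of(href):
                    flags.append(f"link text '{text}' hides '{host_of(href)}'")
    return flags
```

Run `red_flags(SAMPLE)` to see all four flags; note that `example.com.evil.test` is rejected even though it starts with the trusted name, which is exactly the trick the footnote warns about.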

Saturday, June 6, 2015

Keeping kids safe online: Step 2

Step 2: Parents, talk to your kids.

As discussed in an earlier posting, the first step in keeping your kids safe online is for parents to educate themselves. The second step revolves around communicating with your children and educating them in safe Internet practices.

When I was growing up, Mom's message was, "Don't talk to strangers." In the digital age that we live in now, these strangers are anonymous and could be communicating with your child from anywhere in the world. Worse, they are "invisible" to parents. Your child's social network is not just the playground anymore. It is vastly larger and scarier. How do you keep your children from trusting online entities? 

First, if you have not yet watched this 5-minute video, watch it now: Make the Internet Less Scary. In it, Ben Jun convinces parents of the importance of teaching your kids how to maintain communications with you so that if things get bad or scary, your child is comfortable going to you for help. Here are his tips:
  • Teach your kids boundaries. 
  • Make sure your kids know who they are speaking to online and let them know what they can and cannot share.
  • Teach your kids how to set limits, then role play with them to help them gain confidence in maintaining boundaries.
  • Tell them to treat every online conversation (even a SnapChat) as if it's going to be there forever.
  • Teach them to respect what belongs to others (such as digital photos of their friends).
  • Give your kids tools they can use.
Second, read the FBI publication A Parent's Guide to Internet Safety, and discuss it with your spouse or partner. From it, you'll learn to recognize signs that your child might be at risk. If your children have adult siblings, ensure that they read this guide as well. 

Third, talk to your children and explain the risks of online activity to them. The ISC(2) Foundation provides a list of Top Ten Online Safety Tips for kids. Parents, be sure your kids know these. You can make a game out of memorizing the safety tips, and reward your child for reciting all ten. Do occasional "pop quizzes" at the dinner table to ensure they are still on track.
  1. Keep passwords private
  2. Think before you send
  3. Respect yourself and others
  4. Report bullying
  5. Keep all settings private
  6. Always log off
  7. Never meet an online friend alone
  8. Tell a trusted adult if something makes you feel uncomfortable
  9. Keep personal information private
  10. Use these tips for mobile devices too
Last but not least, make online safety fun for your youngest ones. Have them watch the videos at Better yet, watch with them, in case they have questions. For kids of reading age, buy these books for them from And keep at it. Keep the communication going, no matter how old your child is.

More information is available at: