Stay Secure Online - Cybersecurity Hygiene

Phishing is sort of what it sounds like: Someone is trying to catch you unaware. Bad actors send malicious links via email to steal personal information. It happens a lot, but you can be the first line of defense. Don't take the bait!  

• Hover over links before clicking to preview the URL.

• Analyze the content. Look for typos, misspelled words or poor grammar. Is the context of the email normal or are they attempting to scare or create a sense of urgency that feels suspicious?

• Don’t finish something you didn’t start. If you didn’t enter a contest and still won something, be wary before clicking a link or providing information.

• Instead of clicking on a link in the email, verify information by going to the company’s website to see if the URL or contact information matches.

• Research if a similar scam is currently in the news or on social media sites by doing a quick online search.

Autofill is amazing when you really want to buy something quickly. But before you do, make sure you know where you're shopping! Consumers should be mindful of their online shopping habits to ensure they shop safely and keep their information secure. Here are a few ways you can keep your information secure – even as you engage in some retail therapy.

• Only shop at familiar and trusted sites. Research unfamiliar sites before purchasing by doing a quick online search to see if that retailer has been listed as fraudulent or to see if the brand, items and pricing matches what you found. 

• Be wary of suspiciously low prices. Does the deal sound too good to be true? Try searching for the item (not specific to the retailer) to see how the price compares to some of the competitors.  

• Beware of fake shopping apps. Only download apps that are available in your app store. 

• When using online marketplaces between individuals, never use bank transfers with untrusted parties. Many scams begin with these bank transfers. 

• Make sure your device’s security software is up to date.

Keeping your network secure is essential. If someone gains access to your router, they can see anything connected to your network – including your phone and any internet-enabled gadgets, like your garage door or your security system. 22% of consumers have detected malicious software on a computer, Wi-Fi network, smartphone, tablet, smart home or other connected device. (Source: Norton) 

• Invest in a router with a firewall or use a personal software firewall.

• Change the default username and password on your router.

• Change the router name (aka default service set identifier (SSID)) on your router. Refer to the instruction manual for the router to see specific steps for your type of router.

• Keep the router firmware updated by following the recommendations of your internet service provider and the router’s user manual.

• Disable remote management for your router. To learn how, check the user manual for your specific router model.

The more connected our mobile device is to our online accounts and network, the more important it is to ensure you are taking the necessary steps to stay secure. 

• Enabling passcodes and biometrics (if applicable) for your phone and specific apps that contain more sensitive information like mobile banking and shopping apps. Update passcodes frequently and never share them with anyone. 

• Be careful of SMShing, which is similar to phishing but in text message form. Bad actors can use short URLs in a SMShing message to take you to a malicious site or download malware on your device. Do a quick online search to see if the message or the short URL is valid before you click or respond.

• Securely dispose of your old devices. Reset the device to factory settings and then turn it in to a reputable mobile recycling center or your mobile service provider. Do not just throw away an old device.

• Turn on automatic updates for all devices so you have the latest security patches and bug fixes updated.

• Double check privacy settings for apps including location and data sharing.

Strong passwords across accounts and devices is an important tool to keeping your privacy secure online. Accounts now have different requirements on what they define as a strong password including capitalization, symbols, numbers and total number of characters in the password. Did you know that a password like “L3ngth=Str3ngth!” takes about 412,000,000,000,000 years to crack?

Further enhance your password security by following these simple steps:

• Use a trusted password manager. 

• Do not share your passwords with anyone else. 

• Use a passphrase, which is like a sentence that strings together a few words and is longer than a traditional password but could be easier for the user to remember. Example (don’t use this one specifically): L3ngth=Str3ngth! 

• Change your passwords - yes even the strong, complex and lengthy ones – if you suspect they’ve been compromised.  

• Do not reuse usernames and passwords across multiple accounts. If account credentials are compromised on one site, bad actors could try that known username and password on other sites. Leverage trusted websites like haveibeenpwned.com and browser tools to check to see if your credentials were shared publicly. 

Vishing happens over the phone, when bad actors call posing as a trusted person to gain information by getting you to click a link, log into a website, download a file, provide credentials or obtain other information.

• Never provide personal or financial information in response to an unsolicited request, whether it is over the phone, internet, email or text. If the caller is posing as a business or someone you know, hang up and then call the business or individual back with a trusted number – not the number they used or provided.

• Don’t trust the caller ID. Bad actors can manipulate the caller ID to have it display a relevant area code for your area so it looks like a local caller.

• If you didn’t initiate the call, do not provide information the caller should already have. For example, if a company you have an account with called, they shouldn’t ask you to provide your account number.

• If they are creating a significant sense of urgency, they could be trying to rush you so you make a mistake. It’s OK to say “no” at any time or say you will need to call back later. Remember if you decide to call back, use a trusted number and NOT the number they provided.

• Do not give a caller temporary control of your device or download software if they reach out without you having to report a problem.

Cybercriminals can leverage spoofed websites to install spyware on unsuspecting victims, which can turn your latest web search into an opportunity for a bad actor to gain access to your personal information or devices.

• Use a trusted web browser. Modern browsers are regularly updated to align with the latest security standards and to defend against common tactics used by bad actors.

• Be wary of pop-ups. They are a common tool used by bad actors to get a user to visit a malicious website. Gain control over pop-ups by configuring your browser to either block or notify the user.

• Ensure your web browser is updated regularly. To make it easier to remember, enable automatic updates.

• Use bookmarks for the sites you visit often. This will lessen the chances of landing on a spoofed or malicious site.

• Beware of short URLs, which can be commonly used on social media posts and in emails. The shortened URL could mask a link that takes you to a malicious site. If you are suspicious about a shortened URL, it’s best to find the coordinate page on your own through a trusted search engine or use a reputable website that will unshorten a link so you can see the full URL before visiting the page.

The Internet of Things (IoT) is bringing every aspect of our lives online. Phones, watches, printers, thermostats, lightbulbs, cameras and refrigerators are only a handful of devices connecting to our home networks. These connected devices can make everyday tasks easier and our lives much simpler. However, IoT devices come with security issues that you should know about.

• Know all the devices that are connected to your home network and each other. Having an inventory of what’s connected can act as a checklist for ensuring updates are made periodically. If a device is no longer needed, you should disconnect it to reduce the number of devices to update.

• IoT devices may have weak security default settings, which makes them a target for ransomware. Make sure you’ve enabled higher level of security for all devices using complex passwords or system upgrades. You can also configure privacy options to limit the amount of information your devices share.

• Just like your PC and mobile devices, keep your IoT devices up to date. If your IoT device has the option to automatically update, enable it. At some point, you may want to replace an older IoT device when the existing one has too many known vulnerabilities that cannot be fixed or there are newer devices that have more security built into them.

• Many Wi-Fi routers can create additional networks, such as a guest network. Connect IoT devices to your guest Wi-Fi network instead of your primary Wi-Fi network. Another option is to purchase an additional Wi-Fi access point just for your IoT devices. This keeps your IoT devices on an isolated network, where they cannot be used to harm or attack any computer or mobile devices connected to your primary home network (which is still the main interest of cyber criminals).

• Choose your IoT devices wisely. Make sure you are buying from a trusted source and selecting a trusted brand. Some bad actors will create counterfeit IoT devices that users willingly install on their home network or can be used as rogue access points or opportunities to monitor an individual.

Kids of all ages are joining the digital world for various reasons, including schoolwork, playing games, engaging in the metaverse, watching videos and connecting with friends. It’s important that they learn safe cybersecurity behaviors at a young age.

• Many basic cybersecurity behaviors can be compared to other real-life safety measures, like being careful interacting with strangers. Tell your kids to be mindful about engaging with strangers online and to limit the personal information they share with others including not sharing their address.

• Restrict access to sites by setting up permissions to access certain websites or complete certain actions like downloading apps or plug-ins. Parental controls are never guaranteed, so start by limiting access to devices you don’t think your child has a need for. As they have needs for more connectivity, be prepared to educate them on how to ask for help, especially if they see chat or other features enabled.

• Encourage an open line of communication so that if they see something dangerous or are concerned they fell for a scam, they should notify a trusted adult right away. If they were on a device connected to your network, take steps right away to update your security protections on other devices and on your network router.

• Make sure kids properly close out of apps or shut down the device when it’s not in use. Some malicious sites can run in the background or access a device’s camera without permission.

• Limit the ability for children to make online purchases by not saving credit cards to devices they can access, and not giving them a credit card to purchase something if you haven’t validated whether the site is legitimate.

You may be aware of the dangers associated with digital files like downloading email attachments or visiting suspicious websites. However, even physical devices like USB drives, external hard drives and SD cards present a security risk for data corruption or infecting a system with malware.

• Do not connect any removeable device if you are not familiar with where it came from. If you received something in the mail, especially if it claims you won a prize or are eligible for a cash benefit if you connect the device, be wary of its authenticity.

• If transferring data on your own removable media, use complex passwords to protect the data if your device is lost or stolen.

• When you are done using a removeable device, make sure you’ve completely wiped the device before discarding it, even if it’s password protected. Redundant or expired personal data can still present a risk if it falls into the wrong hands.

• Disable any automatic run or play features on your devices so that if a suspicious removable media device is plugged in without your authorization, any programs will not install automatically.

• Install security software that will scan for any viruses or malware on your personal device, including when a removable media device is connected. Make sure to keep the security software updated.

Traveling is an opportunity to explore, relax or try something new. Staying secure while traveling allows you to focus on the trip and collecting memories – not cybersecurity threats.

• Don’t provide specific whereabouts or broadcast that you’re away from your home to minimize the chance you’re targeted for a home invasion.

• Minimize location sharing on your devices. Check the privacy and security settings on web services and apps. Set limits on what you share and the individuals or apps you share your location with.

• If someone says they lost their phone and asks to use yours, be careful. It is best to never hand over your device to a stranger. It would not take long for a bad actor to install malware or run off with it. Instead, make the call for them.

• If you are in a public place, always keep your eyes on your devices and do not leave them unattended. Even if it’s to turn around for just a moment or run to the bathroom quickly. It is important to keep your work devices concealed as much as possible.

• Bring as few devices as you can for a trip. This reduces the chance that all your connected devices are either lost or stolen. If available on your device, set up the feature that allows you to find your device or remotely disable your device. Make sure to follow our tips on mobile device security.

Who doesn’t love a freshly baked cookie? Unfortunately, in our digital world, you need to use caution when accepting cookies during your browsing sessions. Computer cookies are text files stored on your web browser that can be used to communicate to the site when you are a repeat visitor, so the website ’remembers’ you and your preferences or browsing history. However, bad actors can use cookies to monitor your other browsing activity including keystrokes.

• A common access point for cookie-based attacks is through an unsecured connection. To better protect yourself, require a secure connection by configuring your browser to send cookies through a secured connection only.

• Regularly clear cookies from your browser. Depending on your browser, the steps can vary, but it typically takes fewer than five simple steps. You can use a trusted search engine to research the steps for your preferred browser.

• First-party cookies from legitimate sites are harder to infect by bad actors, so they are typically safer. However, third-party cookies have more risk. You can block all third-party cookies through your browser in a few simple steps. You can use a trusted search engine to research the steps for your preferred browser.

• Many sites now are required to give you cookie acknowledgment options. Take the time to read them before accepting, especially for free sites.

Social engineering is the use of deception where a bad actor uses human interaction to manipulate an individual into divulging personal or confidential information that can give them access to data, accounts, systems or physical locations. There are several types of social engineering: phishing, vishing, baiting, pretexting and scareware. We covered specific tips for phishing and vishing on this page. Below are other tips that help with a variety of social engineering tactics.

• Be suspicious of unsolicited phone calls, messages and in-person interactions. What can seem like a friendly conversation with a stranger could be used to pull together pieces of information about you and used for malicious purposes, like creating a fake account or posing as an acquaintance to those close to you.

• If you’re concerned that you have divulged sensitive information like the answers to security questions on accounts, immediately reset passwords and security questions on a trusted network and browser.

• Research before providing information. If someone contacts you requesting information, take a moment to research the company and reported problem through a quick search on a trusted search engine. Oftentimes, scams are widespread and reported to news outlets or the company they are claiming to be associated with.

• Pretexting is when a bad actor uses a false identity in an in-person interaction to trick someone into revealing information. Typically, they will pose as an employee or someone in distress to gain access to restricted information, physical locations or systems.

• If you haven’t entered to win a prize, be suspicious when contacted to say you won and need to provide some information before the prize can be awarded.

Storing information on the cloud may sound like something only companies or tech-savvy individuals do, but it’s more common than you may realize.

• Use cloud-based services that encrypt your data in transit and at rest. You can research this information on the cloud service website and using a trusted search engine for reviews. You can also encrypt your data before uploading it to the cloud provider by using a trusted service.

• As with most cybersecurity tips, it’s important to use a complex password. You can find specific tips for creating passwords earlier on this page. Make sure to utilize a unique and complex password to access your data on the cloud and any of the files you encrypted.

• Disable automatic uploads to the cloud to reduce the risk that a malicious file is uploaded and then corrupts your other data or gives access to your files.

• Regularly check to see what applications or devices are connected to your personal cloud account. If you haven’t used one of the connected accounts in the last three to six months, it’s recommended to disable the connection. This reduces the risk of unauthorized access through an app or device you no longer maintain or own.

• A convenient feature of a cloud-based service is the ability to grant access to others like family members. Make sure you only grant access to confirmed and trusted email addresses or accounts. Also, regularly review who has access to what folders, files or systems and remove access rights to those you no longer wish to share your data with.