How You Are Tracked on the Internet Every Day

There are real threats to your privacy online, especially if you use the internet frequently. Whenever you browse the web, you leave a digital footprint that helps third parties keep track of what you do online. You are at risk of being tracked by your ISP (which has access to everything you send), websites, three-letter government agencies, digital advertising agencies, attackers, search engines and more. The United States government’s use of the PRISM program, which allegedly tracks over 1 million internet users in the United States, took a lot of Americans by surprise.

Read on to learn about the different ways you are tracked whenever you use the internet. We’re also going to look at a number of sites and browser extensions that you can use to find out exactly who might be tracking you online and how you can maintain your privacy and security whenever you’re surfing the web.

Social Media

The number one spot on this list is obviously going to be your social media accounts. Social media tracking is perhaps one of the most treasured methods utilized by advertisers and attackers. This is because through social media, we tend to provide a very detailed profile of our user habits, our likes, our hobbies and a lot more. It can be described as a gold mine of hyper-targeted information just waiting to be tapped by third parties, especially advertisers.

When you post a photo online, send a tweet or participate in a discussion on a social network, it is important to keep in mind that you’re sharing a lot more than you might think. Obviously you’re sharing the things that are in your post – photos, videos, your username – but there’s also other data that gets shared.

A post on a social network might also include:

  • Your location at the time you submitted the post.
  • Links to your social media profile.
  • Personal details such as contact info, birthday or gender.
  • Links to your friends and people you have connected with.
  • What time you submitted the post.
  • Identified locations from a photo or video.

Be extremely cautious when using social media. Take a closer look at your social media connections and don’t accept invites from people you don’t know.

Search Engines

Most search engines have the ability to track every search you perform. For example, Google attempts to track whatever you do online, such as the sites you visit, who you communicate with and what you might currently be in the market for. When you use Google and its affiliated services, information about you, including the keywords you search for, is compiled and stored in the form of a user profile. All of this data becomes part of your search history and online profile with Google.

If you are concerned about your privacy being infringed upon in this manner, you can opt to use a private search engine that maintains your privacy and delivers good search results. Note however, that these search engines may not offer the same level of sophistication or search results that Google offers. What they offer however, is privacy.

Here are the best private search engines:

DuckDuckGo

DuckDuckGo is a very popular US-based search engine. According to its terms and conditions, the service never ties saved searches to individual users, although it does use your IP address to serve local search results.

Metager

Metager is a German metasearch engine that provides search results in English, German and Spanish. The service has its own web crawlers and indexers, but also gets its results from up to 50 search engines, including Yahoo and Bing.

Qwant

Qwant is a metasearch engine that primarily uses and presents Bing’s search results. It is based in France and delivers search results in a variety of languages including English, French and Italian. According to its terms and conditions, this search engine doesn’t track you or your computing device, and promises not to record anything about your search history.

Device fingerprinting

Device fingerprinting is a creepy, privacy-invasive practice that is used to identify and track you online. It works by combining various characteristics of a computing device to identify a computer as a unique device. This includes the device’s IP address, screen resolution, operating system, computer settings, software, web browser preferences, and other similar things. This process is used to create a digital portrait of you. This information is used to pinpoint you and follow you as you browse the web and use apps. Once enough device characteristics are learned, the data can be compiled into a profile that helps identify you in the same way that a fingerprint would.

Digital fingerprinting can provide a more consistent way of tracking people online, and there is not really a way to stop companies from using this technique to track you on the web.
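The following is an added example, not code from the original article: it shows why a handful of individually harmless browser attributes add up to a near-unique fingerprint. The population of browsers and the attribute values are constructed; the surprisal formula is the one fingerprint testers such as Panopticlick use to report "one in N browsers share this fingerprint".

```python
import hashlib
import itertools
import math

ATTRIBUTE_NAMES = ("user_agent", "screen", "timezone", "fonts")

# Constructed population of 16 browsers: every combination of two values per
# attribute, so each attribute on its own splits the population only in half.
POPULATION = list(itertools.product(
    ("Chrome/120 on Windows", "Firefox/121 on Linux"),
    ("1920x1080", "1366x768"),
    ("UTC-5", "UTC+1"),
    ("Arial,Calibri,Segoe UI", "DejaVu Sans,Liberation Serif"),
))


def fingerprint(attrs):
    """Hash the attribute tuple into a stable identifier, as a tracking script would."""
    return hashlib.sha256("|".join(attrs).encode("utf-8")).hexdigest()[:16]


def surprisal_bits(value, observed):
    """Identifying information (in bits) that `value` carries within `observed`.

    `observed` must include the measured device itself, so the count is never 0.
    """
    matches = sum(1 for v in observed if v == value)
    return -math.log2(matches / len(observed))


def attribute_bits(attrs, population=POPULATION):
    """Bits contributed by each attribute when it is measured alone."""
    return {
        name: surprisal_bits(attrs[i], [p[i] for p in population])
        for i, name in enumerate(ATTRIBUTE_NAMES)
    }


def fingerprint_bits(attrs, population=POPULATION):
    """Bits carried by the combined fingerprint: the attributes reinforce each other."""
    fingerprints = [fingerprint(p) for p in population]
    return surprisal_bits(fingerprint(attrs), fingerprints)


def one_in_n(attrs, population=POPULATION):
    """'Only one in N browsers shares this fingerprint', as fingerprint testers report it."""
    return round(2 ** fingerprint_bits(attrs, population))


if __name__ == "__main__":
    device = POPULATION[5]
    for name, bits in attribute_bits(device).items():
        print(f"{name:>10}: {bits:.1f} bits on its own")
    print(f"  combined: {fingerprint_bits(device):.1f} bits, one in {one_in_n(device)} browsers")
```

In this constructed population each attribute alone reveals only 1 bit, yet the four together single out every one of the 16 browsers; real attribute distributions are far more skewed, so a rare font list or screen size can contribute 10 bits or more on its own.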

Cookies

Cookies are the best-known tools for identifying and tracking users online. A cookie is a small piece of information that a website places in your browser whenever you navigate to it. This cookie allows the website to keep track of your visit details and store your preferences.

There are several advantages to using cookies. For example, when you sign in to a particular website, the cookie remembers your login details so that you don’t have to type them in again the next time you visit that site, which makes returning to the site faster. But this is also how companies are able to see what items you are viewing when shopping online, what articles you’re reading, or what you’re researching on any particular day.

Cookies can also track your browsing activities across various websites. By knowing what pages a user visits, a site can tailor that user’s experience.

Third party cookies

What can be really deceitful are third-party cookies. While they can have legitimate uses, third-party cookies are often used by advertising networks to track you across multiple websites, even if you are using a VPN to cover your tracks. Most websites use third-party advertising or tracking scripts. If two different websites use the same advertising or tracking network, that network can track and link your browsing history across both sites. However, Chrome gives you the option of blocking cookies.
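The cross-site linkage described above, as an added example that is not part of the original article: a simulated browser cookie jar, a tracker embedded on two unrelated sites, and the effect of blocking third-party cookies. Hostnames and pages are constructed; note that the IP address plays no role in the linkage, which is why a VPN does not prevent it.

```python
import secrets
from urllib.parse import urlsplit

TRACKER_HOST = "ads.tracker.example"  # constructed third-party tracking domain


class Browser:
    """Minimal cookie jar: cookies are scoped to the host that set them."""

    def __init__(self, block_third_party_cookies=False):
        self.jar = {}  # host -> {cookie name: value}
        self.block_third_party = block_third_party_cookies

    def _is_third_party(self, request_host, top_level_host):
        return request_host != top_level_host

    def cookies_for(self, request_host, top_level_host):
        """Cookies the browser attaches to a request made while on `top_level_host`."""
        if self.block_third_party and self._is_third_party(request_host, top_level_host):
            return {}
        return dict(self.jar.get(request_host, {}))

    def store(self, request_host, top_level_host, cookies):
        """Honour a Set-Cookie response unless it is a blocked third-party cookie."""
        if self.block_third_party and self._is_third_party(request_host, top_level_host):
            return
        self.jar.setdefault(request_host, {}).update(cookies)


class Tracker:
    """The advertising network: assigns a uid cookie and logs every page it is embedded on."""

    def __init__(self):
        self.log = []  # (uid, page URL) pairs, in visit order

    def handle_request(self, cookies, referer):
        uid = cookies.get("uid") or secrets.token_hex(4)  # reuse uid if the browser sent one
        self.log.append((uid, referer))
        return {"uid": uid}  # Set-Cookie: uid=...


def visit(browser, tracker, page_url):
    """Load a page that embeds the tracker's script; the browser's jar decides what is sent."""
    top_level = urlsplit(page_url).hostname
    sent = browser.cookies_for(TRACKER_HOST, top_level)
    set_cookie = tracker.handle_request(sent, page_url)
    browser.store(TRACKER_HOST, top_level, set_cookie)


def profiles(tracker):
    """What the tracker knows: pages grouped by the uid that visited them."""
    out = {}
    for uid, page in tracker.log:
        out.setdefault(uid, []).append(page)
    return out


def simulate(block_third_party_cookies):
    browser = Browser(block_third_party_cookies)
    tracker = Tracker()
    for url in ("https://shop.example/cart",
                "https://news.example/article/42",
                "https://shop.example/checkout"):
        visit(browser, tracker, url)
    return profiles(tracker)


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed, one uid ties the shopping and news visits together; with them blocked, each request looks like a fresh, unrelated visitor.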

Super cookies

A very special type of cookie is called the super cookie and an example of such is the ‘evercookie’. As the name suggests, this particular cookie is ever present in your computer no matter what you do to try to get rid of it. It is able to achieve this because unlike regular cookies that are stored in one location, the evercookie stores cookie data in several places – for example, in Flash cookies, your browsing history, and HTML5 local storage.

A very clever tracking method the evercookie employs is to assign a unique color value to a few pixels every time a new user visits a website. The different colors are stored in each user’s browser cache and can be loaded back. The color value of the pixels is a unique identifier that identifies the user.

When a website notices that you’ve deleted part of the super cookie, the information is repopulated from the other location. For example, you might clear your browser cookies but not your Flash cookies, so the website will copy the value of the Flash cookie to your browser cookies. Super cookies are very resilient.

DNS leaks

DNS leaks can occur when a VPN or DNS resolver is not configured correctly, or when your device is compromised by hackers. Such leaks breach your privacy by exposing what you do online. The best way to avoid DNS leaks is to use a VPN that provides its own DNS servers.

Downloaded apps

The apps you install on your phone can be used to profile you on social media sites such as Twitter. Apps you’ve downloaded may also be tracking your location without your knowledge by using your phone’s GPS. This is why it’s important to keep tabs on which apps have access to such sensitive information.

How can I find out who is tracking me online?

1. Panopticlick

Panopticlick analyzes your current browser setup, including add-ons and extensions, to find out just how many trackers are tracing your browser session. To use Panopticlick, hit the giant orange “Test Me” button and wait for the analysis to complete. Depending on your list of add-ons and extensions, you’re going to experience different levels of tracking.

2. Am I Unique?

Am I Unique? is a tracker analyzer with a focus on the unique fingerprint your browser broadcasts. Navigate to the Am I Unique site and click on the View My Browser Fingerprint button. Wait for the analysis to complete, then check your results.

Tools That Make You Harder to Track

1. VPN (Virtual Private Network)

If you use a VPN, your IP address is changed and your online activity is encrypted, so you cannot be tracked. Some internet service providers (ISPs) or websites may be aware that you’re using a VPN, but they will not be able to see or monitor your actual online activity. A VPN minimizes your chances of being tracked online. It does a powerful job of protecting users from things like digital spying, online tracking, data collection, invasive advertising, and cybercriminals.

It is important to keep in mind that when you’re using a VPN, the VPN has as much insight into your online activities as your ISP. This is why it is really important to be cautious, and to only choose a VPN that would never sell your data. You need to go with a VPN that retains as little information about your online activities as possible. What the VPN does with your data should be outlined in the company’s privacy policy.

2. Disconnect

Disconnect blocks over 2,000 individual trackers from following you around the internet. According to Disconnect, by blocking such a large amount of trackers, websites actually load up 27 percent faster. Disconnect is currently available for Chrome, Firefox, Safari, and Opera. Once you install Disconnect, head to a website, and open the extension. The drop-down panel shows you the entire range of trackers currently logging your browser session.

3. Adjust your privacy settings on social media.

Stay in control of your social media by choosing what you share, and who gets to see it. By managing your privacy settings, you can choose what gets shared, where and with whom. The Office of the eSafety Commissioner provides a list of all games, apps and social networks, including the information you need to control your privacy settings and report abuse on each of the services. You can learn more about controlling your Facebook privacy settings from the Office of the eSafety Commissioner Facebook eSafety information page.

4. Use Piriform to delete certain aspects of your digital footprint.

Using this powerful tool will erase all cached data to help you avoid being tracked online.

5. Use an adblocker and a secure browser.

You can increase your privacy by using an ad blocker such as Privacy Badger, along with a privacy-respecting browser. These powerful tools will make it a lot harder for advertising agencies and other third parties to track you online.

6. Clear your browser cache.

Every browser you use can be used to track your browsing history. This is why you should clear your browser’s cache as often as you can.

Here’s how you can clear your browser cache in Chrome:

  1. Open Chrome.
  2. At the top right, click More.
  3. Click More tools and then Clear browsing data.
  4. At the top, choose a time range. To delete everything, select All time.
  5. Next to “Cookies and other site data” and “Cached images and files,” check the boxes.
  6. Click Clear data.

7. Your phone keeps track of everywhere you go, all the time. If this makes you uncomfortable, you can opt out of location tracking on Android and iOS by disabling GPS tracking in your device’s location settings.

How to disable GPS tracking on Android:

  1. Power on your phone and navigate to the home screen.
  2. Press the “Menu” button on your phone, followed by the “Settings” option that appears.
  3. Touch “Location & Security” under the “Settings” menu and then uncheck the option that says “Use GPS Satellites.” The GPS on your Android is now blocked.

How to disable location tracking on iPhone

  1. Open the Settings app.
  2. Scroll down and tap on Privacy.
  3. Select Location Services.
  4. In the next menu, untoggle Location Services at the top.

8. Some of the best methods of fighting super cookies are to avoid running Adobe Flash or Microsoft Silverlight in your browser, as these two plugins are used by super cookies to replicate themselves. Using VPN services like TunnelBear or Tor is perhaps the best way of fighting cookies.

Common Internet Security Terms to be Aware of

We try to be as jargon free as possible, but in the world of internet security, technical terms cannot be avoided. We’ve therefore created this glossary where we explain common terms that you are likely to come across in the world of cyber security.

Ad injection

Ad injection is a black hat technique where ads are secretly inserted into a webpage without the website owner’s knowledge or permission. According to Google, over 50,000 browser extensions and more than 34,000 software applications engage in the practice. With ad injection, ads can be inserted on top of those that already appear (obscuring the original ads), replace the original ads entirely, or be shown on pages that weren’t meant to show ads.

Anonymizer

An anonymizer is a collective term for a tool, such as a VPN, that you can use to make your activity on the Internet untraceable. An anonymizer accesses the Internet on your behalf, protecting your personal information by hiding your identifying details. It does this by masking your real Internet Protocol (IP) address and substituting another IP address, making it difficult for hackers and other cybercriminals to target you online.

Furthermore, an anonymizer can be used to bypass censorship in countries where internet access is restricted, allowing access to online information. Note that when you use any type of anonymizer, your internet speed is going to be reduced because you are now going through at least one extra layer of security.

There are two types of anonymizers. The single point anonymizer passes your browsing through a single point such as a proxy server to protect your identity. The networked anonymizer such as a VPN transfers your communication through a network of computers.

Biometric Authentication

Biometric authentication involves the use of biometric data such as your face, fingerprint or voice as one factor in two-factor authentication in order to gain access to restricted accounts.

Bot

A bot is a type of application that has been programmed to perform a series of automated and repetitive tasks on behalf of humans on the internet. More than half of the internet’s traffic consists of bots performing one type of task or another, depending on what they have been programmed to do.

Types of bots

There are several types of bots on the internet which can be good or bad, depending on how they have been programmed. Here are examples of different types of bots.  

  • Search engine bots
  • Chatbots
  • Informational bots
  • Spambots
  • Transactional bots
  • Scrapers
  • Malware bots

Botnet

A botnet (also known as a zombie network) is a network of thousands of remote-controlled malware bots that the owner manages from a server which functions as a command and control centre.

Cybercriminals use social engineering tactics to breach the security of users’ computers and turn these machines into malware bots that can be used as part of a botnet. Once infected, the devices can continue to act perfectly normal with no symptoms or warning signs.

Cookies

A cookie is a small text file that collects certain pieces of information about you when you visit a website. The first time you navigate to a website, cookies are created by your browser and saved to your computer. When you return to the website, the cookies help it remember things such as your login details and the pages you visited, and let it build customized web pages and ads tailored to your online preferences. The main objective of cookies is to make your next visit to that same website faster.

Cookie syncing is a user identification and data collection process that is used to enhance the effectiveness of online advertising campaigns. It allows the entities that are tracking you online to share the information they have about you, and link together the IDs they’ve created to identify your device. They can compare notes and build a better profile of you, all of which is done without your knowledge or approval.

Canvas Fingerprinting

Canvas fingerprinting is a type of browser fingerprinting technique designed to uniquely identify and track visitors to a particular website without having to use browser cookies. When one of these scripts is running on a website you visit, it will instruct your browser to draw an invisible image behind the scenes. This action is completely invisible to you. Because every device will draw this image in a unique way, this process can be used to effectively create a fingerprint for your device. Your browsing can then be tracked using this fingerprint whenever you are online.

Daemon

Every web server has a daemon, a program designed to wait specifically for HTTP requests and handle them when they arrive. That’s its job. Your web browser, whether it’s Firefox, Google Chrome or Safari, is an HTTP client, and it makes requests to the web server on your behalf. So when you enter a site address or click on a hyperlink, your browser builds an HTTP request and sends it to the IP address indicated by the URL you’ve entered. The daemon receives your request and sends back the requested file or files.

Data harvesting

Data harvesting is the process of extracting data from specific websites with the use of malicious bots. For example, data can be collected from users of a particular app or social media site like Facebook or Twitter. That data is then analyzed and processed. The end result is a user profile which includes details such as age, gender and location. That profile can then be used to determine things like what the individual is likely to buy in the future, whether they are likely to take out a financial loan, the kinds of causes they are likely to support, the kinds of politicians they are likely to vote for, etc.

DDoS attack

A DDoS (Distributed Denial-of-Service) attack is a malicious attempt to render a website or online service inoperable by overwhelming the bandwidth of the targeted system. According to the Q2 2018 Threat Report, the number of distributed denial-of-service (DDoS) attacks increased in size by 500%.

DNS

DNS stands for Domain Name System, and it is responsible for translating domain names into IP addresses. So, if you wanted to go to www.dreamspath.com which has an IP address of 105.42.154.50, DNS would translate www.dreamspath.com into 105.42.154.50. Web servers and browsers don’t understand names; they only understand IP addresses. Without DNS, the alternative would be to memorize and type in an IP address whenever you want to navigate to a particular website. It is essentially the phonebook of the internet.

Now, the domain name system isn’t just one large central database that has a list of all websites and their corresponding IP addresses. It delegates the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. There are many DNS servers all over the world that can help you map domain names to IP addresses.

DNS Leak

A DNS leak refers to a vulnerability in a VPN setup through which the real identity of a user is revealed: DNS requests reach the ISP’s DNS servers despite the use of a VPN service to conceal them. This flaw allows an ISP and other eavesdroppers to track the websites a user visits. Normally, the VPN automatically replaces the ISP DNS with the anonymous VPN DNS. In a DNS leak, however, the browser’s DNS requests are sent directly to the ISP DNS server, bypassing the VPN. You can perform standard tests at www.dnsleak.com or www.dnsleaktest.com.

Domain spoofing

Domain spoofing is when cybercriminals try to deceive users by faking the name of a legitimate website. The main objective of domain spoofing is to fool users into interacting with the malicious website as if it were the legitimate site. It is used to steal personal information such as login credentials or credit card info, or trick the visitor into downloading malware onto their computer.

Here are examples of how spammers may spoof the domain name in order to trick you into clicking on it.

  • https://fa-cebook.com -> “fa-cebook.com” is not the same as “facebook.com”
  • https://facebook.com.realwebsite.com — “realwebsite.com” is the main website. Note that “facebook.com” here, is a subdomain of “realwebsite.com”
  • https://facebook.co — “facebook.co” is not the same as “facebook.com”
  • https://www-facebook.com — “www-facebook.com” is not a subdomain of “facebook.com”. Note the hyphen in “www-facebook.com”. A genuine subdomain would be separated from the main website domain (SLD) by a period like in “www.facebook.com”.
  • https://faceboek.com — Note that the “o” in the domain name has been replaced with “e”.
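A defensive check for the five look-alike patterns listed above, as an added example that is not part of the original article: it reduces a URL to its registrable domain, compares it with the domain the user expects, and names the trick when they differ. It assumes single-label public suffixes such as .com and .co; multi-label suffixes like .co.uk are not handled.

```python
from urllib.parse import urlsplit


def hostname_of(url):
    """Lower-cased host from a URL; a bare domain without a scheme is accepted too."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels of the host (simplified: assumes a single-label public suffix)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot one or two swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(url, expected="facebook.com"):
    """None when the URL really belongs to `expected`, otherwise a short explanation."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg == expected:
        return None  # genuine domain, or a genuine subdomain such as www.facebook.com
    exp_sld, exp_tld = expected.split(".", 1)
    sld, _, tld = reg.rpartition(".")
    if expected + "." in host:
        return "expected domain used as a subdomain of a different site"
    if sld == exp_sld and tld != exp_tld:
        return "same name under a different top-level domain"
    if "-" in sld and sld.replace("-", "") == exp_sld:
        return "hyphen inserted into the domain name"
    if sld.endswith(exp_sld) or sld.startswith(exp_sld):
        return "extra characters attached to the domain name"
    if edit_distance(sld, exp_sld) <= 2:
        return "one or two characters changed in the domain name"
    return "unrelated domain"


if __name__ == "__main__":
    for url in ("https://www.facebook.com/login", "https://fa-cebook.com",
                "https://facebook.com.realwebsite.com", "https://facebook.co",
                "https://www-facebook.com", "https://faceboek.com"):
        print(f"{url:45} -> {lookalike_reason(url) or 'OK'}")
```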

Drive-by Download Attack

A drive-by download attack refers to the inadvertent download of malicious code to your PC or mobile device that exposes you to a cyberattack. The malicious code starts to infect your device as soon as you navigate to a particular website. A drive-by download doesn’t rely on you clicking on anything, pressing download, or opening an email attachment to enable the attack. These downloads can be on any site, including safe, legitimate sites. The term also covers downloads of bundled software onto a computing device that leave you vulnerable to a cyber-attack.

Emergency Access

Some password managers provide the ability to grant one-time access to your Vault to one or more designated users. You can also specify an access delay: when a user you have designated tries to gain access to your information, that person has to wait for a time period of your choosing. During this period (e.g. two hours), you have the power to decline the requested access. If you do not deny the request within the specified time period, the emergency access user will be able to access your Vault.

Encryption

Encryption is the process of converting your data (such as a text message or email) into an unreadable format so that its content cannot be understood even if it is intercepted by hackers. When you need to send a confidential email and you use a program that obscures the content of that email, that is an example of encryption.

GEO-BLOCKING

Geo-blocking refers to the process of limiting access to certain online services based on geographic location. These include streaming video services like Netflix, Hulu and BBC iPlayer, dating sites, news sites, etc. For example, if you live in the UK, you won’t have access to the full catalog of Netflix movies and TV shows that is available to US residents. Geo-blocking works by using your IP address to determine your location. This means that if you are an American visiting the UK, you will only be able to access content that is available in the UK.

HTTP

HTTP stands for the Hypertext Transfer Protocol. It defines how messages are formatted and transmitted over the web, and what actions web servers and browsers take in response to various commands. HTTP is essentially the mother of all protocols on the World Wide Web: it is behind how every single request between a web browser and a web server is handled.

HTTPS

HTTPS is Hypertext Transfer Protocol Secure, the secure version of HTTP. It’s secure because communication between your web browser and the web server is encrypted. HTTPS is a must for websites where sensitive information like passwords and credit card details is exchanged. Encryption in HTTPS is implemented through the use of TLS and SSL. Never provide your password or your credit card details on a site that doesn’t use HTTPS.

IP Address

IP address stands for internet protocol address. It is a uniquely identifying number that is allocated to a device (such as a computer or smartphone) that is connected to the internet. However, if you are connecting to the internet through a router, it is the IP address of your router that will be visible on the internet. Your router will dynamically assign a private IP address to the network card in your computer. This IP address will not be visible on the internet.

Your IP address is what identifies who you are and where you are browsing from on the internet, and allows you to send and receive information. Note that your IP address is publicly visible on the internet and you can find out yours by navigating to whatismyipaddress.com.

IP Leak

An IP leak occurs when your VPN leaks your real IP address to a website that you visit. When you’re using a VPN, no website should be able to see your real IP address. This can happen when your computer is unknowingly accessing default servers rather than the VPN provider’s servers.

Keylogger

Keyloggers are monitoring software used to record the keystrokes that are used on a smartphone or computer keyboard. They are one of the oldest types of online threats used by cybercriminals to steal confidential information such as passwords, credit card details and other personal data. Some sophisticated keyloggers – such as those that target mobile devices – are able to record information such as calls, information from messaging applications and GPS location.

Kill switch

Also known as a VPN Kill Switch, Internet Kill Switch or Network Lock, a kill switch is a special VPN security feature that is triggered when the VPN connection suddenly drops. The VPN automatically disconnects your device from the Internet until the VPN connection is restored. This means it blocks traffic leaving your device if your connection is ever compromised. With a kill switch, there’s no possibility that your IP address accidentally gets exposed.

Latency

Latency refers to the amount of time between a user action and the result of that action. For example, the delay between a user clicking an image and the user’s browser showing that image. If you click a link and it takes several seconds before the image appears, you are experiencing significant latency.

MAC Address

A MAC address (media access control address) is a unique identifier that is assigned to a network interface controller (NIC) for use as a network address in communications within a local area network (LAN). Unlike an IP address, which can change every time you connect to the internet, a MAC address is a hardware address that is embedded into the device and can never be changed.

Malicious Hotspots

This is a rogue network that fools users into thinking they are connecting to a legitimate network. Hotels are often the prime target for malicious hotspots. For example say you’re staying at The GoodNight Inn and you want to connect to the hotel’s WI-FI. When you browse the network, you may find GoodNight Inn which you might think is the hotel’s Wi-Fi, but isn’t. If you connect to that network, you’ve just connected to a rogue network that can now browse your sensitive information.

Malware Distribution

Short for malicious software, malware is a computer program that is designed to infiltrate and cause damage to computers or websites. Malware covers all types of threats to your computer including spyware, viruses, worms, Trojans and so on.  

Malvertising

This type of phishing utilizes digital ad software to publish otherwise normal looking ads with malicious code implanted within.

Man-In-The-Middle Attacks (MitM)

This attack is a form of eavesdropping. When you connect to different websites on the internet, vulnerabilities can allow an attacker to get in between these transmissions and read the content of those transmissions. These attacks are often carried out by establishing fake public Wi-Fi networks at various public locations such as coffee shops and shopping malls.

Master Password

The master password is the only password you are required to create when using a password manager. It is the key to unlock access to all of your stored credentials, including your passwords.

Multi-layer security

Multi-layer security is all about having multiple safeguards in place and using them in conjunction with one another so that if one fails, you’ve still got others to protect you. For example, instead of using just passwords as your only layer of security, you should have additional layers like two factor authentication, encryption and private networks. This ensures that even if your password is breached by a cybercriminal, they won’t be able to access your account because you have two factor authentication as an additional layer of security.  

Multi-Factor Authentication

Multi-factor authentication is a method of access control where a service grants you access only after you present multiple pieces of evidence that you are who you claim to be. This evidence comes in three forms: something you know (such as your password), something you have (such as your phone) and something inherent, which include biometric methods such as fingerprint readers, retinal scanners and facial recognition systems.

No Logs Policy

A no logs policy is about protecting your private information from everyone. It means that no information is saved about your personal details, the websites you visit or what you search for. So in the event of any unforeseen circumstance such as data breach, server hack or government investigation, nothing can be held against you because no information was recorded about you in the first place. This policy is used to safeguard your privacy and anonymity so that you can feel safe in the knowledge that what you do online is protected from everybody.

Every VPN claims to deliver anonymity and privacy with a no logs policy. However, the reality is that some VPN vendors might be unable to deliver 100% privacy, and this doesn’t have anything to do with the service provider’s technology. If the VPN provider has its headquarters in a country that’s part of the 5/9/14 Eyes Alliance, it can be forced to log user data and to hand over those logs at the request of the authorities. This means you could be at risk of being exposed to the government. If online privacy is a top priority, you’ll be better off choosing a VPN provider that is not located in a country that is a member of the 14 Eyes alliance.

Protocols (for VPNs)

A Virtual Private Network (VPN) protocol is a set of rules that govern how data is transmitted between your computing device and a VPN server. Consider a protocol as a kind of language that multiple devices have to understand in order to be able to communicate with each other. With VPN protocols, the VPN software that you install on your device has to use the same protocol on the VPN server in order for your computer to be able to use the VPN service.

One Time Passwords

A one-time password is a password that is valid for only one login session. This makes it impossible for hackers to get into your account with that password even if your login credentials are compromised. You can also use one-time passwords as part of the two-factor authentication process.

Password Generator

A password generator is a tool that randomly generates unique and complex passwords. When using a password generator, you have the option of specifying how long it should be or whether it can include combinations of numbers, uppercase and lowercase letters, and special characters. Some password generators are capable of creating very long passwords that can be understood and memorized.

Payload

A payload when used in the context of a computer virus or worm refers to that component of the virus that implements malicious activities. A virus or worm that has a destructive payload will be relatively more dangerous than one with a much more benign payload.

Perfect Forward Secrecy

A component of an encryption system that keeps data safe by automatically and frequently changing the key used to encrypt and decrypt information on every login and at least each hour thereafter. This means that even if one session is compromised, only a small portion of the user’s sensitive data is exposed. Keys are switched every time a user loads or reloads an encrypted web page, or every time a text message is sent. Without perfect forward secrecy, when a user logs in to a VPN for example, the entire session is encrypted based on the client’s key. But if that session is hacked, the entire conversation is compromised.

Proxy Server

A proxy server is a type of anonymizer that functions as an intermediary for requests made by clients seeking resources from web servers. The proxy sits between you and the web server that you’re trying to access. Internet traffic flows through the proxy server on its way to the address you requested. The request then comes back through that same proxy server and then the proxy server forwards the data received from the website to you.

The proxy masks your real Internet Protocol (IP) address and substitutes it with another IP address, making it difficult for hackers and other cybercriminals to target you online. This also allows you to get around restrictions and censorship. However, proxy servers do not provide any type of encryption.

Secure Notes

Secure notes is an all-encompassing term that is used to describe any credential that is not a password. This includes credit card info, national insurance numbers, online receipts, etc. All of the data that is contained in secure notes is encrypted in the same way that passwords are.

Sideloading

Sideloading is a term similar to uploading and downloading. It involves the installation of a third-party application on a mobile device without using the device’s official app distribution channel. These apps are downloaded from third-party app stores. Some of these apps are particularly vulnerable to malware infection due to the fact that they aren’t installed through official channels.

Split Tunneling

If you’ve decided to run your VPN off your router rather than through your devices or apps, split tunneling allows you to decide which of your traffic goes through the encrypted VPN tunnel, and which traffic accesses the internet directly with your regular IP. For example, you can choose to protect all of the computers on your network by routing their traffic through the VPN, but keep your printer open for normal traffic. This way, you can allow some people on the web to use the printer. This is a very useful feature to have because you can lose access to some services if you use a VPN.

Resuscitator

These are files that are designed to bring a software program back to life after it has been successfully removed from a computing device.

Social engineering

The concept of social engineering refers to a situation when an attacker engineers a social situation that encourages a potential victim to feel comfortable with the attacker and let their guard down. The attacker plays some sort of mind game with the potential victim, which allows them to accomplish their malicious goal.

Snooping and Sniffing

Cybercriminals can buy special kits and devices that allow them to access everything you’re doing online, from viewing pages you have visited to being able to capture your login credentials and even hijack your accounts.

Software Vulnerability

A software vulnerability is a security hole or weakness discovered in an operating system that renders it susceptible to exploitation by hackers.

Spoofing

Spoofing is the process of substituting a message from a shady source as coming from a recognized, trusted source. It can be applied to text messages, emails, phone calls, IP addresses, DNS servers and websites. Spoofing can also lead to the rerouting of internet traffic, which can lead visitors to malicious websites designed to steal information or distribute malware.

SSL

SSL stands for Secure Sockets Layer. It establishes a secure link between your browser and the web server to ensure that eavesdroppers and hackers are unable to see what you transmit, which is a must if you process sensitive information like credit card payments on your website. SSL and TLS can help you securely process that data so that cybercriminals can’t get their hands on it.

Your web server requires an SSL certificate to be installed on it. So, if you have a website and you want to establish a secure link between your web server and any browser that wants to access your website, you need to install a current SSL certificate. This certificate will serve as proof that your website is secured with SSL. So, any time a browser from anywhere in the world tries to access your website, it will check to see if the certificate has expired before completing the connection.

Torrent IP leak

A torrent IP leak occurs while torrenting. Torrenting is typically anonymized and encrypted when you’re using a VPN. A torrent IP leak occurs when the torrent client unveils the user’s real IP address while torrenting.

TLS

TLS stands for Transport Layer Security, and it is the successor to SSL. It is more advanced, and offers a higher degree of encryption and security. It is just a more recent version of SSL, and it fixes some security vulnerabilities in the earlier SSL protocols. As an end-user, you don’t need to worry too much about TLS vs SSL or whether you’re using an “SSL certificate” or a “TLS certificate”.

Two-Factor Authentication

Two-factor authentication, also known as 2FA, is a type of authentication method that requires presentation of two different authentication factors in order to access certain data on a password-protected site. Two-factor authentication is probably the most effective way of securing your online accounts because attackers have to crack your password and be in possession of your smartphone to gain access to your account.
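As an added example (not code from the original article), here is how the one-time passwords described in the One Time Passwords entry above, and used as the second factor in 2FA, are generated and checked: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), written in Python with only the standard library. The demo secret is the 20-byte test key published in those RFCs, and the OtpVerifier class is an assumed server-side wrapper that refuses to accept a code for a time step it has already redeemed, which is the property that makes the password one-time.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the 20-byte ASCII test key from RFC 4226 / RFC 6238.
# A real authenticator secret is random and shared with the phone via a QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so phone and server agree without a shared counter."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Assumed server-side check: accepts a code once only, within a small clock-skew window."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.used_counters = set()  # time steps whose code has already been redeemed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter in self.used_counters:
                continue  # replay of an already-used code: reject even though it would match
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0 for the RFC demo secret:", hotp(DEMO_SECRET, 0))
    print("TOTP right now for the RFC demo secret:", totp(DEMO_SECRET, int(time.time())))
```

The skew window of one step either side is what lets a phone whose clock is a few seconds off still log in; the used-counter set is what stops the same six digits from being accepted twice inside that window.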

Unlocked Phone

An unlocked phone is a phone that is not associated with a specific provider. This means that the phone can be activated on any phone service provider through the use of the provider’s SIM card.

Virus

A computer virus is malicious code named after the biological organism. A computer virus resides in your device’s hardware and software. Like the biological specimen, a computer virus steals resources from your use of the device and makes the device seem “sick,” i.e. slow or unresponsive. In some cases, a virus can be designed to destroy information or even render a device completely unusable.

VPN Protocol

A VPN protocol is the technology used by the VPN provider to ensure that you get a fast and secure connection between your device and their VPN servers.

Web Server

A web server is a computer that runs websites. The main objective of the web server is to store, process and deliver web pages to users using the HTTP protocol.

Website Spoofing

Website spoofing is the process of creating a fake website that is almost indistinguishable from the real thing. The aim of this scam is to steal your login credentials by getting you to log in to the fake site. The best way to determine if a website is bogus is to look at the domain name. A fake website will always contain a variation of the actual name. For example, instead of www.nike.com, the domain name will read www.nikesales.com.

Categories
INTERNET SECURITY

Top 15 Ways to Harden Your WordPress Blog and Protect it From Hackers


On average 30,000 websites are hacked every day (source: Sophos Security Threat Report). It is estimated that WordPress makes up about 30% of all existing websites today. This popularity makes WordPress a massive target for hackers and malware. Statistics show that more than 70% of WordPress installations are vulnerable to hacker attacks. 83% of the roughly 90,000 websites that get hacked each day are using WordPress.

This is why it is so important to take as many precautions as possible to secure your site. Now, if you have a small blog, you might be thinking “no hacker could possibly be interested in my tiny site“. Unfortunately, that’s the type of mentality that keeps you from taking any action to prevent these attacks from occurring in the first place.

It is important to realize that most attacks are automated. Hackers simply use software to automatically identify websites with vulnerabilities which they can take advantage of, no matter how big or small the websites are. So if you leave the front door to your website wide open, so to speak, they’re likely to just come right in.

Google have stated that they blacklist 10,000 websites that have been infected with malware every day and around 50,000 for phishing every week. If a site is blacklisted by Google, it will be removed from their index. This is what can happen to you if you don’t take proper care of your website.

Whilst you cannot prevent a hacker from attacking your site, there are things you can do to make their job as difficult as possible and to encourage them to go elsewhere. Read on to find out 15 things you can do today to reduce the risk of an attack and keep your website as safe and secure as possible from attackers and other threats that exist on the web.  

1. Change your WordPress admin username.

Changing the default WordPress username is one of the simplest and quickest things you can do to protect your WordPress site. This is because the most common WordPress attack is focused on gaining administrative access to your website by attempting to log in with your admin username. So, if your username is admin, you’ve already given potential hackers half of the information that they need to gain admin access to your website.

When choosing a username, avoid using the following names:

  • Your domain name
  • Your first, middle or last name or full name
  • Any common English names
  • The name you use to moderate comments on the site

If you’ve already set up your blog, you’re going to have to change the username to something that is unique and hard to guess, such as a name with alphanumeric characters.

2. Use a strong password that is virtually impossible to crack.

A unique and complex password that is not easy to guess is vitally important for the security of your WordPress site. You can use the password that your WordPress site generates automatically. That password typically contains a variety of numbers, nonsensical letter combinations and special characters like % or ^. That is a very strong password. But the problem with that password is that it is impossible to remember.

A better option would be to use a passphrase, which would be a lot harder for a hacker to guess. A passphrase can be anything. It can be a phrase from your favourite song or your favourite quotation. It is always going to be longer than a password and contains dashes in between words such as this: “You-cannot-have-a-harvest-without-planting-a-seed.” But the main reason you’ll want to use a passphrase is that they will be a lot easier to remember, and they will be next to impossible to crack by password cracking tools.


3. Hide your username from being found.

An attacker can easily find out your WordPress administrative username by using a tool such as WPScan. They can also find your username by adding ?author=1 to your site’s address in a browser, for example www.domain.com/?author=1. If the author ID is valid, they will be redirected to the author URL, for example http://www.example.com/author/admin.

It is the same process even when you change the WordPress administrative username. For example, if you changed the username to iron25dude, then by requesting the URL, the user will be redirected to http://www.example.com/?author=iron25dude.

WordPress usernames can also be found in the source code of blog posts and pages. This is why it is so important to hide the username, and avoid publishing anything using the WordPress administrator account username.

Take the following actions to avoid the display of your administrative username:

  1. Go to your profile page by going to Users -> Profile and make sure the First Name, Last Name and Nickname fields are populated. Note that the nickname field is typically auto-filled with your username. The nickname allows you to set the display name to something other than your username or first and last name.
  2. From the Display name publicly as drop down menu, choose a name that should appear in blog posts, pages etc. You can choose something like Admin to give attackers the impression that you’re using admin as your username.
  3. The quickest way to hide the login page is with the WPS Hide Login plugin. However, note that this also means you’ll be adding yet another plug-in to your WordPress.

4. Disable error login hints.

By default, WordPress displays an error message if you type in the wrong username or password on the login page.

For example, WordPress displays one error message when you enter the wrong username and a different one when you enter the wrong password.

This may be helpful for you, but the problem is that it is also helpful for hackers because they now know which part of the equation they have to work on. Furthermore, since WordPress 4.5, you’re able to log in to your WordPress site with your email address instead of a username. All of this can make it easy for hackers to compromise your account. Removing these error messages will make it a lot harder for hackers to know what they’ve guessed right or wrong.

To do so, you need to edit your theme’s functions.php file by adding the following code:

    function no_wordpress_errors() {
        return 'Something is wrong!';
    }
    add_filter( 'login_errors', 'no_wordpress_errors' );

This will remove the default error messages from your login screen. Now if you or anyone else enters an incorrect username, password or email, WordPress will simply show “Something is wrong!” without providing any hints as to what was typed in wrong.

If you don’t feel comfortable editing the functions.php file directly, you can do this using the code snippets plugin.

5. Limit the number of login attempts that a single user can make.

By default, WordPress allows unlimited login attempts. This can lead to passwords being cracked through brute force attacks. Many people use plugins in order to prevent this from happening and to stop users from continually trying to enter a new password. You can use a plugin such as the Limit Login Attempts plugin to limit the number of times a user can enter a password.

However, this is not necessarily the best option because the plugin has not been updated in years. A better option would be the BruteProtect plugin, which is now owned by the creators of WordPress. BruteProtect is now part of Jetpack, which, as you may be aware, comes pre-installed when you install WordPress. All you have to do is go into Jetpack and activate it from your plugins. This plugin will protect your login when it notices too many login attempts.

If you don’t want to add yet another plugin to your WordPress site, you can secure your login page by pasting the following piece of code to your .htaccess file:

    # Apache 2.2 access syntax (on Apache 2.4 this needs mod_access_compat, or use
    # "Require ip xx.xxx.xxx.xxxx" instead). The <Files> wrapper limits the rule to the
    # login page so the rest of the site stays reachable for visitors.
    <Files wp-login.php>
        order deny,allow
        Deny from all
        Allow from xx.xxx.xxx.xxxx
    </Files>

This code will deny anybody from logging in to your site except for the IP address that you have specified in the piece of code. You can also include the IP address of anybody else that you want to allow access to your website.
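Limiting login attempts only works if you can see them. As an added example that is not part of the original article, this Python script implements the same rate-limiting idea on the detection side: it reads web server access log lines in Apache’s combined format and flags any IP address that posted to wp-login.php at least a threshold number of times within a time window. The log lines are constructed for the demo (RFC 5737 documentation addresses), and the rule that a POST to wp-login.php answered with HTTP 200 is a failed attempt while a 302 is a successful redirect is an assumption about default WordPress behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Apache "combined" format (not real traffic):
# one IP hammering the login form, one normal successful login, and one user
# who mistyped their password twice more than an hour apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:20:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 8720 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:15:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def failed_login_attempts(lines):
    """Yield (ip, time) for each failed login. Assumption about default WordPress
    behaviour: a failed POST to wp-login.php re-renders the form with status 200,
    while a successful one answers with a 302 redirect to wp-admin."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php") and rec["status"] == 200):
            yield rec["ip"], rec["time"]


def find_bruteforce(lines, threshold=5, window_seconds=300):
    """Return {ip: total failed attempts} for every IP that made at least `threshold`
    failed attempts inside some window of `window_seconds` (sliding window per IP)."""
    per_ip = defaultdict(list)
    for ip, t in failed_login_attempts(lines):
        per_ip[ip].append(t)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until it lies within window_seconds of times[end]
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed wp-login.php attempts, candidate for blocking")
```

Run against a real access log with a cron job, the output is the list of addresses you would feed into the Deny rule above or into your firewall; the two slow mistakes from 192.0.2.9 stay below the threshold, which is the point of using a window rather than a lifetime count.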

6. Setup two-factor authentication (2FA) on the login page.

You can add an additional layer of security to your WordPress by enabling 2-factor authentication. This means that before anyone can login to your site, they will have to present additional pieces of information to gain access to the WordPress backend. You can configure this with the freemium plugin Google Authenticator – Two Factor Authentication. You don’t have to upgrade to the premium plan because the free plan is probably enough for what you need.

7. Set directory permissions carefully.

If you look through your directories and files in File Manager in your cPanel, you may have noticed a permissions column with various numbers. What you may not realize is that these numbers determine the level of access anyone can have to your website.

In File Manager, the permissions are shown on the right, and you can click on the permission number, enter a new numeric value and click Save. But what number should you change it to? Generally speaking, the lower the number that you have for your permissions, the more secure that directory is going to be.

But one number you must absolutely avoid when setting permissions is 777. This number will allow an intruder to gain complete access to your files. They can modify a file, upload malicious code and take full control of your website. To protect the entire file system, including directories, subdirectories and individual files, set directory permissions to 755 and files to 644. This becomes even more important if you’re using shared hosting.
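To check the 755/644 rule across a whole install rather than one entry at a time in File Manager, here is an added Python example (not from the original article) that walks a directory tree and reports every directory or file whose mode is more permissive than those values, listing world-writable entries such as 777 first, and can then set the expected modes. The build_demo_tree function creates a small constructed WordPress-like tree in a temporary directory for the demo; the script assumes a POSIX file system.

```python
import os
import shutil
import stat
import tempfile

# Target modes from the article: 755 for directories, 644 for files.
EXPECTED_DIR_MODE = 0o755
EXPECTED_FILE_MODE = 0o644


def audit_permissions(root):
    """Walk the tree under root and return (relative path, actual mode, expected mode)
    for every directory or file whose mode grants bits beyond the expected mode.
    Entries stricter than expected (e.g. a 600 wp-config.php) are not reported, and
    world-writable entries (anything with the o+w bit, such as 777 or 666) come first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        candidates = [(name, EXPECTED_DIR_MODE) for name in dirnames]
        candidates += [(name, EXPECTED_FILE_MODE) for name in filenames]
        for name, expected in candidates:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode is meaningless; its target is audited separately
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            if actual & ~expected:  # any bit set that the expected mode does not allow
                findings.append((os.path.relpath(full, root), actual, expected))
    findings.sort(key=lambda f: (not (f[1] & stat.S_IWOTH), f[0]))
    return findings


def fix_permissions(root, findings):
    """Apply the expected mode to each reported entry; returns the number changed."""
    for rel, _actual, expected in findings:
        os.chmod(os.path.join(root, rel), expected)
    return len(findings)


def build_demo_tree():
    """Constructed sample tree for the demo: a WordPress-like layout with one 777
    directory and one 666 file, everything else already at 755/644. Returns its path."""
    root = tempfile.mkdtemp(prefix="wp-perms-demo-")
    dirs = {"wp-admin": 0o755, "wp-content": 0o755, "wp-content/uploads": 0o777}
    files = {"index.php": 0o644, "wp-config.php": 0o666,
             "wp-content/uploads/photo.jpg": 0o644}
    for rel in dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in files:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("demo\n")
    for rel, mode in list(dirs.items()) + list(files.items()):
        os.chmod(os.path.join(root, rel), mode)  # set explicitly so the umask does not matter
    return root


def remove_demo_tree(root):
    """Delete the constructed demo tree."""
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, actual, expected in audit_permissions(demo):
        print(f"{rel}: {actual:o} (expected {expected:o})")
    fix_permissions(demo, audit_permissions(demo))
    print("after fix:", audit_permissions(demo))
    remove_demo_tree(demo)
```

Point audit_permissions at the document root of a real install to get the list; run fix_permissions only after reading it, since a handful of files (upload caches, for instance) may legitimately need a different mode than the two defaults.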

8. Do some due diligence when choosing your shared hosting provider.  

Hosting can play a big part in just how vulnerable your website is. Shared hosting is the most popular type of hosting plan because of its relatively low cost. However, this type of hosting is also the most vulnerable to security issues. This is because if you’re on a shared hosting plan, your website can be hosted alongside thousands of websites on a single web server. This means that all of those sites coexist in the same directory, and are accessible with the same FTP account. They also all use the same public IP address. This poses a number of security risks.

For example, if any one of the hosted sites does not adopt proper security measures and gets hacked, then that hacker can use that access to attack other sites on the same server.

You can also opt for a managed WordPress hosting account, so you don’t have to share space with other website owners. If you must go with shared hosting, here are some things to check about security before signing up to a shared host:

  1. Supports the most updated versions of software such as the latest PHP and MySQL versions.
  2. Isolates one website’s environment from another with a Firewall.
  3. Has intrusion detection mechanisms in place to alert you when there are intruders on your account.

9. Update your WordPress to the latest version

Updating to the latest version of WordPress is vitally important for the security of your site. If you’re not using the latest WordPress version, it means that you’re using software with known security vulnerabilities. Hackers are always on the lookout for loopholes that will provide the opportunity to get into sites. If you have not updated to the latest version of WordPress, you’re effectively increasing the security risk by leaving the door open to attacks.

Hackers can easily look at the WordPress security changelog to see the loopholes that have been fixed and take advantage of sites that aren’t up to date. They can then do an automated search for websites running these older versions, which are easy for hackers to find. The good news is that WordPress automatically rolls out updates and informs users by email whenever it does so.

10. Only login to your site from a safe and trusted computer.

When you think about protecting your WordPress website, you should also consider the computer you’re using to access the site. This is because the device that you use to login to your site can harm your website if it has already been infected. This is something to also consider if you’re working in a public place with an insecure connection such as a Wi-Fi hotspot.

No matter how secure we make our website, if the device that we are using to access the site is infected, then the chances of our website getting hacked are higher. Before you log in to your website, be sure to scan the device you’re using for any viruses or malware by running antivirus software to make sure your computer is safe.

11. Hide your database from hackers.

A WordPress website consists of both files and a database, and all of the data on your website is actually stored in this database. This is why the database is a hacker’s favourite place to attack a website: it allows them to attack multiple WordPress sites simultaneously by running automated SQL injection code. The default database table prefix is wp_, so hackers tend to run automated code targeting tables with that prefix.

You can easily prevent this by changing the database table prefix when you are installing WordPress, and it doesn’t really matter what you change it to. Just make sure that you pick something unique and that you stay away from the wp_ prefix. If you’ve already installed WordPress, you may have to get a developer involved because you’ll have to change the prefix in several places.

12. Avoid WordPress plugin vulnerabilities.

Plugins are wonderful because of the functionalities they can add to your site. But the way you manage plugins is crucial to your site’s security. And that is because badly coded, out-of-date plugins or rogue plugins are enough to bring your entire site down.

According to a survey by Wordfence, 55.9% of WordPress websites were breached due to plugin vulnerabilities. This is why it is so important that you pay particular attention to the way you manage plugins on your website.

Here are tips for keeping your site safe through effective plugin management:

  1. Scan for WordPress plugin vulnerabilities. If you’re unsure about any plugin, start by checking the WPScan Vulnerability Database, which lists plugins and their known vulnerabilities.
  2. Choose the right plugins. No plugin is 100% secure, but you can significantly reduce plugin vulnerabilities by doing some due diligence before installing them. This means only installing plugins from reputable sources like CodeCanyon, the WordPress plugin repository or trusted third-party sites. Here’s what to check to find out if a plugin is worth installing:
     • User reviews.
     • Updates and compatibility.
     • Active installations.
     • Support and documentation.
     • Average user ratings.

3. Update plugins regularly.

Out-of-date plugins are one of the most popular methods that hackers use to attack WordPress websites. Most times, plugin developers will release new updates for the plugins and include security updates. It is vitally important to keep updated to the latest plugins.

Chart of hacked WordPress sites (chart by Visualizer Life)

According to a Sucuri analysis, three popular out-of-date plugins (Gravity Forms, TimThumb and RevSlider) caused 18% of the hacked WordPress sites they looked at in Q3 2016. So, even if you choose the right plugins for your site, your site will still be at risk if you don’t keep them up to date. And the best way to keep your plugins updated is to enable automatic updates, which you can do with Easy Updates Manager. This plugin is free of charge.

4. Delete unwanted plugins. Go through your list of plugins and delete any ones that you are not using to avoid leaving yet another loophole for hackers to exploit. 

5. Only install well-maintained plugins. This means you should only use plugins whose last update was no more than a year ago. This is because when a plugin isn’t maintained, it is going to become vulnerable to hacking. One great thing about WordPress is that for every plugin out there, there are always one or two alternatives to choose from. Use as few, well-maintained plugins as possible.

13. Delete any themes you’re not using.

Another way to keep your site safe and secure is to delete any themes you’re not using. Not doing so can leave you wide open to hackers, who will always try to inject malicious code into vulnerable themes. So, the fewer you have, the fewer the chances are that they will succeed in doing so. If you ever decide to switch to a new theme, you can install several themes to identify the theme that you like or prefer to use on your site. But once you have confirmed your preferred theme, be sure to go back and delete the other downloaded themes so that no malicious code can be injected into any of them.

14. Keep a record of everything that happens on your WordPress.

It is important to take control of what is happening with your WordPress website. You need to know who’s logged in, where they are logging in from and what they are doing once they are logged in. The WP Activity Log plugin keeps track of everything that happens on the site in the WordPress activity log. Once installed, the plugin keeps track of everything that is done by everyone who has logged into the site.

15. Install a security plugin.

There are several WordPress security plugins available for your website. Here are four free and freemium security plugins that you can use to protect your site and keep it safe and secure.

Wordfence

Wordfence is one of the most widely used WordPress security plugins. It includes an endpoint firewall and malware scanner and will scan all your WordPress files including themes, plugins, posts and comments to look for malware infections.

Features:

  • Malware scanning
  • Monitors everything that takes place on your site, such as file changes, last logins and failed login attempts
  • Protects against SQL injections, XSS and all known attacks
  • DNS-level firewalls
  • Protects against brute force attacks
  • Improves site performance by blocking malicious traffic
  • There’s a free version and the pro version is $299 per year.

All-In-One WP Security & Firewall

The All In One WordPress Security plugin is comprehensive and 100% free. Unlike most of the other plugins, it doesn’t slow down your site. This powerful plugin covers various aspects of WordPress security, and is well supported and regularly updated. It has a user-friendly interface which makes it a lot easier to setup than most of the other security plugins. Security and firewall rules are categorized into “basic”, “intermediate” and “advanced”. This allows you to implement the firewall rules using a progressive points system.

Features:

  • Completely free
  • Scans for malicious patterns
  • Uses IP filtering to blacklist specific IP addresses
  • Allows you to generate strong passwords
  • Login lockdowns after failed login attempts
  • Website-level firewall

BulletProof Security

This plugin provides security against various types of online threats. The free plan offers a diverse range of security features including a malware scanner, firewall, login security, DB backup, anti-spam and much more. You can upgrade to the premium plan if you are interested in advanced security features, but the basic plan is sufficient to secure most small business websites.

Features:

  • Completely free
  • Scans for malware
  • User-friendly interface
  • Automatically logs out idle sessions
  • Protects logins
  • Database backups
  • Firewall protection

Cerber Security, Antispam & Malware Scan

Cerber Security, Antispam & Malware Scan is a free to use security plugin. This plugin mitigates brute force attacks by limiting the number of login attempts. The plugin defends against hacker attacks, spam, trojans and malware. Additional features are offered in the premium plan.

Features:

  • Reduces brute force attacks
  • Limits login attempts
  • Automatically identifies and deletes spam comments
  • Advanced malware scanner
  • Two-factor authentication
  • Hides wp-admin for users that are not logged in
  • Protects wp-login.php, wp-signup.php and wp-register.php from attacks.

Conclusion

So, there you have it. Securing your WordPress site from online threats should be a priority. I hope you now have the info you need to choose the ideal security tool for your needs.

Categories
CYBER SCAMS

Phishing Attacks – How They Work


Phishing is one of the oldest and most common online threats used by cybercriminals to trick users into revealing sensitive information or installing malware by way of email.

Email phishing is the most widely known form of phishing where scammers send fake emails that seem to come from authentic sources in a ruse to get users into revealing personal and financial information. However, attackers can also use phone calls, text messages or social media to try to fraudulently acquire your details.

While some very complicated schemes can be devised, virtually all types of phishing are based on a basic concept: millions of untargeted phishing emails are sent out each day asking for confidential information or encouraging recipients to visit a fake website where they’re asked to update personal information.

What phishers will do is message customers with an email ostensibly from a trusted organization (such as Microsoft, your bank, Facebook, PayPal, Amazon, etc.). They know that people are more inclined to pay attention to those types of messages.

Sometimes, it can be practically impossible for the average customer to determine that the email message is not the official one of the organisation it is meant to come from. This is because it will often have the organisation’s logo and format and will look exactly like the organisation’s official email. The “From” field of the e-mail may have a .com address that looks like the company’s official website. The message will usually include a spoofed link that you can follow to conveniently log in to a webpage and update your information. But the website is a spoofed version of the legitimate site. It was established with the sole purpose of stealing your personal information or infecting your computing device with malware.
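The advice in the Website Spoofing entry of the glossary above (look at the domain name) and the spoofed-link description here can be turned into a mechanical check. As an added example that is not code from the original article, this Python function extracts the registrable domain from a link and compares it with a list of trusted domains, flagging lookalikes such as www.nikesales.com, brand names buried in a subdomain, links that hide a different host behind a user@ prefix, and punycode hostnames. The trusted-domain list, the short public-suffix list and the sample URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed trusted-domain list for the demo (in practice: the services you actually use).
TRUSTED_DOMAINS = {"nike.com", "paypal.com", "amazon.com"}

# Assumed short list of multi-label public suffixes so that news.bbc.co.uk reduces to
# bbc.co.uk; a real deployment would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}


def registrable_domain(hostname):
    """Return the part of a hostname somebody had to register: the last two labels,
    or the last three when the last two form a known multi-label suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, registrable_domain) where verdict is one of
    trusted / lookalike / suspicious / unknown / invalid. Only the registrable
    domain decides trust; a brand name appearing anywhere else in the hostname
    is exactly the pattern the article describes (nikesales.com for nike.com)."""
    if "://" not in url:
        url = "http://" + url  # bare hosts as they appear in messages
    parts = urlsplit(url)
    hostname = parts.hostname or ""
    if not hostname or "." not in hostname:
        return ("invalid", hostname)
    domain = registrable_domain(hostname)
    # user@host: the browser ignores the part before '@', but that is what the reader sees
    if parts.username is not None:
        return ("suspicious", domain)
    # punycode labels can render as characters that look like the trusted brand
    if any(label.startswith("xn--") for label in hostname.split(".")):
        return ("suspicious", domain)
    if domain in trusted:
        return ("trusted", domain)
    brands = {t.split(".")[0] for t in trusted}
    if any(brand in hostname.replace("-", "") for brand in brands):
        return ("lookalike", domain)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links for the demo (example/placeholder hosts, not real sites)
    for link in ("https://www.nike.com/shoes",
                 "www.nikesales.com",
                 "https://paypal.com.secure-login.example/update",
                 "https://www.nike.com@evil.example/",
                 "https://xn--demo-placeholder.com/"):
        print(f"{link} -> {classify_link(link)}")
```

The useful output is not "trusted" but the other verdicts: a link whose registrable domain is not the brand's, yet contains the brand's name, is the case where the advice to type the address yourself rather than click applies.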

While this is a basic example of how phishing generally works, there are numerous variants of increasing complexity that are used to try to steal confidential information. With the huge increase in remote working thanks to COVID-19, cybercriminal activities like phishing continue to be on the rise. According to security experts, as many as 3 in 10 workers worldwide clicked a phishing link in 2020. In the US, it’s 1 in 3.

So, how did these scammers get hold of your private email address in the first place? Well, here are a few methods they use.

  1. They use bots to harvest email addresses by crawling the web for the @ sign. If your email address is publicly available on any website, a scammer is likely to find it and add it to their database.  
  2. They buy lists legally or through the dark web. This is why it is important to read the privacy policy before you sign up or submit your details to an online service. You need to know exactly what they are going to do with your email address.
  3. They use specialist tools to generate common usernames and pair them with well-known domains. For example, they might send email to maryj@gmail.com, davidhamilton@yahoo.co.uk and thousands of other combinations of names.

Examples of phishing attacks

Since the first lockdown in March 2020, the number of sites impersonating online services has skyrocketed. In fact, during the first lockdown period from March 2020 to July 2020, at least 1 in 5 people worldwide received phishing emails related to COVID-19. In addition, phishing email scams targeting Netflix subscribers have increased by 646%. Cybercriminals have also faked the email addresses of the NHS test and trace service, HMRC, Amazon and Tesco. Email phishing scams have also targeted drivers, asking them to verify their driving licence details or highlighting a failed tax payment and asking for banking information.

Another type of phishing scheme involves sending out emails targeting customers of well-known carrier companies. The senders expect only a very small share of recipients to respond, but the volume makes it worthwhile. For example, over the festive period, a number of users received fake emails claiming to be from Royal Mail and the delivery firm DPD, informing them that their parcel could not be delivered. The legitimate-looking emails asked recipients to click a link to pay a shipping fee so the parcel could be re-delivered. People who were actually expecting a package reported being caught out by the spam.

If you suspect that an email or text message you receive is a phishing attempt, your first step should be to contact the company immediately, using contact details you already hold rather than any supplied in the message itself. Also bear in mind that most legitimate businesses will never ask you for your password in an email. Your usernames and passwords are personal to you, and you should never give your login credentials to anyone who asks for them.

Phishing attack types:

Spear phishing

Where most phishing attacks cast a wide net, spear phishing attacks are personalised and aimed at a specific, well-researched individual, business or organisation. As with other phishing attacks, the aim is to infect the recipient’s computer with malware or to steal information. Attackers use information gathered from sources such as social media and other public platforms to home in on their target. For example, if you let it be known that you will be travelling to the Caribbean on holiday, you may receive an email from a “colleague” recommending an eatery to check out. If you click the link or open the attachment included in the email, malware is likely to be downloaded onto your computer.

Smishing

This type of phishing attack is delivered to smartphone users through text messages that entice you to click a link in the message. For example, you might receive a text advising that your bank account has been disabled because suspicious activity was detected, and telling you to click a link in the text to recover your account. These links are always dangerous and you should never click on them. They are designed to direct you to spoofed websites that impersonate your accounts and attempt to infect your phone with malware or steal information. Some text messages specifically target HSBC customers. These messages are sent to thousands of mobile numbers in the hope that they will reach some HSBC customers.

Social media phishing

Cybercriminals use social media sites such as Facebook as a platform to launch cyberattacks designed to steal personal information or spread malware. Some attacks are even used to hijack your accounts to attack your friends.

Examples of social media phishing attacks:

  • You receive an email claiming to be from Facebook saying that your account has been ‘reported for abuse’. You’re then prompted to log in on a spoofed Facebook login page to provide personal information and update your credit card details to prove that your account is legitimate.
  • You may be prompted to like and share innocuous-looking photos of puppies and other animals on Facebook. These photos are actually posted by cybercriminals to generate tons of likes and shares. Once the photo has received a large number of likes, the fraudster will link the photo to a fake website that downloads malware to the computing device of anyone who subsequently clicks on that photo.
  • During the holidays, you’re likely to come across fake coupons from the major supermarkets, offering a certain amount off your next purchase. The ploy is to get you to fill out the details, which means you will be handing over your personal information to fraudsters.

Search engine phishing

This type of attack occurs through search engines. Cybercriminals set up well-optimised but fraudulent websites that appear in the organic search results for popular keywords or search terms.

Voice phishing

With voice phishing (also known as vishing), the scammer impersonates a government agency or other organisation on the phone and tries to extract money or sensitive information such as banking details. Vishers use fear tactics to dupe you into thinking your money is in danger and you must act quickly. They threaten people with police arrest, deportation, license revocation, etc. Personal data can be gathered from social media profiles, providing fraudsters with sensitive details to make cyberattacks appear more legitimate. Fraudsters often spoof phone numbers to disguise the real origin of the call.

Pharming

Pharming is when an attacker manipulates the internet’s domain name system (DNS) so that traffic intended for a legitimate website is rerouted to a fake one, with the aim of stealing confidential information. These “spoofed” websites can steal your personal data, including usernames, passwords and banking information, or even install malware on your computer. This type of cybercrime is particularly worrisome because you can type the correct address into a completely virus-free computer and still fall prey to cybercriminals.

How can I spot a phishing email scam?

The fact of the matter is, anyone can make a mistake.

It only takes a split-second lapse in judgement to fall into the hands of an attacker.

Fortunately, most phishing attacks share warning signs that give them away.

According to Action Fraud, the following characteristics are common to phishing scams:

  1. One of the most obvious signs of a phishing email is that the sender’s email address will usually differ from the web address of the legitimate organisation.
     Notice the misspelling in the URL that claims to be from Facebook.
  2. Most phishing emails use generic greetings. Most legitimate companies have enough data about their customers to address them by name when communicating by email, so a lack of personalisation is often enough to separate real emails from fake ones.
  3. Never download an attachment from an unsolicited email, even when you recognise the sender, as their account might have been hacked. The risk is simply not worth it. According to the 2019 DBIR, email attachments were the leading cause of malware delivery in 2018 cyber incidents, with 45% of malware coming from attached Microsoft Word documents.
     Account disabled phishing scam.
  4. Phishing emails will often seek a quick, emotional response from the recipient using inflammatory or threatening language, such as a warning that your account will be terminated unless you act immediately.
  5. The email contains a clickable link to a different site from the one it purports to come from. The destination web address might look like the proper address, but even a single character’s difference means you are going to a different website.
  6. The destination address looks fishy. If the email contains a clickable link and you want to find out where it leads without clicking, hover your cursor over the link and look at the URL shown in the bottom left corner of the window.
  7. The email includes a request for confidential details such as login information or bank details. Most legitimate companies never ask for personal details in an unsolicited email.
  8. The email claims to be from a leading brand, but is full of spelling and grammatical mistakes.
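Several of the signs in this list, and the advice later on this page to hover over a link and compare the destination with the site it claims to be, can be checked mechanically: a sender domain that is not the brand’s real domain or is one character away from it, link text that names one site while the href points at another, a generic greeting and pressure language. The Python below is an added example written for this page, not Action Fraud’s or the article’s own code; the brand allow-list, the wordlists and the sample message are constructed for illustration, and the checks are heuristics for a single-part message, not a complete filter.

```python
"""Heuristic checks for the phishing warning signs listed above (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of brands and their genuine domains (an assumption for the example).
KNOWN_BRANDS = {"facebook": "facebook.com", "paypal": "paypal.com", "linkedin": "linkedin.com"}
# Assumed wordlists for the "pressure" and "generic greeting" signs; tune for your own mail.
URGENCY_WORDS = ("immediately", "suspended", "terminated", "within 24 hours", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
# Good enough for mail bodies; a real filter would use an HTML parser rather than regexes.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registered_domain(host):
    """Crude registrable domain: last two labels, or three for ccTLD forms such as .co.uk."""
    labels = (host or "").lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "gov", "ac") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def one_edit_apart(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(domain):
    """Return the genuine brand domain that `domain` imitates by one character, or None."""
    for genuine in KNOWN_BRANDS.values():
        if domain != genuine and one_edit_apart(domain, genuine):
            return genuine
    return None


def shown_domain(link_text):
    """Registered domain if the visible link text is itself a URL or bare domain, else ''."""
    text = link_text.strip()
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return registered_domain(host) if "." in host and " " not in host else ""


def phishing_indicators(raw_message):
    """Return the warning signs found in one single-part raw message as a list of labels."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    findings = [] if sender else ["blank sender"]
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = TAG_RE.sub(" ", body)
    haystack = " ".join([display_name, msg.get("Subject", ""), text]).lower()
    # Sign 1: the sender's domain is not the brand's real domain, or is one character off it.
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if sender else ""
    for brand in (b for b in KNOWN_BRANDS if b in haystack):
        if sender_domain != KNOWN_BRANDS[brand]:
            findings.append("sender domain is not %s" % KNOWN_BRANDS[brand])
    if lookalike_of(sender_domain):
        findings.append("sender domain imitates %s" % lookalike_of(sender_domain))
    # Sign 2: generic greeting instead of the customer's name. Sign 4: pressure language.
    if any(g in haystack for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(w in haystack for w in URGENCY_WORDS):
        findings.append("urgency language")
    # Signs 5 and 6: the link text shows one site but the href goes to another, possibly
    # a lookalike that differs from the genuine domain by a single character.
    for href, inner in ANCHOR_RE.findall(body):
        dest = registered_domain(urlparse(href).hostname or "")
        shown = shown_domain(TAG_RE.sub("", inner))
        if shown and shown != dest:
            findings.append("link text %s but destination %s" % (shown, dest))
        if lookalike_of(dest):
            findings.append("link destination imitates %s" % lookalike_of(dest))
    return findings


# Constructed sample message for illustration (not a real email).
SAMPLE_PHISH = """\
From: "Facebook Security" <security@faceboook.com>
To: user@example.net
Subject: Your account has been reported for abuse
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer,</p>
<p>Your account will be suspended unless you act immediately.</p>
<p>Log in at <a href="http://facebok.com/login">https://www.facebook.com/login</a> to verify.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_PHISH):
        print("-", finding)
```

Run against the constructed sample, the checks report the extra “o” in the sender domain, the missing “o” in the link destination, the mismatch between the visible link text and its href, the generic greeting and the urgency wording.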

How can I avoid phishing attacks?

Phishing messages are getting more sophisticated and harder to spot. No matter how observant or vigilant you are, some may still get past you. Here are some tips to help you spot and avoid the most common phishing attacks.

  • Configure a spam filter that detects blank senders, spam, viruses, etc.
  • Always hover your mouse over links in emails to check where you’re being directed.
  • Be especially wary of emails that try to pressure you into performing a specific action.
  • Update your operating system and applications with the latest security patches and updates.
  • Get a premium VPN that blocks malicious websites.
  • Install antivirus and antimalware software.
  • Convert HTML email into text-only email.
  • Be wary of emails with links or attachments from people you don’t know.
  • Do not click on links from unfamiliar sources.
  • Do not enter your personal details into any website on the basis of an unsolicited email.

Where to report suspicious emails:

  • Suspicious Email Reporting Service (National Cyber Security Centre)
  • Report a Suspicious Email to PayPal
  • Cyber Aware

Categories
CYBER SCAMS

Recruitment Fraud – How to Avoid Being Scammed

Reading Time: 4 minutes

With the unemployment chaos and hardship brought on by the Covid-19 pandemic, fraudsters are targeting vulnerable job seekers who are looking for work. Scammers take advantage of every opportunity they can find, and the on-going pandemic has created a perfect storm for fake job scams to thrive. This scam has been so rampant that it has prompted some big brands to release public announcements stating that they never ask for money during their recruitment process.

Read on to recognize how this cruel scam works so that you know how to prevent yourself from becoming another victim of a recruitment scam.

How do fake job scams work?

Recruitment scams make it appear as if you’re being offered a job role. But in reality, there is no job, and the scammers are simply trying to get at personal information that you as a job seeker would freely provide to prospective employers. These include your full name, proof of address, social security number/national insurance number, bank details and copies of your passport. The scammers can then use these credentials to assume your identity and raid your bank account, apply for personal loans and mobile phone contracts or set up fake businesses in your name.

Recruitment scams are generally well organized and sophisticated, often using fake recruitment agencies and conducting telephone and video interviews with applicants. Some job scams even go as far as offering you employment. This can make it difficult to spot a fake job offer until it’s too late.

A fake recruitment scam typically begins with scammers flooding the jobs market with fake advertisements targeting people who are looking for work. You may discover several enticing job offers on the largest and most trusted job sites such as Indeed, Reed, CV-Library or LinkedIn. Scammers may set up fake companies to facilitate the scam, but they can also spoof real companies and steal the identities of HR managers and recruiters to make the scam appear as authentic as possible. So, just because you find an enticing job offer on a big job site doesn’t mean that the offer itself is genuine.

Some recruitment scams also involve getting you to pay for fake online training to improve your CV so that you can be considered for the role. These bogus courses may look like they were put together by professional organisations, and you may even be provided with a certificate when you complete the course. In addition, you might be asked to complete a bogus background check that costs £50.

What to look out for:

Fake job openings can sometimes be hard to spot. Fortunately, there are things you can do to prevent yourself from becoming a victim of a recruitment scam. Before you apply for any ‘hot job’, review the following warning signs that might indicate that the job offer is actually fake.

Does the company have a professional website?

Never assume that a job is legitimate just because the ad for the job is on a well-known platform. If you come across a job listing that looks very enticing, take the time to research the company before you apply. Start with the company’s website. If they don’t have one, or the site is unprofessional or thin on content, consider that a red flag. A genuine company will have a professional-looking website with real information about the company.

Look up the WHOIS information for the website to find out how old the domain is. If it was only registered a few months ago, consider that another major red flag. Does the company have an active social media presence with genuine followers? If the company is not present or active on social media, you are probably dealing with a job scam.

Does the job offer sound too good to be true?

Steer clear of job listings that offer you above-average income for part-time hours or where the qualification requirements are very low. Job scammers often keep the requirements deliberately simple to attract as much interest in the role as possible. When searching for a job in your field, you should have a clear idea of the average salary it pays, so you should be able to tell when a salary is unrealistic. If the pay rate is far higher than you would typically earn, consider this a major red flag. Remember, if it sounds too good to be true, there’s every chance that it is.

Check for grammar and spelling

Genuine businesses employ professional writers, and their job descriptions are carefully worded and written with attention to punctuation, grammar and spelling. If the job requirements or description are poorly worded, vague, or littered with capitalisation, spelling and grammatical errors, consider that a big warning sign that the job is probably not real.

They ask you for money or confidential information

Legitimate businesses will never ask you for confidential information or to pay for something as part of the application process. On the other hand, job scammers often ask for bank account details, national insurance numbers and other confidential info as part of an elaborate scam.

If the job is a sensitive role that involves working with children or vulnerable people, you’ll be required to complete a DBS check. But before you do so, ensure the website is listed here: dbs-ub-directory.homeoffice.gov.uk/. If you are required to take a course prior to starting work, verify that any course you are asked to take is provided by an accredited firm on nmj.cipd.co.uk/qualification-finder.

They offer you a job right away

If a company contacts you out of the blue and wants to hire you right away based on your CV which they found online, you should be very wary of that job offer. Legitimate companies will always have a formalised procedure which involves at least a formal interview. You should be wary of any vacancy that offers a job without an interview process, as it is likely to be fake.

For more information on how you can protect yourself from recruitment fraudsters, visit: www.safer-jobs.com

If you have been victim of recruitment fraud, contact Action Fraud on 0300 123 2040.

Have you been a victim of a fake job scam? Please share your story in the comments.

Categories
CYBER SCAMS

LinkedIn Scams – How to Avoid Them and Protect Yourself

Reading Time: 4 minutes

As the world’s largest professional network, LinkedIn is probably the last place you would expect to be associated with internet scams. It is a powerful platform that you can use to cultivate professional business relationships. But cybercriminals target websites with large user bases, and LinkedIn’s 760 million members are very attractive to them. Furthermore, LinkedIn provides attackers with easy access to a treasure trove of personal information and corporate data that can be used to commit a range of cybercrimes such as spear phishing attacks and identity fraud.

Here are some of the most prolific LinkedIn scams to watch out for in 2021.

Phishing emails

LinkedIn phishing emails are fraudulent emails that are designed to fool the unsuspecting recipient into thinking that they have received an email from the social network. LinkedIn is the world’s most trusted social network, and that trust is why emails with “LinkedIn” in the subject line have an open rate of almost 50%.

Here are the most common LinkedIn phishing emails:

Bogus connection requests

Fake connection requests from fake users are one of the most prevalent scams on LinkedIn. LinkedIn members get used to clicking on links in these messages, and therein lies the threat. The email will look like an authentic LinkedIn email, with the exact LinkedIn logo and branding. It may ask you to click a link to “visit your inbox now”, or to “accept” or “ignore” the invitation. If you click any of these links, you will be directed to a spoof webpage mimicking the official LinkedIn website, where you will be prompted to type in your login credentials. The aim is to steal your personal information, which can then be used to commit identity-related fraud.

Cloned profiles

A LinkedIn profile gets cloned when a fraudster creates a brand new LinkedIn account in your name. Once the account is created, the fraudster copies all of the personal information they find on your account to the fake profile, including photos, projects and credentials, to make it look identical to your own profile. Once the cloned account is set up, your connections might receive a LinkedIn message from the fraudster that includes a malicious, active link for them to click on.

Fake support emails

Fraudsters send you a bogus email pretending to come from LinkedIn support. The email will often contain a clickable link to a bogus webpage where you’ll be prompted to confirm your login credentials. In some variations, it might also say that your LinkedIn account has been blocked due to inactivity. Clicking the link in the email can result in malware, spyware or some other type of malicious software being downloaded to your device. Alternatively, you may be taken to a bogus LinkedIn webpage where you’ll be prompted to enter your login credentials.

What to do if you receive a fake LinkedIn message

  1. Do not click on links in emails that purport to come from LinkedIn unless you are absolutely sure of their source. You can check where a link is going by hovering over it. As you do this, look at the bottom left of your web browser, which will show you where you will be taken on clicking the link. If it shows anything other than LinkedIn’s own domain, you can be sure that you’re dealing with a scammer.
  2. Create a stronger password straightaway.
  3. Increase the security of your account by setting up two-factor authentication.
  4. Contact LinkedIn support.

Fake LinkedIn profile

There has been an explosion of fake LinkedIn profiles created by scammers for a variety of purposes. Some scammers create fake profiles to pose as recruiters or candidates in order to attract new connections. For example, a scammer might create a bogus profile pretending to be a job candidate so they can connect with other candidates in the same field. The goal of the scammer is to earn your trust so that you agree to connect when they send you an invite.

But connecting with a fake LinkedIn profile can give scammers a lot of important information about you, including details about your history and contacts. In addition, when you accept their invite, fraudsters also get access to your LinkedIn email address. They can then check that address on sites like haveibeenpwned.com to find out whether it has appeared in a data breach and whether you might be using the same password on multiple sites.

Once you accept their invite, scammers will leverage this trust to send you messages that could contain malicious links. You might also receive fake job offers designed to steal personal information and other devious schemes. So, if you receive an invitation to connect with someone you don’t know on LinkedIn, be sure to check out the user’s profile before you accept that invitation.

How can I identify a fake LinkedIn profile?

It is important to know how to spot fake LinkedIn profiles so that you can avoid connecting with them. There are certain things to look out for that will indicate you’re dealing with a fake profile.

1. Fake photo

This is probably the most obvious sign that you can use to identify a fake profile. Scammers know that a profile without a photo is less trustworthy than a profile with a picture, so they tend to use professional, stock images for their photos. If you have reservations about a particular profile, you can check whether the photo is legitimate by doing a reverse image search of the photo on Google.

  1. Go to images.google.com.
  2. Click the camera icon.
  3. Paste in the URL for the image.

Google will show you where that image has been used online. If you see that the profile photo is a stock photo from Shutterstock, Getty Images, etc. or has been used on multiple LinkedIn profiles, then there’s very little doubt that you’re dealing with a fraudster.

2. Thin content

Fake profiles will have sketchy background information about the person that just doesn’t add up. It will often be incomplete, lack cohesiveness and contain generic job titles such as ‘Manager’. Real profiles usually contain relevant information that helps you understand the user’s background. If a LinkedIn profile lacks any meaningful information about the member, it is highly likely that the profile is fake.

3. Poor spelling and grammar

Many fake profiles will often have general presentation issues such as poor grammar and misspellings. The name might be spelt in all caps or all lowercase. Generally, these types of errors in a profile should raise a red flag.

If you come across a fake profile, follow these steps to submit a report:

  1. Click the More icon on the member’s profile.
  2. Click Report/Block.
  3. Select Report this profile in the window that pops up.
  4. Select a reason why you think the profile is suspicious.
  5. Click the submit button to complete the process.

Categories
CYBER SCAMS

Impersonation Scams – What You Need to Know

Reading Time: 5 minutes

An impersonation scam occurs when a person is tricked into making a payment or providing sensitive information to a fraudster who claims to be from a trusted organisation such as a bank, the police, a utility company, or a government department such as HM Revenue & Customs (HMRC). Almost 15,000 impersonation scam cases were reported in 2020, up 84 percent compared to the same period in 2019.

Top impersonation scams

Clone firm investment scams

Clone firms are bogus companies that have been set up by fraudsters using the details of genuine companies authorised by the FCA (Financial Conduct Authority). With this scam, legitimate investment firms are impersonated to trick people into parting with their cash. Victims are often contacted via social media platforms, marketing emails or search engine channels. Clone firms may offer you investments in products such as student accommodation, cryptocurrency, FX, shares and bonds that are non-tradeable, worthless or even non-existent. According to the FCA, consumers reported average losses of £45,242 each when investing with fraudsters impersonating legitimate investment companies.

How do clone firm scams work?

The process begins with fraudsters setting up a cloned website using the name, address and Firm Reference Number (FRN) of a legitimate firm authorised by the FCA. Much of the content on the bogus website will be the same, but the contact details will be changed, so that when you try to get in touch with the legitimate firm you’ll be corresponding with the fraudsters instead.

How can I avoid being scammed in this way?

Clone firm scams are highly sophisticated and often very difficult for ordinary people to spot. Even if you do some due diligence by checking the FCA register, it isn’t enough on its own, because you’re dealing with the impersonation of a legitimate firm. This means the Firm Reference Number will be genuine. In fact, fraudsters often encourage victims to check the FCA register as proof of their legitimacy. If you are currently considering an investment opportunity, here are tips offered by the FCA to avoid falling victim to this scam.

  • Check out the regularly updated warning list of firms that you should avoid doing business with.
  • Only deal with investment firms on the FCA register to ensure you’re dealing with an authorised firm.
  • Use the phone number on the FCA register to ensure that you are dealing with the legitimate firm.
  • Consider getting impartial advice before going ahead with the investment opportunity.
  • Contact the FCA’s consumer helpline for advice.
  • When researching a company online, make sure the name of the firm is spelt correctly.

Make sure you check the register by typing register.fca.org.uk because the Register has also been cloned by fraudsters.

HM Revenue & Customs (HMRC) Scams

In the UK, scams impersonating the tax authorities have been going on since at least 2016. HMRC is a key target for fraudulent campaigns mainly because it is a government department and one of the UK’s most trusted bodies. Media reports suggest that nearly 1 million people in the UK have received calls, emails or texts from criminals impersonating tax officials in the last year. According to the National Trading Standards eCrime unit, HMRC scams are most prevalent around paper and online tax deadlines.

Tax refund email scams

Millions of self-employed Brits who file Self-Assessment tax returns each year are the primary targets for tax refund scams, especially in the run-up to January’s tax return deadline. Around this time, many receive legitimate-looking emails bearing the HMRC logo that claim they are owed a tax rebate to help protect themselves from the coronavirus (COVID-19) outbreak. The aim of these scams is to trick you into providing sensitive information such as your bank details.

Tax scam emails are becoming increasingly sophisticated, and can be hard to spot because they often appear to come from official government email addresses. They contain the taxman’s official GOV.UK logo, along with the crown. They can also include official-style reference numbers, reference your Government Gateway account, and are even signed off with the name and/or signature of a real HMRC employee.

How to spot fake HMRC tax emails:

Fake HMRC tax emails are becoming increasingly difficult to differentiate from the real thing. HMRC have also admitted that many fraudsters now falsify the ‘from’ address to look like an authentic HMRC address, for example ‘@hmrc.gov.uk’. But here are a few things to keep in mind that should make it easier to spot a fake email purporting to be from HMRC:

  • Spelling errors and mistakes in the email’s text are an obvious giveaway.
  • HMRC does contact people about outstanding tax bills, and uses automated messages at times. However, these calls will always include your taxpayer reference number.
  • HMRC will never ask you to disclose confidential information such as your full address, postcode, Unique Taxpayer Reference or bank details.
  • Be suspicious of tax emails that pressure you to act immediately. HMRC have confirmed they do not make these types of threats or demands.
  • HMRC will never send an email or text asking for sensitive information like bank details or personal information for tax rebates or refunds. They only ever send such letters by post. If you’re asked to share sensitive information like bank details to get a tax rebate, you can be 100% sure that it’s a scam.
  • Be cautious of an email that starts with a generic greeting such as “Dear customer”. Emails from HMRC will always use your registered name.
  • HMRC will never provide a link to a secure login page. Customers are advised to avoid clickable links within emails and text messages and navigate directly to the secure website and log into accounts directly.

What to do if you receive an email you suspect might be fake

If you receive such an email, HMRC requests that you forward all suspicious emails to phishing@hmrc.gsi.gov.uk for investigation. You can forward suspicious text messages to 60599. Text messages will be charged at your network rate. And if you have cause to believe you may have fallen victim to such a scam, you are advised to report the matter to your bank/card issuer ASAP.

If you are ever unsure about the legitimacy of an email, here’s HMRC’s phishing email guide that provides some insights into how to recognize a fake tax email. HMRC have also published guidance on what’s genuine HMRC communication, and what’s bogus.

HMRC Phone Scams

HMRC phone scams involving criminals impersonating a tax official are often targeted at the elderly and vulnerable. They typically begin with an automated call from “Officer xxx from HMRC” with a warning that there is a criminal court case filed against you and a warrant out for your arrest.

You are urged to call the number provided in the call immediately. On calling that number, you’re likely to be informed that you have an outstanding tax bill that requires urgent payment. You may also be threatened with a criminal record if you refuse to pay. The amount of personal information that the professional-sounding caller shares about you is likely to convince victims that the impersonator is genuine.

Tax scam text messages

One of the most widespread messaging scams is bogus notifications from HMRC. Cybercriminals use text message spoofing, substituting the SMS sender ID so that the message appears to come from HMRC rather than from a phone number. These messages will typically include hyperlinks to websites that harvest your confidential information or download malware to your device.

Examples of messages you might receive include:

  • Tax refund: Recipients are told they are entitled to a tax rebate and to click on the included link to claim their refund.
  • Goodwill payment: A Covid-19 scam informing customers they are entitled to a “goodwill payment”, with a link where you can apply for this payment. Here’s an example of the scam wording: ‘As part of the NHS promise to battle the COV- 19virus, HMRC has issued a payment of £258 as a goodwill payment. Follow link to apply.’
  • ‘£250 fine’ text message: This text message claims you are going to be fined £250 for leaving the house more than once. The message also includes an 0800 number to call to appeal and a link for more info.

Categories
CYBER SCAMS

How to Easily Spot and Avoid Instagram Scams

Reading Time: 4 minutes

With over 1 billion active monthly users, Instagram is now the most popular photo and text sharing platform in the world. 100 million users log in every day to share everyday activities and moments. Unfortunately, this popularity has also made Instagram a regular hunting ground for ruthless attackers. According to the BBC, Instagram fraud reports have increased by almost 150% since the pandemic began. And if you don’t have your guard up, you might unwittingly become the next victim of the numerous scams that proliferate on the platform.

Read on to learn about some of the most common scams on Instagram so that you can protect yourself, your money and your identity.

Counterfeit products

According to a study by analytics company Ghost Data, fake brand accounts selling counterfeit goods have almost tripled on Instagram over the last three years and account for 65 million posts a month. The most commonly faked products are bags, shoes and clothes by high-end retailers such as Apple, Gucci, Nike and Louis Vuitton. These fake accounts boost their popularity with fake likes and followers and make consistent posts that help to make them look like the real deal. Ghost Data estimates that as much as 20% of all posts covering fashion promote fake products and more than 50,000 accounts are hawking counterfeit products every day.

To avoid getting scammed, check the account you want to buy from carefully. Is the account verified? The big brands should have a blue verification badge on their account. Click the link on the account to see where the URL leads. Most importantly, use common sense and consider whether it makes sense for a traditionally expensive product to be offered at such a low price. If they use odd payment methods, that should be another major red flag.

Fake investment schemes

One of the most prolific scams on Instagram is the fake investment scheme, which has ensnared many young people. The scam targets followers of financial institutions on the platform. According to an Action Fraud report, hundreds of young people aged between 20 and 30 are increasingly falling for these cheap “get rich quick” schemes, which have cost 164 victims £358,809 in the UK alone. The scam often begins with a direct message that lures the unsuspecting user to an awesome-looking Instagram page featuring a man surrounded by exotic cars and private jets.

The criminals convince their victims to hand over money with the promise that they will multiply their value by trading on the stock market or by buying and trading foreign currency. The scam promises a massive return on a £600 investment within 24 hours. The feed of the page contains genuine-looking proof in the form of images, testimonials, reviews and videos. But shortly after, the scammer gives the victim excuses as to why they cannot return their money and profits unless more money is sent. Eventually, the victim is blocked from contacting the scammer.

You can avoid falling for this scam by not responding to direct messages that include requests for money from strangers. Before you sign up to any investment-related offers, always verify the identity of the supposed financial company with the Financial Conduct Authority (FCA) or the Securities and Exchange Commission (SEC).

DM Phishing Scams

There are several variations of this scam. For example, you might get a direct message supposedly from Instagram claiming that your account has been hacked or that you’ve been approved for a verification badge. In other cases, you might get a message that your photos have been featured on a porn site, or a message warning that you’ve infringed upon an image’s copyright and will need to fill out a form to avoid having your account suspended.

Whatever the case may be, the aim of these types of messages is to get hold of your login credentials. These messages will usually include a malicious hyperlink. If you click on the link, you’ll be taken to a fake Instagram login page where you’ll be prompted to log in with your email address and password.

Here’s what can happen if you do log in to that page:

  • You’ve provided your login details to a fraudster.
  • You will usually be locked out of your account.
  • Your identity is likely to be stolen.
  • The scammer will attempt to login to all of your online accounts.
  • Malware will likely be sent out to your followers, friends and contacts. 

Use common sense when dealing with any message you receive. Avoid clicking on links that are included in any of these types of messages. You may also want to enable two-factor authentication to protect your account.

Fake giveaways

Giveaways are generally used as a legitimate marketing tactic, but some are scams with non-existent prizes. The main aim of these fraudulent giveaways is to gather as much personal information as possible. The best way to identify a fraudulent giveaway is by looking at the account sponsoring the promotion. If the account has an official company name plus “giveaway” as its username, it’s probably fake. When real companies run a giveaway, they don’t create a separate account for the giveaway. They do it through their official account.

Useless courses

This scam consists of rip-off courses and workshops promoted by so-called experts. Aspiring bloggers and influencers are often caught out by this scam. Before you spend big money on courses, it is important to vet them carefully. Ask for unequivocal money-back guarantees and testimonials from previous students.

Have you been targeted by fraudsters on Instagram? Please share your story in the comments.


Facebook Scams: How to Stay Safe and Secure

Reading Time: 12 minutes

If you have a Facebook account, you must realize that you’re at risk of being targeted by fraudsters. With opportunistic criminals doing everything they can to take advantage of a user’s social and psychological naivety, it’s no surprise that scams on social media are at unprecedented levels, and Facebook’s 2 billion+ monthly active users make the platform super-attractive to fraudsters looking for potential victims.

Read on to learn about some of the most common scams that have occurred on Facebook.

On average, over 4.75 billion items are shared by Facebook users each day. Many of these items include links posted to open community fan pages. Unfortunately, many of these links are primarily designed to redirect you to pages that have been infected with different types of malware. Be aware that, unlike in the past, viruses can be downloaded to your computing device just by visiting an infected webpage.

  • Whenever there’s a big news story, attackers will hijack the story to create posts that contain malicious, clickable links and post them all over Facebook. Clicking the link often leads to a blank page, and users might think they’ve simply clicked on a bad link. But just by visiting that page, malware has already been downloaded to that user’s computing device.
  • Attackers create posts with sensational headlines that are designed to appeal to your emotions and entice you to click on the link. For example, “Win a free iPad!” or “Win a trip to Dubai!” More often than not, these posts are scams. They’re an attempt to get you to enter your personal information into a bogus webpage that you’re taken to once you click on the post.
  • If any of your friends’ accounts have been hacked, attackers will often create posts that contain malicious links and post them on your timeline. The fact that the post was shared by a friend is designed to lure you into a false sense of security that the link in the post is safe because it is coming from your friend.
  • Fraudsters use links to videos with the tag “is this you?” or “Hey (your name), what are you doing in this video lol! ” The message will be sent from someone you’re friends with on Facebook. The aim is to get you to click the link, which either directs you to an infected page or asks you to download an application to view the material.

Spoofed Facebook Phishing Emails

According to Vade Secure, a company that specializes in email security, Facebook ranks second in their list of most impersonated brands in phishing campaigns. These campaigns can take several forms. In one example, potential victims are told in an email that their posting privileges have been temporarily restricted for violating Facebook’s standards.

You may also receive fake notification emails. Basically, they spoof Facebook’s email messaging service to make it look as if you have an official message from the platform. The main objective is to get you to click on a malicious link to a bogus Facebook page. Cybercriminals can also develop spoofed Facebook webpages that mimic the real thing. Once you login with your username and password, you’re handing over your credentials to the cybercriminals that created the page.

If you come across a webpage that prompts you to re-login to your Facebook account, take a good look at the address in your browser’s address bar: it must read ‘facebook.com’. Close any page whose address either doesn’t start with www.facebook.com or has something inserted between ‘facebook’ and ‘.com’. That page is fake.

Hijacked Facebook accounts

Unfortunately, Facebook hacks occur quite often. The New York Post reports that as many as 160,000 Facebook accounts are compromised every day. When an attacker hacks into a Facebook account, the victim’s connections are often the targets, not the account owners themselves.

The attackers can exploit your family and friends by reaching out and asking for money. They will look through your message history to identify the people that you interact with the most. They will then impersonate you and engineer some kind of crisis to convince the people who care about you to send money to a special account to help you out. Some messages will include a malicious link that infects the devices of people that click on it with malware or leads to a bogus web page designed to steal personal details.

Fake vouchers

For years, fraudsters have been flooding Facebook with tons of discount vouchers supposedly from the likes of the biggest supermarkets and high street stores such as Primark, Waitrose, Morrison’s, Tesco, Aldi and Sainsbury’s. The post includes a clickable link that takes victims to a bogus website where they’re prompted to enter personal information.

Users are also asked to share the voucher with their friends on Facebook. These vouchers exist to steal your personal details and infect your device with malware. As mentioned earlier, simply clicking the link to check out the website is sufficient to download a virus to your computer.

Examples of fake vouchers:

Facebook ad scams

Scam ads on Facebook are bogus ads created by cybercriminals that are designed to not only con people out of their money, but to steal their identity as well as their financial details. According to consumer group Which?, scam adverts aimed at UK consumers have conned almost one in ten people into paying for sham purchases. To facilitate their scams, cybercriminals hijack Facebook accounts and run fake ad campaigns through those accounts using stolen credit cards. Even if those ads only run for a few hours before getting terminated, a few hours are all fraudsters need to see massive returns.

The subscription trap

The subscription trap is a scam that is targeted towards baby boomers, and different variations of the scam have appeared on Facebook and various search engines. The scam begins with an ad in your news feed that features an intriguing story about one of your favourite celebrities. When you click on the ad, it takes you to a fake news article on a spoofed website that mimics Fox News, TMZ, or People magazine. According to the article, the celebrity has created an amazing new skin cream that you can try for a small fee. Model Christie Brinkley was actually used in one of these fake celebrity endorsements for a fake anti-aging skin cream scam. You are encouraged to make a small credit card payment for a “free trial” of the product. At that point, you’re charged $4.99 for shipping.

Although you do receive the product (which Christie Brinkley has nothing to do with), by purchasing the free trial you’ve inadvertently signed up to an expensive monthly subscription which can only be cancelled by cancelling the credit card used for the purchase. Within a month of paying for that product, another charge is made on your credit card. It is estimated that fraudsters have stolen more than $1.3 billion from unsuspecting users with this scam.

In the UK, baby boomers were hit with scam ads on Facebook promoting CBD oil falsely endorsed by Fern Britton and David Attenborough. According to one victim, the ad promised a sample for £2.50, but £170 was later removed from her bank account.

Nonexistent products

Fraudsters are setting up ads on Facebook without any intention of delivering those products to customers. Ads are hooking victims by offering these products at insanely low prices. And scammers are able to target users with many different types of scams based on their likes, interests, age, location and behavior. Furthermore, if you happen to click on one scam ad, you’re likely to see more of those ads because of the way the Facebook algorithm works. What you must always keep in mind is that if it sounds too good to be true, it is definitely too good to be true.

Cryptocurrency investment trading software scam

The cryptocurrency scam is one of the most prolific scams ever to appear on the internet. It has appeared on Facebook, MSN News, Twitter, Instagram, and many search engines including Google and Yahoo!. Individual losses have been as high as £200,000, and it has impoverished people in several countries, with many victims around the world losing their homes and assets.

How does the scam work?

There are countless variations of the scam, but generally, they all proceed in the same way. The scam begins with a potential investor searching for terms related to Bitcoin or cryptocurrencies. The budding investor is then presented with a fake news story in their newsfeed that features a well-respected, famous celebrity appearing to discuss a specific bitcoin investment scheme. Who you see in your feed will depend on where in the world you live. For example, users in France might see football sensation Kylian Mbappe, users in Australia might see actor Chris Hemsworth, and so on.

After clicking the advertisement, the unsuspecting user is automatically directed to a spoofed website that is built to resemble a well-known mainstream media publication. For example, if you are in the UK, you could be redirected to a fake Mirror news website using a stolen image of the celebrity that was featured in the fake story in your newsfeed. Other users may be directed to a fake BBC news page featuring different famous personalities appearing to endorse the bogus bitcoin investment scheme.

Image captions from the original post: entrepreneur Richard Branson featured on a fake Mirror page; finance expert Martin Lewis featured on a fake BBC page; entrepreneur Lord Sugar featured on a fake news media page.

The use of highly trusted websites and famous faces is designed to build trust in the product. The fake news stories all claim that the featured celebrity made an astronomical amount of money using a revolutionary automated cryptocurrency trading software which touts itself as “software which enables anyone to trade Bitcoin profitably.” In reality, the news stories are fabricated advertorials, the software doesn’t exist and there are no profits to be made.

If you choose to believe the hype, you’re asked to scroll down to sign up if you want to earn “life changing amounts of money”. Those sucked in by the well-known faces and promises of quick riches register for an offshore CFD (contract for difference) broker.

Shortly after signing up, you’re contacted by an “investment manager” who convinces you to get the ball rolling by purchasing £250 worth of bitcoin. Once you sign up, you’ll receive a link and login details by email to a bogus trading platform.

Over time, your bitcoin value will appear to soar, and the investment manager will keep contacting you to encourage you to buy more and more bitcoin. For example, if you invest £5,000 into the scheme, your investment will be valued at £50,000 on the platform. But once you decide to cash out, the investment manager will transfer some funds to your bank account which is often enough to reassure some people to continue investing rather than cashing out.

But when you do decide to cash out, the investment manager will submit a request for their 10% commission, which you’re required to pay into a bank account before you can cash out. Once that payment is made, you’ll never hear from the investment manager again.

In the UK, at least 108 people claimed they had lost just under £1.5 million in total to the scam.

Fake goods on spoofed websites

Counterfeit products are being peddled by fraudsters impersonating big high street names. What fraudsters will do is use website spoofing to create malicious online shopping sites that are replicas of legitimate and established retail websites. These spoofed websites will have the corporate logos, fonts and brand colours of the real sites. These malicious online shopping stores are hosted by legitimate e-commerce service providers like Shopify.

There are a lot of scammers that operate Shopify stores because the platform has a low barrier to entry, and it’s very easy to get a Shopify store up and running within hours. These scammers also make sure that the country that they’re based in is one with lax fraud prosecution laws. This makes Shopify a perfect platform for scammers.

What these fraudsters will then do is steal branded images and product photos from legitimate retailers’ websites and feature these products on their stores at knockoff prices, lower than you can find anywhere. They will then set up Facebook and Instagram ads using the stolen photographs and brand images. When you click on the link in the Facebook ad, you are redirected to one of these spoofed websites, which looks exactly the same as the retailer’s.

How to identify a fake website

Cybercriminals are very good at what they do, so it can be difficult to identify a spoofed website. But the last thing you want to do is to enter your financial details into a fake website. This means you need to be super vigilant when shopping online. Here are a few things to look out for when identifying a fake website.

1. The domain name is fishy. This is often the best way to identify a spoofed website. Many of these websites even use HTTPS, so it can sometimes be difficult to tell that you’re on a scam website. But if you take a closer look, you’ll see that the domain name will always be off, 100% of the time. And even though these fake websites will sometimes use a domain name that references an established brand name, it will never be the actual brand name. For example, instead of www.asos.co.uk, you may be taken to something like www.asosdiscounts.com or something like www.discountbrandstore.com.

2. The offer is too good to be true. If it sounds too good to be true, it is probably a scam. Fraudsters target bargain hunters by advertising fake or counterfeit products at heavily discounted prices, using stolen photos or branded images.  

3. They use odd payment methods. If you pay with a credit or debit card for something that doesn’t turn up or turns out to be counterfeit, you are entitled to get your money back. Fraudsters are well aware of this, so they will often ask for payment by bank transfer or some other method. If you’re asked to pay via bank transfer, wire transfer or some other method, that should be a major red flag.

4. Take a closer look at different pages on the site. Look for contact information. If there is no contact information and all the site offers is a form to fill out, consider that a red flag. 
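The address-bar check for facebook.com earlier in this article and the domain-name test in point 1 above come down to one rule: the host part of the URL must be the brand’s real domain or a subdomain of it, not merely contain the brand’s name somewhere. The following Python is an added example (not from the original post) that applies that rule; the allow list of legitimate domains and the sample URLs are constructed for the example.

```python
"""Classify a URL as the brand's real domain, a lookalike, or unknown.

Added example, not from the original article. It encodes the article's rule:
the host must be the legitimate domain (or a subdomain of it), rather than
merely containing the brand name somewhere in the URL.
"""
from urllib.parse import urlsplit

# Constructed allow list for this example: brand -> its legitimate domains.
# A real deployment would maintain this from an authoritative source.
LEGIT_DOMAINS = {
    "facebook": ("facebook.com",),
    "asos": ("asos.com", "asos.co.uk"),
}


def host_of(url: str) -> str:
    """Return the lower-cased host of url, without scheme, userinfo, port or path.

    A scheme is prepended when missing so that urlsplit() treats the text as a
    network location instead of a bare path.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""   # hostname drops "user@" and ":port"
    return host.lower().rstrip(".")


def is_legit_host(host: str, legit: tuple) -> bool:
    """True if host is exactly a legitimate domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit)


def classify(url: str):
    """Return (verdict, brand) for a URL.

    verdict is one of:
      "legit"     - the host is the brand's own domain (e.g. www.facebook.com)
      "lookalike" - a brand name appears in the host or elsewhere in the URL,
                    but the host is not that brand's domain
                    (e.g. www.asosdiscounts.com, facebook.com.evil.example,
                    or www.facebook.com@evil.example, whose real host is
                    evil.example)
      "unknown"   - no listed brand is referenced; the domain check alone
                    cannot clear the site (e.g. www.discountbrandstore.com),
                    so the article's other red flags still apply
    Plain substring matching will not catch character substitutions such as
    "faceb00k" or homoglyph domains; those need additional checks.
    """
    host = host_of(url)
    lowered = url.lower()
    # Check every brand's real domains first, so a legitimate page that merely
    # mentions another brand in its path is not misreported as a lookalike.
    for brand, legit in LEGIT_DOMAINS.items():
        if is_legit_host(host, legit):
            return "legit", brand
    # Brand name present anywhere in the URL while the host is not legitimate.
    for brand in LEGIT_DOMAINS:
        if brand in lowered:
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample URLs; the lookalike hosts are illustrative, not real sites.
    for sample in (
        "https://www.facebook.com/login",
        "https://m.facebook.com/",
        "https://facebook.com.evil.example/login",
        "https://www.facebook.com@evil.example/",
        "http://www.asosdiscounts.com",
        "https://www.asos.co.uk/?ref=facebook",
        "https://www.discountbrandstore.com",
    ):
        print(f"{sample:45} -> {classify(sample)}")
```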

Facebook Marketplace

Facebook Marketplace is an online shop similar to sites like Gumtree and Craigslist. It allows users to flip old items they no longer need or buy second-hand goods in their local area. The platform has added Facebook Checkout, which provides some degree of protection from scammers through Facebook Purchase Protection. Nevertheless, you should always have your guard up when doing business on Facebook Marketplace.

Here are potential scams to watch out for on Facebook Marketplace.

  • Counterfeit or fake products: a seller advertises genuine products at an incredibly low price, but when you receive the item, you discover the item is either fake or doesn’t work. If the seller is in your local area, try to inspect the item before you pay for it.
  • Criminals often use Facebook Marketplace to quickly get rid of stolen goods, especially things like bicycles, tablets, laptops and smartphones. Buying stolen goods can get you into a lot of trouble with the police if they’re traced back to you, so be cautious when buying.
  • If you will be using PayPal to pay for an item, never select friends and family payments. If you do, you’ll never be able to dispute a transaction if something goes wrong, and fraudsters are well aware of this. If a seller insists on that method of payment, consider it a major red flag.
  • If you’re selling anything, avoid using Venmo as a payment processor. The app forbids using the platform to receive funds for selling anything. It is also often used by scammers to buy items using stolen credit cards. Sellers have suffered huge losses with buyers using the app.

Before you do business with anyone on Facebook Marketplace, first of all make sure that the person has a full Facebook profile with history. If you see only a few pictures, very few or no friends or the profile was only recently created, consider that a major red flag. If you’re selling anything, be wary of anyone who insists on one form of payment.

How to avoid being scammed on Facebook

Facebook has been putting a lot of effort into tackling scams on the platform, and you can do your bit by reporting suspicious activity directly to Facebook.

Facebook has also launched a scam fighting tool to combat scams on social media. In addition, Facebook has also donated £3m to fund Citizens Advice Scams Action, a new anti-scams project now providing one-on-one help to people who have been victims of scams.

But the scammers are still out there. Here are some things you can do to protect yourself.

  • Update your Facebook settings so that you are notified and have the ability to allow or disallow tagging of your profile by anyone.
  • Uninstall apps that ask for permission to access your Facebook credentials. These apps are often spyware.
  • Do not save login information on your smartphones or browsers.
  • Logging into your Facebook account over a public computer or shared computer can leave your account at risk.
  • Remove malicious Facebook applications.
  • Don’t forget to log out of your account whenever you use shared computers.
  • If you receive a message that looks suspicious, report it to Facebook by tapping the ‘Something’s Wrong’ button.
  • If your account wasn’t just compromised, but the hacker is actually sending out spam to your friends, report it to Facebook via Facebook.com/hacked.
  • If you received an email supposedly from Facebook that looks suspicious, forward it to phish@fb.com.
  • Always keep in mind that Facebook will never send strange links or attachments in their emails. If you get any of these emails, report it.
  • If you’re being targeted by anyone on Facebook, you can block, report, ignore or delete their messages.
  • If you suspect that something is not right with a particular account, report it.
  • If you have received notifications from Facebook that you find suspicious, you can report them to Facebook.
  • If you purchase a product that never arrives, you can report the seller. To do that, visit the seller’s profile, which can be found at the bottom of the product profile. Tap on the “Seller Info” section, and there you’ll find a “Report” button.

If you’ve been the victim of scam, you can report it to Action Fraud on 0300 123 2040 or use their online reporting tool.


The Most Common Apple ID Scams to Watch Out For

Reading Time: 7 minutes

Apple devices have a strong reputation for being highly secure and even resistant to most forms of malware. However, users of Apple platforms and devices can still be susceptible to online scams that target user trust to solicit sensitive data such as login credentials and personal information. Cyber scams involving Apple IDs are generally phishing attacks, and accounted for a third of all data breaches in 2019.

There are over one billion active Apple devices which require Apple IDs to access Apple services such as iCloud, iMessage, Apple Music, etc. Apple have repeatedly stated they will never ask for personal details by text or email. But the nature of some of these scams means there are times when you may be fooled into thinking that you’ve been sent some legitimate correspondence by Apple.

Why fraudsters want your Apple ID

Your Apple ID is valuable to fraudsters because it is what you use to access anything Apple-related, and it stores a lot of valuable information. You use it to log in to all of your Apple devices. It includes your payment and shipping information, and it allows you to access your subscriptions, in-app purchases, etc. Your Apple ID is also used to access iCloud, where you can store private photos and other types of valuable files that can be used to target you if they fall into the wrong hands. This is why you need to guard your Apple ID with everything you’ve got.

Here are 7 of the most common and dangerous Apple scams to watch out for.

iCloud phishing scams

Cybercriminals behind Apple email phishing campaigns create authentic-looking invoices and email messages that can be very convincing if you’re not paying attention. You may receive messages purportedly from Apple support saying that your iCloud account has been locked for security reasons. The message often includes a live, malicious link that will take you to a bogus Apple login page, hoping you’ll be tricked into giving up your credentials on the fake page.

Some of these emails will include Apple’s support number and official address which can be a near carbon copy of an email you might actually receive from Apple. These emails have been successful in tricking many unsuspecting Apple customers into handing over sensitive data to fraudsters.

Here’s an example of a fake iCloud message:

If you have received a phishing email that is designed to look like it came from Apple, send it to reportphishing@apple.com.

Fake receipt or invoice scams

This type of scam is designed to fool the recipient into thinking that a 3rd party has misused their Apple ID to make a fraudulent purchase. The receipts or invoices used appear to be official Apple documentation, and if you’re not paying attention, they can fool you into thinking it came from Apple.

Here’s an example:

If you’ve received such a message, your first instinct would be to contact Apple to cancel the purchase. This is what the fraudster is banking on. And the fake invoice will conveniently have a link that you can quickly click to cancel the purchase. When you do click, it will bring you to a bogus Apple webpage that is designed to steal your personal information.

iMessage scams

With the exponential rise in smartphone users, you’re just as likely to receive a phishing message through iMessage. There are several variants of this scam. You might get a message that claims to come from Apple support saying your Apple ID has expired or is going to expire on the day you receive the message. You’ll be prompted to click on a link in the message to restore your account.

Other variations of the scam inform the recipient that their account is about to be deleted unless they click on the link included in the message. If you happen to click on the link, you’ll be taken to a fake webpage that mimics the legitimate Apple website. When messages are sent via iMessage, they often arrive from an undisclosed sender. Some of the text messages include an anonymised phone number with an overseas code. 

Here are Apple’s top tips that can help you spot phishing scams:

  1. The sender’s phone number or email doesn’t match the company name it claims to come from.
  2. Apple will NEVER ask you to provide personal details by text message or email.
  3. Your email address doesn’t match the one you gave the company.
  4. The message asks for sensitive information such as your credit card details, account password or personal information.
  5. The link in the email looks authentic, but takes you to a website with a URL that is different from the company’s website. 
  6. The message uses a generic message such as “Dear customer” rather than your real name. Legitimate companies will often address you by your real name. 
  7. The grammar and spelling are often poor, but this is not always the case.
  8. The message looks very different from other messages you’ve received from the company.
  9. The message is unexpected and includes an attachment.

Persistent pop-up ads in Safari

Pop-ups include random ads, offers or alerts that suddenly open in your current browser window or in a new window. There are many variations of this scam. Some will claim your Apple device has been infected with a virus. Others might provide a fake number for you to contact Apple support. They may also claim to offer software updates, plug-ins or free downloads to try to trick you into downloading malware onto your machine.

Be aware that some ads and pop-ups have fake buttons that resemble the close button, so you’ll need to be very careful when closing them. If you’re not sure how to close them, simply close the Safari window.

Here are some tips from Apple to help you manage pop-ups and other random interruptions.

  • Always ensure that you’ve installed the latest security updates for all of your Apple products. Many of the updates contained in the latest releases include enhancements that help to control pop-ups.
  • The App Store is the safest place to download apps for your Mac. If you need 3rd party software for your computing device that is not available in the Apple App Store, get it directly from the developer or a trusted source, rather than through an ad or link.
  • Keep Safari’s security settings switched on, especially Block Pop-ups and Fraudulent Website Warning.

To switch on these settings on your iPhone, iPad or iPod touch, go to Settings > Safari. On your Mac, you can find these options in Safari > Preferences. You can switch on fraudulent site warnings in the Security tab.

If you see persistent ads or pop-ups on your Mac, you may have inadvertently downloaded and installed adware when downloading apps or games from 3rd party sites. To get rid of adware from your Mac, update to the latest version of macOS. This operating system includes a built-in tool that removes known malware when your Mac is rebooted.

Fake apps

Apple is extremely vigilant at keeping malicious apps out of the iOS App Store. However, hundreds of counterfeit apps masquerading as the real thing have been able to slip through the cracks. Some of these dangerous apps have ranked in the Top 100 of the official app store. In some cases, they have been downloaded more than 100,000 times. One example of this type of malware is a backdoor malware that masquerades as a legitimate software program. It performs the same functions as the real app, but also installs additional malicious software that can provide a backdoor into your Mac platform, allowing attackers access to your sensitive data.

Due to bugs in Apple’s app store algorithm, some of these apps can appear high in the search rankings, increasing the likelihood that they will be downloaded by some unsuspecting users. This is why it is so important to always be on your guard for apps with vague app titles and questionable reviews.

Ransomware

Ransomware is a type of malware attack where your computer is rendered inaccessible until you pay a ransom to get your files decrypted. Even though ransomware is mainly a concern for Windows computers, Macs have been affected by ransomware attacks, although there hasn’t been a serious ransomware outbreak on the Mac or any Apple hardware.

Nevertheless, security experts maintain that Apple users are vulnerable to WannaCry-type attacks. To protect your Apple device from ransomware, consider installing the free RansomWhere? App. This app runs in the background and watches for any activity that resembles a ransomware attack, such as the rampant encrypting of files. It then halts the process and lets you know what’s happening.

Scam phone calls

An Apple phone scam begins with you getting a call from a fake support technician claiming to be calling on behalf of Apple. The scary thing is that some fraudsters may contact you using spoofed phone numbers. This means the number that is displayed on your phone would be a real Apple number, with Apple’s logo, official website, customer support number, and actual address. This way, everything looks authentic. But what is even more scary is that if you are an iPhone owner and you request a call back from Apple’s customer support, the bogus call will be listed in your phone’s “recent calls” list as a previous call from the Apple Support line.

The reason fraudsters will give for the call is that your device has been infected with malware, and they’re calling to help you get rid of it. They will try to talk you into downloading remote access software, which will allow them to connect to your computer and be able to access everything on it. The plan is to download malware and take full control of your computer to steal all of your sensitive information.

How to deal with scam Apple phone calls

  • Apple support will never contact you out of the blue to fix anything. You would have to initiate the process with a request for support. If anyone calls you claiming to be from Apple, turn down whatever they are offering and hang up the phone.
  • Never provide personal information over the phone.
  • Never grant remote access to anyone over the phone unless you initiated the process yourself, and you are 100% sure that you are dealing with Apple support.