The development of the Internet as an international medium for mass communication has enabled forces for good that were unimaginable before, and has also given previously unimaginable tools to criminals.
Attackers use rifles to attack major targets, but what doesn’t get much publicity is they also use shotguns against lower value targets. A big haul like Equifax is great, but so is a large number of small hauls. You don’t hear much about those attacks, but they’re common and can be a lot more painful to recover from than a CEO being allowed to “retire” with a huge pension.
You can protect yourself from most attacks simply by being conscientious with passwords, email, and web sites.
Start with passwords. If I know or can guess your password, I can do anything you can do with it.
- If your password is 123456, password, or qwerty, so are millions more. And p@ssw0rd isn’t much better. The easiest way to break into a system is for a “bot” (short for robot) to try 100 or 1000 of the most commonly used passwords and either score or move on. Google “common passwords” to see some of them. The chance of getting hacked that way is greater than you might think.
- Do not use your personal or business partner’s name, kid’s name, parent’s name, pet’s name, your favorite team or show, a sport or musical instrument you play, a social media nickname, or anything else that’s well-known about you. That could be guessable by more people than you might think, including some with less than honorable intentions.
- A good password is one you can remember but others can't guess and is not in a proper language or slang dictionary. Maybe an old school friend's initials and house or phone number? Maybe the first letters of the words of a line in the middle of an obscure song or play or movie you like? Have fun thinking of something you can remember that only you know.
- It’s safe to use the same password on low value sites, but unique passwords are in order for high value sites. If someone gets your Facebook password, what happens if your bank account has the same password? If you can't remember a few hard-to-guess passwords, try a password manager. See PC Magazine's review of their favorites.
- Some sites require you to change your password more frequently than you'd like. That's probably overkill in most cases, but you can't argue with them. What's critical is if one of your passwords gets compromised, immediately change it everywhere it's used. Don't worry about other resources that use different passwords unless you have all of your passwords in an easy-to-read document that can be stolen. If so, switch to a password manager (see above) and change them all.
Unsolicited email - “spam” and “phishing”
With unsolicited computer-to-computer attacks getting more difficult as defensive technologies improve, criminals' easiest entry is via unsolicited email called "spam" that takes advantage of unaware and careless users. Counterfeit spam that looks like something legitimate from someone you know or a company you do business with, but is up to no good, is called “phishing.”
Some is sent to sucker you into a scam, and some is sent to run attack software on your computer. It enables the modern day implementation of what's been going on ever since the serpent tricked Eve.
A few important facts about email:
- Underground services can send millions of spam emails for very low cost. Even if only 1% of the recipients fall for it, that's 10,000 suckers per million sent, a nice rate of return.
- It might not be from whom it says it's from. The actual sender can put any name and address in the From line. Your sister? Maybe not. Your bank? Probably not. The IRS? Definitely not.
If your or a correspondent's address book gets stolen, spam can be customized to look like it's from a known sender. If I can steal your sister's address book, I can send you mail that looks like it's from her.
Phishing email claiming to be from a major bank or retailer sent to millions of targets will be deleted by people who do not do business with them, but will be considered by many who do.
The IRS does not communicate with taxpayers via email. Period.
- Links might not go to where they say they're going.
What you see as a link destination in an email, web page, or document is independent of the actual target. Legitimate links go where they say they're going. Criminals can display a desirable target for a link that actually goes somewhere that downloads and runs attack software on your computer or asks for personal information they can use to rob you.
? No way.
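To make the point about link text versus link target concrete, here is an added example that is not from the article: a short Python check that pulls every link out of an HTML email body and flags the ones whose visible text names one web address while the real destination (the href) is a different host. The sample message is constructed here, and the bank and look-alike host names are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Host of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    value = value.strip().rstrip(".,;:)")
    if "://" not in value:
        value = "http://" + value  # bare domain written as link text
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else (host or None)

def deceptive_links(html):
    """(shown_host, actual_host) pairs where the link text names one site
    but the href goes somewhere else (a subdomain of the shown site is fine)."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto: and relative links are not web destinations
        looks_like_site = len(text.split()) == 1 and "." in text
        shown = host_of(text) if looks_like_site else None
        actual = host_of(href)
        if shown and actual and actual != shown and not actual.endswith("." + shown):
            flagged.append((shown, actual))
    return flagged

# Constructed sample body (not from the article): the first link displays the
# bank's address but really goes to a look-alike host; the others are fine.
SAMPLE_EMAIL = """<p>Your account has been suspended. Log in at
<a href="http://yourbank.com.login-verify.example/login">https://www.yourbank.com</a>
to restore access. <a href="https://www.yourbank.com/help">Contact us</a> or
<a href="https://secure.yourbank.com/">yourbank.com</a> or
<a href="mailto:support@yourbank.com">support@yourbank.com</a></p>"""
```

Running `deceptive_links(SAMPLE_EMAIL)` reports only the first link; hovering over a link in a mail client shows the same href this code compares.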
- Spam detectors do a generally good job, but they sometimes get beat and they sometimes block good email. The latter is called "false positives."
The advice the old Chicago News Bureau gave to young reporters is in order when dealing with email: “If your mother tells you she loves you, check it out.”
The most common attack today is “ransomware.” Criminals get you to click a link or open an attachment that downloads and runs a program that “encrypts” your files, making them unreadable, and if you send them the ransom they demand, they send you the “key” that will allow you to “decrypt” your files, making them once again readable. Or so you hope.
- You might have heard about the May 11 attack called “WannaCry” that took out 200,000+ computers in 150+ countries, most notably the UK’s National Health Service, forcing some hospitals to redirect incoming ambulances to other facilities. It also got a major Spanish telephone company and German railroads, among others, including many in the US. That’s ransomware.
- Last summer a major Los Angeles hospital coughed up $17,000 to get their data back.
- Countless individuals and businesses of all sizes have suffered such attacks.
Most such attacks can be stopped before they begin by not clicking a link or opening an attachment. A naïve or careless user can allow it in, and occasionally a direct attack gets past a computer's anti-virus and takes off without needing cooperation from a user. Some pay the ransom, some deal with lost files, and the well-prepared recover without serious inconvenience.
Phishing for your money
Beyond running ransomware and other attack software, phishing yields excellent results for many other scams.
- Your bank or a merchant says your account has been locked, suspended, or disabled. Or there is suspicious activity on your account. Click the link and you’ll go to an impostor site that gets your username and password and then goes to the real web site while you don’t even know you’ve been had.
- Likewise, any email solicitation for personal information is most likely for criminals to rob you directly or to sell to other criminals. That's called identity theft. Whether they get it 143 million at once like from Equifax or one at a time from phishing email, they can use it to steal.
- There are plenty of low-tech scams. Click here for bargain or performance-enhancing pharmaceuticals? Counterfeit packaging is easy to make. You have no idea what listed ingredients, impurities, and outright poisons are actually in them. Unsolicited stock tips are usually to get you to make a high risk or totally worthless investment. Your friend lost his wallet in some far-away country and needs you to wire him some money that he'll pay back as soon as he returns? You won Real Money in an overseas lottery that you never played? Nice Russian girls want to meet you? If you don't respond, they can't rob you.
Those and countless others might be ordinary come-ons hoping to get unearned money out of you, or they might be distractions to get you to allow them to attack your computer, your bank account, or other valuable resources.
Just as you throw junk paper mail straight into the blue can, feel free to hit the Delete button as soon as you recognize junk email.
Other attacks on your computer
Ransomware is the current most popular attack, but there are others. Once you click an evil link or open an evil attachment, it might run attack software that gets past your anti-virus. Once running, it can turn your computer into a “bot” (short for robot) sending out spam, or trying to break into accounts with commonly-used passwords, or posting fake news on social media, or many other kinds of aggression. Or it could go after you directly, watching everything you type to harvest accounts and passwords, or your customer or accounting data, or…
Just say no
The best way to handle spam is simply to delete it. Don't bother putting the sender into a bad guy list. If not a sender you know, the name and address are probably generated at random and used only once each. Odds are good you'll never get another from that phony sender.
- If you get any email, suspicious or not, from any financial institution or retailer, do not click the link or open any attachment(s). If you think it might be legitimate, call them on the phone or open a new browser window and log in the way you normally do. Do not type the address shown in the email, as it could be trouble.
- If you're not expecting a note with an attachment, or a note with an attachment is the least bit suspicious, call or text (don't email) the sender and ask if it's real. If you don't know the sender, don't open it.
- Spam often comes with an Unsubscribe link. Don't hit it! That will validate your email address, which will allow the spammer to sell it to other spammers at a premium price. Just delete the message.
- On the other hand, legitimate newsletters and business mailings have Unsubscribe links at the bottom. If you're not interested in legitimate mailings, it's safe to hit Unsubscribe.
Evil and compromised web sites are also a common entry point for destructive software.
- Tacky web sites sometimes download attack software along with their main content. You’re safe on the major celebrity magazines’ web sites, but not on the individual sites of the scumbag paparazzi who stalk the pop tarts du jour. Stay off them, along with gambling, drugs, and obviously, naughty web sites and any involved in illegal activity.
- Legitimate web sites try to be safe; they don’t want to alienate their visitors. However, those that display ads, including Google, despite efforts to be safe, sometimes display ads called “malvertising” that go where you don’t want to go or load attack software onto your computer. Be careful of any ads.
- Sometimes legitimate web sites get compromised, where criminals manage to sneak their own stuff onto a good site. The owners usually find and remove such in short order, but once in a while criminals can get you from a legitimate site.
You’ve been attacked!
Despite (or maybe because of) how you operate, a piece of attack software could show up on your computer. Do not shut down from Windows or hit the power button. A proper Windows shutdown could allow a piece of attack software to install itself. Try to remember what you saw on the screen and immediately yank the power cord or remove the battery. Wait half a minute, plug it back in, and restart. If it seems to be clean, run a full anti-virus scan. If not, quickly yank the power cord or battery again and call a professional.