Avoid scams when shopping online


After reading an article on a well-known cyber security website, I thought it would be a good idea to post about the most common mistakes people make when buying something online and how to keep your personal and financial information safe from scammers, hackers and bad guys in general.

So let’s get straight to the meat and potatoes:

Common Mistakes/Oversights and How You Can Avoid Them:

  1. It sounds counter-intuitive, but “Googling” for a store is sometimes a bad idea. The reason is simple: scammers are now very sophisticated and they create fake shopping pages that look very convincing, complete with shopping carts and checkout pages.
  2. If you shop at a brick-and-mortar store and want to try the online experience, type the store’s web address directly instead of using a search engine like Google.
  3. Watch out for email offers and coupons with links you’re supposed to click, which might redirect you to a fake or dangerous website. Again, if you get one of those coupons from a store you shop at and trust, simply go directly to their website; I can guarantee that at checkout you’ll have the option to enter the coupon or promo code (if it’s not there, simply call them and ask).
  4. DO NOT USE PUBLIC WI-FI WHEN SHOPPING ONLINE: I know using all caps is rude, but I don’t care… using public Wi-Fi is a well-known security hole you open on your computer every time you go and get your latte.
  5. Avoid using QR codes: you know those weird codes with a bunch of squares that are supposed to give you special offers? It has been reported that bad guys create phony codes that link to phishing or malware websites. I’d suggest applying suggestion #3 here as well.
  6. According to the Malwarebytes website (which I totally endorse), do not use debit cards to shop online. Want to give cyber criminals direct access to your bank account? Then by all means, use your debit card! Otherwise, play it safe by using credit cards or a PayPal account that’s linked to a credit card. While many banks are cracking down on fraudulent withdrawals, you’ll still have to wait for your money while they investigate the charges.
  7. Make sure you have security software installed BEFORE going online shopping. Most current commercial antivirus products and security suites have website protection built in; it might work (or not), but it is much better than nothing. Also make sure your operating system (Windows or Mac) is up to date.
  8. Be very skeptical of websites that ask for too much information, such as social insurance numbers, password reminder questions or the like.
  9. Check the address in the URL bar (top of the browser) and make sure the shopping cart and checkout pages use HTTPS instead of HTTP; the “S” stands for secure and means the connection is encrypted to protect data in transit. Keep in mind that HTTPS only protects the connection: a fake store can have HTTPS too, so it is no substitute for points 1 to 3.

These are some of the most common mistakes and the practices that avoid them; I’m confident that if you follow them and stay a bit skeptical you’ll be fine. Also remember that if you see a deal online that is too good to be true, it probably is…

Running a WordPress website? Make sure you keep it updated!

WordPress, the world-famous content management system that powers around 27% of all websites in the world, is a constant (and sometimes easy) target for hackers.

Vulnerabilities like the SQL injection flaw (detected by security analyst Anthony Ferrara) present a serious threat not only to the site itself but also to every visitor. Attacks known as “drive-by malware” are occurring at an increasing and alarming rate, and it is the website administrator’s sole responsibility to keep their websites patched and secured.

We recommend some basic but effective ways to protect your WordPress website:

  • Install and properly configure an SSL certificate so the site is served over HTTPS
  • Log in to your WordPress Dashboard frequently and make sure all the updates are being installed (WordPress core, themes and plugins)
  • Install security plugins that monitor your site for attacks and intrusions and report them – we like and recommend Wordfence.
  • Host your site with a reputable and professional hosting company, and ask all the questions you want about what they do on their end to keep your site safe.

These are the bare minimum precautions any website admin should follow to keep the website secure; there are more in-depth and proactive measures but taking these first steps would definitely give you an edge and create the habit of cyber security awareness.

Planning on making your home “smart”? Make sure you keep it safe too!

Holiday season is upon us and this year more than ever before an avalanche of new gadgets and gizmos promising to make your home smarter are hitting the market… just check stores like Best Buy and you’ll see they are devoting a big chunk of real estate to home automation.

I love tech and anything shiny and cool, but that doesn’t mean we have to sacrifice cybersecurity for convenience. There is one constant across all home automation technologies: they ALL want you to connect their devices to the web through your Wi-Fi… and that is the first and, for some, the biggest challenge.

Smart locks, web cameras, thermostats, smart fridges, alarm systems, personal assistants, speakers and even toys are now competing for your holiday dollars, and all of them require internet access right out of the box… have you ever wondered why? Because more often than not a flaw or a potential security breach has been found and the manufacturer needs to push an update RIGHT AWAY in order to avoid a lawsuit.

If you are going to get your geek on and install a smart device, make sure you go through this basic check-up before using your credit card:

  • Make sure your Wi-Fi password is strong and hard to guess
  • Keep your wireless router updated: routers run software like any other computer, and these devices also need patches to keep them secure
  • Do your research before hitting the store and do not fall for sales pitches
  • Buy smart devices from well-known manufacturers and avoid the cheap, generic-brand hardware that might cost half or less than the big names… trust me, there is a reason for that and you get what you pay for
  • If the new device requires a username and password, DO NOT reuse your Wi-Fi password and DO NOT keep the default that comes from the manufacturer. Again, sacrificing security for convenience has a very high price tag

As always if you have any questions about tech, I’m here to help!

Tips on Detecting Phishing emails

By now you have probably heard about phishing (fake emails that look legitimate, usually from senders you have some dealings with – but not always). I receive at least one every two weeks or so and I usually just delete them right away.
After reading about this I would like to share with you some tips on how to detect them and what to do.
Where do they come from?
  • From a bank, credit union, financial institution or financial advisor, asking you to take care of an “urgent” matter by clicking “here”.
  • From DHL, FedEx, Canada Post, etc. informing you that an urgent package needs to be delivered to you today, otherwise it will be returned to sender; usually it has a link that says “click here to track your package” or something like that.
  • From the Better Business Bureau (BBB) about a negative comment on your business and the need to click “here” to check it out.
  • From the HR department of your company asking you to “update” your anti-virus software by clicking “here”.
  • From Paypal asking you to click “here” to receive an email payment from a recent transaction.
  • And the list goes on and on…
As you’ve probably noticed, all the previous examples had the “click here” phrase, which is the norm in phishing emails; that link is simply the trigger for whatever spyware, phishing page or malware sits behind it. In most cases the email by itself is harmless (although some tech blogs have reported infections that activate just by previewing the email) and it is the user’s interaction that starts the infection.
In any case look for the following red flags:
  • An easy one: you got this email from a business you’ve never dealt with. One of the ones I got was from a credit union in Halifax asking me to update my username… the thing is, I live in Ontario!
  • Look for grammar errors, misspelled words and odd-looking sender email addresses.
  • HR departments DON’T upgrade anti-virus. If you work for a big company, this is done by the I.T. department without the need of your interaction.
  • Any email asking you to update information they should already have.
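The red flags above can be turned into a simple heuristic check. This is an added example, not code from the original post; it uses Python’s standard email module on two constructed sample messages whose domains are placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Phrases matching the red flags above (urgency, "click here", requests to update details)
URGENCY = ("urgent", "immediately", "today", "returned to sender", "suspended")
ASKS_FOR_INFO = ("update your", "verify your", "confirm your", "username", "password")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def phishing_flags(raw_message):
    """Return a list of red flags found in one raw RFC 5322 message with an HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["from"].addresses[0].domain.lower()
    html = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", html).lower()
    flags = []
    for href, anchor in LINK_RE.findall(html):
        link_domain = (urlparse(href).hostname or "").lower()
        if "click here" in anchor.lower():
            flags.append(f"'click here' link pointing at {link_domain}")
        # A link that leaves the sender's own domain is the classic redirect to a fake site
        if link_domain and link_domain != sender_domain and not link_domain.endswith("." + sender_domain):
            flags.append(f"link domain {link_domain} does not match sender domain {sender_domain}")
    if any(word in text for word in URGENCY):
        flags.append("urgency language")
    if any(phrase in text for phrase in ASKS_FOR_INFO):
        flags.append("asks you to update or verify account details")
    return flags

# Constructed sample messages; the domains are placeholders, not real senders
SAMPLE_PHISH = """\
From: "Maple Credit Union" <notice@maple-cu-alerts.example>
To: you@example.org
Subject: Action required
Content-Type: text/html

<p>Dear customer, your account will be suspended today.</p>
<p>Please <a href="http://maple-cu.login-verify.example/update">click here</a>
to update your username.</p>
"""

SAMPLE_LEGIT = """\
From: "Maple Credit Union" <news@maple-cu.example>
To: you@example.org
Subject: New branch hours
Content-Type: text/html

<p>Starting next month our branches open at 9am. Full details are on
<a href="https://www.maple-cu.example/hours">our website</a>.</p>
"""
```

Running `phishing_flags(SAMPLE_PHISH)` reports four flags, while the legitimate newsletter produces none.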

The moral of the story is this: never, ever, ever click on suspicious links. Call the organization and verify this is a legitimate email. If you get it from an unknown source, delete it right away!

If you unfortunately clicked on it and you suspect foul play, disconnect the computer from the network/Internet immediately and call your I.T. support specialist.
How End-User Devices Get Hacked: 8 Easy Ways

When it comes to scamming consumers and businesses, the most effective strategies aren’t necessarily the most complex.

Hackers seeking funds, data, and access to corporate systems don’t need advanced techniques when tried-and-true tactics consistently work on their victims. There are two primary types of attacker motivations: opportunistic and targeted.

“The attacker does not care who the victim is,” says Rob Ragan, managing security associate at Bishop Fox, who uses the two categories to differentiate cybercrimes. “They want access to any and every device that can be compromised. This is a numbers game.”

Targeted attacks are different because the threat actor has a specific reason for wanting access to a particular device. While opportunistic attacks are often financially motivated, targeted threats aim to scam a particular person or access specific data.

Ragan says attacks are often platform-based and payload matters less than delivery method. “The payload may be ransomware, but the delivery mechanism can be anything from coercing a user to running an email attachment, to a worm that exploits unpatched systems,” he explains.

“Hacking a device takes technical acumen, and in some cases, access to the device,” says Michele Fincher, chief operating officer at Social-Engineer. Much of the time, the easiest route to device takeover is tricking the user.

Because it can be a “full-time job” to stay current on the latest threats, most users are not aware of the many ways their devices are at risk. Here’s a look at the easiest and most effective ways for cybercriminals to attack end-user devices.

Source: Kelly Sheridan – Dark Reading

Five Questions Board Members Should Ask Their CISO

Source: https://www.infosecurity-magazine.com/blogs/five-questions-board-members-ciso/

Security isn’t something that can just be swept under the rug while the board and executive team plan on pointing fingers if something bad happens. Cybersecurity threats are only going to get worse, so organizations need to make the shift to being security-driven from the IT department all the way to the board room.

Board members need to make time to discuss security matters and work with the CISOs or their security equivalent to maintain a successful business that is security-focused.

Cybersecurity is not the responsibility of an individual or a small team within an organization. As we approach 2020, cybersecurity will not be a vertical within an organization but rather a horizontal fiber woven throughout it.

These 5 questions should be part of a critical conversation any business owner or board of directors should have with its CIO, CISO or I.T. guy:

How secure are we as an organization? What is our risk score matrix?

Without full insight into this question, your team is essentially working blind – putting your entire organization, its reputation and customers at risk. You can’t improve a process if you don’t know what you have to work with. Understanding your security deficiencies in an organization is just as critical as understanding the sales pipeline and accounting metrics.

How are you designing a security posture that does not slow down business operations?

Being a security focused organization is crucial and can be a huge asset to the company’s bottom line, but it’s imperative that security isn’t slowing down business operations beyond what’s necessary. Disconnected security is a surefire way to slow down your business.

Further, organizations are moving faster than ever before in deploying new services and products for their customers, which leaves legacy security organizations unable to keep up with the lines of business.

How do we know that data/IP systems not in our control are safe and secure like Internet of Things (IoT) and Cloud?

Are all your third-party tools and service providers 100% secure? If not, their vulnerabilities are your vulnerabilities – weakening your security posture. Organizations are always responsible for their data, even if they use third party vendors, which leads to further diligence. As organizations adopt new architectures like cloud technology, this is an opportunity to embrace security as part of the scope of work versus security being an afterthought.

How do we ensure that we are ahead of the new regulatory requirements coming down the pike?

There are constantly multiple cybersecurity regulatory mandates coming down the pike. Does your organization know which ones apply to it, the specific qualifications to meet the mandates and the possible fees and ramifications if it fails to meet the mandates? Regulations are a part of any board discussion, but you need to take a proactive approach to reviewing and continuously improving your security posture versus taking a reactive approach. Relying on a reactive approach will take your organization’s resources away from customer success.

Who is responsible for security? CISO or CIO? Risk & Compliance Officer?

We’ve already established that security needs to be a team effort, but who is leading the charge? Who has final say over security processes, how to spend the security budget and the division of labor? The simplest way to determine who is responsible for security is to ask who is responsible for answering “How secure are we?” and, when there is a breach, which executive will be responsible for remediating the issue.
