Synthetic Snake Oil: Online Security Tips
DP73 Cybersecurity Tips for Parents and Kids

February 17, 2020

Cybersecurity is a joint responsibility. It’s like a chain: it’s only as strong as its weakest link. As such, you want to make an effort to keep security tight and to stay on top of trends and potential security threats.

With that in mind, here are some tips to keep in mind for various scenarios.

One tip is to run through various cybersecurity terms. This is particularly geared towards kids who frequent social media, and that trend isn’t dying down any time soon. It’s important because, as we’ve learned, social media isn’t as solid as we thought it was, so it’s key to stay up to date with all kinds of trends.

Examples of terms to cover are catphishing (people posing as a trusted individual to lure kids into doing something they shouldn’t), and spoof ads and polls. Also talk about the implications of posting personal data like your current location and how that can be a threat to personal privacy.

Another area to cover is general mobile security. A lot of people have smartphones or have access to one, so learning about this can be helpful too. Topics to cover are:

  • SMiShing - that’s phishing over text messages. Cover how to identify it and what to do.
  • Apps - discuss safe app choices and reinforce the importance of reviewing apps and getting them from verifiable sources. Also oversee the apps your child chooses.
  • Messaging apps - keep an eye on messaging chat groups, especially if your child is younger. With older children, tell them about the potential threats of new people joining messaging groups.
  • Bluetooth/AirDrop (or other sharing connections) - reinforce the habit of only turning them on while you’re using them and turning them off when not in use.
  • Public WiFi - talk about Virtual Private Networks and why they’re important.

One other topic to cover is smart toys. Smart toys have gotten a bad rep lately, with many exposing private data to the public. Needless to say, they still need some tweaks. That being said, it’s not going to stop people from getting them. In this area, I’d exercise caution and do some digging first.

When considering smart toys, consider the following:

  • Ensure the manufacturer has both security and privacy policies in place.
  • When you have the toy, turn it off when you’re not using it.
  • If the manufacturer allows it, change the default password to something else.
  • Check your home router and make sure it’s secure. If you can, enable two-factor authentication on the router.

The final topic is identity theft. Even if the average kid isn’t wealthy and depends on their parents, it doesn’t mean they are immune to identity theft. Teaching kids to be cautious and to identify online and offline threats is important. In particular, discuss the following topics:

  • Password hygiene - the benefits of changing a password regularly, and the dangers of sharing passwords with others.
  • Phishing - the different kinds of phishing and how to identify them.
  • Monitor - whenever you can, keep an eye on the accounts that children have access to, especially bank accounts.

There are all kinds of ways for us to better protect ourselves, but teaching our kids these important lessons can help them build better security habits. On top of that, these tips are good for anyone, and learning about these areas yourself will reinforce those habits in your children as well.

DP72 Three Best Practices for Cybersecurity Training

February 14, 2020

The purpose of training employees on cybersecurity is to alter habits and behaviors in certain circumstances. When you are training people, keeping them informed is one thing, but there are other tactics we can employ to ensure they get the training they need.

One way to ensure this information sinks in is to apply the following tactics to all employees.

First, make the training mandatory for all new employees regardless of department or job description. You want to create awareness of online threats, and that awareness needs to start on day one. As part of the onboarding process, slip a cybersecurity course in there and ensure it covers all the key topics.

Cover topics like data protection, internet usage, and reporting threats, and have all of these in an employee handbook.

The second practice is to update and repeat training often. People don’t learn something once and they’re done. For information to stick, you need to repeat it on a regular basis. Learning is as much a habit as checking our phones first thing in the morning.

How you cover that material again is up to you. Quiz people, set up surveys, hold regular discussions, or go through the program all over again. There are all kinds of methods to consider.

On top of keeping up the training regularly, you also want to be updating the programs. Remember that hackers are always working on finding new ways to attack people. As such, you want to make sure your information is recent and reflects today’s trends.

The last practice is to give employees authority. That doesn’t mean promoting them on the spot, but rather elevating them and letting them know how important they are. After all, employees are the very first line of defense in any security system. By getting employee support and making cybersecurity a core element of your culture, you can better defend against attacks.

To make that happen, incorporate games to keep people engaged, highlight security training achievements, and provide learning management systems that give employees the power to control their learning.

And when there are threats coming that could present problems, issue company-wide emails. Let people know how much their training is going to help them defend the company.

Having strong firewalls and antivirus software is good, but they’re only as good as the people who use the devices. Improve your employees’ training in this area and you’ll see tighter security within the company.

DP71 What You Need To Know About Cybersecurity Training

February 12, 2020

It’s easy to convince people to consider cybersecurity training. If people don’t know how to recognize breaches or threats, how can you expect them to avoid them, report them or remove them? They won’t be able to.

As I’ve said in the past, a lot of breaches stem from people. From weak passwords to misplacing devices or leaving computers in public areas, employees are a strong source of attacks. That’s not to say employees are all conspiring to bring the business down, but all of these breaches are reminders that strong technology is only as powerful as the people who use it.

But the question now is: what exactly should employees be trained on? I’ve put together a short list of what needs to be known and some key points on the subject.

First is recognizing the forms of cybersecurity threats. If you want people to spot them, they’re going to need to know what to look for. Fortunately, you don’t need extensive training on the various viruses out there. However, it’s key for people to know the basics.

What you want to highlight is spam, phishing, malware, ransomware, and social engineering.

For these topics, include examples, videos, and tips to prevent these sorts of attacks.

Second is password security. We need passwords for everything these days, and it’s important to make passwords complex rather than easy to crack. Talk about how important passwords are and that they’re the first line of defense.

Third is discussing policies on email, internet, and social media use. Browsing habits can leave companies open to various malicious software if they’re not careful. Talk about why policies are important and why specific rules are in them. Better yet, take time to review the current policy with your team and discuss changes if needed.

The final key topic is identifying threats and being able to report them. Your staff are going to be your eyes and ears. All the devices they use can contain clues of potential threats. However, if you want employees to put a stop to those threats, you need to train them. Focus the training on what legitimate antivirus warnings look like, what’s considered spam content, and being aware when unexplained errors occur and what to do about them.

This is only scratching the surface, but having employees with a basic knowledge of these topics can ensure there will be less human error. And even if there is, people will be able to report it and talk about it quickly.

DP70 How To Educate Employees On Cyber Security

February 10, 2020

With malware attacks and stolen data being a common theme in today’s society, companies need to put more effort into informing and educating employees. Over the years that viruses have run rampant, one of the most common themes in those stories is that employees allowed them to run rampant one way or another.

They opened an email, clicked a link, or didn’t bother updating their computer. In fact, one of the biggest concerns is people leaving laptops or their mobile devices in vulnerable places.

In the end, people are either your strongest line of defense or your weakest link when it comes to handling these attacks. And even if your defenses are pretty solid, all a hacker needs is to break one link before it all comes crumbling apart.

So what can we do to ensure the company we work with is in tip-top shape to handle threats? Here are five tips on how we can educate ourselves, employees, and others.

First, communicate clearly the potential impact a breach has on the business: how bad habits like easy passwords, not logging off your computer, or leaving a laptop in a public area can spell danger.

Second, make cybersecurity something everyone has to take seriously. No one is exempt from educational programs. That includes both management and IT staff. Even if those people already know how important it is, having those knowledgeable people in the room can help spark conversation. This also applies to employees who’ve been with the company for a while, as they likely handle more sensitive information than greener employees.

Third, hold cybersecurity sessions often. Training for cybersecurity isn’t something you do after you’ve been hacked. In fact, that’s the worst time to host a session. Instead, make an effort to hold sessions regularly, prior to any attack.

These sessions don’t need to be time consuming; perhaps once a month hold a lunch ’n’ learn. Another option is an online forum where employees can share and discuss information. You can even consider putting together routine online surveys to quiz cybersecurity knowledge. It’s cheap, quick, and a good way to measure people’s knowledge.

The fourth tip is to issue specific rules for social networks, mobile devices, email, and browsing. Encourage a culture of “safe browsing” and caution staff to be wary of unfamiliar links or attachments.

On that note, if you require routine password changes, aim to find a balance. If you get them to change passwords every month, employees will start writing them down rather than memorizing them. My suggestion is to change your password once every three months at the minimum.

Furthermore, don’t make processes so convoluted that you’re making it harder for employees to do their work. If you add too many stops, employees will find other methods to bypass those controls.

The final tip is to train employees to recognize and respond to cyber attacks. Give them a channel where they can easily reach out about anything cybersecurity related, from suspicious emails and unusual activity to losing a device. Even if it’s a false alarm, having an emergency number to contact is reassuring and can stop attacks before they get too big.

Despite all of these efforts, this won’t be enough to stop every single threat out there. Hackers continue to find new ways to break into systems. But at the very least, having a more informed staff can help reduce the risk of human error causing breaches.

DP69 Other Ways to Prevent Ransomware

February 7, 2020

Outside of downloading or buying ransomware protection, there are other ways for us to fight back against ransomware and protect our data. While a lot of the attacks target small businesses, we as individuals aren’t immune to scam operators and their ransomware attacks.

Before delving into the methods, one thing I’ll make clear is that most of these attacks have happened due to poor protection practices by employees and individuals alike. I’d recommend looking at your overall behavior around protecting your personal information and making changes, but also considering ransomware protection tools.

Outside of that, here are some other ways to prevent ransomware.

In the event you are targeted by a ransomware attack, never pay the ransom. Paying funds attackers, and it doesn’t guarantee that you’ll get those files back. After all, you don’t know the person or where they operate. Why would they give the files back?

Make a habit of backing up files. Having a dedicated backup drive separate from your computer ensures you can swiftly recover lost files with no issue. It is the fastest and easiest way to get your data back.

Never provide personal details over unsolicited phone calls, emails, texts or instant messages. If you ever get any of these, make a point of verifying them. In an employee setting (the most common scenario) you may get a call from someone claiming to be from the IT department or some other department. In that case, call up that department and ask around. Even ask fellow coworkers if they’ve gotten these unusual calls.

Have at least some level of protection. Ransomware protection is ideal, but also having antivirus software and a firewall is key. Make sure you get both from reputable companies in the industry.

Make a point of content scanning and filtering on mail servers, and of blocking and scanning attachments for known threats.

Keep your systems up to date with the latest patches. These patches normally fix the vulnerabilities that ransomware can exploit.

Lastly, if you are ever travelling, contact the IT department first. Definitely contact them if you plan on using public Wi-Fi. When using public WiFi, make sure you have a Virtual Private Network (VPN) on to better protect yourself.

DP68 Ransomware Protection Tools To Consider

February 5, 2020

When people aren’t scamming you through sleazy phone calls, hackers are getting into your computer, locking particular data behind encryption and demanding money. This type of scam is called ransomware and is one of the largest problems people face today.

While in many cases ransomware targets small or medium-sized businesses, that doesn’t mean it can’t go after individuals. As such, it’s smart for not only average people but also companies to invest in some ransomware protection for their PCs. Here are some of my suggestions.

First on the list is Bitdefender Antivirus Plus. For $30 a year, you get solid antivirus software packed with all kinds of features that put other security suites to shame. Features include protection from malware, phishing, network threats, ransomware and other threats. You also get a password wallet, a VPN (virtual private network) to make tracking you practically impossible, and more.

Second is Check Point ZoneAlarm Anti-Ransomware. For this protection you’re paying roughly $20 a year and getting a highly effective and robust security system. In testing it monitors and cleans up any ransomware traces, and it has effectively stopped modern ransomware. The only catch to this tool is that it focuses on ransomware and nothing else.

Webroot is the third tool on the list and serves more as a bundle compared to the others. Webroot comprises Bitdefender, Kaspersky and many others. It bundles everything into a one-year subscription for about $20 a year. All in all, it’s cheap, speedy, and does its job well in providing ample protection.

For those who don’t want to pay any yearly fees, there are some free options to consider. Our fourth option is Acronis Ransomware Protection. It’s free and fights pretty well against ransomware in general. The free bundle offers 5 GB of online backup storage for securing your most important files. It is also capable of recovering affected files and can fight against most ransomware. I’d recommend paying for one of the three I mentioned earlier, but if you need a backup, this software can cover it.

The final tool I’ll share is Cybereason RansomFree. This is also free and, like Acronis, fights most ransomware pretty well, with some slipping through the cracks. In the case of Cybereason, it’s disk-encryption ransomware that it can’t detect. Of course you have to expect some drawbacks since it’s free, but outside of that, it adds another layer of protection and that’s better than nothing.

DP67 How to Uncover General Phone Scams

February 3, 2020

Even though we use our phones a lot for texting these days, it doesn’t mean we don’t get telephone scams. Some of them are for nickels and dimes, but some scams can cost our entire life savings. Scammers today will do anything to cheat people out of money, with many posing as government officials.

Of course there are other scams out there, but they all follow a similar structure. They claim to work for some company that you trust, or they’ll send you an email asking you to call them or click a link.

Even as telephone scams have become more sophisticated over time, there are still some specific characteristics we can use to identify them.

First of all, a scammer will work hard to ensure you don’t think much about their pitch. Their focus is to get you to keep saying yes, or to make you feel a certain way so that you act on those emotions.

That being said, even for people who have caught onto that, some scammers go a step farther and provide testimonials or websites to back up their claim. They’re fake of course, but it can satisfy those who are thinking a little ahead.

Instead of relying on that, I’d suggest using the following identifiers:

  • You’ve been specially selected for a unique offer.
  • You’re getting a free bonus whenever you buy whatever they’re selling.
  • You won a valuable prize for a contest you didn’t enter.
  • You won money from a foreign lottery.
  • A low-risk, massive-return investment offer.
  • They pressure you into making a decision right on the spot.
  • They use phrases like “You trust me, right?” or “We’ll charge the shipping and handling charges to your credit card.”
  • They dismiss the idea that you need to verify the company they represent.

As you can tell, these identifiers are all situational and depend on the type of scam call the scammer is employing. In most cases, the methods they use follow a certain process. Here is how they’ll try to hook you:

  • A travel package: it’s usually a free or low-cost vacation that’s advertised. The scam is that there is a series of hidden costs, and in most cases the vacation you paid for never takes place.
  • Credit and loans: the “credit card company” calls and offers a credit card with a lower interest rate. You’ll see these cropping up more in a down economy.
  • Investment or business opportunities: they rely on the person not being financially savvy enough to look into the actual investment.
  • Charities: the call usually stresses an urgent need for donations. These appear around the time a disaster has recently happened.
  • Foreign lotteries: whether by phone or mail, buying a lottery ticket through those methods is illegal. All lotteries and entries must be made in person, with you physically buying a ticket.
  • Free trial offers: a shell company offers a free trial for a product, will often load you up with lots of products, and will charge you a crazy amount of money every month until you cancel.

These are only the tip of the iceberg, but staying vigilant and digging further into the information provided can help ensure you don’t get scammed.

DP66 How to Detect Tax Scams

January 31, 2020

Last episode, I talked about how to generally identify scams where the person is posing as a government official. However, one of the most common scams people experience is calls from the CRA/IRS, and that’s a rather unique case.

After all, if you owe the government any kind of money, you know how the CRA/IRS operates can seem a little shifty. For example, in order to verify they are talking to the correct person, they ask for the person’s SIN, which is awfully similar to how scammers operate.

So in light of this, distinguishing between a scam and a legitimate contact comes down to keeping an eye on key identifiers.

For example, in some scams, people are directed to a fake tax website where you need to verify personal information. With this in mind, we know the official site wouldn’t ask for personal information out of the blue, since it’s mainly an open source of information. Another key identifier is checking the URL. Not only do official websites use https (meaning the connection is encrypted), but you should also be familiar with the exact domain your country’s tax agency uses.
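
One way to apply the URL check just described, as an added example that is not part of the original episode: the allow-list of official domains and the sample links below are assumptions for illustration (use the exact domain your own tax agency publishes). A link passes only if it is https and its host is the official domain or a subdomain of it, which rejects the usual lookalike tricks.

```python
"""Check whether a link in a suspected tax-agency email really points at the
official site.  Added example; the allow-list and sample links are assumptions."""
from urllib.parse import urlsplit

# Assumed allow-list of official registrable domains for this example.
# Replace with the domain your own tax agency publishes.
OFFICIAL_DOMAINS = ("irs.gov", "canada.ca")


def host_of(url: str) -> str:
    """Return the lower-cased hostname of url, or '' if it cannot be parsed.
    urlsplit().hostname already drops any 'user@' prefix and the port."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_official_link(url: str, official_domains=OFFICIAL_DOMAINS) -> bool:
    """True only if the scheme is https AND the host is an official domain or a
    subdomain of one.  Lookalikes such as 'irs.gov.example.net' (official name
    used as a prefix), 'irs-gov.net', or 'irs.gov@evil.example' (the official
    name placed in the userinfo part) all fail the host comparison."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = host_of(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in official_domains)


def triage_links(urls):
    """Classify each link; returns a dict url -> 'official' or 'suspect'."""
    return {u: ("official" if is_official_link(u) else "suspect") for u in urls}


# Constructed sample links in the style of a phishing email (not real URLs).
SAMPLE_LINKS = [
    "https://www.irs.gov/payments",                       # genuine host, https
    "http://www.irs.gov/payments",                        # genuine host, plain http
    "https://www.irs.gov.refund-portal.example/verify",   # official name as prefix
    "https://irs.gov@refund-portal.example/login",        # userinfo trick
    "https://canada.ca.example/verify",                   # extra label appended
]

if __name__ == "__main__":
    for url, verdict in triage_links(SAMPLE_LINKS).items():
        print(f"{verdict:8} {url}")
```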


It’s also worth looking over the other behavior that the tax centers exhibit through various mediums. Here is a breakdown of what they do.

Over the phone, they will:

  • Verify your identity through a variety of identifiers outside of your SIN. They will also ask for your full name, date of birth, and address. They also make a point of explaining why they’re calling (usually about a specific account, like collecting income tax, EI debt, etc.).
  • Ask for specific details about the account in the event you’re asking about something business related to your account.
  • Call to start an audit process.

They will never:

  • Ask for information outside of what’s stated above. This means they won’t ask about your passport, health card or driver’s license.
  • Demand immediate payment via cryptocurrency, prepaid credit or gift cards, e-transfers or other mediums.
  • Use aggressive language or threaten you in any way.
  • Leave voicemails that are intimidating or threatening.

Over email, they will:

  • Send you a notification whenever you receive a message or document in a secure CRA/IRS portal. Examples of portals are My Account, My Business Account, or Represent a Client.
  • Email you links relevant to conversations you had with an official over a call or in a meeting. These links point to a CRA/IRS webpage, form or publication on the site. This is the only time they’ll send links in emails.

They will never:

  • Give away or ask for personal or financial info via email, or ask you to click on specific links.
  • Email you asking you to fill out an online form.
  • Send you emails with links to refunds.
  • Demand immediate payment via e-transfers, prepaid credit or gift cards, cryptocurrency, or other mediums.
  • Threaten you in any way.

Whenever they send you mail, they will:

  • Ask for bank information such as the name of your bank and its location.
  • Send you a notice of assessment or reassessment.
  • Ask you to pay an amount owed through official tax payment methods. Examples are online banking, the My Payment option in My Account, or visiting a government building and paying in person.
  • Let you know they are taking legal action to recover money owed if you refuse to pay a debt.
  • Write to start an audit process.

They will never:

  • Request a meeting in a public place to take a payment.
  • Demand that you pay immediately through e-transfers, cryptocurrency, gift or credit cards, or other mediums.
  • Threaten you in any way.

Lastly, if the CRA/IRS ever texts you, remember that they don’t use text messaging. They will not communicate with you through any kind of messenger app at all.

As you can tell, sometimes the line between legitimacy and a scam is a bit tricky, but to better protect yourself, ask the following questions:

  • Why is the caller pressuring me to act right now? Can I be certain they’re really a government employee?
  • Have I filed my taxes on time? I should have received a notice of assessment or reassessment stating whether I owe anything.
  • Have I received any written or verbal communication from them recently that warrants this email?
  • Do they have my most recent contact information, like address and email?
  • Is the caller asking for information that is unrelated to what’s on my tax return?
  • Did I recently send a request to change my business number or business information?
  • Do I have an installment payment due soon?
  • Have I gotten a statement of account pertaining to money I owe to a government program like EI or Student Loans?

Also remember that the CRA/IRS want to work with you if you owe them money. They will never pressure you into paying if it affects your daily life.

DP65 How To Protect Yourself Against “Government” Telemarketing Scams

January 29, 2020

You sometimes hear this in the news around tax time: fraudsters saying they represent the CRA/IRS calling you. But one other scam that’s been cropping up is one where fraudsters call stating that your Social Insurance Number (SIN) has been compromised. It’s then followed by an unusual request for you to confirm your SIN, to verify whether it was compromised and to get a new one.

I say unusual because if the caller says your SIN is supposedly “compromised”, they should already know your SIN anyway.

Not only that, but the fraudsters often disguise themselves as government departments, which in theory should know your SIN anyway, depending on the department.

Anyway, despite seeming legitimate, they definitely aren’t, as confirmed by anti-fraud centers. Not only that, but these types of scams are nothing new in this day and age. Fraudsters have been getting craftier every year, and some of the more recent scams have stemmed from fraudsters posing as government officials.

In the case of the most recent scam, this one crops up around times where there have been highly publicized privacy breaches. In most instances, the scammer will even mention that recent data breach.

But naturally, we can work around these scams, and there are some tips to keep in mind too.

  • First of all, we can always use logic. Like I said above, if the caller is claiming to work for the government, they should have a lot of your personal information right there. Similarly, if they mention a highly publicized breach, unless it’s an actual government agency, chances are your SIN is not even related to it.
  • Second, as a general rule, never give personal information like a credit card number or SIN over the phone. Only divulge that if the person is a trusted person or you’ve initiated the call yourself.
  • Third, if you do get an unexpected call requesting personal or financial info, ask them who they represent and call up that organization to verify the legitimacy.
  • Fourth, remind yourself that any reputable firm will never ask for personal info without significant safeguards in place.

DP64 A Quick Look at Click Fraud

January 27, 2020

One of the biggest issues that PPC (pay-per-click online ad campaign) marketers are facing is click fraud. Over the past two decades, there has been a massive marketing revolution. Marketers enjoyed the leap from newspapers and billboards to radio and TV, and today they can advertise to anyone via the Internet and social media.

It’s obvious why we see fewer billboards, or even companies attempting to use those methods. They’re practically relics best left in the past.

But while technology has enriched everyone’s lives, careers, and industries in general, there are still a wide variety of problems. One prime example of that is the PPC marketing industry.

For those not familiar with PPC, this form of marketing is nothing new. To give you an example of what it’s like, think of it like this:

You’re running a grocery store and decide you want to attract more people to your store. Instead of putting on a huge marketing campaign, you decide to buy a certain number of leaflets promoting your store. You may even put a discount coupon on them too.

You place these leaflets at the front of your store and around the surrounding area. After a week, you notice more people coming to your store, and you also notice the number of leaflets on the stand has gone down.

PPC works in the same fashion. Your online advertisement is the leaflet, and your cost per click is how much it cost you to print that leaflet.

It all sounds too good to be true, right? The method itself is not scammy; however, there is a snag. Because this new form of advertising is so powerful, there is a lot of money changing hands, and it’s attracted people who will actually scam you.

How will they scam you? Simple: through something called click fraud. This activity alone costs businesses billions every year. What’s worse is that because click fraud is so easy to do, a lot of businesses are at risk.

To put into perspective how dangerous this can be, let’s go back to the leaflet example I used to describe pay per click.

Of course, in this scenario you are still paying for the leaflets no matter what. PPC advertising works in the same way: you are still paying for the online ad.

But what if someone picks up a leaflet (i.e. clicks on an ad) and then doesn’t do anything with it? What if they pick them all up and tear them up? You’re still charged your flat rate for that advertisement, but you didn’t get the lead that was promised to you. What’s worse is you’ll have to buy more leaflets, or else no one will hear about your business.

That is what click fraud is at its core. It’s clicking on a pay-per-click advertisement in order to generate fraudulent charges for advertisers. This is why it costs advertisers billions of dollars. Since 2017, 1 in 5 clicks on advertisements have been fraudulent, and the number has been rising every month since then.

It drives up advertising costs, and in some cases those businesses can’t compete. PPC is designed for companies with tighter budgets and fewer resources. And those are the people who are hurt the most by this: small and medium-sized businesses.

You’d think that with such a massive industry there would be a tighter grip on this situation, right? Sadly, that’s not the case.

There has been some attempt to address this issue in the form of Google opening what most people call the ad quality center. Basically, it’s a center devoted to monitoring ads and reimbursing advertisers who are subject to fraudulent behaviour. It all sounds amazing, but it’s undercut by the fact that click fraud is still extremely hard to detect.

As I said, click fraud is still on the rise to this day, as fraudsters are using more advanced bots to slip under the radar.

So what can we do about it?

As a consumer, there is little we can do. The best behavior is honestly to not click on an ad that you’re not interested in.

As a business, though, it’s key to look at your PPC campaigns and figure out where traffic is coming from. This sounds easy on paper, but it’s trickier than you think.

It involves getting the visitor data and exporting it into a spreadsheet. The catch is, you’ll likely have data from thousands or tens of thousands of visitors through this process. From there, it’s sifting through that list to look for any kind of suspicious behavior.

At the end of the day it’s a massive headache and a hassle to deal with, and there is no way around it other than checking the IP addresses and deciding whether to block them or not.
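
One way to do that sifting over an exported click log, as an added example that is not part of the original episode: the CSV columns, the sample rows and the thresholds are assumptions for illustration. It profiles each IP by click bursts on a single ad and by the share of clicks that left the landing page immediately, and returns the IPs worth reviewing before you decide whether to block them.

```python
"""Sift exported PPC click data for IPs that look like click fraud.
Added example; the log format, sample rows and thresholds are assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one row per ad click.  dwell_s is the number of
# seconds the visitor stayed on the landing page (0 = left immediately).
SAMPLE_CSV = """ts,ip,ad_id,dwell_s
2020-01-27T10:00:01,203.0.113.7,ad-1,42
2020-01-27T10:00:05,198.51.100.9,ad-1,0
2020-01-27T10:00:09,198.51.100.9,ad-1,0
2020-01-27T10:00:13,198.51.100.9,ad-1,0
2020-01-27T10:00:17,198.51.100.9,ad-1,1
2020-01-27T10:00:21,198.51.100.9,ad-1,0
2020-01-27T10:03:40,203.0.113.7,ad-2,88
2020-01-27T11:15:00,192.0.2.44,ad-1,0
2020-01-27T14:30:00,192.0.2.44,ad-1,15
2020-01-27T14:30:03,192.0.2.44,ad-1,0
2020-01-27T14:30:06,192.0.2.44,ad-1,0
"""

WINDOW = timedelta(minutes=10)   # burst window (assumed threshold)
BURST_CLICKS = 4                 # clicks on one ad within WINDOW -> burst
MIN_DWELL_S = 2                  # below this the click "did nothing"
ZERO_DWELL_RATIO = 0.75          # share of no-dwell clicks that flags an IP


def parse_clicks(text):
    """Parse the CSV export into a list of dicts with a datetime 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(row["ts"]), "ip": row["ip"],
                     "ad_id": row["ad_id"], "dwell_s": int(row["dwell_s"])})
    return rows


def max_burst(times):
    """Largest number of clicks falling inside any WINDOW-long span
    (sliding window over the sorted timestamps)."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def profile_ips(rows):
    """Summarise each IP: total clicks, share of no-dwell clicks, and the
    worst burst of clicks on any single ad."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    profiles = {}
    for ip, clicks in by_ip.items():
        per_ad = defaultdict(list)
        for c in clicks:
            per_ad[c["ad_id"]].append(c["ts"])
        no_dwell = sum(1 for c in clicks if c["dwell_s"] < MIN_DWELL_S)
        profiles[ip] = {
            "clicks": len(clicks),
            "no_dwell_ratio": no_dwell / len(clicks),
            "burst": max(max_burst(ts) for ts in per_ad.values()),
        }
    return profiles


def suspicious_ips(rows):
    """Return {ip: [reasons]} for IPs worth reviewing before deciding to block.
    Only a burst or a high no-dwell share is flagged; a single stray zero-dwell
    click from an otherwise normal visitor is not."""
    flagged = {}
    for ip, p in profile_ips(rows).items():
        reasons = []
        if p["burst"] >= BURST_CLICKS:
            reasons.append(f"{p['burst']} clicks on one ad within {WINDOW}")
        if p["clicks"] >= 3 and p["no_dwell_ratio"] >= ZERO_DWELL_RATIO:
            reasons.append(f"{p['no_dwell_ratio']:.0%} of clicks left immediately")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in suspicious_ips(parse_clicks(SAMPLE_CSV)).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample, 198.51.100.9 is flagged for both a burst and no dwell time, 192.0.2.44 only for leaving immediately on most clicks, and 203.0.113.7 looks like a real visitor.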
