Bryley Basics: Password Protection

Passwords are typically stolen during what’s called a phishing attack.

Phishing emails are malicious emails sent by criminals attempting to compromise your personal information. They often appear to be legitimate, so beware!

Most phishing emails are disguised as messages from an authoritative entity asking you to visit a website and enter personal information. These websites are set up to gather personal details, which they can then use to hack into your accounts and commit fraud. Some links and attachments in these emails contain malicious software, known as malware, which will install itself on your computer. Malware then collects data such as usernames and passwords.

Another way passwords are stolen is simply due to the face that some people use weak passwords.  If it’s easy to guess your password, then you have put yourself at greater risk of suddenly becoming a victim.

So, how do you stop someone from stealing your password?

First you will need to be aware of what real websites look like so that you know what false ones look like. If you know what to look for, and are suspicious by default each time you enter your password online, it will go a long way in preventing successful phishing attempts.

Each time you get an email about resetting your password, read the email address it’s coming from to make sure the domain name is real.  It usually says “something@websitename.com.   For example, “ITsupport@YouBank.com” would indicate that you’re getting the email from YourBank.com.

However, hackers can spoof email addresses too. Therefore, when you open a link in an email, check that the web browser resolves the link properly.

If you open a link that appears as “YourBank.com” and the link changes to “SomethingOtherThanThat.com, then you need to exit the page immediately.

If you’re ever suspicious, just type the website URL directly into the navigation bar. Open your browser and type “YourBank.com” if that’s where you want to go. This way you can ensure that you are on the legitimate website, and not a fake one.

Another safeguard is to set up two-factor authentication (if the website supports it) so that each time you log in, you not only need your password but also a code. The code is often sent to the user’s phone or email, so the hacker would need not only your password, but also access to your email account or phone.

If you think someone might steal your password using the password reset trick mentioned above, either choose more complex questions or simply avoid answering them truthfully to make it nearly impossible for a hacker to guess.  Simple passwords need to be avoided, it’s that simple.  If you need help remembering your complex passwords, you can store your passwords in a free password manager.

It is always advisable to store sensitive information like your credit card or bank details, within online accounts that are hosted by companies you trust. For example, if an odd website that you’ve never purchased from before is asking for your bank details, you might think twice about it or use something secure like PayPal or a temporary or reloadable card, to fulfill the payment.

When in doubt, don’t click.  Legitimate organizations will not ask you to disclose personal data via email.

See if Bryley is the IT company suited to your business needs, by emailing ITExperts@Bryley.com or calling 978.562.6077.

March 31st is World Backup Day – Create a Properly Planned Backup Process

With March 31st being World Backup Day, it only seems right to talk about the importance of having a well-planned backup process.  Every day we read about malicious attacks on organizations, and there is no doubt that these attacks, especially ransomware, will continue to grow drastically in 2018.

Ransomware is a form of malware based on encryption software that seeks payment (ransom) to undo the damage it causes; when infected, the malware typically encrypts all data files, rendering them useless until the ransom is paid.  Encryption software scrambles a files’ contents and creates an encryption key, essentially a code used to reverse the process.  Unless you have this key and the encryption software, the files remain unreadable.

Ransom prices will vary depending on the ransomware variant and the price or exchange rates of digital currencies. Thanks to the perceived anonymity offered by cryptocurrencies, ransomware operators commonly specify ransom payments in bitcoins.  Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards.  Paying the ransom is risky, and not recommended.  It will not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system, and it potentially will make you more of a target in the future.

The only way to thwart ransomware is by restoring the corrupted files through a backup that was created before the infection.

A properly planned and implemented backup process is vital since data stored on a network server represents many hours of effort over time, making it impractical and usually impossible to recreate.  A properly functioning, multi-point-in-time backup is necessary to provide restoration under these and other scenarios:

  • A server fails
  • A file is deleted
  • A template is written over
  • An application upgrade fails and must be restored
  • A document is inadvertently changed and saved by a user

A backup should be a complete, recoverable copy of not just data, but the entire server/network environment.  It should have these properties:

  • Sequenced over many days
  • Complete image
  • Offsite storage

If you’re ready to get serious about protecting your business data, select a talented company, like Bryley Systems, to help you implement a Backup/Data Recovery solution to eliminate weak links in your security chain.  Let us help you develop an organization-wide policy to help prevent data loss. See if Bryley is the IT company suited to your business needs, by emailing ITExperts@Bryley.com or calling 978.562.6077. We are here to help.

5 Reasons You Need a VPN Policy

The security of your business is heavily dependent on the ability of employees and executives alike to stay safe wherever they go. They need to make sure their online activities remain unimpeded and that public networks don’t become a data leak risk. Such a leak could damage your company’s reputation and set your business back months.

One of the main tools used to help businesses overcome these obstacles is a Virtual Private Network (VPN), which is a service that can connect a user to an offsite secure server using an encrypted connection. The encryption allows people to keep themselves safe from hackers on public networks (or any unsafe network). The server hides their IP address, allowing them to keep their activities anonymous and get access to restricted or blocked websites.

teamwork

All of these things are great, but VPNs can also cause confusion if not used uniformly or correctly. A “bring your own VPN” policy can prove disastrous for several reasons. Your business needs a standard policy, and here are the five main benefits of instating one:

You Can Better Manage the Configurations

Sometimes VPNs need to be managed to work best for the company. If you have a universal VPN policy or even a universally proscribed VPN for employees (in which case it would be recommended to provide access with company funds to facilitate control), then you can know that everyone has settings acceptable to the interests of the company by making those mandatory settings clear. No one will feel as though another has an unfair advantage as well.

You can use these to limit access to certain websites or regions, or simply help people who don’t know better maximize their speed and access. This kind of plan is absolutely essential if you plan on setting up your own VPN server at your company (although this should only really be done by large organizations), as messing around too much can make things more difficult for other users. It might be worth it to include a “tips and tricks” section next to them.

Uniform Universal Access

Any business should know what their employees are capable of not only in their skillsets but in the tools they are using. If you don’t have a general VPN for the company and everyone is just using their own, you might find that someone’s tool isn’t up to par with what the company needs. In the worst case scenario, someone might download a VPN application that is malware in disguise, not checking up on the service first. This could lead to a massive data breach in addition to dropped communications at a potentially crucial moment.

If your company decides upon a singular (and well-reviewed) VPN to work with and provides access or subscriptions to all relevant employees, then it will be easier to work with those remote and travelling employees knowing that they all are getting the same level of access. Chance and circumstance will be removed from the equation, and your IT specialists will be thanking you for months.

Exact Knowledge of Security

If you have a strong VPN policy that is regularly enforced, you can work under the assumption that all employees using a VPN will have a set level of security wherever they go. This allows you to send and receive sensitive information with much less risk, because unfortunately not all VPNs are created equal.

You don’t want some employees vulnerable to cyberattacks and cyberespionage while others are fine. They might feel emboldened in their security practices by the fact that they use a VPN. In your policies you need to reiterate that danger doesn’t go away entirely due to VPN use, and by having company-wide policies, you can focus on what dangers still prevail. A VPN policy will remind people that it’s not a panacea, but it should always be used.

Rules and Guidelines

People use VPNs for different reasons. Some of those reasons are strictly security related, and others are related to torrenting or pirating files. Most people wouldn’t think to download the latest box office hit on their VPN at the office, but such things do happen, and you need to be prepared for any situation.

If you have a VPN policy, then your company can clearly spell out what VPNs are to be used for and what is acceptable online behavior. Some of it can relate to already existing technology guidelines, but even those should be reiterated in your VPN policy (it won’t do any harm). No one will be able to say they didn’t know better, and clear action can be taken if these rules are broken.

Usage Control and Easier Management

Something you will want to take into consideration is who you allow to use a VPN. If your company is providing VPNs and has strict rules surrounding them, you should only allow employees to use them, not friends and family members. They might have good intentions but later cause a data breach or other critical issue down the line.

A policy will allow you to manage potential issues such as these with little difficulty, and having a pre-selected VPN and policies means that you or someone else can spend less time learning about different VPNs and more time focusing on a single one to optimize. You will be better able to know about potential activity and potential problems, letting human concerns take the forefront.

phoneBlue

VPN guidelines aren’t too difficult to come up with, and in the long run, they will save any business a good deal of time and resources. Implemented correctly, employees won’t have any problems adjusting to them and the company will be safe with a full array of useful information available at all times.

Do you think there are any other reasons that a company should have VPN guidelines? Do you have recommendations of your own that you would like to share with your fellow readers? Any stories regarding a “bring your own VPN” policy that didn’t work out? The sharing of information makes us all improve, so please leave a comment below and continue the conversation about this important tool.

By Cassie Phillips
SecureThoughts.com

See if Bryley is the IT company suited to your business needs, by emailing ITExperts@Bryley.com or calling 978.562.6077.

The Internet of Things: Convenience vs. Risk

The Internet of Things (IoT) is everywhere.  These convenient devices are in our homes and offices as well as in our pockets.  Along with the convenience they provide there are some security risks associated by using these devices.  There have been a number of known security breaches reported in the news regarding this topic, and those breaches included massive distributed denial-of-service (DDoS) attacks, and botnet hijacking attacks which have caused major disruption to organizations.

What is potentially affected?  All those devices that communicate and can be accessed via the Internet based upon their IP addresses.  That would include traditional office equipment such as copiers, printers, video projectors, and even televisions in reception areas.  Some of the less obvious devices would be climate control, motion detection systems and security lighting systems which are equipped with remote access can be controlled over the Internet. And, don’t forget the smartphones and smartwatches – these personal devices play a role in a company’s security.  These devices create access points and the best way to be secure is to define a policy to put protections in to place.

Many IoT devices are produced with the very basic software, which often can’t be updated.  As people become more aware of risk, some IoT devices are being brought up to current security standards with periodic firmware updates.  It’s a good start, but the majority of internet-ready devices cannot be integrated into the conventional IT hardware or software protections with which companies protect themselves against internet-based attacks. The variety of new internet-ready devices brings a mass of new data traffic to the network that must be managed and secured by IT departments. But it’s complicated by the variety of network protocols used by all of these various device types.  These devices are being used for personal and business and sometimes the lines of use will cross.  The integration of personal devices will pose a security risk simply because more and more attacks on companies are started against individual employees. As an example, if a device is infected with malware or a virus, it can be used to gain traction and then wreak havoc when it connects to the company’s network.  The tricky part is defining who should be responsible for IoT security – however, it is an important step.

The first consideration you need to make is whether or not connecting a particular device will be a large enough benefit to be worth the inherent risks. Depending on the device, an IoT device could be used to spy on you, steal your data, and track your whereabouts. If the device in question directly offers you a helpful, worthwhile utility, it may be worth the risk. If the connected device serves little purpose beyond its novelty, or its purpose could just as easily be managed by a staff member, it is probably best to leave it disconnected.

By taking inventory you have a benchmark as to all the devices that will connect to the Internet.  An organization should evaluate every single device that is added to the network.  Desktops, laptops and servers are generally tested extensively but mobile devices should also be added to the list.  Oftentimes devices are ignored even though they actively communicate over the network, and strict attention should be given to those devices that send data.  It’s very important to set guidelines for the use of IoT devices.  Be sure to define which devices are permitted on the company network and what data exchange with the network or Internet is desired.  The proper security technology will prevent unwanted traffic.

IoT introduces additional complexity for security.  Organizations are advised to monitor the data traffic to and from IoT devices in their network. Perimeter-based solutions are not adequate in today’s IT environment because users and apps can no longer be contained inside a organization’s network, behind a clearly defined protective wall.  Organizations need to evaluate new security concepts that have already proven reliable as workplace tools of mobile employees and remote offices.  For example, a protective shield from the cloud can scan all incoming and outgoing data traffic for malicious code, regardless of the device used.  With cloud solutions, organizations gain control of all internet-based traffic and can actively manage which communications are permitted or should be blocked. This can include preventing the printer from automatically ordering toner and restricting all other devices to a minimum amount of communication on the web. You should also make sure that the environment that you are using an IoT device in is as secure as possible. Making sure that your firmware is updated will ensure that you have the latest security patches and fixes for the various exploits and vulnerabilities that the IoT may present. If possible, this process should be automated so that your IoT devices, as well as your router, are fully updated.  It may also be a good idea to check if your router supports guest networking. With guest networking, you can keep potentially risky IoT devices off of your main business network, protecting its contents.  Organizations should always make sure that passwords are in line with best practices, and that you are not reusing passwords between devices and accounts. Following these guidelines means that even if one of your accounts is comprised, the rest of your accounts are safe behind a different set of credentials.

Ultimately, the best way to keep your organization safe from IoT issues is to establish rules regarding the use of these devices and monitor their permissions. Extending the consideration of whether or not a device needs to be connected, you need to establish if it even needs to be in the office. After all, a smartwatch can offer some business utility, whereas a smart trash can (which does in fact exist) does not.

Monitoring your organization’s network can help you identify if any unapproved devices have made a connection.

The Importance of BU/DR in the Manufacturing Industry

What would happen to your organization if plant production was taken to a halt?  How would you get it back up and running?  Or, could you?

Whether the disaster is caused by mother nature, a human error, a cyber-attack of some sort (and yes, there are many types), it can wreak havoc on your organization – it can even take the company down to its knees.  Each moment of downtime equates to lost dollars and lost customer satisfaction. Manufacturing firms have to effectively ensure that production and distribution is consistent.

Technology is used throughout manufacturing in many ways – to store data, run automated machinery on the plant floor, track inventory and support distribution. Your technology is intertwined with your business processes and if you suddenly weren’t able to use those processes, it could be a catastrophic situation.

A few scenarios of how a disaster can disrupt manufacturing, and what you can proactively avoid it.

Halt in Production.  Complex automated equipment and inventory tracking are just two processes that are severely influenced during a disaster. Do you have a recovery plan in place for a worst-case scenario?  Production logistics may be the most challenging area to recuperate, but having a strong backup and data recovery (BU/DR) plan safeguards data and allows for immediate access to mission-critical applications.

Whether your organization experiences a cyber-attack, or even a power outage that shuts down productivity for several hours, all of your applications used to run the automated machinery will not work because the system cannot connect to the network. Depending on the size of your plant(s), you could be facing up to millions of dollars in lost revenue and customer reimbursement.

BU/DR To The Rescue.  If your senior management team turned to a BU/DR expert – like Bryley Systems –  to assess the possible vulnerabilities associated with an outage and developed a proactive plan to recover and access data, your BU/DR provider would be able to access your data and apps to get your operations back up and running with a minimum amount of downtime.

Halt in Distribution.  Downtime is never acceptable when it comes to distribution.  All schedules must be strictly followed to satisfy delivery expectations. Customers don’t care if your warehouse floods.  They want to receive their order on time. Logistics management utilizes computerized tracking and ERP systems to understand how many products are stored and where they are at any given time to enhance product readiness and customer fulfillment.

Imagine this scenario – you work as an IT Director for a large New England pharmaceutical manufacturing company. Your network is more vulnerable to external hacker attempts simply due to the size of your business and the value of your data.   All of a sudden, your systems are corrupted with vicious malware and the entire database is inaccessible. To continue operations at your normal efficiency level and avoid downtime, your backup and recovery disaster plan kicks in to eliminate the malware and restore your plant data to where it was before the attack. Investing in a custom BU/DR plan serves as disaster protection ensuring your ability to move products to their destination.

The key to effective data recovery is planning ahead. Partnering with a BU/DR professional to support your critical infrastructure and resources adds additional layers of security and communication. When unexpected disasters strike, your recovery strategy will be there to save the day by restoring your data and reducing your downtime.

 

The Bryley BU/DR process:

  • For on-premise equipment, we deploy a BU/DR appliance onsite to provide local backup-and-restore capability and to speed recovery.
  • We take an encrypted image of your system and copy it to our data center.
  • We stream encrypted, differential changes from your site to our datacenter

Isn’t the survival and security of your manufacturing organization worth the investment of BU/DR?  Our team of experts will help you navigate through this process and implement the most effective BU/DR tailored to your environment and budget. 

See if Bryley is the IT company suited to your business needs, by emailing ITExperts@Bryley.com or calling 978.562.6077.

How CPA Firms Can Benefit from Managed IT Services

Let security and confidentiality be your watchwords!

When it comes to safeguarding your CPA firm’s confidential data, there is zero tolerance for risk. CPAs rely upon various forms of technology to gather data – whether it is a tax return or an independent audit.

CPA firms have made great strides by implementing such technology as electronic data management systems, client portals, and cloud-computing systems. However, records maintained by CPA firms must remain confidential because of professional standards, statutes, and regulations governing record retention. Data breaches can happen in numerous ways, including the following: fraud, hacking, improper disposal of data, or even a lost or stolen device.

A CPA firm will need their IT department (or an outsourced Managed IT Services vendor) to implement and maintain a comprehensive list of data and network security controls. It is helpful to understand the basics:

Perimeter security. This first line of defense includes firewall and intrusion detection systems, in addition to intrusion prevention systems. These should be configured with appropriate restrictions to block and filter both incoming and outgoing Internet traffic.

Endpoint security. Endpoint security requires each computing device on a corporate network to comply with established standards before network access is granted. These measures protect the servers and workstations and include safeguards such as administrative access limitations and anti-virus protection.

Network monitoring. Part of the control environment should include a frequent and ongoing monitoring program for all IT systems.

What We Do

circles

Comprehensive Support Program™ (CSP) — Bryley provides ongoing, proactive maintenance and remediation support to ensure a stable, highly-available computer network. Our most-popular Comprehensive Support Program (CSP) consolidates all end-user devices (mobile and desktop), servers, and computer-network equipment issues into one, Bryley-managed, fixed-fee program. Among the many services delivered under the Managed IT umbrella, Bryley installs and manages all software updates and patches.

Secure Network™ (SN) – An ongoing, managed-IT service that prevents intrusion, malware, and spam from entering the computer network through its Internet gateway and can restrict web-site surfing to inappropriate sites.

Multi-Point Security Hardening Service™ (MPSHS) – A periodic review to harden your computer-network security by reviewing/updating policies and configurations and testing. With this program, Bryley Systems can help your organization comply with the technical aspects of Massachusetts 201 CMR 17.00.

If you are looking for a business partner to help you navigate the ever-changing technology and cybersecurity landscape, we’re here for you. For more information about Bryley’s full array of Managed IT Services, Managed Cloud Services, and Cybersecurity Services please contact us at 978.562.6077 or by email at ITExperts@Bryley.com.

Pop Quiz: How Prepared is Your Company to Recover If Disaster Strikes?

You depend on your IT systems every day, but how dependable are they really?  If your company was subjected to a sudden loss of power could you keep working, or would business stop?  What if the power didn’t come back on for several days, or even a week?  Most importantly, have you already asked yourself these questions, and if so, do you have a written action plan to address them?

If you are at all unsure of how a disaster would impact your business, and how you might recover, here is a great little quiz to help you get the wheels turning.

1. How frequently are your company’s critical systems backed up?  Is it more than once a day?

2. If your company lost power, would your systems keep running without any interruption?

3. In the event of a system failure, could your company’s data be restored to working order quickly?

4. If your company experienced a security breach, do you have a clean set of data backups available and could they be restored in a timely fashion?

5. Does your company have a fail-over site it could revert to if your primary systems become inaccessible?

6. Does your company have a written disaster recovery plan to refer to in case of emergency?  If yes, do your employees know where to find it, and are they trained in implementing it?

If you were able to answer “yes” to these questions, congratulations!  Your company is in relatively good shape in terms of its ability to cope with a disaster.  If you answered “no” to any of the questions on this list, however, it would be a good idea to spend some time putting a plan together to address any gaps in your ability to recover from a disaster.

As a Managed IT provider, Bryley Systems specializes is helping companies plan for disaster and mitigate the risk of a loss of data.  If you think you could use a hand putting together an effective disaster recovery plan, why not give us a call at 978.562.6077.  We are here to help.

Smartphone Security

We all love receiving new technology during the holiday season, but we must remember to protect it.  Whether we like it or not, cell phones and laptops are no longer simply devices – they are an extension of ourselves.  They house important information and records that we wouldn’t dare give a stranger (social security numbers, passwords, confidential information). In fact, we use them for socializing, shopping, banking, browsing, and much more.  Simply for the ease of use, it becomes a habit to stay logged into your accounts on your devices, but the downside is that if your phone is lost or stolen, it can lead to identify theft.  Someone could also hack your phone and access information via web-pages you have visited.  The importance of smartphone security is something we should all be aware of and implement right away.

Nearly 40% of data breaches are caused by mobile devices.

  1. Employee negligence is typically due to employees who are busy, traveling constantly, or hurrying through a task, and simply not knowing or paying attention to the risks involved.
  2. Theft is a big problem since there are ways to breach a smartphone.
  3. Malicious attacks. Hackers are responsible for the majority of breaches and thrive on those who leave the doors wide open to an attack.  Don’t leave yourself vulnerable.

Here are some tips to enjoy that new device as well as protect your privacy and information:

  • Activate Screen Lock. Perhaps the easiest and first line of defense on any device is the lock screen. After any time of inactivity (usually 30 seconds for cell phones and slightly longer for laptops and desktops), the device should be enabled to auto-lock so no one else can access your information.  On a cell phone, the code is usually four characters, but can be longer.  No matter how protective you may be of your devices, there’s no guarantee that you may not accidentally leave it somewhere.
    • Encryption can do a lot to protect your phone’s data and the good news is that all iPhones and newer Android versions come with their phone automatically encrypt once you set a password.
  • Mind your Apps. We all like the simplicity and efficiency that apps provide, but it’s important to keep an eye on them. There has been an increase in malware attacks, especially on smartphones, since most users gain access to confidential information.  Always read the small print and consider the personal information the app requires. If an app requires significant personal information, reconsider installing it.
    • Always use official app stores. App stores generally approve and vet apps prior to granting them space on the platform. (Always make sure the Web site URL starts with a secure https:// and contains a locked padlock icon.)
    • Check permission for the app. Some apps will ask permission to access certain aspects of the device. While it will make sense for a GPS to ask for your location, the same cannot be said for a flashlight app asking permission to access your text messages.
  • Browse Carefully. When you access a web browser on your smartphone, you should be very careful because it is easy to accept messages that pop up. For instance, you might decide to save your password and other information as it leads to easier access later on.  Unfortunately, that can provide others a way to copy your data. Always use reliable and safe websites and never enter your information on new or unknown websites, especially when they are asking for sensitive information like your credit card or bank details.
  • Remote Wipe. Have security knowing that if your phone is lost or stolen, you can safely wipe the device to protect the data from falling into the wrong hands.  A similar feature can be enabled after a certain number of failed passwords to access the phone (usually it is around 10 attempts before the device is wiped).  This service provided to our clients enrolled under the CSP agreement.
  • Use caution with any links you receive via email or text message. Exercise caution when clicking on links. Phishing scams are not limited to email – a text message can incite you to click on a malicious link or ask for personal information.
  • Do not alter security settings for convenience. Tampering with your phone’s factory settings, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and smartphone, while making it more susceptible to an attack.
  • All Wi-Fi was not created equal. Be mindful when using open Wi-Fi. When you are not using your wireless connection, you should keep it switched off. This can ensure that no one else can connect to your device without your permission or knowledge. You should also check your device’s network settings as they might be configured to connect to a network automatically when in range and may not ask for permission. In addition, your home wireless router should also be protected through a password or security code.
  • Run the Updates. Don’t put off downloading updates. Many updates tweak and fix several flaws on your phone that could open a backdoor for hackers.
  • Wipe data on your old phone before you donate, resell, or recycle it. Your smartphone contains personal data you want to keep private when you dispose your old phone. To protect your privacy, completely erase data off of your phone and reset the phone to its initial factory settings.

 

“Smartphone Security Guide: Keep Your Phone Data Safe” – heimdalsecurity.com
“Mobile Security Threats” – nsiserv.com
smallbiztechnology.com
networkworld.com/category/malware-cybercrime/
“Smartphone Security” – fcc.gov
pcworld.com

 

Shopping Online — Safely

Shopping online is very convenient.  You can click here and there and order whatever product you desire and have it delivered to your front door.  You can compare pricing, look for deals, compare products, and it all can be done quickly and in the convenience of your own home, any time, night or day.  The downfall?  Wherever there is money and users to be found, there are malicious hackers roaming around.

Use familiar web sites.  You need to be aware of the safer online shops, like Amazon.  One tactic favored by malicious hackers is to set up their own fake shopping websites. Fake websites can either infect you the moment you arrive on them by way of malicious links. However, the most dangerous aspect you should be concerned about is the checkout process. Completing a checkout process will give cybercriminals your most important information: credit card data (including security number), name, and address. This opens you up to credit card fraud or social engineering attacks.

What are some key things to be aware of as you’re shopping?  Sticking with popular brands is as good as any advice when shopping online. Not only do you know what you’re getting by way of quality and price, but you also feel more confident that these well-established names have in place robust security measures. Their efforts can be quite remarkable, as researchers at Google and the University of San Diego found last year.”1

 A few things to be aware of: 

  • Leery URL’s such as “coach-at-awesome-price.com” or “the-bestonlineshoppingintheworld.com”
  • A strange selection of brands – as an example, the website claims to be specialized in clothes but also sells car parts or construction materials
  • Strange contact information. If the email for customer service is amazonsupport@gmail.com” instead of “support@amazon.com” then you should be suspicious that online shop is fake
  • Are prices ridiculously low?  An online shop that has an iPhone 7 at $75 is most likely trying to scam you

The old adage “if it seems too good to be true, it probably is,” rings true in this case, and it’s best to steer clear of these sites.

Use Secure Connections.  Wi-Fi has some serious limitations in terms of security. Unsecured connections allow hackers to intercept your traffic and see everything you are doing on an online shop.  This includes checkout information, passwords, emails, addresses, etc.

Before You Buy Online…

  • If the connection is open and doesn’t have a password, don’t use it.
  • If the router is in an exposed location, allowing people to tamper with it, it can be hacked by a cybercriminal. Stay away.
  • If you are in a densely-crowded bar with dozens of devices connected to the same Wi-Fi hotspot, this can be a prime target for an enterprising cybercriminal who wants to blend in and go unnoticed. Continue to socialize, don’t shop.

Access secure shopping sites that protect your information. If you want to purchase from a website, make sure it has SSL (secure sockets layer) encryption installed. The site should start with https:// and you should notice the lock symbol is in the address bar at the top.

Update your browser, antivirus and operating system.  One of the more frequent causes of malware is unpatched software.  Online shoppers are most at risk due to the sensitive information involved. At a minimum, make sure you have an updated browser when you are purchasing online. This will help secure your cookies and cache, while preventing a data leakage.  You’ll probably fuss over having to constantly update your software because it can be a time consuming operation, but remember the benefits.

Always be aware of your bank statement.  Malicious hackers are typically looking for credit card data, and online shops are the best place for them to get their hands on such information.  Often times, companies get hacked and their information falls into the hands of cybercriminals.

For this reason, it’s a good habit to review your bank account and check up on any suspicious activity.

“Don’t wait for your bill to come at the end of the month. Go online regularly and look at electronic statements for your credit card, debit card, and checking accounts. Make sure you don’t see any fraudulent charges, even originating from sites like PayPal. If you do see something wrong, pick up the phone to address the matter quickly. In the case of credit cards, pay the bill only once you know all your charges are accurate. You have 30 days to notify the bank or card issuer of problems.”2

Using a credit card vs. a debit card is safer.  Credit cards have additional legal defenses built in that make them safer to purchase online compared to debit cards.  With credit cards, you aren’t liable if you are a victim of a fraudulent transaction, so long as you report the fraud in a timely manner. Secondly, credit cards give you leverage when it comes to disputing transactions with a seller. If you pay with a debit card, you can’t get your money back unless the seller agrees to it. With credit cards, the money you paid for a product isn’t counted against you until due process is complete, debit card holders however can only get their money back after this step.  Ultimately, banks are much more protective of credit cards since it’s their money on the line, not yours.

Additional tips for safety:

  • Never let someone see your credit card number – it may seem obvious, but never keep your PIN number in the same spot as your credit card
  • Destroy and delete any statements you have read
  • Notify your credit card issuer of any address change. Doing so will prevent them from sending sensitive files to the previous address
  • Keep confirmation numbers and emails for any online purchases you may have done
  • Immediately call your credit card company and close your account if you have lost or misplaced a credit card

Use antivirus protection.  The most frequent tip on how to be safe online is to use a good antivirus tool. It will keep you safe against known malware.  ”Before you begin shopping, outfit your phone or tablet with mobile security software. Look for a product that scans apps for viruses and spyware, blocks shady websites, provides lost-device protection and offers automatic updates.”3

Do not purchase from spam or phishing emails.  A phishing email with a fake offer for a desirable product is a hard thing to resist for many shoppers, so they make an impulsive decision and click on the “Order Product” or “Buy Now”, and that’s when the malware attack starts.  A phishing email is not like a standard email. The cybercriminal simply wants your click, and nothing else. The Unsubscribe button won’t stop the email spam.  The best solution in these cases is for you to simply mark the email as spam, this will remove the mail from your inbox and block the sender from sending more spam.

Keep a record of your transactions.  If you are a frequent online shopper, it may be difficult to remember from which site you bought a certain product.  So, write it down: what you bought, when and from what website.  Compare your spending details with the banking records from your online banking account, keep track of which websites you use for shopping and buying stuff online.

Hold on to your receipts and destroy them when you no longer need them.  Keep the receipt for your purchase, just in case you need to confirm it again, as well as for warranty and return issues.  If you want to get rid of receipt, make sure to destroy it completely, so that any possible identity thief won’t be able to find any information about you.

Don’t give out more private information than you need to.  ”In order to shop online you need to provide two types of information: payment information, such as credit card data, and shipping location, which is usually your home or work address. Be suspicious of online shops that ask for information such as: date of birth, social security number or any other similar information. They don’t need it in order to sell you things.”4

Don’t keep too much information on your smartphone.  These days, everybody stores a lot of important personal information on their phone, and most of us rarely take the time to secure them.  These devices are now much less about calling people, and more about photos, social media, etc.  Increasingly, people shop online using their smartphone, but this carries its own risks. Fake online shops can infect your smartphone with malware, and then have access to information such as phone numbers, notes, photos, and even app contents.  Be careful what information you store on your smartphone.

If you take a few safety precautions, you can enjoy the convenience of technology with peace of mind while you shop online.

1 welivesecurity.com – ESET Security Forum
2 pcmag.com
3 trendmicro.co.uk/home/internet-safety-for-kids/smart-mobile-tips-for-online-shopping/ – TrendMicro
4 bettermoneyhabits.bankofamerica.com/
staysafeonline.org – Powered by National Cyber Security Alliance
americanbar.org – American Bar Association
foxnews.com
usatoday.com