Beat the Hackers!

Ever heard of social engineering? 

That’s what happens when someone tries to trick you into handing over the information they need to get into your online accounts.

They know that if they get into your accounts, they could embarrass you, maybe blackmail you, impersonate you, collect all your friends’ details, or even steal from you.

But how do they get into your accounts?  How do they get past your passwords?

Well, assuming you don’t have an easy password, they may simply trick you into revealing it.

They might send you – via a pal, say – a link on social media to a funny joke. A link that, when you click on it, installs malware or directs you to a website that asks you to ‘confirm’ your password.

PHISHING

In the online world, sending a bait email or message that someone will be tempted to click on is called phishing. Phishing is a form of ‘social engineering’ that relies on approaches that appear to come from someone you know. It is very popular among hackers because if you receive a message from a family member, a teacher, etc., you’re more likely to trust it.

The links will encourage you to ‘check something out’, in other words click on them. When you do, you will often find yourself on a copycat website. This website may look very legitimate, with all the right logos and content. In fact, the criminals may have copied the exact format and content of the legitimate site. (See below for how to check out copycat websites.) The links might also infect your device with malware that takes over your social media account.

Popular phishing attacks include:

  • A problem that requires you to “verify” your information. You might receive an email, usually claiming to be urgent, asking you to confirm some information. This will involve entering your personal information into the fake site.
  • A task from someone posing as a boss, a teacher or a fellow student. The message may ask you to do something – if you get a message you think is coming from your teacher, you’ll open whatever she asks you to, right? Often the attachment will be a simple Word document or Excel sheet, which might nonetheless contain a virus.
  • An urgent appeal for help. A message from a friend who is stuck in country X, has been robbed and beaten, and is in hospital. They need you to send money so they can get home, and they tell you how to send the money (to the criminal).
  • Spear phishing is a form of hacking in which the message or email appears to come from someone you trust – a boss, a teacher, a friend, or a government department such as the driving licence office – asking you to open an infected attachment or click on a malicious link for more information about a new policy.
  • Jokes, shocking revelations etc. Then of course there are all the memes and jokes, or invitations to look at shocking photos someone claims to have of you.

Tips to avoid social engineering attacks

  • Never reveal personal or financial data, including usernames, passwords, PINs or ID numbers.
  • Think before you click. Hackers create a sense of urgency to make you act first and think later. When you get a highly urgent message, take a moment to be sure it is from who it’s supposed to be. The best way is to call the person and check whether they really did mean to send it.
  • Research the source. If you’re sent a link to a website, ignore it. If you do want to check out the offer you’re seeing, google the company instead and go to their website that way, so there is less risk of being misdirected to a copycat website.
  • Delete any request for personal information or passwords. No reputable organisation will ask for these by email.
  • Do not open email attachments or click on links in emails from unknown sources. If it’s from someone you know, message them first to make sure it’s legit.
  • If it seems too good to be true, it is. If you receive an email claiming to be from a lottery, or a dead relative, or saying you are the millionth person to click on their site or the thousandth person to have shopped with them that month – ignore it. In order to give you your ‘winnings’ they will ask you to provide bank details they can send the winnings to. Or they may ask you for ID so they can ‘prove’ who you are.
  • And better not do those online quizzes, or click on and share jokes etc. They are almost always designed to build a portrait of you that can be used for marketing purposes or targeted scams.

Smishing

Smishing is phishing via SMS. It is often used to steal a person’s money or identity by prompting some response to the message.

Examples include messages claiming to be from:

  • Your bank, informing you that there is a ‘problem with your account’ such as irregular activity or lack of funds.
  • A retailer, offering ‘vouchers’ or ‘gift cards’.
  • A technology provider such as Apple or Google, notifying you that you ‘need to validate an account’.
  • A parcel delivery company, notifying you that you need to ‘confirm that you want a parcel to be delivered’.
  • Revenue services, informing you that you are ‘due a tax refund’.

How to avoid becoming a victim of smishing

  • Do not click on links in text messages unless you are 100% certain that they are genuine and well-intentioned.
  • Take time to consider your actions before responding to text messages.
  • If a message or caller asks you to hang up and phone your bank or card provider, call the number on your bank statement or another document from your bank – or on the back of your card. Do not call the number provided in the message or by the caller.
  • Ask yourself if the sender, if genuine, would really contact you via this text.
  • Recognise threats of financial issues or offers that seem too good to be true, for what they really are.
  • If in doubt, call the correct number of the organisation or individual from whom the text claims to have been sent, to check its authenticity.
  • Remember that even if the text message seems to come from someone you trust, their number may have been hacked or spoofed.
  • Do not respond to the text message. Doing so could result in your details being added to a ‘suckers’ list’ and you will be inundated with similar messages.

Blackmail emails/messages

There has been a sharp increase in the incidence of emails or messages on social media threatening to expose the recipient to everybody in their contacts list, for viewing pornographic online content unless a fee is paid.

Here’s a real example:

There are variations of these mass emails, which often contain poor grammar and spelling and are sent at random. Some are less specific, alluding to having captured images of the recipient doing some ‘pretty naughty things’ and leaving the activity undefined.

Some will include a link to ‘samples’ of this compromising material, but when you click on it the link instead delivers malware that gives the sender access to your contact list.

The senders know that uncertainty about whether adult material has been viewed can cause fear and panic. Sometimes the email will quote one of your real email addresses or passwords, which may have been stolen in a previous mass hack.

Duplicate websites

Copycat websites are imitations of official websites such as government departments or local government websites that offer public services, banks, etc.

Public service scams

There are a number of sites that offer public services – especially visa services, passport services etc. Often these are designed to look official but to charge for services that might in fact be free, or a lot cheaper. When you google the public service website, these scam sites often come up first because they use various website tools to achieve higher positions on Google. They also have website addresses that are designed to confuse the person seeking the service into thinking they are official. Google requires companies that charge fees for official services that are available for free to say so, but often this information is in the fine print or not shown at all.

Thus

  • Do not automatically opt to use the first website(s) you find in a search engine, even if the address seems authentic and you are in a hurry.
  • Instead, take time to look for the official website. You can normally tell that a site is official if its address ends in ‘.gov.uk’, ‘.gov.sl’, ‘.gov.bw’, ‘.gov.rw’ etc.
  • If you do opt to use an unofficial site to purchase official services, make sure that the payment page is secure by checking that the address begins with ‘https://’ (the ‘s’ is short for ‘secure’) and that there is a locked padlock in the browser’s address bar. This is not a 100% guarantee, but you should certainly look for it.