Published: October 13, 2021
October is Cybersecurity Awareness Month. We’re teaming up with our partners at Aura to provide you with resources to help educate your family and keep you safe online from digital threats.
Cybercriminals are more sophisticated than ever and consumers are at risk.
This past year, financial losses as a result of digital crime surpassed those of home burglaries for the first time, according to data from the Federal Bureau of Investigation (FBI)’s Preliminary 2020 Crime Report and the Federal Trade Commission (FTC)’s 2020 Consumer Sentinel Report. But cybercrime attacks aren’t just becoming more common – they’re growing in sophistication in an attempt to combat new technology that can better detect and prevent threats.
The typical consumer today has an average of 90 online accounts and spends almost seven hours online each day, and most (80%) U.S. adults say they should be doing more to protect their personal information, according to a survey by Harris Poll and digital security company Aura. But despite this, the same group surveyed continues to use public wifi (68%) and the same password for multiple accounts (68%), behaviors that make it easier for cybercriminals to gain access to data they ultimately use to fine-tune attacks.
Survey respondents may know they can – and should – change their online behaviors to reduce their risk of cybercrime, but most haven’t because it’s too time consuming (36%), they aren’t sure how (33%), or they find it too difficult (17%).
This piece seeks to address this disconnect by highlighting common digital threats, as well as steps consumers can take to better protect themselves online.
Common cyberattacks affecting consumers and how to protect against them
Social engineering is perhaps the most important cybercrime tactic to understand, given it’s a common foundation for many forms of threats. This tactic exploits human nature, rather than technical expertise or hacking, to gain access to information, data, finances, systems, and more. Criminals typically research social media and other publicly available information to impersonate someone or something, aiming to gain the victim’s trust. For example, the criminal might enter an office building behind you, saying they’ve forgotten their key card or have their hands full, while wearing a company t-shirt they purchased online. They may pose as law enforcement over the phone or call an employer claiming they’ve been locked out of their account. They could “verify” their identity by correctly guessing the email address of the person they claim to be after seeing the email address format posted in a press release or on the website.
Protect against social engineering:
- Check the source – and take a moment to consider whether you should trust it. It’s very unlikely that your CEO would ask you to transfer a large sum of money, for example.
- Consider if the source has the information they reasonably should, like your full name, security questions, or home address.
- Go to the source directly – hang up and call the phone number on your last invoice or the source’s official website.
- Ask for identification or to speak with a supervisor.
Phishing attacks are fraudulent communications that appear to come from a reputable source, often via email (phishing), phone (vishing), or text (smishing). They typically attempt to instill fear or urgency, or take advantage of the victim’s curiosity or greed. For example, phishing attacks often offer too-good-to-be-true deals, send urgent notifications to reset an account login because of suspicious activity, or contain attachments or hyperlinks they want the victim to open. The goal may be to install malware, steal credit card data, or access login information.
Protect against phishing:
- Hover over links before clicking them. Check that the URL makes sense – look for a letter or number that’s off.
- Visit the perceived sender’s website or contact them directly to confirm the message’s legitimacy.
- Don’t download or open emails you weren’t expecting or from senders who aren’t in your typical email list. For example, if you subscribe to retailer offers with a personal email but receive a promotion to your business email address, be suspicious.
- Never give out personal, sensitive information via email.
- Be cautious of emotional and urgent lures.
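The "look for a letter or number that's off" check from the list above can be automated for a link's real destination. The following Python sketch is an added example, not part of the original article; the trusted domains, the substitution table and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains the reader actually does business with.
TRUSTED = {"example-bank.com", "example-shop.com"}

# Digit-for-letter swaps commonly seen in lookalike hostnames.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(host: str) -> str:
    """Naive last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]


def check_link(url: str) -> str:
    """Classify a link target as 'trusted', 'lookalike:<domain>' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    dom = registrable(host)
    if dom in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        # Trusted name used as a subdomain of some other registrable domain.
        if (good + ".") in host:
            return f"lookalike:{good}"
        # One character off, or digits standing in for letters.
        if dom.translate(SWAPS) == good or edit_distance(dom, good) <= 1:
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear behind "click here" text.
    for link in ("https://www.example-bank.com/login",
                 "https://examp1e-bank.com/reset",
                 "https://example-bank.com.account-verify.net/",
                 "https://example-shp.com/deal",
                 "https://news.example.org/"):
        print(f"{check_link(link):30} {link}")
```

An "unknown" result only means the domain resembles nothing on the allow-list; it says nothing about whether the site is safe.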
Malware is an umbrella term for malicious software designed to harm a device, network, or service, such as a virus.
Scareware, for example, is a malware tactic that exploits a user’s fear and leads them to believe they need to download or buy something (e.g. antivirus software) that’s actually harmful, like ransomware.
Ransomware is a form of malware that uses encryption to hold a victim’s information, data, or files for ransom. The attacker demands a ransom to deliver a decryption key that will (usually) restore access to the files or data. These attacks are often made possible through phishing or social engineering, with the attacker, for example, posing as law enforcement, claiming they found illegal data or images on the victim’s device, and asserting they will not reinstate access until a fine is paid. The criminal may also threaten to leak embarrassing, proprietary, or valuable data or information if the ransom isn’t paid.
Other forms of malware include but are not limited to adware (displays advertisements on your screen while collecting personal information to serve you with more personalized ads), spyware (invades your device in an attempt to steal credit card or banking information, passwords, or other data), trojans (camouflage themselves as legitimate software to trick you into installing harmful software), rootkits (enable unauthorized use of your device), rootware (replicates itself to infect other devices connected to a network), and more.
Protect against malware:
- Stay vigilant against phishing attempts.
- Keep your operating system, antivirus software, and device up to date.
- Don’t install software unless you know what it’s for or who/where it came from.
- Don’t use an unknown USB stick.
- Avoid downloads from sites you don’t trust.
- Avoid public wifi or use VPN when on a public or shared network.
- Back up files and information to minimize potential damage.
Most consumers have probably experienced an imposter scam, also rooted in social engineering tactics. These types of cyberattacks often begin with a call, text, or email, and while the scam itself varies, they all work the same way – with an impersonator of someone you trust asking for money or personal information. For example:
- Calls from the “Internal Revenue Service (IRS)” claiming you owe taxes
- Callers claiming to be the Social Security Administration, saying there’s a warrant out for your arrest
- Someone you met on the internet or an online dating site asking for money
- Calls from someone pretending to be a child or grandchild, saying they’re in trouble and need money
- Calls from “tech support” claiming to help fix your computer
- A fake employer on caregiver or nanny sites, asking you to purchase supplies for your job after sending a large check (that’ll bounce)
Protect against imposter scams:
- Be suspicious of calls from any government agency. The FTC issued warnings around this type of attack, and it won’t use threats or demand money.
- Don’t trust caller ID – it’s possible to fake.
- Don’t pay with a gift card, wire transfer, or cryptocurrency over the phone or via text.
- Confirm the source of the inquiry directly by using a phone number you’ve looked up and dialed yourself.
- Don’t give someone remote access to your device unless you’re sure they’re who they say they are. Hang up and call your tech support contact directly if you’re unsure.
Online shopping scams
Online shopping scams are another growing form of cybercrime. According to the FBI, these scams direct victims to fraudulent websites via ads on social media platforms and popular online search engines’ shopping pages, and could result in undisclosed costs to the user, failure to deliver products on time (if at all), refusals to honor guarantees made, or preventing negative reviews. Often, these sites offer a product at an extremely low price, and while some victims receive partial reimbursement, most don’t. In fact, according to a 2020 FBI Public Service Announcement, all attempts made by victims to be fully reimbursed by online shopping scams, or to receive the actual items ordered, were unsuccessful.
Protect against online shopping scams:
- Be wary of sites offering products at significant discounts or that don’t use domains like .com, .org, or .net.
- Look up the retailer to ensure it’s legitimate. Check out the retailer on Better Business Bureau, use caution with sites or retailers advertised on social media, and avoid sites registered fewer than six months ago, which you can check using the Internet Corporation for Assigned Names and Numbers’ lookup tool.
- Avoid websites using content or contact information that’s found or copied from elsewhere.
- Don’t judge a retailer by their website – they can be created and taken down quickly.
- Avoid making purchases from unknown retailers via links sent by email or text message.
In the case of a man-in-the-middle (MITM) attack, a cybercriminal typically gains access to an unsecured or public wifi server. Once they’ve gotten inside, the attacker might be a passive listener, capturing sensitive personal information like credit card data, or bank account or login credentials. Or, they may be an active participant, changing your messages or impersonating someone you’re talking to.
Protect against MITM attacks:
- Don’t connect to public or shared wifi networks.
- Use a virtual private network (VPN).
- Install security solutions on your devices.
- Secure your home wifi network with a strong password.
- Be sensitive to unexpected or repeated disconnection.
Of all the types of fraud consumers reported to the FTC in 2020, identity theft was the most common. Identity theft occurs when a criminal steals your personal information to commit fraud, such as applying for credit, filing taxes, or accessing medical care. With only a social security number (SSN), cybercriminals can secure a loan or credit card in the victim’s name, drain their bank account, use their health insurance, claim Social Security, and even identify themselves as the victim to police in the event of an arrest.
There are many types of identity theft, including:
- Tax – Using your SSN to file fake tax returns
- Medical – Using your health insurance number to get medical services or send fake bills to your health insurer for reimbursement
- Unemployment – Using your information to access unemployment or other types of government benefits
Protect against identity theft:
- Be protective of your SSN. Don’t write it down unless you watch the recipient shred it after. Don’t share your SSN out loud when others are around. Don’t carry your Social Security card in your wallet.
- Be protective of your other sensitive, personal information, like your birth date, bank account number, address, etc., as they can all be used to commit identity theft.
- Collect your mail every day and set up mail forwarding or holding when you’ll be away.
- Monitor your credit score, bank and financial statements, and take action quickly if anything seems incorrect or suspicious. Shred account statements or other documents with sensitive numbers or information printed on them.
- Freeze your credit for free with any of the three credit bureaus.
Additional suggestions for securing your digital life
Use strong passwords.
Passwords and PINs are used by an infinite number of websites and accounts as the first barrier to entry, making strong passwords incredibly important. However, roughly 65% of people reuse passwords across sites. Consider these tips when thinking about password practices:
- The more complex the password (multiple digits/letters, with special characters such as @, #, %, etc.), the more secure. Don’t use a pet’s name, hometown, or favorite sports team – or anything a stranger could figure out by looking at your social media history or other publicly available information.
- Don’t use the same password for multiple accounts. Should a criminal successfully breach just one account, they’ll then attempt to use those credentials to access the victim’s other accounts.
- Don’t write a password down digitally or on paper. If you can’t remember your passwords, explore a password manager, which manages different, complex passwords for each account a consumer has across mobile and desktop devices. However, make sure to create a complex password to access the password manager itself, as that’ll serve as the gatekeeper for all of your other passwords.
Use credit, not debit cards.
Perhaps the single most effective way to protect your finances digitally is giving up your debit card entirely. The benefits of paying with a credit card have nothing to do with the card’s security defenses – but rather what happens to the user when a breach happens. Thanks to Zero Liability policies created by banks many years ago to encourage shopping online, resolving issues of credit fraud is often painless. In the instance of fraudulent charges, the bank issuing the card will typically provide the customer an immediate, temporary credit for the fraudulent charge, cancel the card itself, and issue a new card immediately. Then, a month or so later, that temporary credit usually becomes permanent. This process means the user can proceed with making charges regardless of fraud.
With a debit card, however, this scenario is different. A debit card accesses cash directly from a bank account, meaning a successful debit card attack will often wipe out the user’s entire bank account. Most banks, if they verify a charge was indeed fraud, will replace the money, but that process can take months. In the meantime, any transactions made before the fraud that had not already cleared will fail, and most businesses will charge the fraud victim a penalty – that they may no longer be able to afford – as a result.
Install protective software and keep your device updated.
Use antivirus software, anti-spyware, and a firewall on your computer. Be sure to install your computer’s updates quickly – or automatically, if possible.
Shred documents with sensitive information.
Whenever possible, don’t leave behind documents with personal information. In the event of a move or relocation, set up mail forwarding so credit card offers and other sensitive data reach only you and your family.
Explore fraud alerts.
In the case of a lost wallet, for example, you might be suspicious that identity theft will occur – even if it hasn’t yet. Contact one of the three credit bureaus and ask them to set up a free fraud alert. The bureau you contact will notify the two others.
Freeze your credit.
While it can be inconvenient to freeze your credit, this is a great way to prevent identity thieves from opening new lines of credit using your SSN. Given that nearly 30% of those experiencing identity crime are repeat victims, according to the Identity Theft Resource Center’s 2021 Consumer Aftermath Report, this is especially recommended for past victims. You can contact any of the three credit bureaus and do this for free, and similar to the process with fraud alerts, the one you contact will notify the two other bureaus.
Use a VPN. It’s essential.
Virtual private networks (VPNs) have been used in corporate environments for decades. Today, however, they’re essential for consumers to protect communications, whether on a desktop, laptop, or mobile device.
VPNs provide a secure encrypted tunnel between the user’s device and a web server or an email host. While a VPN doesn’t protect the data on the user’s device, nor that on the recipient’s end, it protects data while in transit, which is when most cybercriminals steal sensitive data.
VPNs also deliver a layer of privacy by hiding where the user is located. For example, many VPNs allow the user to choose the geography in which they’ll appear, whether that’s another country, state, or city. Location ambiguity not only makes it more difficult to connect an individual to their unique and specific online profile, but it can also help users avoid geographic restrictions on content that would otherwise be unavailable to them.
Explore an all-in-one digital security solution.
Aura understands firsthand how daunting it can be to take control of your digital life. That’s why it created easy-to-use, all-in-one digital security protection to keep you and your family’s personal information, devices, and finances safe from online threats.
It combines everything you need to proactively control your digital life – credit monitoring, lost wallet recovery, antivirus, VPN, and multi-device protection – and monitors financial transactions, bank accounts, SSN, the dark web, home and title use, and criminal and court records to keep your finances and your identity safe and secure. And in the event of an issue, Aura’s U.S.-based customer service team is available by phone and email to help you resolve problems 24/7. This is all backed by a $1 million insurance policy for every customer.
Learn more about how you can keep your family’s identities safe online with Aura and Blue Star Families.