Our increasingly digital existence has seen a surge in cyber attacks and internet fraud. Jihee Junn collected some tips from the experts on how to keep your online life secure from scams.
This content was created in paid partnership with Vodafone.
For most of us stuck at home amid a global pandemic, Covid-19 has meant moving almost every aspect of our lives online. We now work online, shop online, even celebrate birthdays and Friday drinks online. Without the internet, our lives under lockdown would’ve no doubt been a whole lot different.
The downside: it also meant more people than ever are out there trying to steal our data and private information via targetted attacks and online fraud. According to the government’s cybersecurity agency Cert NZ, more than 4,700 cyber attacks were reported in 2019. In 2020, that number had jumped to more than 7,800 reported incidents – a whopping 65% increase.
“So much of our lives are conducted online now that there’s just a bigger surface for attackers to go after,” says Nadia Yousef, threat and incident response manager at Cert NZ. “We’re just so reliant on it as a way to conduct our day-to-day lives now that attackers have really taken advantage of that.”
Most recently, that’s come in the form of Flubot, a malicious text scam which hit headlines last month. In messages pretending to be parcel delivery updates, or an alert about a new voicemail or photo album, Flubot attempts to trick Android users into clicking a link and downloading an app in order to steal your banking and credit card information. Within a couple of days in September, Cert NZ said more than 30,000 people had reported receiving the texts, a number it deemed just “the tip of the iceberg”.
Cyber attacks and online scams show no sign of slowing down with new, more sophisticated methods emerging every day. Laura Ross, head of cyber security strategy and architecture at Vodafone, spends most of her time working on ways to minimise the risk of cybersecurity breaches both within Vodafone and for its customers. That means scanning regularly for threats, testing for vulnerabilities and weaknesses, and monitoring what’s out there on the dark web in an attempt to stay one step ahead.
“We have a number of security controls that we like to see in all our products and services,” says Ross. “For example, ensuring sensitive data is encrypted and making sure all our systems are logging to our centralised platform to provide a holistic view of activity and enables our cybersecurity team to proactively identify unusual activity or threats and react to them as quickly as possible.”
However, there’s only so much cyber security experts can do to keep people safe online. Users also need to stay vigilant and take steps to protect themselves, says Ross, with the most important steps also some of the most simple ones you can take. Because while cyber attacks are a real and serious threat, they’re also one we’re capable of managing ourselves.
Step one: Passwords
It might seem obvious, but having long, strong, unique passwords for all your accounts is the easiest and most important thing you can do. Millions of passwords are published on the dark web every year, compromising your accounts and potentially exposing personal information that could be used for anything from identity theft to serious fraud.
A simple way to check if an account’s been compromised is through the website Have I Been Pwned, a free resource that lets you check if an email or phone number has been put at risk. Another useful resource for Google users is to use Password Checkup which will assess the security of any passwords saved to your Google account.
If you find an account of yours has been compromised, your first priority should be to update your password, especially if it’s one you’ve used for multiple accounts. Given that “123456” is still the most common password in the world, it’s worth emphasising the importance of avoiding common words (“password”), phrases (“iloveyou”) and character combinations (“qwerty”), as well as things like names (including nicknames, pet names, or street names) and dates (such as a birthday or anniversary).
Instead, Ross recommends creating a unique password or “passphrase” for each of your logins. Made up of three or four random words. Some websites still require complex passwords, in this case ensure your password is no shorter than eight characters, with at least one lowercase letter, one uppercase letter, one number and four symbols (but not &%#@_) recommended. That’s a lot of complex passwords to memorise, which is why she also recommends using a trusted password manager such as LastPass, 1Password, Bitwarden or Dashlane which will create and store passwords for you. To access these, you only have to remember one “master password” which should be as long, strong and distinctive as possible, with two-factor authentication enabled for an extra layer of security.
Step two: Two-factor authentication
Even the best passwords can fall victim to the most ardent hackers which is why two-factor authentication (2FA) is your next best line of defence.
To access an account protected by 2FA, you not only need a password but also a second form of authentication. This could be in the form of answering a series of security questions whose answers only you know, entering a one-time code sent to you via email or text, using a biometric identifier such as your face or a fingerprint, or through an app such as Google or Microsoft Authenticator. This means that even if someone does uncover your password, without having that second form of authentication, they won’t be able to access your account.
“It sounds really simplistic, but having good passwords across all of your accounts and having two-factor authentication will get in front of most of the incidents we see reported to Cert,” says Yousef. “If people can spend just a couple of hours at home really focusing on sorting out their passwords and setting up two-factor authentication across banking, email and social media, they’ll be in a much stronger position and be much less susceptible to attacks.”
Step three: Security updates
When an app or software asks you to install an update, there’s usually a very good reason for it. Developers often publish updates with security patches and improvements, and ignoring them can leave you vulnerable to attackers looking to gain access to your device and information. For apps, this can be as easy as turning on auto-updates in your Google Play or Apple store, while any updates to operating systems such as Android, iOS or Windows should be installed as soon as possible, however annoying it might be to have to restart your device.
If you can’t update immediately, try to at least schedule updates to go ahead overnight. And if you’re hesitant to shut down and lose those several dozen tabs you might have on Google Chrome at any one time, rest assured that “ctrl+shift+T” (or “command+shift+T” for Mac) will quickly restore all your tabs from your previous session. Otherwise, choosing the option to “continue where you left off” in your Chrome’s startup settings will also do the trick.
“With people working from home, we really encourage people to reboot their computers daily,” says Ross. “We always recommend our users to shut down every night because not only does it give the laptop a rest and stops it overheating, but also once you restart it’ll update any pending security patches.”
Step four: Antivirus protection
Antivirus software is one of the easiest things you can have on your device in the fight against malicious attacks. These tools will scan your devices for viruses, malware, and other cyber threats, and if it detects anything malicious, it will quarantine and remove the threat in real time.
There are dozens of trusted and proven options out there for home users to download, even if you’re only able to use the version that’s free. If you can afford to pay for the premium version, however, having full protection can be well worth the subscription.
It’s important though to only run one antivirus software on your device at a time in combination with a firewall which will actively screen what traffic is allowed to enter your device (if you’re not sure if you have a firewall, note that both Windows and Mac OS X systems have firewalls built in).
Step five: Back ups
Backing up your device doesn’t just come in handy in the event of you losing your phone or laptop – it also comes in handy if you ever end up losing access to your device from a cyber security breach. Online backup services like IDrive and Acronis will store your backups on the cloud meaning you can access them anywhere at any time. For an extra layer of protection (or if you’d rather keep your backups in a physical location), using an external hard drive should also do the trick.
“Backups are important, particularly against ransomware,” says Ross. “Even from a home user perspective, there have been quite a few ransomware attacks where an attacker has locked their device and held their data to ransom. But if you’ve got an online backup on one of the cloud storage companies, for example, and you are confident your backup doesn’t include the ransomware, you can get around the ransom request by restoring your device from your last good backup.”
Step six: Stay vigilant
Cyber criminals don’t discriminate, and anyone is open to being a potential target. Even the most tech savvy among us fall for increasingly sophisticated scams, and thinking that “it will never happen to me” can often be the first step down a very dangerous, slippery slope.
If you receive something online that looks suspicious, there are plenty of things you can do to verify whether you’ve been sent something that’s legitimate or a scam. For example, if you get an email from Facebook insisting you need to update your details, don’t click on any links yet. Instead, look carefully at the email’s wording and check if it’s coming from an official account. If you’re still not sure, go straight to the source: log in to your account on the Facebook website or app to see if you received the same notification.
“Figuring out what’s real and what’s not can be really hard and we’re all really busy people. New Zealanders are also a really trusting bunch, so when we see these things we often think we have to do something. It can be a little while before we realise something’s gone wrong,” says Yousef.
“But if anyone thinks something has gone wrong or they’ve shared too much information, get in touch with us. It’s our job, we see it all the time, and we can help you with advice to try and fix it up and make sure it doesn’t happen again.”
If all this seems a little overwhelming, The Spinoff’s chief technology officer Ben Gracewood wants to leave you with some tldr advice: “at the very least enable two-factor authentication on your main email account, so that even if everything else goes to shit, you can still email support and reset passwords”.
With the world moving online, you need to protect yourself. Because the cyber criminals are out there.
Follow When the Facts Change on Apple Podcasts, Spotify or your favourite podcast provider.