Gone phishing: the vital steps to take to guard against cyber crime

We don’t usually need to know how the internet works. It just does. The many services that it enables, from email to Netflix to smart home lighting systems, are all delivered to us regardless of whether we understand any of the magical connectivity that takes place under the hood. But that lack of understanding can leave security loopholes, and those loopholes are exploited by criminals who seek to steal our personal information. The common reaction to being lectured about computer security is one of apathy and indifference, and that’s hardly surprising. The advice we’re given is often misleading, plenty of it is jargonised and over-complicated, and even if we take the trouble to act on the advice, we rarely get to see the benefit – these are preventative measures, after all. In addition, few of us believe that we could ever be a target. The truth, however, is that most hacking is automated, and automated systems don’t discriminate. They just look for weaknesses and attack them, and if your personal information is vulnerable then your money is, too. While a small proportion of hacking is done for mental exercise, most of it is motivated by greed. They want what is ours, and they’re getting better at grabbing it. Criminals have three routes to our personal information. One is by attacking companies who keep hold of it, with our permission, to make it easier for us to use their services. Most companies guard that information – biographical details, addresses, credit card numbers, passwords – with great care, but a series of well-publicised breaches offer proof that security can’t always be guaranteed. As consumers, all we can do is recognise that our personal information has value, only to give it to firms we trust, and only send them information via a secure web interface. That generally means that a padlock is visible next to the address bar in the browser and the address begins with “https” rather than “http” – but that’s not a cast iron guarantee. We need to stay alert for other signs that a site isn’t genuine, perhaps the wrong website address, poorly copied design or clumsy language. That moment where we send information across the internet is the second point of weakness that’s frequently exploited. Fake websites, set up to collect passwords or credit card details, are often landed on via links in emails or messages which we often click on without thinking. To persuade us of the legitimacy of those messages, criminals might masquerade as a company, a charity, or a friend, a technique also known as “phishing”, or “social engineering”. None of us like to believe that we’d fall for those tricks, but even the most computer-savvy people have been known to drop their guard and discover that they’ve unwittingly become a victim. There’s no magic way of stopping phishing in its tracks. Yes, there is software which can help to alert us to the veracity of certain messages by either flagging them or sending them to a spam folder. But the main weapon we have is our own vigilance: being wary of messages that feature tempting offers or ask us to send personal information, and being alert to websites that just don’t look right. All our vigilance, however, can be undone by one failing, and it’s one that we’ve exhibited for more than two decades, despite being repeatedly scolded by experts: bad passwords. It’s commonly acknowledged that the whole idea of passwords is flawed. They can be easily guessed or stolen, we’re bad at choosing them and we insist on using the same one again and again. If you have a password that’s the name of someone or something you hold dear, perhaps with a number appended, it can and will be guessed. It might be an emotional wrench to change it, but you should. If you’re one of the 3 per cent of people who have, at some point, used the world’s most-used password – “123456” – it’s time to change it, if you haven’t already. And if you reuse the same password across many services – as many of us do – you’re making yourself vulnerable. If your password to one service is compromised, it compromises you everywhere else, too. Security firms tell us that if we only do one thing to try and improve our online security, it would be to start using a password manager such as 1Password or LastPass. They generate strong passwords for every website you use, and remember them for you when you’re trying to log in. If you’re using a service that offers the option of two-factor authentication, or 2FA, turn it on. Then, whenever you log in, you’ll be texted or emailed a code to make sure you are who you say you are. The third route to our information, of course, is via our devices themselves. The idea of a criminal hacking directly into our computer or smartphone may seem like the stuff of science fiction fantasy, but again, hacking systems are becoming increasingly automated. If you have a modern phone running software that’s bang up to date, you’re likely to be safe; manufacturers are waging a constant battle against hackers, and the security of the latest devices is pretty good. But older machines can be open to attack. On average, it takes approximately 20 minutes for any computer running Windows XP to be hacked after connecting it to the internet. Now, Windows XP has been out of support since 2014, and if you’re still using it you may resent being asked to upgrade – after all, it can mean a big disruption to your computing environment – but ultimately it’s for your own good. The truth, frankly, is that computer security is dull. It’s boring to think about, it’s arduous to implement, and the rewards can seem to be non-existent. But new hazards are emerging constantly, and a small amount of time spent dealing with it today can help to avoid a whole heap of misery tomorrow.

Gone phishing: the vital steps to take to guard against cyber crime

Online fraud is becoming ever more sophisticated, leaving even the most computer-savvy of us under threat, says Rhodri Marsden