Social Engineering Bigger Risk to Your Online Safety than Malware

June 8, 2011

“Protect your computer!” has been the mantra of safety, security and privacy experts for years. We tell you to be sure to have up-to-date security software installed. To use strong passwords. To password protect your home network. To avoid using unknown networks. And so on…

But we also tell you that all the security in the world can’t protect you if you, or someone else using your devices, act carelessly.

You can protect your home by selecting a safe neighborhood, installing locks on the doors and windows, adding security systems, outdoor lighting, fencing and gate, and getting a guard dog. But you can also disable all that security in the blink of an eye by opening your front door. If the person at the door is safe, then no harm is done. But if the person at the door has fooled you into believing they’re safe – you could be at high risk.

The same scenario of security and disabling of security plays out online. The term social engineering refers to the ways criminals use non-technical tricks to convince you to disable your security measures so they can get into your computers, phones, consoles, etc., and cause harm.

Interesting data from AVG Technologies reported in the Virus Bulletin shows that users are more than four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit. Why? Because criminals know that humans are usually the weakest link in the security chain.

Think about it: why would crooks struggle to dismantle or bypass your security when they can convince you to open the door and let their exploits in?

How do criminals convince users to let them bypass the user’s security? By gathering information about their victims. Some attacks are fairly unsophisticated, broad attempts sent out knowing that a certain percentage of users will have an account with a service like eBay, Facebook, Chase Bank, etc., and that some will click on a notice that appears to be from one of these companies.

In more sophisticated attacks the criminals learn more about your specific behaviors, interests and who your friends are. Once the criminals have learned these things about you, they can set up a scenario that significantly increases your likelihood of falling for their scam. The better they know you, the more likely you will click on their link or download their exploit.

How to defend yourself

Study and practice the easy-to-learn 14 Steps to Avoiding Scams. If you follow these steps rigorously, they will help you avoid falling for socially engineered exploits.

Symantec Delivers Threat Report and Excellent Tools that Explain Risks to Consumers

April 18, 2011

A newly released Symantec Internet Security Threat Report shows the company recorded over 3 billion malware attacks in 2010, and found that these threats not only skyrocketed in volume, they had also made substantial advances in their level of sophistication.

According to the report, the 5 biggest threats are:

  1. Targeted attacks against companies attempting to steal information.
  2. Social networking threats in which information about individuals is collected through the internet and social networks and leveraged to earn victims’ trust or masquerade as friends.
  3. Zero-Day exploits that exploit vulnerabilities within operating systems and services.
  4. Attack kits that bring advanced technical exploits to common crooks that otherwise wouldn’t have the skills to create online exploits – think of these like attack-in-a-box packages.
  5. Mobile threats that extend the basic business model behind cybercrimes to mobile devices as phones reach the capability and mass adoption necessary to make the exploits profitable. Learn more about mobile threats in my blogs: It’s No Accident – Mobile Money and Mobile Malware Set to Go Big in 2011, and McAfee Threat Predictions for 2011 – Mobile: Usage is rising in the workplace, and so will attacks.

The Report Made Easy

For consumers, Symantec’s report can easily be understood through two great tools:

  • A nice info-graphic they put together to illustrate 2010’s year in numbers.


What this means to you

Here’s a 12-point checklist to get you started on the road to Internet security and safety. If you want more detail, look to for straightforward, practical advice on how to steer clear of Internet hazards whether you’re sending e-mail, dating online, making purchases or socializing – and whether you are on a computer or your phone.

  1. Secure your computers and smartphones with anti-virus, anti-spyware, and tools.
    Keep them current and use them unfailingly, as automatically as locking your door when you leave the house. A computer that does not have security software installed and up-to-date will become infected with malicious software in an average of four minutes. That malicious software will steal your information and put you at risk for crimes.
    1. You must have anti-virus and anti-spyware software installed and up-to-date. If your computer or phone isn’t protected from Trojans, viruses and other malware, your financial information, passwords and identity will be stolen. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use a free service.
    2. Secure your internet connection – Make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information. If you need a free firewall, click here. Never use a public WiFi service for any type of financial transaction or other type of sensitive information transfer.
    3. Use added protection on sensitive financial information with passwords, or store it on a flash drive, CD or external hard drive. For added protection all year, keep your finances inaccessible to anyone who uses (or hacks into) your computer. You can do this by password protecting individual files or folders on your computer, or choose to keep this information on a flash drive or CD that you keep in your safe or other secure location.
  2. Use strong, unique passwords for every site. Creating strong, memorable passwords is easy and can actually be fun – and the payoff in increased safety is big. The key aspects of a strong password are length (the longer the better); a mix of letters, numbers, and symbols; and no tie to your personal information. Learn how with my blog Safe passwords don’t have to be hard to create; just hard to guess.
  3. Review the privacy terms and settings. This needs to be done for every social site you use. Create an environment of safety for yourself by understanding how any website you use treats your privacy and information. That fine print may tell you the company can own, resell, rent, or give your information to anyone they want. If it does, find a more respectful site.
  4. Discuss online safety with your family and friends. Decide together how you will help protect each other’s privacy online and set rules that reflect your personal values. Decide what information about yourself you are willing to have shared online, and with whom you are willing to share it. This includes asking friends to put your email address on the Bcc: line if they are including you on an email to people that you don’t know. Learn more here.
  5. Be selective about who you interact with online and what information you make public.
    1. The risks are relatively low when you stick with people you know: your family and friends. Going into public chat rooms or opening your blog up to the general public, for example, significantly increases your risk.
    2. Think carefully before you post online any information that can personally identify you, a family member, or friend on a public site like a blog, in online white pages, on job hunt sites, or in any other place anyone on the Internet can see the information. Sensitive information includes real name, birth date, gender, town, e-mail address, school name, place of work, and personal photos.
  6. Pay attention to messaging risks.
    1. Think twice before you open attachments or click links in messages, even if you know the sender, as these can be used to transmit spam and viruses to your computer.
    2. Never respond to messages asking you to provide personal information, especially your account number or password, even if it seems to be from a business you trust. Reputable businesses will not ask you for this information in e-mail.
    3. Never click on links provided in messages, unless you are sure of the sender. Instead, use a search engine to find the website yourself.
    4. Don’t forward spam. Whether it’s a cute ‘thought of the day’, ‘set of jokes’, ‘amazing photo’, ‘recipe tree’ or similar email, if you don’t personally know the sender the email is surely a scam designed to collect the email accounts – and relationships – of everyone you share it with.
  7. Don’t trade personal information for “freebies.” Online freebies come in two forms:
    1. The free games, free offers, and ‘great deals’. Just as in the physical world, if these types of offers sound too good to be true, they probably are. Not only will these collect and sell your personal information, these ‘deals’, and ‘free’ applications are usually riddled with spyware, viruses or other malicious software.
    2. Through surveys, sweepstakes, quizzes, and the like. These marketing tools are designed for one purpose – to get as much information from you as they can, so they can sell it to interested parties. Even the most innocuous ‘surveys’ learn far more than you imagine, and they may give you malicious software or download tracking cookies, so just skip these entirely.
  8. Periodically review your internet contacts and online activities. Internet housekeeping is important. Periodically review who you have as contacts and who can see your online profiles, and prune out everyone you no longer have a close relationship with. Review any images and content you’ve posted online to see if, collectively, these tell more about you than should be known.
  9. Check your credit reports. Under the Fair Credit Reporting Act, you have the right to one free credit disclosure in every 12-month period from each of the three national credit reporting companies: TransUnion, Experian, and Equifax.
    1. Request a free credit report from one of the three companies for yourself, your spouse, and any minors over the age of 13 living at home to check for credit fraud or inaccuracies that could put you at financial risk. (Although exact figures are difficult to get, the latest data shows that at least 7 percent of identity theft targets the identities of children.) The easiest way to do this is through
    2. You can also pay for credit monitoring services that will alert you to any suspicious activity or changes in your credit scores.
  10. Block people you don’t want to interact with. You don’t have to accept invitations to be friends with people just because they ask. Women in particular can find it difficult to turn someone down – and creeps and crooks count on this very thing. If you don’t want to be friends, delete the request. If you are already connected with someone you would rather not be, block them from your social sites. You can also block their email account so they can never contact you through email, and block their phone number from calling or sending text messages to your phone. YOU get to choose who, how, and when you are contacted.
  11. Trust your instincts. Online and offline, your instincts play a critical role in your protection. If something feels ‘off’, go with your instinct. You don’t have to explain your reasoning to anyone.
  12. If you are exploited, it is not your fault. Following the fourteen steps outlined above can go a long way to keeping you safe, but bad things sometimes do happen. If you fall victim to a scam, fraudster, abuser or criminal, don’t blame yourself. The only person guilty is the abuser or criminal. You didn’t cheat, scam, lie, threaten, harm, steal, or abuse yourself in some other way, so don’t lay a burden of guilt where none belongs. Don’t let the abuser or criminal shame you into silence. Speak out and get the help you need.