Okay, I have to confess something. I’ve been hacked. This past year, my Skype account has been broken into and used to spam all my friends, and my email addresses and passwords have been stolen from numerous sites.
This is particularly embarrassing, because I’ve been covering cybersecurity at my day job for nearly twenty years.
Of course, I’m not alone. Even Facebook CEO Mark Zuckerberg has been hacked more than once.
Does that mean you should just give up? No, because the more aware you are of potential problems, and the better prepared you are, the less likely the bad guys are to get to you — and the less damage they’ll do.
And you also should bother because taking care of yourself is becoming easier, and less of a bother, all the time.
1. Ransomware
Total losses: $3 billion in 2013 – 2016 (reported)
Last year, ransomware scammers took in about $1 billion from businesses, hospitals, and lots and lots of ordinary people. The way the scam works is that they trick you into clicking on a link or downloading a file, which installs the ransomware on your computer or mobile device and encrypts all your files. The bad guys hold the files hostage until you pay up, at which point they might give you the key to decrypt them, or might try to extort you for even more money, until they’ve sucked you dry.
Crazy, right? You can’t even trust the criminals anymore.
Tips & suggestions for protecting yourself against ransomware
The best protection against ransomware — other than not clicking on suspicious links or downloading suspicious files, and having a good anti-virus program in place — is to have good backups. If you have backups of your files, you can just erase your computer and reinstall everything. It’s a pain, sure, but at least you’re not paying hundreds of dollars to criminals.
You can put your files on an external drive or USB stick, and then remember to make new backups on a regular basis, and not lose them. An easier option is to use online backup services.
The one I use is called iDrive, and there’s a free option with 5 gigabytes of storage, and a basic plan with up to 1 terabyte of storage for around $60 a year. I also recommend Carbonite, CrashPlan, Backblaze and Mozy.
- iDrive, $60 per year.
- Carbonite, $60 per year.
- CrashPlan Code42, $60 per year.
- Backblaze, $50 per year.
- Mozy, $66 per year.
You install their software, tell it what parts of the computer to back up, then it automatically runs in the background from then on.
My biggest worry with these backups was what would happen if I got infected and the backup service then backed up the encrypted files, overwriting the good copies. Turns out, they save multiple versions of your files, so that you can roll back to a time before the infection.
“Our tech support people deal with this every day,” said Norman Guadagno, chief evangelist at Carbonite, Inc. “They’ll see what the history is and they’ll help someone roll back in time to a safe spot. We’re coming up on the 10,000th customer that we have helped with this in the last two years.”
Then there are file sharing programs, like Dropbox, Google Drive and OneDrive, which are primarily for sharing files, but can also serve as a second backup for the most important documents.
2. Financial Identity Theft
Total losses: 3 billion user accounts reported breached in 2016
Hackers stole account records for 1.5 billion users from Yahoo, 412 million from FriendFinder Network, 350 million from MySpace, 117 million from LinkedIn, 100 million from Russia’s VKontakte, 87.6 million from Dailymotion, 65 million from Tumblr, 60 million from Dropbox, 55 million from the Philippines’ Commission on Elections, and 50 million from the Turkish Citizenship Database.
Since most people reuse the same user names and passwords on multiple websites, hackers can leverage the data stolen from one site to get into accounts elsewhere, said Rick Kam, president and co-founder at ID Experts, which provides identity protection services. The risk of becoming a victim of identity theft goes up significantly as well.
How to know if you’ve been breached? How to avoid that?
To check whether your info was stolen, just type your email address into Have I Been Pwned. Odds are, at least one account you use somewhere has been breached.
If you have, you want to make sure you monitor your credit. There are paid services out there, and there’s a way to get one free credit report a year from each of the major credit rating companies. But who wants to spend all that money and effort to protect their money? Not me!
I’ve been using Credit Karma, which is free, and lets you check your credit score at any time, and look at what is on your credit report, and even alerts you whenever anyone tries to check your credit rating or open a new account in your name. And if you obsessively check the site every week to see if your credit score has gone up or down — like I do — it doesn’t hurt your credit rating. You can also get a similar free service from Capital One or Discover, even if you don’t have their credit cards, and from Credit Sesame.
One free credit report a year from all three services: https://www.annualcreditreport.com
- TransUnion Credit Monitoring, $10 per month.
- Experian Credit Monitoring, $20 per month.
- IdentityForce, $13 per month.
- LifeLock, $9 per month.
- Identity Guard, $20 per month.
Once you’ve got your credit monitoring squared away — go ahead, do it now, I’ll wait, you know you’ll forget to do it if you put it off — get yourself a password manager.
I use Dashlane, which saves all your passwords for you, automatically logs you into websites, and syncs all your passwords across all your devices. Plus, if you’ve been hacked, it can go out and change all your passwords for you.
Turns out — I just checked — I have 388 different accounts out there on the Web. Have I really signed up for that many stupid mailing lists and shopping sites and email services and other kinds of websites? Apparently so. To be honest, I’m a little on the high side. The average person has only 120 accounts, according to Dashlane.
But that’s still too many to keep track of.
What password managers do is they create a file with all your passwords, and encrypt it. Nobody has the key — not even them — so if someone breaks into their website, your passwords are all safe. Just don’t lose that one master password! When you first install it, it finds and saves the passwords you’ve got stored in your browser. Then whenever you sign into a new site, it sees your password and remembers it, and enters it for you the next time you visit. So there’s very little work on your part, and a lot of benefit. In fact, using a password manager will probably save you a great deal of time in the future — as well as protecting your identity.
I signed up for Dashlane a while ago, back when it was the best option on the market. Today, however, I would recommend you go with LastPass, which is pretty solid, and, best of all, free. You install it in your browser and on your mobile devices, and all your passwords are automatically kept up-to-date wherever you go.
Dashlane also has a free version, but it’s $40 a year if you want to use it on multiple devices.
Finally, set up two-factor authentication for all your most important accounts. That includes your financial accounts, your social media accounts, and your primary email accounts. The way that second factor typically works is that when a hacker in China tries to use your stolen user name and password to log into your account, the system notices that they’re using a device you’ve never used before, and it sends you a text message with a code to confirm the sign-in.
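The new-device check described above, modelled as an added example (not code from the original article or from any of the services it mentions): a correct password from a device the account has never seen triggers a one-time code; the code is single-use, expires after five minutes and locks after three wrong guesses. The class name, the in-memory `sent_codes` list standing in for the text-message channel, and the fixed time values are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code stops working five minutes after it was sent
MAX_ATTEMPTS = 3         # a code is locked after three wrong guesses


class SecondFactorGate:
    """Hypothetical login gate: password alone is enough on a known device,
    otherwise a six-digit code is sent and must come back before it expires."""

    def __init__(self, known_devices):
        self.known_devices = set(known_devices)
        self.pending = {}      # device_id -> (code_hash, expires_at, attempts_left)
        self.sent_codes = []   # stands in for the SMS channel (constructed for the demo)

    def login(self, password_ok, device_id, now=None):
        """Return 'allowed', 'second_factor_required' or 'denied'."""
        now = time.time() if now is None else now
        if not password_ok:
            return "denied"
        if device_id in self.known_devices:
            return "allowed"
        # Unknown device: issue a code; only its hash is kept server-side so a
        # database dump does not hand out live codes. The short TTL and the
        # attempt limit are what make a six-digit code safe to use at all.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[device_id] = (hashlib.sha256(code.encode()).hexdigest(),
                                   now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self.sent_codes.append((device_id, code))
        return "second_factor_required"

    def confirm(self, device_id, submitted_code, now=None):
        """Check a submitted code; on success the device becomes a known device."""
        now = time.time() if now is None else now
        entry = self.pending.get(device_id)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[device_id]   # expired or locked: must log in again
            return False
        submitted_hash = hashlib.sha256(submitted_code.encode()).hexdigest()
        if not hmac.compare_digest(code_hash, submitted_hash):   # constant-time compare
            self.pending[device_id] = (code_hash, expires_at, attempts_left - 1)
            return False
        del self.pending[device_id]       # a code is single-use
        self.known_devices.add(device_id)
        return True
```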
To generate a strong (12-character) password, use this free password generator.
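What a good 12-character generator does under the hood, as an added example that is not the generator the article links to: it draws from a cryptographically secure source (`secrets`, not `random`), guarantees every character class appears, and lets you see how many bits of guessing work the result represents. The character classes and the symbol set are choices made for this demo.

```python
import math
import secrets
import string

# Character classes every generated password must draw from at least once
# (the symbol set is an assumption for this demo).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*()-_=+")
ALPHABET = "".join(CLASSES)


def has_every_class(password):
    """True if the password contains at least one character from each class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=12):
    """Return a uniformly random password of `length` characters from ALPHABET
    that contains every class, using the OS CSPRNG via the secrets module."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: discard the rare candidate that misses a class
        # instead of patching it, so no position becomes more predictable.
        if has_every_class(candidate):
            return candidate


def entropy_bits(length=12, alphabet_size=len(ALPHABET)):
    """Guessing work for a uniformly random password: length * log2(alphabet).
    The class requirement trims a little from this, so treat it as an upper bound."""
    return length * math.log2(alphabet_size)
```

Twelve characters from this 76-symbol alphabet give just under 75 bits; an 8-character password from the same alphabet gives under 50.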
3. Business Email Compromise
Total losses: $3 billion (since 2013)
According to the FBI, scammers have stolen more than $3 billion since 2013 through business email compromise fraud. The way it works is that they find your work email address and send you an invoice that looks like it came from a real customer, or a wire transfer request that looks like it came from your CEO.
They also try to get database administrators to give them access to company data, and to get HR departments to send them tax information about employees — if you’ve got something valuable, they’ll try to go after it.
Tips to avoid email scams
If you fall for one of these scams, it could cost your company millions — and cost you your job. To protect yourself, check with your boss and make sure you know what to do when a suspicious email comes in. Is your top vendor asking you to stop sending them checks and to send wire transfers to Russia instead? Is the CEO asking you to email sensitive files to his personal email account? Have a plan in place for unusual requests. For example, one strategy is to contact the customer or CEO directly, by phone or in person, to confirm unusual requests and transfers of large amounts of money.
Be particularly careful about any requests that seem unusually urgent. If your CEO emails you in the middle of the night, needing a copy of the financial reports that very minute for a big presentation the next day, confirm through a separate channel. A text message or phone call to a number that you already know, for example, would let you confirm that the request is unusual but real.
4. Tax Fraud
Total losses: $21 billion in 2016
In 2015, hackers stole data from 700,000 taxpayer accounts and collected $50 million in bogus tax refunds. That was just one hack, though it was pretty high-profile. But the problem is much bigger. In 2016, according to the IRS, total losses were around $21 billion.
Tips for keeping your credit cards and files safe
If your refund gets stolen, it can take months, or even years, to clear it up.
So file your taxes early, so the bad guys can’t get in ahead of you. And make sure you have anti-virus on your devices so that the criminals can’t steal your IRS PINs and passwords as you type them.
Kaspersky, Norton, Avast, BitDefender, Trend Micro, and Microsoft all have free or low-cost antivirus software available, and, as a bonus, will also catch a lot of the ransomware out there and help you avoid dangerous websites.
I use Avast, which is a free and highly-rated antivirus for both PCs and mobile devices. Microsoft Security Essentials is free and is also pretty good at stopping ransomware.
- Avast, free.
- Trend Micro, $40 per year.
- Norton, $20 per year.
- Microsoft Security Essentials, free.
5. Online Shopping Scams
Total reports: 2,425 scam reports
2,425 scam reports were made last year to the Better Business Bureau about online purchases, accounting for 6.3 percent of all reported frauds.
According to the Better Business Bureau, fraudulent online purchases were the fourth biggest scam of 2016, after tax scams, fake debt collections, and fake sweepstakes.
Tips for safe online purchasing
When shopping online, use trusted sites that have a reputation to maintain, and go directly to their websites — not via a link in a spam email.
Criminals can easily make a fake site look like the real thing by copying-and-pasting all the text and graphics.
Similarly, install a store’s official app only through the official Apple App Store or Google Play store. Check to see how long an app has been around, how many downloads it’s had, and read the reviews if you’re at all suspicious.
Next, use a credit card for online purchases instead of a debit card or other payment mechanism, so if there’s a problem you can’t resolve by contacting the seller or the shopping site, you can still contact the credit card company and have them refund your money.
More tips for staying safe online can be found here.
6. Medical Identity Theft
Total losses: 16.6 million medical records were stolen in 2016
More than 16.6 million medical records were compromised last year, and more than 112 million in 2015, according to the Department of Health and Human Services’ Office for Civil Rights.
Crooks use this data in a couple different ways. First, there’s a lot of good stuff there that can help with all kinds of identity theft, including addresses, birth dates, and social security numbers.
Second, they have your insurance info so that they can do insurance billing fraud.
Either one is pretty bad. But the second one is potentially deadly.
False claims could exceed your annual maximum limits, forcing you to pay for some procedures out of pocket. And if your medical history contains incorrect information, that could cause significant problems in an emergency if it now shows the wrong blood type or allergies or medication history.
Monitor your medical identity
Review your history with your doctors if anything sounds off, keep an eye on your insurance bills for unexpected charges, and wear a bracelet if you have a particularly dangerous allergy or other medical condition that emergency responders should know about.
There are also some vendors, including ID Experts, who provide medical identity monitoring, similar to the credit monitoring offered for financial services. If you have been notified that you’ve been the victim of a health care breach, ask your insurance company for this service.