Online Risk
With the birth of the Internet there are new ways to communicate, send data from one part of the world to another, and create exciting places to shop, share your stories, and even play games.
The Biggest Risk?
The more we use the Internet, the more likely we are to forget to do the things necessary to keep our data, ourselves, and our family safe online. It is this complacency that we must struggle with every time we sign online.
With all the good things the Internet has to offer there is also a dark side. There are a plethora of cyber-risks that you face anytime that you go online. Learning what the risks are is the first step to becoming safer online.
Malware
The term "malware" is short for malicious software and is usually used as a catch-all term to refer to any software that causes damage to a computer, server, or computer network. Some of the most common types of malware are listed below.
Viruses
Self-replicating malware requiring a host file that depends on human action to spread it
Worm
Self-contained malware, needing no host file, that spreads automatically through networks
Trojan Horses
An apparently useful and innocent application containing a hidden malicious program
Spyware
A program that secretly monitors your online activity and sends the data back to the programmer
Rootkit
A malicious program that hides itself by convincing the operating system that it isn't there
Cookies
A cookie is a small information file that a Web site puts on your hard drive in order to remember something about you later. Typically, a cookie keeps track of your preferences when using a particular site. By using cookies, an on-line store like Amazon can keep track of what items you have placed in your shopping cart as you surf the site.
If you'd like, you can view the cookies on your hard drive. Where they are stored, however, depends on your browser. Internet Explorer stores each cookie as a separate file under a Windows subdirectory, whereas Opera stores them in a single cookies.dat file.
In Internet Explorer, you can delete cookies by clicking on "Tools," scrolling down to "Internet Options," and clicking "Delete Cookies." Any website that requires cookies will simply replace them.
An Internet site will generally use one of the two following types of cookies:
Session cookies
Session cookies are stored on your hard drive only during the time that you are at a particular site. They are automatically deleted when you terminate your session. A website will use session cookies to assist with navigation by remembering what pages a user has already visited, or whether or not a user has logged in to the site.
Persistent cookies
Persistent cookies store your personal preferences on your computer for an extended period of time. Most browsers will allow you to configure how long you would like to keep persistent cookies. If a malicious hacker were to gain access to your computer, they may be able to gather personal information about you from stored persistent cookies.
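The difference between the two cookie types above comes down to whether the site attached an expiry to the cookie. The following Python script is an added example (not part of the original page) that reads Set-Cookie headers the way a browser does and reports whether each one is a session cookie, a persistent cookie, or an instruction to delete a cookie, along with how long a persistent cookie will stay on your drive. The header lines and the reference date are constructed for illustration.

```python
"""Classify Set-Cookie headers as session or persistent cookies.

Added example, not from the original page. The header lines below are
constructed; the cookie names and values are placeholders.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers, as a browser might receive them
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                          # no expiry: session
    "cart=item42,item7; Max-Age=2592000; Path=/",                   # 30 days: persistent
    "prefs=lang=en; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",  # dated: persistent
    "tmp=1; Max-Age=0",                                             # tells the browser to drop it
]

# Constructed reference time so the lifetimes below are reproducible
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header, now=None):
    """Describe one Set-Cookie header.

    A cookie with neither Max-Age nor Expires lives only for the browser
    session. Max-Age takes precedence over Expires when both are present.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None
    if "max-age" in attrs:
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            lifetime = None  # malformed Max-Age is ignored, as browsers do
    elif "expires" in attrs:
        try:
            lifetime = parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            lifetime = None

    if lifetime is None:
        kind = "session"
    elif lifetime <= timedelta(0):
        kind = "deleted"  # Max-Age=0 or a past Expires removes the cookie
    else:
        kind = "persistent"

    days = None if lifetime is None else round(lifetime.total_seconds() / 86400, 1)
    return {"name": name.strip(), "kind": kind, "lifetime_days": days}


def classify(headers, now=None):
    """Classify a list of Set-Cookie headers."""
    return [parse_set_cookie(h, now) for h in headers]


def classify_samples():
    """Run the classifier over the constructed headers at the fixed reference time."""
    return classify(SAMPLE_HEADERS, FIXED_NOW)


if __name__ == "__main__":
    for cookie in classify_samples():
        print(cookie)
```

The "lifetime_days" value is the figure to look at when deciding whether a site's persistent cookies are worth keeping: a cookie that stays for years records your preferences for years, which is exactly the information someone with access to your computer could read.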
It may be a good idea to consider adjusting your privacy and security settings to block or limit cookies in your web browser. In Internet Explorer, you can get to both of these settings by clicking on "Tools," and selecting "Internet Options." The "Privacy" and "Security" tabs appear at the top of the options menu.
For more information on cookies, visit this cookie summary, prepared by Microsoft.
Denial of Service Attacks
A "Denial of Service (DoS) attack" broadly refers to an attacker causing an important resource or service to become unavailable to its regular user base. In the cyber world, a DoS means normal network operations, such as e-mail and Internet access, become unavailable.
In its worst form, a DoS attack can force a website to shut down its regular operation. It can also destroy files and programming housed within a network.
Although DoS attacks are usually intentional and malicious, it is possible for a DoS to be purely accidental. Whatever the cause, one thing is certain—a DoS attack can cause its target, be it an individual user or a business, to lose a significant amount of time and money.
A DoS may be executed a number of ways, both digitally and physically. A very simple DoS might be merely cutting a fiber optic cable at an Internet Service Provider, thus denying service to its customers.
Distributed Denial of Service Attacks
A Distributed Denial of Service (DDoS) attack is when an attacker compromises several computer systems and uses them to attack a specific target. The more systems that are used as tools, the more traffic can be sent to the targeting network, and the greater the chances of shutting that system down.
To pull off a DDoS, an attacker first exploits security vulnerabilities in one computer system, then goes on to exploit other systems, turning them into "zombies." The number of zombies ranges from two to as many as several thousand. The attacker then commands the zombies to launch an attack against a single targeted system, causing a massive denial of service.
A distributed denial of service attack is especially severe because it victimizes not only the targeted systems, but each of the "slave" systems as well.
Spam
Spam is the common term for "junk email." There are different definitions for it—from the very specific to the very general ("anything I don't want!"). The CAN-SPAM Act of 2003 defines spam as "any unsolicited email message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service."
It May Be Spam If:
- It is unsolicited; you did not ask for it.
- It is impersonal to the point where the recipient is unimportant. (For example, if you are a collector of rare books, and you receive an email flyer for a rare book auction, many would NOT consider that spam.)
- It may have a misleading subject line or a false return address.
- It does not include a method for avoiding future e-mails from the same organization.
When advertisements arrive in your inbox for things like low-rate mortgages, miracle drugs, or cheap long distance services, you have been spammed. Spam often advertises suspicious products or "get rich quick" promotions. It is sent out at an extremely low cost to the sender, forcing most of its expenditure onto the Internet Service Providers, and thus, paying consumers.
Spam mailing lists can be created in a number of ways. Spammers will often pay top dollar for mailing lists with verified e-mail addresses.
Spammers also use a variety of "bots" that scour the Internet looking for e-mail addresses posted to websites and message boards. It is very difficult to avoid ending up on a spam mailing list, because marketers are so willing to pay for the information.
Some Tips to Help You Deal With Spam E-mail
Some providers may offer a filtering option for your email account. Check with your specific Internet Service Provider to see what options are available. Below are a few additional suggestions that can help you keep your inbox spam-free.
- Be aware that by requesting that you be "removed" from a spammer's mailing list, you may actually be confirming that your email address works. This could result in your receiving additional unwanted email.
- If you are posting your email address to a website or message board, consider "masking" it. This can be accomplished several ways. Instead of posting your full address, use "example AT yahoo DOT com." Any reasonable web surfer will be able to determine your email address, but it will not be harvested by web bots. Additionally, several on-line services, such as Automatic Labs' Enkoder, will translate your email address into JavaScript that makes harvesting by these web bots a difficult task.
- Be careful when giving out your email address. Before giving it to a website, or to anyone, find out what the privacy policy is. Fannin Bank guarantees that we will neither give nor sell your email address to anyone; not all sites do that.
- Forward spam email to the Internet Service Provider of the sender as a complaint. Sending spam is against the terms of service for most providers and therefore could result in the termination of the sender's account. In order to determine the sender's ISP, you will need to interpret the email header.
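Interpreting the email header, as the last tip asks, and checking for the spam signs listed under "It May Be Spam If" can both be done from the raw message source that most mail programs let you view. The Python script below is an added example (not part of the original page) that reads a constructed spam message, walks the Received chain to find the address of the computer that first handed the message to a mail server, and flags a return address that does not match the From line, a "Re:" subject with no reply it could be answering, and a missing opt-out header. The message, domains and addresses are constructed; the IP addresses come from the ranges reserved for documentation.

```python
"""Read a raw e-mail's headers to find where it came from and spot spam traits.

Added example, not from the original page. The message is constructed; the
domains are placeholders and the IP addresses are documentation addresses.
"""
import email
import re
from email import policy

# Constructed raw message. Mail servers add Received lines at the top, so the
# most recent hop is first and the originating hop is last.
RAW_MESSAGE = """\
Return-Path: <bounce-9921@mail.promo-blast.example>
Received: from mx.isp.example (mx.isp.example [198.51.100.7])
\tby inbox.example.net with ESMTP id abc123; Mon, 3 Mar 2025 09:15:02 -0600
Received: from promo-blast.example (unknown [203.0.113.42])
\tby mx.isp.example with SMTP id xyz789; Mon, 3 Mar 2025 09:14:58 -0600
From: "Your Bank" <security@yourbank.example>
To: customer@example.net
Subject: Re: your account
Date: Mon, 3 Mar 2025 09:14:50 -0600

Claim your low-rate mortgage today!
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DOMAIN_RE = re.compile(r"@([\w.-]+)")


def originating_ip(msg):
    """Return the IP recorded in the earliest Received header.

    Only the hops written by your own provider's servers are trustworthy;
    anything below them could have been forged by the sender, so the
    bottom-most address is a starting point for a whois lookup, not proof.
    """
    for line in reversed(msg.get_all("Received") or []):
        match = IP_RE.search(str(line))
        if match:
            return match.group(1)
    return None


def header_domain(value):
    """Extract the domain part of an address header, lower-cased."""
    match = DOMAIN_RE.search(str(value or ""))
    return match.group(1).lower() if match else None


def spam_indicators(msg):
    """Apply the page's spam signs that can be checked from headers alone."""
    flags = []
    from_domain = header_domain(msg.get("From"))
    return_domain = header_domain(msg.get("Return-Path"))
    if from_domain and return_domain and from_domain != return_domain:
        flags.append("return address does not match From")
    if msg.get("List-Unsubscribe") is None:
        flags.append("no opt-out method")
    subject = str(msg.get("Subject") or "").strip().lower()
    if subject.startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("misleading subject line")
    return flags


def analyze(raw):
    """Parse a raw message and return its origin IP and spam indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"origin_ip": originating_ip(msg), "indicators": spam_indicators(msg)}


def analyze_sample():
    """Run the analysis over the constructed message."""
    return analyze(RAW_MESSAGE)


if __name__ == "__main__":
    print(analyze_sample())
```

The address the script reports is the one to look up (a whois query on the IP names the network operator) when forwarding the message to the sender's provider; the flags are not proof of spam on their own, but a message that trips all three is a strong candidate for the junk folder.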
Email Scams
Nigerian Scams
"... My aim of contacting you is to seek your assistance in transferring the sum of thirty five million united states dollars only out of Nigeria and into your trusted bank account abroad...."
"The Nigerian scam costs Americans more than $100 million a year."
Mark Connolly, U.S. Secret Service
We have probably all seen the Nigerian scam letter. Also called "419 scams," they combine the threat of identity theft with the old "advance fee scheme."
A letter or email from Nigeria (or sometimes another African country) offers the recipient the "opportunity" to share in a percentage of millions of dollars that the author is trying to transfer illegally out of Nigeria. The recipient is encouraged to send information to the scammer—blank letterhead stationery, bank name, account numbers, and other identifying information using a fax number provided in the letter.
Be advised that this is a scam and not a legitimate offer. Don't fall for it!
Unfortunately, these scams usually originate outside of the United States, and American law enforcement has great difficulty in pursuing the criminals. In addition, many of these email solicitations contain computer viruses, making them even more of a menace—so be very cautious. Be sure to maintain current anti-virus software.
Nigerian Variants and other Scams
There are several variations of the Nigerian Scam that criminals may use to exploit their victims. Here are some examples:
Beneficiary of a Will:
The victim receives an email that claims they are the named beneficiary in the will of an estranged relative, and stand to inherit an estate worth millions. In order to complete the inheritance, the victim's personal financial information is needed to "prove" that they are the beneficiary and to "expedite the transfer of the inheritance."
"Over" Paying:
The victim advertises an item for sale on the Internet, and is contacted by an interested buyer from Nigeria or another African country. The scammer then sends the victim a check or money order for an amount much larger than the asking price of the item. The victim is then asked to deposit the difference back to the scammer. If the victim does not wait for the bank to verify the check, they can end up losing thousands of dollars.
Donation Solicitations:
The victim receives an email requesting "donations" to fight an evil government or dictatorship in Africa. The scammer requests that the victim provide bank account information so that the "donation" can be directly withdrawn from the bank.
Fake Web Site:
The scam artist sets up a fake online bank and "deposits" the amount of money referenced in the scam email. When the victim expresses any misgivings about the existence or size of the fund transfer that is to take place, they are directed to the site, which shows a multi-million dollar deposit.
American Soldier in Afghanistan or Iraq:
The victim receives a letter purporting to be from an American soldier in Iraq or Afghanistan who has discovered a treasure of terrorist currency and needs help to embezzle the funds out of the country. The victim needs only to provide their personal and financial information for the soldier to deposit the funds into the victim's account.
The Secret Service asks that, if you have been victimized by the Nigerian scam, you forward appropriate written documentation to the United States Secret Service.
To contact the U.S. Secret Service:
U.S. Secret Service
Financial Crimes Division
950 H Street N.W.
Suite 5300
Washington, DC 20223
Phone: (202) 406-5850
Fax: (202) 406-5031
If you receive a letter from anyone asking you to send personal or banking information, do not reply in any manner.
Pyramid Schemes
Pyramid schemes (sometimes called "Ponzi schemes") are illegal in Texas, and in many other states. Pyramid schemes are scams in which large numbers of people at the bottom of the pyramid pay money to a few people at the top. Each new participant pays for the chance to advance to the top and profit from payments of others who might join later.
Please note that pyramid scheme emails are frequently disguised as chain letters advertising new and legitimate business opportunities. We urge you to carefully consider any potential investment advertised on the Internet.
"Miracle" Products
As with most things in life, if it seems too good to be true, it probably is!
You have probably seen the junk e-mail that makes outlandish claims: to earn you thousands of dollars each month, to make you look years younger, or to guarantee your popularity with the opposite sex. Treat these claims with the same skepticism you use when evaluating any product.
E-mail is very inexpensive to write and send. The scam artist can send thousands of e-mails for pennies, and if only two or three people take the bait, he has earned his money back. Don't be one of those people.
Look at it from this angle: if any of these products could really do what they claim to do, why haven't you heard of them before—on television, in the news, or from a friend? If these "miracle" products could do what they claim, the makers wouldn't need the spam!
Email Hoaxes
These are either deliberate or unintentional email messages warning people about a phony virus or other malicious software program. Some hoaxes create as much trouble as viruses by causing massive amounts of unnecessary email, but most are simply annoying.
Most hoaxes contain one or more of the following characteristics:
- Warnings about an alleged new virus and its damaging consequences.
- Demands that the reader forward the warning to as many people as possible.
- Pseudo-technical "information" describing the virus.
- Bogus comments from officials: FBI, software companies, news agencies, etc. Names and phone numbers are often invented, or "borrowed" from real people who have no knowledge of the virus.
If you receive an email message about a virus, check with a reputable source to ensure the warning is real. Recently, a popular hoax urged users to delete an important system file, jdbgmgr.exe. For this reason, virus hoaxes should be considered as much of a threat as a virus itself.
Do your friends and your colleagues a favor – if you get an email about a virus hoax, DO NOT forward it.
Internet Auction Fraud
Auction fraud is one of the fastest-growing crimes on the Internet. Although it can take many forms, the most common type of auction fraud involves a seller failing to send an item, or sending an item that is significantly different from what was promised in the auction listing.
Auction fraud occurs on eBay, Yahoo Auctions, and all other auction sites. You can find information on the latest forms of auction fraud at FlipShark.com.
The best protection you have against Internet auction fraud is your own common sense.
The following guidelines can help you to avoid auction fraud:
- Transfer money through an online escrow service (such as PayPal). Most auction sites maintain lists of these services.
- Check the seller's feedback at the auction site. Since feedback generally takes a few days, be wary of feedback dated immediately following a sale — it may be fake.
- Be careful of sellers outside the United States, because they are not bound by U.S. laws. If there is a problem with quality or delivery, you may have no one to complain to.
- Use a credit card. Credit card payment protects the buyer, because you can dispute the charges if the goods are misrepresented or never delivered. Cancel the card immediately if you suspect fraud.
- Never buy anything from a seller who asks for payment to be mailed to a P.O. box.
Downloading
"Downloading" is the transmission of a file from one computer system or network to another smaller computer system. "Uploading" is transmission in the other direction—from a smaller computer to another larger computer or network.
Many users download files from the Internet or upload files to the Internet. People who share files with others on bulletin board systems (BBS) must upload files to the BBS. File sharing programs like LimeWire and DirectConnect encourage users to make files on their computers available for upload.
In short, to download is to receive a file and to upload is to send a file.
Dangers
Downloading data from an unknown or unreliable source can be dangerous. Many files available for downloading contain malware. A Trojan horse, for example, is an apparently harmless program that contains malicious or destructive code. Left alone, it has the ability to hurt your computer in a number of ways, such as ruining your hard disk, or sending out your personal information to a hacker.
One of the dangers of downloading from the Internet is spyware. The term refers to any software that aids in the gathering of information about a person or computer without the owner's knowledge or consent. Usually, the information gathered is forwarded to advertisers or other interested parties, sometimes even hackers. Downloaded programs can often contain spyware, as spyware writers use "free" downloads to distribute their product.
Some data collection programs are installed with the user's knowledge; they are not considered spyware if the user fully understands what information is being collected and with whom it is being shared.
Read the privacy policy carefully of any software that you install to discover if it is collecting information about you.
Identity Theft
Identity theft, or impersonation fraud, occurs when someone assumes your identity to perform a fraud or other criminal act. The sources of information about you are so numerous that it can be difficult to prevent the theft of your identity.
These are a few ways identity thieves acquire your information:
- Stealing wallets, purses, or your mail, including bank and credit card statements, pre-approved credit offers, telephone calling cards, and tax information
- Stealing personal information you provide to an unsecured site on the Internet
- Rummaging through your trash and business trash for personal data
- Posing as someone who legitimately and legally needs information about you, such as employers or landlords
- Buying personal information from "inside" sources
Tips to Help You Avoid Identity Theft:
- Do not throw away ATM receipts, credit statements, credit cards, or bank statements without first shredding them.
- Never give out personal information online simply because someone asks for it.
- Never give your credit card number over the telephone unless you initiated the call.
- Reconcile your bank account monthly and notify your bank of discrepancies immediately.
- Keep a list of telephone numbers to call to report the loss or theft of your wallet, credit cards, etc.
- Report unauthorized financial transactions to your bank, credit card company, and the police as soon as you detect them.
- Review a copy of your credit report at least once each year. Notify the credit bureau in writing of any questionable entries and follow through until they are explained or removed. You can order your free credit report on the Internet at www.annualcreditreport.com or by phone at 1-877-322-8228.
- If your identity has been assumed, ask the credit bureau to print a statement to that effect in your credit report.
- If you know of anyone who receives mail from credit card companies or banks in the names of others, report it to local or federal law enforcement authorities.
If You Are a Victim of Identity Theft
There are several steps you should immediately take if you feel your identity has been stolen or used without your permission. Most credit card companies will not hold you responsible for charges made by a thief, but you need to act quickly.
For any accounts that have been fraudulently opened or accessed, contact the security departments of the appropriate creditors or financial institutions, and explain what happened. Close these accounts. Put passwords on any new accounts you open.
Contact the fraud departments of each of the four major credit bureaus (Equifax, Experian, Trans Union and Innovis) and report that your identity has been stolen. Ask that a "fraud alert" be placed on your file and that no new credit be granted without your approval. Here are the numbers for reporting fraud:
Equifax — 1-800-525-6285
Experian — 1-888-EXPERIAN (397-3742)
Trans Union — 1-800-680-7289
Innovis — 1-800-540-2505
Contact your local police department or sheriff's office to file a report. When you file the report, provide as much documentation as possible, including copies of debt collection letters, credit reports, and your notarized ID Theft Affidavit.
If you have been a victim of Internet fraud, file a complaint with the Internet Crime Complaint Center.
File a complaint with the Federal Trade Commission (FTC) by calling the ID Theft Hotline: 1-877-IDTHEFT (1-877-438-4338) or file online using this form.
Hard Drive Disposal
Selling Your Old Computer
If you have upgraded to a newer computer and are thinking about selling your old one, there is something you should consider —
Your old hard drive likely contains sensitive information about you or your business.
When you "delete" files, even if you reformat the hard drive afterwards, the information in the files could still be recoverable.
"When you delete a file, the operating system does not destroy the file contents from the disk – it only deletes some ‘references’ on the file from some system tables. The file contents remain on the disk until another file ‘happens’ to overwrite it. Any software recovery tool can restore the data if it hasn’t been overwritten yet. Hardware recovery tools may even restore overwritten files by analyzing latent magnetic traces." —EAST Technologies
Actions you can take to keep information secure:
Wipe your hard drive
Wiping or "scrubbing" your hard drive involves deleting all of its files and then running a program that overwrites all of the data with ones and zeros, in several passes, making your data unreadable.
You should consider wiping your hard drive before selling it, giving it to another person, or donating it to a charity or school.
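The quotation above explains why deleting is not enough: the bytes stay on the disk until something writes over them. The following Python script is an added example (not part of the original page, and not a substitute for a whole-disk wiping tool) that shows the overwrite idea on a single file: it writes a pass of zeros, a pass of ones and a pass of random bytes over every byte of the file, forcing each pass to disk, before removing it. The sample "secret" content is constructed. One caveat worth knowing: on solid-state drives and on filesystems that keep journals or copies of old blocks, an overwritten file's old bytes can survive in places the program cannot reach, so for such drives full-disk encryption from the start, or physical destruction as described below, is the reliable choice.

```python
"""Overwrite a file's contents in several passes before deleting it.

Added example, not from the original page. It demonstrates the principle of
wiping on one file; whole-disk tools apply the same passes to every sector.
Caveat: SSDs and journaling or copy-on-write filesystems may keep old copies
of the data where this program cannot overwrite them.
"""
import os
import tempfile

# Overwrite patterns: a byte of zeros, a byte of ones, then random data
PATTERNS = [b"\x00", b"\xff", None]


def overwrite_file(path, patterns=PATTERNS, chunk=64 * 1024):
    """Overwrite every byte of `path` once per pattern, syncing to disk after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make the pass reach the disk, not just the cache
    return len(patterns)


def wipe_file(path):
    """Overwrite a file and then remove it; returns the number of passes made."""
    passes = overwrite_file(path)
    os.remove(path)
    return passes


def demo():
    """Write a constructed secret to a temp file, overwrite it, and report what survived."""
    secret = b"ACCOUNT 1234-5678 PIN 9999"  # constructed sample data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)

    passes = overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()  # what a recovery tool would now find in this file
    os.remove(path)

    return {
        "passes": passes,
        "size_preserved": len(after) == len(secret),
        "secret_gone": secret not in after,
    }


if __name__ == "__main__":
    print(demo())
```

Reading the file back after the overwrite is the check that matters: the file is the same size, but the account number is no longer in it. A software recovery tool that found the file's blocks afterwards would find only the last pass of random bytes.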
Destroy the hard drive
Hard drives are relatively inexpensive. Think about simply destroying your old one. That way, no one will ever have access to your data.
“Only 8% of hard drives sold on the secondary market have been properly sanitized.”
Try drilling it full of holes, or taking a few whacks with a sledge hammer — in addition to protecting your information, it can also be very refreshing to work off the frustration you've built up against your computer!
As always, if you have any concerns about the security of your data, please consult your trusted computer professional.
Online Shopping
Make Sure to Use a Secure Browser.
Make sure your browser meets industry security standards. Features such as the Secure Sockets Layer (SSL) encrypt your personal information as it is sent over the Internet. Most browsers are capable of SSL encryption and other security features.
There are two ways to determine if a website encrypts data before it is sent over the Internet. The first is that the URL displayed in the address bar will begin with the abbreviation "https." This stands for Hypertext Transfer Protocol Secure. Web pages that do not encrypt data only display "http," without the "s."
Secure web pages will also display a second indicator, which differs depending on the particular browser being used. In most browsers, a small lock will appear in the bottom-right corner of the browser window.
Shop Only With Companies You Are Comfortable With.
Ask for paper documentation, such as a catalog or a brochure, if you are unfamiliar with an online merchant. This should help you become familiar with the vendor's services and policies. Never deal with an on-line merchant whose policies are not explicitly clarified.
Keep Your Password(s) Secret.
Never reveal passwords that you use on-line.
Pay by Credit or Charge Card.
Using your credit card online ensures that you will be protected by the Fair Credit Billing Act. This law provides consumers with the right to dispute charges made to their accounts. If unauthorized charges are made to your credit card, by law you are liable only for the first $50, and many companies don't require you to pay anything.
Keep Records.
Keep a record of confirmation numbers and purchase orders. Print them out and keep personal copies. On-line orders are covered by the Federal Mail/Telephone Order Merchandise Rule. This rule states that merchandise ordered online must be delivered within 30 days unless otherwise noted. Your records will be able to provide proof of the date and time of purchase.
Paying Your Bills Online
Most companies offer you the convenience of paying your bills and checking your account online. Before enrolling in one of these "click-to-pay" programs, make sure you fully understand the company's privacy policy and security measures. If an appropriate description of a company's security procedures is not available, ask the company by calling them or e-mailing them.
If you're not currently using your bank's Bill Pay service, you should look into it. Using your bank's online bill pay service gives you a single location to pay all your bills online and reduces the number of places that hold personal information about you on the Internet.
File Sharing
Peer-to-Peer file sharing, or P2P, is a method of trading files on the Internet. Users can find copyrighted music and movies, as well as computer programs and games.
It is extremely important to know that sharing and downloading these copyrighted files is a violation of copyright laws and is illegal. Recently, the Recording Industry Association of America has been suing file sharers.
Unfortunately, many new viruses and worms also proliferate across P2P networks. It is possible to download a file that appears benign and end up with a vicious computer virus.
The file sharing programs themselves can also cause problems. File sharing ties up shared bandwidth, which will significantly slow down other Internet-related activities and, on a shared network, will be a nuisance to other users. Also, if the program is misconfigured, it may even share files on your computer that you never intended anyone else to see, such as bank records and personal information.
A Safer, Legal Alternative
Recently, several companies have released file distribution programs that allow users to purchase all the songs that they want one at a time. This allows you to pay for the music that you want to listen to and download it legally.
Most of these services include licenses with each song that allow you to copy the song to multiple listening devices and store it on your computer. Furthermore, these pay-per-download services charge as little as 79 cents per song and have hundreds of thousands of selections in their catalogs.
Public Wi-Fi
Free Internet access seems to be everywhere – not only in airports and hotels, but also restaurants, libraries, and even doctors’ offices. As a society, we have all come to appreciate being “connected” everywhere we go. But the more we connect, the more bad guys (hackers, scammers, identity thieves) are connecting, too.
And the problem with wireless is…wait for it…NO WIRES. Which means that anyone with the right equipment can intercept your communications.
Although Wi-Fi has a specific meaning and has standards established by the Wi-Fi Alliance, most of us use the term to mean simply a wireless network.
Here are some tips for staying safe the next time you visit Starbucks with your Wi-Fi enabled device.
Always remember that open wireless networks are not secure.
If you can log into a network without a password, that means anyone else can too. Never send personal or confidential information over an open public wireless network. Even something as simple as the password to your web-based email can give hackers access to get your more important data.
If you need a secure connection, use a VPN (virtual private network).
For example, if you need to connect to your work computer from remote locations, your company may provide you with a VPN connection. A VPN provides a secure way of connecting to a remote network by encrypting your transmission so that, even if it gets intercepted, it can’t be read.
Make sure you have a software firewall and keep your anti-virus program updated.
Firewalls keep out hackers, while anti-virus programs detect and remove many types of malicious software.
Watch out for shoulder surfers.
Most public networks are in areas where there are a lot of people (makes sense). Make sure that no one is looking over your shoulder while you conduct your business or read your email.
Verify the name of the network you are connecting to.
Just because you can connect to a network does not mean you may. If the owner of a network has left it open to the public by mistake, it could still be illegal to use it. Remember too, computers with Windows operating systems are set up to connect automatically to available networks, unless you change the settings.