How To Reduce the Risk Of Getting Scammed and Owned Online

November 17, 2017 by stas | Filed under Security.





Social engineering and con artists have probably been around since the first humans invented some form of communication, and perhaps even earlier. There were few con artists back then, which led to few victims of their deeds. The Internet age ushered in the global village, which led to a scalability the con artists of yore couldn’t have imagined in their dreams.

While the con artists simply want to get some of what you have using their ingenuity and relying on your gullibility, there is a whole new type of exploit that leads to perpetrators owning your computer or mobile device, and then profiting from using it without taking anything directly from you. They use your device to mine bitcoins, facilitate denial of service attacks on vital online services, rent out access to your computer to anybody willing to pay, and much more. They also perform identity theft, where they use the gathered personal information to scam others: using your identity to trick your friends into further scams, suggesting that they purchase things as if it were your recommendation, infecting their devices with viruses, influencing political votes, etc.

And while new scams and ingenious social engineering schemes get created every second, and nobody is really fully immune (I almost got scammed just recently), there are a few “low hanging fruit”-type of scams that you really should know about and which you can easily detect and avoid.


Main Types of Attacks

How can the bad guys attack you? Usually it’s one of the following things:

  1. Phishing. They want to trick you into giving them your login/password to your bank, online service or platform. They could try getting that information from you by calling you on the phone and pretending to be your bank’s customer service, or by sending you an email doing the same. Once they have your credentials they can take your money and your data, and pretend to be you to people who have a pre-established trust with you (friends/family/co-workers), which makes it easy to attack those people too.
  2. Scamming. They want to trick you into giving them some of your money, e.g. Nigerian scams. Usually this is done by offering you some insane payoff if you do something for them, and that something involves sending them some of your money.
  3. Malware installing. They want to trick you into downloading and installing malware, which could be a virus or other bad software that will either use your computer’s CPU to work for the perpetrator (e.g. mine bitcoins), encrypt your data and ask for ransom, or attack other computers and anybody it finds you’re connected to via your address book.
  4. Spamming. They will try to persuade you to buy something (products, stocks, services), influence you (e.g. political votes) or sign up for some mailing lists, etc.

Terminology

In this article I use a variety of terms for the bad guy: con artist, scammer, hacker, perpetrator, etc. Most of the time they refer to the same kind of “occupation”.

The only word that I don’t like using in this context is ‘hacker’, since in the IT world a hacker is a person who has the know-how, diligence and perseverance to solve difficult problems. Some of those hackers engage in black hat (dishonest/bad/criminal) activities, but most hackers engage in white hat (honest/good/creative) activities. There is also a grey zone, where, depending on a person’s view of society’s norms and rules, the same person could be considered to be doing good things by some people and bad things by others. For example, if someone breaks into your bank account or performs credit card fraud and takes your money, your bank will most likely reimburse you, so that you will lose nothing, but the bank will. And the perpetrator may have done a good thing according to his morals, since he made the bank lose money, and that’s goodness if he believes that banks are evil (Robin Hood effect). Regardless of your belief system, it’s best to stay safe and not get sucked into any of the things explained in this essay in the first place.

Don’t Believe Your Antivirus Program

Chances are you have a free or paid-for antivirus program installed on your digital devices that are connected to the Internet. Most of the time it will tell you that your device is safe.

This is so far from being true, it’s scary. Mostly because it’s telling you a lie.

Your antivirus program can only detect viruses that it knows of. It cannot know of all the viruses and the hundreds of their mutations roaming the networks out there. Over time the antivirus company will identify new viruses and add them to its database, and when that happens the program will be able to detect those viruses too. But there can be a gap of a few days to a few months before a newly released virus gets identified, and therefore your antivirus program cannot detect any such viruses in real time.

If antivirus companies were truly honest, the message their software would display is something like:

Now Your Computer Is Immune Only To Viruses We Know Of As Of Yesterday.
It Is Not Protected From Viruses We Don't Know Of Yet.

And this leads us to:

Don’t Download Anything From Sites You Don’t Know

It’s OK to go to websites that you know are real companies who create software and that are trusted in the world, and download their software. While it doesn’t guarantee that what you download is 100% safe, chances are that it is[3]. While occasionally you may get a dud on a certified and known to be good website, this is not really a problem. The problem is that there are many websites that you’re almost guaranteed to get a virus onto your computer when you download something from there.

footnote 3: the best validation is to make sure that (1) the website link starts with https:// and not http:// (note the extra ‘s’ – which stands for secure protocol) (2) there is a little lock picture next to it, showing the lock closed and not opened, like so:

I have already discussed the email scams that entice you to click on a link that takes you somewhere you really shouldn’t go. And then there is the Internet at large, where very similar and even more elaborate traps abound. Yet a random website has less credibility in the eyes of a random visitor, because it usually doesn’t have a pre-established trust with that visitor.

If you download warez-type or nulled software, instead of purchasing it from the website of the company that created it or using an open source equivalent, 95% of the time you voluntarily allow a hacker to install a virus onto your system. And of course the fact that you paid for some software doesn’t mean that it’s safe. It’s easy to set up a website that sells viruses as if they were legit things. If you can’t afford to pay for the software, try to find an open source equivalent, but even then you need to establish the credibility of the site you download the open source software from. If you must run software of unknown origin, at the very least run it in a “sandbox”, isolated from the rest of your computer. VMware, VirtualBox and other virtualization software are used to run such sandbox environments, but chances are that it will be too complicated for you to figure out, unless you’re a technically apt person.

Same goes for movies, music, images, books and anything else you may like to download from the Internet. Hackers are very smart at camouflaging malware as legit files. Some of these will be caught by your antivirus program, but many won’t be detected.

Finally, I’d like to alert you to a type of website that uses fake user comments to entice you to download things. Such websites will have a download link for, say, some popular software for free, and under it there will be 100 comments from various people with their profile pictures and really smartly written comments. Pay attention to the content of their comments. Most will say things like:

1. This is a great software. Thank you, thank you, thank you. You're God!
2. Great! I checked on 5 antivirus programs and it is legit!
3. No problem running at all. Go for it.
4. You must download it, it's amazing!
5. My niece works at microsoft, she said it's safe to download.

Often, if you look closely, you can tell that all the comments are designed to get you into a herd mentality and make you act. Some websites are sneakier at it than others. Often it helps to go and look at other pages on the website. Most of the time you will see very similar and at times identical comments.
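The cross-page comparison described above can be automated. The following is an added example, not code from the original article: it compares comments collected from several pages of one site and reports those that are identical or nearly identical. The page paths and comment texts are constructed sample data, and the 0.5 similarity threshold is an assumption.

```python
import re
from itertools import combinations

# Constructed sample: comments copied from three download pages of one
# hypothetical site. Real input would be whatever you collected by hand.
PAGES = {
    "/download/photo-editor": [
        "This is a great software. Thank you, thank you, thank you. You're God!",
        "Great! I checked on 5 antivirus programs and it is legit!",
        "No problem running at all. Go for it.",
    ],
    "/download/video-player": [
        "This is great software, thank you, thank you, thank you! You're God!",
        "Great! I checked on 5 antivirus programs and it is legit!",
        "Crashes on startup with the 64-bit build, the older release works.",
    ],
    "/download/pdf-tool": [
        "You must download it, it's amazing!",
        "No problem running at all, go for it!",
        "Does this support batch conversion of scanned pages?",
    ],
}


def shingles(text, n=3):
    """Set of overlapping n-word sequences, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if len(words) < n:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets: 0.0 means disjoint, 1.0 means identical."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def recycled_comments(pages, threshold=0.5):
    """Pairs of comments from different pages whose wording nearly matches.

    Returns (page_a, page_b, comment_a, comment_b, score) tuples.
    """
    items = [(page, c, shingles(c)) for page, cs in pages.items() for c in cs]
    hits = []
    for (p1, c1, s1), (p2, c2, s2) in combinations(items, 2):
        if p1 == p2:
            continue  # only repetition across pages is of interest here
        score = jaccard(s1, s2)
        if score >= threshold:
            hits.append((p1, p2, c1, c2, round(score, 2)))
    return hits


def recycled_ratio(pages, threshold=0.5):
    """Fraction of all comments that reappear on some other page."""
    flagged = set()
    for p1, p2, c1, c2, _ in recycled_comments(pages, threshold):
        flagged.update({(p1, c1), (p2, c2)})
    total = sum(len(cs) for cs in pages.values())
    return len(flagged) / total if total else 0.0


if __name__ == "__main__":
    for p1, p2, c1, _, score in recycled_comments(PAGES):
        print(f"{score:.2f}  {p1} <-> {p2}: {c1!r}")
    print(f"recycled share of comments: {recycled_ratio(PAGES):.0%}")
```

A high recycled share across unrelated downloads is the pattern the paragraph above describes; genuine comments tend to mention something specific to the product on that page.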

Don’t Believe Fake Antivirus Programs

Sometimes when you browse the Internet, you get a pop-up that looks very similar to a common antivirus program, and of course it’s telling you either to download and install an antivirus program that it gives you the link for, or to call a number where an auto-reply will tell you to do the same.

Here is an example:

This one tries to get you to download the malware telling you it’s an antivirus program, and also to call a number. Others are more creative and tell you what you’re about to lose if you don’t do that. Lots of scare tactics used here. Of course if you were to follow through you will indeed have all the problems that the scam is supposedly trying to protect you from.

So never act on such pop-ups, even if they look like your antivirus program. Instead, close the pop-up window, and even the Internet browser altogether. Then go to the antivirus program that you already have installed and run a system and data check.

It’s the same thing in all the different situations. If something on the Internet is prompting you to act or else… cull that prompt immediately and instead initiate the activity yourself, either by calling your ISP’s support or if you’re advanced enough doing it on your own (such as starting your own antivirus program). Don’t trust anything else, whether it pretends to do you a favor out of love or through scare tactics.

Nothing is Ever Free

Marketing people have been using ‘Free’ for years to entice us to give away our free time in exchange for a permission for them to sell to us. Free samples, free seminars, free training, free money.

Of course this is used not just by marketers, but pretty much by most people. It’s very rare to encounter someone truly giving something away without wanting something in return, whether declaring the intention of exchange directly or the way it’s done most of the time — indirectly and covertly. Think of all the favors others have done for you, only to ask back for a return favor when they needed something from you.

Since this unspoken “barter” mechanism is so ingrained in our society, scammers use it with great success online. Just as I was writing this article, one of the websites sent me this pop-up:

Yeah, right, how lucky I am. I’m getting $120 for free. Not only will I not get any $$ from acting on this pop-up; if I do click on the link and follow through with what appears to be a benign survey, I will give away my email address and get a lot more email scams in the future, they are very likely going to trick me into downloading a virus, and they could make me do many other things that won’t be beneficial either for me or for anybody connected to me, because a $120 offer is not cheap. Of course it could just as well be $5, but then you’re less likely to get tempted.

There are legit companies that pay users to fill out surveys, and usually the payoff is a few dollars. But if you ever want to get into business of making a few dollars per filled out survey you should go and seek out those companies. Almost any offer that comes in a pop-up screen is a scam.

Also do notice how the scammer will try to earn your trust by showing you as many personal details as possible. Here for example I accessed the Internet via Shaw ISP, and they tried to use that to earn my trust, since they don’t know anything else about me. If you ever did give them your name and email for example and then access the Internet from the same computer (i.e. same IP address) they will use your name too to gain trust.

Have you noticed that since about 2012, when you look at some product on some website, that same product follows you around in ads popping up on other websites? This sneaky method is called re-marketing, and even though you have left the store, the store owner can still try to convince you to buy. It is fine with legit vendors, since the authorities don’t consider re-marketing to be non-kosher. But since scammers use the same approach, we’re in deep trouble.

So the next time you see an offer to make an easy $120, think twice before you say ‘yes’.

When To Use A Fake Email Address When Registering Online

Often it’s hard to tell whether a website is legit or not. And sometimes we do know that the website is shady, but we still want what they have to offer.  Most websites want you to register to get in, and what do they want the most? Your email address. And once they have it, they will sell it to anybody who is willing to buy it, and who will then use it to scam or spam you. There are even large legit companies, who at times sell their email list to another legit but less honest company, who then sells it further and off it goes.

So the best approach in any situation where you aren’t sure is to use a fake email address.

If the website doesn’t require validating your email address, then you can always type something that looks like a valid email:

john.doe@somewhereonline.com

Try not to use gmail and other real email services when you write a non-existing email address, since you’re very likely to pick an actual email address of someone else and now they are going to get a headache due to your action.

The problem is that most websites want to validate that you provided a real email address. So they will email a special link to the address you provided, which you need to click once the email is received, so that they know the email address is real.

If that’s the case (and it is the case 99% of the time), create a secondary email address at one of the free email services like yahoo, hotmail or gmail and start to always use that email address in such cases.

Continue using your real email address for your bank, any online services that are essential for your wellbeing and with your friends. Use the secondary email address for anything else.

You will see that the secondary email address very quickly gets inundated with spam- and scam-type emails. But what do you care? You don’t need to check that email account at all. Only go to that account when you need to “validate” an email for a new site you used it for. Otherwise let those emails pile up.

Of course if you’re going to use that secondary email account like you do with your primary one, you will defeat the purpose of this whole separation. If you do so, don’t bother with creating a secondary account or you will waste even more time.

There are also throw away email services, which keep the email address valid for say one hour so that you could validate it and then they delete it as if it has never existed. But why bother with creating a throw-away email every time, when you can just have one or a few secondary email addresses you can use for the rest of your digital life.

If you weren’t sure whether the website is a good one and you used the secondary email, you can always change your profile and switch it to your primary email address. Therefore you don’t need to be afraid to use the safer choice first and decide to make changes later.

I personally use such secondary email addresses not only for potentially shady websites, but also for almost any newsletters and email subscriptions. I don’t like being bombarded with weekly and daily emails even though I do want to occasionally see what some of those websites share in their newsletters. When I choose to do so, I go to that account and read those newsletters. I like having a choice.

As you can see it’d be very helpful for you to create even more than two email addresses. One that you use exclusively for any purposes that you want to be kept in the loop 24/7. Second, for data feeds that you care to look at sometimes. Third, for anything you’re not sure about.

Blocking Ads

While commercial ads can be useful at times (though very infrequently these days), you can install special software that will block most of the online advertisements from ever showing in your Internet browser, and will definitely stop the crazy pop-ups. The main advantage of using this software is that besides blocking ads, it’ll also block most of the malware that often gets distributed through those ads.

While I do make a little bit of money from ads appearing on my websites, and I only use Google Adsense for this purpose and trust that they are diligent at not allowing any malware in their ads (most of the time), I do recommend that you install ad blocking software, as it’ll make your online experience not only less annoying, but also much safer.

To find the right software, search on Google for your Internet browser name, your platform name and ad blocking. For example, if you’re on Windows OS and you use Chrome, search for:

windows chrome ad blocking

note: if you use firefox, the extension ublock is much more efficient than Adblock at the time of this writing.

Online Identity Theft

Here are a few notes on online identity theft and how it impacts everybody connected to the stolen identities:

Hacked Friends

If someone hacked your friend’s computer, same as with email, the hacker can now write to you via any messaging system, like Facebook, pretending to be your friend and suggest to you to click on some link, because he thinks it’s awesome. As I explained earlier talking about email from friend scams, the weakness of the hacker is that most of the time they have little to no knowledge of the person they have hacked. And as a result of that they can’t provide a good reason for you to click the link, other than some silly:

wow, this is amazing, http://some.link.here/

If you get such a message from a friend, always ask for a context and more background before you click it. Most of the time they will tell you they have no idea what you’re talking about. Of course they don’t know they have been hacked.

Fake Personas

Some years back, when I worked at an email security company, I attended several Internet security conferences. I didn’t go back since the information shared there was truly scary and I didn’t really want to live in fear. But this one is worth sharing with you.

Not all hackers out there just break into accounts and computers. There are some who develop fake personas, e.g. on Facebook, they nurture those with rich, interesting and frequent posts and comments to other people’s posts, establishing themselves as experts and trend makers, creating huge following, and so on. These fake personas are then sold or rented to people who want to manipulate your opinion and then if you happen to be a follower of such a fake persona, they can, for example, relatively easily sway you politically to impact the current or future elections. Of course they can do many other things, which have nothing to do with causing direct damage to your computer or stealing your data or money. Manipulating minds is much more powerful than stealing material goods.

So unless you met someone in person and can be reasonably sure of their true identity, when you talk to someone online you really have no idea who you’re talking to. I hope that’s a sufficient revelation.

If It’s On Google It Must Be True

I will conclude this essay with another common fallacy.

Somehow, because people have been using Google search so much and have got such excellent value from doing so, they now blindly believe anything that appears on Google’s search pages. Beware, Google is just a search engine and has no way of validating anything it displays. It just shows you what’s available, and you need to do your homework to tell what’s legit and what’s not.

Moreover, as of recent Google has started to have the chutzpah to post authoritative information in the search results without any validation of such postings. Currently they post it in the right column of the Internet browser on desktop computers or at the top of the page on mobile devices. While it works for converting grams to ounces and some other things that just can’t go wrong, they are so wrong at times. For example, I have just happened to search for Somananda, who is a contemporary Tantra yoga teacher.

https://www.google.com/search?q=Somananda

gives us at the time of this writing this:

Not only is this the wrong person in the photo, the person in the photo is alive and well, as I happen to know him. But Google tells me that he lived in the 8th century and has been long dead.

The person in the photo is Dharmananda, the 21st-century Somananda’s brother. He has no relation whatsoever to the 8th-century Somananda, other than that Dharmananda has been studying and practicing some teachings of Somananda from the 8th century. So you can see how Google’s algorithms connected things up, except they packaged it all wrong.

note: Of course it’s possible that when you read this article and you click the link Google could have fixed this very invalid authoritative information. Which would be wonderful. And it’d be the best if they have removed this not so clean feature altogether (other than converting grams to ounces or current time). We have enough of disinformation going on already in the world at large.

As of recent I have seen at least a few other examples where Google presented something which was either absolutely wrong, or was only presenting one side of a story, and not necessarily the most correct one. For example, try to research chakras and it’ll give you authoritative information on chakras which was invented in the New Age and which is often very far from what authentic thousand-year-old Yoga tells us.

To clarify I’m not talking about Google showing links to various websites, which may or may not be wrong. It has no magic powers to know that. I’m talking about Google displaying information in a box on the search result pages.

So kids, repeat after me all together, “if it’s on Google it must be true!”


Now that you have studied these notes on common online attacks on yourself, please make sure to read “How To Reduce the Risk Of Getting Scammed and Owned Via Email”, dedicated to teaching you to identify and avoid attacks delivered over email, to which most people are very vulnerable.

If you have other online security tips that are not too complex for a lay person to benefit from please share in the comments below. Thank you.

