Do you use the same password for all websites? Do you overshare on Facebook? If so, you're a target for cybercriminals – whose computer scams are costing Britain £27bn a year. We asked experts for their top tips to beat the fraudsters
Article by: James Silver
Cybercrime costs Britain £27 billion a year: don't make it easy for the fraudsters.
We're high up in the Gherkin in the City of London and Garry Sidaway, director of security strategy at Integralis, a firm which advises government agencies, pharmaceutical and financial services multinationals, is giving my computer a security MOT. "You don't have anti-virus software, I see," he says, a trace of mockery in his voice. "That's your first mistake."
According to Sidaway, while most of us are much more aware of the risks now ("My mum shreds her documents even if she doesn't know why," he says), we should all be raising the bar. He thinks we Britons are an overly trusting lot: sitting ducks for an armada of hackers who are every bit as focused on stealing our data as we are relaxed about storing it. "The criminal gangs know exactly which kind of data they want and where it is likely to be," he explains. "Conversely we're not sure what they're after."
So what are they after, I ask? "We are seeing a wide variety of attacks – everything from opportunists trying to extract passwords through phishing [emails which purport to be from legitimate sources and attempt to get us to click on an infected link] to highly organised crime units targeting businesses and government systems in an effort to steal intellectual property and information related to critical infrastructure."
The government estimates that the total cost of cybercrime in the UK is £27bn a year. The majority (£21bn) is committed against businesses, which face high levels of intellectual property theft and industrial espionage.
Enabled by the sharing culture on social media – and with ever more sophisticated malicious software known as malware at their disposal – cybercriminals have become far more adept at crafting attacks and targeting individuals and organisations. Phishing emails purporting to be from friends, often reflecting our interests – perhaps gleaned from social media sites – or from trusted organisations such as your bank or HM Revenue & Customs encourage us to click on infected links or attachments containing malware. (A recent example of the latter was malware disguised as a security warning from Microsoft's digital crimes unit.) "We have a level of trust in certain organisations and criminals exploit that trust," says Sidaway.
Typically, these so-called "man-in-the-middle" attacks install colourfully named Trojans (pieces of malware, essentially) such as Zeus, SpyEye or Citadel on computers, which have the effect of compromising, for example, online banking transactions. "Everything you then do on your compromised laptop is subverted through a hacking site which means when you [communicate] with your bank, you are going through a man in the middle. Initially, man-in-the-middle attacks were passwords used in authentication – the criminal would wait until you had finished to start using the credentials they'd just gathered. This is why banks brought in one-time passwords or codes," he says.
"But more recent malware will perform a man-in-the-middle attack to obtain the user's session (a session is created after a user logs in successfully and the browser and the bank's website use this to continue the interaction) and fake the logout requests. Once the user thinks they've logged out, the attacker can make payments using the existing session without the victim seeing any changes to their balance until the next time they log on. This is partly why banks have rolled out card readers to help prevent payments to new payees." He adds: "It's a constant game of cat and mouse."
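The defence against the "fake logout" trick Sidaway describes is that the bank's server, not the browser, decides when a session ends, and that a payment to a new payee needs a fresh second factor (the card-reader code). The following is an added illustration of that server-side logic in Python; it is not code from the article or from any bank, and the class name, the idle timeout and the payee names are constructed for the example.

```python
"""Server-side session store: logout invalidates the token on the server,
idle sessions expire, and a payment to an unknown payee needs a step-up
second factor. Added example; names and values are constructed."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self.sessions = {}                        # token -> session record

    def login(self, user, now=None):
        token = secrets.token_urlsafe(32)         # unguessable session identifier
        self.sessions[token] = {
            "user": user,
            "last_seen": time.time() if now is None else now,
            "stepped_up": False,                  # set after a card-reader code
        }
        return token

    def logout(self, token):
        # The server forgets the session; a token that malware kept in the
        # browser is useless afterwards even though the user thinks nothing changed.
        self.sessions.pop(token, None)

    def touch(self, token, now=None):
        """Return the session record if the token is valid and not idle-expired."""
        now = time.time() if now is None else now
        rec = self.sessions.get(token)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.idle_timeout:
            del self.sessions[token]              # expire silently kept-alive sessions
            return None
        rec["last_seen"] = now
        return rec

    def confirm_second_factor(self, token, code, expected, now=None):
        """Mark the session as stepped-up if the one-time code matches."""
        rec = self.touch(token, now)
        if rec is None:
            return False
        if secrets.compare_digest(code, expected):  # constant-time comparison
            rec["stepped_up"] = True
            return True
        return False

    def make_payment(self, token, payee, known_payees, now=None):
        rec = self.touch(token, now)
        if rec is None:
            return "rejected: no valid session"
        if payee not in known_payees and not rec["stepped_up"]:
            return "rejected: new payee requires card-reader code"
        rec["stepped_up"] = False                 # one step-up covers one payment
        return f"paid {payee}"


def demo():
    """Walk through the scenarios from the article with constructed data."""
    store = SessionStore(idle_timeout=300)
    known = {"electricity supplier"}
    t0 = 1_000_000.0
    tok = store.login("alice", now=t0)
    results = [store.make_payment(tok, "electricity supplier", known, now=t0 + 10)]
    results.append(store.make_payment(tok, "unknown payee", known, now=t0 + 20))
    store.confirm_second_factor(tok, "483920", "483920", now=t0 + 30)
    results.append(store.make_payment(tok, "unknown payee", known, now=t0 + 40))
    store.logout(tok)                             # a real logout, not a faked one
    results.append(store.make_payment(tok, "electricity supplier", known, now=t0 + 50))
    tok2 = store.login("alice", now=t0 + 60)
    results.append(store.make_payment(tok2, "electricity supplier", known, now=t0 + 361))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last two results are the point: after `logout` the old token is refused regardless of what the browser still holds, and a session left idle past the timeout is refused too, so a session that malware keeps alive has a bounded lifetime.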
1. Never click on a link you did not expect to receive
The golden rule. The main way criminals infect PCs with malware is by luring users to click on a link or open an attachment. "Sometimes phishing emails contain obvious spelling mistakes and poor grammar and are easy to spot," says Sidaway of Integralis. "However, targeted attacks and well-executed mass mailings can be almost indistinguishable [from genuine emails]." Social media has helped criminals profile individuals, allowing them to be much more easily targeted, he adds. "They can see what you're interested in or what you [post] about and send you crafted messages, inviting you to click on something. Don't."
2. Use different passwords on different sites
With individuals typically having anything up to 100 online accounts, the tendency has become to share one or two passwords across accounts or use very simple ones, such as loved ones' names, first pets or favourite sports teams. Indeed, research by Ofcom last month revealed that over half of UK adults (55%) use the same passwords for most, if not all, websites they visit, while one in four (26%) use birthdays or names as passwords. Any word found in the dictionary is easily crackable. Instead, says Sian John, online security consultant at Symantec, have one memorable phrase or a line from a favourite song or poem. For example: "The Observer is a Sunday newspaper" becomes "toiasn". Add numerals and a special character thus: "T0!asn". Now for every site you log on to, add the first and last letter of that site to the start and end of the phrase, so the password for Amazon would be "AT0!asnn". At first glance, unguessable. But for you, still memorable.
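The per-site scheme above is a small deterministic procedure, so it can be written down exactly. This is an added Python rendering of it, not code from the article or from Symantec; the character substitutions it applies ("o" to "0", "i" to "!", first letter upper-cased) are an assumption read off the single worked example in the text, and the function names are the author's own.

```python
"""The article's per-site password recipe: initials of a memorable phrase,
a digit and a special character swapped in, then the site's first and last
letter wrapped around it. Added example; substitution rule is inferred."""
import re

# Assumption: the only swaps visible in the article's example are o -> 0 and i -> !
SUBSTITUTIONS = {"o": "0", "i": "!"}


def initials(phrase):
    """'The Observer is a Sunday newspaper' -> 'toiasn'."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return "".join(w[0].lower() for w in words)


def harden(core):
    """'toiasn' -> 'T0!asn': apply the substitutions and capitalise the first letter."""
    chars = [SUBSTITUTIONS.get(c, c) for c in core]
    chars[0] = chars[0].upper()
    return "".join(chars)


def site_password(phrase, site):
    """Wrap the hardened core with the site's first and last letters."""
    letters = re.sub(r"[^A-Za-z]", "", site)
    if not letters:
        raise ValueError("site name must contain at least one letter")
    return letters[0].upper() + harden(initials(phrase)) + letters[-1].lower()


def passwords_for(phrase, sites):
    """Derive the password for each site in one go."""
    return {site: site_password(phrase, site) for site in sites}


if __name__ == "__main__":
    for site, pw in passwords_for("The Observer is a Sunday newspaper",
                                  ["Amazon", "eBay", "Gmail"]).items():
        print(f"{site:8} {pw}")
```

Because the derivation is deterministic, the memorable phrase is the real secret: every per-site password follows from it, so it should be kept as private as the passwords themselves.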
3. Never reuse your main email password
A hacker who has cracked your main email password has the keys to your [virtual] kingdom. Passwords from the other sites you visit can be reset via your main email account. A criminal can trawl through your emails and find a treasure trove of personal data: from banking to passport details, including your date of birth, all of which enables ID fraud. Identity theft is estimated to cost the UK almost £2bn a year.
4. Use anti-virus software
German security institute AV-Test found that in 2010 there were 49m new strains of malware, meaning that anti-virus software manufacturers are engaged in a constant game of "whack-a-mole". Sometimes their reaction times are slow – US security firm Imperva tested 40 anti-virus packages and found that the initial detection rate of a new virus was only 5%. Much like flu viruses and vaccine design, it takes the software designers a while to catch up with the hackers. Last year AV-Test published the results of a 22-month study of 27 different anti-virus suites and the top-scoring packages were Bitdefender, Kaspersky and F-Secure. Meanwhile, security expert Brian Krebs published the results of a study of 42 packages which showed on average a 25% detection rate of malware – so they are not the entire answer, just a useful part of it.
5. If in doubt, block
Just say no to social media invitations (such as Facebook-friend or LinkedIn connection requests) from people you don't know. It's the cyber equivalent of inviting the twitchy guy who looks at you at the bus stop into your home.
6. Think before you tweet and how you share information
Again, the principal risk is ID fraud. Trawling for personal details is the modern day equivalent of "dumpster-diving", in which strong-stomached thieves would trawl through bins searching for personal documents, says Symantec's John. "Many of the same people who have learned to shred documents like bank statements will happily post the same information on social media. Once that information is out there, you don't necessarily have control of how other people use it." She suggests a basic rule: "If you aren't willing to stand at Hyde Park Corner and say it, don't put it on social media."
7. If you have a "wipe your phone" feature, you should set it up
Features such as Find My iPhone, Android Lost or BlackBerry Protect allow you to remotely erase all your personal data, should your device be lost or stolen. "Absolutely, set it up," advises Derek Halliday of mobile security specialist Lookout. "In the case where your phone is gone for good, having a wipe feature can protect your information from falling into the wrong hands. Even if you didn't have the foresight to sign up, many 'wipe your phone' features can be implemented after the fact."
8. Only shop online on secure sites
Before entering your card details, always ensure that the locked padlock or unbroken key symbol is showing in your browser, cautions industry advisory body Financial Fraud Action UK. Additionally the beginning of the online retailer's internet address will change from "http" to "https" to indicate a connection is secure. Be wary of sites that change back to http once you've logged on.
9. Don't assume banks will pay you back
Banks must refund a customer if he or she has been the victim of fraud, unless they can prove that the customer has acted "fraudulently" or been "grossly negligent". Yet as with any case of fraud, the matter is always determined on an individual basis. "Anecdotally, a customer who has been a victim of a phishing scam by unwittingly providing a fraudster with their account details and passwords only to be later defrauded could be refunded," explains Michelle Whiteman, spokesperson for the Payments Council, an industry body. "However, were they to fall victim to the same fraud in the future, after their bank had educated them about how to stay safe, it is possible a subsequent refund won't be so straightforward. Under payment services regulations, the onus is on the payment-service provider to prove that the customer was negligent, not vice versa. Credit card protection is provided under the Consumer Credit Act and offers similar protection."
10. Ignore pop-ups
Pop-ups can contain malicious software which can trick a user into verifying something. "[But if and when you do], a download will be performed in the background, which will install malware," says Sidaway. "This is known as a drive-by download. Always ignore pop-ups offering things like site surveys on e-commerce sites, as they are sometimes where the malcode is."
11. Be wary of public Wi-Fi
Most Wi-Fi hotspots do not encrypt information and once a piece of data leaves your device headed for a web destination, it is "in the clear" as it transfers through the air on the wireless network, says Symantec's Sian John. "That means any 'packet sniffer' [a program which can intercept data] or malicious individual who is sitting in a public destination with a piece of software that searches for data being transferred on a Wi-Fi network can intercept your unencrypted data. If you choose to bank online on public Wi-Fi, that's very sensitive data you are transferring. We advise either using encryption [software], or only using public Wi-Fi for data which you're happy to be public – and that shouldn't include social network passwords."
12. Run more than one email account
Think about having one for your bank and other financial accounts, another for shopping and one for social networks. If one account is hacked, you won't find everything compromised. And it helps you spot phishing emails, because if an email appears in your shopping account purporting to come from your bank, for example, you'll immediately know it's a fake.
13. Macs are as vulnerable as PCs
Make no mistake, your shiny new MacBook Air can be attacked too. It's true that Macs used to be less of a target, simply because criminals used to go after the largest number of users – ie Windows – but this is changing. "Apple and Microsoft have both added a number of security features which have significantly increased the effectiveness of security on their software," says Sidaway, "but determined attackers are still able to find new ways to exploit users on almost any platform."
14. Don't store your card details on websites
Err on the side of caution when asked if you want to store your credit card details for future use. Mass data security breaches (where credit card details are stolen en masse) aren't common, but why take the risk? The extra 90 seconds it takes to key in your details each time is a small price to pay.
15. Add a DNS service to protect other devices
A DNS or domain name system service converts a web address (a series of letters) into a machine-readable IP address (a series of numbers). You're probably using your ISP's DNS service by default, but you can opt to subscribe to a service such as OpenDNS or Norton ConnectSafe, which redirect you if you attempt to access a malicious site, says Sian John. "This is helpful for providing some security (and parental control) across all the devices in your home including tablets, TVs and games consoles that do not support security software. But they shouldn't be relied upon as the only line of defence, as they can easily be bypassed."
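To make concrete both what a filtering DNS service does and why it "can easily be bypassed", here is an added toy model in Python. It is not OpenDNS's or Norton's code; the blocklist, the upstream answers and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Toy filtering resolver: names in (or under) a blocked domain are answered
with a block-page address, everything else is passed to the upstream
resolver. Added example; all data below is constructed."""
import ipaddress

BLOCKLIST = {"malicious.example", "phish.example"}          # constructed
BLOCK_PAGE = "192.0.2.1"                                     # constructed, RFC 5737 range
UPSTREAM = {                                                 # constructed stand-in for a real resolver
    "www.bank.example": "198.51.100.10",
    "www.malicious.example": "203.0.113.5",
    "login.phish.example": "203.0.113.6",
}


def is_blocked(name):
    """True if the name or any parent domain is on the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(name):
    """What the filtering service returns for a name lookup."""
    if is_blocked(name):
        return BLOCK_PAGE          # the 'redirect' the article mentions
    return UPSTREAM.get(name.lower())


def connect(target):
    """A client's view: an IP literal never goes through DNS, so the filter
    is not consulted at all. That is one of the easy bypasses."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        return resolve(target)


if __name__ == "__main__":
    for t in ["www.bank.example", "www.malicious.example", "203.0.113.5"]:
        print(f"{t:24} -> {connect(t)}")
```

The parent-domain matching in `is_blocked` is why a whole zone can be blocked with one entry; the `connect` function shows that anything which skips the lookup (an address typed directly, a device configured to use a different resolver) skips the protection too, which is the caveat Sian John gives.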
16. Enable two-step verification
If your email or cloud service offers it – Gmail, Dropbox, Apple and Facebook do – take the trouble to set this up. In addition to entering your password, you are also asked to enter a verification code sent via SMS to your phone. In the case of Gmail you only have to enter a fresh code every 30 days or when you log on from a different computer or device. So a hacker might crack your password, but without the unique and temporary verification code should not be able to access your account.
17. Lock your phone and tablet devices
Keep it locked, just as you would your front door. Keying in a password or code 40-plus times a day might seem like a hassle but, says Lookout's Derek Halliday, "It's your first line of defence." Next-generation devices, however, are set to employ fingerprint scanning technology as additional security.
18. Be careful on auction sites
On these sites in particular, says Symantec's Sian John, exercise vigilance. "Check the seller feedback and if a deal looks too good then it may well be," she says. "Keep your online payment accounts secure by regularly changing your passwords, checking the bank account to which it is linked and consider having a separate bank account or credit card for use on them, to limit any potential fraud still further."
19. Lock down your Facebook account
Facebook regularly updates its timeline and privacy settings, so it is wise to monitor your profile, particularly if the design of Facebook has changed. Firstly, in the privacy settings menu, under "who can see my stuff?" change this to "friends" (be warned: setting this to "friends of friends" means that, according to one Pew study, on average you are sharing information with 156,569 people). Also in privacy, setting "limit old posts" applies friends-only sharing to past as well as future posts. Thirdly, disable the ability of other search engines to link to your timeline.
You should also review the activity log, which shows your entire history of posts and allows you to check who can see them. Similarly, you should look at your photo albums and check you're happy with the sharing settings for each album. In the future you may want to consider building "lists" – subsets of friends, such as close friends and family, who you might want to share toddler photographs with, rather than every Tom, Dick and Harriet.
Also, remove your home address, phone number, date of birth and any other information that could be used to fake your identity. Similarly you might want to delete or edit your "likes" and "groups" – the more hackers know about you, the more convincing a phishing email they can spam you with. Facebook apps often share your data, so delete any you don't use or don't remember installing. Finally, use the "view as" tool to check what the public or even a particular individual can see on your profile, continue to "edit" and adjust to taste. If this all sounds rather tedious, you just might prefer to permanently delete your account.
20. Remember you're human after all
While much of the above are technical solutions to prevent you being hacked and scammed, hacking done well is really the skill of tricking human beings, not computers, by preying on their gullibility, taking advantage of our trust, greed or altruistic impulses. Human error is still the most likely reason why you'll get hacked.
Ransomware gains access to a computer the same way as any kind of virus or computer worm - either through getting the user to open an infected email, navigate to a compromised website or install an infected program.
Once inside the computer, it can bombard a user with pop-ups and warnings, lock a user out of parts of the computer, or remove important files from the host computer and threaten them with deletion.
Users are then ordered to pay a ransom to the cybercriminal in order to get back access to their files.
Sometimes the ransomware will pose as an official warning from a government agency or police force to encourage payment.
Victims are often given a time limit within which to pay and ransoms can vary in price from tens to hundreds of pounds. Often ransoms are demanded in an untraceable cryptocurrency, such as Bitcoin, to make them harder for law enforcement to trace.
Security experts agree that you should never pay the ransom. Brian Kennedy from US security consultancy iSight said that paying up won't guarantee you'll regain control of your device or files.
"Some ransomware operators will refuse to unlock your device even after you've paid, and demand more money or attempt to defraud you by other means with the financial information you've provided them," Kennedy added.
Unfortunately, if a serious ransomware virus has already infected and encrypted certain files, it is not possible to recover them. The decryption key is held by the cybercriminal and the algorithms themselves are too complex to break.
The only way to fully secure yourself against losing your files to ransomware or a virus is to keep your personal files backed up on an external hard drive not connected to the internet.
Ryan Olson, of security company Palo Alto Networks, says: "You need to have good, off-site backup. And if you're a business then it's really important to have a really well thought-out backup plan."
"I expect ransomware to stick around and continue to be a thorn in our side as long as it continues to make money for people."
By TOM MORGAN, Tech Writer at Which?
If you find yourself using a virus-ridden computer, you could have your personal data stolen and sold on.
On top of that, your PC or Mac will run slower than it should, sometimes making it entirely unusable.
It’s now more important than ever to keep your computer protected. But what’s the best way to stay secure?
Having up-to-date virus protection helps, but there are other ways to guard your tech.
Here are some top tips from consumer group Which?
Two-step verification is a security measure that makes it tougher for hackers to access your online accounts.
Lots of services make use of the system, with Gmail, Facebook and Apple accounts being popular examples. You won’t always be forced to set it up, but you should if it’s an option.
Usually, when logging into a service with two-step verification, a unique code will be sent to a ‘trusted device’ of your choosing, which adds an extra layer of security.
If you want to secure your Gmail inbox with two-step, you’ll need the Authenticator app. Every time you want to log in, a unique, one-time code will be displayed on your phone for 60 seconds. After time runs out, the code expires and a new one is generated.
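Both the SMS codes in tip 16 of the first article and the rotating Authenticator codes described here are one-time codes, and the app variety is generated from a shared secret and the current time (RFC 6238, TOTP, built on the HMAC-based HOTP of RFC 4226). The following is an added Python implementation of that algorithm; it is not Google's or Which?'s code. The secret is a constructed test value, and because RFC 6238's default time step is 30 seconds while the article describes a 60-second code, the step is a parameter.

```python
"""Time-based one-time codes as authenticator apps generate and services
verify them (RFC 6238 over RFC 4226). Added example; secret is constructed."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=60, digits=6):
    """The code shown on the phone: HOTP with counter = floor(time / step).
    The article's app rotates every 60 s; RFC 6238's default is 30 s."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify(secret, code, at=None, step=60, digits=6, window=1):
    """Server side: accept the current code and `window` neighbours either way
    to tolerate clock skew, comparing in constant time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    # Constructed demo secret; a real one is provisioned per account via the setup QR code.
    demo_secret = b"12345678901234567890"
    now = time.time()
    code = totp(demo_secret, now)
    print("current code:", code, "valid:", verify(demo_secret, code, now))
```

The expiry the article describes falls out of `int(at // step)`: once the clock crosses a step boundary the counter changes and so does the code, and a code captured earlier is rejected once it leaves the verification window, which is what makes a stolen password alone insufficient.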
It’ll come as no surprise to hear that antivirus software keeps your PC or Mac protected, but you can improve its effectiveness by relying less on manual scans.
Most popular antivirus tools support the feature. If you’re a Norton user, for example, set up scheduling by clicking Security, then Scans. From there, click Custom Scan. Under the Edit Scan window, you’ll spot an option that asks When do you want the scan to run? Adjust it in a way that suits you.
For users running Malwarebytes, open the app, click Settings and then head down to Automated Scheduling.
To see which antivirus software packages we recommend for top-notch protection, see Which?'s antivirus reviews page.
It's also essential to keep your antivirus protection up to date.
When installing third-party software on Windows or Mac, you’ll be told if the source is an ‘unidentified developer’. If that’s the case, think twice before downloading.
That brings us onto a similar topic – ads. If you see a box on the side of your screen telling you that your system is ‘infected’, the chances are you’re looking at a fake alert designed to encourage you to download dodgy software.
Earlier this year, a widespread pop-up scam advised Google Chrome users to install a ‘missing font’ called HoeflerText. In actual fact, it linked through to malware.
If you spot an advert that looks suspicious, don’t interact with it at all, as some feature a fake ‘X’ or ‘close’ button: a sneaky trick that could catch you out if you’re not careful.
Google Chrome Extensions are in-browser apps that can do everything from generating discount codes on shopping sites to displaying news headlines. Not all of them are good news, though.
In the past, we’ve seen malicious software install data-grabbing extensions inside Chrome. Last year, Malwarebytes uncovered an extension called iCalc. It was described as a free calculator, but was actually a tool that could read everything you were typing online.
If you use Google Chrome as your default web browser, make sure you’re familiar with the apps inside your Extensions folder.
Open your browser, click Settings, then Extensions. If you don’t see an extension you recognise, select Details to see what information it has access to. Remove it by clicking the bin icon.
Phishing scams impersonate legitimate websites and services to try and get you to give up your personal information.
Often, phishing messages look like they’re from recognisable services you already use. One example we’ve seen mimics a PayPal document, but actually infects your system with malware if you click the links included.