Cybersecurity Insights with Jon Densmore

Jon Densmore is the Chief Information Security Officer for the First Mutual Holding Company.  In this episode of (915) TALK we discuss common internet scams and how you can protect yourself.

You can also listen via the links below or watch the YouTube video at the top of the page. Enjoy!

Apple Podcast

Spotify

iHeart

During this program Jon mentioned security resources. Here they are!

Defenses

Top 5: Do these at a minimum to protect yourself

  • Password manager.  A good password manager will allow you to use strong, unique, randomly generated passwords for each of your accounts.  They will also protect you from fake login pages because the password manager will not provide the password unless it is the legitimate website.  You can also use them to store answers to account verification questions.  The password manager below is free for personal use and will work on Windows, Apple, Android and iPhone.

  • Credit Freeze. A credit freeze will prevent an attacker who has stolen your identity from opening credit cards in your name.  You can temporarily unfreeze your credit if you ever need to and will still have access to other credit reporting services. 

  • Multi-factor Authentication (MFA). This is the process of being required to enter an additional piece of information, such as a 6-digit code, in addition to your password to log in to a site.  While text messaging (SMS) is considered the weakest form of MFA, it is much better than nothing at all, so use it if it is your only option.

  • Do not act on incoming phone calls.  If you receive an incoming call claiming to be from your bank's or credit card's fraud department wanting you to take action on something, politely end the call and call the fraud department back using the number on the back of the card.  Scammers will impersonate banks and credit card companies to steal your identity.

  • Protect your cell phone account with as long a PIN as they will support. Use a random number and store it in the password manager.  Do not use your phone number, birth year, Social Security number or anything that could be associated with you.  If a scammer is able to guess your PIN to convince a phone company that they are you, they can get your phone number switched to a device that they control and start receiving your emails, including password reset ones, and MFA prompts, and take over your accounts.


Additional recommendations for protecting yourself

  • Keep your computer operating system, browser, and applications current on patches

  • Use a regular, non-admin account for your day-to-day activities.  Only use the admin account when you need to make changes to your systems.

  • Have secret/code words for family members. These secret words can be used to verify identity if you ever receive a call from a family member claiming to be kidnapped or in trouble.  This is especially true now that artificial intelligence tools can be used to create voices that can sound like your family members.

  • Do not use generic titles like “mom” or “dad” for phone contacts.  Scammers can use “mom” or “dad” in the caller ID to try to convince you that they are calling from your parent's phone to trick you into thinking they are in trouble.

  • Use an ad blocker.  Web advertisements can be used to spread malware and other malicious activity. 

  • Use a separate, dedicated account, like a refillable gift card, for online purchases. This way if the website or account gets compromised, your loss will be limited to what is on that card.

  • Use a Chromebook. If you primarily use a computer for email, internet search, and basic word processing, a Google Chromebook is a safe and affordable alternative to a Windows or Apple computer.  Since all of your information will be stored online, if the Chromebook ever gets a computer virus, it can be simply reset without losing your data.

  • Use the Windows Sandbox option. In Windows 10 and 11 there is a built-in option called Windows Sandbox that allows you to run a virtual version of Windows within your computer.  You can use this virtual Windows computer to visit any websites that you are not certain of.  When you shut down this virtual computer, everything is deleted and there is no danger of a virus spreading to your main computer.

  • Add the fraud reporting phone numbers for your banks and credit cards to your phone contacts.  This way you will have the correct number if you ever need to call it, and it may help you properly identify if a scammer tries to impersonate one of these services.

  • Be careful of ads in search engine results, especially when looking up numbers. Scammers can buy ads in search engines that will appear at the top of the results.  They will use these ads to set up look-alike websites to deceive people.  It is better to use the phone numbers on the back of your bank or credit card or to go to the official site.

  • Hover over links in emails to verify what they go to.  Hovering a mouse pointer over a web link in an email without clicking on it will show what it actually goes to, which may not be what it claims to be.

  • Do not take action or download files based on a warning from a website. Some malicious websites can display warnings that your computer is infected or has another issue requiring you to download a file or take other actions.  

  • Set up transaction alerts for online banking and credit cards. These can alert you to unusual transactions or transfers so that you can take action and prevent them from completing.

  • Trusted app stores. Only use the official Apple and Android stores for downloading apps for your mobile device.  While not perfect, these stores try to prevent malicious apps from being uploaded.

  • Minimize application permissions. Some applications will request access to phone features such as camera, location, file storage or phone that may not be necessary for the function of the app.  Removing unnecessary permissions can reduce the ability of attackers to exploit these apps.

  • Remove unused phone apps. Remove any mobile device apps that you are no longer using or do not need.  The more apps that you have on your device, the more opportunities there are for a vulnerability to be found and exploited.

  • Use a guest network for non-computer devices such as TVs, doorbells, etc. Keeping these devices on a separate network will reduce the ability of an attacker to compromise your computer if they can get into one of these devices.

  • Keep your router up to date and do not allow external access. Since your internet router is directly connected to the internet, it is very important to make sure that it is current on its patches and is not providing unnecessary access into your network.  The link below will allow you to test this to validate that you do not have unnecessary services exposed to the internet.

  • Wait to post vacation pictures. Posting pictures on social media while you are on vacation can let people that you do not know see that you are not home and that your house is not occupied.  Best to wait until you are home to post those pictures.

  • Do not overshare on social media.  Scammers will search social media to either find ways to send phishing emails to you based on your interests, or to learn things about you and your family that could be used against you.

  • Do not use what you post on social media as passwords or password hints.  This would be account verification questions like “what was your high school mascot”, “where did you meet your spouse” and other similar questions. It is much better to make up answers for these questions, even nonsensical ones, and save those in your password manager for that site.

  • Have someone that you trust that you can reach out to for a sanity check on what you received.  Have a spouse, family member, or friend that you can have double check anything that you receive that you think may be suspicious.  Legitimate offers and requests are never so urgent that you cannot take the time to confer with someone else.

  • Set up shared accounts or at least shared notifications for elderly friends or relatives. The elderly are often the targets of scams; being copied on account alerts can help you keep them from being scammed.

  • Block calls from non-contacts. Doing this will greatly reduce the number of spam phone calls and spam messages that you receive which can reduce the likelihood of you being scammed.  
