[Tech Tip] A Healthy Dose of Skepticism
It seems in these digital days that everybody wants something for nothing, and a lot of people out there turn to fraud and deception to get it.
Be careful who you trust!
A lot of the people I talk to about security are concerned about who they shouldn’t trust. I would suggest that this is the wrong way to think about trust on the internet. The question shouldn’t be who not to trust; the question is who you should trust.
When it comes to emails, websites, phone calls, and the like, don’t trust most of what you receive, see, or hear. Your trust should be a very hard thing to earn! It’s your email account, your computer, your Facebook page. Keep them safe! Unless someone has given you explicit cause to trust them, be skeptical.
Let’s go through some of this in more depth. Here’s where we’re going: emails, websites, and telephone calls.
Emails
A common technique for trying to steal your precious data is to send a sketchy email, sometimes containing an even sketchier attachment, from what might seem like a legitimate source. These can be masquerading as the Postal Service, your bank, your mom, or even appear to come from your own email address. It’s really easy to spoof an email address: the “From” line is just text the sender typed, and nothing forces it to match where the message actually came from.
Don’t open it! Don’t download the attachment! For the love of all things, don’t unzip and then install that attachment!!
Unless you know that the person who supposedly sent that email would actually be sending it, you can pretty safely ignore it. If you don’t reasonably expect an attachment from someone, they probably didn’t send it. When in doubt, ask them through a channel you already trust (walk over, or call a number you already have) rather than replying to the message.
For example, we here in the Tech Services department would never send you an attached zip file containing anything that you should install. We have lots of ways that we can install those things (sometimes even remotely). If you get a message from some “systems administrator” asking you to “install the attached patch immediately or else the world will end,” it is not from us! That’s just not how we work.
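To make the “easy to spoof” point concrete, here is an added example (not code from the original tip or from Tech Services) that pulls apart the sender of two constructed messages. The first claims to come from your own campus address, exactly as described above, but its envelope sender (the Return-Path line, which is the address bounces go to) points somewhere else. The domain names, addresses and message text are all made up for this example.

```python
"""Pick apart the sender of a constructed email to show how little the From: line proves."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages for this example (not real mail). The first one
# claims to come from your own campus address, but its envelope sender
# (Return-Path) is at a completely different domain.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-1234@mailer.evil-example.net>
From: Systems Administrator <you@campus.example.edu>
To: you@campus.example.edu
Subject: Install the attached patch immediately

Please unzip and run the attached file or the world will end.
"""

LEGIT_MESSAGE = """\
Return-Path: <helpdesk@campus.example.edu>
From: Tech Services <helpdesk@campus.example.edu>
To: you@campus.example.edu
Subject: Printer maintenance on Friday

The third-floor printer will be offline Friday morning.
"""


def sender_details(raw: str) -> dict:
    """Return what the From: line claims next to where the mail was really sent from."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_address = parseaddr(str(msg["From"]))
    # Return-Path is the envelope sender; it is absent on mail that never left the server.
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    return {
        "display_name": display_name,
        "from_address": from_address,
        "from_domain": from_address.rpartition("@")[2].lower(),
        "return_path_domain": return_path.rpartition("@")[2].lower(),
    }


def looks_spoofed(raw: str, trusted_domain: str) -> bool:
    """True when the mail claims a sender at trusted_domain but the envelope does not back that up.

    Assumption for this example: real mail from trusted_domain always carries a
    Return-Path at that same domain. That holds for a typical campus mail server,
    not necessarily for newsletters or mailing lists.
    """
    d = sender_details(raw)
    claims_trusted = d["from_domain"] == trusted_domain.lower()
    envelope_matches = d["return_path_domain"] == trusted_domain.lower()
    return claims_trusted and not envelope_matches


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, sender_details(raw), "spoofed?", looks_spoofed(raw, "campus.example.edu"))
```

A mismatched Return-Path is a red flag, not a verdict: bulk mailers and mailing lists legitimately send from another domain, and an attacker who controls the sending server can forge Return-Path too. The authoritative sender checks (SPF, DKIM and DMARC) run on the receiving mail server, not in your inbox, which is why the advice above is about whether you expected the message, not about header forensics.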
Websites
Another common technique to steal that data of yours is phishing. This is where an attacker sets up a page that looks exactly like your bank’s login page (or Facebook, Twitter, etc.), but actually hands whatever username and password you type straight to the attacker.
Check the URL! Use HTTPS. Always!!
If you think you’re logging into your bank, but the URL in the address bar is www.iswearthisisyourbank.com, guess what. It’s not your bank. Any time you’re entering sensitive information online, check that you’re actually on the website you think you’re on. The part that matters is the domain name right before the first slash after https://, read from the right: an address like yourbank.com.example.net or yourbank.com@example.net takes you to example.net, not to your bank, no matter how much of your bank’s name appears earlier in it.
Furthermore, if the information is really sensitive (any username/password, credit card information, social security number, etc.), be absolutely sure that it’s transmitted safely. Make sure that you see https:// in the address bar, there’s a lock icon, and you haven’t clicked through any certificate warnings. If https:// is not there, put it there. If it’s not available on that website, you should contact the webmaster and ask them to make it available. Usually, you can email webmaster@somewebsite.com to get in touch with someone who can speak with some reasonable authority on that particular website. One caveat: the lock only means the connection is encrypted to whoever owns that address. Phishing sites can get certificates too, so HTTPS is necessary but it is not proof that you’re on the right site; the URL check is what tells you that.
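Here is an added example (not from the original tip) that applies the two checks in this section, HTTPS and the right domain, to a handful of URLs, including the lookalike from the text and the two tricks that fool people most often: the bank’s name stuffed in front of the real domain, and the bank’s name placed before an @ sign, where a browser treats it as a login name rather than the host. The domain yourbank.example stands in for a real bank and is an assumption of the example.

```python
"""Check a URL the way the text recommends: HTTPS, and the host really is your bank's."""
from urllib.parse import urlsplit

# Assumption for this example: the real bank lives at yourbank.example
# (a reserved placeholder name, not a real bank).
EXPECTED_DOMAIN = "yourbank.example"


def _host_of(url: str) -> str:
    # .hostname already drops any "user:pass@" prefix and ":port" suffix and lowercases.
    return (urlsplit(url.strip()).hostname or "").rstrip(".").lower()


def is_expected_site(url: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """True only if url uses HTTPS and its host is expected_domain or a subdomain of it."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = _host_of(url)
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def explain(url: str, expected_domain: str = EXPECTED_DOMAIN) -> str:
    """One-line verdict saying which check failed, for the URLs people actually get fooled by."""
    parts = urlsplit(url.strip())
    host = _host_of(url)
    if parts.scheme.lower() != "https":
        return f"not HTTPS (scheme is {parts.scheme!r})"
    if parts.username is not None:
        return f"'{parts.username}@' before the host is a login name; the real host is {host}"
    if is_expected_site(url, expected_domain):
        return f"ok: host {host} belongs to {expected_domain}"
    return f"host is {host}, not {expected_domain}"


if __name__ == "__main__":
    # Constructed sample URLs: one real login page, then the lookalike from the text
    # and the common tricks.
    for url in (
        "https://www.yourbank.example/login",
        "http://www.yourbank.example/login",
        "https://www.iswearthisisyourbank.com/login",
        "https://yourbank.example.evil-example.net/login",
        "https://yourbank.example@evil-example.net/login",
        "https://yourbank-example.net/login",
    ):
        print(f"{url:55} {explain(url)}")
```

Two limits worth knowing: the check assumes you know the bank’s exact registered domain (for something like example.co.uk you would compare against the whole registrable name, not just co.uk), and a lookalike built from foreign-alphabet characters shows up here as an xn-- encoded host, which simply fails the match. Passing the check says you are talking to the owner of that domain; it says nothing about whether that owner is honest.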
Telephone Calls
One of the most popular ways to get sensitive information out of people is with a technique called social engineering. This is where an attacker calls or emails you posing as someone who you would normally trust. Maybe they tell you their name is Casey and they’re the new guy in IT, and they just need to double check your password.
Maybe they tell you they just got hired in the admissions office for some part-time, remote work and need a list of the recent graduates along with their phone numbers and emails.
Don’t trust anybody who calls or emails unexpectedly and asks for sensitive information.
You can simply tell them that it’s not information you can give out. Tell them they should come visit you in person to talk about the information they’re seeking. Tell them you’ll have to double-check with the department head about their status before you can perform any business-related function for them. If they claim to be from IT or another department, hang up and call that department back on the number in the directory, not a number they give you. And nobody who legitimately works in IT ever needs your password; we can reset it without knowing it.
Conclusion
If you’re still with me, you’ve earned a gold star. I want to sum this all up as easily as I can:
Your sensitive data is the most valuable thing that you or your company has. You should give it the same level of protection that you would give your teenage daughter on prom night. Bad people are trying to take it from you. Don’t let them have it!