News
8. 2. 2023

3 Pieces of Good Advice to Boost Your Online Security

Let's see how our senses can deceive us in this new and amazing online space.

The unprecedented development of communication technologies and the gradual shift of day-to-day activities to online is a fact that is, I am convinced, beyond any discussion. Children and teenagers of today do not dream of becoming an astronaut or a car racer, instead, they talk of becoming a YouTuber or even a content creator. We order pizza or a cab ride using a mobile app, we pay our bills and invoices using a bank app, we buy shares online through our broker and I don’t even need to write about something as obvious as online shopping.

But let’s take a look at how our own senses can deceive us in this amazing brave new online world. We will also illustrate how hackers and scammers exploit this, and, in particular, we will give you specific tips on how to improve your online security while still fully reaping the benefits of technological progress.

Advice No. 1: Use of passwords

Choose unique and strong passwords for each online service. This advice is so obvious that hardly anyone reads it anymore, yet it is still 100% relevant. Computing power and password-guessing methods have improved so much lately that guessing a simple password is only a matter of seconds or minutes. Let’s see how the simple password “charlie123”, which according to https://www.security.org/how-secure-is-my-password/ would take 1 minute to crack, could be improved. So, what should such a password look like?

  • The password should be at least 8 characters long (longer is better: every extra character multiplies the guessing effort) and contain a combination of upper- and lower-case letters, special characters, and numbers.
  • Also, your password should be unique for each individual service.
  • You should not use personal information that can be easily traced in your password.
  • Yet, it should be easy to remember.

Tip: to create such a password, use a sentence that matters to you; its emotional charge makes it easy to remember. The sentence “My dog Charlie is No. 1” could then be transformed into “MdgChrl15#1”. This is how you come up with an easy-to-remember password that, by the same estimate, would require 4,000 years to be cracked by password guessing. Quite an upgrade from a couple of minutes, don’t you think? (Do not reuse this exact example: once a password has appeared in an article, it goes straight into attackers’ wordlists.)
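To make the difference between the two passwords concrete, here is an added Python example (not code from the original article). It contrasts the naive “years to crack” figure that online estimators compute from the character set and length with what a rule-based guesser actually does: try common words with common suffixes first. The wordlist and suffix rules are a constructed toy set, and the guessing rate of 10 billion guesses per second is an assumption (an offline attack on a fast, unsalted hash); the page’s online tool uses its own model, so its figures differ.

```python
import string

# Constructed toy wordlist and suffix rules (assumption of this example); real attacks use
# leaked-password lists with hundreds of millions of entries and far richer mangling rules.
WORDLIST = ["password", "charlie", "summer", "dragon", "monkey", "letmein"]
SUFFIXES = ["", "1", "12", "123", "1234", "2023", "!", "123!"]

# Assumed offline guessing rate: a GPU rig against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10


def pattern_candidates():
    """Guesses in the order a rule-based attack tries them: word, casing variant, common suffix."""
    for word in WORDLIST:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield variant + suffix


def guesses_needed(password: str):
    """Number of pattern guesses before `password` is found, or None if it lies outside the pattern space."""
    for n, guess in enumerate(pattern_candidates(), start=1):
        if guess == password:
            return n
    return None


def brute_force_keyspace(password: str) -> int:
    """Size of the naive search space: (alphabet size) ** length, where the alphabet is the
    union of the character classes actually used. This is what 'years to crack' tools estimate."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return alphabet ** len(password)


def brute_force_years(password: str) -> float:
    """Years needed to exhaust the naive keyspace at the assumed rate."""
    return brute_force_keyspace(password) / GUESSES_PER_SECOND / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("charlie123", "MdgChrl15#1"):
        print(pw, "pattern guesses:", guesses_needed(pw),
              "brute-force years:", f"{brute_force_years(pw):.3g}")
```

“charlie123” is a dictionary name plus the most common suffix, so the pattern attack finds it on the 28th guess no matter how large its brute-force keyspace looks; “MdgChrl15#1” is not in any such pattern, so the attacker really is pushed back to brute force, where the 94-character alphabet and 11-character length make the search take thousands of years at the assumed rate.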

Of course, while this mnemonic can be helpful, given how many such passwords we actually need nowadays, this approach may not suit everyone. Let’s take a look at a few pro tips that will help make your logins more secure:

  • Use a password manager. The complexity of your password becomes irrelevant if you have it scribbled somewhere (in a file on your PC or on a post-it note) in unencrypted form. This is precisely the problem password managers solve: they are purpose-built programs that store your passwords in a vault encrypted on your device with a key derived from your master password, so not even the manager’s provider can read the stored passwords until you unlock the vault with that master password. You then need to remember only one strong password; the manager generates and fills in all the others for you. An overview of the most frequently used password managers can be found HERE.
  • Use multi-factor authentication. Under this principle, you must supply one more factor in addition to the password, and you are authenticated only after both have been entered. This raises your security because an attacker who has compromised your password would also have to steal your second factor (for example, the phone running your authenticator app) to do you any harm. One caveat: a one-time code can still be phished if a fake site tricks you into typing it in and relays it to the real service within the code’s validity window, so the link checks in Advice No. 2 still matter. We recommend this approach especially when logging in to really important applications and services such as online banking. Apps providing this type of login can also be found HERE.
  • Keep backup emails and phone numbers current. Today, when they detect suspicious activity or handle account recovery, many service providers use the email address or phone number you entered during registration. Make sure you still have access to these backup emails or phone numbers and that they are up to date; an abandoned recovery mailbox that someone else can take over is a ready-made way to reset your password.

Advice No. 2: (Dis)trust and verify

Trust but verify, goes the old adage, and nowadays it could easily be upgraded to distrust and verify. Let’s look at one study that discusses user behavior in the online environment. Whoops, are you saying that the link didn’t lead to any study at all? Let us apologize for a harmless joke: you have just found out how a lot of scammers work in principle. Using similar techniques (and not only these), they can direct you to fraudulent sites that look almost the same as the ones you are familiar with.

Our eyes that have served us so well during our evolutionary journey deceive us here at first sight. The description of the link itself (or an email or a website) may not have anything to do with its actual content. Of course, in most situations, these links and descriptions are very appropriate, because they make it easier for the user to navigate the Internet – the link to the Aliter Technologies site looks better and is clearer than the link to the https://www.aliter.com/ site.

Some tips on how not to be tricked by this scam:

  • Before you actually click a link, preview where it really leads: hover the mouse cursor over it without clicking and the real address appears in the status bar or a tooltip (on a touch screen, long-press the link instead). Shortened links hide the final destination, so treat them with the same suspicion as an unreadable address.
  • Check the domain. What matters is the registrable domain: the name immediately to the left of the last dot together with the letters after it. In the case of www.aliter.com, it is obvious that the website is, in fact, aliter.com. With www.akutne-info-aliter-com.domain.info (a purely fictitious address), this is not so obvious anymore: the registrable domain is domain.info, which has nothing to do with aliter.com, and “aliter” appears only inside a subdomain that the owner of domain.info can name however they like. Note that for some country endings the registrable part has three labels (something.co.uk, for example).
  • Does the page have a certificate? Any reputable service uses one, so that the connection between you and the website is encrypted, which is why the small “s” in “https” at the start of the address is important. Bear in mind, though, that certificates are issued cheaply to anyone who controls a domain, so a fraudulent site can show the padlock too: https proves you are talking privately to domain.info, not that domain.info is your bank. Check the domain first.
  • It is better to be cautious than to regret anything later. In case of any doubt, do not click the link and do not enter your data on the site. For important services such as online banking, verification over the phone should go without saying, using a number from the bank’s official website or the back of your card, never a number given in the suspicious message itself.
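The domain check above is mechanical enough to automate, and doing so shows the tricks a quick glance misses. The following Python is an added example (not code from the original article) that applies the list’s checks to a URL: scheme, text before an “@” (which browsers ignore, so https://www.aliter.com@evil.example really goes to evil.example), punycode labels that can hide look-alike characters, and the registrable domain compared against the one you expect. The fictitious hosts come from the text; the short list of multi-label public suffixes is an assumption standing in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (publicsuffix.org): endings under which
# names are registered one level deeper. A real check should use the full list; this
# shortlist is an assumption of the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of a hostname that somebody actually registered: the label left of the
    public suffix plus the suffix itself (aliter.com in www.aliter.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str, expected_domain: str) -> dict:
    """Apply the checks from the list above and report what a careful reader should notice."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    expected = expected_domain.lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not https: the connection is not encrypted")
    if parts.username is not None:
        findings.append(f"text before '@' is ignored by the browser; the real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host: may use look-alike characters from another alphabet")
    domain = registrable_domain(host)
    if domain != expected:
        findings.append(f"registrable domain is {domain}, not {expected}")
        brand = expected.split(".")[0]
        if brand in host:
            findings.append(f"'{brand}' appears only inside a subdomain chosen by the owner of {domain}")
    return {"host": host, "domain": domain, "legit": not findings, "findings": findings}


if __name__ == "__main__":
    for link in ("https://www.aliter.com/",
                 "https://www.akutne-info-aliter-com.domain.info/login",
                 "https://www.aliter.com@evil.example/login"):
        print(link, inspect_link(link, "aliter.com"))
```

The registrable-domain rule is the one worth memorizing: everything to the left of it is under the control of whoever registered the domain, so a familiar brand name in that position proves nothing.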

Advice No. 3: Fraudulent emails and text messages

Although the previous advice should, in principle, protect you from fraudulent emails, considering the frequency and impact of scam attempts, we have decided to pay more attention to this particular phenomenon. Let’s start by explaining why online attackers use email scams so extensively. Email communication today is so prevalent and so cheap that we don’t even think about it. We use our email address to make online purchases, or we set it up on our social network pages as a means of contact with others. Whether we like it or not, these email addresses (harvested online or bought on black markets) also become available to online attackers. This is a fact that we simply have to accept, and we need to be prepared for it. You can take very good care of your email address, but a service provider with whom you used it may have been breached, and you are already on the scam hit list. If you combine this fact (the easy availability of email addresses) with the low cost of sending email, you get an ideal tool for sending a fraudulent email to a large number of users at almost zero cost.

As illustrated in our second advice, where a completely different website was hidden behind a link, a very similar principle works with emails. The issue is further intensified in email, because several scam techniques may be combined. Rather than cataloguing the individual techniques, let’s look at the main signs by which to recognize a fraudulent email or text message (SMS):

  • A sense of urgency – fraudulent emails usually try to evoke a sense of urgency. In the email subject line, you often find phrases such as ‘Stolen password – password reset required’, ‘Blocked account – password reset required’ or perhaps ‘Please pick up your package delivery’.
  • Forged email sender – the email only pretends to be legitimate. It may look as if it came from any Slovak bank, for example from “slovakbankname@slovakbankname-reset-password.domain.info”. The important indicator here is the domain, domain.info, which certainly does not belong to any Slovak bank; everything to the left of it is just text the attacker defines as needed. Look at the actual address, not only the display name shown next to it, which can be set to anything.
  • Generic impersonal address – these emails are typically sent to thousands of users so you will rarely find a correct salutation. In most cases, you will at best be addressed as ‘Dear User’ or perhaps ‘Dear Customer’.
  • Fraudulent links – fraudulent links are very common in exactly these types of emails. The technique described above, hovering over the link with your mouse or cursor instead of clicking it, works well here, too.
  • Attachments – more often than not, an attachment will come along with the email, and your first reaction should not be to open it and see what it is about. Be careful with every single attachment that arrives in your mailbox. Executable attachments (.exe, .msi) and scripts are the obvious danger, but archives (.zip) and even documents (.pdf, .docx) are also suspicious, because they can carry macros, scripts or exploits. Watch out for double extensions such as invoice.pdf.exe, which a system that hides known extensions displays as a harmless-looking invoice.pdf.
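Every sign in this list can be checked by a program, and mail filters do exactly that. The following Python is an added example, not code from the original article, that scores a raw email against the signs above: urgency in the subject, a sender address whose domain is not the expected one, a generic greeting, link text that shows one host while the href points to another, and risky or double-extension attachments. Both messages are constructed for the example; the forged address is the fictitious one from the text, and slovakbankname.sk is an assumed placeholder for the bank’s real domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

URGENCY_PHRASES = ("password reset required", "blocked account", "stolen password",
                   "within 24 hours", "immediately")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear client")
RISKY_EXTENSIONS = {".exe", ".msi", ".scr", ".js", ".vbs", ".bat", ".zip", ".docm", ".xlsm"}
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".doc", ".xlsx", ".jpg", ".txt"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL, or of bare text that looks like 'www.example.sk/path'."""
    if "://" not in text:
        text = "https://" + text
    return (urlsplit(text).hostname or "").lower()


def phishing_indicators(raw_message: str, expected_domain: str) -> list:
    """Return the signs of fraud found in `raw_message`, given the domain the sender claims to be."""
    msg = message_from_string(raw_message)
    indicators = []

    subject = (msg["Subject"] or "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        indicators.append("urgency: subject pressures you to act")

    _display_name, address = parseaddr(msg["From"] or "")
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if sender_domain != expected_domain and not sender_domain.endswith("." + expected_domain):
        indicators.append(f"forged sender: address domain is {sender_domain}, not {expected_domain}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            pieces = filename.lower().split(".")
            if "." + pieces[-1] in RISKY_EXTENSIONS:
                indicators.append(f"risky attachment: {filename}")
            if len(pieces) >= 3 and "." + pieces[-2] in DOCUMENT_EXTENSIONS:
                indicators.append(f"double extension hides the real type: {filename}")
            continue
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            plain = re.sub(r"<[^>]+>", " ", html).lower()
            if any(g in plain[:200] for g in GENERIC_GREETINGS):
                indicators.append("generic impersonal greeting")
            collector = LinkCollector()
            collector.feed(html)
            for href, text in collector.links:
                if "." in text and host_of(text) != host_of(href):
                    indicators.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return indicators


# Constructed sample messages (not real mail). The forged address is the fictitious one from the text.
SAMPLE_PHISHING = """From: "Slovak Bank" <slovakbankname@slovakbankname-reset-password.domain.info>
To: user@example.com
Subject: Blocked account - password reset required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>Log in at <a href="https://www.slovakbankname-reset-password.domain.info/login">https://www.slovakbankname.sk/login</a> within 24 hours.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""

SAMPLE_LEGIT = """From: "Slovak Bank" <info@slovakbankname.sk>
To: user@example.com
Subject: Your monthly statement
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Dear Ms. Novak,</p><p>See <a href="https://www.slovakbankname.sk/statements">your statements</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("phishing", SAMPLE_PHISHING), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw, "slovakbankname.sk"))
```

The check compares the visible link text with the real href exactly as the hover trick does, and it reads the address inside the angle brackets rather than the display name, because the display name is free text for the attacker to fill in.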

Unfortunately, the very nature of these threats, i.e., that they rely on social engineering, makes it basically impossible to ensure one hundred percent protection against fraudulent SMS or emails. Although the technologies for recognizing fraudulent emails have advanced considerably, so have the methods for generating them. At the end of the day, it is an endless battle between the scammers and the tech companies that develop tools to protect users from this fraudulent content. Unfortunately, more often than not, the good guys have the odds stacked against them.

The only universal advice we can give you at this moment is to be prudent and use your critical thinking. It is very unlikely that we will get rid of fraudulent emails or SMS any time soon, which is why it is always better to check any suspicious email through an alternative communication channel, for example by calling your bank, or simply by staying alert and observing carefully whether an email or a text message shows the signs of fraudulent communication. And, above all, be careful when entering login data and one-time codes.