SUPPORTING OTHERS TO BE SAFE ONLINE

Welcome

  • Hello everyone, and welcome to today’s talk for Cyber Safe Scotland week. Today, I’ll be covering three important areas of how to stay safe online – passwords, fake emails, and fake websites – with a focus on how we can recognise the risks, and also on how we as practitioners can help others stay secure, especially as the usual security advice can create barriers for disabled people, and in particular for people with learning difficulties.

    Because of some of the limitations of the webinar medium – especially when being hosted through GoToMeeting – I'll do a Q&A session at the end. Feel free to comment on any posts as we go through and then these can be addressed in the Q&A too.
    • Hi. Me and my brother were chatting and this guy came in and said he was a hacker and he was 30. If you have information pls tell me thanks  CONSTANCE HINOJOS

Passwords

  • Passwords are everywhere. You need to use them for accessing your email; your banking; your Amazon account; your social media; your Netflix account; or doing any online shopping, to give but a few examples.

    They keep potentially sensitive data safe and secure. For example, I might have sent a copy of my passport and national insurance number via email to an employer. I might have bought a present on Amazon that I don’t want people to know about yet. I might wish to keep the fact that I have purchased something on Amazon secret by not letting people access my bank statements.


    Passwords are also important because they confirm that you are ‘you’ when doing anything online. If a fraudster had my Amazon password, or the password of any of my shopping accounts, they could buy things using my card. If they had access to my email password, they could send emails to my boss, my family, or anyone they wanted. If they had access to my banking password, they could drain all my funds, apply for a loan in my name, and drain that too! Even worse, if fraudsters have my Netflix password, they can then fill up my ‘recommended’ list with absolute rubbish, like my partner does.

    At a basic level, passwords are important because they allow you to access services; access records of how you have interacted with services; and verify your identity online.

    So how can we keep ourselves safe online? There are two aspects of password security that work together: strong passwords and unique passwords.

Strong passwords

  • Strong passwords are passwords that are difficult to guess. This means that it is hard for hackers and fraudsters to access your account.

    Why is this important? Although it is tempting to think that hackers are sat trying to guess your password, entering one attempt after another, it is sadly much more scary than this. The likelihood is that a hacker will use algorithms to try passwords at a rate that a person can’t match. This is called a brute force attack. Using a standard desktop – as in, the computer you are currently using – hacking software can easily surpass 2.8 billion guesses per second. Using more advanced equipment it can be even greater. So, how can we keep ourselves one step ahead of hackers?

    There are six things to make sure you include in a password to make it strong. These are:

  • 1. Upper case letters

    Use capital letters in your password. This makes it more difficult to guess, and will take a hacker longer to crack. 
  • 2. Lower case letters

    Be sure to use lower case letters too, as having some variety in your characters will take hackers longer.

  • 3. Numbers

    Using numbers in your passwords makes them more difficult to guess, and therefore more secure.
  • 4. Special characters

    Adding some special characters to your password will help make sure your password is extra safe. 
  • The maths behind passwords

    To illustrate the importance of this, let’s consider a short (6 characters) password that can only contain lower case letters. Perhaps abcdef. Or maybe sussex. Or maybe dbowie. For each character, there are 26 possibilities (the 26 lower case letters), which means that there are 308,915,776 possibilities (26x26x26x26x26x26, or 26^6). This means that if a hacker knows the parameters of this password (i.e., 6 characters long, and all lower case letters), it could be cracked in less than a tenth of a second.

    However, if we allow upper case letters, then it becomes 52^6. If we then add numbers, it becomes 62^6. And if we add special characters, then it becomes 96^6. This is 782,757,789,696 different possibilities: over 2500 times bigger. A good start, but it will still only take a hacker less than 4 and a half minutes to crack this.

    However, there are still two more things to consider when creating a secure password.
  • 5. Length

    Make sure your password is at least 9 characters long, but if you can manage longer then do. The longer the password, the longer it will take a hacker to crack it.

    Many passwords have a minimum length of 8 characters. This brings the time a hacker needs from 4 and a half minutes to over 9 hours – however, if we use a password that is 9 characters long then the time increases to 4 weeks. A password that is 10 characters long would need 6 years to be hacked.
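The arithmetic behind the figures above, as an added example in Python (this is not code from the talk). It assumes the 2.8 billion guesses per second quoted above and that every character is drawn from an alphabet of the stated size; the alphabet sizes and the set of lengths it tabulates are the ones discussed in the text. The times it prints are straight worst-case arithmetic at that rate, so they will not match a tool that assumes a different rate or character set.

```python
# Added example, not part of the original talk: the keyspace arithmetic used
# above, at the talk's quoted rate of 2.8 billion guesses per second.

ALPHABET_SIZES = {
    "lower": 26,                        # a-z
    "lower+upper": 52,                  # a-z and A-Z
    "lower+upper+digits": 62,           # plus 0-9
    "lower+upper+digits+special": 96,   # the talk's count for the full set
}

GUESSES_PER_SECOND = 2.8e9   # rate the talk quotes for a standard desktop


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters from an alphabet of
    `alphabet_size` symbols: alphabet_size ** length (26**6 = 308,915,776)."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to try every password in the keyspace at `rate` guesses/second.
    On average an attacker finds the password after about half this time."""
    return keyspace(alphabet_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("weeks", 7 * 24 * 3600),
             ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2f} seconds"


def crack_table(lengths=(6, 8, 9, 10, 12)) -> list:
    """(alphabet, length, keyspace, worst-case time) for each combination."""
    return [(name, n, keyspace(size, n), human_time(worst_case_seconds(size, n)))
            for name, size in ALPHABET_SIZES.items() for n in lengths]


if __name__ == "__main__":
    for name, n, space, t in crack_table():
        print(f"{name:27} length {n:2}  keyspace {space:>26,}  worst case {t}")
```

Running it shows the two effects the text describes side by side: widening the alphabet multiplies the keyspace by a constant factor per character, while adding a character multiplies it by the whole alphabet size, which is why length wins so quickly.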
  • 6. Unobviousness

    Don’t use things that are easily guessed, like special dates, names, places: for example, 19091993, or MichaelC93, or Aberdeen1! are all very weak passwords, despite the fact that they largely comply with the above rules. They may not be quick to crack in a brute force attack, but they could all be easy to guess. Keep your passwords strong against this sort of attack by making them difficult to guess. 
  • How strong is my password?

    Now, as I have found out when researching this webinar, the theory behind creating strong passwords is really quite dull, and seems rather distant and theoretical. We understand the necessity for strong passwords, but we rarely bother to actually create them.

    So, to illustrate the need to create a strong password, I would like everyone to follow this link to howsecureismypassword.net, and once you have this loaded, type in one of your passwords. Just for peace of everyone's mind, the website is secure and doesn't record your password!

    How did you get on? Do you feel more confident or less confident in the strength of your password now? Did anyone find that their password would be cracked instantly? Comment below with how you got on!
    • Yes, I'm happy with my strong password :-) ANONYMOUS

Unique passwords

  • However, strong passwords are only half the battle. To keep yourself safe, you must also use unique passwords.

    A unique password is a password that is only used for one account. Using unique passwords means that if an account is compromised, then hackers will not be able to access other accounts. For example, if my Amazon account was hacked, hackers wouldn’t be able to use these details to then access my internet banking, my emails etc.

    Now, when I was writing this webinar I had a think about all of the accounts that I have and use semi-regularly. Having spent 10 minutes thinking about it, I found that I have over 50 accounts for things that I have used in the last three months. This shows the importance of having unique passwords – if I use the same password for everything, then a hacker would have essentially unfettered access to my life. However, it also illustrates the difficulty with password security: how is anyone supposed to remember 50 unique passwords, especially if they also follow the rules about how to keep their passwords strong?

  • Password creation

    Creating new passwords that are both strong and unique can be quite daunting. There are several ways in which this can be done (another method will be discussed shortly), but perhaps the easiest way of creating strong, unique passwords is to use a password generator (such as passwordsgenerator). These create passwords according to the length that you specify. For example:

    8 characters
    +&Qw6PG$

    12 characters
    KT8GxYqc=2@F

    16 characters
    UnP5?6F=rqh*J!vj

    These passwords are all strong and unique, and generated in less than a second. In an ideal world, you could generate a new password for each of your accounts and then your password security would be excellent. 

    However, password security is not necessarily very accessible. People with learning difficulties, dyslexia, and low literacy skills might all find a generated password difficult to read, and therefore difficult to remember correctly. 

    So, how can we balance the need for strong unique passwords with the barriers they can create?

Accessible password security

  • There are, I think, two main options that we should consider when looking at how to balance security with accessibility.
  • High tech

    The first is to use strong, unique, possibly generated passwords, but then to outsource the need to read or remember them: as the barriers are created by technology, let’s turn to technology for a solution.

    A secure way of keeping passwords safe is to use an aptly named password safe. Password safes are applications or software that allow you to add account details such as usernames and passwords. Password safes are password protected, so this will keep your passwords safe in the event of a hacker gaining access to your computer. You can link devices (such as mobile phones, tablets and computers) using your Google Account, so that you can access your password safe on any of your devices, and without the need to update your laptop if you add an account on your phone, for example. Some of the best free password safes are pwsafe.org and keepass.info.
  • Password safes: pros and cons

    The benefit of password safes is that you only need to remember one password to access the database you create. This password will of course need to be strong and unique, but it removes a lot of the work. It also means that users can use a password generator to generate a password, and then copy and paste this into the password safe. When they next need to enter the password, they can then copy and paste this into the password box. This helps overcome barriers for people with learning difficulties and low literacy skills, because it removes the need to be able to read the password easily, as well as the need to be able to accurately re-write it.

    However, this raises the question – we still need to create a strong, unique password that can be remembered without needing to use a password safe. How, then, do we create strong, unique passwords that are memorable?
  • Low tech

    The other method for keeping passwords safe is to write passwords down on paper and keep this in a safe place. Although this is not perfect, it is better to risk accounts being compromised in this way than to create weak, non-unique passwords to begin with, as hackers are much more likely to crack a bad password than to find your paper. You can use this with generated passwords to create strong, unique passwords, or you could use the method described in the next section.

Overcoming literacy or memory barriers for passwords

  • I think the solution to this barrier is to use a memorable short phrase or collection of words as a password. For example:

    KeithElginForres15%

    TheJungleBook88*

    RabbitCatDog93?

    These passwords all have the benefit of being strong, and the format can easily be adapted to make them personally meaningful.

    For example, the first example is made up of the first three stations heading north from Huntly, but the idea of using three memorable points on a journey can be tailored to an individual.

    To ensure this meets all the requirements of creating a strong password, add a number or two and a special character or two on to the end. As a pattern, this might be more easily guessed, but I think it strikes the balance between security and accessibility. To make this aspect easier to remember, I would suggest using the special character that sits on the same key as the last number, so that the last two characters are, for example, 7& or 1!: this is user friendly as there is less to remember.
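Putting the password creation section and this one together in code: a random generator of the kind shown in the Password creation section, a builder for the "three words + number + matching special character" pattern described here, and a checker for the six rules. This is an added example and not code from the talk. It assumes a UK keyboard layout for the digit-to-symbol mapping (Shift+7 gives &, Shift+1 gives !, as in the text); the character set uses Python's 94 printable letters, digits and punctuation rather than the talk's count of 96; and the short "obvious words" list standing in for rule 6 is constructed for illustration, where a real check would use a breached-password list.

```python
# Added example (not from the original talk): random password generation, the
# memorable "words + number + matching symbol" pattern, and the six-rule check.
import re
import secrets
import string

SPECIALS = string.punctuation   # 32 ASCII symbols; letters+digits+these = 94
ALPHABET = string.ascii_letters + string.digits + SPECIALS

# Assumption: UK keyboard layout, Shift + digit gives these symbols, so the
# symbol is "on the same key" as the number as the talk suggests.
UK_SHIFT_SYMBOL = {"1": "!", "2": '"', "3": "£", "4": "$", "5": "%",
                   "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}

# Constructed stand-in for rule 6 (unobviousness): names, places and common
# words the talk warns against. A real check would use a breached-password list.
OBVIOUS = {"password", "michael", "aberdeen", "qwerty", "letmein"}


def generate_password(length: int = 12) -> str:
    """Random password from a CSPRNG, guaranteed to contain at least one
    upper case letter, one lower case letter, one digit and one special."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
    chars = [secrets.choice(pool) for pool in pools]          # one from each class
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)   # so the guaranteed ones are not always first
    return "".join(chars)


def memorable_password(words, number: int) -> str:
    """Join capitalised words, append the number, then the symbol that shares a
    key with its last digit: (keith, elgin, forres), 15 -> KeithElginForres15%."""
    body = "".join(word.capitalize() for word in words)
    digits = str(number)
    return body + digits + UK_SHIFT_SYMBOL[digits[-1]]


def check_rules(password: str, min_length: int = 9) -> dict:
    """Which of the talk's six rules the password satisfies."""
    lowered = password.lower()
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
        "length": len(password) >= min_length,
        # rule 6: no obvious word and no four-digit year (19xx / 20xx)
        "unobvious": not any(word in lowered for word in OBVIOUS)
                     and not re.search(r"(19|20)\d{2}", password),
    }


def is_strong(password: str) -> bool:
    return all(check_rules(password).values())


if __name__ == "__main__":
    for candidate in (generate_password(16),
                      memorable_password(["rabbit", "cat", "dog"], 93),
                      "Aberdeen1!", "19091993"):
        print(f"{candidate:24} {check_rules(candidate)}")
```

The generator draws every character with the `secrets` module rather than `random`, which matters here: a password generator seeded from the clock is exactly the kind of pattern a brute-force tool can reproduce. The rule checker treats the three weak examples from the Unobviousness point (19091993, MichaelC93, Aberdeen1!) as failing rule 6 even though they pass the character rules, which is the point that section makes.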

Fake emails

  • Malware

    There are two types of fake email scam that we really need to be concerned about. The first wants you to click a link, or download an attachment, and this can then infect your computer with malware. This malware could be something like ransomware, which restricts access to your computer until you have paid a fee; a virus that infects your computer, stopping it working properly, or maybe deleting files; or, perhaps even more sinister, malware that can take control of your webcam and microphone and record you. Malware can also allow scammers remote access to your computer, and this, combined with keylogging software, means that scammers can have complete knowledge of everything you do on your computer, including what your card details are. Malware is capable of many other insidious acts too, such as opening backdoors to allow other malicious software access to your computer; downloading and installing more malicious software; or pretending to be antivirus software which needs renewing, for a fee. As such, avoiding these scams is vital when it comes to staying safe online and when using technology.
  • Phishing & 419 scams

    The other type of email scam is called phishing. This involves a scammer sending emails which try and trick you into revealing your details, such as card details, usernames, and passwords; or trick you into paying for services which you do not need to pay for. Closely related to this is the 419 scam, where a scammer promises you a substantial return for a small admin fee.

Malware

  • How do malware scams work?

    Malware emails often try and trick users into opening them and clicking links or downloading attachments. We might see an email that doesn’t seem to be for us, and want to find out if it is. We open it, and the details in the email don’t make anything any clearer. So we open the document. It doesn’t seem to be for us, and we then forget about it. Except the malware has now been downloaded. As such, malware emails often look completely innocuous – it might look like an email from someone we don’t recognise, but they have a name that sounds ‘legitimate’. While we may be on guard if we see an email from XXXOFFERSXXXRE_AL_DE_ALS@verydodgyscams.com, we are less likely to be suspicious of something with a more traditional sounding business name (for example ‘BroadbandSolutions@bsnet.com’).

    Malware is also commonly delivered in fake emails that purport to be from legitimate companies or organisations that we may have interactions with. For example, last week I had an email purporting to be from Netflix with an annual review attached. These malware emails might claim to come from banks, local authorities, utility providers, credit card providers, and other big names such as Amazon.

    Finally, malware scams can seem to come from individuals we have never met or heard of before, as well as from people saved in our contacts list if they have been a victim of a malware scam. 


    The image below shows a malware email.

Phishing

  • Phishing emails often try and seduce us with an offer that is too good to be true, or worry us into giving details or making payments.

    For example, phishing emails often put pressure on you to do something immediately. You must reply within 24 hours, otherwise this fantastic offer will no longer exist.

    One of the most insidious phishing scams at the moment says that you have been found guilty of something – often tax fraud – and the police have been notified and will be on their way in the next 45 minutes, at which point you will be arrested. However, as it is your first offence you have been given the opportunity to make a one-off payment of £200, £500, £1000 and this will stop any police action.

    It is easy to see how this could frighten someone, especially if they have low money management skills, into paying money to fraudsters. These sorts of phishing emails often use lots of legal sounding words which don’t necessarily mean much, or quote made up legislation – “this is contrary to article 5 of the UK tax laws”. 

    Other phishing emails might seem to be from your bank warning you about suspected fraud, and asking you to move money into a secure holding account that they have kindly set up for you. Or they may appear to be from your energy provider explaining that there has been an error with your bill, and you are either due a substantial rebate, or else you owe them significant amounts of money. In these circumstances, the pressure is also often applied with a time limit: we have been trying to reach you, and this money is due to be written off/this debt will be passed onto the courts.

419 scams

  • 419 scams are another type of phishing scam which many people are familiar with, or have at least heard of.

    You are contacted by someone who claims to be the agent of someone fabulously wealthy with a proposition for you. They have stashed £30m in a safe deposit box during recent upheavals, but can now no longer access it without the new government/the UN etc. becoming aware of it and confiscating it. However, if you provide your bank details they can transfer this into your account, letting you keep a 10% cut of the money for your troubles.

    Or maybe you have been lucky enough to win the Irish lottery, and you simply need to pay a small administrative fee to access your winnings. Maybe it isn’t actually that small a fee, but what is a few hundred pounds now you are a multimillionaire?

    The image below is an example of a 419 scam.

How to recognise scam emails

  • 1. The sender’s address isn’t right

    Reputable companies usually register a domain (although this is less likely with small companies). A domain is the part of the email address after the @. For example, the domain for my work email is @lead.org.uk.

    If you have an email you are not sure about, first hover your mouse over the sender’s email address, and make a note of the sender’s domain. Now, search for the actual company’s email address: do the domains match? If not, then the email is likely to be spam.


    The image below shows an example of a false domain.
  • 2. Don't you know who I am!?

    Is the email addressed to you (James Smith, Mrs. M Miller etc), or is it addressed to ‘customer’, ‘client’, ‘Sir/Madam’ or some other generic opening?

    Does this match what the sender has called you before, or what you would expect to be called?

    Banks, utility companies, local authorities – anyone who could conceivably take you to court over non-payment – will have your full name, and will use it.


    The image below shows a malicious email with a generic greeting.
  • 3. Links in the email look strange

    Before you click on any links, hover the mouse over it. This should bring up the destination URL. Does this look right to you?

    If this looks strange – maybe it is very long, or the domain doesn’t match what you would expect – then don’t click on it: it could well be spam.


    The image below shows how a fake link might appear.
  • 4. Spelling, punctuation, and grammar mistakes

    If you have received an email that has errors in spelling or punctuation, then this could help show it is a scam. This is especially true if the email claims to come from a large organisation, as they often use mail merge software to send out essentially pre-written correspondence which will have gone through several phases of quality control, leaving employees needing only to enter names and tailor specific elements to the recipient.

    If the email is full of grammatical errors, this can indicate it was written in a different language and then put through translation software like Google Translate. Many scams originate overseas in countries where British English is not spoken as the main language, so scammers need to translate their work to reach an English-speaking audience.


    The image below shows a badly written email.
  • 5. The email is life-changing

    As the saying goes: if it seems too good to be true, it probably is. Many phishing emails and 419 scams promise you a vast sum for minimal effort – you can have £3m for letting someone put money in your bank account for a few days, or, for the payment of a modest fee you can access your winnings on a lottery you don’t really remember playing.

    These sorts of things don’t happen in real life.


    The image below shows a typical 419 scam.
  • 6. You have been contacted at all.

    One of the most common phishing scams at present claims to be from HMRC, advising you have made an error and you have tax to pay immediately. Alternatively, you have been found to be in credit and HMRC would like to process a refund. 

    Some organisations, such as HMRC, will never contact you via email about fines, charges, and bills. If you receive an email claiming to be from HMRC, delete it straight away.


    The image below shows an example of a bogus HMRC scam.
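Checks 1 to 3 above (the sender's domain, a generic greeting, and where the links really point) can be run as code rather than by eye, which is one way to make them accessible. The block below is an added example and not part of the talk; the sample message, every domain in it, and the expected domain passed to the checker are constructed for illustration, and the registrable-domain helper is a crude stand-in for a proper public suffix list. It also flags the short-deadline language the Phishing section describes.

```python
# Added example (not from the original talk): checks 1-3 above applied to a
# constructed scam email, using only the Python standard library.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

GENERIC_GREETINGS = ("dear customer", "dear client", "dear sir/madam",
                     "dear valued customer", "dear user")

# Constructed sample modelled on the patterns described above; not a real message.
# The lookalike sender domain and the link domain are made up (.example is reserved).
SAMPLE = """\
From: "Netflix Billing" <billing@netf1ix-support.com>
To: customer@example.org
Subject: Your account will be suspended in 24 hours
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>We could not proccess your payment. Please
<a href="http://netflix.com.account-verify.example/login">update your details</a>
within 24 hours or your acount will be closed.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect href targets: the equivalent of hovering over each link (check 3)."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host: str) -> str:
    """Crude registered-domain extraction: last two labels, or three for
    .co.uk / .org.uk style hosts. Real code should use a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "gov", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_email(raw: str, expected_domain: str) -> list:
    """Return warning strings for the checks the talk describes. Assumes a
    single-part message (no attachments), which is all the sample needs."""
    msg = message_from_string(raw)
    warnings = []

    # 1. Sender's address: the domain after the @ should be the real company's
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if registrable_domain(sender_domain) != expected_domain:
        warnings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", body).lower()   # plain text for greeting/urgency checks

    # 2. Generic greeting instead of your name
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        warnings.append("generic greeting (not addressed to you by name)")

    # 3. Links whose real destination is not the expected domain
    collector = LinkCollector()
    collector.feed(body)
    for link in collector.links:
        host = urlsplit(link).hostname or ""
        if registrable_domain(host) != expected_domain:
            warnings.append(f"link points to {host!r}, not {expected_domain!r}")

    # Pressure to act quickly, as described in the Phishing section
    if re.search(r"\b(24|48) hours\b|immediately|suspended", text):
        warnings.append("pressure to act within a short deadline")
    return warnings


if __name__ == "__main__":
    for warning in triage_email(SAMPLE, "netflix.com"):
        print("WARNING:", warning)
```

Note that the link check looks at the registrable domain rather than the start of the hostname: `netflix.com.account-verify.example` begins with a familiar name but is registered under `account-verify.example`, which is precisely the trick a quick glance at a hovered URL misses.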

Accessible email security

  • Now, any of these by themselves should make you wary, and if two or more are present I suggest that you simply delete the email.

    But just deleting emails – especially emails claiming you are in trouble – can be impossible if you have anxiety, and picking up on spelling issues or peculiarities in domains can be difficult if you have learning difficulties, dyslexia, or low levels of literacy. So how can we make email security more accessible?

  • If there is an email which seems like it might be suspicious, then the best thing to do is contact the organisation or person it claims to be from.

    However, do not use any contact details that are present in the email. Search for the contact page of their website, and then phone or email them using these details. This means that if the email is fake, you won’t simply be contacting the scammer. The organisation will be able to tell you if the email is fake or not – if it is then just delete it; if it is not, then the organisation will be glad to know that their correspondence is causing concern.

    Never open emails or download attachments until you have done this.

  • How to contact an organisation

    Scammers are highly sophisticated, so do not copy and paste details from a suspicious email and search to see if these are legitimate. This is because scammers can quite easily create a fake website – with a matching domain name – and the relevant contact details. If you were searching for a specific email address, the webpage with this on it would then appear at the top or near the top of your search results, further making it appear legitimate.

Scam email avoidance

  • How can we avoid scams?

    Unfortunately, no matter what we do, we are unlikely to completely avoid email scams. However, there are two things we can do to reduce our chances of being exposed to them. 
  • The first thing we can do is make sure our spam filters are turned on. It sounds simple, and while spam filters are certainly not infallible, making sure spam filters are set can help catch fake emails before we have to worry about them. For example, today my spam filter has intercepted and dealt with 9 different spam emails, including emails trying to convince me to invest in ‘underground bitcoin’; telling me I had won £22 million on the Euromillions; and wanting me to contact my bank immediately about suspected fraud.

    The second thing we can do to help prevent our exposure to fake emails is to keep our email addresses safe. This means not putting our email addresses online, for example in the personal information section on social media, and making sure that we tick “do not share my data” boxes when filling in forms online. This helps prevent our data being grabbed by companies that sell this on, and the companies that buy our data are not always the most scrupulous with who they then sell it on to. By preventing our data being available in the first place, we can help stop the flow of fake emails.

Fake and fraudulent websites

  • Fraudulent websites

    Fraudulent websites are the website equivalent of phishing emails, and many phishing emails will link to fake websites.

    Fraudulent websites try and trick you into entering sensitive information – especially card details.
  • Fake websites

    Fake websites are the website equivalent of malware emails. They might try and trick you into installing software (such as a codec, which is required for video players to work) that seems legitimate but is in fact some malware. Alternatively, they may not even ask your permission, and the malware will download when you open the website.

    The image below shows an example of a malware pop up.
  • Both fake and fraudulent websites will use urgency to pressure you into making payments, giving away details, or downloading software. This urgency is evident in the language used, and is also often more literal, with a timer being displayed. This ramps up the pressure so that we feel we don’t have a chance to think about our options.

Pop up scams

  • Some of the most common and convincing fake website scams are based on pop ups which trick you into downloading malware and/or making payments. Here are two of the most common at the moment. 
  • The IT support scam

    The first pop up scam starts with a pop up, where you are informed of suspicious activity on your computer, and told to call an IT technician on the phone number provided. This usually comes with a warning about the damage you might do to your computer if you try and resolve the issue yourself. However, when you phone the number, the scammer might then trick you into giving them remote access, and “resolve” an “issue” they have found – for a fee. Best case scenario, they have done nothing, and you have paid for a worthless service. However, scammers with remote access can be much more malicious and install malware.

    The image below shows a version of the IT support scam.
  • The illegal material scam

    Another common scam works in a similar way to the police scam mentioned in the fake email section. You are browsing a website and a pop up appears:

    Your PC is blocked because you have been looking at illegal content in contravention with article 202 of the Criminal Code of Great Britain. This provides for a deprivation of liberty for four to twelve years and a fine of up to £100,000. If illegal access has been initiated from your PC without your knowledge or consent then you can pay a fee of £5000 to put this investigation on hold. This will be returned to you after one week.

    Scams like this try and frighten you into paying money to make what seem to be very serious allegations and consequences go away, and can also download malware to your computer. These scams often claim that you have been looking at highly illegal material, and people are unwilling to report this due to embarrassment.

    The image below shows a version of the illegal material scam.
  • However, both of these scams can be identified as scams in the same way. The real organisations that the scammers are claiming to be will never contact you in this way. 

    No technology company will warn you or harass you about the need for tech support through a pop up, nor will they ask you to call a phone number. These are both big red flags and mean the pop up (and website) should be closed immediately.

    The police will also never ask you to make payment to suspend charges, especially with a serious allegation. They will not give you advance warning that they will come to arrest you. And the police will never contact you via a pop up box.

Identifying fake and fraudulent websites

  • 1. Is it secure?

    When loading a website, look in the url bar and see if the address starts with https:// or http://. The s in https stands for secure, and this indicates that the website uses encryption when transferring data. This encryption protects your data from hackers. If the site is not secure, then don’t send confidential material as this could be easily intercepted by hackers.

    Some browsers (such as Chrome) hide the http:// part of a site’s url, but instead show a padlock that is either locked or unlocked/shows some warning. Depending on the browser this may also be highlighted in green and red. A locked (or green) padlock indicates that the site is secure, and an unlocked (or red) padlock indicates that it is not secure.

    Although the presence of https:// is not a guarantee of security, it is a good start.


    The image below shows how secure and unsecure websites might be flagged.
  • 2. Does the domain look right?

    Many fraudulent websites try and mimic the domain of legitimate companies, for example, tesc0.co.uk or gmall.com. Although these can be obvious if you are looking, if you aren’t paying attention then it can be really easy to miss this. It may also reference a well known brand, like www.nikediscount.com.

    You should also be cautious of shopping websites that end with .net or .org, as these are not usually allocated for shopping. If you see something like this, then be sceptical.

    Don’t click on links without first making sure the domain looks correct. Check before you click by hovering your mouse over the link.

  • If hovering the mouse doesn't bring anything up, then you can inspect the link by:
    1. Right click on the link
    2. Select inspect
    3. The actual url is now highlighted - does this match what you are expecting?

    The image below shows how a link may look when it is being inspected.
  • 3. How old is the site?

    Scammers know that people shop online during busy periods like around Christmas. This means these times are peak times for scammers too. They often put together real looking websites at the beginning of these periods.

    Fraudulent websites tend not to stay around for too long, because this makes it harder for people to get in contact when they realise they have been scammed, so fake websites tend to be young websites.

    Use a domain checker like whois lookup to check the age of a website before you buy anything. If it looks like Amazon, but has only been around for 3 weeks, then that will be a scam.
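Points 1 and 2 (is the site https, and does the domain look right) as a small checker, using the examples from the text: tesc0.co.uk, gmall.com and www.nikediscount.com. This is an added example, not code from the talk. The list of brand domains, the table of swapped-in characters and the URLs it is run against are all constructed, and the brand-label helper is a crude stand-in for a public suffix list. The domain-age check from point 3 needs a live whois lookup, so it is not included.

```python
# Added example (not from the original talk): flags non-https URLs and domains
# that imitate well-known brands, as described in points 1 and 2 above.
from urllib.parse import urlsplit

# Constructed list of genuine brand domains to compare against; a real
# deployment would use a much larger list.
KNOWN_BRANDS = {"tesco.co.uk", "gmail.com", "amazon.co.uk", "nike.com", "lead.org.uk"}

# Characters commonly swapped in lookalike domains (tesc0 -> tesco, paypa1 -> paypal)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter changes like gmall/gmail."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """The label people read as the brand: the one just before the public
    suffix (crude: treats .co.uk / .org.uk style endings as the suffix)."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "gov", "ac"):
        labels = labels[:-2]
    else:
        labels = labels[:-1]
    return labels[-1]


def check_url(url: str) -> list:
    """Warnings for a URL: missing https, a lookalike of a known brand, or a
    brand name embedded in an unrelated domain (e.g. www.nikediscount.com)."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https: data sent to this site is not encrypted")
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in KNOWN_BRANDS:            # the genuine domain itself
        return warnings
    label = brand_label(host)
    normalised = label.translate(CONFUSABLES)   # undo digit-for-letter swaps
    for brand in KNOWN_BRANDS:
        real = brand_label(brand)
        if normalised == real or edit_distance(label, real) <= 1:
            warnings.append(f"{host!r} looks like {brand!r}")
        elif real in label:
            warnings.append(f"{host!r} uses the brand name of {brand!r} but is not that domain")
    return warnings


if __name__ == "__main__":
    for url in ("https://www.tesco.co.uk", "http://tesc0.co.uk/login",
                "https://gmall.com", "https://www.nikediscount.com/sale"):
        print(url, "->", check_url(url) or ["no warnings"])
```

The one-character edit-distance rule is deliberately loose and will flag some honest domains that happen to sit one letter away from a brand; for a tool whose job is to prompt a second look rather than block, that is the right side to err on.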
  • 4. What is the spelling and grammar like?

    As with fake emails, these are giveaways that the website is not legitimate. Companies put a lot of effort into making sure that their websites are professional, and while one or two typos might slip through the net, a badly written website should be treated with caution.
  • 5. How complete is the website?

    Legitimate websites often have extra features on their site, like an ‘about us’ section, privacy policies, and shipping and returns information if it is a shopping site. Check these pages to make sure they are fully populated with the relevant information.

    Most importantly, check the contact us page. Are there several ways of contacting the company?

    Try calling the phone number to make sure this is real before you buy anything, and if there is only an email address, proceed with care.

  • 6. How secure are payments?

    Never buy goods or services online using non-refundable payment methods, like BACS transfers. Make sure you use payment systems like card payments or paypal, as these both allow you to make chargebacks.

    A chargeback is when you ask your bank to reverse a transaction that has cleared because goods or services haven’t materialised. You usually have 120 days to make a chargeback, so this means that there is plenty of time for good to have not materialise before you claim.

    However, this does not mean that you can spend money on any dodgy looking site, content that you will be able to get a chargeback if there is an issue. Chargebacks are not legally required - they are part of a voluntary set of rules that banks sign up to. They also require your bank to contact the scammers bank to request the money back. If scammers have withdrawn money and closed accounts, chargebacks will not be successful.

    If you have paid for something using a credit card then - provided the item cost more than £100 - you can claim this back from your credit card provider under Section 75. More information on chargebacks and Section 75 can be found on Which?’s page about them.

    However, you are still better off just leaving a suspicious website than risking not being able to get your money back.
  • 7. Is it too good to be true?

    Are you being offered a new laptop for £100? Although you can get deals online which far exceed what you can get on the high street, if a deal seems really good make sure you have done your due diligence and checked as best as you can that the website is legitimate.

Accessible website security

  • So, now we know how to check for fake and fraudulent websites, how can we make sure the advice is accessible for disabled people? The issues here are similar to the accessibility issues surrounding fake emails: checking that the domain is correct can be difficult for people with learning difficulties, dyslexia, and low literacy levels; and malicious pop up scams can cause significant anxiety.

    The advice given in the previous column is the best way to tell if a website is not legitimate, so we should encourage and empower people to try these steps first.

    However, the best advice for anyone who doesn’t feel able to tell if something is fraudulent or not is to talk to someone you trust about your concerns. This can be the difference between spotting a scam and falling for one. If there is still doubt, don’t proceed. Fraudsters can cause irreparable damage, and this is never going to be worth an iPhone for £100.

    With fake websites and pop up scams, these can be managed in an accessible way by simply closing the programme or computer. Some websites will use pop ups in a legitimate way but the information contained in these pop ups is not likely to be important. If there is a pop up you are unsure about or unhappy with, simply turn your computer off, and run your antivirus software when you restart it. It is worth remembering that no important information will ever be given by a pop up. 

Fake and fraudulent website avoidance

  • Like fake emails, there is sadly no way to completely avoid fake websites. However, there are four practical steps you can take to avoid entering them in the first place. 
  • Antivirus software

    The first is to get antivirus software. This, like a spam filter, will flag up suspicious websites before you access them, and will ask you to confirm you wish to continue to the site. As a good rule, if your antivirus software has flagged a website as malicious, do not continue!
  • Search, not URL

    The second is to access sites from a search engine search rather than typing in the url if you are unsure of the website’s address. As mentioned above, many malicious websites mimic legitimate websites, and typos in the url can lead you to websites you never intended to visit.

    As a (non-malicious) example, if I have a browser open and wish to access google maps, I could either search ‘google maps’ or type in the url. If I make a mistake in the url (say, I use ‘.co.uk’, not ‘.com’), then it takes me to another website. This is not the official google maps site, but has google maps embedded in it. Along with not being the website I meant to navigate to, this website isn't secure either.


    The image below shows the homepage from maps.co.uk.
  • Keep programmes and systems updated

    The third option is to make sure your programmes update whenever there is a new system update. Do this by turning your computer off when you have finished with it for the day, rather than leaving it on standby. Up to date programmes will be more likely to catch and dismiss distressing pop ups before they can trick you.
  • Disable pop ups

    The final option is to disable pop ups. You can do this in your browser settings, and this can help reduce the risk of pop up scams. However, many websites need pop ups enabled to access their full functionality – this is particularly true for gaming websites, and sites where media is played – so this may not be practical. You can whitelist sites to allow pop ups, but it is still easy to enable pop ups when prompted, so think of this as an additional measure to stay safe rather than a failsafe.


    The image below shows how to disable pop ups, and how to enable them on specific, trusted, websites.

Coronavirus scams

  • Unfortunately, there are already scams trying to exploit people's fears surrounding the coronavirus. The Met Police say that nearly £1 million has already been lost to coronavirus scams in the UK. 


    So, what do they look like, and how can we avoid them?
  • A one-off payment

    A scam which seems to be very common at the moment is a text that announces that the government is issuing a payment of a couple of hundred pounds. All you need to do is follow the link in the text and enter your details...

    There are two ways of identifying this scam. The first is the URL in the text will not be to a .gov.uk website. In the example below, the URL is uk-covid-19.webredirect.org, which should look suspicious enough to flag it up as a phishing scam.

    The other way of flagging this up as a scam is to keep an eye on the news, from a trusted news source. If the government had announced it would be paying all citizens, this would be something you could find on a news website. Remember to independently check anything which seems to be too good to be true.

    The image below shows the one-off payment scam.
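    The ‘right click, inspect’ check from the actual-url steps earlier and the ‘.gov.uk’ check for the one-off payment text can be put into code. The block below is an added example, not code from the talk or from any organisation it mentions: the HTML message and the lookalike domain gov.uk.example.org are constructed, while uk-covid-19.webredirect.org is the address quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of a URL; a bare 'www.gov.uk/x' from a text is read as http://www.gov.uk/x."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_on_domain(url, expected):
    """True only if the host is expected or a subdomain of it; gov.uk.example.org (constructed lookalike) fails."""
    host, expected = host_of(url), expected.lower()
    return host == expected or host.endswith("." + expected)

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs: the 'right click, inspect' step done in code."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Links whose visible text names a domain that the real href does not lead to."""
    parser = LinkExtractor()
    parser.feed(html)
    bad = []
    for text, href in parser.links:
        if "." not in text or " " in text:
            continue                  # plain wording such as 'Claim here' names no domain
        shown = host_of(text)
        if shown.startswith("www."):  # 'www.gov.uk' shown to the reader means the gov.uk site
            shown = shown[4:]
        if shown and not is_on_domain(href, shown):
            bad.append((text, href))
    return bad

# Constructed sample message; the first link's real address is the one quoted in the talk.
SAMPLE_HTML = (
    '<p>Claim your payment at <a href="https://uk-covid-19.webredirect.org/claim">'
    'www.gov.uk</a>, or read <a href="https://www.gov.uk/coronavirus">www.gov.uk/coronavirus</a>.</p>'
)
```

    Running mismatched_links(SAMPLE_HTML) returns only the first link, because its visible text says www.gov.uk while the href goes to webredirect.org.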
  • The fine scam

    This is a scam which claims that you have been recorded leaving your house 3 or more times in a day, and have thus been fined £35. More information can be found at the link...

    This is trickier to identify as a scam. The link looks like it could be legitimate, especially on a phone, where it is harder to inspect the URL if it is being spoofed. However, this can again be checked on a trusted news site. The government has not announced this, so it can be safely ignored. You could also contact the department that this claims to have come from using details you have checked on the government website. 

    Something which makes this more difficult to immediately write off is the fact that the sender has spoofed their sender ID to join the message chain started by the government - the first text in the chain is a legitimate text.

    This sort of identity spoofing is a massive problem, and is usually done to make it look like your bank has contacted you by text. Be aware that legitimate texts earlier in a conversation do not guarantee the legitimacy of anything that follows.

Wrapping up

  • So, we have looked at how we can make password, email, and website security more accessible. 

    Passwords can be made more accessible by removing the cognitive load of remembering dozens of passwords by using a password safe, which only needs one password. 


    Email scams and website scams can be avoided by double checking that everything looks right. If there is still uncertainty, you lose nothing by asking - either the person the email claims to be from, or someone you trust, for advice - or by simply walking away. 

