October 14, 2019
October is National Cybersecurity Awareness Month.
“At some point, almost everybody in society will become a victim of identity theft,” said Multnomah County Deputy District Attorney Christopher Shull, who prosecutes financial and cybercrimes. “Always think before you click. That is the number one way that hacking occurs. Don’t click on everything you get in your email. If you don’t recognize where it came from, delete it without even opening it.”
Cybersecurity is the protection of all of the devices that are interconnected on a network, according to Portland Police Bureau Detective Cory Stenzel, who is currently assigned to the Bureau’s Digital Forensics Unit.
Stenzel stressed the importance of being aware of cybersecurity because the extent of our interconnectivity between computers, cell phones and other electronic devices continues to grow.
“It’s important to never lose focus and to always maintain vigilance when going online and using connected devices because the moment you pick up a device that has internet connection and start to input information, it’s potentially compromisable,” Stenzel said.
There are several types of internet scams or attacks that the public should be aware of, including phishing scams, man-in-the-middle scams and cross-site scripting attacks.
Phishing scams have primarily involved email, but attackers are now targeting cellphones and text messages, so the scam could come via text message or email.
Either way, the scammer is using either text message or email to trick you into giving them personal information, which could include a person’s full legal name, birthdate, address, social security number, passport information and/or financial information.
According to the FBI’s Internet Crimes Complaint Center, consumers lost more than $30 million in one year alone after falling victim to phishing attacks.
“Phishing emails look like they are coming from a legitimate vendor,” Shull said. “But in fact, the sender is just imitating those companies. Almost every phishing email will include a link for you to click on. The attacker wants you to click on that link and they may claim that your password needs to be reset or your account has been frozen because of fraud. In reality, that email is the fraud.”
“One of the most important things people need to remember is to not give out personal information,” Stenzel said. “Unless you absolutely know who you’re talking to, never give out any kind of personal information.”
The man-in-the-middle attack is essentially someone eavesdropping on your online communications hoping that you enter protected information that can be easily siphoned off. These attacks can occur without you ever being aware. Typically, a man-in-the-middle attack will occur using unsecured Wi-Fi hotspots that are found in coffee shops, hotels and other public buildings – even airplane Wi-Fi, which is becoming increasingly popular.
“Public Wi-Fi is very scary,” said Stenzel.
When someone connects to an unsecured public Wi-Fi network, they are potentially exposing all of their information to anyone else who is on the same network.
“If you were to provide bank account information while connected to that hotspot, the attacker now has your bank account information, your log in information, your password information, and could literally go in and transfer all of your money from your account and into another account,” Stenzel said.
A cross-site scripting attack can be nearly undetectable to the average computer user. If someone inadvertently opens a bad link through a browser or email, the link may be designed to install unwanted software on the computer or device.
Other attacks can include keystroke loggers that run silently in the background of your electronic device and record each keyboard entry you make. The data you enter can be viewed or later downloaded by the malicious actor to access your protected accounts. Ransomware is another common malware that will lock your device by encrypting the data. Typically, in these attacks, the data is only returned after the attacker receives the ransom – typically in the form of cryptocurrency. Often, if a ransom goes unpaid, the data will be destroyed.
Shull recommends avoiding using auto-fill features for online purchases and password entry.
“That’s a bad practice to get into,” Shull said. “I personally fill out my credit card information every time I make an online purchase. That way there’s nowhere my information is stored online that can be hacked and have that information stolen.”
Stenzel agreed: “Anytime information you’ve stored online is accessible once you’re compromised.”
Many in-person retailers may offer to store your credit card information on file for “check out convenience” – and may do so without your express knowledge – but that information is now stored somewhere else and could be hacked.
If you’re not certain where your credit card or debit card information is being stored, contact your financial institution. Many will provide a list of where your data is being stored.
Stenzel also warned about downloading unnecessary applications on your computer, tablet or cellphone.
“If you’re downloading an application that says it’s a flashlight, why would a flashlight application need access to your text messages, your call log, your history, your internet browsing search history? It doesn’t. So these are the kinds of things to be aware of,” Stenzel said.
It’s also important to read the terms and conditions when making purchases or providing personal identifying information.
“They say one of the biggest lies told throughout the world is, ‘Yes, I’ve read the terms and conditions,’” Stenzel said. “It’s important to read that fine print because often what you’ll read in there is that they are informing you that they are going to share your information.”
Many organizations will offer opt-out features, but it becomes extremely onerous to have that information removed.
“At the end of the day, criminals are getting smarter and smarter and these attacks are evolving,” said Stenzel.
Other cybersecurity tips:
- Keep current with all updates released by your device’s manufacturer
- Avoid clicking email links
- Consider getting a credit freeze
- Be aware of the websites you’re visiting. Some websites can be easily spoofed to make them seem real.
- Use complex passwords and change them periodically
- Back up your files frequently using an external hard drive. When that device is not being used, unplug it so it has no connectivity
- Install and run a Virtual Private Network (VPN) service on your cellphone
- Ensure your at-home Wi-Fi networks are secured by changing the default password
- Ensure your at-home Wi-Fi networks are protected using VPN services
Contact: Brent Weisberg, Communications Director