In my mind, I harp on security all the time. I just went back and looked at my previous blog posts and realized that I don’t push online security nearly enough. Let’s make it our New Year’s Resolution to give ourselves a good ol’ fashioned security audit, beef up our passwords, and get an idea of the newest ways the bad guys are coming after you. I’ll also cover a tried-and-true method of bad guy attack.
I recently sent this same information to our staff to help them learn and get a handle on our company security practices. It’s time you did the same. This is a very long post but it’s an important one. I encourage you to read the whole thing and implement my suggestions. I’ll cover the following areas:
- Phishing Emails
- General Email Security
- Clicking The “Unsubscribe” Link In An Email (including Gmail’s feature)
- Strong Passwords
- Password Database Programs
Here is a link to a copy of an email we received recently. It is an example of a very common phishing email that is going all around the internet right now. There are a few variations of this but it basically goes like this… “I have hacked your computer / router / cell phone. I’ve stolen all your address book and contact information and internet browsing history. I’ve used the cameras to take pictures of you doing ‘naughty’ things on ‘naughty’ websites. Pay me a bunch of Bitcoin within 48 hours or I’ll send these pictures of you to your whole contact list and / or I’ll lock your computer so you can’t access it. Don’t bother changing your password, I can see if you do it. Don’t try to erase your computer, I have a copy of all your data already.”
Like I said, there are variations, but that’s the general message. I’ve even personally received them where they send my password (a very very old and no-longer-used password) along with the email saying something like “You don’t believe me? This is your password! abc123.”
Here is the strategy for dealing with this… IGNORE THESE EMAILS! DELETE THEM IMMEDIATELY AND DO NOT GIVE THEM A SECOND THOUGHT! These are 100% purely phishing emails. The senders are counting on fear, because most people can’t tell whether their system has been compromised. Your computer probably is not compromised in that way…BUT your password probably is. (More on this down below.)
General Email Security
It’s sad that I have to say this but, in general, do not trust emails—don’t trust their content, don’t trust the links that are in them, don’t trust the “from” address, just generally don’t trust anything about them. There’s too much spam and scam going around to put blind faith in whatever pops into your inbox.
- If your “bank” wants you to verify some details of your account, open a new web browser window and manually type in the URL of your bank…do not click the email link!
- If your college alumni association wants you to make a one-time donation to the library fund, open a new web browser window and manually type in the URL…do not click the email link!
- If FedEx needs you to verify your shipping address because of an undeliverable package, open a new web browser window and manually type in the URL…do not click the email link!
- If some Nigerian Prince wants to share USD $1.27 mil with you my special friend just do please verify your particulars, well…I advise you to fully ignore the message, but whatever you do…do not click the email link!
Do you see where I’m going with this?
Tip #1: Do not trust anything about emails.
Tip #2: Do not click any email links.
Tip #3: Open a new browser window and manually type the address.
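Why Tip #3 matters in practice: the text you see in an email link and the place it actually sends you are two different things. As an added example (not code from the original post), here is a small Python script that pulls every link out of an HTML email body and reports the ones whose visible text names one website while the real destination is another. The sample email body is constructed for the example and the domains in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host named by a URL or a bare domain; '' if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def mismatched_links(html):
    """Return (visible text, real host) for links whose visible text names one
    site while the href actually points somewhere else."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        words = text.split()
        first_word = words[0] if words else ""
        # Only compare when the visible text itself looks like an address.
        shown = host_of(first_word) if "." in first_word else ""
        actual = host_of(href)
        if shown and actual and shown != actual:
            findings.append((text, actual))
    return findings


# Constructed sample email body (not a real message): one honest link and one
# whose visible address does not match where the href really goes.
SAMPLE_EMAIL = """
<p>Please verify your account details:</p>
<a href="https://www.bank.example.com/">Visit our website</a><br>
<a href="http://account-verify.example.net/login">https://www.bank.example.com/login</a>
"""

if __name__ == "__main__":
    for text, actual in mismatched_links(SAMPLE_EMAIL):
        print(f"link shows {text!r} but really goes to {actual}")
```

A link that reads “Visit our website” is skipped because it names no address at all; only the second link gets flagged. That is the whole point of typing the address yourself: the browser goes where you typed, not where the email decided.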
Clicking The “Unsubscribe” Link In An Email
In 98% of circumstances, DON’T click “unsubscribe” at the bottom of unsolicited email messages. Also, NEVER click “unsubscribe” on an email that is sent to you just for the purpose of you clicking “unsubscribe.” If you absolutely know that you signed up for the emails and now you want them to stop or if you really really trust the sender, then fine, close your eyes, cross your fingers, say a prayer, and click the unsubscribe link. Otherwise, all you’re doing is confirming for spammers that your email address is valid and active. You will instantly be subscribed to 1,000 other email lists and your inbox will be overflowing. At that point, there’s no way to stop it all.
Instead of clicking the unsubscribe link, it’s better to completely block the sender by disallowing that person to send you messages. I often block the entire domain. If you don’t know how to do this, help is a Google search away… (HINT: click this link for the Google search.)
Along these same lines, the Gmail interface offers a handy “unsubscribe” feature that often tries to help you unsubscribe from unwanted email. I wouldn’t trust this either. I think, in the background, all Google is doing is submitting that unsubscribe request for you which is the exact same thing as you clicking the link….which will just result in more spam email. I don’t know this for sure but this is my hunch.
Strong Passwords
I’ve written about this in the past and, honestly, I can’t harp on it enough…mostly ’cause I know you aren’t listening to me and aren’t creating and maintaining strong passwords. If you have trouble with that, read my next section on Password Database Programs. Regardless, here we go…
We here at Netvantage Marketing occasionally (perhaps not often enough) change the passwords for the services we use. Unfortunately, we can’t impose these same measures on our clients and they are often left out of these password updates and still have awful passwords.
Let’s review the difference between a bad password and a good password.
| Bad Passwords | Good Passwords |
| --- | --- |
| ...are short and/or use words from the dictionary. | ...are long and do not use dictionary words. |
| ...use patterns from the keyboard. | ...use a random string of characters and numbers. Example: cg,3fRjGzD63ar/(ZAm[[email protected]]3d34 |
| ...use your name or birthday or some other personal information from you, a spouse, a child, or another loved one. | ...are completely nonsensical and do not use any personally identifying information. |
| ...try to be clever by making common letter-number substitutions or letters-as-phrases. Example: [email protected] Example: im1ru12 (read that out loud and quickly) | ...try to be secure...not clever. Example: hqcKRYU6.6qZb)[email protected]$#=9uB6 |
All of those passwords in my “good” list were automatically generated by a password database program. I didn’t have to think of them and I don’t have to remember them…my password database does it all for me.
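To show what a password manager’s generator is doing for you, and what the “bad” column above looks like to a checker, here is an added Python example (my own illustration, not code from the original post or from any of the password managers named below). It generates passwords from the operating system’s cryptographic random source, estimates how many bits of guessing work a password represents, and flags the bad-password categories from the table. The word list and keyboard rows are a constructed stand-in; a real checker would load a full dictionary.

```python
import math
import re
import secrets
import string

# Alphabet the generator draws from: the same kind of pool a password manager uses.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real dictionary (assumption: a real checker loads a
# full word list from disk).
DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein", "qwerty"}

# Keyboard rows, used to catch "patterns from the keyboard" such as qwer or 1234.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common letter-number substitutions, undone before the dictionary check so that
# "p@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def generate_password(length=24):
    """Random password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password):
    """Bits of entropy if every character were drawn uniformly from the character
    classes present. An upper bound only: it overrates human-chosen strings."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def has_keyboard_pattern(password, run=4):
    """True if `run` adjacent keys of any row appear in order (or reversed)."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in p or seq[::-1] in p:
                return True
    return False


def contains_dictionary_word(password):
    """Dictionary check applied after undoing substitutions and dropping symbols."""
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    return any(word in letters for word in DICTIONARY if len(word) >= 5)


def audit(password, personal_info=()):
    """Return the 'bad password' categories from the table that apply; [] means
    none were detected (which is not proof of strength, see the note below)."""
    problems = []
    if len(password) < 16:
        problems.append("short")
    if contains_dictionary_word(password):
        problems.append("dictionary")
    if has_keyboard_pattern(password):
        problems.append("keyboard")
    lowered = password.lower()
    if any(item.lower() in lowered for item in personal_info if len(item) >= 3):
        problems.append("personal")
    return problems


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "im1ru12", generate_password()):
        print(f"{candidate!r}: {entropy_bits(candidate):.0f} bits, problems={audit(candidate)}")
```

Two things worth noticing when you run it. First, “p@ssw0rd” is caught as a dictionary word once the substitutions are undone, which is why the clever-substitution trick buys you nothing. Second, “im1ru12” only gets flagged as short: no simple checker recognises letters-as-phrases, and the entropy estimate happily credits it with about 36 bits it does not really have. A 24-character generated password scores well over 150 bits and trips none of the checks, and you never have to remember it.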
Password Database Programs
By now you’re likely bored, if you’ve even gotten this far. Thus, I’ll make this short. Use a password database, also known as a password manager. There are a lot to choose from, paid and free, simple and full of features, standalone and integrated, and every other binary combination you can think of. Here are my favorites:
- 1Password — This one is my recommendation. You have to pay for 1Password but it’s awesome. It is super easy to use, very intuitive, comes with both a program that runs on your computer as well as web browser plugins to auto-fill your passwords. There’s also a mobile app that syncs with the desktop version.
- LastPass — This has a free version which is perfectly fine for most people. It’s relatively easy to use and has web browser integration to automatically fill out login forms on web pages. There is no desktop application (which I do not like) and the web interface is a little clunky. But, hey, it’s free and not terrible, all things considered.
- KeePassX — This is an excellent password manager that I have been using for decades and that our company has been using for a long time. It’s free, there are versions for all types of computers / operating systems / phones / tablets / etc. (all free), and there’s a desktop application. It will not auto-fill login forms in your browser, though, and it’s not that great when a bunch of people need to use it at once.
You can find a bunch more with a simple Google search… Please don’t buy one of those password vaults from Sharper Image or wherever else. They look kind of like calculators and, while they were great in 1982, they’re pretty much just annoying gimmicks right now. Hard. Pass.
Here’s Your Job…
- Download and set up a password manager
- Set a new password for each service you use. You can do this just a handful per day–every time you log in to a new website, update the password. Doing it slowly over time is better than not doing it at all.
- Don’t ever click a link in an unsolicited email.
- Don’t ever click the “unsubscribe” button in any emails.
- Ignore any emails that say they have naughty pictures of you.
- Take a deep breath, open a bottle of wine, and enjoy the holidays! See you in 2019!