“There are 6 people on your wireless network stealing documents, photos, and bank account information from your computer.” This is what I was told on the phone one evening by a technical support representative trying to fix my internet.
I was trying to call the customer support line for the company that made my wireless router and had run a Google search to find the phone number. I clicked on the first number listed for what looked like the correct company name and website. As it turned out, the link was illegitimate, and I spent the evening on the phone not with a technical support representative but with a scammer trying to steal my information.
This story came to mind while at a recent meeting with the Durham and Orange County Estate Planning Council. We were discussing identity theft and online security with a focus on crimes in North Carolina. While listening to the presenter discuss the ever-evolving tactics used to con unsuspecting victims, I thought of how easy it was for me to fall into this scammer’s trap.
The bad news is that I allowed the scammer to remote into my computer, leading to a range of possible outcomes as serious as having a program installed on my computer. The good news is that this experience has forced me to become more vigilant about how I protect my information and has led me to recognize several security “best practices,” most of which are easy to implement and highly effective:
Best practice #1: Two-step verification on email
Two-step verification is quite simply a must for online security. Your email is a jackpot for online scammers and hackers. Access gives them a plethora of information about you and the ability to communicate on your behalf! It is also the primary vehicle most of us use to reset our login information to important online accounts.
Two-step verification adds a second layer of protection on top of your username and password. It requires a code to be entered every time a new device (computer, mobile phone, etc.) is used to access your email. This code is sent to you by phone through a voice or text message.
Once two-step verification has been set up on your computer or mobile device, you will not need to enter the code for future logins. Anyone who tries to login from another device, however—like a hacker who has your username and password—will need to enter the code.
Best Practice #2: Don’t answer security questions correctly
One of the scariest realizations I had after my experience with the scammer was that it is not all that impossible for a hacker or scammer to find the answers to security questions used to reset login Information. Many of the questions are fairly basic, and the answers are often found in public sources of information. Even if the answer itself is not available, there may be enough information available to guess. For example, I often see the question, “What hospital were you born in?” This one is pretty easy to guess for me if you know my hometown: there is only one!
For this reason, I don’t answer security questions correctly. Instead, I choose a random word to use as my answer. For example, my word might be “tomato.” No matter what the security question, my answer would be “tomato.” I always use the same random word so I know what it is.
(Note: this strategy can help prevent a person from finding or guessing the answer to your security questions. It does not protect against a hacker installing a “key logger” program on your computer which records keystrokes—this is a topic for another blogpost!)
Best Practice #3: Ask yourself, “Why does this person need my information?”
Just the other day, I received a phone call from a person who said she was calling to verify my contact information for a magazine subscription. Thanks to my call with the tech support scammer, I was immediately skeptical.
This person already had my information, and I had just started receiving the subscription, so the call seemed legitimate. However, at the end of the call she asked, “What city were you born in?” I asked why she needed this information, and she told me it was to verify my identity for future calls. This seemed fishy to me (and happens to be an answer to a common security question), so I politely declined to answer.
It is important to question why someone is asking for your information both over the phone and over email. This is especially important if the other person contacted you. If a request for information doesn’t make sense or seems unnecessary, don’t be afraid to ask why it is needed or even refuse to answer.
These 3 Best Practices are easy to implement and have given me great peace of mind knowing I have additional layers of protection in place. I encourage you to give them a try.