The risk of hacking and how to avoid it


When you think of hacking, it might conjure images of shadowy figures working in the depths of the online world to steal corporate information or disable major websites. But getting hacked is far more commonplace than you might realise. It could be random or inappropriate messages sent from your email account to your entire contact list, or outright theft of your online banking details.

Storing data digitally comes with risk, so it’s important to understand how much of that risk you can manage yourself. Taking responsibility for your part in setting up and maintaining your online security can do a great deal to protect you and your family.

Here, we look at what the risks are to your data, how you can manage them, and what to do if your data is compromised.

Hacking can happen to anyone

When we talk about storing ‘data’, it might be credit card details that you save to a website you buy from or a streaming service you subscribe to, photos you post online, passwords to your bank accounts, email or social media accounts, or even sensitive documents stored on your home laptop or PC.

While it might seem as though major companies like Facebook, Netflix, Zoom, Microsoft or Google would have incredibly secure data storage, they have all recorded data breaches at some time or another, along with other big names like NASA, eBay, Amazon and even major international banks.

The biggest concern lies with companies that have had data breached because they had a weak security system, with little to no encryption. But even companies with great security can be on the receiving end of a cyber-attack. The bottom line is that any online account can be compromised. But these breaches can be much less of a problem for you if you do your bit to stay secure.

How to manage your side of the security deal

The most important thing you can do is to be aware of some basics that will make issues with your data less likely.

Check what you’re signing up to

If you’re planning to buy from a new website, sign up to a database or hand over any personal details online, take a good look at the company’s website first. If the design is unprofessional or has glaring spelling or grammar issues, chances are it’s dodgy and you should avoid it.

Sometimes, however, fake sites can look slick and are trickier to spot. In cases like this:

  • Check the web address (the URL). Some internet browsers (what you use to surf the web) can be tricked into displaying fake domain names as trusted legitimate sites. For example, a domain registered as “xn--pple-43d.com” could display as “apple.com”. A simple way to check if a URL is fake is to copy and paste it into another tab. When pasted into the address bar the URL will appear in full – e.g.: “https://www.xn--pple-43d.com/” – in which case don’t hit enter and load the site.

  • If in doubt about a website’s safety, head to the Google Safe Browsing Transparency Report. This site has a tool where you can enter a website address to check whether the site is safe for browsing or if it hosts any malware.

  • Check for the padlock. Does the website have a padlock symbol with “https” at the front of the web address? “https” tells you that the communication channel between you and the server is encrypted and secure (anyone “listening in” on the network will only get encrypted information that won’t make sense). It isn’t a guarantee that the server you’re communicating with won’t steal your data, however. This is when you need to check its SSL/TLS certificate. These certificates protect users’ information while it’s in transfer and authenticate a website’s identity. To view the digital certificate issued to a website, click on the padlock in the web address bar and select Certificate. Click on “More information” and then view the certificate to check it is legitimate.

  • Verify the company. Check whether the website has a physical address. Does the company have a phone number listed and an email ID? Try sending an email to the ID on the contact page and check if it gets delivered. Make sure that the email is not a generic one (like hello@gmail.com) but one that comes with the company brand (like contactname@companydomain.com).

  • Check their privacy and protection policies. Most countries and industries have data privacy laws and regulations that make it mandatory for a website to let you know how your data is collected, used, protected, and stored. This is usually outlined in a privacy policy document, which you’ll have to read and agree to before using the site. By now, most of us have skimmed through enough privacy policies to know what a decent one looks like compared with one that pretends to be an authentic document.

  • Check the shipping and return policies. If you’re on an e-commerce platform, the shipping and return policies are a great way of telling whether a website is legitimate or fake. If the website lacks one, or if it’s unpolished or vague, then rethink making any purchases.

  • Check their social media presence. Most legitimate companies have at least some level of social media. Fake websites sometimes have the icons for Twitter or Facebook, but the graphics don’t actually link to a real account.

  • Read company reviews. Google reviews are an excellent source of references. You could also see if you can find real employees of the company on sites like LinkedIn.
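
The lookalike web address from the first check above can also be decoded offline, without loading the site. This is an added example, not part of the original article: the function names are illustrative, and it goes a little beyond the article's single case by reporting which alphabets each decoded label mixes.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # marks a label that is Punycode-encoded Unicode


def scripts_in(label):
    """Alphabets used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    # The first word of a letter's Unicode name is its alphabet for the
    # scripts that matter here (LATIN, CYRILLIC, GREEK, ...).
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_url(url):
    """Return one finding per hostname label that contains non-ASCII text."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        shown = label
        if label.startswith(ACE_PREFIX):
            try:
                shown = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
            except UnicodeError:
                findings.append({"label": label, "shown_as": None,
                                 "scripts": [], "verdict": "undecodable"})
                continue
        if shown.isascii():
            continue  # plain label such as "www" or "com"
        scripts = sorted(scripts_in(shown))
        verdict = "mixed-script" if len(scripts) > 1 else "non-ascii"
        findings.append({"label": label, "shown_as": shown,
                         "scripts": scripts, "verdict": verdict})
    return findings


if __name__ == "__main__":
    # The address quoted in the article; it is parsed, never fetched.
    for f in inspect_url("https://www.xn--pple-43d.com/"):
        print(f["label"], "->", repr(f["shown_as"]), f["scripts"], f["verdict"])
```

A "mixed-script" verdict means a single label combines letters from more than one alphabet, which is how one swapped character can hide inside a familiar name.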

Use security tools for online browsing

There is a host of tools designed to help protect you and your information online. Some that we’d recommend checking out include:

  • F-Secure: Identity protection software.

  • Norton Safe Web and VirusTotal: These tools can analyse URLs and tell you if the site you want to visit is safe or malicious.

  • Netcraft extension: This tool can be added to your browser and lets you do a quick lookup of sites you want to visit and provides protection against phishing.

  • Disconnect: A tracker blocker that shows you everything that tracks you on a website and lets you disable them.

  • Webroot filtering extension: Can filter out and block dangerous websites.

  • Privacy Cleaner: An application that runs in the background and alerts you if a page or an app tries to access your files and information.

Know the obvious signs of website malware

Malware is any software designed to intentionally cause damage to a computer, server, client, or computer network. This includes computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software etc.

Pop-ups and/or advertisements on websites that try to get you to click on them are often indicative of malicious websites egging you on to download and execute some malware on your system. Always be careful when clicking on any ads.

Be wary also of websites that redirect you to other sites with promotional content, or to a legitimate looking page that asks you to enter sensitive information.

How to spot if you’ve been hacked

Signs of unusual activity include:

  • Warnings about unusual attempts to log in to sites. For example, Facebook and Google will send notifications and emails alerting you to attempts to access your account. This will usually be if someone has tried to get in and failed, requested to change your password, or successfully signed in from an unfamiliar location.

  • Not being able to access your Google account using your regular username and password.

  • An unfamiliar purchase charged to one of your bank accounts or credit cards. Banks will often detect any suspicious payments early on and contact you before things go too far.

  • Odd emails asking you to do something – like click a link, or supply personal information. These can all be signs that your data has been compromised in some way.

Watch for fake emails:

  • Never click on a link in the body of an email unless it’s a direct response to a request that you have made, such as a password reset.

  • Do not respond to ‘delivery’ emails that are not related to any order you’ve made.

  • Do not respond to unexpected account information requests.

  • Even emails from friends can be compromised if they have been hacked, so don’t click on links from them unless you are 100% sure what they are.

Look for spelling mistakes or a sense of urgency. A legitimate email from a legitimate company would use your name and proper grammar. Most importantly, they would not threaten to suspend your account in a badly written email, use urgent or threatening language, or ask you to provide any personal or account information. These are tell-tale signs of a scam. Any communications from legitimate companies will have an appropriate tone and will never sound menacing or threatening, even if you don’t follow through with their call to action.

If you hover over or right-click any linked button, you can see or copy the actual link you would be redirected to. (If you copy and paste it as unformatted text into a Word document, you can see it.)

If you’re unsure of an email and it invites you to click a login button for a website you use, it may well take you to a site masquerading as the real thing. If you enter your username and password there’s a very good chance that your account will be compromised or your account details will be sold on. Delete the email.

Signs that you’ve been hacked

If your data is stolen, criminals can do a lot with the information – using it to access your online accounts (email, social media or PayPal), steal from your online banking, or open accounts and take out credit in your name. This type of identity fraud can be difficult to detect and fix. This is because, unlike immediate theft of money, you may not realise straight away that someone has stolen your identity information.

Even simple publicly available data like your name, home address, date of birth or email address can be used to collect even more information about you that can lead to someone taking out loans, utility contracts or other forms of credit in your name.

Damage to your credit score might be the first thing to tell you something is wrong and you may only become aware of that when you apply for credit and are denied, or debt collectors contact you.

You can check your own credit record for free, but there is a charge if you want the information quickly.

If you want to find out if you’ve been a victim of data theft you could check your email address on websites like:

https://haveibeenpwned.com

https://www.avast.com/hackcheck

Both these websites can tell you if your data has been stolen and offer you options for next steps if it has. Simply input your email address and they will search the Internet looking for matches.

This is a great way to see if you could be affected. Appearing in a breach does not mean anything has happened yet, but it is an exposure that you can then close down.

You can also sign up to these sites to be sent alerts if your data is part of a breach, or use other products like F-Secure.

Get things back under control

If you know that one or more of your accounts has been hacked, the following steps can help to minimise the damage:

  • Get in touch with the company that owns the account/s in question. Every organisation will have their own policies, procedures, and recovery steps when it comes to compromised accounts. They will also usually have a specific contact address for reporting incidents, which you’ll be able to find quickly through an online search (e.g. “gmail account hacked”).

  • If you can still access the compromised account, change the password for it and for any other accounts that use the same password.

  • If you can get back into a hacked email account, check the settings to make sure they’ve not been altered. For example, the hacker may have activated a setting to automatically forward all your emails to another account.

  • Get in touch with anyone who may have been impacted. If fake messages have been sent from your social media account or you’re forced to create a brand-new social media account, you need to let friends and family know the details of the new account and/or explain what the fake messages were about.

  • If appropriate, such as with cases of harassment, report the hacking to police.

  • If a person or a group claims to have accessed your account and have messaged you about it, don’t click on any links they send you. Their claims may be false and the links could be attempts to access personal information.

  • Make sure that all apps and software you use (on your phone and laptop/PC) are up-to-date.

Secure everything

The best way to reduce your chances of being hacked again is to limit opportunities for hackers. The better your “online hygiene”, the less chance you have of being compromised.

  • Getting hacked on one account should be the trigger to check all other online accounts you use. Update your passwords and check the security settings. When updating your accounts use complex security questions where you can. The answers should be something that only you could know.

  • Take time to consider if you have old ‘zombie accounts’ you no longer use, such as old email addresses or subscriptions. Delete them.

  • Multifactor authentication (MFA) should be turned on for as many sites and services as possible. The most common type is two-factor authentication, where another piece of information, as well as your password, is required to log in to a service. This is currently one of the most effective ways to secure your accounts.

Reduce risk

Taking steps such as those outlined in this article will help to keep you in good shape when it comes to your digital security. And, just like staying in shape physically, the key is to keep at it!
