Online vulnerability starts with human vulnerability. Think twice before you click
To understand Internet attacks, why they work and how, we have to look at a far more familiar concept: human nature. Today's cyber-criminal is driven by money, and exploits human vulnerabilities before exploiting computer vulnerabilities. Be wary of any “too-good-to-be-true” offer or piece of information that appeals to your:
Desire to be rich
E-mail scams and phishing attempts are the most prevalent threats in this category. E-mails saying:
“You’ve won the lottery. Click here to collect.”
“If you are looking to make additional profit we will accept you as our representative in your country. You will keep 10% of each deal we conduct.”
or “Your help is needed to access a large sum of money.”
should raise serious suspicion. These are phishing attacks that trick you into revealing personal information, steal your money, or unknowingly involve you in illegal activities. Double-check the information and look for inconsistencies, even if the message comes from a known e-mail address (a friend's, for example) – some cyber-criminals steal e-mail accounts and use them for their own purposes. Check with the person the e-mail account belongs to before acting. E-mails unexpectedly asking you to do something should usually arouse suspicion, even – or especially – when they offer easy money.
Lack of awareness or documentation, combined with ordinary human paranoia, may result in what we usually know as “the conspiracy theory”, spreading ungrounded panic among uninformed people.
Bogus warning e-mails such as
“There is a dangerous virus that deletes all information from your hard drive. Send this to all your contacts.”
might appear to be true and even to come from an anti-virus company. Instead they are fake warnings (hoaxes) exploiting people's fear of computer viruses in order to propagate irrelevant and false information. The goals of doing so can be subject to sociological and psychological analysis. Sloppy grammar and spelling can also be a clue that we are looking at a scam, phishing or hoax. Again, use your common sense and double-check such information by going to an anti-virus vendor's website or actively searching the Internet to see whether the information is verified or is a hoax. Double-checking is a rule that successfully applies to establishing the source, occurrence and goal of virtually any information that travels the web.
Other computer-security-related frauds are more dangerous than that. They are actually phishing attacks that attempt to make you give away login details and personal and financial information: “Verify your Facebook account by clicking here or your account will be removed in the next 24 hours.”
Need to show compassion
Some hoaxes appeal to your human compassion:
“I am a 7 year old boy and i’m dying of cancer. The X Foundation has agreed to donate 7 cents for every time this message is sent on” (notice the misspelling of “I’m”);
“Got this from a friend. This girl only needs you to forward the message, that’s all. You don’t need to donate cash just forward. You may save her life”.
Apart from being annoying and pushing you to propagate them, they are practically harmless.
However, others attempt to trick you into revealing banking and credit card details or even directly send money:
“I am your friend, X, and I was robbed in Nigeria. Please send 3,000 $ to this account.” If the scam e-mail actually comes from your friend's address, that most probably means your friend's account has been hijacked and the scammer is already using it for their own purposes. Just call your friend and you will find out whether they are fine.
Need to socialize/need to be popular
Often, people find long-term partners on legitimate online dating websites. However, scammers exploit this trend for their own ends by registering on these websites with a fake identity. There are numerous cases of people being duped into sending money to a would-be online boyfriend or girlfriend who, at some point in the online relationship, expresses the wish to come and visit, if only they had the money for the trip – which they unfortunately do not. In other cases, scammers randomly send unsolicited e-mails or instant messages expressing the desire to begin a relationship, in the hope that someone will take the bait.
Solidarity/need to make a difference without too much of an effort
Online petition signing and cause support are a growing trend on the Internet. While some are legitimate and really succeed in making a difference, others are hoaxes or scams taking advantage of the human need to prove helpful or socially active without making too much of an effort. These usually arrive via e-mail as unsolicited messages, and they can even come from someone you know who has fallen for the hoax and forwards it to you in good faith. The hoaxes usually use powerful images (a beaten child, abused animals or people) and “call-to-action” text, and their goal is to spread as chain e-mails. Such e-mail messages written in CAPITAL letters with multiple exclamation marks are most likely a hoax – if they just push you into forwarding them – or a scam – if they ask you to donate money into a bank account or click a link to donate.
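The cues listed across the e-mail sections above (shouting capitals and exclamation marks, "forward this to everyone" requests, deadlines, prize lures, money or credential requests, the "virus that deletes your hard drive" warning) can be turned into a simple triage score for incoming mail. The following is an added example, not code from the original article: the sample messages are constructed, and the regular expressions, weights and threshold are assumptions chosen for illustration rather than a tuned model.

```python
"""Heuristic triage of hoax/scam e-mail text based on the cues in the article.

Added example, not from the original article. Sample messages are constructed;
the cue patterns, weights and verdict threshold are assumptions.
"""
import re

# Each cue: (name, compiled pattern, weight). Patterns are assumptions.
CUES = [
    ("forward_request", re.compile(r"\b(forward|send) (this|it) to (all|every)", re.I), 3),
    ("urgency",         re.compile(r"\b(within|in the next) \d+ (hours|days)\b|\bimmediately\b", re.I), 2),
    ("prize_lure",      re.compile(r"\b(won|winner|lottery|prize|voucher)\b", re.I), 2),
    ("money_ask",       re.compile(r"\b(send|transfer|wire) \$?\d[\d,]*|\bbank account\b", re.I), 3),
    ("credential_ask",  re.compile(r"\b(verify|confirm|update) your (\w+ )?(account|password|details)\b", re.I), 3),
    ("virus_hoax",      re.compile(r"\bvirus\b.*\b(delete|destroy|wipe)", re.I | re.S), 2),
]

# Constructed sample messages modelled on the examples quoted in the article.
SAMPLES = {
    "lottery": "You've won the lottery! Click here to collect within 24 hours.",
    "virus_hoax": ("WARNING!!! THERE IS A DANGEROUS VIRUS THAT DELETES ALL INFORMATION "
                   "FROM YOUR HARD DRIVE. SEND THIS TO ALL YOUR CONTACTS."),
    "phish": ("Verify your Facebook account by clicking here or your account "
              "will be removed in the next 24 hours."),
    "benign": "Hi Ana, attaching the minutes from today's meeting. Let me know if I missed anything.",
}


def shouting_ratio(text: str) -> float:
    """Fraction of letters that are upper case (0.0 when there are no letters)."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c.isupper() for c in letters) / len(letters)


def exclamation_count(text: str) -> int:
    return text.count("!")


def triage(text: str) -> dict:
    """Score a message body and return {"score", "hits", "verdict"}.

    Keyword cues add their weight; shouting (more than half of at least 20
    letters upper case) adds 2; three or more exclamation marks add 1.
    """
    score, hits = 0, []
    for name, pattern, weight in CUES:
        if pattern.search(text):
            score += weight
            hits.append(name)
    letters = sum(c.isalpha() for c in text)
    if letters >= 20 and shouting_ratio(text) > 0.5:
        score += 2
        hits.append("shouting")
    if exclamation_count(text) >= 3:
        score += 1
        hits.append("exclamations")
    if score >= 4:
        verdict = "likely hoax/scam"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "no cues"
    return {"score": score, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:>10}: {triage(body)}")
```

A scorer like this is only a first filter: it is meant to prompt the double-check the article recommends, not to replace it, and real mail would still need the sender and link checks described above.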
Desire to win/gain/receive something for free
Giveaway hoaxes offer fake vouchers, money and free products from reputable stores and companies. Some of them are just designed to propagate aimlessly, while others attempt to steal sensitive information. Remember, though, that the decisive click has to come from you, no matter how alluring the offer seems. Go to the genuine source of the alleged offer to verify it and you will most probably discover it is not confirmed. Free games that arrive unsolicited in your Inbox, “just a click away”, are also a sign that someone is trying to invade your privacy by appealing to human-nature vulnerabilities. “Just a click away” most probably lies a trojan or backdoor program that will attempt to take over and manipulate data stored on your computer. The rule is “make your own decisions”: go where you want to go on the WWW, not where an unsolicited e-mail says to.
Typo squatting is one of the most common scam tactics abusing carelessness and lack of attention to detail. Malicious domains disguise themselves as legitimate financial organizations (such as a bank) with just one small difference in the domain name, counting on the fact that you will not notice and will take it for the real thing. Spot the difference between Bankofamerica.com and Bankofdamerica.com? The latter is an example of typo squatting (a barely noticeable spelling error) that attempts to steal the account information and even the money of a registered user of Bankofamerica.com. The malicious website will look and feel like the genuine one, except it is not. Once you have entered your login data, all your interactions with the website are logged and your data (including any credit card details you enter) is subject to malicious manipulation. Sometimes you may type the misspelled URL yourself in the address bar and unfortunately land on a typo-squatting domain registered for that name. Other times you would receive an e-mail posing as an informative message from your bank, which would look genuine and invite you to confirm or update your personal details by clicking on the malicious website's URL (which looks almost exactly like the legitimate one). Once again, check every link in your e-mails carefully and, when not sure, seek confirmation from the e-mail sender by other means than replying to the suspicious e-mail.
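The Bankofamerica.com versus Bankofdamerica.com comparison above is exactly the kind of check that can be automated before a link is trusted. The following is an added example, not code from the original article: it measures how far the registrable part of a hostname is from a short allowlist of genuine brand domains (the list, the homoglyph table and the distance threshold are constructed assumptions), normalises common look-alike characters such as `1` for `l`, and also catches the related lure in which the real brand name appears only as a subdomain of an unrelated domain. It goes slightly beyond the article's single example by covering those two extra variants.

```python
"""Lookalike-domain check for the typo-squatting scenario in the article.

Added example, not from the original article. The brand allowlist, homoglyph
table and threshold are constructed assumptions; no DNS or WHOIS lookups are made.
"""
from __future__ import annotations

# Constructed allowlist of genuine registrable domains (assumption).
KNOWN_BRANDS = ["bankofamerica.com", "paypal.com", "facebook.com"]

# Characters commonly swapped for visually similar ones (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions
    needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. This ignores multi-part
    public suffixes such as .co.uk, which is acceptable for this illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Map common homoglyphs to the letters they imitate. This can over-correct
    (e.g. 'barn' -> 'bam'); the caller only uses it to bias toward flagging."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def lookalike_report(host: str, brands=KNOWN_BRANDS, max_distance: int = 2) -> dict:
    """Classify a hostname found in a link.

    Returns {"verdict": "genuine" | "lookalike" | "unrelated",
             "brand": the brand it matches or resembles (or None),
             "reason": why}.
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in brands:
        return {"verdict": "genuine", "brand": reg, "reason": "exact match"}

    # Brand name present as whole labels, but the registrable domain is someone else's.
    for brand in brands:
        if f".{brand}." in f".{host}.":
            return {"verdict": "lookalike", "brand": brand,
                    "reason": f"{brand} is only a subdomain of {reg}"}

    # Otherwise compare the registrable label with each brand label, with and
    # without homoglyph normalisation, and keep the closest brand.
    best = None
    label = reg.split(".")[0]
    for brand in brands:
        target = brand.split(".")[0]
        raw = levenshtein(label, target)
        glyph = levenshtein(normalize(label), target)
        dist = min(raw, glyph)
        why = "homoglyph substitution" if glyph < raw else f"{raw} edit(s) from {target}"
        if best is None or dist < best[0]:
            best = (dist, brand, why)
    dist, brand, why = best
    if dist <= max_distance:
        return {"verdict": "lookalike", "brand": brand, "reason": why}
    return {"verdict": "unrelated", "brand": None, "reason": "no close match"}


if __name__ == "__main__":
    for h in ["www.bankofamerica.com", "Bankofdamerica.com", "paypa1.com",
              "bankofamerica.com.login-secure.example", "example.org"]:
        print(f"{h:40} {lookalike_report(h)}")
```

A distance threshold of 2 on a short allowlist is deliberately conservative: it flags the single-character insertion in the article's example without marking every unrelated short domain as suspicious. In practice the allowlist would be the set of institutions a user or organisation actually deals with.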
Scammers also appeal to human nature by arousing and stimulating curiosity. There are links and flashy buttons that just beg to be clicked, promising entertainment, secrets revealed, juicy pictorials or shocking news. Begin by asking yourself: “Do I really need to see this now? Does satisfying my curiosity make up for leaking personal information or even losing money?” These hoaxes or scams count on you saying yes and on not delivering – instead they abuse your “need to see this” and ultimately attempt to use it against you. The same goes for cracked games, free pornography, shocking (and fake) celebrity news and many more.
Fear, submission, guilt
Some scams impersonate an authority in order to ultimately get your money. Sometimes scammers pose as an “Internet Security Service” and contact you by phone, saying your computer has been hacked or infected and you need to transfer an amount of money so they can fix it. Other scams use malware to infect your computer and pretend to be from an authority such as the FBI or BKA (see the FBI Moneypack scam asking you to pay a 200$ fine to unlock your computer, the BKA ransom trojan and so on). This is an example of ransomware (or scareware) – a malicious program that scares you into paying money “or else”. Again, check the validity of the information using alternative legitimate sources, and if your computer has fallen prey to ransomware or scareware, use a clean computer with an Internet connection to search for information about how to get rid of the nuisance, or resort to a legitimate IT security service to do so.