Kinnu

Other Safety Measures

Safe browsing

Navigating the internet safely is like tiptoeing through a minefield. Every action you take, every link you click, every website you visit – it carries a potential risk.

Web browsing. Image: Google, Public domain, via Wikimedia Commons

Take cookies, for example. These tiny files are stored on your browser, and keep track of the websites you visit. They can improve your overall browsing experience: for example, a cookie might auto-fill your home address when you're filling out an online form.

But what if a hacker gains access to these cookies? Suddenly, they could find out your home address, your credit card number, and whatever else your browser has stored.

Many of the browsers we use to access the internet, like Google Chrome, come with default settings that put convenience ahead of security. You'll have to take the initiative, and tweak those settings, if you want to keep yourself safe.

In terms of cookies, most browsers come with private browsing or incognito modes. These modes stop the browser from storing your browsing history, cookies, and other temporary files.

In most cases, you'll have to remember to switch on this private mode every time you open the browser. But some browsers, like Firefox, have an 'always use private browsing' option, which keeps you in private mode automatically.

Firefox browser. Image: Mozilla Foundation (MPL 1.1 <https://www.mozilla.org/MPL/1.1/>, GPL <http://www.gnu.org/licenses/gpl.html> or LGPL <http://www.gnu.org/licenses/lgpl.html>), via Wikimedia Commons

Another danger with online browsing comes in the form of pop-up ads. They're not just annoying; they can also be a way for hackers to get malware onto your device.

Sometimes, these pop-ups aren't even visible. They hover on web pages, completely unseen, waiting for you to click one by mistake. The moment you do, they'll take it as an invitation to redirect you to a dangerous website, or start downloading a piece of malware.

If you delve into your browser settings, you can usually find an option to block these pop-ups. This setting might not be 100% effective, but it's definitely worth turning on.

If you're looking for a more robust solution to pop-ups and ads, you can download a specialist adblocker, like the popular uBlock Origin.

uBlock Origin. Image: Raymond Hill (gorhill) - developer, GPLv3 <http://www.gnu.org/licenses/gpl-3.0.html>, via Wikimedia Commons

An adblocker will usually take the form of a browser extension, which sits in the corner, ready to be turned on when you need it. When it's active, the adblocker will hide adverts, block pop-ups, and generally keep your browsing experience cleaner and more secure.

But it's worth remembering: your favorite websites won't get any ad revenue if you use an adblocker when you visit. If you like (and trust) a website, turn your adblocker off when you visit.

Here’s another layer of defense that you can use when you’re browsing the web: set up two user accounts on your personal computer, one with admin privileges, and one without.

If you use your non-admin account for web browsing, it makes things a lot harder for malware. Why? Because nothing is allowed to download or install itself via a non-admin account.

If it tries, then a window will appear on the screen, asking you to give explicit permission by entering the admin account’s password. If you don’t enter this password – and you definitely shouldn’t, if you don’t recognize the download – then the malware will struggle to take hold.

Another thing to keep an eye on is the security protocols used by websites. Basically, before ever visiting a website, you should check the URL.

If the URL starts with 'https' (e.g. https://kinnu.xyz/), that means your connection to the site is secured with encryption. Any data you send to this site will be encrypted, which makes it harder for hackers to steal. Like anything, this isn't a perfect defense, but these websites are definitely safer than non-secured alternatives.

Most browsers display a lock icon in the address bar when you visit a secure 'https' site. They'll also give you a warning if a site isn't secure. If you receive that warning, or don't see a lock, think twice before visiting the website.

HTTPS. Image: Sean MacEntee, CC BY 2.0 <https://creativecommons.org/licenses/by/2.0>, via Wikimedia Commons

Safe WiFi

Wi-Fi seems to be everywhere these days, making it super easy for us to stay connected, even when we're out and about. But from the perspective of cybersecurity, Wi-Fi can be dangerous.

You know when you're in a coffee shop, and you see a bunch of networks pop up on your device? Some of those might not be as legit as they seem. Cybercriminals often set up networks with names that appear to be real. For example, they might set up an open network called 'Coffee Shop - Guest' or even something like 'Starbucks WiFi'.

Once you connect to that network, the cybercriminal can intercept your data, or access your device. This type of attack is known as an evil twin.

Basically, you should never connect to a public Wi-Fi network without checking that the network is real. If you're in a coffee shop, or an airport, or anywhere else, double check with someone who works there.

Wi-Fi or evil twin? Image: via Pexels

Another potential Wi-Fi pitfall is the auto-connect setting, which you can find on most of your devices.

At first glance, this setting feels nice and convenient. If you're in an area with public Wi-Fi, your phone or laptop will automatically connect, saving you a couple of clicks. But this auto-connect function could pull you into an unsafe network. Always make sure to go into your device settings, and switch your auto-connect off.

The same goes for file sharing and Bluetooth. These services put out signals that make your devices more discoverable, almost like waving a flag. If you're not currently using them, you should switch them off, to reduce the risk of a cybercriminal remotely accessing your device.

Your home Wi-Fi network can also be a potential target for cyberattacks. If a hacker manages to connect to it, they'll be able to access all your home devices that are connected to that Wi-Fi too.

Luckily, there are some easy steps that can help to stop this from happening.

You know the name of your Wi-Fi network that others can see? That's called the Service Set Identifier (SSID). Usually, it's something simple, like the brand of your router. But simple SSIDs are easier to identify. Take the time to change it to something less obvious, and it will boost your network security.

As well as changing your network's SSID, you should also change the network password. Make sure that it's something long, and strong, and difficult to crack.

On top of this, check your Wi-Fi's settings, and make sure to enable network encryption, while turning off network name broadcasting. If you're having any trouble finding these settings, get in touch with your provider, and ask them for a bit of help.

And one more thing: don't just set it and forget it. Every so often, take a look at your network, and check if there are any devices that you don't recognize. Regularly change your SSID and password, and always make sure to keep your router updated.

This password could be stronger. Image: Dustin Batt, CC BY-SA 2.0 <https://creativecommons.org/licenses/by-sa/2.0>, via Wikimedia Commons

Another important safety measure, in the context of Wi-Fi, is a Virtual Private Network – better known as a VPN.

This piece of software encrypts your internet connection, hides your physical location, and stops other people from tracking what you do online.

Popular VPNs include NordVPN, ExpressVPN, and Surfshark. These services aren't free, but they're well worth the price if you're serious about protecting your devices.

VPN in action. Image: via Pexels

A VPN makes your devices invisible whenever you connect to Wi-Fi. Or, rather, it makes them a lot less visible than they would be if you didn't have one.

Phishing scams

Another essential part of cybersecurity is knowing how to keep yourself safe from social engineering.

It doesn't matter how secure your system is – if a cyber criminal manages to trick you into entering your personal details into a fake website, or making a bank transfer into a fake account, all your other defenses will be wasted.

These types of attack are getting more and more common. Why? As technology gets better and better at keeping out threats, a lot of cyber criminals are realizing that human beings are the easiest thing to hack.

Back in the day, you could spot a phishing email a mile away. Bad grammar, weird spelling, low-quality images. But now? They're often using high-quality images, sophisticated language, and more.

So how do you spot these scams? One tell-tale sign is a sense of danger or urgency. Phishing scams often play on your emotions, trying to panic you into making mistakes. If an email uses words like 'urgent!' or 'immediately!', take a moment to think things through.

They might also play on other emotions, like curiosity, sympathy or guilt. If an email talks about 'needing your help', it's often a big red flag.

Phishing email. Image: Chris Lappas, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons

Another sign of a phishing attack is vagueness: in a lot of cases, the attacker won't refer to you by name.

In addition to this, they might not quote a customer number, or an account ID, like you'd expect to see at the top of emails from a lot of reputable sources. Things like this are easy to miss – but they're always worth keeping an eye on.

Having said that, this vagueness isn't 100% reliable. In a spear phishing attack, a hacker might look you up on Facebook, or find you on LinkedIn, before sending you a personalized email.

In other words, while vagueness is often a sign of phishing, not all phishing emails will be vague.

Another sign of a phishing email is an email address, or a URL, that doesn't look quite right.

An email from an official source, like an online bank, will always be sent from a legitimate address, often with the company's name included after the @ sign. For example, an email from the Bank of England might have an address like customersupport@bankofengland.co.uk.

It will never be sent from customersupport@gmail.com, or bankofengland@aol.com, or something completely strange and random like 1242rwFfetefwa@3rgsdg.com.

Whenever you receive an email, you can double check the sender's address by hovering over their name. This approach isn't perfect, as some hackers can fake legitimate addresses, but it's always worth a check.
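The warning signs described above (urgency language, no name or account reference, and a sender address whose domain doesn't match the organization) can be turned into a simple checklist. This is an added example in Python, not code from the Kinnu pathway; the expected domain, the recipient name and the two sample emails are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Free webmail providers: a bank will not write to you from one of these (constructed list).
FREEMAIL_DOMAINS = {"gmail.com", "aol.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Words that try to rush you into acting without thinking (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "act now", "suspended", "verify now")


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header, or '' if unparsable.

    parseaddr() separates a display name from the real address, so a header like
    'Bank of England <someone@3rgsdg.com>' yields the domain actually used to send.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def phishing_signals(from_header: str, body: str, expected_domain: str, recipient_name: str) -> list:
    """Collect the red flags from the text for one email. An empty list means none were found."""
    signals = []
    domain = sender_domain(from_header)
    if not domain:
        signals.append("sender address could not be parsed")
    elif domain in FREEMAIL_DOMAINS:
        signals.append(f"sender uses a free webmail domain ({domain})")
    elif domain != expected_domain and not domain.endswith("." + expected_domain):
        # A subdomain such as mail.<expected_domain> is accepted; anything else is a mismatch.
        signals.append(f"sender domain {domain!r} does not match {expected_domain!r}")

    lowered = body.lower()
    hits = [word for word in URGENCY_WORDS if word in lowered]
    if hits:
        signals.append("urgency language: " + ", ".join(hits))
    if recipient_name.lower() not in lowered:
        signals.append("message does not address you by name")
    if not re.search(r"\b(customer|account)\s+(number|id)\b", lowered):
        signals.append("no customer number or account ID quoted")
    return signals


# Constructed sample emails: one mimicking the page's fake address, one legitimate-looking.
PHISH_FROM = "Bank of England Support <bankofengland@aol.com>"
PHISH_BODY = "Dear customer, your account has been suspended. Verify now IMMEDIATELY or lose access."
LEGIT_FROM = "Customer Support <customersupport@bankofengland.co.uk>"
LEGIT_BODY = "Dear Alice Smith, Customer number: 12345678. Your monthly statement is now available."

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY), ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, phishing_signals(hdr, body, "bankofengland.co.uk", "Alice Smith"))
```

A real email client's filter would also check authentication headers, but the point here is that the checks the text asks you to make by eye are mechanical enough to script.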

On top of all this, sometimes spotting an attempt at social engineering will rely on some kind of gut feeling.

You just got a phone call that sounds like your bank... but does it really feel right when they ask you to tell them your PIN? Or you just got a message from what looks like your colleague... but is it really normal that they're asking you to send them money?

If ever something feels a bit strange, there's a good chance you're dealing with a phishing attack. Just hang up the call, or close the email. Then get in touch with your bank, or colleague, via an official channel instead.

You could also do a quick web search. You may discover that other people have received the same email, or been phoned by the same number – phishers often try their luck on thousands of people at a time.

Trust your gut. Image: via Pexels

Social media

We've already mentioned spear phishing a few times – when a cyber criminal takes the time to find out some details about you, before using these details to contact you with a targeted, personalized attack.

They might refer to you directly by name. They might pretend to be your employer, or a childhood friend. They might talk about a holiday you went on last year, or mention your wedding day, or use a hundred other personalized tricks to lull you into a false sense of security.

But how do they get all these personal details? In a lot of cases, their source is social media.

Social media. Image: via Pexels

Social media leaves a digital footprint. This is all the information you've shared online, like your posts, comments, likes, photos, and friends.

You really don't want this information to fall into the hands of a hacker. Along with spear phishing, they might use your digital footprint to work out the answer to security questions on your private accounts, like your mother's maiden name, or the breed of your childhood dog.

To stop this from happening, you need to change the privacy settings on all your social media. Set your account to be visible only to your friends or direct connections. This can really help to keep your personal information from falling into the wrong hands.

What info do you share on LinkedIn? Image: via Pexels

Privacy settings are helpful, but they'll never be 100% secure. Ultimately, when you're using social media, you need to always be careful not to share information that you wouldn't want a hacker to get hold of.

For example, an existing friend might be using a weak password on their social media account. If this account gets hacked, then the hacker can use your friend's account to look at your 'friends only' information.

And keep an eye out for suspicious friend requests. If a stranger adds you, and you let them inside? Suddenly, they've bypassed your privacy settings. If they're a hacker, they can use this against you.

In addition to all this, make sure to protect your social media account with strong passwords and multi-factor authentication.

By now, hopefully this goes without saying – but some of us made our social media accounts when we were barely older than children, and we might have been using the same (weak) password ever since.

Login notifications are also worth enabling. This helpful setting will give you a heads up via text or email if someone ever tries to log into your account from an unfamiliar device. It's a quick little step that makes your system more secure.

Facebook log-in. Image: Facebook, Public domain, via Wikimedia Commons

Insider threats

When we're trying to maximize our cybersecurity, we need to be aware of something called insider threats.

An insider threat is anyone other than yourself who also has access to your systems. Maybe you share your home computer with a partner, or a couple of children. Or maybe you share your Wi-Fi network with a housemate, or parents, or grandparents.

At first glance, it all sounds innocent enough. But any one of these people could be a risk to your cybersecurity.

Insider threat. Image: via Pexels

Insider threats can be divided into two different categories: intentional and unintentional.

Intentional insider threats are usually associated with companies and governments, rather than personal computer users. Imagine an employee who accepts a bribe from a hacker, and agrees to install a piece of spyware on their company's private system. Or another employee, who's just been laid off, and deletes an important company file as a final act of spite.

Importantly, both of these malicious employees have access to the company computer system. They know the passwords, they have a way inside – and that's what makes them such a threat.

There are plenty of real-life examples of this. In 2023, two former employees from Tesla leaked thousands of company documents to a German newspaper. Tesla’s cybersecurity was robust, but these insiders let them down.

In most cases, a personal computer user won't need to worry about intentional insider threats. But unintentional insider threats are a very different story.

Imagine that one of your kids is using your computer. They receive a phishing email while your back is turned, and click on a dangerous link. Suddenly, your system is infected with malware. That's a prime example of an unintentional insider threat.

Or imagine that a friend comes to stay the night, and logs onto your private Wi-Fi. They don't realize that their laptop has a worm on it – a worm that uses this network connection to jump onto your systems too.

Negligence is also a problem. Your partner might ignore a reminder to update their software. Before you know it, a virus has entered your home.

So, how do we deal with all this? It often comes down to awareness.

You need to make sure that all the people who have access to your system – whether that's friends, or family, or just random housemates – have a solid understanding of cybersecurity.

The more they know, the less likely they are to make a mistake that brings your systems down. Tell them about strong passwords, auto-updates, phishing scams and more. Even ask them to do this pathway!

In addition, it's always important to control which users have access to what. For example, if your kids are using your laptop, make sure they're always using an account that doesn't have admin privileges. That way, even if they do slip up, it should limit the total damage.

Explain cybersecurity to a partner. Image: via Pexels

Futureproofing

Cybersecurity is a fast-evolving landscape. Hackers are constantly inventing new ways to attack your system – and you need to work hard to keep track of these changes, and keep yourself one step ahead.

One change we've seen, over the last couple of years, is the rise of artificial intelligence.

For example, hackers have started using a malicious tool called WormGPT, which lets them write viruses or phishing emails with the help of generative AI. Other types of AI have been used to speed up brute-force attacks, significantly increasing the rate at which a weaker password might be cracked.


Perhaps the most frightening recent development is the rise of AI vishing.

Vishing, or voice-phishing, uses voice messages and phone calls as opposed to texts or emails. A few years ago, vishing was hard to pull off – but with the help of AI, and deepfake technology, these scams are now much more effective.

A hacker might use an AI voice that sounds exactly like one of your loved ones. They will use this voice to phone you up, and engage in a conversation. At the end of the conversation, they might ask a quick question: "by the way, can you remind me of my PIN number?"

One of the most extreme examples of AI vishing took place in Hong Kong, at the start of 2024.

An employee at a company was invited to a video call with a number of senior colleagues. One of these colleagues asked the employee to transfer several million dollars from one account to another. But this colleague (and all of the others in the call) was actually an AI deepfake.

As incidents like this get more and more common, new strategies will need to be implemented. For example, maybe you could establish a safe-word with your friends, family, and colleagues. If they ask you for something like a password, or a bank transfer, get them to confirm this safe-word before proceeding.

Alternatively, you could ask them a personal question that a scammer wouldn't know the answer to. “Sure, I’ll tell you that information… but first, do you remember how we met?”


On a more positive note, AI is also being used to improve our defenses against cyber attacks. It can analyze huge amounts of data for threats, which means our cybersecurity solutions are getting better at spotting and stopping risks.

For example, towards the end of 2023, Google added a new AI spam filter to Gmail. It detects phishing emails almost 40% better than before.

Ultimately, cybersecurity is a battleground. On one side, hackers are using new technologies to improve their attacks. But on the other side, companies are using these technologies to build more powerful defenses.

Case study: Vishing

The following text is a fictional article about a real-life vishing attack.

Employee Targeted By Deepfake
April 11, 2024

This week, an unsuspecting LastPass employee found himself at the center of a vishing scam.

The employee, whose identity remains confidential, was targeted by a scammer using advanced deepfake technology. The scammer, posing as the CEO of LastPass, tried to trick the employee into revealing company information.

The scammer approached the employee over WhatsApp, using urgent voice notes and messages.

The employee found it suspicious that the messages were sent over WhatsApp, rather than usual working channels.

They also noticed forced urgency in the messages, a common hallmark of social engineering.

"Our employee rightly ignored the messages and reported the incident to our internal security team," said LastPass in a public statement. "There was no impact to our company. However, we did want to share this incident to raise awareness."

In the case of LastPass, the vishing attempt was unsuccessful, but other companies have been caught out.

In February, Hong Kong police reported a deepfake video call that convinced an employee at a multinational firm to send fraudsters $25 million.

This video call had a number of attendees, including the chief financial officer and other senior staff members. But all of these attendees were deepfaked, apart from the one employee targeted by the high-tech scam.