Technology Training
Security
April, 2017

Agenda:
• Introduction
• Definitions
• Computer Security / Fraud Prevention
• Recognizing and Avoiding Fraud Schemes
• Phishing Examples
• Other Safeguards
• AARP Recommendations
• Questions/Discussion

If you have questions or need help:
Email: LH.TECH@outlook.com
Cell Phone: (612) 812-2205
Training Documents: go to docs.com/leonhoffmann

Next Training Session (mark your calendars)
Date | Topic
Thursday, April 20 | Security
Thursday, April 27 | Security
Thursday, May 18 | Windows 10
Thursday, May 25 | Windows 10
Thursday, June 18 | iPad/iPhone Apps – Music, Movies, Games
Thursday, June 28 | iPad/iPhone Apps – Music, Movies, Games
Thursday, July 20 | iPad/iPhone Apps – Camera & Photos
Thursday, July 27 | iPad/iPhone Apps – Camera & Photos

New Technology Training Schedule: 1 PM on the 3rd and 4th Thursday. One hour after training (2 PM to 3 PM) is reserved for follow-up questions and discussions.

Technology Training – Security 1

Introduction
It is easy to become a victim of fraud, but you can avoid fraud schemes if you are aware of the tactics schemers use, take a few simple steps to protect yourself and know what to do if someone makes you a victim. This document has hints to help you do that.

History of Computer Bugs, Viruses, Malware and Phishing:
• Thomas Edison first used the term bug in 1878. He called bugs “little faults and difficulties that arise while working…”. Computer scientist and pioneer Grace Hopper (Harvard University) was the first person to associate the word “bug” with computers in 1947. She traced an error on the Mark II electromechanical computer to a moth trapped in a computer relay and coined “bug” to mean a computer error or glitch.
• While fraud has been around since the birth of humans, it increased significantly as we invented more methods of communication. The US Mail and telephone became the first tools used for fraud. The birth of email and the internet in the 1990s gave access to millions of computers around the world. It did not take long for mischievous people to figure out how to hack into and infect or steal information from these computers. Soon the “bug” vocabulary expanded to include words like virus, phishing and malware to define different types of computer attacks and fraud schemes.
• While many schemes today occur via email or computer, personal information available on the internet has improved a schemer’s ability to learn more about people and has therefore caused a resurgence of fraud schemes via US mail and telephone.

Software Provider Awareness and Prevention:
The software industry has struggled to stay ahead of hackers and prevent attacks. However, considering the number of would-be schemers, they have done a superior job of protecting computer systems. Less than 10% of computer hacks and fraud cases are due to software weaknesses. Today, software companies hire hackers to break their systems in the hope of finding and patching holes before malicious hackers can exploit them. Still, hackers find ways to get through or around software preventive measures.

User Awareness:
In a January 2016 study, researchers simulated a phishing scheme in an email to 1,700 recipients. The email had links to pictures from a New Year’s Eve party. 56% of the recipients clicked the link, and 78% admitted they were aware of phishing schemes and the related security risks of email links but clicked the link anyway out of curiosity. Studies show that users trigger 90% of all virus attacks or fraud schemes by taking an ill-advised action. Schemers take advantage of us by appealing to our curiosity or by using scare tactics to lower our defenses. So, acute awareness, preventive actions and the correct reaction when subjected to a scheme are critical factors in avoiding fraud schemes.
Definitions:

Viruses: Programs that negatively affect a computer or its contents with the aim to:
• Corrupt the operating system or run programs to consume computer memory.
• Install programs to launch attacks on others or send many emails to contacts.
• Delete or make files inaccessible and require a payment to recover the files.

Spyware and Adware: Small programs that lurk behind the scenes to track keystrokes and usage history to get information about you. Spyware or Adware may:
• Capture web browsing habits to enable offerings of focused marketing.
• Offer misleading info or alerts with links to unsafe websites or malicious software.
• Track keystrokes to steal your identity, user names and passwords.

Malware: Software designed for malicious intent (includes spyware, adware and viruses).

Phishing: These schemes aim to steal your identity or money, and may occur via US mail, phone call, internet or email. They use threats or enticements to get you to:
• Buy something that is useless or overpriced, or install malicious software.
• Give them personal information (identity, email, credit card, banking info) with the goal of breaking into your account or selling your information on the Deep Web.

Sniffing: Sniffers mechanically cruise the web and public Wi-Fi networks to capture email addresses, user names, passwords and other personal information.

Deep Web: Non-searchable websites used for illegal business activities like selling stolen credit cards, email addresses, user names, passwords, illegal firearms, drugs, etc.

Cookie: A cookie is a small amount of data like login information, preferences or settings generated by a website and saved on your computer by the browser. Cookies are helpful, not dangerous. Without cookies, you would need to enter this information every time you visit the site. Privacy concerns are minimal, but you can turn cookies off if you prefer.
URL (Uniform Resource Locator): Specifies a web page address expressed as http://www.companyname.com. There are many URL suffixes to differentiate countries (.eu, .de, .nl, etc.), government (.gov), non-profit (.org) and educational (.edu) sites.

IP Address: An Internet Protocol address is a unique numerical label assigned to devices or web pages that communicate via the Internet. All websites, computers, printers, routers and other devices connected to the internet have a dynamic or static IP address.

Secure SSL site: SSL site addresses start with https instead of http, a web protocol used by reputable websites to ensure encrypted and secure data entry. Anyone can set up an https site; however, trusted https sites must have an SSL certificate and IP address authorized by a Certificate Authority. Browsers verify https sites with trusted certificates and warn users of sites not authorized by a trusted Certificate Authority.

Computer Security / Fraud Prevention (things that can reduce the risk of attack)

Manage and Update Software.
• Out of date software makes a computer vulnerable to hackers. Many updates fix security issues, so out of date systems leave weaknesses for hackers to exploit. Set your operating system to update automatically. Also, go to Settings > Update & Security > Windows Update > Advanced Options to get updates for other Microsoft products and use your sign-in to automatically finish installing updates. For Apple, occasionally check the App Store to be sure you have the most recent updates.
• Install only software you need. Unnecessary software makes updates more difficult, makes your computer more susceptible to hacks and may slow your system. Use the operating system’s preinstalled browser rather than a third-party browser (Edge on Windows 10, Safari on Apple and Chrome on Android).
• Discourage use of browser plug-ins like Ask, Java & Adobe Flash. Out of date plug-ins create security risks, and some plug-ins are really tracking software or adware.

Computer Protection. Protect your computer to reduce exposure and risk from malicious attacks.
• Install Anti-Virus Software. Use Windows Defender (preinstalled on Windows 10). For other operating systems, install Avira, AVG, Avast, BitDefender, McAfee or Symantec.
• Lock the computer when not present. Go to Start > Power > Sleep/Shut Down.
• Design and Use Passwords Wisely. Do not make it easy for hackers to figure them out.
  • Complexity. Do not use passwords like 12345, children’s/spouse’s names, birthdates or simple patterns. Mix in upper and lower case letters, numbers and symbols.
  • Phrases. Phrases of 16+ characters are hard to crack and easier to remember. Examples: mycatlikesgarfield or allintensivepurposes or boydoihatepolitics! Make it difficult by adding capital letters, numbers or symbols. Example: BoyDo1H@tePo1t1cs!
  • Unique passwords. Do not use the same password on your bank, credit card, shopping, or other websites with personal information that could lead to identity theft if someone hacked a site. One site hack would make all sites vulnerable.
  • Reduce the Number of Passwords. Use one password for web sites like ESPN, TV Guide or AllRecipes where you want a user account to save settings or preferences but the site would not give a hacker the information they need to steal your identity.
  • Password Manager. Use a software program to manage and remember your passwords. Password manager options are: LastPass, 1Password, Enpass, OneLocker and others. Apple and Windows operating systems can also manage passwords, but do not use this feature unless you use Two Factor Authentication.
• Two Factor Authentication (TFA). Most software manufacturers and websites like Microsoft, Apple, Google, Amazon, etc. offer TFA account settings. With TFA, all first-time logins must be preauthorized via a code sent to a text-enabled phone or email address. A user must enter the user name and password plus a TFA code to log in. This prevents unauthorized logins because a hacker could not get the code.
• Biometrics. Use Apple ID or Microsoft Account and fingerprint, iris or face recognition.
• Set data files to back up automatically to the cloud. Cloud backups protect data in case of a lost or destroyed device and make it easier to synchronize files with a new computer. Use a second cloud service or an external drive as a secondary backup.
• Be a skeptic. It can be difficult to recognize a fraud scheme. When in doubt, assume the worst. It is better to be safe than sorry. If you still believe a person or company contacting you is real, call back at a number you know is correct, or enter the website address that you know is correct directly in the browser.

Public Wi-Fi Safety: Certain measures can improve safety on a public Wi-Fi network.
• Turn off Wi-Fi Sense. Do not connect automatically to public Wi-Fi networks.
• Two Factor Authentication (TFA). Make it very difficult for a hacker to access accounts.
• Turn Off Guest/Public Network Discovery & File Sharing.
  • Windows: go to Settings > Network and Internet > Wi-Fi > Change Advanced Sharing Options > expand the Guest or Public section and turn off the sharing options.
  • Apple Mac: go to System Preferences > Sharing and uncheck all the boxes, and turn off Network Discovery ("stealth mode") under the firewall’s advanced settings.
• Firewalls. These are on by default; do not turn them off.
• Virtual Private Network (VPN). A VPN creates a private tunnel to the internet, masks your IP address and encrypts data sent over the internet. VPN services like ExpressVPN, PureVPN & NordVPN cost $5-$10 per month.
• HTTPS/SSL. Enter confidential data (credit card, user name, password) only on https:// sites.
• Encrypt Data Files. If not using a VPN, use Apple FileVault or Windows BitLocker to encrypt computer files. Encryption may make it more difficult to recover files. Instead of encrypting all files, you may choose to selectively assign encrypted secure passwords only to sensitive documents (Office, Quicken, etc.). Use a secure password, because the document is still only as secure as the password.

Recognizing and Avoiding Fraud Schemes.
Fraud may occur via computer pop up, email, US mail, or phone. Schemers use different tactics to draw you in. If in doubt about whether it is real, always assume it is a scheme.
• Some schemers are sloppy and obvious. Expect a scheme if an email has misspellings, bad grammar or is generic. Some may look professional, but if you look closely you may spot telltale signs. Even if it looks legitimate, always carefully examine email links. See more about email links in the Email Schemes section below.
• Some schemers are smart. They get information about you on Facebook, genealogy or other websites or from family. Then, in an email or conversation with you, they divulge some of that information so you believe they are real. Never divulge personal information about you or loved ones unless you are certain you know the person contacting you. The SSA, Medicare, IRS, FBI, Police or any reputable company will NEVER contact you to scare or threaten you or ask for money or personal information.
• Schemers know we are curious creatures and that we do not think clearly when pressured, threatened or scared; so, they often use enticement or scare tactics to draw you in. Some may appeal to your better side and take a very friendly approach.
90% of fraud occurs because we react to the schemer’s tactics. Receiving a phone call, letter or email does not make you a victim, but how you react might. So stop, think and then act rationally. If you are not sure, ask an expert, delete the email or hang up the phone.

Following are some of the common tactics used by schemers.
• You won a contest! I need your personal information so I can send you a gift.
• Your account is not working.
I need to confirm your account information to fix it.
• I am calling because someone else is using or making charges to your account. I need to reset your personal information to stop the fraudulent use.
• Your account has been disabled and I need your login information to restore it.
• There is a fraud charge on your account. I need your info to reverse the charges.
• We are contacting you on behalf of Microsoft or Apple to fix your computer.
• Your computer is infected or is not functioning properly and will shut down or be unusable unless you call now.
• Click the link to get updates on a disaster or news story, or to make a contribution.
• Local police call to say that your son/daughter was kidnapped or injured in an accident.
• They may think of dozens of other reasons to contact you.
Regardless of what they say and how they ask, do not believe them and do not give them any information, even if you think it might be real. Remember that no reputable organization or company would EVER contact you in this way.

Email Schemes.
• Email attachments. May include executable files, viruses or malware. If you are not sure about the file, remove it from your system. Do not take the risk.
  • Be wary of any email attachment, especially from an unknown source. Even emails from someone you know could be dangerous if a hacker breached their computer and is sending malicious emails from that computer without the owner’s knowledge. If not sure, do not open it. Contact the sender to verify they sent it.
  • Never open a file attachment where the name ends with .exe, .scr or .zip (dmg, qtz or zip on Mac). These are executable files that may install malicious programs.
• Email Links.
  • You may receive an official looking email with links that, when clicked, install malicious software or take you to an unsafe website. Never trust or click email links unless you are certain of the source, even if the website looks official.
  • Evaluate links. Move the mouse pointer over the email link to see the address in a popup. Watch for links with an IP address (a number like 126.96.36.199), misspellings in the name, one letter missing or added, or added prefixes or suffixes like Amzon.com, Amazon1.com, Amazan.com or any variation thereof. Enter the address directly in the browser or use a shortcut you know is safe.
  • Do not click “Unsubscribe” on potentially unsafe emails. That will alert them that your email address is legitimate, so they get more money when they sell it on the deep web.

Unsafe websites. Reputable companies use the secure internet protocol for their websites. If a website does not follow this protocol, exit the site and never enter personal data.
• SSL Secure Sites. An SSL secured URL will start with HTTPS and the address bar will include a lock sign (see samples at right).
• If a site you are visiting is not SSL secure, or you receive a warning that an https site certificate is not trusted, do not enter personal information and be very careful before clicking an advertisement or file download link. You risk triggering a phishing pop up, a sniffer capture of your computer IP, email address, user name or password, or a malware download that could be very harmful.
• Report unsafe or phishing websites and emails. Most browsers and email systems offer ways to report suspicious sites or flag email as Junk. When you flag emails as junk, it trains the email provider’s system to filter future messages from that sender.

Software Downloads.
• Only download software from known and reliable sites like a manufacturer’s official site or from a reliable software reseller like Amazon.
• Never click on a download banner or link on an unfamiliar site. Many of these links download a package bundled with adware or malware.
• When installing a program, the installer may ask if it is okay to install other programs or to change your default internet browser. Uncheck the boxes agreeing to this so these other programs do not install. See sample above.

Phishing Examples.

Internet pop ups – Microsoft or Apple impersonation schemes.
• A pop up says your computer has a virus, is infected, needs updating or cleaning, or has an operating system problem and will shut down and be unusable if you do nothing. Some play a loud and irritating voice recording.
• Some claim to be working with Microsoft or Apple, often sounding very official. Microsoft and Apple offer operating system updates and never contract with others to fix a problem.
• The message may say to call an 8XX number. When you call, they offer to fix the problem for a fee, and may offer a warranty which you can pay with your credit or bank debit card.
• These pop ups can be scary, but without exception, these are always schemes! Never call them or give them your credit card or personal information, and never let them connect to your computer.

Kidnapping Schemes.
• A schemer contacts a family member or uses the internet or Facebook to get personal information. Then they call you saying the family member was kidnapped and ask for a ransom. They recite personal things about the family member to make you believe them. They may threaten to kill or maim your family member if you do not pay.

FBI or Police Impersonation Schemes:
A caller says you bought something illegally and you need to pay a fine or face arrest; or they say they are investigating a local or international crime and need your help. The caller may give some information about you so you believe they are real, and they may even use the real names of local police officials. The caller may ask you to get a gift card and call back for further instructions, or pay money using a bank debit card or credit card, or ask you for personal information like your address, spouse’s name, social security number, driver’s license, etc. These are fraud or identity theft schemes. The FBI or police will NEVER call you. If there is a serious problem they will visit you in person. If still in doubt, call the local police and tell them about your experience.

IRS Impersonation Schemes:
The caller claims to be with the IRS, saying you have a tax return or tax payment that is past due, or you made an error, or there is a problem with a recent payment. They may threaten you with fines or penalties if you do not pay at once and ask for your credit card or bank debit number to take care of the problem. Or, as in many fraud schemes, they may divulge some personal information about you that they got on the internet so you think they are real, and then ask you for more information like address, credit card, social security number, etc. to steal your identity. The IRS will NEVER contact you or ask you for payment over the phone or via email. IRS payment requests are always by US mail. If you get one of these calls, hang up.
Note: The IRS may hire private collectors to collect past due taxes. However, they will always contact you by mail first, so you will know beforehand if you owe money. Regardless of how they contact you, only make payments directly to the IRS or US Treasury at a valid IRS address, never to a third-party collector or anyone else.

Lottery Schemes.
You receive a call or email message saying you won the lottery or a sweepstakes. They may ask for your bank debit card so they can deposit your check directly. Again, they may recite some personal information about you that they got somewhere on the internet so they seem like a real company.

Internet Freebies and Other Ruses:
Be aware of free offers. Do not click on anything unless you know what it is. If you click what you think is a link to a legitimate site, review the address to be sure it is not a trick. For example, schemers may impersonate Amazon.com or Apple.com by misspelling the name in the URL or by adding a prefix or suffix to the URL.
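The hover-over-the-link check and the URL tricks just described (bare IP addresses, one letter off, added prefixes or suffixes, a real name buried as a subdomain, link text that does not match the real destination) can be automated. The following is an added example, not part of the training handout; the trusted-domain list, the sample email and the 198.51.100.7 / account-verify.example addresses in it are constructed for illustration.

```python
"""Automated version of the 'hover and read the address' check for email links."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sites the reader actually uses.  Assumption: in practice this list comes from
# the user's own bookmarks or password manager, never from the email itself.
TRUSTED_DOMAINS = ("amazon.com", "apple.com", "irs.gov", "microsoft.com")

# Constructed sample message mixing one safe link with four look-alikes.
SAMPLE_EMAIL = """
<p>Your order has a problem. <a href="http://198.51.100.7/login">Sign in</a>
to fix it, or visit <a href="https://www.amazan.com/">www.amazon.com</a>.
See also <a href="https://amazon1.com/deal">Amazon deals</a>,
<a href="https://amazon.com.account-verify.example/">amazon.com</a>,
and <a href="https://www.amazon.com/orders">your orders</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: www.amazon.com -> amazon.com.
    Assumption: adequate for .com/.gov; use a public-suffix list for .co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter-off names (Amazan, Amzon)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate_link(href, text=""):
    """Return the list of warnings for one link; an empty list means no finding."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return ["unusual scheme %r" % parsed.scheme]
    try:
        ipaddress.ip_address(host)          # a number like 126.96.36.199 in the handout
        return ["link goes to a bare IP address"]
    except ValueError:
        pass
    warnings = []
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        if parsed.scheme != "https":
            warnings.append("trusted site reached over plain http")
    else:
        brand = domain.split(".")[0]
        for trusted in TRUSTED_DOMAINS:
            tbrand = trusted.split(".")[0]
            if "." + trusted + "." in "." + host + ".":      # amazon.com.<something>
                warnings.append("%s appears as a subdomain of %s" % (trusted, domain))
            elif tbrand in brand and brand != tbrand:         # amazon1.com, my-amazon.com
                warnings.append("%s adds a prefix/suffix to %s" % (domain, trusted))
            elif edit_distance(brand, tbrand) <= 2:           # amazan.com, amzon.com
                warnings.append("%s is one or two letters off from %s" % (domain, trusted))
    shown = text.lower()                                      # what the reader sees
    for trusted in TRUSTED_DOMAINS:
        if trusted in shown and domain != trusted:
            warnings.append("text shows %s but link goes to %s" % (trusted, domain))
    return warnings


def suspicious_links(html):
    """Map every flagged href in an email body to its list of warnings."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = {}
    for href, text in collector.links:
        found = evaluate_link(href, text)
        if found:
            flagged[href] = found
    return flagged


if __name__ == "__main__":
    for href, found in suspicious_links(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(found))
```

Run as a script, it prints the four look-alike links from the sample with the reason each was flagged and stays silent on the genuine www.amazon.com link. The brand checks are deliberately loose: an unknown domain that merely resembles a trusted one is reported so the reader can type the real address by hand, which is the handout's advice in either case.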
If you want to go to the site, enter the address directly in the browser or use a saved shortcut that you know is safe. You are likely to see the same information on the real site if it is real.

Other Safeguards.
Hackers try to get information about you through social media, genealogy or other websites. Their goal is to learn enough about you so they may pose as you online, with banks or with credit card companies, or trick you into thinking they are legitimate. You can reduce the likelihood of schemers getting your information by taking extra care and managing your online exposure. The information below is a guide and not legal or accounting advice. Contact an attorney or accountant to discuss what is right for you.
• Social Media. Use care on social media. Default settings often have global visibility, which is fine if you are a company promoting products but not for a person. Do not globally share personal information like birthday, age, children’s names, address, etc.
• Public Wi-Fi. Do not use public Wi-Fi for confidential transactions unless you protect your computer with a VPN. Sniffers can hack into unencrypted networks to capture data transmissions, including passwords, user names or account information.
• Simplify. Have one bank account, one or two credit cards and one investment account so you have fewer accounts, user names and passwords to manage.
• Banking Alerts. Set up email or text alerts for credit cards and bank accounts. Banks deliver alerts within seconds of processing a charge to your account. Knowing who charged your account and when can give peace of mind; and, if charged illegally, a quick response may reduce the likelihood and risk of excessive invalid charges.
• Documentation of Technology Holdings.
  • Healthcare Directive and Power of Attorney. Specify who and how you want to manage your healthcare & estate, including technology/digital assets & accounts.
  • Revocable Trust. If you have assets large enough to require probate upon death, consider a revocable trust. A Revocable Trust ensures assets pass to heirs without probate (a public and costly process) and a smoother transition when you need a trustee/co-trustees to help you manage your affairs. A Trust document may more extensively specify how and who you want to manage technology assets.
  • Document personal information. Keep it in a secure locked location. If you can no longer manage your affairs, give this to your POA or Trustee for safekeeping.
    • Home Address, Date of Birth, Social Security Number
    • IRA/401K/Pension – Account name and number, investment manager, beneficiary
    • Bank/Investment Accounts + Agent – Name, account type, phone, mailing address, email, account & PIN No.
    • Rental or other deposits – Amount and supporting documents showing conditions on deposits
    • Attorney – Phone, mailing address, email
    • Social Security, Account information like mother’s birth name, place of birth and other
    • Medicare Supplemental and Dental Insurance Policy Details, Agent
    • Property or Life Insurance: Policy coverage summary, property covered, company, agent, phone, email
    • Location of Critical Documents: Will, Revocable Trust, POA, Healthcare Directive, Birth Certificate, Marriage License, Social Security Card, medical, financial and tax records, Tax Return PIN for electronic filing
    • Location of original and backup computer records and instructions on how to access them.
    • List of all User Names and Passwords.
      Account/Website | User Name | Password | Password Hints or PIN
      Bank, IRA & Investment Accts | | |
      Credit card | | |
      Email addresses | | |
      Desktop or laptop Computer login | | |
      Shopping websites | | |
      Bill payment accounts | | |
      Social Security, Medicare info | | |
      Insurance accounts | | |
      All other online accounts | | |
  • Instructions on what to do at death if not included in legal documents. This includes the following and more:
    • How you want affairs and accounts handled. Show unique characteristics for any of the above accounts.
    • Preferred burial method and location if reserved in advance
    • Change IRA/401K/Pension to Beneficiary (notify of death)
    • Contact Attorney/Accountant – File Estate Tax Returns
    • Cancel medical, drug, dental, home/rental/auto insurance (after selling car)
    • Cancel apartment lease, paper, utilities, credit card; combine or close bank accounts
    • Cancel online accounts (e.g. Facebook, NetFlix, Office 365 and others)

What to do if you are a victim of fraud, identity theft or a computer attack?

Disconnect from the internet or shut down the computer.
• Unplug the internet cable or, if wireless, disconnect the wireless router or click on the connection icon in the system tray and click turn off wireless.
• If a normal shut down does not work, push and hold the power button until it shuts down. If that also does not work, as a last resort, unplug the power. If it is a laptop you may need to remove the battery to get a complete shutdown.

Fix the problem as outlined here or call a technology expert to help.
• Open Windows Task Manager, find the intruding program and click End Task.
• Open Control Panel > Uninstall a Program and uninstall unauthorized programs.
• Run a “Full” virus scan. This may take some time to complete.

If you are a victim of fraud or identity theft, go to FTC.gov or aarp.org/money/schemes-fraud/fraud-watch-network to learn more and what to do next. For IRS fraud go to the Treasury Inspector General at treasury.gov/tigta or call 800-366-4484. Report IRS schemes by email at firstname.lastname@example.org.

AARP Recommendations:
• Leave nothing of value in your car to tempt thieves: not a wallet, laptop or mobile device.
• Do not toss sensitive documents in the trash or recycling bin; shred them first. Use a micro-cut shredder, the kind that shreds documents into confetti.
• Secure your smartphone and computer with passwords and lock them when not in use. For passwords, consider a phrase, something easy to remember & hard to crack.
• Use strong passwords to protect financial accounts. Consider a longer, easier to remember phrase rather than just a passcode or password. Longer phrases are harder to crack.
• Do not share your Social Security number unnecessarily. Only share it for tax reasons, obtaining credit, and to verify employment.
• Do not carry your Medicare card unless on your way to a health care appointment. Instead, make a copy and black out all but the last four digits. This is enough information for a provider to get started in case of emergency.
• Use a gel pen to write checks. Thieves can wash off ballpoint pen ink and rewrite a check.
• Do not give out personal information over the phone, over the internet or through regular mail unless you initiated that contact. If you receive a communication from someone claiming to be your financial institution, do not respond. Instead, contact the institution with a number or website address you know to be correct.
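The "longer phrases are harder to crack" advice in the AARP list, and the Phrases item under Design and Use Passwords Wisely earlier in the handout, can be put in numbers. The following is an added example, not part of the handout or of AARP's material; the brute-force model (every combination of the character classes used, tried at an assumed 10 billion guesses per second against a leaked password hash) and the tiny common-password list are constructed assumptions for illustration.

```python
"""Rough guessing-effort comparison for the password styles discussed above."""
import math
import string

# Assumed offline attack speed against a leaked hash: a constructed round figure,
# not a measurement; real rates depend on the hash type and hardware.
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for the lists attackers try first; real lists have millions.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein"}

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw):
    """Size of the alphabet an attacker must cover: each class used adds its symbols."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)      # 32 printable ASCII symbols
    return size


def entropy_bits(pw):
    """Brute-force entropy: length * log2(alphabet).  Length multiplies, so a long
    lowercase phrase outscores a short password built from every class."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def crack_years(pw):
    """Expected years to find the password by exhausting half the space."""
    return (2 ** entropy_bits(pw) / 2) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def assess(pw):
    """Apply the handout's rules: never a common password; 16+ characters preferred;
    mixed classes add strength.  Returns (bits, verdict)."""
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0, "reject: on a common-password list"
    bits = entropy_bits(pw)
    if len(pw) >= 16 and bits >= 75:
        return bits, "strong"
    if bits >= 60:
        return bits, "acceptable"
    return bits, "weak"


def compare(candidates):
    """Return one (password, bits, verdict, years) row per candidate, strongest first."""
    rows = [(pw, *assess(pw), crack_years(pw)) for pw in candidates]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Examples from the handout plus one short 'complex' password for contrast.
    for pw, bits, verdict, years in compare(
        ["12345", "Tr0ub4d!", "mycatlikesgarfield", "allintensivepurposes", "BoyDo1H@tePo1t1cs!"]
    ):
        print("%-22s %6.1f bits  %-34s ~%.2g years" % (pw, bits, verdict, years))
```

The model answers only the brute-force question. A phrase made of a few dictionary words is weaker than its character count suggests, because an attacker who guesses whole words instead of letters searches a far smaller space; that is why the handout's own advice is to add capitals, numbers or symbols to the phrase (its BoyDo1H@tePo1t1cs! example) rather than rely on length alone.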