Updated: Oct 5, 2021
Part one of my four-week cybersecurity awareness series.
Did you know October is Cybersecurity Awareness Month? This October, I'll be publishing weekly posts with my top security tips to help you stay secure online!
With the number of internet threats increasing each day, it's more important than ever to secure your online accounts. Too often we think, "my account won't get hacked" or "there's no way my identity will get stolen", and then one day it happens and we're left anxious and paranoid trying to pick up the pieces and repair the damage.
Cybersecurity can't be up to just the trained security professionals. It's everyone's responsibility, especially when it comes to protecting your personal, health, and financial information. As a cybersecurity professional myself, I know how important it is to spread awareness and tips to help non-tech, everyday people stay secure online, which is why I'll be sharing my top 12 tips throughout the month.
Through this four-part series, I hope to give you some of the basic information you need to secure your online presence and prevent you from falling victim to any one of the 3 billion phishing emails sent daily.
Tip #1: Always check the sender address and URL in emails you're unsure about.
If you're reading this, you definitely have an email address, which means you've definitely received numerous spam and phishing emails. While many of them probably get caught in your junk email, preventing you from ever seeing them, sometimes one makes it into your inbox, leaving you wondering if it's legit or not.
When you're unsure of the legitimacy of an email, there are two things you can do to help verify if it's a scam or not.
First, check the sender email address. Malicious senders can easily spoof the display name to make it look like the email came from a trusted person or company. I'm sure you've received emails in the past where the display name is "Apple" or "Amazon" claiming you need to reset your password or confirm an order. Unfortunately, many people fall for this because they blindly trust that the email did come from Apple or Amazon. Actually validating this is as easy as checking the sender email address. In the browser, this is usually viewable as shown below:
If you're on a smartphone, you'll likely have to click on the display name to open up the view that shows the sender address. This is what it looks like from the Mail app on iOS. By clicking on the display name, the full contact opens up which shows the sending email address.
Double-checking this information prior to clicking on links or attachments is the best thing you can do to validate the legitimacy of the email. If the sending email doesn't look professional, comes from an unexpected domain, or is simply a bunch of gibberish, report the email as junk!
The second way to validate an email is to check the URL of a link before you actually open the site in a browser. Similar to how a display name can be spoofed, hyperlinks can be edited to look like they will take you to a legitimate site. They can also be embedded in buttons or images, so it's important to validate those and avoid blindly clicking on them.
To check the actual URL of a hyperlink or button, right-click on it and select "Copy link" or "Copy hyperlink". The verbiage varies but should be similar to either of those options. In some cases, simply hovering over the link or button will show the full URL. This makes it even easier to see if the Microsoft or Google email you received is really directing you to Microsoft.com or Google.com.
If you've copied the link to your clipboard, open a text editor of your choice — Notepad, Word, etc. — or open your Notes app on your smartphone. Paste the link and determine if the URL is in fact legit. Sometimes it might not be obvious, so the best next step is to Google it or use a domain reputation checker to help you confirm if it's real or a scam. You can simply search, "is example.com legit", or use a site like URLVoid.com to scan the website for you.
If you do one or both of these things when you aren't sure about the legitimacy of an email you receive, you'll likely catch most, if not all, of the phishing emails you receive. And if you do both of these things and still aren't sure, mark the email as spam and delete it. When in doubt, it's best to ignore it because odds are, it's a malicious email.
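As an added example (not part of the original post), here is a small Python helper that performs the two checks above on a pasted link and on a From header: it shows the host a browser would actually connect to and compares it with the brand the email claims to be from. The brand-to-domain table, the sample addresses and the sample links are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed, illustrative allowlist: which real domain each brand is expected to use.
EXPECTED_DOMAINS = {"microsoft": "microsoft.com", "google": "google.com",
                    "apple": "apple.com", "amazon": "amazon.com"}

def registrable_domain(host):
    """Last two labels of a hostname. Assumption: .com-style names, not co.uk-style."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def link_verdict(url, claimed_brand):
    """Where does a pasted link really go, compared with the brand the email claims?"""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # what the browser actually connects to
    findings = []
    if parts.username is not None:       # 'brand.com@other.example': text before @ is not the site
        findings.append(f"text before '@' ({parts.username!r}) is not the site")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode hostname (look-alike characters)")
    if host.replace(".", "").isdigit():
        findings.append("hostname is a raw IP address")
    expected = EXPECTED_DOMAINS.get(claimed_brand.lower())
    actual = registrable_domain(host)
    if expected and actual != expected:  # 'microsoft.com.other.example' really is other.example
        findings.append(f"link goes to {actual}, not {expected}")
    return {"host": host, "domain": actual, "findings": findings,
            "suspicious": bool(findings)}

def sender_verdict(from_header, claimed_brand):
    """Does the address behind the display name belong to the brand it claims?"""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    expected = EXPECTED_DOMAINS.get(claimed_brand.lower())
    mismatch = expected is not None and registrable_domain(domain) != expected
    return {"display_name": name, "domain": domain, "suspicious": mismatch}

if __name__ == "__main__":
    # Constructed sample values (RFC 2606 .example names, TEST-NET-2 address).
    print(sender_verdict('"Apple Support" <no-reply@appleid-verify.example>', "Apple"))
    print(link_verdict("https://microsoft.com.account-verify.example/login", "Microsoft"))
    print(link_verdict("https://microsoft.com@198.51.100.7/", "Microsoft"))
    print(link_verdict("https://www.microsoft.com/security", "Microsoft"))
```

The `findings` list is the part worth reading: it spells out why a link that starts with a familiar brand name can still land somewhere else entirely.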
Tip #2: Always mark malicious emails as spam.
Piggybacking off of tip #1, let’s cover why it’s important to mark malicious email that makes it into your inbox as spam. You might be wondering, why? What good will that do if the email already made it to my inbox? Reporting emails as spam helps the email providers better categorize the same or similar emails in the future.
Email providers like Google, Microsoft, Yahoo, etc. analyze sender addresses, hostnames, and IPs along with the contents of every email that passes through their servers. They're constantly looking for indicators that an email is suspicious or malicious, and anything that gets flagged is sent to your junk folder. Unfortunately, new phishing domains and malicious files are created all day, every day, so it's kind of impossible for email providers to keep up. Marking emails you receive as spam basically lets them know, "hey, you delivered a spam email to me. You should block this next time."
Doing so will ensure the various sender details and email contents are re-analyzed and properly categorized so the same or similar emails are marked as spam in the future.
Tip #3: Never respond to requests for personal information via email.
Too often people receive an email claiming they need to confirm personal information or provide details for some reason or another, and they respond to the sender with the information they're asking for. Whether the email is from a legitimate sender or not, you should never send personal details via email unless it's being sent via an encrypted channel.
Oftentimes if a bank or healthcare provider needs you to confirm personal information, they'll have you do so via a "secure send", where you have to enter a key or password to access a portal where you can share the information with them. This is the only time you should share details like your social security number, insurance details, account numbers, or other sensitive information.
What if it's my bank or doctor's office? You have a few options:
Send the email in encrypted or confidential mode. Most email providers have a secure send feature built-in, so simply search how to do it for your respective provider.
Call the sender. Tell them you'd rather not email personal details and have them update your record while you're on the phone with them. Even if they write the information down to enter into your profile at a later time, they have a duty to either shred the piece of paper or file it away under lock and key.
Providing personal information via email, especially banking information, social security numbers, or passwords is a big no-no, as emails can be easily intercepted or eavesdropped on. If the information isn't properly protected, a malicious individual can easily steal it and then use it to commit cybercrime like fraud or identity theft.
Here are the first three cyber tips for cybersecurity awareness month:
Not sure about an email? Check the sender address and URL before clicking any links or responding to the email.
Always mark malicious emails as spam or junk. This helps email providers like Google and Microsoft to identify similar scams in the future.
Never respond to requests for personal information via email unless it's being sent in a secure manner (via encryption).