Tag: data security

HP integrates secure firmware practices into their enterprise laser printers

Article

HP adds protection against firmware attacks to enterprise printers | PC World

My Comments

An issue that has become a reality with dedicated-purpose devices like printers, network infrastructure hardware and the Internet Of Everything is making sure these devices run software that isn’t a threat to their users’ safety and security and the integrity of their users’ data.

Most device manufacturers tackle this through a regular software-update program but this requires users to download and deploy the newer firmware which is the software that runs these devices. It is also the same path where, in some cases, these devices acquire extra functionality. AVM, a German network-hardware manufacturer, took this further by providing automatic updating of their routers’ firmware so users don’t have to worry about making sure their router is up to date and secure.

But Hewlett-Packard have approached this issue from another angle by implementing watchdog procedures that make sure rogue software isn’t installed and running on their devices. Here, the printers implement a detection routine for unauthorised BIOS and firmware modifications in a similar manner to what is implemented with business-grade computers. This effort is based on their experience with developing regular computers including equipment pitched at business and government applications.

Here, the printer validates the integrity of its BIOS during the start-up phase and loads a clean known-to-be-good copy of the BIOS if the software in the machine is compromised. Then, when the machine loads its firmware, it uses code-signing to verify the integrity of that firmware in a similar manner to what is done with most desktop and mobile operating systems. The firmware also implements an activity checker that identifies if memory operations are “against the grain”, similar to well-bred endpoint-protection software. The watchdog software will cause the machine to restart from the known-to-be-good firmware if this happens.

Initially this functionality will be rolled out to this year’s LaserJet Enterprise printers and MFCs with any of the OfficeJet Enterprise X or LaserJet Enterprise machines made since 2011 being able to benefit from some of this functionality courtesy of a software update. There is a wish for this kind of functionality to trickle down to the consumer and small-business desktop printers that HP makes.

What I like about this is that HP has put forward the idea of continual software integrity checking in embedded and dedicated devices. This isn’t a cure-all for security issues but has to be considered along with a continual software-update cycle. Personally, these two mechanisms could be considered important for most dedicated-purpose device applications where compromised software can threaten personal safety, security or privacy, with the best example being Internet routers, modems and gateways.

What is this about “cyberflashing” and how to prevent it?

Taking control of local data-transfer functionality like AirDrop can help you avoid unwanted surprises

Article

Cyberflasher Airdrops rude images to victim’s iPhone | Naked Security (Sophos)

My Comments

A problem that has started to surface for Apple iOS users is the ability for someone to send gross images to strangers courtesy of the AirDrop feature that newer iterations of this platform have. Situations where this typically happened were when the offender and victim were on public transport or in public areas.

This feature makes it easy to share photos between iOS and MacOS X devices in a local area using Bluetooth and Wi-Fi technologies and provides a thumbnail image of incoming photos rather than a dialog box asking if you want to receive the image.

This was feasible with Android and other open-frame mobile operating systems courtesy of Bluetooth Object Push Profile, but these platforms, especially Android, hardened themselves against this by making your phone undiscoverable by default and providing a narrow time limit for having your phone discoverable by Bluetooth devices. As well, these platforms required your permission to start receiving the file and you didn’t see one bit of that file until you gave the go-ahead.

Android and Windows improved on this using a passcode that you and your correspondent exchange before a file is transferred and the NFC functionality that is part of recent Android versions requires you to physically touch the backs of the phones as part of instigating the data transfer.

The same situation may also crop up with Wi-Fi Aware, as it implements Bluetooth local discovery for ad-hoc Wi-Fi networks created by mobile devices. If this technology is used for transferring files, users will need to be able to take control of what notifications and files they receive on their devices.

Protecting yourself

A good practice to observe is to turn off the AirDrop feature unless you make regular use of it. Or, at least, set AirDrop’s discoverability settings to “Off” or “Contacts Only” rather than “Everyone” so that every man and his dog can’t discover your phone. You would turn this function on if you are expecting a photo from someone not yet in your Contacts List.

In some situations, you may have to disable Wi-Fi and Bluetooth unless you are actually using these features such as linking to a hotspot or using a Bluetooth headset.

You may find that changing your device’s identity to your initials or something innocuous rather than your first name may work wonders in these situations.

I would also prefer that any local data transfer or similar activity between users takes place in a manner where each participant can see each other. This may be at the same table in a café, restaurant or library, the same seating cluster in a lounge area, the same row of seats in a public-transport vehicle or a similar area of close proximity. As well, such activity should be preceded by relevant conversation.

What must be preserved

If a setup allows for local data transfer between computer devices using a wireless medium, there must be a way of allowing the users to confirm their intent to transfer the data between each other. This means that the sender and receiver know whom the data is coming from and to and must occur before a single bit of the actual data changes hands.

This may be through the sender exchanging a simple passcode to the receiver or requiring the devices to physically be near each other at the start of the data transmission. The latter solution may be in the form of NFC where the users touch the backs of their devices together, or a QR code shown on the sending device’s screen that the receiving device has to scan before transmission takes place.

If a user wants to simplify this process, they could create a “trusted recipients” list which can be their Contacts list or a separately-created list. Personally, I would use all of the “friends” in a social network as this list because that tends to encompass too many people and an account can too easily be compromised.

The same thing must also apply to social networks, online gaming and similar services where one user may want to enrol another user into their personal lists. This is more important if any of these services facilitate the transfer of files between users or support any form of instant messaging.

Pay-TV security technology is relevant for the Internet Of Things

An Internet-Of-Things sensor that would require regular software updates to be secure

Article

Content security vendors need to prevent babycam hacking nightmares | VideoNet

My Comments

A problem that will get worse in this day and age is weak security affecting home automation and security. This is based around easy-to-misconfigure hardware pitched at home users on a “set it and forget it” basis. It has led to consumer IP-based cameras being hacked and their content being thrown to undesirable Websites.

This is driven by a common mindset associated with devices sold to consumers, where the goal is to buy it, install it and use it without requiring the consumer to worry about it any further.

The Pay-TV ecosystem invests in and uses a high-security path to protect the expensive content such as the Hollywood blockbusters or the big-league sports that it provides to its subscribers. This is always evolved and updated to counteract new threats to this ecosystem and to handle new applications. They also used the “end-to-end” approach including supplying hardware to consumers and updating the software in this hardware automatically and without the consumer having to do anything extra.

Similarly, regular-computer setups have been made secure with Microsoft and Apple delivering security updates to Windows and MacOS X on a regular basis as threats come about. This is because of these systems having a heritage of being used in the business environment for a long time.

The article raised the concept of companies who provide home monitoring and allied services offering a turnkey installation and configuration service to their customers as a premium service or simply alerting customers to misconfigured hardware and hacking attempts if customers prefer to install their own hardware. They could use the Pay-TV technology to secure the content path between the cameras and the Web dashboards or mobile apps that the customers use.

“Blind updating”

AVM FRITZ!Box – self-updating firmware = secure network infrastructure

What I would like to see more of is the ability to patch network-infrastructure hardware in a similar manner to what is done with pay-TV, regular-computer operating systems and some cloud-hosted services. This is where security updates and patches are delivered and installed automatically to these devices. In some cases, it may be preferable to provide an interactive update process for major software versions that add or change a device’s functionality.

A good step in the right direction was AVM with their Fritz!Box routers where they introduced the concept of automatic software updating to this class of device when they released new firmware for the Fritz!Box 7490.

These processes will require manufacturers to implement software authentication and verification workflows and have their devices verify software updates before deploying them. This is to prevent the deployment of malware to these devices.
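An added example (not HP's or AVM's code) of the two checks described on this page: a device verifying a vendor signature before it deploys an update, and re-verifying at start-up with a fall-back to a known-good copy. It assumes RSA PKCS#1 v1.5 signatures over SHA-256 with a throwaway key built from the standard library; `Device`, `demo_keypair` and the sample images are hypothetical, and the memory-activity checker is not modelled.

```python
"""Added example: verify-before-deploy and boot-time fallback; all data is constructed."""
import hashlib
import hmac
import math
import secrets

# DER DigestInfo prefix for SHA-256 (RSASSA-PKCS1-v1_5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_prime(n, rounds=40):
    # Miller-Rabin; only used to make a throwaway demo key.
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if _is_prime(c):
            return c

def demo_keypair(bits=2048):
    """Vendor side: returns ((n, e), d) for a throwaway RSA key."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)

def _encode(image, k):
    # EMSA-PKCS1-v1_5 encoding of SHA-256(image), k bytes long.
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(pub, d, image):
    """Vendor side: sign a firmware image with the private exponent d."""
    k = (pub[0].bit_length() + 7) // 8
    return pow(int.from_bytes(_encode(image, k), "big"), d, pub[0]).to_bytes(k, "big")

def verify(pub, image, sig):
    """Device side: public key only; compares the whole encoded block, never parses padding."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _encode(image, k))

class Device:
    def __init__(self, vendor_pub, golden, golden_sig):
        self.pub = vendor_pub               # pinned at manufacture
        self.golden = (golden, golden_sig)  # write-protected recovery copy
        self.active = self.golden           # writable flash slot
        self.events = []

    def install_update(self, image, sig):
        # Verify BEFORE writing: an unsigned or altered image never reaches flash.
        if not verify(self.pub, image, sig):
            self.events.append("update rejected: bad signature")
            return False
        self.active = (image, sig)
        self.events.append("update installed")
        return True

    def boot(self):
        # Re-check at every start-up: flash may have been altered since install.
        if not verify(self.pub, *self.active):
            self.events.append("boot: active image invalid, golden copy restored")
            self.active = self.golden
        return self.active[0]

def demo():
    pub, d = demo_keypair(1024)  # short key only to keep the demo fast
    v1, v2 = b"firmware v1 (constructed)", b"firmware v2 (constructed)"
    dev = Device(pub, v1, sign(pub, d, v1))
    dev.install_update(v2, sign(pub, d, v2))         # genuine update
    dev.install_update(v2 + b"!", sign(pub, d, v2))  # altered in transit
    dev.active = (v2 + b"!", dev.active[1])          # flash altered later
    return dev.boot(), dev.events

if __name__ == "__main__":
    print(demo())
```

The update check and the boot check are separate on purpose: the first keeps a bad image out of flash, the second catches changes made to flash after a valid install.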

Fiat Chrysler are now facing the security issues associated with the connected car

Articles

Jeep Grand Cherokee – make sure that the uConnect system runs the latest firmware

Jeep drivers: Install this security patch right now – or prepare to DIE | The Register

From the horse’s mouth

Fiat Chrysler

Blog Post

UConnect Website (Go here to update your vehicle)

Vehicle list

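| Make | Model | Model-years affected |
|---|---|---|
| Chrysler | 200 | 2015 |
| Dodge | Durango | 2014 |
| Dodge | Viper | 2013-2014 |
| Jeep | Cherokee | 2014 |
| Jeep | Grand Cherokee | 2014 |
| RAM | 1500 | 2013-2014 |
| RAM | 2500 | 2013-2014 |
| RAM | 3500 | 2013-2014 |
| RAM | 4500 / 5500 | 2013-2014 |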

The vehicles affected would be equipped with a uConnect-capable 8.4” touchscreen radio system.

My Comments

The connected car is now being highlighted as a device that has security issues. This was exemplified previously by BMW when they rolled out a patch for their connected infotainment system in the newest vehicles because of a security risk.

Now it is Fiat Chrysler’s turn, where their UConnect connected infotainment system, which has a stronger link with the car’s powertrain, needed a software update because of this same issue. It was brought about by a discovery that a pair of hackers made in relation to a 2014 Jeep Cherokee owned by one of these hackers, concerning undesirable remote control of this “family 4WD”. Owners of an affected 2013-2015 vehicle can apply the update by downloading the update file from the UConnect Website to a USB memory stick, then transferring that file to the vehicle. If you are not confident with this process, you can have the mechanics at the dealership where you bought the vehicle perform this upgrade while your vehicle is being serviced by them.

At the same time, the US Congress is legislating for security standards concerning connected vehicles, including software protection for the vehicles’ powertrain, steering or braking, in the form of the “Security and Privacy In Your Car Act” (SPY Car Act). This is in a similar vein to various design rules and standards that nations require vehicles to comply with for safety, like seatbelt or lighting requirements. US Senator Markey even called out that drivers shouldn’t have to choose between being connected or being protected.

Again, this is a class of devices which is easily driven by the marketing impetus to have them on the market. But there needs to be a culture to encourage a secure environment for connected vehicles as there is for desktop computing.

One way would be a continual update process for the firmware associated with the connected vehicle, including aftermarket setups that have any effect on the vehicle’s steering, brakes or powertrain. This would preferably be in the form of a blind-update process like what happens with most operating systems when you set them to automatically update and patch.

Personally, this could be facilitated by having the connected vehicle work with the home network whenever it is garaged at home. This would then allow it to download the updates overnight while it is not in use. As well, the motorist should have the chance to choose what updates are provided like with enterprise variants of operating systems.

Beware of fake posts and online scams relating to the Nepal earthquake

Previous coverage

Malaysia Airlines air disaster–another event bringing out the online scams

My Comments

Just lately, the Nepal earthquake has affected many people and caused many casualties.

But what follows on the tail of these disasters is an avalanche of spam email and flaky social-media posts that offer extra insight or paths to assistance for people who are touched by these events. As well, it is the time when scams pretending to be charity appeals intending to provide aid to the victims of this earthquake also appear on the Internet. It is something I have drawn attention to previously when there was the Malaysian Airlines MH370 air disaster which drew out these scams, and I am drawing attention to it again in relation to the latest earthquake. But they lead you to malware or harvest users’ personal or financial details. In these situations, it pays to think before you click on that link so you are safe with the Net.

Check for legitimate resources that offer information about your relatives’ or friends’ wellbeing and some of these could include Nepalese consulates in your area, the Red Cross or similar services and work with them “from the horse’s mouth”. That means to deal with official websites that are known to the public and are usually published by the media as part of their coverage on the issue.

Facebook does offer a legitimate Safety Check service which comes into play during civil emergencies. Here, it would identify if one was in an affected geographical area and allow that person to interact with it to let others know if they are safe, and this status would appear in their Facebook Friends’ news feeds. The concerned person would then be able to check the News Feed for their relative’s or friend’s status. But be careful of any “fake friends” that appear around the time of this disaster, and question any out-of-order post from a friend of yours who isn’t known to be in the area.

As for charity appeals, most of the media provide information about legitimate fundraising efforts that are taking place so you don’t get fleeced easily.

What to do is to be aware and careful with using the Internet to find details about who is affected by a major event and check with trusted resources.

Being careful about online marketplaces

Online marketplaces can be used to sell houses,

Increasingly, the Internet is becoming full of sites where you can advertise items for sale or swap. These range from online-auction sites like eBay through to “online-classifieds” sites like Craigslist, Gumtree or Le Bon Coin, to online car-sales or house-sales directories like Carsales.com.

…cars including classic cars ….

A problem that can easily happen with these sites is where someone can use various forms of fraud or trickery to scam you out of your money or have you misrepresent the goods being sold. This doesn’t matter whether you are the buyer or the seller of the goods concerned. A friend whom I go to church with passed on an email about a bad experience that someone he knew had when he sold a vehicle on Carsales.com.

Deal with the site directly

… or boats

As you manage your interactions with these online marketplaces, use the same cautions as would be expected for online banking and broking. Here, you need to be suspicious of phishing approaches and interact with the site using its known Web address. This is a good time to add the online marketplace to your browser’s Favourites or Bookmarks, or create an operating-system link (available on the Desktop) to the marketplace.

It is also a good habit to monitor the ad on the Website to make sure it hasn’t been modified by anyone but you if you are selling the goods in question. This is important in relation to the price of the item being sold.

eBay – one of the most common online marketplaces

As well, deal with your email service in a cautious manner. Here, if you use a Webmail service, log in to the Webmail service by starting a Web browser and logging in using its Web address or coming in to the service using an entry point that you preset for it.

Settle the transaction in a traceable manner

As you settle the transaction, make sure you use a payment system like PayPal where the payments can be traced and you can reverse the transaction if there are questions about the goods. This is more important if the goods aren’t being handed over in person.

Craig(s)List – the popular online-classifieds Website

As well, deal with the payment system “at the horse’s mouth” when following up the transaction by using the system’s Web site. This is important when you are dealing with high-value goods.

Beware of transaction values that are way over or under the odds

Transactions that are way “off the beam” should ring alarm bells. This is important whether you are a buyer or seller, because a person who is offering well over the odds for something you sell may be engaging in a fraudulent transaction. Similarly, goods advertised well below their expected value may have many questions about their provenance or condition.

Research the goods you buy

When you are buying goods through an online marketplace, make sure you know about the goods you intend to buy so you can make an informed decision. This may involve researching the Web generally about the item, dealing with online forums specific to the kind of item being sold or simply talking with one or more people who are knowledgeable about the goods.

In the case of vehicles, watercraft and aircraft, find out their fair market value through resources like the Red Book (Australia, New Zealand or Asia Pacific), Kelley Blue Book or NADAGuides in the US, or Parkers Guides in the UK. If you are dealing with a “classic”, it may be worth contacting a club associated with that marque or model, or browsing through a magazine dedicated to those cars like Hemmings to assess their real value.

As well, use resources like CarFacts (Australia) or Autocheck to verify if the car has been stolen or written off, or if there are debts outstanding on it. In some cases such as a car that was just privately imported, you may have to use similar resources based in a country other than your own as well as your own country.

Making contact with the other party

Try to make contact with the other party at least through the online marketplace’s enquiry system so you can exchange more details about the goods that are the subject of the transaction. It is also a better idea to make a telephone call with each other so you can be sure you are dealing with a real person. Sometimes making a Skype or Viber videocall can work wonders so you can see whom you are dealing with and you can have them show you the item in question.

For high-value items like vehicles or boats, make sure you can see the item in person. This is to verify the goods are genuine and you can assess its condition properly. This also includes being able to take the vehicle for a test-drive to put it through its paces. In the case of vehicles especially when one is buying their first car, I have always advised bringing one or more friends along when seeing the seller and the vehicle in order to obtain a better opinion about the vehicle.

Windows 10 to benefit from the FIDO authentication standards

Article

Microsoft to support Fido biometrics | NFC World

From the horse’s mouth

Microsoft

Windows For Your Business blog post

FIDO (Fast IDentity Online) Alliance

Press Release

My Comments

Microsoft is to enable Windows 10, which is the next version of Windows, to work with the FIDO (Fast Identity Online) Alliance standards for its authentication and authorisation needs.

But what is this about? FIDO is about providing a level playing field where authentication and authorisation technologies like biometrics, electronic keys and the like can work with applications and sites that support these technologies.

The goal with FIDO is to remove the need for drivers, client-side software and certificate-authority setups for 2-factor authentication or password-free authentication. As well, one hardware or software key can be used across compatible services and applications without user parameters being shared between them.

There are two standards that have been defined by FIDO Alliance. One is UAF which supports password-free login using biometrics like fingerprints; USB dongles; MiFare NFC cards; Bluetooth-linked smartphones and the like as the key to your account. The other is U2F which allows these kinds of keys to serve as a “second factor” for a two-factor authentication setup.

But what could this mean? With a UAF setup, I could set things up so I could log in to Facebook using my fingerprint if the computer is equipped with a fingerprint reader but not have to worry about using a password vault that plays nicely with that fingerprint reader. With a U2F setup, I could make sure that I have a tight two-factor login setup for my Website’s management account or my bank account but use a preferred method like a USB key or a smartcard reader that reads my EMV-compliant bank card.

The current implementation tends to ride on client-side software like browser plugins to provide the bridge between a FIDO-enabled site and a FIDO U2F-compliant key, and this can impair the user experience you have during the login. This is because you have to make sure that the client-side software is running properly and that you use a particular browser with it before you can interact with the secure site. There is also the risk that the software may be written poorly, thus being more demanding on processor and memory resources as well as providing an inconsistent user interface.

Microsoft will bake these authentication standards in to Windows 10 for the login experience and authentication with application-based and Web-based services. This will cut down on the client-side software weight needed to enhance your Internet security and allows those who develop the authentication methods to focus on innovating with them, just as Microsoft has done with other functionality that it has baked in to the various Windows versions. It will apply to Azure-based cloud-hosted Active Directory services and on-premises Active Directory services for business users; along with the Microsoft Account which is used for home and small business users with Windows 8 login and Outlook.com (Hotmail).

The question yet to be raised with FIDO UAF and U2F functionality is whether this will be provided for application-based “client-to-server” authentication for situations like word-processors being used to upload blog posts or native clients for online services like Dropbox and Evernote. Similarly, would this technology allow a device to serve as a temporary or conditional authentication factor, such as a smart lock that has just been used with your electronic key; or allow a card like a SIM card already installed in our smartphone or a MiFARE-compliant transit pass to serve as an electronic key for our Webmail?

Personally, I find that Windows implementing FIDO Alliance standards will allow us to make more use of various authentication technologies on our home or business computers.

BMW delivers a security update to its ConnectedDrive cars

Articles

BMW cars with ConnectedDrive will benefit from an over-the-air software security patch

Your BMW just downloaded a security patch | Engadget

BMW patches in-car software security flaw | IT News

BMW Group ConnectedDrive increases data security | BMW Blog (BMW enthusiasts’ online magazine)

From the horse’s mouth

BMW Group

Press Release

My Comments

BMW ConnectedDrive user interface – where you can manually draw down that update

An issue that is constantly being raised regarding the Internet Of Everything is data and network security, including making sure the devices work to end-users’ expectations for proper, safe and secure operation. One of the constant mantras associated with this goal is to have a continual software-update cycle for these devices with the ability for customers to place new software in these devices in the field like you can with a regular computer or a smartphone.

BMW had brought about the ConnectedDrive online vehicle management and infotainment system to their newer BMW, MINI and Rolls-Royce cars. But they discovered a flaw in the software and wrote a patch to rectify this problem. You would normally think that to have this patch delivered into the vehicle management system, you would need to bring the car in to the dealership and this would be done as part of its regular preventative-maintenance servicing.

Here, it would typically involve you having to book the car in with the dealership including determining whether you need to use the courtesy car or not, drive it there at the appointed day and time and pick up the courtesy car if you needed it, then make a point of heading back to the dealership before they close to collect your car when it is ready.

But BMW had worked on delivering the software patch to the car via the mobile broadband link that the ConnectedDrive system depends upon for its functionality. Here, you would be advised that the update is taking place and at an appropriate time, the software patch would be applied. If you had garaged the car, you can manually “draw down” the update to your car once you drive it out of your garage.

What I see of this is the proactive way that the BMW Group have been able to use what is taken for granted with most computer operating systems to roll out critical software patches to their vehicles, which is something to be considered of importance when it comes to data security. This has to work not just through the life-cycle of a vehicle but beyond especially in markets where vehicles are likely to benefit from long service lives.

Tech support scams now affecting the Macintosh platform

Article

Mac users: Beware of increased tech support scam pop-ups | MalwareBytes Unpacked blog

My Comments

The Apple Macintosh has been seen by its users as a safe regular-computer (desktop / laptop) platform mainly because it didn’t have as much of a foothold as the MS-DOS / Windows platform. Now this platform is starting to appeal to malware authors due to the fact that more people are heading towards it as a regular-computer option along with the fact that Microsoft has been continually hardening the Windows platform.

Windows users had suffered the bane of various unsolicited “tech-support” scams ranging from Website popups through to phone calls. Now the Mac platform is under attack because these scams implement JavaScript to take over the machine in a similar way to what happens with Windows. Also the same scam targets iOS devices due to their use of Safari with the same codebase and JavaScript implementation.

Of course, don’t follow through with the prompts to call these numbers or download the software because this involves activities like malware downloads or paying exorbitant fees to dodgy overseas-based businesses. But what do you do to close these nag screens?

On the Macintosh, you would have to kill the browser session by using the Force Quit routine. The best way IMHO to do this is to press Command+Option+Shift+ESC together if the browser has the foreground. You can also press Command+Option+ESC to bring up the Force Quit menu and use the mouse or trackpad to select the application to stop. The reason I suggest using the keyboard shortcuts is because some of the nuisance dialog boxes can effectively “take over” the pointing device.

iOS users can stop the browser by double-clicking the Home button and swiping the window representing the troublesome app to kill that app.

On both platforms, you clear out the browser cache and history to stop the fake tech-support Website cropping up. This is more important for the iOS platform because if you open up Safari, it will come up with the last-opened Website. For the OS X implementation, you click the “Clear History” option in the “History” menu, which also clears the cache. For the iOS implementation, you go to the Safari option in the Settings app and then tap the Clear History button to stop it from reopening.

A timely reminder to beware of suspicious emails in your inbox

Slow down when you check those emails so you are safe

Increasingly people are receiving emails that are becoming very dangerous to their personal or business security.

This happens during November and December, especially from when the American community celebrates Thanksgiving (last Thursday in November) to Epiphany / Twelfth Night (January 5), where there is a lot of Christmas-driven communications and most, if not all, of us are thinking about Christmas. This includes responding to the shopping offers that are being made available through this time. Here, these emails are being sent in a manner as to “get at” the user and take control of their computing equipment or data.

Over this past weekend, some friends of mine from church had approached me about email issues and I had found out that the husband fell victim to a phishing attack against his Outlook.com Webmail account with it ending up being used to send spam messages. Here, I visited these friends on Monday night for dinner and to help him change his account’s password and report it as being compromised. Then a close friend of his rang him about receiving the Australia Post phishing emails and I suggested to that friend to delete that email immediately.

One example is to supply malware as an attachment, typically obfuscated as a compressed “file of files” or a malformed document file, or to direct users to pick up the questionable software at a Web link. The idea is to get users to install this software of questionable provenance on their computer so that it becomes part of a large botnet that is intended to wreak havoc on other computer users, steal your personal or business information, or extort money from you.

Another example is a link that send users to a forged login or other customer-interaction page for a Webmail, banking, Social Web or similar online service to steal their personal details. This is typically to steal the user’s money or identity, create a bank account or similar financial account for laundering ill-gotten gains, or use an email mailbox and contact list to send further spam to computer users.

The email is suspicious if

It is out-of-character with the sender

This may reflect a situation that you know the sender is not in, such as them or their business being in dire financial straits. It may also simply be an email of a kind they don’t normally send.

Contains nothing but enticing “click-bait” text

You may find some enticing text written in the Subject line or in the body of the message that gets you to either open the attachment or click on that link.

Implores you to open it or click on the link under pain of losing service continuity or something similar

Looks very official and has copy that threatens you that you will lose access to your funds or continuity of a service you use, or something similar; and requires you to click on a link in that message to take action to remedy the situation. This may also be about the pending arrival of a parcel or some funds and you have to click on a link or open an attachment to print out a “claim form”.

What to do?

Do not click on the links in that email or open the attachment

Under no circumstances should you click on any links in the suspicious email or open any attachment that is part of that email.

Check the email out

In the case of a personal email, check the email address that purports to be in the name of your contact to see if it is one that you and your contact regularly use. Here, some people may operate a business email address alongside a personal email address and you need to confirm these addresses through conversation, business collateral that they supply, amongst other things.

In the case of a business email, check to see if the email looks as though it genuinely represents that organisation. If the email is requiring you to do something to assure “continuity of service”, access to funds, etc. contact that business directly using their customer-service number or email.

One obvious red flag would be if you receive a contact from a bank or other business you don’t do any business with. Another red flag is an email that isn’t addressed to you personally; rather, it uses a generic “all-call” salutation like “Dear Customer”. Yet another red flag is the quality of the document. Here, you look out for whether the email represents the company’s current “trade dress” such as current logos, colour schemes and the like. As well, you look for the quality of the document to see that it reflects what is expected for a business document coming from the company’s location of business, such as spelling, grammar, punctuation, etc.

Sometimes, what may appear in the “To” list may be contacts, including “virtual contacts” which represent a cluster of email addresses, whom you don’t have anything to do with. This is also a sign of a suspicious email.
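The checks described in this section can also be run mechanically over a saved message. The following Python script is an added example, not part of the original article: it flags an unconfirmed sender address, a generic salutation, pressure wording, unfamiliar addresses in the “To” list and links that lead away from the sender’s domain. The sample message, the contact list, your own address and the keyword patterns are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message for illustration; not a real email.
SAMPLE = """\
From: "Example Bank" <notice@mail-example.invalid>
To: a@one.invalid, b@two.invalid, you@home.invalid
Subject: Your account will be suspended

Dear Customer,

Your access will be suspended unless you verify your details now:
http://login.example-verify.invalid/session
"""

KNOWN_CONTACTS = {"service@examplebank.invalid"}  # assumed: confirmed out-of-band
MY_ADDRESS = "you@home.invalid"                    # assumed: the reader's own address
GENERIC = re.compile(r"^\s*dear (customer|user|client|member)\b", re.I | re.M)
PRESSURE = re.compile(r"\b(suspend|terminat|expire|lose access|unless you)", re.I)
URL_HOST = re.compile(r"https?://([^/\s:>\"']+)", re.I)

def body_text(msg):
    """Collect the text/plain parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")

def triage(raw, known=KNOWN_CONTACTS, me=MY_ADDRESS):
    """Return a dict of warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = body_text(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    flags = {}
    if sender not in known:                      # address you have not confirmed
        flags["unconfirmed_sender"] = sender
    hit = GENERIC.search(text)
    if hit:                                      # "Dear Customer" style greeting
        flags["generic_salutation"] = hit.group(0).strip()
    if PRESSURE.search(text) or PRESSURE.search(msg.get("Subject", "")):
        flags["pressure_language"] = True        # threat of losing service
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    others = [a.lower() for _, a in rcpts
              if a and a.lower() != me and a.lower() not in known]
    if others:                                   # strangers in the recipient list
        flags["unfamiliar_recipients"] = others
    hosts = {h.lower() for h in URL_HOST.findall(text)}
    off = sorted(h for h in hosts if h != domain and not h.endswith("." + domain))
    if off:                                      # link goes somewhere else
        flags["links_off_sender_domain"] = off
    return flags

if __name__ == "__main__":
    for name, detail in triage(SAMPLE).items():
        print(f"{name}: {detail}")
```

A flag is a prompt to verify the message through a separate channel, not proof of fraud; legitimate mail can trip these checks and a careful forgery can pass them.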

Check with the sender

If you receive an email from a contact of yours which appears to be out-of-character with them, contact them about that email. You must do this not by replying to that email but by either calling them on the phone, sending an SMS or instant-messaging message to them or sending a separate email to them.

If it is business-related, like correspondence from your bank or other organisation, log in to the business’s Website yourself using its commonly-published or commonly-known Web address. Here, you type the address in to your Web browser’s address bar or, if you do regular business with the site, go to the bookmark or favourite link you have created for it. As well, it may also be of value to contact the organisation on their published phone number to check the veracity of that email. Here, you may find this in the regular business correspondence that you have for them or use the common telephone directory or the organisation’s Web page to find that number.

Report the email then delete it

If you are using your Webmail provider’s Web-based user interface, you may have an option to report that email as spam, hacking, fraud or something similar. If you are using a client-based email setup, forward the email as an attachment to your ISP’s or email provider’s email address that has been set up for reporting email abuse or fraud.

Business users who work for a company that has an in-house or contracted IT team should let that IT team know about the suspicious email. This will also apply to those of us who study at a school or university which has its own IT team.

As well, if the email appeared to be in the name of the bank or other organisation, look on the organisation’s Website for a “report fraud” link or email and use that to report the fraudulent emails that you received. Here, they can engage local or national law enforcement to take further action especially if the behaviour is consistent.

Then delete the fraudulent email immediately.

Security tips

  • Keep the computer’s operating system and application software up-to-date with the latest patches
  • Make sure you are running a good anti-malware utility and that it is updated frequently and regularly. It may also be a good practice to run a full scan with this software
  • Make sure that you have strong and preferably unique passwords on your online services
  • Make sure that your home network hardware is on the latest firmware and has strong non-default passwords.
  • Consider using a password manager program or service. As well, it may be worth it to implement a two-factor authentication setup on your online services with your smartphone showing a key number as a “second factor”.
  • As well, you may find that if you have an account with a major online service like a Microsoft service or one of the popular social networks, you may have the opportunity to implement a single sign-on. This may be worth using especially with games, forums, comment functionality, online music or similar services so you don’t have to work out extra passwords.
  • Back up the data you created yourself using your computer to a NAS and/or USB hard disk and preferably make a separate copy of this backup in a separate location
  • Only visit Websites and online services that are known to be reputable