There are two basic ways to protect yourself from cyberthreats. The first one is difficult to achieve and takes many years of dedicated study and constant knowledge updation, i.e. becoming an IT security professional through studying, experience, and certifications. For most of us, this is not an option. Luckily, there is a second option.

The second way, which is my favorite, is simple and easy. It involves simple psychology and basic human behavior, which we all can easily apply in our daily lives. Although not as iron-clad as the first, it does the job 99.9% of the time (just like our soaps and disinfectants), which is great news for the majority of us who are not IT professionals or serious IT hobbyists.

Here are 5 simple cybersecurity rules that will protect you online:

1. Do Nothing

There aren’t many situations where doing nothing is helpful. However, in cybersecurity, it is a valid strategy most of the time for most users.

In the cybersecurity context, here’s what doing nothing looks like:

• When you receive a suspicious email - don’t open it,

• If there’s an unsolicited link in an email - don’t click on it,

• If there’s an unsolicited attachment in an email - don’t download it.

Why does doing nothing work?

In a business environment, security incidents and data breaches are rarely caused by genius hackers running thousands of lines of code. Most of the time, security breaches are caused by employees or contractors getting fooled by some crafty social engineering.

Cybercriminals craft their phishing emails, smishing messages, etc. using social engineering to incite fear and anxiety that make their targets act in haste. They try to trick you into believing that there will be severe consequences if you do not act immediately. Examples of so-called consequences include, “your account will be deactivated”, “your credit card will be charged for x dollars”, “your data will be deleted”, etc.

If you click on the link in their email or SMS, they win. If you reply to their email, they still win because that confirms your email address as a legitimate target and can be sold to other cybercriminals. The simplest way to stop their attack in its tracks is to “do nothing”.

Why is it difficult?

When I said earlier that it is simple and easy, I wasn’t completely honest. Doing nothing can often be difficult, especially when you are busy at work. When you come across a potential threat, the natural human tendency is to panic and do something quickly to resolve the situation.

Imagine that you just started at a new workplace and are trying not to mess up. You are racing against time to complete your first project and suddenly your phone notifies you of an SMS. It’s from your bank and reads “Dear customer, $2,750.00 has been debited from your Bank Of America account. If you did not make this transaction, please call xxx number to cancel the transaction.”

Your immediate instinct is to call the toll-free number in the SMS. That, of course, connects to a fake call center staffed by malicious actors who are waiting to take your bank account details to process some real charges.

Most online scams rely on people panicking and acting in haste. So if you do nothing or at the very least, take your time to think and evaluate the situation, you will be safe.

2. Don't Click Unsolicited Links

We mentioned unsolicited links in the previous section, now let’s take a more thorough look at them. The URLs or links in phishing and smishing messages play a key role and an understanding of how they work can help protect you from a larger number of online scams and attacks.

Most cyberattacks and online scams are designed to steal your account credentials, financial information, or personally identifiable information. Typically, they achieve this by deceiving the user into believing that they are who they claim to be and convincing them to divulge sensitive information.

Here’s how the most common type of scams work. The attackers pretend to be contacting you on behalf of your bank, credit card company, tax authorities, police, IT support, etc. Their email or message will contain a URL, which is supposed to take you to the website of the bank or other organization they claim to represent.

In reality, these URLs take you to a spoofed web page that closely resembles the original website, and whatever information you enter in such web pages is stolen by the attacks. In more serious cases, clicking such URLs can also download malicious software onto your computer.

How do URLs work?

URL is short for Uniform Resource Locator. It is also known as a web address or link. From the user’s perspective, a URL has two parts, one visible and one hidden - “the anchor text” is the part that you see, and “the target” is the part that is hidden.

For example, here’s a link: Jones IT


If we look at the code of the above link, we see  <a href="https://www.itjones.com/">Jones IT</a>

In this example, “Jones IT” is the anchor text and “https://www.itjones.com” is the target URL.

Here’s the part that causes the problem, the anchor text doesn’t have to match the target URL and can be anything you want. 

Here’s an illustration of such a misleading link: www.ebay.com

 If you click the above link, it takes you to amazon.com instead of ebay.com. Here’s how the link is encoded:

<a href="https://www.amazon.com/">www.ebay.com</a>


This little trick is what most phishing and smishing scams rely on. They make it look like you are being taken to a legitimate website but instead, you’re taken to a malicious website.


How do you know if a link is malicious?

Since URLs play such an important role in the attacks, cybercriminals go to lengths to make it look legitimate. If they can’t do that, they will obfuscate or shorten the URL, making it difficult to identify it.

You can easily reveal the underlying target URL in a link by simply hovering your mouse pointer over the link (but make sure not to click on the link). When you are hovering your mouse pointer over a link, the mouse pointer changes to a pointing finger. When this happens, the target URL is displayed in the bottom left of your browser screen.

Once you see the underlying URL, you can check for the following red flags that help you identify if the link is malicious:

• The underlying target URL is completely different from the anchor text.

• The URL is obfuscated, shortened, or misspelled.

• You don’t recognize the URL of the website.

• The URL has an “http:” prefix instead of “https:”.

• The URL has a misspelled domain or subdomain.

• The URL contains a foreign domain such as .cn, .ru, etc. instead of .com or .org.

• There are numbers instead of letters (e.g. 192.167.1.1) in the URL.

• The URL contains an unexpected subdomain or extension (e.g. http://gmail.signin.services.ru).

If you are ever in doubt about the validity of a link, remember the first rule, i.e. do nothing. If you don’t click the malicious link, the attacks won’t work.

3. Don't Open Unsolicited Attachments

What applies to links in emails also applies to attachments. If an attachment is unsolicited, unknown, or unusual, don’t open it. While the threat of malicious attachments has significantly reduced thanks to improvements in spam filtering and virus detection capabilities, we still need to be vigilant because malicious attachments can be extremely harmful not only to the user but to the entire network and the organization at large.

As a general rule, if you don’t recognize the sender or weren’t expecting to receive an email attachment, don’t open it. Even if you receive an unexpected attachment from a known email, you should tread with caution because it is possible that their email account may have been compromised and is being used to spread malware.

If you receive a suspicious attachment from a colleague, reach out to them via a different channel like your organization’s messaging application. If it’s from outside the organization and it feels absolutely necessary to confirm its legitimacy, pick up the phone and give the sender a call on a known or publicly available number. But never call back on a number provided in the email.

4. Don't Mess With Your Device

In the realm of horror stories, vampires follow a peculiar rule. They can’t simply walk into a house, they have to be invited in. Interestingly, when it comes to keeping your computer secure from cyber horrors, this rule holds true.

Many times, the users themselves invite trouble by downloading pirated software or movies from sketchy sites, which could easily be spreading malware. Sometimes, even legitimate programs downloaded from third-party sites are bundled with adware or spyware.


So don’t mess up the security of your device by installing random software or applications.

5. Use A Password Manager And 2FA

We at Jones IT have been vociferous advocates of password managers for a long time. Password managers are excellent at generating random passwords, remembering them, and securely storing unique credentials- things that most of us are terrible at. They make managing all our accounts simple, keeping us safe while we navigate the Internet.

When the burden of coming up with and remembering complex passwords is off our minds, we are less likely to reuse passwords. This prevents attackers from using a single compromised password to gain access to multiple accounts.

Additionally, password managers also come with an auto-fill feature, which fills your credentials automatically when you visit a saved page. This feature doesn’t just save you time but also keeps you secure because it will never fill in your credentials on spoofed web pages. So, even if you land on a malicious website, your account credentials will be safe.

To take your security to the next level, you should add 2FA (Two Factor Authentication) to the mix. 2FA adds an extra layer of security by requiring a code in addition to the username-password combinations. The code, which functions as the second method or factor of authentication is typically generated by an app on your phone or sent as an SMS. This makes it much more difficult for a hacker to gain access to your account, even if your password is compromised.

Conclusion

While security solutions such as antivirus, antimalware, etc. play an important role, the greatest responsibility for the protection of our accounts and devices remains with us. Attention to some basic human behavior and situational awareness go a long way in protecting not only us but also our organizations from cyberattacks.

Before we conclude this blog post, there’s one last thing. While doing nothing is great for your personal cybersecurity, you can do one simple thing to help your colleagues and the rest of the organization. Whenever you come across a suspicious email, SMS, or phone call, simply inform your IT team. This way they can investigate, alert others, and patch up any vulnerabilities that may have been overlooked.

Is your organization doing enough to build awareness and foster security-conscious behavior? If you could use some help building a security-conscious culture at your organization, reach out to us by clicking the button below.

If you liked the blog, please share it with your friends