Don't get hooked by online phishing expeditions

Use 'positive paranoia' to protect online info-here's how.

Big organizations and their big bucks are juicy targets for phishers-internet scammers-but everyone else needs to be vigilant, too, warns a University of Alberta expert.

"No organization, no individual is immune to these attacks as long as you use the Internet," said Gordie Mah, Chief Information Security Officer for the U of A. "We are all fair game."

In 2016, online scams generated more than 20,000 complaints by Canadians and more than $40 million in financial losses, according to Statistics Canada. As well, Public Safety Canada reports that 37 per cent of Canadians report having been a victim of a virus, spyware, or malware attack on the devices they use to access the Internet for personal use.

Mah advises people to use what he calls "positive paranoia" to avoid getting hooked, especially when scammers use social engineering to hack personal information.

"It's important be be vigilant and cautious online," he said. "Know that scammers and phishers are counting on you to be so keen to do your job, for instance, that you might overlook subtle clues that you are being scammed.

"Phishers send unsolicited emails that prey on your trust, your willingness to be helpful, your curiosity, your generosity, your desire for love, even your vanity. Even though the breach is through technology, the vulnerability comes down to human nature," Mah said. "There is no technical fix for that."

Phishers can target any type of account and medium, from Facebook and email accounts to text messages, Mah said. They'll try to snare passwords, online banking information, social insurance numbers, credit card information, dates of birth-any one of which, once in the hands of a criminal, can serve as a building block to full-blown identity theft, Mah said.

Here's how to avoid getting hooked by phishing expeditions:

  1. Use a keen eye to spot tiny errors the scammer hopes will go unnoticed, like a missing letter or an added numeral in a website address. "Scammers will slightly alter an existing legitimate domain or URL that looks familiar and authentic to you, but be on guard to spot the subtle discrepancies in their impersonation," Mah said.
  2. Know that banks, federal agencies like the Canada Revenue Agency and any other legitimate organizations will never ask for your password or other sensitive information via e-mail.
  3. "If you are suspicious of an e-mail, listen to your instincts." Don't provide any requested information or open any attachments from an e-mail you didn't expect or from a sender you don't know. Be very careful about clicking on any embedded links. Verify that the link is legitimate by hovering the cursor over the link to reveal the URL. Depending on your browser and email platform, you may need to right-click on the embedded link to view the actual URL.
  4. Use good computer hygiene. Smart practices include using clean memory sticks to plug into your drive and keeping current with your security patches and updates sent by your device and operating system providers. "You wouldn't use a mouldy toothbrush and the same goes for your computer."
  5. Don't reuse your password for multiple accounts. "If scammers compromise one account, you risk compromise to all of your accounts, as they will check to see if the password works elsewhere too."
  6. Create 'throwaway' email accounts to log on for lower-value transactions like dating or gaming sites. Create a non-descript email address that doesn't give away your age, name or address.
  7. Think twice about posting your real name, age, date of birth or place of employment to social media accounts. "It is a tradeoff you have to consider. Ask yourself why you want it out there, is it really necessary?"
  8. Back up your data offline from the devices you use everyday as an extra safeguard against phishing. "This allows you to restore your data if your device has been attacked and encrypted by ransomware." If it does happen, turn off your computing device immediately and disconnect it from the network and Internet to avoid spreading the virus.

Find out more about how to protect against phishing attacks and identity theft, visit the UAlberta's Office of the Chief Information Security Officer website or the Government of Canada's Cyber Safe website.