The scammers have returned (did they ever really go away?). Here are some ways you can fight back and protect yourself online. Also, make sure to read part one of this two-part series.
Let’s talk about best practices
Staying safe online and protecting your identity is vital in the digital world. You can achieve this by following best practices.
Best practices are not rules, necessarily, but a set of principles that, when applied, can do wonders to increase your personal security posture – which is a phrase the information security world uses to describe your relative degree of safety online. These principles should inform a set of practices you can apply to your daily cyber life.
Basic Cyber Hygiene – Passwords, Passphrases, and Password Managers
You can improve your personal security posture with some basic digital hygiene. Like cleaning the house, our digital lives can get messy, and sometimes we must clean up and organize. For example, we often set up online accounts without using strong, unique, complex passwords. In addition, we often do not store the associated URL, username, and password in a safe storage system like a password manager.
Creating strong, unique, complex passwords becomes much easier when you think of them as passphrases instead of the 8-character creations of the early 2000s, when everything was a variation of p@$$W3RD.
At Texas State University, the minimum required password length is 15 characters. That can seem like a lot until you realize that it is the length of three common words, and, with some punctuation and capitalization added, you have created a complex passphrase (for example, “these few words” – with spacing – is 15 characters long). Obviously, you want to use something a little more unique and complex than that example, but that’s the general idea.
Use a password manager – LastPass is free to you
Of course, you could relieve yourself of that burden forever by using a password manager. Password managers come in many different varieties, but you likely want to employ a third-party password manager rather than using your browser storage for a few reasons:
- You might need your passwords or credentials in another browser.
- You might need your passwords or credentials on your mobile device.
- Browsers store your passwords in plain text rather than encrypted output.
- Browsers are notoriously insecure and are frequent targets of bad actors.
Multi-factor authentication (MFA) is an essential tool – But beware of social engineering
We use Duo MFA as our multi-factor authentication tool. It is an essential security addition to a strong password in today’s online world, but it is not a perfect fail-safe against social engineering. Ideally, you are using the Duo push app and receiving push notifications on your phone, so that you and nobody else can log in to your account. But just as you would not hand your car keys to a thief, you never want to give out your password or MFA information to ANYONE. No legitimate entity at Texas State will ever ask you for these things. We will never contact you to “verify your identity,” we will never say that you need to check the storage limits on your account, and we will never ask for your credentials in any way, shape, or form. Anyone who does ask you for these things is not to be trusted.
Some appeals that scammers use are:
- Appeals to authority – “We are trying to verify your identity.”
- Appeals to urgency – “Your inbox is almost full.”
- Appeals to personal gain – “Get your refund now!”
Beware of emails coming unexpectedly that ask you to act without thinking. It is much better to wait and evaluate what you see before acting. And remember the tips for spotting phishing listed at the top of this article.
Making Frenemies with your Junk folder
The junk folder is not your friend. It’s not your enemy, but it’s not your friend…more like a frenemy. It holds all the emails that automated security protocols have filtered out of your inbox, but it still has them. It might even feel like it’s just waiting for you to go in there and DO something. The junk folder is tricky; on the one hand, it keeps your inbox clean, but it never says what it wants you to do about it, which can be frustrating if you don’t know that you can delete those messages. On the other hand, it’s not as crazy as it sounds to delete the contents of an entire folder. It can be very cathartic.
Here’s the low-down
Cyberspace has always been a bit of a wild west. Still, it has become far more dangerous as we have grown more interconnected, which means we have a greater personal responsibility to educate ourselves about the threats we face.
If you take nothing else away from this article, remember that no Texas State entity will ever ask you for your password or your Duo MFA information, nor will we ever ask you to verify your identity. And, to review:
- Use LastPass to manage and create strong, unique passwords for every account.
- Use Duo MFA to protect your account and never give away any login information.
- Beware of social engineering practices designed to get you to share personal information.
- Scammers won’t stop, so be cautious when being asked to take action.
Finally, tell your friends that we give “Verify Your Identity 15” a rating of 0% on Rotten Tomatoes and that if they ever have questions, they can contact the IT Assistance Center.
Joel Ausanka is an IT projects coordinator for the Information Security Office.