Stay Safe Online
Online safety includes having the freedom to use the internet, social media and mobile devices without experiencing harassment, privacy concerns or criminal activity such as fraud. Staying safe online can be challenging and there are risks involved. It is important to ensure the IT equipment that you use has appropriate security, as well as being aware of the threats and how to minimise or avoid them.
On this page you will find useful material to help you stay safe online and minimise the risk of fraud or other negative consequences.
What is Phishing?
Phishing is the most common social engineering technique, where a fraudster sends an email or text to the user seeking information that might help them commit fraudulent activity (identity theft, bank fraud). It often involves the use of a “bait” to entice the user to act and respond, such as clicking a link to a malicious website, or convincing them to divulge confidential information (e.g. banking details or passwords).
How to spot the signs of Phishing?
Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract attention. Often the lure is the promise of substantial financial benefits.
Action: Be suspicious and seek to validate the legitimacy of the claim.
Sense of Urgency - Users are often pushed to act fast so they don’t lose out on an exclusive, limited-time offer. The aim is to get the target to act immediately, so there is less time available to question whether it is a valid request.
Action: Take time to consider the request.
Hyperlinks - Fraudsters disguise malicious web links behind what appears to be a genuine link, which is the one actually opened if it is clicked. The real destination can be completely different from the one shown to the user, or it can imitate a popular website with a subtle misspelling, to trick the user into believing it’s genuine and clicking it.
Action: Hover over the link to reveal its real destination; look for unknown, unexpected or misspelled links.
Attachments - These often disguise malicious payloads (malware or viruses) or malicious links.
Action: Question whether the attachment seems genuine and is expected; if it doesn’t make sense, don’t open it!
Unusual or Unexpected Sender - The message is from someone you don't know, or from someone you do know but it seems out of the ordinary.
Action: Don’t click links or open attachments. Seek to verify the legitimacy of the request before taking action.
Junk Email - If the email arrives in your junk folder, be highly suspicious of it. This is often a strong indication that there is something wrong with the email.
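The hyperlink check described above (the visible text not matching the real destination, and domains that imitate a genuine one with a misspelling) can be automated for an HTML email. The script below is an added example for this page, not the University's own tooling; the trusted domain list and the sample email body are constructed for illustration, and the “registrable domain” helper is a rough last-two-labels approximation rather than a full public-suffix lookup.

```python
"""Inspect the hyperlinks in an HTML email for the two tricks described above:
visible text that differs from the real destination, and look-alike domains."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the reader treats as genuine (example values).
TRUSTED_DOMAINS = {"example.org", "office.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Rough registrable domain: the last two labels (portal.office.com -> office.com)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_links(html):
    """Return [(href, visible text, [reasons])] for every link that looks suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = registrable(host_of(href))
        reasons = []
        # The visible text only counts as a "shown" address if it looks like one.
        shown = registrable(host_of(text)) if ("." in text and " " not in text) else ""
        if shown and shown != real:
            reasons.append(f"text shows {shown} but the link goes to {real}")
        if real and real not in TRUSTED_DOMAINS:
            for trusted in sorted(TRUSTED_DOMAINS):
                if 0 < edit_distance(real, trusted) <= 2:
                    reasons.append(f"{real} is a look-alike of {trusted}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. <a href="https://portal.office.com/">Click here</a> to review.</p>
<p>Or confirm your details at <a href="http://exarnple.org/login">www.example.org</a>.</p>
<p>Sign in at <a href="https://portal.0ffice.com/">portal.office.com</a> today.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in inspect_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the sample body, the first link is left alone (generic “Click here” text pointing at a trusted domain), while the second and third are each flagged twice: once because the displayed address differs from the real one, and once because the real domain is within two edits of a trusted domain. The same two checks are what a reader performs by hand when hovering over a link.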
How to report Phishing?
As these types of emails can be disruptive and sometimes unpleasant, we have set up countermeasures to help you report these attempts. Depending on how you view your email, you can report these using the 'Report Message' button from the Microsoft Outlook desktop client (top right corner of the email window). If you are using the web email version, click the “More actions” button in the top right corner of the email window; you can find the “Report Message” option second last on the list.
Alternatively, you can forward the email to firstname.lastname@example.org. If you have any questions, please contact the IT Service Desk.
What is Social Engineering?
Social engineering involves the use of deception, often to obtain confidential or personal information for fraudulent purposes. Targeted attempts are usually trying to trick individuals into giving away passwords or financial information, or to get remote access to their computer to harvest information without their consent. Alongside Phishing, the most common social engineering attacks are:
- Spoofing – A technique used to disguise communication from an unknown source as coming from a genuine source. It is often used in email and call (caller ID spoofing) scams where fraudsters disguise their identity using the name of a genuine person, usually a senior member of a known organisation; this is used to create legitimacy and trust with the user to encourage them to take action.
- Sextortion – a social engineering technique used to scam potential victims. It involves fraudsters using the threat of releasing embarrassing imagery or videos of the user, often claimed to have been obtained from the user’s webcam. This type of attack is generally initiated via email: the fraudster uses a password obtained from a previous data breach to catch the user's attention and convince them the threat is real (the password used is often a very old one, quoted by the fraudsters to create legitimacy and entice the user to act). They then claim malware was installed on the user's computer and threaten to use it to send the explicit images and/or videos to all the user's contacts unless a ransom is paid.
- Pretexting - involves a fraudster using a lie (or pretext) to establish trust with a user in order to obtain sensitive personal information from them, such as date of birth, financial information, or other information that can be used to follow their malicious agenda (sensitive commercial information, etc.).
- Quid pro quo - this technique, whose literal meaning is “something for something”, involves an exchange which the user is led to believe is fair. It’s often used in phishing attempts where, for example, the user is enticed to open a link to confirm their details with the promise of a financial reward; ultimately, they end up with no reward and their details stolen.
- Vishing – or “voice phishing”, relates to a fraudster using voice mail, landline, or cellular phone calling to trick a user into handing over valuable information. Caller ID spoofing is often used in these types of attempts.
- Smishing – short for “SMS Phishing”, is a form of social engineering where fraudsters use text messages to trick users into disclosing valuable information. These often include malicious links or ask users to reply to the message with the requested (valuable) information.
What is Email?
Email is the most commonly used form of online communication today. Whether at work, or when requesting support for a recent purchase, chances are most of these activities are done via email. While it is mostly used for legitimate communication purposes, fraudsters use email to deliver malware or steal information, through scam or spam emails or by impersonating individuals in positions of power.
How safe is email?
Because email can be intercepted as it travels from the sender to the recipient, it shouldn't be treated as a safe medium of communication. It is therefore important to consider the following when communicating via email:
Avoid emailing confidential information (e.g. card details, passwords, etc.) in clear text. Encrypt it before sending (e.g. using 7-Zip) and ensure the recipient can process the encrypted information.
Use alternative sharing options for confidential information, as much as possible (e.g. Microsoft OneDrive, included with your university email).
Always check the email address of the individual(s) you are contacting to avoid sending information to the wrong recipient(s).
Log in to your email using a trusted email client (e.g. Microsoft Outlook) or equivalent web interface (e.g. https://portal.office.com).
If using forwarding rules, ensure the same level of security is applied to the email address the information will be forwarded to.
Avoid opening any attachments or clicking any links from unsolicited emails. Also avoid responding to them.
What is Malware?
Short for “Malicious Software”, malware is a catch-all term for any software designed to cause harm, such as viruses or ransomware. These are built for various purposes: from damaging programs or deleting files (viruses), to encrypting all hard drive contents and demanding a ransom before these can be accessed again (ransomware). Other common types of malware include spyware, adware, worms, Trojan horses, bots, bugs or rootkits.
How does it work?
Some malware, such as spyware, is used to track your online activity (e.g. browsing history); other tracking activities include keylogging, used to detect and intercept the characters you type on your device’s keyboard with the aim of stealing your information, such as login credentials (usernames and passwords) or financial information (debit or credit card numbers, CVV codes, etc.). Other malware, for example scareware, poses as a genuine software download or asks you to install an urgent-sounding update to keep your computer up to date or to protect it against a known threat (e.g. a virus).
To protect against malware:
Ensure your computer has a firewall enabled and reputable anti-virus software installed.
Keep your software up to date. This helps protect your device against known bugs and vulnerabilities.
Back up your information regularly. This will help you recover your information quickly, in case of your device being compromised by malware.
Be careful when downloading software. Make sure it comes from a reputable source. Be suspicious when receiving emails with attachments, or when a website unexpectedly offers you a file to download (such as an update to a known program).
Apply the same level of caution online as you do offline. Online actions can have offline consequences, and vice versa.
On mobile devices, be suspicious of applications asking for too many permissions other than what they are intended for (should a keyboard application have permissions to access your location?).
Ensure your devices are encrypted.
How to spot Malware?
You’re being offered or told to download something from a website that you haven’t visited before and doesn’t look legitimate, or from a stranger who’s sent you an email.
Your internet connection or the computer’s general performance suddenly becomes very slow, you can’t access files or programs, or you’re unable to log in at all.
There are signs other people have accessed password-protected accounts, or your bank statement shows purchases or withdrawals you can’t remember making.
What is a Password?
Making sure your personal information remains protected at all times while browsing or communicating online can be challenging in today’s connected world. Passwords help protect the security of your accounts, including those accounts which allow you access to the University’s IT facilities. They ensure that only you, the authorised user, can access them. However, they are limited in preventing fraudsters from gaining unauthorised access as they can find them in various ways, such as:
Tricking users using social engineering (e.g. phishing emails).
Previous data breaches. Fraudsters use leaked passwords on multiple platforms where users might have used the same password.
Watching someone type in their password (also known as “shoulder surfing”).
Guessing. Fraudsters use known information (name, date of birth, information found on social media platforms, etc.) and combine it to form passwords.
Keyloggers. Computer programs designed to intercept passwords when they are typed by the user.
Finding passwords on documents stored on the device (if found unlocked), or sticky notes left in plain sight attached close to the device.
Brute-force attacks. Automated attacks that try large numbers of passwords until the correct one is found.
It is important to understand the risks associated with using a weak password. The weaker the password, the easier it is for fraudsters to gain unauthorised access to your accounts. It is therefore important to understand what to avoid and what to consider when creating a password.
What to avoid when creating a password?
Words which can be found in a dictionary (English or foreign), or such words written backwards.
Names of family members, pets, friends, co-workers, favourite movie characters, birthdays and other personal information such as addresses and phone numbers.
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
Any of the above, either preceded or followed by a digit or an easy-to-guess sequence of digits (e.g. secret1, secret123, 1secret).
What to consider when creating a password?
Use a minimum of 8 characters for each, with a combination of upper case, lower case, numeric, and special characters. To help with this, use a password randomiser; there are a number available online. A password example would look like this: B3b7?y7jXQ!
Use three random words that are not related to each other, in combination with a few special characters. This makes the password easier to remember, and more difficult for fraudsters to guess. An example would look like this: performance.landscape.mile!
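The two lists above (what to avoid, what to consider) can be turned into a simple local checker, which is useful for seeing exactly why a password such as secret123 or qwerty is weak while the page's own examples pass. The code below is an added example for this page, not the University's password policy engine; the word list and the “personal information” set are constructed stand-ins for a real dictionary and for details a fraudster could find on social media, and the checker only implements the rules this page states.

```python
"""Check a candidate password against the 'what to avoid' guidance above and
build a three-word passphrase in the style of the 'what to consider' advice."""
import re
import secrets

# Constructed stand-ins: a real checker would use a full dictionary and the
# user's own details (names, dates, addresses) gathered at enrolment.
DICTIONARY = {"secret", "password", "welcome", "summer",
              "performance", "landscape", "mile", "dragon"}
PERSONAL_INFO = {"alex", "rover", "1990", "london"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8   # the minimum stated above


def _has_pattern(pw, run=3):
    """Detect repeated characters (aaabbb), keyboard rows (qwerty) and counting
    sequences in either direction (123321, zyxwvuts) using windows of `run` chars."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw):
    """Return the list of 'what to avoid' rules the password hits (empty = none)."""
    reasons = []
    low = pw.lower()
    # Dictionary words, also written backwards, optionally padded with digits
    # (secret1, secret123, 1secret).
    core = re.sub(r"^\d+|\d+$", "", low)
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        reasons.append("dictionary word (possibly reversed or padded with digits)")
    # Names, dates and other personal information.
    for item in PERSONAL_INFO:
        if item in low:
            reasons.append(f"contains personal information: {item}")
    # Word or number patterns.
    if _has_pattern(pw):
        reasons.append("keyboard or counting pattern")
    # Minimum length.
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def make_passphrase(words=DICTIONARY, count=3, separator="."):
    """Three unrelated random words joined by a separator plus one special
    character, following the performance.landscape.mile! pattern above.
    secrets.SystemRandom draws from the OS randomness source."""
    rng = secrets.SystemRandom()
    chosen = rng.sample(sorted(words), count)
    return separator.join(chosen) + rng.choice("!?$%&*")


if __name__ == "__main__":
    for candidate in ("secret123", "qwerty", "Rover1990!",
                      "B3b7?y7jXQ!", "performance.landscape.mile!"):
        print(f"{candidate:30} {check_password(candidate) or 'OK'}")
    print("suggested passphrase:", make_passphrase())
```

Both examples given in the guidance above pass every rule, while secret123 is caught twice (a dictionary word padded with digits, and the 123 counting pattern) and Rover1990! is caught on personal information alone despite meeting the length and character-class advice, which is the point the guidance makes: a password built from details about you is weak however it is dressed up.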
Other tips to consider:
Be suspicious of unexpected emails (see “Phishing” under the “Social Engineering” section for further guidance).
Lock your computer or smartphone every time you step away from it.
Don’t share your passwords with anyone.
Avoid using the same password with multiple accounts (on the same or across websites). This minimises the risk of unauthorised access should one of your passwords be compromised.
Use a password manager if it becomes difficult to manage your passwords.
Enable Multi-Factor Authentication where available. This adds an additional layer of protection to your account. Begin by enabling this on your email and accounts that store personal and financial information.
CIS Phishing Campaign | Terms and Conditions (last modified: 17 December 2019)