More stories

  • in

    Why delaying software updates is a terrible idea

    style-photography/Getty Images When I grew up, we didn’t have smart devices. TVs, bulbs, and even telephones were simple analog devices. If you’d told my grandmother that she had to update her TV or lightbulb, she’d have thought you were asking to buy a new, replacement device — not download a software update. But today, almost […] More

  • in

    Help! I clicked on a phishing link – now what?

    ZDNETWhen you think of phishing emails, you probably think of the crude, grammatically flawed, easy-to-spot samples that go straight to your junk folder.I regret to inform you that those weak “spray and pray” campaigns are yesterday’s news. The crooks haven’t gotten smarter, but their tools have. Also: These phishing attacks are targeting Mac browsers – how to protect yourselfWith the help of generative AI, online scammers have become dramatically better at crafting and delivering phishing emails that look and sound convincing. Last year, a group of high-powered security researchers found that AI-based phishing tools have reduced the cost of these attacks by more than 95% — while making them brutally effective. One study showed that 60% of respondents fell victim to these automated attacks. Those tools can help a crook create hyper-targeted, meticulously personalized attacks that can be surprisingly difficult to spot, especially if you’re tired or distracted. Also: The top 10 brands exploited in phishing attacks – and how to protect yourselfEven certified security experts can be sucker-punched. Just ask Troy Hunt, creator of the “Have I Been Pwned” site. He was fooled by a sophisticated attacker who stole his Mailchimp mailing list. Listen to his explanation of what happened. Firstly, I’ve received a gazillion similar phishes before that I’ve identified early, so what was different about this one? Tiredness was a major factor. I wasn’t alert enough, and I didn’t properly think through what I was doing. The attacker had no way of knowing that (I don’t have any reason to suspect this was targeted specifically at me), but we all have moments of weakness, and if the phish times just perfectly with that, well, here we are. Secondly, reading it again now, that’s a very well-crafted phish. It socially engineered me into believing I wouldn’t be able to send out my newsletter, so it triggered “fear,” but it wasn’t all bells and whistles about something terrible happening if I didn’t take immediate action. It created just the right amount of urgency without being over the top. What to do if you click a phishing link So, what should you do if you click on one of those links and then discover, to your dismay, that it’s a fake site designed to capture your information? Maybe you realized that almost immediately because something seemed not quite right. Or maybe you’ve already entered some sensitive information. In either case, here’s what to do next. 1. Stop typing! If you haven’t yet entered any information, close the browser tab or mobile app immediately and consider clearing your cache to eliminate the possibility that the site was able to implant some tracking information. 2. When in doubt, disconnect If you’re concerned that the site might be more than a garden-variety phishing attempt and that it might be trying to install a remote access tool or another form of malware, disconnect from the network. You can turn on airplane mode on a mobile device or laptop; if you have a wired connection, unplug the Ethernet adapter. Or just press the power button to shut down while you figure out your next steps. 3. If this is a work device, call your IT department Let them know what happened so they can check any necessary logs and begin looking for suspicious activity. Be honest. The more information you provide, the more likely they will be able to detect any intrusion and mitigate any damage. 4. Reset your password(s) and turn on 2FA If you gave the attackers your username and password for an account, you need to change that password as soon as possible, before they have a chance to lock you out. If you entered an email address, phone number, or other personal information that an attacker could use to pose as you, consider securing any accounts that are tied to that information. Create new, strong, unique passwords for those accounts. If you haven’t enabled multi-factor authentication (also known as 2-factor authentication or 2FA), do that now, especially for critical accounts. Also: Got a suspicious E-ZPass text? Don’t click the link (and what to do if you already did)If possible, do this cleanup work on a different PC, Mac, or mobile device than the one where you were phished, to avoid the possibility that the device has been compromised. 5. Scan for malware If this is a Windows device, run a full antivirus scan on the affected device to determine whether any malicious software was installed. If possible, use an offline scanner like the Emsisoft Emergency Kit More

  • in

    Why no small business is too small for hackers – and 8 security best practices for SMBs

    PM Images/Getty Images I have given hundreds of cybersecurity-related webcasts and presentations, written hundreds of cybersecurity-related articles, and been involved in hundreds of one-on-one cybersecurity-related meetings with clients. Someone will always respond, comment, or protest that their business is too small for a hacker’s attention. Small target illusion But none of these folks understand the […] More

  • in

    I clicked on four sneaky online scams on purpose – to show you how they work

    Ed Bott / Elyse Betters Picaro / ZDNETI’m not a sucker, but I played one on the internet last month — purely in the interest of science, of course. My text messages and email spam folder are filled with the usual assortment of shady stuff from online crooks. As a public service, I decided to play along with the bad guys to see what happens.Also: The best VPN services (and how to choose the right one for you)Before we get started, let me stress one thing: Don’t try this yourself. I did my experimentation in virtual machines and sandboxed environments where I knew my personal data wasn’t exposed. You might be tempted to click a link, just to see what happens. That’s a very bad idea, because what happens can sometimes be catastrophic. So, a little bit louder now: Don’t try this at home.The scams and online attempted attacks I encountered were all depressingly common. You’ve probably run across similar examples on your own devices. None of these crooks are criminal masterminds; for the most part, they’re petty thieves trying to get you to do something that will give them access to your identity or money. Here’s what I found. 1. The fake security upgrade We’ve all been trained to pay attention to security alerts, so when I received an email telling me that “suspicious activity” had been detected on my Wells Fargo Securities account, I was alarmed. Mostly because I don’t have an account with that institution, but these crooks are playing a numbers game: Some percentage of the people they reach with this mass mail will have one of those accounts. So, on behalf of Wells Fargo customers everywhere, I clicked that link, which took me first to a page that simulated a Captcha, and then to this scary-looking dialog: More

  • in

    Deleting your personal info from Google Search is stunningly easy now – and fast

    bigtunaonline/Getty Images If you find your personal information in a Google Search, like your phone number, address, or email, Google just made it easier to make sure it doesn’t show up again. Several years ago, Google introduced a “Results about you” tool that lets you track your personal information online and remove it from search […] More

  • in

    Think your Venmo is private? You should double-check this setting

    Elyse Betters Picaro / ZDNETHigh-profile officials, including national security adviser Mike Waltz, have inadvertently exposed their networks through public Venmo accounts, according to WIRED. This serves as an important reminder for all Venmo users to review their privacy settings.Also: Did you get paid through Venmo, CashApp, or PayPal in 2024? The IRS will knowIf you haven’t checked your Venmo settings, your entire friends list and transaction history may be visible to the public. While it might seem harmless if someone sees that you sent a friend $10 for a shared pizza last month, your account could be revealing far more sensitive information than you realize. What people can see on Venmo By default, Venmo makes every payment and description public. The amount is hidden, but just by browsing through a few random friends’ accounts, I was able to see the location of their kids’ sports leagues, the name of a wedding venue for an upcoming ceremony, the name of a child’s classmate at elementary school, and even restaurants they frequent.Also: This new tool lets you see how much of your data is exposed online – and it’s freeJust as concerning is that your friends list is also public by default. Looking at my friends’ contact lists, it wasn’t hard to find their family members, coworkers, children’s teachers, daycare workers, and more. This information could be exploited by anyone — online trolls, stalkers, ex-spouses, law enforcement (in 2019, federal prosecutors used Venmo transactions as evidence in the case against a man involved in rapper Mac Miller’s death), or criminals.A few years ago, BuzzFeed was able to find former President Joe Biden’s Venmo account. The issue wasn’t that the public could see he sent money to his grandchildren for their birthdays, but that it exposed an entire web of contacts, including family members and senior White House officials (and their networks).Also: The best data removal services: Delete yourself from the internetNow, WIRED has reported that the US’s national security adviser, along with other senior officials, left their Venmo accounts public, exposing their extensive network of personal and professional connections. Waltz’s account, for instance, displayed a list of 328 people, including figures like White House chief of staff Susie Wiles and several prominent media figures. This kind of exposure could be exploited by foreign intelligence services, posing a potential national security risk.While researching for this article, I found several public profiles for local politicians, athletes from pro sports teams in my area, heads of local law enforcement organizations, local TV reporters, and more. By looking at each of their profiles, I got a clear picture of the people they interact with and the places they visit. More

  • in

    How to protect your site from DDoS attacks – before it’s too late

    WhataWin/Getty Images On March 10, X experienced multiple outages, with tens of thousands of users reporting the social site was down for them. Later that day, after multiple failures, X came back online. What caused this? While the pro-Palestinian hacking collective known as Dark Storm Team claimed responsibility on Telegram for a distributed denial of […] More