By Lauren Morley on Aug 21, 2019, 8:36:00 AM
Just about every day we hear news of another data breach, identity theft, and stolen personal information. It can seem futile to try and keep your information safe! But there are some simple ways to protect your online identity and privacy. Follow our tips to keep your data secure and your blood pressure down.
Audit and clean up your online information
Have you ever Googled yourself? You might be surprised by what you'll find! Unless you're a celebrity, there isn't much reason for the world to find your personal information through a search engine.
Go through at least Google and Bing's search results for your name and see what you find. This could pull up social networks, your business, news articles and press releases, phone directories, and people search websites like PeopleFinder, Spokeo, and BeenVerified.
See what information is available publicly (make sure you're logged out of your social accounts for accuracy) and decide what needs to go. Some information is available in public records and can't be removed completely - marriage and divorce records, court cases and arrests, property deeds, business ownership, bankruptcies, and more are all open and publicly findable. While you can't erase everything, you can be wary of what information will always be out there and prevent criminals from using it against you (more about this later on).
If you find information you wouldn't want the world to have access to, such as on your social media account or people finder sites, start taking actions to lock it down. Ensure your social accounts are set to private and photos are only shared with your connections. Personal information aggregation sites will generally have a contact form or way for you to request removal of your data from them. While public record information may stay available, things like your phone number, email, last known address, and other information can and should be removed (and frighteningly, most sites will have these listed!)
Another thing many people don't consider is online map services like Google Maps. Search for your house and see what shows up when you go to the street view of the location. Your house number, cars and license plates, and even you could be in the photo! This could be an easy way for criminals to find out more information about you just by having your address. While Google has gotten better at blurring things like license plates, it's a good idea to check and request obfuscation if you notice anything publicly viewable.
For Google Maps, here are the steps to request this:
- Open Google Maps or the Street View gallery.
- Find and open the 360 photo that violates the Google Maps Image Acceptance and Privacy Policies.
- In the bottom right, click Report a problem.
- Complete the form.
- Click Submit.
Review and update privacy settings
Most of us use multiple apps, social media sites, and online services. All of these have different default privacy settings and security methods. If you never check these and rely on the company to protect your information, you're probably setting yourself up for problems!
Most services will collect and sell your information, especially if they're free, and would just love it if you wouldn't pay attention to what they're gathering.
How to check and update app permissions
Mobile apps are a huge culprit for data collection and questionable security. Spend some time going through your downloaded apps to see what permissions are enabled.
For Android devices (via Google)
"You can change the permissions that apps can access in the main Settings app on your device at any time. Keep in mind turning off permissions may cause apps on your device to lose functionality.
Note: If you're using a work, school, or government Google Account, your administrator may use the Device Policy app to control certain permissions.
See all permissions for each app:
- On your device, open the main Settings app.
- Tap Apps or Application Manager (depending on your device, this may look different).
- Tap the app you want to update.
- Tap Permissions.
- Turn permissions on or off.
See all apps on your device that can access particular permissions:
- On your device, open the main Settings app.
- Tap Apps or Application Manager (depending on your device, this may look different).
- Tap Permissions or App permissions. If you can't find App permissions, you may need to tap an App or Privacy and safety App permissions.
- Tap a permission.
- Turn permissions on or off."
For Apple devices (via Wired)
"From the Settings app, tap Privacy to see all the permissions available on your phone: access to photos, motion and fitness data, your phone's location, and so on. Tap on any entry to see the apps granted those permissions and to disable those permissions, if necessary.
The exact choices vary depending on the permission. For location data, for example, you can grant access to an app all the time or only when the app is open. With Apple Health data, meanwhile, you can give an app access to certain bits of data, like the hours you've slept, but not others, like the steps you've walked.
Scroll down the Settings screen beyond the Privacy menu to find individual app entries. Tap on any app to access the same permissions as before, plus some extra ones—like access to notifications and permission to use cellular data as well as Wi-Fi. Again, a simple tap on an option or toggle switch is enough to grant or refuse a permission."
For Windows devices (via Wired)
"Click the cog on the Start menu to open Settings, then pick Privacy to see what your installed apps are allowed to do on the OS.
The options are sorted by permission rather than by app, so click any of the entries on the left side to see apps with access: Location, Camera, Pictures, and so on. Each screen looks slightly different, but if you scroll down you'll see a list of apps associated with that permission. You can grant or revoke them with a click on the relevant toggle switch.
With all of these permissions, you can turn off app access completely: For example, you might decide you don't want any of your applications using your webcam. Note though that these screens cover apps installed only from the Windows Store and some apps bundled with Windows, like Mail and Cortana.
For full desktop apps with access to all your system resources, like Photoshop, there's no easy way of controlling permissions; these apps may have some options available in their respective preferences boxes, but otherwise you'll have to completely uninstall any that you aren't happy with."
Social media permissions
Taking some time periodically to review your social media security and permissions is a great idea, especially as more services become integrated.
Facebook is a big one, and lots of services even allow you to sign in to them using your Facebook login. This creates a bridge between the two and lets them collect and sell even more data about you. These connections can be terminated by you and is usually a good idea!
Another recommendation for Facebook is to control who can view your profile, posts, and photos/videos. You can choose for your content to only be available to friends, friends of friends, public, only you, or a custom group. This gives you great options for choosing who sees what, and should be used not only for public privacy but for practical purposes too! Don't want your boss or future employers to see your weekend parties? Take advantage of this setting!
For other social media sites, check out their available privacy and security settings too. Many are similar to Facebook and will let you control who can view your profile and posts, and change as needed. Also be sure to check out the Integrations section to find out which other services are connected to your profile and update these if needed.
Use anonymous payment and email services
The more businesses you give your financial and personal information to, the more risk there is. That information is stored indefinitely and you usually have little idea of how that company is protecting it.
For in-person payments via card, consider using prepaid debit cards that can be loaded with any amount. These can be purchased easily and reloaded as much as needed, and will ensure that your actual card number isn't exposed or stolen.
Prepaid cards can be used for online purchases as well, but another option is to use a service like Privacy.com. They will generate a secure virtual card to use for purchases and mask your actual card number. This is a great idea for both privacy and practical purposes. Have you ever signed up for a recurring service and forgotten to cancel it? Virtual cards are a great solution, while also ensuring that your true information will never be compromised if one of those companies is breached or mishandles your data.
For just about any service or offer out there, you'll also need to supply your email address. Sometimes we want to hear from the company again, but sometimes we just want whatever they're offering without being spammed or having our email address shared! For the latter, there are tons of temporary email address services out there. They will generate a free throwaway email address for you, often with a temporary inbox that you can check if needed, after which it will be automatically deleted within a specified time frame. Some services are throwawaymail.com, temp-mail.org, and guerillamail.com.
Limit what you share on social media and with businesses
In addition to being cognizant of who can see your posts and your overall security settings, it's important on social to think about what you're putting out there. If it's on the internet, it will live forever, even if it's deleted later. Consider if you'd be comfortable with your friends, your parents, your children, your coworkers, your boss, your family, your partner, and random strangers seeing what you're going to post! Should you really share videos of your child for the world to potentially see and use? Pictures of your new house? While you may think you're only posting it for friends, there is always the potential for leaks.
Also think about the timing and content of your posts. This is especially important when you're on vacation for example. If someone with bad intentions sees that you're currently halfway across the country, they know that you won't be at your house for a while and it could (and has) lead to a burglary. Same applies when you're at work, at your kid's soccer game, or just out and about. Some people will use the check-in feature on social to even share where they are at that very moment. This is another potentially dangerous practice.
Thieves will also use pictures you post to find out if you have anything valuable, such as in the story linked above. Would you tell a criminal that you have some gorgeous new gold jewelry and won't be home from the hours of 4-6 pm today? Your social media profile could be doing just that.
The information you share with other businesses could also lead to privacy issues. Think about going to the doctor and what information they ask for. Hospitals are sadly notorious for having poor security practices, and just imagine all the data they have about you. While you can't flat out refuse to give any information to some places when you're using their service, know what is and isn't a necessity.
For instance, did you know that you don't have to give your social security number out to any company that claims they need it? Hospitals are another great example of this - check-in forms will just about always ask for your SSN. The only times you need to give your social are in these places provided by the US Social Security Administration:
- IRS for tax returns and federal loans
- Employers for wage and tax reporting
- Employers enrolled in E-Verify
- States for the school lunch program
- Banks for monetary transactions
- Veterans Administration as a hospital admission number
- Department of Labor for workers’ compensation
- Department of Education for Student Loans
- States to administer any tax, general public assistance, motor vehicle or drivers license law
- States for child support enforcement
- States for commercial drivers’ licenses
- States for Food Stamps
- States for Medicaid
- States for Unemployment Compensation
- States for Temporary Assistance to Needy Families
- U.S. Treasury for U.S. Savings Bonds
Social security numbers are just one example, but think before you start giving away all your information to any business that asks. Inquire what they'll use the info for and how they protect it, and be okay with not giving them everything they want if you don't feel comfortable. Companies are breached all the time and it's your information on the line when it happens.
Use strong online account and password security
Some basic account security tips that will keep you protected are:
- Using two-factor authentication: If your account has it, always use two- or multi-factor authentication. Most sensitive services use it at this point. Check your banking and other financial accounts, your email, your subscriptions, etc and turn it on. This will ensure that even if someone gets your credentials, they will still need access to your phone or other linked device to get into the account.
- Turn on account alerts: For services like your bank and credit card, most will send you an email or text alert if there is a new login or charge. Make sure this is always turned on for any account that allows it. Subscription services are a big target for criminals, so it's a good idea to turn notifications on for things like Netflix, Hulu, Steam, and Amazon. Many people reuse their login information across sites, and have their financial data saved in these services, making them even more important to protect.
- Sharing accounts: It's common for families and friends to share accounts for things like Netflix. While they usually have limits for how many devices can share it, often the limits are pretty high and you may not notice a new user. Periodically check which devices are using any shared account, and remove ones you don't remember or recognize. And again, make sure you have notifications turned on for when a new device is added!
- Close unused accounts: Do you remember how many accounts you've ever created in your lifetime? There's probably quite a few that you don't use any more and have forgotten about. Even without using a service, your data is still being stored with them and has the potential to be stolen or misused. One way to figure out what you can get rid of is to go through your email - inbox, junk, and trash folders. You're likely still getting emails from the services you've signed up for and can use that to help figure out what to cancel.
- Be cautious of free WiFi: Super convenient when you're out and about, but also a big privacy concern. You don't know who set up the connection and how secure it is, and it's alarmingly easy for criminals to monitor what's happening over a public WiFi network. If you must use it, don't conduct any sensitive business or log into accounts. It pays to be a bit paranoid here! Pretend that someone else is watching everything you do, and act accordingly.
- Think about your security questions and answers: While these seem like a good way to add an extra layer of security, how many of your answers could be found online? Your pet's name, mother's maiden name, father's middle name, elementary school, first car, favorite movie, etc are all common questions that you've probably shared the answer to on social media, or can be found through a search engine. We mentioned this briefly at the beginning of this article - public records information can potentially be used to figure out answers to these. Some companies have started asking more complex questions to combat this. But if you're stuck giving answers to easily find-able questions, consider making up an answer that's incorrect, but something you'll remember. Your first car could be the Millennium Falcon, or the city you were born in could be Winterfell!
Password security is a huge topic that could easily fill an article on its own (what a coincidence, we have that here!)
If you just want the CliffsNotes, here's a brief overview of tips and methods you should use for your passwords:
- Use different passwords for each account: We've all heard it before, but how many of us actually do this? It seems like a pain, but it's the best way to ensure that someone who has one of your passwords can't get into more of your accounts.
- Create a strong password: Gone are the days when changing letters to numbers and adding special characters would protect you. Attackers use computers to crack passwords, and they can guess millions of combinations in no time while trying all the common mutations people use. Words that can be found in a dictionary or in popular culture are also easy to guess as most people will only use one or two words in their password. Your best bet here is to create a long, completely random string of words or characters. How? Two methods that work well - think of a sentence that you can remember easily, for example "I have 2 dogs & their names are Yoda & Bindi". Take the first letter of each word, capitalization and all, along with any symbols and numbers, and use that to create your password, in this case it would be - "Ih2d&tnaY&B". It's very random, doesn't contain any actual words, is long, and is much easier to remember than most passwords. You can even write the entire phrase down at your computer without worrying anyone guessing its purpose. Method two - take 4-6 words that have no relation to each other and are totally random. You can use a book, a webpage, or just any old words you can come up with for this as long as they are truly random and unrelated. An example of this could be "applecatkeypapersoap". The length and randomness of this method is its strength (the longer the better), and you don't even need to worry about capitalization or substituting numbers for letters.
- Use a password manager: Having long, random passwords that are different for each website is tough for many to manage. You may consider using a password manager like Dashlane or LastPass. The caveat to this is that your main password, the one you use to log into your password manager, must be extremely secure since it's guarding all of your account login details. But having one super-secure password to remember is much easier than dozens!
Take advantage of credit monitoring and services
Often criminals are after your financial information and money, so keeping an eye out for any potential fraud is a smart plan.
While you can request one free credit report from each of the agencies once per year, there are services like CreditKarma that will allow you to check your credit reports for free any time you like. You can also dispute any issues from their website directly and get alerts about changes to your credit profile.
Many banks offer their own monitoring and alert system, and you should definitely take advantage of these if you can. You'll receive a notification or email every time there is a charge made on your account, or if changes have been made.
Another option to protect your finances and credit is to use credit freezes:
"A credit freeze is a freezing of your credit report at your request. That means no one can gain access to your credit report even if they have your Social Security number and other personal information about you.
A credit freeze allows you to control access to your credit reports through a special PIN or password. So, even if someone has your Social Security number, they could not use that information to establish new lines of credit or to make purchases on credit in your name.
This is important because, before opening new accounts, most companies will do a credit check of the applicant. With a credit freeze in place, a credit check can’t be done. As a result, an identity thief will be prevented from opening new accounts using your personal information."
As of September 2018, freezing and unfreezing your credit is free with each of the bureaus. They each have their own process for setting it up, you can check them each out here - Equifax, TransUnion, Experian.
It's a good idea to freeze your credit if you've been the victim of identity theft, a data breach, or if you just want to make sure you're extra protected. It takes a little extra time to freeze and unfreeze your accounts, but it's nothing compared to the time and headaches it takes to recover from fraud.
Learn effective scam and phishing prevention + awareness
Great passwords and safety measures won't be much help if you hand a criminal your account details and personal information on a silver platter! That's why the most important part of online safety is education and awareness.
Phishing attempts are growing and the attackers are getting smarter. Everyone has received the obvious scam email filled with spelling errors, phony email addresses, and mistakes that are easy to see and ignore. But these are getting harder to spot as the criminals improve their tactics.
Here are some common phishing and scam methods and how to combat them. While these are directed towards businesses, the same tactics are often used on consumers too.
With many businesses relying on cloud services such as Office 365, G Suite, Dropbox, and Slack, hackers know there’s huge potential in gaining access to just one account in a company network. Phishing emails in this category will generally attempt to lead you to a fake login page for one of these services. By pretending there was a security incident you need to review, an important notification, or an expired password, they incite urgency and bring your guard down.
If an attacker can gain access to a team member’s account, they can send out phony emails to contacts to get even more information, impersonate the victim, attempt wire fraud, find credentials for and request password resets on other accounts, and gain access to company files.
Best way to avoid: Enable multi-factor (2FA) authentication on any accounts that allow it.
Do not click links or open attachments in emails from services you use unless you 100% trust the sender and were expecting the email. Most reputable companies like Microsoft and Google will not send clickable links or attachments unrequested through email and they will never ask for your personal information.
If you think something’s up with an account, go directly to the service’s website yourself from your web browser and log in without following links from the email.
Online messaging apps have given attackers another way besides email to scam their victims. Malicious messages will be sent through Facebook, Microsoft Teams, Skype, etc. These platforms generally don’t have the same security or filtering options seen in business email.
Recipients are more likely to click a link or open a file in these programs because while they’ve been trained to be suspicious of emails, messaging platforms haven’t received the same attention.
Best way to avoid: Train employees to use caution with any messaging platform, and make them aware that cybercriminals are utilizing these apps. Some third-party tools also exist to help secure online messaging programs.
Let's (business email) compromise
BEC attacks are on the rise as a successful one can easily net hundreds of thousands or even millions of dollars in one swoop for the perpetrator. “According to CNBC, law enforcement agencies have dealt with over 17,000 victims who have collectively lost more than $2.3 billion to BEC attacks.” (VadeSecure)
Sometimes you’ll hear this referred to as CEO, wire fraud, or invoice phishing. By compromising an executive’s email account, an attacker can dupe another employee (usually a financial manager) into wiring money to them. This is easily accomplished by going through old messages, finding a vendor the company’s previously sent money to, and changing only the routing/account information. Most people won’t check that the account numbers match previous payments and will send the money right off to the criminal’s account.
The rise of social media and large-scale data breaches have made these attacks more effective in recent years. A criminal can easily find a company’s hierarchy and personal information on social media. Coupled with credentials found through data breaches, it’s all too easy for an attacker to convincingly impersonate and/or take over the account of someone at your business.
Best way to avoid: Many banks, especially business banks, will allow you to set up extra security features before they process any transfer or vendor payment. Examples include sending a code to your email or phone as in two-factor authentication, creating a pin or password, and requiring two people at your company to approve the order.
We also recommend requiring something like this internally regardless of your bank setup. If a request comes through email, have that employee confirm the request through a different channel i.e. text, phone call, in person, or a messaging program.
Sharing isn't caring
Attackers are figuring out ways to circumvent email security features like scanning for malicious links. Criminals will embed dangerous files within sharing services like Dropbox or Google Drive, then send a link to that file to the victim.
Since the link within the message is from a reputable service, most security filtering settings won’t flag it. But once the victim follows the link and falls for the scam, their information can be stolen, malware installed on their machine, etc.
Best way to avoid: As always, never click links in emails unless you were expecting it! Confirm with the person who appears to have sent the message through an alternate channel – phone, in person, text.
This email is a common target for both businesses and consumers. It will attempt to convince you that there’s been a billing issue with a service you use – Netflix, Paypal, Quickbooks, etc. Just click the link in the email to verify your information and it will all be cleared up! Or, more likely, you’ll send your financial, login, and/or personal information straight to the perpetrator.
Best way to avoid: Once again, NEVER follow links from emails you aren’t expecting. If you want to check the validity of an email like this, call the company directly or visit the website and login from your web browser. If there is a billing issue, you’ll be able to see straight away.
Companies are aware that phishing scams like this are prevalent, and will generally never ask you to follow a link or confirm personal information from an email.
Taxation without representation
Tax season is, of course, when this scam is at its peak and it comes in a few flavors. Some emails will state that you’re eligible to receive a refund, or that you will be audited. Both want you to give up personal information.
In another variation, an attacker will pretend to be from a vendor or adviser and attempt to “confirm” employee tax information.
Best way to avoid: The IRS will pretty much always send you important information through snail mail. They will never ask you to confirm personal or financial details over email or even the phone.
If a vendor or adviser calls or emails trying to get employee information, have a system in place to confirm these requests before giving anything out. This could entail channeling everything through your CEO or another person who is familiar with all your vendors, and/or requiring all requests be made via certified mail.
While it can seem like an insurmountable task to protect yourself in the internet age, with a little effort and diligence you can feel far safer and more confident. Combine education and awareness, the proper security technology and tools, monitoring, and a little time and you'll greatly lower your risk.