Chapter 10

Truth or Dare

Abstract

As true digital detectives, in this chapter you are guided in how to recognize when information on the Web and in other digital environments may be false, deliberately misleading and designed specifically to defraud you. You also will become familiar with a range of strategies to protect yourself from the consequences of fraudulent or hostile online activity, such as identity theft, phishing, malware and payment fraud. You will reflect on how fast-moving social networking sites such as Twitter have accelerated the speed at which false information can go viral, and how critical skills are now more crucial than ever to help you discern the good from the bad.

Keywords

Cybercrime; Data protection; Malware; Misinformation; Online identity; Scams

10.1. The Dilemma: ‘Misinformation, Scams and Hoaxes on the Internet Are Easy to Spot. I Won’t Be Caught Out, Will I?’

In this chapter we address the extremely important and topical issue of personal protection in online spaces and take a look at the constantly evolving variety of scams, hoaxes and other risks that are associated with Internet use—these are an ever-present concern. As true digital detectives, you will learn how to recognize when information that is posted on the Web, or appears on your social media accounts or in your email inbox, may be false, deliberately misleading or designed to defraud you.
You will become familiar with strategies for protecting yourself from the consequences of fraudulent or hostile online activity, such as identity theft, phishing, malware and payment fraud. You will also reflect on the potential of the Web for rapid dissemination of false information, particularly in light of the availability of fast-moving social media sites such as Twitter, Facebook and discussion forums, where news items—both true and false—can go viral in a matter of minutes.
In this chapter, you will:
• discover how social networking has increased the speed at which misinformation can travel around the Web.
• learn about cybercrime and the different types of fraudulent activities that are perpetrated online.
• understand how to spot a scam and become familiar with the clues that tell you all is not what it seems.
• learn how to protect yourself against Internet fraud.

10.2. The Wild, Wild Web

As part of its annual review of the year at the end of December 2014, the BBC News website posted a top-10 list of strange, wonderful and poignant items (Lee, 2014); included among them were Ellen DeGeneres’ famous ‘Oscars selfie’, which was re-tweeted more than 3 million times, a video of a dog disguised as a spider, a singing priest, a bunch of goats playing on a metal sheet, a video exposing everyday sexism experienced by women, and an image of the US-based reality television celebrity Kim Kardashian. A quizmaster in a particularly challenging quiz show might ask, What could all of these seemingly random items possibly have in common? The answer, of course, is in the title of the article on the website: ‘The Top Memes and Viral Videos of 2014’.
What is your understanding of the term viral? Although it obviously sounds health-related, in recent years another meaning has become attached to the word, and it is now included in the Oxford Dictionary. It is defined there as ‘an image, video, piece of information, etc. that is circulated rapidly and widely on the Internet’ (Oxford Dictionaries, 2015). No doubt you have heard of pictures, videos or memes ‘going viral’. Perhaps you also are aware of the recent phenomenon of ‘viral marketing’. The phenomenon of going viral is a testament to the unique power of Internet sharing and social media in spreading a message rapidly and globally, with unprecedented efficiency, reaching staggering numbers of Internet users. For example, the video that has become the most ‘viral’ in history is the Kony 2012 video by Invisible Children, which received 34 million views on the day it was uploaded in 2012 and reached 100 million views within 6 days. Another very famous example, although not as rapidly spreading, is Psy’s ‘Gangnam Style’ music video, which has become YouTube’s most-watched video of all time, with more than 2 billion views since it was released in 2012.
The speed at which information on the Internet can now travel around the globe is unprecedented. Thanks to social media sites such as Facebook, Twitter, Snapchat, WhatsApp, Reddit, YouTube and many more, articles, pictures and videos can pass from person to person at an astonishing rate, and simple hashtag phrases can spread awareness of an issue like few other media. This can be an undoubtedly positive phenomenon; if you think of the role played by social media in raising awareness and spreading the message for social movements such as the Arab Spring (from 2010 to 2012) and Occupy Wall Street (from 2011), you will understand how going viral can be harnessed as a force for good. More recent examples include the #BringBackOurGirls Twitter campaign, when nearly 300 Nigerian schoolgirls were kidnapped by the Boko Haram terrorist group in 2014, and the Ice Bucket Challenge of summer 2014, which raised millions in donations for charities supporting those afflicted with motor neurone disease.
However, there is also a downside to ‘going viral’. The absence of checks and balances with regard to information on the Web means that the videos, photos and articles that are circulated so rapidly from person to person might not be what they seem. Social media has also made it possible for false or inaccurate information to reach all parts of the globe before it has been properly verified. The ease with which information can be deliberately altered or falsified underscores the need for extra vigilance when engaging with social media sites:

It’s going to get much worse because technical rules to stop it are often almost impossible to implement. When you send a jpeg, you may have photoshopped it but there’s no way of the recipient determining what has been photoshopped. You could just say it has been cropped rather than that the content has been changed – somebody taken out of the picture, someone else put in – but it is almost impossible to prove. Increasingly, you can’t tell truth from lies in the digital age.

(Viktor Mayer-Schönberger, quoted in Jeffries, 2011)

The ‘Twitter hoax’ is a good example of the role played by social media in propagating false information; in particular, the celebrity death hoax is one that you have probably witnessed. Flegenheimer pointed out in 2012: ‘Just about every day, and often more frequently, Twitter kills a public figure’. Celebrities whose deaths have been prematurely reported on Twitter include Miley Cyrus, Axl Rose, Macaulay Culkin, Betty White and Bill Cosby. In October 2014 the agent of American actor Judd Nelson was forced to circulate a photo of the actor holding up the day’s newspaper with the date clearly visible to prove that he was still alive after the rumour that he had passed away spread on Twitter (Colker & Raab, 2014).
The serious issues raised by the risk of false information circulating on social media were underscored in 2014 by the publication of the online ‘Verification Handbook’, developed by the European Journalism Centre to provide journalists with ‘step-by-step guidelines for using user-generated content during emergencies’ (Silverman, 2014). While the aim of the handbook is to assist journalists in ensuring that accurate information is reported in what could be life-or-death scenarios, the developers also emphasize that the principles and strategies discussed can—and should—be used by any person, including the ‘citizen reporter, relief responder, volunteer, journalism school student, emergency communication specialist, or […] academic researching social media’ (Silverman, 2014). Nowadays, newsworthy events can be recorded in real time by anyone who is standing by with a digital camera or smartphone. Frequently, these eyewitness videos are uploaded directly to YouTube, or circulated on Twitter or other social media sites, without any context or any editorial control, as would be the case with a trusted news network. Separating that which is important and genuine from that which is trivial or fabricated is increasingly difficult because amateur videos and images often display a professional gloss or slickness, thanks to the media and filtering tools available to all. The need for intelligent evaluation is greater than ever so that we can untangle fact from fiction.
The digital detective never takes information at face value—especially information that reaches him or her through social media or is generated by ‘the crowd’. In Chapter 5 we discussed the importance of carefully evaluating digital information and seeking out the clues that tell you whether information can be trusted. However, greater challenges arise when there has been a calculated effort to deliberately mislead, influence or, more seriously, defraud Internet users through the spread of false information, or when scams are implemented that have been designed to trick users into performing an action that will lead to some sort of negative consequence, frequently financial in nature. This chapter considers how you can recognize—and, more importantly, protect yourself against—fraudulent Internet activity.

10.3. Reflection: How Safe Do You Feel?

Take a few minutes to reflect on your own perceptions of online security. How would you react to the following statements?
• There are no issues with posting personal information online, as long as the security settings on the site have been set to the highest level of protection.
• Internet scams are very easy to spot because they are usually based on ridiculous or outrageous stories.
• There are very strict laws in place that prevent my personal online information from being shared with other people and companies.
• The government is concerned with protecting the personal data of all citizens and takes measures to enforce this protection.
• If you get caught in an Internet scam, there are always ways to get your money back, under data protection laws.
• It’s fine to input a little personal information if it means getting free access to something.
Some evidence suggests that trust in the security of online information has declined among Internet users in recent years. In 2014, a Pew Research Center report on public perceptions of privacy and security in the United States found that, ‘across the board, there is a universal lack of confidence among adults in the security of everyday communications channels—particularly when it comes to the use of online tools’ (Madden, 2014). Participants in that study indicated that they felt insecure in a variety of situations, including using social media sites to share private information with another trusted person or organization, using chat or instant messages to share private information, sending private information via text messages and email and using their mobile phone when they want to share private information. Furthermore, in the wake of the explosive information leaked by whistle-blower Edward Snowden in 2013 about the activities of the National Security Agency in accessing the phone records and Internet search logs of US citizens, a very high percentage of participants expressed concern about the government’s monitoring of phone calls and Internet communications. Most of the people surveyed felt that they should be doing more than they already were to protect their privacy online. However, it was also clear from the study that people frequently view the posting of personal information online as a kind of trade-off between their security concerns about what might happen to that information and the benefits they perceive will accrue from it, such as improved online services, personalized content or gaining free access to other services.

10.4. Online Identity Risk Calculator

In 2012, the commercial vendor EMC launched a collaboration with the National Cyber Security Alliance to develop the Online Identity Risk Calculator, which is a ‘free interactive assessment tool designed to help educate consumers about their personal exposure to online threats’. It can be accessed by navigating to this URL: http://www.emc.com/microsites/fraudgame/flash.htm.
Once you download the version of the tool that you require, you are invited to answer a series of questions about the nature and frequency of your online interactions. Your answers to these questions are used to calculate your online identity risk. Each individual answer generates ‘identity risk scores’, which are compiled to indicate an overall risk level. Questions include the following:
• How often do you access your online banking account?
• How often do you make purchases online?
• How many email accounts do you have and access on a regular basis?
• How many social networking sites do you use on a regular basis?
Your overall risk is calculated as low, medium or high, depending on your interactions. Although far from scientific, it is interesting to complete this exercise to reflect on your digital online behaviour and how open to cybercrime it might leave you. So, how safe do you feel? How much information are you willing to share online? The following sections consider the different scams that are perpetrated on the Internet and the measures you can put in place to protect yourself in online spaces.

10.5. A Digital Detective’s Guide to Cybercrime

One of the ways in which the Internet poses a threat to users is through cybercrime, defined in Encyclopaedia Britannica as ‘the use of a computer as an instrument to further illegal ends’. Rather than a physical attack, cybercrime is described as ‘an attack on information about individuals, corporations, or governments’ (Encyclopedia Britannica, 2014); it concerns the digital identities or footprints we leave behind when we interact in online spaces. Cybercrime spans a wide range of different activities, including identity theft, copyright and intellectual property violations, malware, spam, hacking, trafficking of illegal images and documents, cyberterrorism, as well as the ubiquitous financial scams.
In Europe, the European Cybercrime Centre (EC3) at Europol was launched in January 2013 to ‘build operational and analytical capacity for investigations and cooperation with international partners in the pursuit of an EU free from cybercrime’ (European Cybercrime Centre, 2015). Its first report, the Internet Organised Crime Threat Assessment (IOCTA), was published in 2014 to raise awareness among ‘decision-makers at strategic, policy and tactical levels’ of the different types of cybercrimes that are typically perpetrated online, and to advise on the measures that should be taken to protect citizens, businesses, and so on (European Cybercrime Centre, 2014). The US counterpart, the Internet Crime Complaint Center (IC3; originally the Internet Fraud Complaint Center), was established in 2000 as a partnership between the National White Collar Crime Center, the FBI and the Bureau of Justice Assistance to provide a means for members of the public to report online crime. Since then, its annual reports on Internet crime have provided a revealing insight into the different types of fraudulent online activity that affect US citizens. However, although the IC3 reports are thorough, the difficulty of monitoring online crime leads the report’s authors to note that ‘the true volume and scope of cybercrime is unknown’ (Internet Crime Complaint Center, 2014, p. 8). Furthermore, the ‘borderless’ nature of cybercrime makes it difficult to implement cohesive or collaborative frameworks for investigating these activities and sanctioning those responsible.
The EC3 report broadly classifies cybercrimes into a number of different categories:
• Malware
• Child sexual exploitation online
• Payment fraud
• Criminal finances online
• Crimes relating to social engineering
• Data breaches and network intrusions
• Vulnerabilities of critical infrastructures
Here we focus on three of these categories: malware, payment fraud and crimes related to social engineering. How are they defined?

10.5.1. Malware

Malware is a portmanteau, which stands for malicious software, and is defined as ‘software which is specifically designed to disrupt or damage a computer system’ (Oxford Dictionaries, 2015). While malware can often arrive in the guise of non-malicious, seemingly benign software, it can cause extensive damage to a host device. Malware includes software such as computer viruses, worms, Trojan horses, ransomware, spyware, adware and scareware, some of which we explore below.
The EC3 report (2014) notes that malware covers a variety of hostile activities, ranging from ‘logging keystrokes to steal sensitive user data, to sophisticated and professional malware which can intercept and alter data or hijack the victim’s user session’. Devices on which malware has been installed are said to be ‘infected’. Ransomware is a particular type of malware that encrypts the victim’s files or locks the device, making it unusable until a ‘fee’ (the ransom) is paid; paying offers no guarantee that access will be restored, which is why keeping a recent backup that is stored offline, out of reach of the malware, is the most reliable protection. Another form, spyware, is malicious software that gathers personal information from your device, such as your Internet searches or banking details, which can then be sold to other organizations without your consent.
Malware can potentially be downloaded to your device in a number of ways:
• When you accept a prompt on your device without reading the ‘small print’; for example, when installing software from a website, a pop-up might appear, suggesting that you need to download additional software or plugins, and you automatically click on the link provided. Or perhaps you receive a prompt informing you that your device is not adequately protected and that you need to download a particular security update.
• When you open an email attachment from an unknown or unfamiliar address—this is a very common way of infecting a device with malicious code; emails can seem to be legitimate, even using email addresses that look absolutely genuine. Trojan horse emails are explored in more detail below.
• When you download software (e.g., games) from any source that you have not verified as legitimate.
• When your device has no antivirus software, or you have not installed the updates released for the software you do have or for your operating system in general. Legitimate updates often contain fixes for security vulnerabilities that malware exploits, and so should always be installed as soon as possible.

10.5.2. Trojan Horse Emails

One very common means of installing malware on a victim’s device is via a ‘Trojan horse’ email, named after the legendary story from the Trojan war, in which the Greeks used a giant wooden horse to enter and destroy the city of Troy by hiding their army inside. Trojan horse emails, which usually contain attachments, may seem genuine and look official, often seeming to come from legitimate email addresses. If, however, the attachment is opened by the recipient, it may cause damage in a number of ways:
• It can create a security vulnerability, or open a secret ‘backdoor’ on your device, leaving it exposed to future cyber attacks.
• It can install software that logs your keystrokes, thus allowing criminals to discover your login details and passwords for sites that you may use, as well as payment information.
• It can turn your device into a ‘bot’ that can be used by criminals to send spam, launch denial-of-service attacks or spread the virus to other computers (US-CERT, 2008).
How do you recognize a Trojan horse email? Some clues that you can look for include the following:
• The attachment has an unfamiliar extension such as .msi, .bat, .com, .cmd, .hta, .scr, .pif, .reg, .js, .vbs, .wsf or .cpl, or the .exe extension that is most widely associated with malware; or it has multiple extensions (for example, invoice.pdf.exe), so that it looks like a document while in fact being a program. Note that Windows hides the extensions of known file types by default, so invoice.pdf.exe is displayed simply as invoice.pdf.
• The email is unsolicited and may appear to come from a person whom you don’t know, or from a company or organization to which you have no personal links.
• There is some kind of positive or negative inducement in the subject line to encourage you to open the attachment—for example, notification of a special offer or a warning that your account has been compromised. A very famous example was the ‘ILOVEYOU’ virus that circulated via email in May 2000; the inducement in this case was an invitation to the recipient to read the ‘love letter’ that was attached. The attachment was named LOVE-LETTER-FOR-YOU.TXT.vbs, and because Windows hid the final .vbs extension, it appeared to be a harmless text file rather than the script it actually was.
• The content of the email seems unusual, even if it appears to come from someone you know. This is where you need to use your instincts to detect whether something is amiss or out of the ordinary. Would your friend or colleague typically send an email like this?
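The attachment-name clues above can be checked mechanically. The following is an added example, not code from the chapter: it takes an attachment name and reports the script and executable extensions the chapter lists, doubled extensions such as invoice.pdf.exe, and what the name would look like on a system that hides known extensions (the ILOVEYOU trick). The set of ‘document-like’ extensions and all sample names are constructed for illustration.

```python
"""Flag attachment names that show the Trojan horse clues above.

Added example, not code from the chapter. Uses only the standard library.
"""

# Extensions named in the chapter as common malware carriers, plus .exe.
RISKY_EXTENSIONS = {
    ".exe", ".msi", ".bat", ".com", ".cmd", ".hta", ".scr", ".pif",
    ".reg", ".js", ".vbs", ".wsf", ".cpl",
}

# Extensions a reader expects to be harmless documents or pictures (assumed
# list for this example). A risky extension placed after one of these is
# trying to pass as a document.
DOCUMENT_LIKE = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def _basename(filename):
    """Strip any directory part, accepting either slash style."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def split_extensions(filename):
    """All dot-suffixes of the name, lowercased, outermost last.

    'Report.PDF.exe' -> ['.pdf', '.exe'];  'README' -> []
    """
    parts = _basename(filename).split(".")
    return ["." + p.lower() for p in parts[1:]]


def assess_attachment(filename):
    """Return human-readable warnings; an empty list means no clue was found."""
    name = _basename(filename)
    exts = split_extensions(name)
    if not exts:
        return []  # no extension: nothing an email client would execute
    warnings = []
    outer = exts[-1]
    if outer in RISKY_EXTENSIONS:
        warnings.append(f"executable or script extension {outer}")
    # Count only extensions we recognize, so 'my.notes.txt' is not flagged.
    known = [e for e in exts if e in RISKY_EXTENSIONS or e in DOCUMENT_LIKE]
    if len(known) > 1:
        warnings.append("multiple extensions: " + "".join(exts))
    if len(exts) > 1 and exts[-2] in DOCUMENT_LIKE and outer in RISKY_EXTENSIONS:
        shown = name[: -len(outer)]  # what a client that hides extensions displays
        warnings.append(f"disguised as a {exts[-2]} document; displays as {shown}")
    if "  " in name:
        warnings.append("run of spaces pushes the real extension out of view")
    return warnings


def is_suspicious(filename):
    """True when at least one Trojan horse clue is present."""
    return bool(assess_attachment(filename))


if __name__ == "__main__":
    # Constructed sample names, including the real ILOVEYOU attachment name.
    for sample in ["holiday.jpg", "invoice.pdf.exe", "LOVE-LETTER-FOR-YOU.TXT.vbs",
                   "setup.EXE", "my.notes.txt"]:
        print(f"{sample}: {assess_attachment(sample) or 'no clue found'}")
```

A filter like this catches the cheap disguises; it does not replace antivirus scanning, because a genuine .docx or .pdf can still carry a malicious macro or exploit. Treat an empty result as ‘no obvious clue’, not as ‘safe’.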

10.5.3. Payment Fraud

Payment fraud covers a range of illegal activities, but by and large it refers to ‘fraud that occurs when someone gains financial or material advantage by using a payment instrument or information from a payment instrument to complete a transaction that is not authorized by the legitimate account holder’ (Sullivan, 2009). Payment card fraud is probably the most well-known example of this type of fraudulent activity, and it can take place in both the online and offline environments, whether the card is present or not present during a transaction. For instance, you are now probably familiar with the small discreet notices posted on ATMs that remind you to cover the keypad when keying in your personal identification number (PIN) to obtain cash or carry out transactions, as well as the warnings to notify the bank if anything ‘suspicious’ about the machine is noticed. Although the widespread use of the ‘chip and PIN’ card payment method has made face-to-face card transactions much safer than before, a significant amount of card fraud in fact takes place online, in ‘card-not-present’ transactions where the PIN is not needed and the card number, expiry date and security code are enough.
Payment card fraud can occur via a number of criminal activities, including by obtaining lost or stolen payment cards and using them to make purchases; through card skimming, which is the extraction of card data from the magnetic stripe of a payment card as the card is processed at various locations, using a special data collection or storage device; through ‘shoulder surfing’ at an ATM or at point-of-sale terminals in shops; through obtaining payment details via malware, as described above; through phishing, which is explained in the next section; or through ‘access abuse’, where ‘persons (either in companies or privately) who are not entitled to know the bank details of another person or the company get access and use them in fraudulent ways’ (PPRO, 2014). Online identity theft refers to the use of a stolen or false identity to obtain goods or services by deception and frequently results in financial loss. Identity fraud ‘can be facilitated by the use of stolen or forged identity documents such as a passport or driving licence’ (CIFAS, 2015). Account takeover has a similar effect but does not involve creating a new identity in the victim’s name; rather, the cybercriminals simply hijack an existing bank account and steal from it.
The digital detective should be aware that payment fraud and identity theft may not just occur through criminals gaining access to private information; rather, it can sometimes involve information that we voluntarily make available online by filling out forms, registering for websites and so on. For example, we routinely send the following information into cyberspace:
• Internet protocol address
• Home/workplace address
• Usernames
• Passwords
• PINs
• National identification numbers (e.g., Social Security).
• Birth date
• Account numbers
• Answers to security questions (e.g., mother’s maiden name, first pet’s name).
While we might believe that websites are secure, this may not always be the case. You should always think twice about the information you are willing to give up, and guard your information online. For example, do not let your browser ‘autofill’ or remember your login details on websites that hold potentially sensitive personal information. Using a different, strong password for every site matters more than changing passwords on a fixed schedule, because a password reused across sites lets a single breach open all of them. Paying for online purchases with a credit card, rather than a debit card, is also recommended, because there tends to be more protection under law for credit card fraud, although this depends on the country you live in.

10.5.4. Crimes Related to Social Engineering

Social engineering criminal activity refers to ‘a set of offline and online methods and techniques that aim to manipulate a victim into voluntarily releasing sensitive information or into transferring money’ (IOCTA, 2014), and typically works on the fears, emotions, greed, carelessness and naivety of victims. Examples of this type of criminal activity that you might have heard of are spam and phishing, which is a particular form of spam. Spam is described as ‘Irrelevant or unsolicited messages sent over the Internet, typically to large numbers of users, for the purposes of advertising, phishing, spreading malware, etc.’ (Oxford Dictionaries, 2015). Although your primary experience of spam may be via email (or ‘junk mail’), other channels also are susceptible, including social networks such as Facebook, blogs, Internet discussion boards, and short message service (text) messages, to name a few. Spam is a ‘social engineering’ crime because it depends on the curiosity, altruism or even vanity of the recipient to open the message, and perhaps to carry out the instructions within; the Trojan horse email described above is an example of this.
One of the most common social engineering crimes is the advance fee scam, most famously exemplified in the ‘Nigerian Letter’ or ‘419’ scam. The modus operandi of this scam almost always follows the same pattern:
• You receive an unsolicited email from an apparently high-ranking official or member of a royal family who urgently needs to wire money out of their country and is imploring you to consider their plight.
• Their situation is inevitably complicated by political strife, persecution and bureaucracy.
• They therefore need someone from abroad who can receive the funds and who will then be rewarded with a small percentage (which is actually quite a lot of money).
• If you agree to ‘help’, however, problems keep arising that result in you revealing personal and financial details, and maybe even depositing some money in a bogus account (the ‘advance fee’, which is required to expedite the process).
The ‘friend in need’ scam works on a similar premise. This occurs when you receive a message, apparently from one of your friends, who is in some kind of trouble abroad; for example, they have been mugged and have lost their money and credit cards and have no way of getting home. You are asked to urgently forward some funds to allow them to travel back; details of where to send the money are provided. They do, of course, offer to pay you back afterwards.

10.5.5. Phishing

Phishing is a means of identity theft that ‘uses email and fraudulent websites that are designed to steal your personal data or information such as credit card numbers, passwords, account data, or other information’ (Microsoft, 2014). The strategies that cybercriminals use to ‘phish’ for personal information cover a number of different technologies. For example, victims may be targeted through ‘automated redirects to a bogus website (pharming), SMS (smishing) or phone or VoIP (vishing)’ (European Cybercrime Centre, 2014).
Clues to watch out for—which might help you avoid being a victim of phishing—include the following:
• Fake communications from online payment and auction sites such as eBay or PayPal, suggesting that your account security has been compromised, or that ‘changes to the service agreement’ have been implemented for your account, and that you need to log in to verify your account or risk the account being deleted.
• Fake emails from banks asking you to verify your account details by clicking on a link (real banks will never do this).
• Fake communications from Internet service providers suggesting that there is a problem with your account and you need to log in to check your details; this can take place over the phone or via email.
• Fake accusations of violating certain laws or committing undefined crimes.
• Fake communications from an information technology department, for example, an email from your university’s IT Support Services ‘notifying’ you that you have exceeded your allocated space and asking you to log in to rectify this.
• A fake email informing you that you have won the lottery in a country you do not reside in and that you need to forward a small administration fee to facilitate the transfer of your winnings.
• Fake communications from your country’s revenue service informing you that you are eligible for a tax rebate and that you need to verify your details to claim it.
‘Smishing’ attempts can include a text informing you that you have won a prize and only have to click on the link provided or call or text a number to claim this prize. In both cases you will be asked for personal information to ‘process’ your claim. Telephone or ‘vishing’ scams include the software company scam described in the next section.
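Several of the clues above come down to where a link really points. The following is an added example, not code from the chapter: it reads the links in an HTML email body and reports the tricks phishers use to make a fraudulent address look genuine, such as link text that shows one address while the link goes to another, a brand name buried inside an unrelated host name, a bare IP address as the host, and the user-info ‘@’ trick (in http://www.paypal.com@203.0.113.5/ the real host is 203.0.113.5). The brand list and the sample email are constructed for illustration; the ‘last two labels’ rule used to compare domains is a simplification that a real filter would replace with a public-suffix list.

```python
"""Inspect the links in an HTML email body for phishing clues.

Added example, not code from the chapter. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Assumed allow-list for this example: brand names scammers borrow, mapped to
# the domains that genuinely belong to them.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com", "ebay.co.uk"},
}

# Constructed sample message; 203.0.113.5 is a documentation-only address.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited.</p>
<p>Please <a href="http://paypal.com.secure-login.example/verify">log in</a>
to verify your details, or visit
<a href="http://www.paypal.com@203.0.113.5/">https://www.paypal.com/</a>.</p>
<p>Help centre: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Simplification: the last two labels ('www.paypal.com' -> 'paypal.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the phishing clues found for one link (empty list if none)."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if "@" in parts.netloc:  # everything before '@' is user-info, not the host
        warnings.append(f"'@' in URL: the real host is {host}")
    if _is_ip(host):
        warnings.append("link goes to a bare IP address")
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    # Visible text that looks like an address but points somewhere else.
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        warnings.append(f"text shows {m.group(1)} but link goes to {host}")
    for brand, real in BRAND_DOMAINS.items():
        genuine = any(host == d or host.endswith("." + d) for d in real)
        if brand in host and not genuine:
            warnings.append(f"'{brand}' appears in an unrelated host {host}")
    return warnings


def scan_email(html):
    """Map each suspicious href in the message to its list of clues."""
    report = {}
    for href, text in extract_links(html):
        clues = check_link(href, text)
        if clues:
            report[href] = clues
    return report


if __name__ == "__main__":
    for href, clues in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for clue in clues:
            print("  -", clue)
```

Run against the sample message, the genuine help-centre link passes and the two fraudulent links are reported. The habit the code encodes is the one to practise by hand: hover over a link, read the host name from right to left, and type the bank’s or payment service’s address yourself rather than following a link in an unsolicited message.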

10.6. Spotlight on Specific Scams

The most recently available IC3 report (Internet Crime Complaint Center, 2014) includes a more specific list of common scams, virtually all of which are perpetrated with financial gain in mind. It is likely that you have heard of some of them, or perhaps you even know someone who has been a victim of one or more scams. They include:
• Auto-auction fraud
• Software company telephone scams
• Romance scams
• Loan modification scams
• FBI scams
• Sextortion scams
• Hit man scams
• Gun sale scams
• Ransomware/scareware scams
• Fraudulent tech support call scams
• Real estate rental scams
• Photo and mugshot scams
• Grandparent telephone scams
• College and university scams
• Timeshare marketing scams
• SIM card swap scams
• Work-at-home employment scams
• Payday loan scams
Exploring how some of these scams work will offer us insight into the factors that trick or frighten people into complying with the instructions that appear on their screen or over their phone—even if they seem to be outrageous or far-fetched.

10.6.1. Romance Scams

This type of scam targets people who are seeking relationships online through dating websites such as match.com, eHarmony and PlentyofFish. The scammer reaches out to the victim, establishing a bond of trust through shared intimacies and sending poetry and other hooks, and seems to be very convincing and genuine. This then leads to fabricated stories of family tragedies, personal injuries or other hardships, usually culminating in a request for money to help them through the ‘bad patch’. The unsuspecting victim may then forward the funds as requested, only for the ‘friend’ to disappear and become uncontactable as soon as the money is received.

10.6.2. FBI Scams

FBI scams work through intimidation and paranoia, and they prey on people’s fear of ‘being watched’ by the government or law-enforcement agencies. Here, the victim receives an email or a pop-up message on their computer from what seems to be a high-ranking government official from the FBI (real names are often used) who suggests that they have been ‘caught’ engaged in an illegal computer activity that constitutes a violation of federal laws. They are warned that their computer will be ‘locked’ unless they pay a fine to avoid further criminal charges. Versions of this scam tailored to the laws and institutions of different countries also are common. Ransomware/scareware scams work on a similar premise, frightening people into believing they have been somehow caught in a crime, and using this fear to extort money. These scams work because there is still a great degree of uncertainty around the monitoring of Internet activity; often, people genuinely do not know if such targeted observation is possible or permitted by their governments.

10.6.3. Software Company Telephone Scams

Usually carried out over the telephone, these scams involve unsolicited calls from a scammer who claims to be an employee of a trusted software company. The victim is informed that some kind of virus or malware has been detected on their computer and that they are at risk of losing all of their data. The scammer asks the victim to log onto their computer and carry out a few simple instructions so that they can see how their computer became ‘infected’. They then offer what seems to be competitively priced antivirus software to solve the problem, directing the victim to a website where a specific code must be entered, along with personal and payment information, to download the software.

10.6.4. Work-at-Home Scams

These scams offer what seems to be a unique and very attractive opportunity to earn significant amounts of money without having to leave your house. The ‘jobs’ that are advertised often involve very easy tasks, such as stuffing envelopes, processing medical claims, assembling craft items or selling products. Work-at-home schemes are often advertised in a slick way, using professional-looking websites and pop-ups with apparently genuine testimonials in order to recruit newcomers. Victims find themselves defrauded when they are asked to pay a fee for joining the scheme, to purchase materials that they are to use to carry out the job or to invest in stock for resale, which in reality is worth much less than claimed by the scammers.

10.7. Spotting a Scam

The digital detective knows what to look for when something is not what it seems at first. Here are some of the factors to consider when spotting a scam:
• If it seems too good to be true, it usually is; for example, work-at-home schemes often offer a salary that is far above the marketplace rate for the type of work in question, and they seem to require no professional qualifications or experience from the applicant. Any message that apparently offers a reward for very little effort is almost always a scam.
• There is urgency in the message, or a warning of unfortunate consequences if you don’t act immediately; for example, ‘If you don’t act now, you will miss out on this amazing opportunity!’, ‘If you don’t pay this fine straight away, you will be arrested or have your computer seized!’ or ‘If you don’t download the software now, you will lose all of the data on your computer!’
• A poorly written email with many spelling, grammar or punctuation errors from an apparently ‘official’ source is a sign that it is not legitimate.
• An email address that seems suspicious; for example, an email that appears to come from your bank but uses a Yahoo! email address. Email software does not verify incoming email addresses—in other words, there is no way for your email software to tell whether an email is actually coming from the person it appears to be from. A quick way to check an email address is to hover your mouse cursor over the name in the ‘From’ line. From that you can tell whether the email is from a recognizable domain that is linked to the actual sender name. Alternatively, you can use a free online verifier, such as http://www.email-validator.net, which allows you to enter an email address to check its legitimacy.
• The ‘To:’ field contains a name different from yours, which indicates that this is a mass mailing where the ‘To’ field is not real or is selected randomly. Some of the words in the email might be CAPITALIZED, which is a tactic used to attract the attention of recipients. Some of the words may be distorted (‘Lloan’ instead of ‘loan’) in order to get around spam filters, or the link provided is not the URL of the company’s official website.
• A notification containing a company logo or graphic that doesn’t seem right; many phishing emails or fake websites include graphics that appear to be the official logo of an established company. If you take a closer look, however, you may realize that it is a mock-up or badly altered version of the original graphic.
• The communication may use phrases like ‘Verify your account’, ‘Update your account’, ‘During regular account maintenance’, ‘Failure to update your records will result in account suspension’ and similar instructions.
• The email may not address you personally, as an official company or someone you know would, but instead uses a general greeting such as ‘Dear (Bank/Company) Customer’ or ‘Dear friend’.
• To ensure that visitors arrive at their official website, large established companies such as Amazon, Google and Apple, as well as banks and other businesses, use the SSL (Secure Sockets Layer) protocol. That means that you will see https:// in the URL address bar rather than http://, and there may be other differences in the address bar, such as a locked padlock icon at the start of the URL.

10.8. General Strategies for Outwitting Cybercriminals

As you can see, the range and creativity of cyber scams is infinite, and new ways of manipulating the public are emerging constantly. As true digital detectives, however, you can adopt a variety of approaches to preempt any cyber attacks and protect yourself from scams. The key ingredient is vigilance, and you must develop sensible habits when interacting in the online environment.
• Ensure that you have fully up-to-date antivirus software installed on your devices.
• Activate a firewall, which is software that ‘allows or blocks traffic into and out of a private network or the user’s computer’ (PCMag Encyclopedia, 2015). For example, in Windows, a firewall can be activated by going to the Control Panel, and turning on the Windows Firewall for each network location that you wish to protect.
• Do not open email attachments from people whom you don’t know or that you were not expecting to receive.
• Download software only from sites that you trust or can verify.
• Regularly check your bank and credit card statements to ensure that no unauthorized activity has taken place.
• If you are invited to click on a URL in a communication, always check whether it is legitimate; in Chapter 5, we discussed how to analyze a URL when evaluating information resources. The same principles apply in this case. You can also use a lookup site such as http://www.whos.com/whois to identify the organizations and individuals behind domain names and Internet protocol addresses.
• When using ATMs, always take a close look at the machine before inserting your card; for example, does it have an extra mirror on the face, or any sticky residue that could indicate that a skimming device has been attached? Or is there anything stuck in the card slot or on the keypad? If anything seems amiss, do not use it.
• When making online purchases with a credit card, never input your card PIN—it is not required for these types of purchases.
• When using a payment card in person, always insist on being present when the actual transaction is carried out. Do not let anyone take the terminal device out of sight. This will help to prevent card cloning.
• If purchasing on an auction site such as eBay, always study the seller feedback, and confirm the full cost, including shipping, before completing a transaction. If selling on auction sites, never accept an offer from a buyer who wants to pay more than the requested amount for an item (allegedly to speed up the transaction). In all likelihood, the payment will fail after the item has been dispatched.
• When dealing with any company online, always check whether they have a physical address, rather than just a phone number or a post office box.
• Take extra care with any download of music or software that is free of charge; it may result in malware being installed on your computer.
• Disable the autofill function for forms on your browser, and do not permit your browser to ‘remember’ your password for sites that require personal information.
• Don’t use public computers for online banking or any transactions that involve personal or financial information.

10.9. Managing Your Passwords

One of the consequences of the way we use the Web today is that we must set up multiple accounts and enter registration information for the many sites and services that we want to use. Most of these sites request that you create a unique password, which should ideally be as difficult to guess as possible—sites refer to ‘strong’ passwords, which are more secure. The typical advice is to make sure that your passwords are at least eight characters long and that they contain a mixture of upper- and lowercase letters, in addition to at least one number and possibly a symbol as well. This is good advice: it lowers the risk that someone will be able to figure out your password and access your account. It is also recommended that you change your passwords frequently, and that you avoid including information in the password that might identify you, like your date of birth or a complete word that is related to you in some way.
However, while this is a sensible approach to take, it does mean that we can end up juggling numerous different passwords, and eventually it may seem impossible to manage them all. This is especially true for sites that you use only sporadically. How are you supposed to remember all of them? As a result of this, many people choose to use the same password repeatedly, for different sites. While this might help you, it also renders you more vulnerable in terms of online privacy. Reusing the same password exposes you to the possible consequences of a ‘password leak’, which can occur when sites are attacked by cybercriminals. According to Hoffman (2013), ‘When your password leaks, malicious individuals have an email address, username, and password combination they can try on other websites. If you use the same login information everywhere, a leak at one website could give people access to all your accounts’. So, using the same password for every account is risky. Another option people sometimes take is to enable the ‘autofill’ function on their browsers, which means that login information is automatically entered when you load different sites; as we know, however, this is also not advisable, since anyone who uses the same browser will also have access to your accounts. How can you protect your security online and effectively manage the multiple passwords you require?
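As an added example (not from the chapter), the following Python checks a password against the rules just described and then lists accounts that share one password, which is exactly the situation the ‘password leak’ warning above describes. The sample vault is constructed for the example and contains no real credentials.

```python
import re

def password_problems(password: str, personal_info: tuple[str, ...] = ()) -> list[str]:
    """Check a password against the chapter's rules and return the rules it breaks.
    personal_info holds strings that identify you (name, year of birth, pet's name)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol (recommended, not required)")
    # Identifying text (date of birth, your name) must not appear in the password.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in password.lower():
            problems.append(f"contains identifying text '{item}'")
    return problems

def reused_passwords(accounts: dict[str, str]) -> list[list[str]]:
    """Group the names of accounts that share one password: a leak at any one of
    them would hand an attacker the others as well."""
    by_password: dict[str, list[str]] = {}
    for site, pw in accounts.items():
        by_password.setdefault(pw, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]

# Constructed sample vault (site name -> password); these are not real credentials.
SAMPLE_ACCOUNTS = {
    "bank": "Jane1985!x",
    "shop": "Jane1985!x",
    "forum": "Jane1985!x",
    "email": "k7#Rq2wLmZ",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_ACCOUNTS.items():
        print(site, password_problems(pw, ("Jane", "1985")) or "passes the rules")
    print("shared passwords:", reused_passwords(SAMPLE_ACCOUNTS))
```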

10.9.1. Password Management Software

One strategy is to use a password manager, which is ‘a software application that helps a user store and organize passwords’ (Wikipedia, 2015). A password manager stores all of your passwords in encrypted form and requires you to create only a single master password to log into the service. So, the application does the job of remembering for you. When your passwords for the different sites and accounts are stored in the password manager, logging into a site simply requires you to enter the master password into the password manager, which then automatically enters the appropriate login information into the website; for even greater convenience, if you’re already logged into your password manager, it automatically fills in the data for you, without you having to go to a login page at all. Some password managers also offer the option of generating a secure password when you are creating a new account, so you don’t even have to think of one yourself.
While some password managers have a cost attached, there are also many free applications to choose from. Some of the most popular password managers available include the following:
• LastPass (https://lastpass.com)
• KeePass (http://keepass.info)
• Password Boss (https://www.passwordboss.com/)

10.10. Challenges

1. Individually or in a group, develop a Concise Guide to Internet Safety for the following groups: (a) school-age children between 8 and 12 years old; (b) teenagers aged between 14 and 17 years; (c) older adults, aged 65 years and older. What specific kind of information about protecting oneself online does each of these groups require? What is the best way to present this information for each group? When developing your guide, think about the following:
a. The type of online activities the individuals in these groups are likely to engage in on a regular basis. For example, are schoolchildren likely to be doing online shopping? You should research the groups carefully before beginning the guide.
b. The likely level of existing knowledge and understanding about the Internet within each group.
c. The most effective way of delivering the message to each group. For example, is it better to have a handout, a website or a booklet? Are text, images or even videos likely to have the desired impact?
2. To create an accurate profile of the cyber threats you might be exposed to in your daily life, maintain a month-long personal log of your Internet activities that may carry potential security issues (using, for example, Microsoft Excel). At the end of the month, review your activities and decide whether you need to take more steps to protect yourself online. Are you habitually taking risks online? Some of the items to record might include:
a. Any e-commerce sites that you used during this period. How did you pay for the goods or services that you purchased? Did the site require you to set up an account? Were you given the option to store your payment details for the next time? Were you asked to verify your payment card? Did you receive a confirmation email? Did you have any concerns about the security of your payment through the site? What information about the security of your transaction did the site provide?
b. The status of the antivirus software on your computer. Is it up to date? Did you receive any warnings about potential security breaches? Did you run any security scans on your computer during this time?
c. Any emails that you received that you were concerned about. Did any of them come from addresses that seemed suspicious? Were there strange links or attachments with any emails? What action did you take if this happened? Did any of them seem to come from institutions such as banks where you currently have an account?
d. Any downloads to your devices. Were they free of charge? Did you check the trustworthiness of the sites you downloaded from? What information did you have to give in order to obtain the download?
e. Any apps that you downloaded to your mobile devices. Were they free of charge? Did they require a link to your account on social media sites such as Facebook? Were in-app purchases involved? Do these apps record your geographic location? What personal information did you have to provide to obtain and use the apps?
f. Any other online interactions that involve payment, registration or the provision of personal information.
3. Locate the data protection website for the country or state in which you live; for example, in the Irish Republic, this website is http://www.dataprotection.ie/, and in the United Kingdom it’s at https://ico.org.uk/. In the United States, different states may have different laws; for example, information for California can be found at https://oag.ca.gov/privacy. Answer the following questions using the information on the site:
a. What rights do you currently have when a person or organization takes or records your personal details?
b. When, or under what circumstances, do these rights apply?
c. What information must data controllers give you about the personal information they hold about you?
d. How do you go about gaining access to personal information that persons or organizations hold about you?
e. Do you have the right to change information held about you, or prevent its use in any way?
f. What action can you take if you are concerned about the data about you that are being held by a person or organization?