5 Easy Online Security Tips

As someone who works online all day managing websites, integrations and email systems, taking security precautions is routine. Everyone needs to keep their business and personal data private, and financial accounts secure. I thought it might be helpful to introduce and reiterate some online security tips which you can use to be more cautious in your daily activities.

Humans Are the Weakest Link in Online Security

This is a well-known fact in online security circles. Whether it is using a name and birth date in passwords, or being susceptible to scams, people are the weak link because they just don’t realize how seriously they should be taking online security.

Becoming more aware of the risks may open your eyes and give you more resolve to take precautions. Consumer friendly information about scams and security can be found on government websites such as the Consumer Financial Protection Bureau, or on other sites like Consumer Reports.

We have included a note you can jump to below about Social Engineering after the tech security tips.

5 Easy Online Security Tips

As we conduct our everyday activities online, we can have the most impact on preventing harm to ourselves by practicing smart online security habits.

Here is a quick list of the 5 tips covered:

1. Use Complicated Unique Passwords

2. Use a Password Manager

3. Always use 2FA/MFA

4. Use an Authenticator App

5. Log Out of Online Accounts! 

The first, most preventable way that humans can stop being the weakest link has to do with passwords…

Use Complicated Unique Passwords 

This is the online security tip you hear constantly, but find excruciating to act on. We all know that you MUST use strong passwords. But you also must not reuse them EVER. And this is when we hear the common question, “Why would anyone want to target me?”.  The answer is that everyone is targeted without the perpetrator knowing much about their targets. But they do often have archives of email addresses, and these are commonly accompanied by passwords. This is because large scale hacks occur frequently, providing an archive containing millions of email + password combinations to bad actors. 

That and more of your sensitive information is sold on the dark web from past hacks of Ticketmaster (.5 billion users’ data), AT&T, Marriott, Equifax, and numerous other large organizations.

You shouldn’t be able to remember any password!

If your passwords can be spelled or remembered then they are too simple, AND you are probably using them in more than one place.

Re-using Passwords is extremely dangerous.

When your stolen user name + password pairs get sold and distributed on the dark web, you are compromised. It’s called being “Pwned”, meaning owned in cybersecurity slang. The combinations are used in “credential stuffing attacks”, in which they are loaded into bots that will try to log into numerous targeted sites to gain access to financial and other sensitive information. 

Have You Been “Pwned”?

You may have old shopping / other accounts that you’ve forgotten about, and they may be the ones to get hacked someday. When that happens and you are still using the same passwords elsewhere, there is a good chance that others can access your accounts.

Go and change passwords on your important accounts now. Check Have I Been Pwned and Mozilla Monitor to see if your info is out there. I can guarantee that if you check various email addresses you have used over the years, that you have been Pwned!

Use a Password Manager

Complicated passwords can be created unique from eachother and saved using highly secure password managers.  The easiest and free choice for a password manager is to have your browser* save your passwords, so long as you protect your device and lock down that browser with a password. You can have your passwords sync to your Apple, Google or other account or you can disable syncing. 

There are also online Password Managers, which can work by installing software on your device or with just an add-on to your browser. These can be helpful when you need to share a password with someone, which you would do through an online account. For example, when I need a client to share website related passwords with me they can enter them into an encrypted guest account in my online password manager. Bitwarden and 1Password are reputable. Lastpass has been hacked twice 😱😱, so I would avoid that one. Forbes article about Password Managers.

* Speaking of browsers – If your browser is auto-filling your information on websites such as logins, address, and credit card info, you should set a master password on your browser password feature. It’s also a good idea to disable auto-filling your address and credit card information on website forms.

Use an Authenticator App

(Google free, Authy, or Microsoft)

Always set multi-factor authentication, such as using an authenticator app or receiving a text whenever you log in. It may be inconvenient for you, but less inconvenient than having your identity or thousands of dollars stolen! The authenticator app is more secure than text messages, as phones risk being “sim swapped”. Verizon article about Sim Swapping.

Authenticator apps use a TOTP (Time-based One-Time Password). It is easy to setup in many online accounts you have, by simply aiming your phone camera at the QR code and following the website prompts.

A step above these apps is a FIDO2 hardware key, such as Yubikey which you touch during login.

Log Out of Online Accounts

Any including Social Media, Email, Banks, Insurance.

A trending hack on the rise is called session hijacking. Your logged-in authentication cookies can be intercepted by malware on a visited website or your device. The attackers can then access any websites you’re currently logged into even after you’ve stepped away. 

This is something that can take place on just about any kind of account. Even Google is scrambling to protect their users against session hijacking attacks. PCMag article about Google’s fight against Session Hijacking

You can greatly reduce session hijacking risk by simply logging out of your accounts as soon as you are finished with your task. Logging out will expire the session cookies, logging out any imposters or preventing hijacking of your session.

⚠️ A Note About Social Engineering

Lately I have been hearing about payroll diversion scams and fraudulent invoice collections from managers who have encountered it, some of whom have fallen for it losing tens of thousands of dollars. Payroll diversion scams are often done when an imposter emails a staff member at a targeted organization pretending to be one of their highly paid executives, partners, or any employee. The imposter then provides a new account number where their compensation should be deposited, and the staff makes the change without verifying the request directly with the executive.

“Social Engineering” is the term used to describe people tricking people into giving them access to their systems or money. This psychological manipulation can take many forms, often without reliance on high tech systems. Victims can be targeted specifically or found by casting a wide net of communications to find potential victims who respond. The perpetrators succeed at deceiving and defrauding the innocent with merciless dedication. The most common occurrences involve impersonating a person or company by email, phone, or text and may involve spoofing the email address or phone number to look like it came from the legitimate source.

The possibility of being fooled by forged emails, suspicious texts, and imposter calls / letters is something that we must remain vigilant about. There must be procedures in place to verify the authenticity of requests, such as obtaining a confirmation signature for the request in person before any action is taken to fulfill the request.

If you have questions about any of these online security topics, feel free to contact us and subscribe!