A Defensive Computing Checklist    by Michael Horowitz
HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

RULES OF THE ROAD

TOPICS BELOW
Most Important, Other Rules, Scam School, Companies to Avoid, And Again

MOST IMPORTANT

This website is huge, so if you read nothing else here, always remember these most basic rules of the road.

Act accordingly.

In other words: Always be skeptical. Always. Always. Always.

In March 2022, Russia invaded Ukraine, which prompted this article: Here’s how to avoid Ukraine charity scams in the Washington Post. Quoting: "To avoid a scam using the conflict in Ukraine ... start with the premise that every direct message, link, email or text is fake and work from there. This should be your default response to any contact you did not initiate".

OTHER RULES   top

If you are prompted to install software, don't do it. This advice comes from Brian Krebs. Non techies can be easily scammed into installing malicious software because they don't know what software is really needed to perform any given task. In October 2023, Krebs wrote that "One of the oldest malware tricks in the book - hacked websites claiming visitors need to update their Web browser before they can view any content - has roared back to life in the past few months." The article is about a new wrinkle in the scam, hosting malware on a blockchain, but this is not important for Defensive Computing. The important point is that without detailed technical knowledge of the software, the safest thing to do is to say no.

No one from Apple, Google or Microsoft will ever call you, out of the blue, for any reason.

Non-technical computer users should use a Chromebook. Compared to all other mainstream operating systems, ChromeOS (the name of the operating system on a Chromebook) is much more secure and requires no care and feeding. Also, no viruses. Only computer nerds should use Windows.

Do not re-use passwords. I know this is hard as it requires a system for managing the dozens of passwords we all need to keep track of. At the least, use different passwords for the most important accounts. Which accounts are the most important is up to you but certainly financial and email. I wrote a long article on passwords, The worlds best password advice where I introduce the concept of a password formula. It can provide reasonably secure, reasonably unique passwords that are easy to remember and safe to write down on paper.

The same advice applies to email addresses, the more the better. There is no simply answer to this however. The available options are on this site, here: Multiple Email Addresses.

The price of free software and free services is no technical support. Be especially aware of this if you rely on a free email service. If something goes wrong - tough. In my opinion, email is worth paying for. At the least, periodically insure that any free email service you use has correct, up-to-date recovery information for the account. More.

Phones get lost and stolen. Should this happen to you, it would be better if the app for your financial institution(s) were NOT on the phone. Use their website instead. Or, install their app on a tablet that stays at home.

When you have a choice, using the website of a company/service is safer than using a mobile app. Web browsers offer more control over what a website can do. Better yet, use the website in private browsing mode to insure it leaves nothing behind. This is a good article that backs up this point. The Global Surveillance Free-for-All in Mobile Ad Data by Brian Krebs. October 23, 2024. In this case, someone was put in danger by the spying done by the Macy's app on their phone.

Web Browsers

  1. Have 2 or 3 installed and available web browsers. Sometimes, things will work in one and not another. If one gets corrupted with malware, you will have a fallback.
  2. The security around browser extensions is disgraceful. As a starting point, install just uBlock Origin and nothing else. As of March 2025, Chrome no longer allows uBlock Origin, so use uBlock Origin Lite instead. Some sites you care about depend on ads, so may want to configure uBlock Origin to allow ads on just those sites.
  3. On Windows, macOS and Linux, install Firefox or LibreWolf. On Windows, install the portable version of Firefox at portableapps.com and/or the portable version of LibreWolf.
  4. If you really need a particular browser extension, install it into only one web browser and limit the use of that browser.
  5. Use Private Browsing Mode as often as possible.

Another way to block ads and trackers is with DNS, the system that translates computer and website names into their underlying numbers (IP addresses). Some services translate anything and everything, while other services will not translate known trackers or ads or porn. Different DNS services offer different options. I am a big fan of NextDNS, but setting it up may be too much for someone without a technical background. It is worth the effort, however. NextDNS can be configured on either the operating system level or just for one web browser. A good starting point is the DNS Tester Page on my Router Security website.

You are safer, when away from home, if the Wi-Fi is turned off on your phone. This is a great example of how increased security always requires an increased hassle. The problem with this rule, is that if you fail to turn the Wi-Fi on when at home, your phone will use 4G/5G/LTE and the increased data usage may cost you money.

Don't advertise to the world (Facebook, Instagram,etc) when your home will be empty (such as going on vacation).

Advice from the mainstream media, such as the New York Times, the Washington Post and the Wall Street Journal is frequently bad. For whatever reason, they hire reporters, not nerds. You should not take technical computer advice from anyone without a technical computer background. No one writing for the mainstream media has a technical computer background. They may mean well, but they are rarely qualified to offer an opinion.

Avoid the cheapest Android devices. That includes phones, streaming TV devices and tablets. Especially avoid devices without a name brand. These things have often come with malicious software pre-installed. Another potential problem is the battery. I purchased an onn Android tablet from Walmart. Big mistake. The battery swelled up which is quite dangerous. I suspect that hardware or software that prevents this sort of thing costs money and a low end tablet will cut every corner it can.

When installing Android apps, be very careful that you have the real app, not a scam copy. Google does a very poor job in this regard, so it falls on you. You need to verify not only the name of the app, but the developer too. And the name must be an exact match for what you are looking for.

If you mother tweets something, don't believe it. Twitter is full of lies and liars.

Your Internet Service Provider (ISP) can see much of what you do. Not everything, but enough to learn quite a lot about you. Thanks to HTTPS secure websites they can not see the contents of every web page you view, but they can identify every website you visit and when you visit it. The solution to this is to use a VPN (Virtual Private Network).

If you depend on a VPN for privacy, do not use iOS devices. Apple sends data to their own servers outside of the established VPN tunnel. This has been ongoing for a long time and Apple can not be shamed into doing the right thing.

Avoid very cheap USB flash drives. The storage capacity that they claim to have can be faked. The faking extends to your operating system which reports the scam capacity. In fact, your operating system is likely to show nothing wrong because the flash drives lie to the operating system about the success of writing data, always reporting that it worked. Even formatting the thing reports no errors. This situation prompted Steve Gibson to create his ValiDrive program (only works on Windows) in September 2023.

Avoid crypto currencies (aka crypto) and NFTs.

Email is not private. You may see talk about email encryption, but that only applies to messages as they travel over the Internet. Once they come to rest in your inbox or the inbox of your recipient, they are not private. The same applies to the Sent folder of the sender, messages there are not private either. Two exceptions are Proton Mail and Tuta (formerly Tutanota). Messages from one Proton Mail user to another Proton Mail user are fully private. The same for Tuta. However messages from either one to anywhere outside of their little worlds are not private.

Both Tuta and Proton Mail are simple webmail, something everyone can use. No software to install or learn. Thus, they are a great solution for Secure Messaging. The world recommends Signal and the world is wrong. Both Proton and Tuta can be used on a Chromebook in Guest mode to insure that they leave no traces behind which makes them more secure than Signal. And, there is no need to install a mobile app. Any app that runs on Android or iOS will never be as secure as a Chromebook, especially in Guest mode. Signal messages are only secure when sent to other Signal users, same as Tuta and Proton Mail. Both Proton and Tuta offer free accounts that you can sign up for anonymously. Signal requires a phone number, so not at all anonymous. With webmail, the public and the companies can see the FROM and TO email addresses but they can not see the body of the messages. Proton can also not see into any attached files. Not sure about Tutanota and attachments.

VPNs are a good thing, but finding a trustworthy one is the difficult part. The VPN page here addresses this and its h-u-g-e. The first rule of VPNs, however, is to avoid the free ones.

Good news: You can safely ignore Passkeys, they are nothing more than a password that you are not allowed to know. It is a fad and like all fads, will fade away.

What goes up, must come down. OK, that was a joke.

Many credit cards can send you an email for every charge when the credit card was not physically present. In my experience, this has been a free service. It is a great way to immediately learn if a bad guy is charging stuff to your credit card.

To prevent a bad guy, armed with all your personal information from opening a new credit card in your name, freeze your credit reports.

If you have Apple devices, you should read this: What to expect when in contact with Apple Support from Apple September 16, 2024.

December 17, 2023: What to do when receiving unprompted MFA OTP codes by Lawrence Abrams for Bleeping Computer. If you receive an unprompted two factor code (typically via a text message) it probably means that bad guys have the password to whatever site/system sent the 2FA code. You should log into that site/system and change the password ASAP. Do not click on links in the text message or email message. If that password was also used at other sites/systems, change it there too.

Search Engines:

  1. Don't do Google searches while logged in to Google. This is a relatively easy one :-)
  2. Whatever search engine you use, be very attuned to which search results are ads and which are not. The indication that something is an ad, can be very small and easy to miss. Some ads are scams that try install malicious software.
  3. Do not trust Google, or any search engine, for customer service phone numbers. Bad guys fool search engines to scam people. Go to the website of the company you want to call.

 

SCAM SCHOOL   top

When it comes to scams, the rule is Never Trust.

  1. If anyone calls and says they are from Apple, Google, Gmail or Microsoft, it is a scam.

  2. If you ever think there might be an issue with your bank or credit card, DO NOT call the number in the text message or email message or the whatever. For a credit card, only call the phone number on the card. The safest place to get a bank phone number is from a bank statement.
  3. Searching online for a customer service phone number, is likely to lead you to bad guys. They love to trick Search Engines to attract victims who have not seen this page.
  4. The person contacting you knows so much about you that they must be legitimate. No. No. No. As a result of far-too-many data breaches, and the total lack of privacy legislation in the US, the bad guys know a lot about you. This has been true for a long time, but it is getting worse. See AI, huge hacks leave consumers facing a perfect storm of privacy perils by Joseph Menn for the Washington Post (last update Dec 3, 2024). Quoting: "Hackers are using artificial intelligence to mine unprecedented troves of personal information dumped online in the past year, along with unregulated commercial databases, to trick American consumers and even sophisticated professionals into giving up control of bank and corporate accounts."
  5. December 18, 2024: Brian Krebs wrote How to Lose a Fortune with Just One Bad Click about someone who lost control of their Gmail/Google account. In part, the victim was scammed by an email message sent from google.com. Normally this means the email came from Google, but, not here. The article references this December 2023 article by Graham Cluley: Google Forms Used in Call-Back Phishing Scam. Suffice it to say, that the Google Forms system can be abused by bad guys to send victims scam emails that really come from google.com. As I write this, it has been over a year and Google has not fixed this problem.
  6. Get a message about an expensive thingy you purchased with a phone number to call? Don't call. The thing may be an Apple computer or an anti-virus program. Whatever. You did not buy it.

    A picture is worth a thousand words, so here is a real-life example of this scam. A gmail user sends an email thanking the victim for the purchase of cryptocurrency and attaching a phony invoice. The attachment is an image, not a PDF file, which, I assume, is done to avoid detection. This is a particularly stupid scam as the body of the message is about a refund while the subject line is about a purchase. No matter, the point here is to get you to look at the false invoice and make a phone call to cancel the order that never existed.

  7. The majority of prompts, asking you to install software, are scams. As Brian Krebs says "If you didn't go looking for it, don't install it!"
  8. If you try to login to a website/system and get a text message with a temporary code as an additional login step, NEVER EVER NEVER give that code to anyone. NEVER. All instances of this are scams.

    An interesting example of this was given in this Washington Post article: AI, huge hacks leave consumers facing a perfect storm of privacy perils by Joseph Menn (December 3, 2024). The almost-victim is a widely recognized privacy expert who came very close to being scammed himself. Google accounts have a recovery phone number for when your forget your password. A bad guy calling from a Google support number warned the almost-victim that someone might be trying to take over their email account by adding a new recovery phone number. At this point the almost-victim made two mistakes. One, they forgot that callerid is not trustworthy. Two, they forgot that there is no tech support for free services, such as Gmail. Maybe he let this slide because he was somewhat famous and thought he was special? Dunno. The scammer told the almost-victim their previous recovery phone number to prove the really worked for Google. But, between the lack of privacy in the US and data breaches, his phone number was widely available to bad guys. Trusting this, was the 3rd mistake by the almost-victim. The scammer said they created a ticket for the issue and needed to prove that the almost-victim was really the almost-victim. First, the bad guy sent the almost-victim an email. Eh. Then, the good stuff: The bad guy sent a code to the almost-victims phone to insure that he really had control of the correct recovery number. It was not until the scammer asked the almost-victim (again, an expert in this stuff) to read back this code that the light bulb went off in the almost-victims head. End of scam. There was always a tiny delay before the scammer spoke, so the thinking is that the voice was an AI-assisted translation from text to speech.

  9. Messages that appear to be from the U.S. Postal Service, FedEx or UPS about a shipment issue, are likely scams.
  10. Any message that requires you to act quickly, is likely a scam. The power company is not turning off your electricity tomorrow morning. Scams pretend that you must act quickly so that you don't have time to take a breath and question things.
  11. When you hear someone's voice, be it a famous person or a relative in distress, be aware that the voice and the words could both be fake.
  12. If anyone calls and asks for your Medicare, Social Security, or bank or credit card information, hang up.
  13. Official agents of the U.S. government do not message you on Facebook, WhatsApp or any other social media or messaging app. Likewise, they don't call on the phone. If you think you are being contacted by the U.S. government the best thing to do is to contact the agency directly.
  14. Most everything involving cryptocurrency is a scam.
  15. If a stranger wants remote access to your computer, run for the hills.
  16. There are wolves in sheep's clothing. If you get a message, intended for someone else, from a very kind and polite person, it may be the first step in a pig butchering scam. The scammers will start off talking about small things and keep the conversation going and going. For months they will continue to engage with a victim. Eventualy, they will become a friend, and then a trusted friend and, finally ... gimme money.
  17. If someone is trying to get you to transfer funds out of your bank, investment or retirement account "for your protection", it's a scam.
  18. Too many ads are scams. See the page here on Web Browsers for information about installing the uBlock Origin ad-blocking browser extension.
  19. Here's an easy one: Never Buy Tickets on Social Media - It's Nearly Always a Scam by Joe Keeley for How To Geek. December 6, 2024.
  20. FYI: Old people in the US should review this advice from the Social Security Administration: Protect Yourself from Scams. There is actual good advice here.
  21. FYI: New scams are always being invented. To keep up, the Federal Trade Commission issues consumer alerts about scams that you can get for free. If you are an AARP member, you can get their biweekly Watchdog Alerts newsletter about the latest scams.

Money: Of course a scam ends with the victim paying out money. Bad guys like to use forms of payment that are hard to trace such as: a gift card, prepaid debit card, cryptocurrency, wire transfer, money transfer, or even mailing cash. They may even try to get you to transfer your money to their super special, extra protected account.

The use of gift cards, in particular, has been so common that ...

... any time you are asked to pay for something with a gift card ...

... it is a scam.

Here we see a drug store that fought back against these scams.

 

COMPANIES TO AVOID   top

Some headaches/hassles can be avoided by not dealing with companies that have done assorted bad things. The list of companies to avoid has been moved to its own page.

 

And, again   top

Rules of the road

Act accordingly.

 This page: 11 views per day (over 987 days)   Total views: 11,123   Created: August 16, 2022
This Page
Last Updated
April 18, 2025		Site Page
Views TOTAL
 1,178,070		Site Page
Views TODAY
  513		 Website by
Michael Horowitz		 top
Copyright 2019 - 2025