RULES OF THE ROAD
TOPICS BELOW: Most Important, Other Rules, Scam School, Companies to Avoid, And Again
This website is huge, so if you read nothing else here, always remember these most basic rules of the road.
Act accordingly.
In other words: Always be skeptical. Always. Always. Always.
Russia's invasion of Ukraine in February 2022 prompted this article in the Washington Post: Here's how to avoid Ukraine charity scams. Quoting: "To avoid a scam using the conflict in Ukraine ... start with the premise that every direct message, link, email or text is fake and work from there. This should be your default response to any contact you did not initiate".
If you are prompted to install software, don't. This advice comes from Brian Krebs. Non-techies are easily scammed into installing malicious software because they don't know what software is really needed to perform a given task. In October 2023, Krebs wrote that "One of the oldest malware tricks in the book - hacked websites claiming visitors need to update their Web browser before they can view any content - has roared back to life in the past few months." That article is about a new wrinkle in the scam, hosting the malware on a blockchain, but the wrinkle is not what matters for Defensive Computing. What matters is that, without detailed technical knowledge of the software, the safest thing to do is to say no. Web browsers update themselves; a web page that tells you to download an update for your browser is lying.
No one from Apple, Google or Microsoft will ever call you, out of the blue, for any reason.
Non-technical computer users should use a Chromebook. Compared to all other mainstream operating systems, ChromeOS (the operating system on a Chromebook) is much more secure and requires no care and feeding: it verifies its own system software every time it boots, installs updates automatically, and runs each web page in its own sandbox. There is also no antivirus software to buy or maintain. Only computer nerds should use Windows.
Do not re-use passwords. I know this is hard, as it requires a system for managing the dozens of passwords we all need to keep track of. At the least, use different passwords for the most important accounts. Which accounts are the most important is up to you, but certainly financial and email (email, because the password reset for almost every other account lands there). I wrote a long article on passwords, The world's best password advice, where I introduce the concept of a password formula. It can provide reasonably secure, reasonably unique passwords that are easy to remember and safe to write down on paper.
The same advice applies to email addresses: the more the better. There is no simple answer here, however. The available options are on this site, here: Multiple Email Addresses.
The price of free software and free services is no technical support. Be especially aware of this if you rely on a free email service. If something goes wrong - tough. In my opinion, email is worth paying for.
Phones get lost and stolen. Should this happen to you, it would be better if the app for your financial institution(s) were NOT on the phone. Use their website instead. Or, install their app on a tablet that stays at home.
When you have a choice, using the website of a company/service is safer than using its mobile app. Web browsers give you more control over what a website can do, and an installed app can collect data, such as your location, in the background in ways a website in a browser tab can not. Better yet, use the website in private browsing mode to ensure it leaves nothing behind. A good article that backs up this point: The Global Surveillance Free-for-All in Mobile Ad Data by Brian Krebs, October 23, 2024. In that case, someone was put in danger by the spying done by the Macy's app on their phone.
Web Browsers
Another way to block ads and trackers is with DNS, the system that translates computer and website names into their underlying numbers (IP addresses). Some DNS services translate anything and everything, while others refuse to translate the names of known trackers, ad servers or porn sites, typically answering with no usable address at all, so the connection never happens. Different DNS services offer different options. I am a big fan of NextDNS, but setting it up may be too much for someone without a technical background. It is worth the effort, however. NextDNS can be configured at the operating system level or just for one web browser. A good starting point is the DNS Tester Page on my Router Security website.
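To make the mechanism concrete, here is an added example (not code from this site, NextDNS, or any DNS provider) of how a filtering DNS service decides what to answer. The blocklist, the allowlist, the hostnames and the stand-in "upstream" resolver are all constructed for the example; the format of the blocklist is the common hosts-file style that many published lists use. The same walk from a name up through its parent domains is what lets one entry for ads.example.net cover every host beneath it, and what a "DNS tester" page relies on when it looks up a known tracker name and checks whether a sink address (or nothing) comes back.

```python
"""Added example: how a filtering DNS service decides whether to answer a lookup.
Constructed lists and a stub upstream resolver; nothing here touches the network."""
from typing import Callable, Optional, Set, Tuple

# Constructed sample blocklist in hosts-file format (not a real list).
SAMPLE_BLOCKLIST = """\
# sink-address  name
0.0.0.0 tracker.example
0.0.0.0 ads.example.net
127.0.0.1 metrics.example.org
analytics.example.org        # bare-domain lines are also common
"""

# Constructed allowlist: a host under a blocked domain that some site needs.
SAMPLE_ALLOWLIST = {"cdn.ads.example.net"}

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_blocklist(text: str) -> Set[str]:
    """Accept both 'sink name [name ...]' and bare-domain lines; strip comments."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        names = fields[1:] if fields[0] in SINK_ADDRESSES else fields
        domains.update(n.lower().rstrip(".") for n in names)
    return domains


def decide(name: str, blocklist: Set[str], allowlist: Set[str]) -> str:
    """Walk from the full name up through its parents; the most specific hit wins.
    So cdn.ads.example.net is allowed even though ads.example.net is blocked,
    while x.y.ads.example.net is blocked by the parent entry."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allowlist:
            return "allow"
        if candidate in blocklist:
            return "block"
    return "allow"


def resolve(name: str, upstream: Callable[[str], Optional[str]],
            blocklist: Set[str], allowlist: Set[str],
            sink: Optional[str] = "0.0.0.0") -> Tuple[Optional[str], str]:
    """Filtering resolver: blocked names get the sink address (None stands for
    an NXDOMAIN answer when sink is None); everything else is forwarded upstream."""
    if decide(name, blocklist, allowlist) == "block":
        return sink, "blocked"
    return upstream(name), "forwarded"


def looks_filtered(answer: Optional[str]) -> bool:
    """What a DNS tester page checks: a known tracker name that comes back as a
    sink address, or with no address at all, means filtering is in effect."""
    return answer is None or answer in SINK_ADDRESSES


# Constructed stand-in for the real upstream resolver (documentation IP ranges).
UPSTREAM_TABLE = {
    "www.example.com": "198.51.100.10",
    "tracker.example": "203.0.113.7",
    "cdn.ads.example.net": "203.0.113.9",
}


def stub_upstream(name: str) -> Optional[str]:
    return UPSTREAM_TABLE.get(name.lower())


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_BLOCKLIST)
    for host in ("www.example.com", "tracker.example", "pixel.tracker.example",
                 "cdn.ads.example.net", "analytics.example.org"):
        answer, why = resolve(host, stub_upstream, bl, SAMPLE_ALLOWLIST)
        print(f"{host:26} -> {answer!s:14} ({why}; filtered={looks_filtered(answer)})")
```

Running it shows tracker.example and its subdomain getting 0.0.0.0 while www.example.com is forwarded as normal. The allowlist-before-blocklist check at each level is the part people get wrong: an allow entry must be able to punch a hole in a broader block entry, otherwise whole sites break and users simply turn the filtering off.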
You are safer, when away from home, if the Wi-Fi is turned off on your phone, because a phone with Wi-Fi on will automatically join networks it has seen before, and it can not tell a real one from an impostor with the same name. This is a great example of how increased security always requires an increased hassle. The problem with this rule is that if you fail to turn Wi-Fi back on when at home, your phone will use 4G/5G/LTE and the increased data usage may cost you money.
Don't advertise to the world (Facebook, Instagram, etc.) when your home will be empty (such as when going on vacation).
Advice from the mainstream media, such as the New York Times, the Washington Post and the Wall Street Journal, is frequently bad. For whatever reason, they hire reporters, not nerds. You should not take technical computer advice from anyone without a technical computer background, and very few people writing for the mainstream media have one. They may mean well, but they are rarely qualified to offer an opinion.
Avoid the cheapest Android devices. That includes phones, streaming TV devices and tablets. Especially avoid devices without a name brand. These things have often come with malicious software pre-installed. Another potential problem is the battery. I purchased an onn Android tablet from Walmart. Big mistake. The battery swelled up which is quite dangerous. I suspect that hardware or software that prevents this sort of thing costs money and a low end tablet will cut every corner it can.
When installing Android apps, be very careful that you have the real app, not a scam copy. Google does a very poor job in this regard, so it falls on you. You need to verify not only the name of the app but the developer too, and the name must be an exact match for what you are looking for. The safest check is to follow the link to the app from the company's own website rather than searching the app store.
If your mother tweets something, don't believe it. Twitter is full of lies and liars.
Your Internet Service Provider (ISP) can see much of what you do. Not everything, but enough to learn quite a lot about you. Thanks to HTTPS, it can not see the contents of the web pages you view, but it can still identify every website you visit and when you visit it: your device asks the ISP's DNS servers for the address of each site by name, and the name is sent again, unencrypted, at the start of every HTTPS connection (the Server Name Indication, or SNI, in the TLS handshake). The usual solution is a VPN (Virtual Private Network). Be aware that a VPN does not make this information disappear; it moves it from the ISP to the VPN company, so the VPN company has to be one you trust.
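To show exactly what leaks even with HTTPS, here is an added example (my code, not anything from this site) that builds a constructed TLS ClientHello, the first message a browser sends when opening an HTTPS connection, and then pulls the hostname back out of its Server Name Indication extension the way a passive observer at the ISP could. The message is a minimal sample assembled from the standard field layout, not a real capture; the random bytes and cipher list are placeholders. The parser is the interesting half: it is the same handful of length-prefixed fields that any traffic-inspection box walks through.

```python
"""Added example: what an ISP can read from the first packet of an HTTPS connection.
Builds a constructed TLS ClientHello (not a real capture) and extracts the SNI hostname."""
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Minimal TLS record carrying a ClientHello (constructed sample, field layout
    per the TLS RFCs; random and cipher list are placeholders)."""
    body = b"\x03\x03"                       # client_version: TLS 1.2 (TLS 1.3 keeps this value)
    body += bytes(32)                        # random (zeros for the sample)
    body += b"\x00"                          # session_id length 0
    suites = b"\x13\x01\xc0\x2f"             # two cipher suite identifiers
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    exts = b""
    sv = b"\x02\x03\x04"                     # an unrelated extension first, so the parser must skip it
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None if the hello
    carries no SNI. Raises ValueError for anything that is not a complete ClientHello,
    which is what a sniffer should do with a partial or odd packet rather than guess."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len, = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:
            raise ValueError("not a complete ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        ch = hs[4:4 + hs_len]
        if len(ch) < hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                       # client_version + random
        pos += 1 + ch[pos]                                 # session_id
        cs_len, = struct.unpack("!H", ch[pos:pos + 2]); pos += 2 + cs_len
        pos += 1 + ch[pos]                                 # compression methods
        if pos >= len(ch):
            return None                                    # no extensions block at all
        ext_len, = struct.unpack("!H", ch[pos:pos + 2]); pos += 2
        end = min(pos + ext_len, len(ch))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4]); pos += 4
            data = ch[pos:pos + elen]; pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            lpos = 2                                       # skip server_name_list length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen, = struct.unpack("!H", data[lpos + 1:lpos + 3])
                if ntype == 0:                             # host_name entry
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
        return None
    except (struct.error, IndexError, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("bytes on the wire:", hello.hex())
    print("hostname visible to the ISP:", extract_sni(hello))
```

The hostname sits in plain bytes a few dozen positions into the very first packet; no key is needed to read it. Encrypting the DNS lookup (DNS over HTTPS) alone does not help, because this second copy of the name is still sent in the clear, which is why a VPN, or the still-rare Encrypted Client Hello extension, is needed to hide which sites you visit.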
If you depend on a VPN for privacy, do not use iOS devices. Apple sends some of its own traffic to Apple servers outside the established VPN tunnel. VPN providers have documented this since 2020 and Apple can not be shamed into doing the right thing.
Avoid very cheap USB flash drives. The storage capacity they claim to have can be faked. The fake extends to your operating system, which dutifully reports the bogus capacity. Worse, your operating system is likely to show nothing wrong, because the drive lies about the success of every write, always reporting that it worked; data written past the real capacity simply vanishes or lands on top of data written earlier. Even formatting the thing reports no errors. The only reliable test is to write known data across the entire claimed capacity and then read all of it back. This situation prompted Steve Gibson to create his ValiDrive program (Windows only) in September 2023.
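Here is an added example of that write-then-verify test (my code, not ValiDrive's and not from this site), run against a constructed in-memory stand-in for a counterfeit drive so that it runs instantly and touches no real device. The fake drive advertises one capacity, has a quarter of it in real flash, silently wraps writes beyond the real flash onto existing cells, and reports success for every write, which is exactly why the operating system and a format see no error. The sizes are tiny and the wrap-around behaviour is one common counterfeit pattern, chosen for the example.

```python
"""Added example: write-then-verify capacity test against a constructed fake drive."""
import hashlib
import hmac
import os
from typing import List, Optional


class FakeFlashDrive:
    """Constructed model of a capacity-faked drive (not a real device). It advertises
    `claimed` bytes but has only `real` bytes of flash; writes beyond the real flash
    wrap onto existing cells, and every write reports success."""

    def __init__(self, claimed: int, real: int, block: int = 512):
        assert real <= claimed and real % block == 0 and claimed % block == 0
        self.claimed, self.real, self.block = claimed, real, block
        self._cells = bytearray(real)

    def _check(self, offset: int, n: int) -> None:
        if offset % self.block or n > self.block or offset + n > self.claimed:
            raise OSError("bad block address")

    def write(self, offset: int, data: bytes) -> None:
        self._check(offset, len(data))
        phys = offset % self.real
        self._cells[phys:phys + len(data)] = data      # always "succeeds"

    def read(self, offset: int, n: int) -> bytes:
        self._check(offset, n)
        phys = offset % self.real
        return bytes(self._cells[phys:phys + n])


def block_pattern(key: bytes, offset: int, n: int) -> bytes:
    """Unique, unpredictable content per location: HMAC(key, offset) expanded to n
    bytes. A drive that aliases many addresses onto one cell can not pass by luck,
    and firmware that recognises fixed test patterns can not fake a good read."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = offset.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def validate(drive: FakeFlashDrive, samples: int = 64,
             key: Optional[bytes] = None) -> List[int]:
    """Write distinct blocks at evenly spaced offsets over the whole claimed capacity,
    then read every one back. Writing all blocks before reading any is the important
    part: a wrapping counterfeit overwrites earlier blocks, which a write-then-
    immediately-read loop would never notice. Returns the offsets whose data did not
    survive (an empty list means the drive checks out). Destructive by design."""
    key = key or os.urandom(16)
    step = max(drive.block, (drive.claimed // samples) // drive.block * drive.block)
    offsets = list(range(0, drive.claimed - drive.block + 1, step))
    for off in offsets:
        drive.write(off, block_pattern(key, off, drive.block))
    return [off for off in offsets
            if drive.read(off, drive.block) != block_pattern(key, off, drive.block)]


if __name__ == "__main__":
    honest = FakeFlashDrive(claimed=64 * 1024, real=64 * 1024)
    fake = FakeFlashDrive(claimed=64 * 1024, real=16 * 1024)   # "64 KB" drive, 16 KB of flash
    print("honest drive, failing offsets:", validate(honest))
    bad = validate(fake)
    print(f"fake drive: {len(bad)} of 64 sampled blocks corrupt, first bad offset {bad[0]}")
```

On the fake drive, 48 of the 64 sampled blocks come back wrong, and the failures start at offset 0: the wrapped writes from the top of the "64 KB" range landed on top of the first blocks. That is why a tool like ValiDrive has to finish writing before it starts reading, and why simply copying one file to the drive and opening it again proves nothing.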
Avoid crypto currencies (aka crypto) and NFTs.
Email is not private. You may see talk about email encryption, but that normally refers only to messages in transit, as they travel between mail servers over the Internet. Once they come to rest in your inbox or the inbox of your recipient, they are readable by the email provider, and by anyone who breaks into the account. The same applies to the Sent folder of the sender; messages there are not private either. Two exceptions are Proton Mail and Tuta (formerly Tutanota). Messages from one Proton Mail user to another Proton Mail user are encrypted end to end, so fully private. The same for Tuta. However, messages from either one to anywhere outside of their little worlds are not private.
Both Tuta and Proton Mail are simple webmail, something everyone can use. No software to install or learn. Thus, they are a great solution for Secure Messaging. The world recommends Signal and the world is wrong. Both Proton and Tuta can be used on a Chromebook in Guest mode to ensure that they leave no traces behind, which makes them more secure than Signal. And, there is no need to install a mobile app. Any app that runs on Android or iOS will never be as secure as a Chromebook, especially in Guest mode. Signal messages are only secure when sent to other Signal users, same as Tuta and Proton Mail. Both Proton and Tuta offer free accounts that you can sign up for anonymously. Signal requires a phone number, so not at all anonymous. With webmail, the email providers (and anyone watching the connection) can see the FROM and TO addresses and when a message was sent, but they can not see the body of the messages. Proton can also not see into any attached files. Not sure about Tutanota and attachments. One caveat that applies to any webmail: the encryption is done by code the provider sends to your browser on every visit, so you are trusting the provider to keep sending honest code.
VPNs are a good thing, but finding a trustworthy one is the difficult part. The VPN page here addresses this, and it is huge. The first rule of VPNs, however, is to avoid the free ones.
Good news: you can safely ignore Passkeys, at least for now. To be precise about what they are: a passkey is not a password that you are not allowed to know, it is a cryptographic key pair. The website stores only the public half; your device or password manager holds the private half and uses it to sign a challenge when you log in. That is why websites push them: a breach of the website leaks nothing reusable and a look-alike phishing site can not collect one. But a passkey is only as available as whatever syncs it between your devices, and whether they outlast the current hype remains to be seen.
What goes up, must come down. OK, that was a joke.
Many credit cards can send you an email for every charge when the credit card was not physically present. In my experience, this has been a free service. It is a great way to immediately learn if a bad guy is charging stuff to your credit card.
To prevent a bad guy, armed with all your personal information, from opening a new credit card in your name, freeze your credit reports at each of the credit bureaus.
If you have Apple devices, you should read this: What to expect when in contact with Apple Support, from Apple, September 16, 2024.
December 17, 2023: What to do when receiving unprompted MFA OTP codes by Lawrence Abrams for Bleeping Computer. If you receive a two-factor code you did not ask for (typically via a text message), it probably means that bad guys have the password to whatever site/system sent the code and have gotten as far as the second factor. Log into that site/system, by typing its address yourself, and change the password ASAP. Do not click on links in the text message or email message, and never read the code to anyone who calls or writes asking for it. If that password was also used at other sites/systems, change it there too.
Search Engines:
When it comes to scams, the rule is Never Trust.
A picture is worth a thousand words, so here is a real-life example of this scam. A Gmail address sends an email thanking the victim for a purchase of cryptocurrency and attaching a phony invoice. The attachment is an image, not a PDF file, which, I assume, is done to avoid detection. This is a particularly stupid scam, as the body of the message is about a refund while the subject line is about a purchase. No matter; the point is to get you to look at the false invoice and make a phone call to cancel the order that never existed.
An interesting example of this was given in this Washington Post article: AI, huge hacks leave consumers facing a perfect storm of privacy perils by Joseph Menn (December 3, 2024). The almost-victim is a widely recognized privacy expert who came very close to being scammed himself. Google accounts have a recovery phone number for when you forget your password. A bad guy, calling from what appeared to be a Google support number, warned the almost-victim that someone might be trying to take over their email account by adding a new recovery phone number. At this point the almost-victim made two mistakes. One, they forgot that caller ID is not trustworthy. Two, they forgot that there is no tech support for free services such as Gmail. Maybe he let this slide because he was somewhat famous and thought he was special? Dunno. The scammer told the almost-victim their previous recovery phone number to prove they really worked for Google. But, between the lack of privacy in the US and data breaches, his phone number was widely available to bad guys. Trusting this was the third mistake. The scammer said they had created a ticket for the issue and needed to prove that the almost-victim was really the almost-victim. First, the bad guy sent the almost-victim an email. Eh. Then, the good stuff: the bad guy had a code sent to the almost-victim's phone, supposedly to ensure that he really had control of the correct recovery number. Reading that code back is, of course, exactly what hands the account to the scammer. It was not until the scammer asked the almost-victim (again, an expert in this stuff) to read back the code that the light bulb went on in the almost-victim's head. End of scam. There was always a tiny delay before the scammer spoke, so the thinking is that the voice was AI-assisted text-to-speech.
Money: Of course a scam ends with the victim paying out money. Bad guys like to use forms of payment that are hard to trace or reverse, such as a gift card, a prepaid debit card, cryptocurrency, a wire transfer, a money transfer, or even mailing cash. They may even try to get you to transfer your money to their super special, extra protected account. The use of gift cards, in particular, has been so common that any time you are asked to pay for something with a gift card, it is a scam. Here we see a drug store that fought back against these scams.
Some headaches/hassles can be avoided by not dealing with companies that have done assorted bad things. The list of companies to avoid has been moved to its own page.
Act accordingly.
Created: August 16, 2022. Last updated: January 19, 2025.
Website by Michael Horowitz @defensivecomput