We frequently see reports of spam and “phishing” emails in our support queue. In the media, we read about “ransomware” and other online security concerns – usually high-profile hacking or DDoS (Distributed Denial of Service) attacks.
The hacking of Yahoo is one recent example, with millions of user accounts compromised – including an estimated 190,000 New Zealand Xtra / Spark customers. No doubt these users will see an increase in spam as a result of this hack.
Such news stories seem to be an everyday occurrence – and they are good reminders to review your online security practices – both for you and your customers.
The damage to a business, whether from a security breach or from an accidental click, can be extremely frustrating and costly: the loss of time, the loss of functioning equipment, the loss of public confidence from negative publicity and, consequently, the loss of revenue. Nobody wants that. Whilst you can’t protect yourself from everything, there are a few “best practices” you can employ to reduce the risks.
Online Security For Your Customers
If you run a website or app that collects customer data, you need to be extra vigilant to ensure you have adequate security:
- All aspects of your website and backend systems should be secured using HTTPS (SSL / TLS certificates).
- Sensitive backend data should be encrypted wherever possible.
- Where possible, store transactions / credit card data off-site with the payment processor.
- Access to such data and to your admin areas should be restricted and heavily protected.
- Ensure your system software is secure and regularly kept up to date.
- Check that you and your admins all have strong passwords across all systems.
- Do not permit users / customers to use weak passwords.
- Write a security policy: for example, that you’ll never request login data on email.
- Communicate such policies clearly with your customers.
- Ensure you have plenty of backups to be on the safe side.
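Two of the points above, refusing weak passwords and protecting stored credentials, are easy to get wrong in a home-grown signup form. The following is an added example (not Purple Dog's code and not from any particular framework) of how a backend can enforce a password policy and store passwords as salted PBKDF2 hashes using only the Python standard library. The minimum length, the small deny-list and the iteration count are assumptions chosen for illustration; a real deployment would use a full breached-password list and the iteration count its hardware can afford.

```python
import hashlib
import hmac
import os

# Constructed deny-list standing in for a real breached/common-password list (assumption).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}
MIN_LENGTH = 12            # assumed policy minimum
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def password_policy_violations(password, username=""):
    """Return the list of reasons a password is unacceptable; an empty list means it passed."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    # Catch "password", "password1", "password!" and similar trivial variants.
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789!") in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    if len(set(lowered)) <= 2:
        reasons.append("uses too few distinct characters")
    return reasons


def hash_password(password):
    """Derive a per-user salted hash; the stored string carries everything needed to verify."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register_user(username, password, store):
    """Apply the policy, then store only the hash. Returns the list of policy violations (empty on success)."""
    reasons = password_policy_violations(password, username)
    if reasons:
        return reasons
    store[username] = hash_password(password)
    return []


if __name__ == "__main__":
    users = {}
    print(register_user("alice", "Password1", users))        # rejected with reasons
    print(register_user("alice", "correct-horse-battery-2016", users))  # []
    print(verify_password("correct-horse-battery-2016", users["alice"]))  # True
```

The plaintext password never reaches the database, and the stored string records the algorithm and iteration count so the work factor can be raised later without invalidating existing accounts.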
Purple Dog offers managed services to assist online businesses with some of these responsibilities.
We can also provide an online security audit consultancy to assist in determining what improvements your business can make to optimise your online security. Contact us today to see how we can help.
Fake Emails
Recently, a client with an eCommerce website received what appeared to be an email from PayPal advising her of an issue with her account due to a customer complaint. She was fooled into thinking it was real and clicked a “login now” link contained within the email. At a genuine-looking PayPal login screen, she kept receiving a login error, gave up and contacted us for assistance. We immediately recognised this as a (rather convincing) scam: by trying to log in, she’d unwittingly given away her login details. The client was advised to contact PayPal and her bank in order to cancel her credit card and secure the account. A lot of wasted time – but thankfully, on this occasion, time (and a bit of pride) was all that she lost.
We regularly see these “phishing” emails forwarded to us from concerned customers. Typically, they contain malicious or fake links. For example, emails from “Domain Registration Authority” claiming, with official-looking titles, that “It’s time to renew your domain”, with a link to pay for the domain transfer. The email looks genuine – but it’s a fake phishing / marketing email, designed to part you from your money. These should be marked as spam and deleted (if you use Gmail, you can also mark them as phishing).
Ransomware
Ransomware is still fairly rare, but it’s reportedly on the rise globally. It’s even more cynical than phishing emails – typically characterised as a “malware program that self-installs and locks” a computer or sometimes an entire network. Usually the malware is installed and activated by the innocent user visiting a dangerous website – but there are also cases of users inadvertently installing it from an email link. A fee is then demanded in order to deactivate it, and if the fee isn’t paid, the malware may damage / delete / corrupt computer files. It can be quite scary to receive one of these because, if you don’t know what you’re doing, it can be very difficult to recover from; in some circumstances, the only way to recover is to re-format the computer (thereby losing all your data) and restore from a backup – typically lots of time wasted! Whilst ransomware is not as common as phishing, it’s certainly best avoided!
Hacking
Generally speaking, the best way to enhance your online security and avoid being hacked is to keep your website software up to date and restrict Admin Access to your accounts. You should also of course, ensure that you always have adequate backups. If we manage your website and / or apps as part of Club Purple, then we will handle this for you. If you’d like to know more, please get in touch.
Check Twice, Click Once
So what can you and your users do to stay safe and enhance your online security? Most of the following you already know – but it can’t hurt to be reminded…
1. Beware what you click on:
- Watch out for fake “phishing” emails – don’t click on links or attachments unless you are certain it’s safe.
- If in doubt, don’t click – instead, directly visit the website concerned by manually typing the address in your web browser.
- In some browsers, you can hover over the link in the email and check the website address that shows up to ensure it’s genuine.
- Consider installing “adblocker” software and, of course, ALWAYS ensure a good anti-virus such as Avast or Kaspersky is installed, functioning and up to date.
- Avoid dangerous websites by ensuring you have up to date security installed on your machine / device.
2. Be careful who you trust:
- Don’t trust strangers on the phone! We’ve even had this phone call ourselves; the caller claimed to be from Microsoft trying to reach the “owner” to tell them “there’s a virus on the computer that needs fixing”. Don’t get caught out by this scam. Large companies such as Microsoft are extremely unlikely to ever call anyone like this. Ask for the caller’s full name, company and phone number and tell them you’ll call them back. Then hang up, find the company’s head office number via a Google search, call and verify that the person exists.
- Carefully consider who you give access to in terms of your website admin area and any other important business system access or data. Once a user has access, they may be able to gain access to other systems and could potentially damage your business.
- Make sure you have plenty of backups of your data – in case the worst happens.
3. Always use strong passwords and where possible, Two Factor Security
- It goes without saying that you should only use strong passwords that cannot be easily guessed. Use a password manager such as LastPass: https://lastpass.com/
- Two-factor security adds an additional login check (for example, a code sent to your mobile phone) so that anyone who does get hold of your username and password still can’t log in. You should use two-factor security on all the sites that offer it.
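To show what the second step actually has to do on the server side, here is an added example (not Purple Dog's code and not the mechanism of any particular site) of issuing and checking the kind of one-time code described above. Delivering the code by SMS is outside the example: `issue()` returns the code so that whatever sends the text message can pick it up. The five-minute lifetime and the three-guess limit are assumptions; the important properties are that a code expires, can be guessed only a few times, is compared in constant time and works exactly once.

```python
import hmac
import secrets
import time


class SecondFactorCodes:
    """Issue and verify short-lived one-time codes for the second step of a login."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self._ttl = ttl_seconds                # assumed lifetime of a code
        self._max_attempts = max_attempts      # assumed guess limit per code
        self._clock = clock                    # injectable so tests can move time forward
        self._pending = {}                     # username -> {"code", "expires", "attempts"}

    def issue(self, username):
        """Create a fresh six-digit code for the user; returns it for delivery (e.g. by SMS)."""
        code = "%06d" % secrets.randbelow(1_000_000)   # unpredictable, not time-based
        self._pending[username] = {
            "code": code,
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        return code

    def verify(self, username, submitted):
        """True only for the current, unexpired, unused code, within the guess limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]       # expired: the user must request a new code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self._max_attempts:
            del self._pending[username]       # too many guesses: invalidate this code
            return False
        if hmac.compare_digest(entry["code"].encode(), str(submitted).encode()):
            del self._pending[username]       # single use: a replayed code will not work
            return True
        return False


if __name__ == "__main__":
    codes = SecondFactorCodes()
    code = codes.issue("alice")
    print("code sent to alice's phone:", code)   # in production this goes out by SMS, not stdout
    print(codes.verify("alice", "000000") if code != "000000" else codes.verify("alice", "000001"))  # False
    print(codes.verify("alice", code))   # True
    print(codes.verify("alice", code))   # False: already used
```

A password check plus this step is what stops a stolen username and password on its own from being enough: the attacker would also need the phone the code was sent to, and guessing it blindly is cut off after a handful of tries.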
4. Be secretive
- Never give out information or passwords unless absolutely necessary and only when you’re certain it’s secure. If you have to share such info, ensure you use a secure (https) environment.
5. If The Worst Happens – stay calm and seek help
- STOP and consider your next best move. Don’t turn off your device; just leave it as is.
- Don’t try to “fix” the issue yourself, unless you are certain of what you are doing – you could make things worse.
- DO reach out for help from us here at Purple Dog, or from another trusted advisor.
If there’s anything we can help you with, get in touch.