It's never a good season to leave your online accounts vulnerable to hacking attacks or theft. And when the holidays roll around, the scammers aren't taking vacation: They're boosting their efforts just as you already face extra risks.
To avoid becoming a victim, it's not enough to just stay away from relatively obscure little online storefronts. Many large companies have reported serious security breaches over the years:
Back in 1994, Russian hackers grabbed $10 million out of Citigroup's (C) Citibank accounts.
Last year, Sony (SNE) was hit, and 25 million people who played games at Sony Online Entertainment had information such as credit card numbers stolen.
Just a few months ago, Bank of America (BAC), JPMorgan Chase (JPM), Wells Fargo (WFC), U.S. Bank (USB), and PNC (PNC), a veritable who's-who of the financial world, had their online banking systems attacked. The major damage seems to have been inconvenience, with millions of customers unable to access accounts for a while.
Thus, the best strategy is to be smart about your online behavior at all times, no matter where you surf. With passwords, for example, choose strong ones: not common words or names, but combinations of upper- and lower-case letters, numbers, and symbols.
Change your passwords regularly, too, and don't have the same password for lots of sites. If your account at one company is hacked into and a troublemaker has your password, you don't want him to be able to use it to access your other accounts elsewhere.
One way to generate a complex password is to think of a sentence that you can remember, such as "It looks like rain today." Then grab the first (or last!) letter of each word, to get i-l-l-r-t. Then add some numbers or other characters to the mix, as well as a little upper or lower casing.
Here are some of the kinds of scams to keep an eye out for, now and throughout the year:
Beware of "phishing," which involves your being asked for personal information -- perhaps in order to access a prize you've won (or to enter into a contest for a prize), or to access a deep-discount coupon. A few years ago, these scams arrived by email; today you can be phished via texts or even come-ons on Facebook (FB). If anything seems too good to be true, think twice. And even if something seems to be an ordinary drawing for a prize, don't rush to submit your personal information. You have a small chance of winning and a bigger chance of being defrauded.
Likewise, be wary when companies you know seem to be approaching you and requiring information, perhaps after scaring you. You might receive an email from your bank, for example (and it will likely look a lot like a real email from your bank), alerting you to a supposed security breach and asking you to click a link to verify some information. Don't click. Don't submit information. If you're worried about it, look up the company's phone number on your own (don't use a number provided in the email) and ask about it. These come-ons take many forms.
Know that even some apps that you download onto your smartphone may be malicious, grabbing valuable information and perhaps trying to infect and steal from your friends and contacts as well. Free apps are more likely to be problematic than ones you pay for -- but of course, there are plenty of good apps that happen to be free, as well.
Know that scammers play on basic emotions such as fear and greed. They may tell you that you've got a virus and offer to solve the problem for a fee, for example. Or they might masquerade as the U.S. Postal Service, UPS (UPS), or FedEx (FDX), saying that they need some information from you before they can deliver a gift or something you ordered. Scammers will also pose as charities, and they can be convincing and persuasive. Even free screensavers you're offered can actually be malicious.
You can protect yourself from many of these dangers by maintaining a suspicious attitude and erring on the side of caution. Be sure to have security software running on your electronic devices, too. Don't befriend strangers on social networking sites. And don't announce that you're on a trip (and thus have left your home empty and available to thieves). Share your vacation photos on Facebook only after you return. Minimize the personal information you store online and in social networks, too, such as your birthday, phone number, and address.
The online world has many wonderful things to offer us, but it can take more than it gives, if you're not careful. Be smart online, now and throughout the year.
Longtime Motley Fool contributor Selena Maranjian, whom you can follow on Twitter, owns shares of JP Morgan Chase, but she holds no other position in any company mentioned. The Motley Fool owns shares of Bank of America, Wells Fargo, PNC Financial Services Group, JPMorgan Chase, Citigroup, and Facebook. The Motley Fool has sold shares of Sony short and has bought calls on Facebook. Motley Fool newsletter services have recommended buying shares of FedEx, United Parcel Service, Wells Fargo, and Facebook, and have recommended creating a diagonal call position in FedEx.
9 Scary Ways Criminals Use Facebook
Happy Holidays: You've Been Hacked!
When criminals hack a Facebook account, they typically use one of several available "brute force" tools, says Grayson Milbourne, Webroot's manager of threat research for North America. These tools cycle through a common password dictionary, and try commonly used names and dates, targeting hundreds of thousands of different email IDs. Once hacked, an account can be used as a platform to deliver spam, or -- more commonly -- sold. Clandestine hacker forums are crawling with ads offering Facebook account IDs and passwords in exchange for money. In the cyber world, information is a valuable thing.
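The campaign described above, one password list cycled across a very large number of account IDs, leaves a distinctive trace in a site's authentication logs: a single source failing against many different accounts in a short time, rather than one account failing many times. The following is an added example (not code from the article or from Webroot) that flags such sources in a constructed log sample and lists the successful logins from them, which are the accounts most likely to have been guessed. The log format, field order and the threshold values are assumptions made for this example.

```python
"""Flag login sources that fail against many different accounts in a short window.

Added example, not from the article or from Webroot. It models the campaign
the article describes (one password list tried across many account IDs)
from the defender's side: the signal is one source touching many distinct
accounts, not many failures on one account. Log format and thresholds are
assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed format: "<ISO timestamp> <FAIL|OK> <account> <source IP>"
SAMPLE_LOG = """\
2012-12-10T09:00:01 FAIL alice@example.com 203.0.113.7
2012-12-10T09:00:02 FAIL bob@example.com 203.0.113.7
2012-12-10T09:00:03 FAIL carol@example.com 203.0.113.7
2012-12-10T09:00:04 FAIL dave@example.com 203.0.113.7
2012-12-10T09:00:05 FAIL erin@example.com 203.0.113.7
2012-12-10T09:00:06 OK frank@example.com 203.0.113.7
2012-12-10T09:05:00 FAIL alice@example.com 198.51.100.4
2012-12-10T09:05:30 OK alice@example.com 198.51.100.4
"""


def parse_log(text):
    """Parse the assumed four-field format into (time, result, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, account, ip))
    return events


def find_spraying_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted distinct accounts} for every source whose failed
    logins hit at least min_accounts different accounts inside one window.

    Counting distinct accounts rather than total failures is what separates
    a dictionary attack across many users from one user mistyping a password.
    """
    fails = defaultdict(list)  # ip -> [(time, account), ...]
    for ts, result, account, ip in events:
        if result == "FAIL":
            fails[ip].append((ts, account))

    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        best = set()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until the span is at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            seen = {acct for _, acct in attempts[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_accounts:
            flagged[ip] = sorted(best)
    return flagged


def successes_after_spray(events, flagged):
    """Successful logins from a flagged source: the accounts whose password the
    campaign most likely guessed, and the first ones to reset and investigate."""
    return sorted((account, ip) for _, result, account, ip in events
                  if result == "OK" and ip in flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_spraying_sources(evs)
    print("spraying sources:", hits)
    print("likely compromised:", successes_after_spray(evs, hits))
```

In the sample, 203.0.113.7 fails against five accounts in five seconds and then succeeds on a sixth, so it is flagged and frank@example.com is reported as likely compromised; 198.51.100.4 fails once and then succeeds on the same account, which is ordinary user behavior and is not flagged.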
Commandeering occurs when a criminal logs on to someone else's account using an illegally obtained ID and password. Once online, they have the victim's entire friend list at their disposal and a trusted cyber-identity. The impostor can then run a variety of confidence schemes, such as the popular "London scam," in which the "friend" claims to be stranded overseas and in need of money to make it home. The London scam has a far higher success rate on Facebook -- and specifically on commandeered accounts -- because there is a baseline of trust between users and those on their friends lists.
Profile cloning is the act of using unprotected images and information to create a Facebook account with the same name and details of an existing user. The cloner then sends friend requests to all of the victim's contacts, who will likely accept them, as they appear to be from someone they know. Those accepted friend requests give the con artist access to his new "friends'" personal information, which can be used to clone other profiles or to commit fraud.
As Grayson Milbourne puts it, "Exploiting a person's account and posturing as that person is just another clever mechanism to use to extract information." Perhaps what's scariest about this kind of crime is its simplicity. Hacking acumen is unnecessary to clone a profile; the criminal simply needs a Facebook account.
Cross-platform profile cloning is when a cyber criminal obtains information and images from Facebook and uses them to create false profiles on another social-networking site, or vice versa.
Because the profile is often cloned to a social networking platform that the victim doesn't use, this kind of fraud may also take longer to notice and remedy.
Phishing on Facebook usually involves a hacker posing as a familiar individual or respectable organization, and asking for a user's personal data, usually via a wall post or direct message.
Often, users will be directed to click on a link. Once they do so, their computer may be infected with malware, or they may be directed to a website that offers a compelling reason to divulge sensitive information.
A classic example would be a site that congratulates its victims for having won $1,000 and prompts them to fill out a form to collect their prize -- a form that requests credit card, bank account or Social Security numbers, which can then be used by the fraudsters.
Also becoming increasingly common, warns Milbourne: "spearphishing," a practice that uses the same basic idea but targets users through their individual interests.
In this common con, the scammers direct users via some sort of clickable enticement to a convincing, but spurious, Facebook log-in page. When the victims enter their usernames and passwords, they are collected in a database, to be used by the original scammer or resold to other criminals.
Once scammers have a user's login information, they can take advantage of the identity through apps like Facebook Marketplace. Posing as a reputable user lets the scammer capitalize on the trust that his victim has earned to sell fake goods and services, or promote brands they have been paid to advertise.
In affinity fraud, con artists assume the identities of people in order to exploit the trust of those close to them to steal money or information. Facebook facilitates this type of fraud because people on the social network often end up having a number of "friends" they actually do not know personally and yet implicitly trust.
Criminals can infiltrate a person's group of friends and then offer someone deals or investments that are part of a con. They can also assume an identity by hacking into a person's account and asking their friends to wire them money, or give them sensitive information like a Social Security or credit card number.
Few sites provide an easier source of basic personal information than Facebook. While it is possible to keep all personal information on Facebook private, users frequently reveal their email addresses, phone numbers, addresses, birth dates and other pieces of private data. As security experts and hackers know, this kind of information often finds its way into passwords or answers to "secret" security questions. While the majority of unprotected information is mined for targeted advertising, it can be used for more pernicious ends such as profile cloning and, ultimately, identity theft.
Most mass email advertisements are legal, if annoying. However, the growth of social networking has allowed for a new kind of spam called clickjacking. Clickjacking uses an advertisement for a viral video or article as an inducement to click on a link. Once clicked, the link sends the user to a page that tricks them into taking actions that they don't realize they are doing, such as sending an advertisement to all their friends' walls, buying an item via a concealed page, or revealing personal data. This has become such an issue for Facebook that earlier this year, the company teamed up with the U.S. Attorney General to try to combat the problem.
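Clickjacking works by loading the target page inside an invisible frame on the attacker's page, so the user's clicks land on controls they cannot see. The article describes the scheme from the victim's side; the control on the site-owner's side is to tell browsers not to render the page inside another site's frame, which is done with the X-Frame-Options header or the frame-ancestors directive of Content-Security-Policy. The following is an added example, not code from the article, that classifies a response's framing policy from its headers; the sample header sets are constructed for the example.

```python
"""Check HTTP response headers for clickjacking (framing) protection.

Added example, not from the article. The two real headers involved are
X-Frame-Options and the Content-Security-Policy frame-ancestors directive.
The sample responses at the bottom are constructed for this example.
"""


def csp_frame_ancestors(csp_value):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _allows_any_origin(ancestors):
    """True when the frame-ancestors list lets any site frame the page."""
    return any(a == "*" or a in ("http:", "https:") or a.endswith("://*")
               for a in ancestors)


def framing_protection(headers):
    """Classify a response's framing policy from its headers (names case-insensitive).

    Returns one of:
      'blocked'     - no other site can frame the page
      'restricted'  - only the same origin or listed origins may frame it
      'unprotected' - any site can frame it, so clickjacking is possible
    When a CSP frame-ancestors directive is present it is used and
    X-Frame-Options is ignored, which matches how supporting browsers behave.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return "blocked"
            if not ancestors or _allows_any_origin(ancestors):
                return "unprotected"
            return "restricted"

    xfo = lowered.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN" or xfo.startswith("ALLOW-FROM "):
        return "restricted"
    # Absent, or an invalid value such as ALLOWALL, which browsers ignore.
    return "unprotected"


# Constructed sample responses, keyed by a short description.
SAMPLE_RESPONSES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"x-frame-options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp-no-directive": {"Content-Security-Policy": "default-src 'self'"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors https://*"},
    "xfo-invalid": {"X-Frame-Options": "ALLOWALL"},
}


def audit(responses):
    """Classify every sample response; returns {description: verdict}."""
    return {name: framing_protection(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:20} {verdict}")
```

Only 'blocked' and 'restricted' actually stop a third-party page from framing the site; a missing header, a wildcard frame-ancestors list, or a misspelled X-Frame-Options value all leave the page exposed, and the last case is easy to miss because the header is present.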