Fraud Prevention Month: Five Common Cybercrimes in 2023
Canadians rely on technology every day at work, at home, and everywhere in-between. For #FraudPreventionMonth 2023, learn how you can defend yourself from the most common cybercrimes.
Cybercrime is a general term used to describe illegal activity using technology like computers and the internet. The goal of cybercriminals when attacking an individual or business is usually to make a profit.
Cybercriminals do this by obtaining your data, which can include:
- Banking information, like your credit card number
- Contact information, such as email addresses and phone numbers
- The address of your home and workplace, or your IP address (which cybercriminals can use to find your location, retrieve your online identity, and intercept your network communication)
- Login credentials such as passwords and usernames
- Personal information, including your and your family’s birthdates, names, social security numbers, etc.
If a cybercriminal targets you and gains access to these things, they can take your money, steal your identity, and use your personal information against you. Cybercriminals may also target your workplace by accessing your work account login information. This applies to anyone who works with valuable information that is confidential or beneficial to competitors.
Cybercriminals committing these targeted attacks are commonly called threat actors, malicious actors, or bad actors. A threat actor may be working on their own, or as a part of a group that has been provided with training and access to various resources in order to help them succeed in their crimes.
To protect yourself, it is wise to learn the various ways cybercriminals may come after your data, and how to defend yourself from their tricks and technology.
Phishing Attacks
Threat actors will often try to pose as someone who you know and trust, as an organization, or as a person of influence in order to manipulate you into giving them personal information. Within the cybercrime world, this kind of deception is known as social engineering, or phishing. It is one of the most common cyber scams.
A phishing attack involves receiving an email, text, or phone call from a person pretending to be any individual or group familiar to you. They may impersonate your boss, an old friend, your colleague, or a government agency like the CRA (Canadian Revenue Agency).
Phishing attacks have a few common features to look out for:
Something has gone wrong, or is too good to be true. Communications from malicious social engineers often include a notice or warning that there has been suspicious activity on your accounts, that you need to update payment information, or confirm personal information regarding your finances or identity. These attacks may also claim that you have won a prize like a new phone, vehicle, or vacation. Beware of prize offers unless you are sure you have entered a reputable draw offering a chance to win these items.
There is a sense of urgency to complete an action. Messages from threat actors (which can be sent via email, text, or over the phone) usually have an urgent tone that may feel threatening. Remember that you are in control. Take the time to evaluate the message critically in order to confirm whether it is legitimate and protect yourself.
The action involves clicking a link or providing personal information. The action the threat actor is urging you to take usually involves either clicking a link that infects your device with malware, or asks you to divulge personal information. It can be easy to fall into these traps, as the links are disguised to seem normal, and the forms where you fill in your information look just like the ones you are used to.
It opens or closes with generic regards. If an email, text, or phone call opens with something generic like, “Dear customer,” or “Hello there,” it is likely a scam. Your bank, the streaming services you are subscribed to, and the airlines you have an account with all know your full name. Any official communication from them will usually include it. However, even if they use your name, that does not mean it is legitimate, as cybercriminals are calculated and can find this information out.
With phishing attacks, emails and other communications are often made to look legitimate, and use logos or branding elements from the company they claim to be representing. The person on the phone may sound very genuine. Or a text message may appear similar to recent account confirmation texts you have received and answered. However, cybercriminals can be very talented impersonators.
It is best to remain suspicious and hesitant of communications, and remember you have the right to question someone demanding information from you. If you receive suspicious communications you are not expecting, do not click any links or offer any banking or personal information right away. If you have reason to believe that communications might be legitimate, contact the company, organization, or individual directly through the phone numbers or emails listed on their official website to confirm they are trying to contact you.
Malware
Software that is created to harm your device and data is known as malicious software, or malware. Often the links in phishing emails will download malware onto your device if clicked on.
Cybercriminals benefit from malware technology by:
- Recording your personal information and internet usage, and selling or using this information to profit.
- Corrupting your files, and then refusing to undo this action until you pay them a large fee. This is called ransomware.
Your device may be infected with malware if you’ve noticed that it is running slower than usual, that there is an increase in pop-up ads or warnings, or if you keep being redirected to a suspicious website when trying to use your web browser. The best way to defend yourself against malware is to avoid phishing scams and to use legitimate websites and app stores when downloading or purchasing content and products.
Password Attacks
If cybercriminals gain access to your computer or network, they have software that can guess and check millions of passwords in seconds. This is known as a brute force attack. Cybercriminals may also perform a dictionary attack, where they enter common and easily remembered words when guessing passwords.
When your password isn’t strong or complex enough, the chances of a brute force attack being successful increase. A password that includes a word or name that is meaningful to you is not secure, and is easily guessable. A strong password includes:
- At least twelve characters.
- A combination of upper- and lower-case letters.
- At least one number.
- A special character, like: !, # or $.
- Random letters in a sequence that makes sense to you, but that isn’t a word and doesn’t form a simple pattern.
Each account or website you sign into should have a unique password. If this is overwhelming, there are two ways you can make it easier:
Passphrases are a form of passwords that are easily remembered while still remaining secure. While still following the guidelines above, you can make your password a phrase of random words that makes sense to you. Avoid using phrases that include your favourite hobbies or names of family members, as this information can be discovered through social media or by knowing you personally.
You may also want to consider using a password manager. A password manager works by generating unique, complex passwords, and saving them in a secure location that only you can access. An effective password manager will tell you if a password has been compromised and will alert you to change old passwords when necessary.
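The guidelines above can be checked mechanically, which is roughly what a password manager does when it rates or generates a password. The following is an added example, not code from the original article: the function names are hypothetical, `COMMON_WORDS` is a small constructed sample standing in for a real dictionary list, and any punctuation character is accepted as a special character.

```python
import secrets
import string

# Constructed sample of common passwords; a real check would load a far larger list.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "dragon", "canada"}
SPECIALS = set(string.punctuation)


def has_sequence(text, run=4):
    """True if text contains `run` consecutive ascending characters (abcd, 1234)."""
    for i in range(len(text) - run + 1):
        chunk = text[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(pw):
    """Return the list of guidelines from the article that pw fails."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than twelve characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    lowered = pw.lower()
    # Dictionary attacks try known words first, so reject them even inside a longer string.
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    # Simple patterns: one repeated character, or an ascending run such as 'abcd'.
    if len(set(pw)) == 1 or has_sequence(lowered):
        problems.append("contains a simple pattern")
    return problems


def generate_password(length=16):
    """Generate a random password that passes every check above."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*?"
    while True:
        # secrets draws from the operating system's cryptographic random source.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```

Note that `Password1234!` meets the length, case, number, and special-character rules yet still fails, because it is built from a dictionary word and a simple sequence.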
Of course, to log into your password manager, you will need to remember a secure password. However, you should also be using multi-factor authentication (MFA). MFA alerts your other devices when you attempt to log in to an account, asking for confirmation that it is in fact you. This extra layer of security should be applied not only to your password manager, but to as many accounts as possible, such as your email, social media, and bank accounts.
Man-in-the-Middle Attacks
A man-in-the-middle (MitM) attack is when a cybercriminal intercepts your online connection and communication. They will then either:
- Impersonate the person or group you believe you are communicating with online, earning your trust and acquiring your information.
- Or eavesdrop on your activity, checking which websites you visit and what platforms you use. They can then record your data.
MitM attacks occur over compromised network connections. Often cybercriminals will set up wi-fi at public locations that anyone can connect to for free and without a password. When connecting to the wi-fi at your local coffee shop, doctor’s office, or retail store, be extra cautious. Avoid logging into online or mobile banking platforms or any other websites and accounts that require you to use personal information when connected to a public wi-fi network.
Identity Theft
Identity theft is often part of the cybercrimes listed above. Through a successful phishing scam or by exploiting a weak spot in your login credentials, cybercriminals can begin profiting by impersonating you.
One very common crime is credit card fraud, as they will likely use your banking information to make purchases and attempt to lock you out of your accounts. However, your personal information is also valuable enough to sell to other criminals or companies, making it more difficult to put an end to the fraudulent use of your identity.
The more cybercriminals know, the more damage they can do. Besides being aware of the various traps cybercriminals have set up, consider how you use, share, and secure your data. Pause and evaluate the next time you are about to offer your information to a website, business, or on social media. Before clicking links or divulging personal data, verify who you are communicating with. Lastly, ensure you are maintaining proper password hygiene to keep your data and accounts secure and fraud-free!