The tricks of the malware trade: Don't take the bait!

It's not always easy to spot a phishing email. If you've come close to clicking a link in a phishing email (who hasn't?), don't feel too bad. It's not just carelessness on your part.
Those crafty computer criminals are targeting their victims more precisely, using what they know about you to your disadvantage. (Eight of the FBI Cyber's Most Wanted are pictured above.)
Here are five simple things you can do to avoid taking the phishers' bait.
1. Avoid unfamiliar USB thumb drives, CDs, DVDs, etc. Before you plug anything readable into your computer, consider the source. Even if you trust the source, scan the device with your antimalware program before you access any of the files the gizmo stores. Keep in mind what a scan can and can't do: it catches known malicious files on the drive, but it can't vet a device that presents itself to the computer as something other than storage, such as a keyboard.
In an August 1, 2014, article, CNN Money's Jose Pagliery recommends treating all USB flash drives and smart phones as personal, like razors and toothbrushes. No sharing.
In the old days, content on external media often ran automatically as soon as it was inserted. Windows 7 and 8 no longer honor the autorun.inf file on a USB drive (only CDs and DVDs still get that treatment), and Microsoft later pushed the same restriction to XP and Vista through Windows Update, so make sure it is applied if you still run one of those versions. The Winhelp.us site explains how to disable AutoPlay in Windows XP and Vista. (It also describes how to change the setting to play such media automatically in Windows 7 and 8, which is a change you should not make.)
2. Shun unfamiliar email attachments or links. All the big-name email services scan your messages and their attachments for malware, among other reasons (Hello, NSA.) Despite the automatic scan, you may suspect the legitimacy of a file sent to you as an email attachment. If so, scan the file for malware manually before you open it. A free service for checking individual files for malware is VirusTotal. (Note that VirusTotal has a 128MB file-size limit.) Two practical points: you can search VirusTotal for the file's SHA-256 hash first, which tells you whether the file has already been analyzed without uploading anything, and anything you do upload is shared with VirusTotal's partners, so don't upload a document that is confidential to you or your employer.
It's easy to forget that we're not supposed to click unfamiliar links in emails. The bigger problem is, some familiar links should be left unclicked, too: the visible text of a link doesn't have to match where the link actually points, so a link that reads as your bank's address can lead somewhere else entirely. Hovering over a link shows its real destination, but it's always safest to type the URL in your browser's address bar yourself and then search the site for the page referred to in the message.
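To make both halves of this tip concrete, here is a small Python script added for this article (it is not code from the original post or from VirusTotal). It takes a message, hashes every attachment so the SHA-256 can be searched on VirusTotal before anything is uploaded or opened, and flags links whose visible text names one site while the href points at another, uses a bare IP address as the host, or uses a non-web scheme. The message, the attachment bytes, the domains and the IP address below are all constructed for the demo; the VirusTotal lookup itself is left to you, since it needs an account and a network connection.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed demo data (not a real lure). The first link's visible text
# claims www.example.com while the href goes to a look-alike domain; the
# third link uses a bare IP address as its host.
SAMPLE_ATTACHMENT = b"%PDF-1.4 not really an invoice\n"
SAMPLE_HTML = """<p>Your account is on hold.</p>
<p>Sign in at <a href="http://login.examp1e-secure.net/x">https://www.example.com/login</a>
to restore access.</p>
<p>Questions? See our <a href="https://www.example.com/help">help page</a>
or <a href="http://203.0.113.9/update">update your details</a>.</p>
"""
LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)", re.IGNORECASE)
IPV4_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def build_sample_eml() -> bytes:
    """Assemble the constructed message so the example runs offline."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "you@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Your invoice is attached.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    """The hash to search on VirusTotal; a hash lookup uploads nothing."""
    return hashlib.sha256(data).hexdigest()


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of visible link text that looks like one."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlsplit(url_or_text).hostname or "").lower()


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Flag links whose real destination does not match what the reader sees."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        scheme = urlsplit(href).scheme.lower()
        if scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {scheme!r}")
        if IPV4_LITERAL.fullmatch(target):
            reasons.append("raw IP address as host")
        if LOOKS_LIKE_URL.match(text) and host_of(text) != target:
            reasons.append(f"text shows {host_of(text)} but link goes to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def triage(raw: bytes) -> dict:
    """Hash every attachment and check every link in the HTML body."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # the bytes as sent
        attachments.append({"filename": part.get_filename(),
                            "content_type": part.get_content_type(),
                            "size": len(data), "sha256": sha256_hex(data)})
    body = msg.get_body(preferencelist=("html",))
    links = suspicious_links(body.get_content()) if body is not None else []
    return {"attachments": attachments, "links": links}


if __name__ == "__main__":
    report = triage(build_sample_eml())
    for a in report["attachments"]:
        print(f"attachment {a['filename']} ({a['size']} bytes): sha256 {a['sha256']}")
    for f in report["links"]:
        print(f"link {f['href']} shown as {f['text']!r}: " + "; ".join(f["reasons"]))
```

Run it as is to see the constructed message triaged; to use it on a real message, save the message as an .eml file and pass its bytes to `triage()` instead of `build_sample_eml()`. The domain comparison is deliberately strict (any difference in hostname is reported), because a look-alike such as "examp1e" is exactly the case a looser match would let through.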
3. Don't give out information over the phone. The IRS doesn't initiate contact with taxpayers by telephone; its first contact about a tax matter is a letter in the mail. With rare exceptions, the agency prefers to keep a paper trail of its interactions with taxpayers. The same goes for Microsoft and most other companies.
One possible exception is when an agency or company you telephoned previously calls you back. This assumes you gave them your phone number previously, and you asked for or expected a return call.
If you have any doubt about a caller who claims to be from an organization you've dealt with in the past, hang up and call the organization back on a number you already have, such as the one on its website, on your statement, or on the back of your card. Don't rely on a number the caller gives you: a scammer will happily hand you one that rings back to the scam. While you're at it, ask the caller for their name and the location of their employer.
Sad to say, I've received calls in recent weeks from people claiming to work for the IRS and for Microsoft Support. Rather than answering the callers' questions, I start asking about them: "Who are you? How did you get my number? Where are you located?" The scammers never linger on the line once you've turned the tables on them.
The Federal Trade Commission Consumer Information site offers advice on spotting and responding to telephone scams. The Microsoft Safety & Security Center has information about the widespread telephone tech-support scams. On October 31, 2013, the IRS issued a warning about the telephone scams from callers purporting to be from the agency.
4. Get a 'disposable' phone number. Your phone number is valuable to data thieves. Avoid sharing it too widely by signing up for a free phone service, such as Google Voice. All you need to get a free U.S. phone number from Google Voice is a Google account. I signed up for a new number in about 15 minutes.
Whenever a service I'm signing up for requires that I supply a phone number, I enter the Google Voice number. The trick is to set up the account's voicemail, and then sign into the Google Voice app on your cell phone to retrieve your messages.
5. Keep sensitive information under wraps. Some office workers don't appreciate how much private information about their employer can be picked up by someone just walking around their work area. In a February 19, 2015, article, CSO's Maria Korolov reports on the results of a study by the Ponemon Institute that entailed having strangers roam around 43 offices for two hours. The researchers wore valid temp-worker IDs. The managers knew what the researchers were up to, but the staffers did not.
In 88 percent of the visits, the roving researchers were able to pick up sensitive information that was left in plain view. Rarely did any staff members ask the researchers any questions, even when the researchers took pictures of open files displayed on computer screens, and placed documents marked "confidential" in their bags.
Departments identified as most vulnerable to inadvertent disclosure of sensitive information were customer service, communications, and sales. Least vulnerable were accounting and legal, and the researchers picked up no confidential information at all from the research and development departments.