The holidays are busy. We’re trying to get work done to have some fun, and we’re hosting family and friends. Plus, parents that have the holiday Elf tradition must remember to move the doll every night. It’s a lot, and it can make us more likely to fall for scams that can lead to data theft.

Hackers like to take the path of least resistance. Why work harder than they have to for their ill-gotten gains? Instead, they’ll use social engineering to get you to give them your data or download their malware. Look out for these top holiday scams.

Parcel delivery scams
More people are expecting packages this time of year. Bad actors take advantage of this with what’s called a smishing scam. It’s a particular type of scam using text/SMS messaging. You get a message from a known service telling you a delivery needs rescheduling, or that there’s an outstanding fee that needs to be paid.

Recipients, who are already expecting a package, are quick to fall for the request. Clicking on the message link, they enter personal information or download malicious software.

Tip: Go to the source of the package you’re expecting and see what they’re saying about your package delivery.

E-card scams
Another common holiday season scam takes advantage of our enthusiasm for money. Scammers send e-cards to your email. When you click on the link, you’ll download a virus or other malware (e.g. ransomware).

Tip: Check the credibility of any e-card sender before downloading the “gift.”

Christmas hamper scams
Everyone wants to be a winner, but don’t fall for the scammer calling or emailing to say you’ve won a Christmas hamper. They’ll claim to be from a legit organization and have some of your personal information already. That helps them make it all seem genuine. Then, they’ll ask for you to provide more personal details to collect your prize or gift.

They may ask only for your full name, address, and phone number (if the request was emailed). They’ll be collecting this information for a more focused attack in the future.

Tip: Use strong passwords and be careful about what personal details you put on social media.

Fake websites
Many people shop sites that are unfamiliar to them at this time of year. Grandparents (even parents) know nothing about that latest trendy shop! Bad actors will set up fake sites offering gifts and services. They're looking to get your personal details and money.

Tip: Prefer secure website addresses starting with “https” and displaying a locked padlock.

Shopping scams
Every season has its in-demand items. Scammers take advantage of this and set up ads for amazing deals on those items. Desperate to get this year’s toy for your toddler, you might be hooked. Or they’ll ensure people click on their ads by offering ridiculous deals. If you do get the item purchased via these ads, it’s likely to be a sub-par counterfeit.

Tip: Shop with retailers you know and trust.

Bank scams
This scam operates year-round, but bad actors have an edge in the holiday season when people spend more. Fraudsters typically call, text, or email as your bank having noticed suspicious activity. They get you feeling anxious and then urge you to take action (e.g. click a link or share personal details) to address the issue.

Tip: Remember that banks never use unsolicited calls to ask for personal details, pressure you to give information, or tell you to move your money to a safe account.

Protecting yourself this season
The tips shared throughout this article will help. At the same time, setting up password managers and antivirus software can also be useful. We can help you secure your online activity year-round. Contact us today at (888) 234-WDIT (9348).

Changing your email is never fun, but it can be necessary. When you need to make a change, there are several things you need to consider. Follow this checklist to ensure you don’t lose data, keep up with your old contacts, and avoid security risks.
There are many reasons someone might decide to endure changing their email address. These include:

• losing access to the old one and not being able to recover that account;
• changing your internet service provider (ISP);
• having to stop using a professional email for personal messages too;
• falling victim of identity theft;
• deciding to give yourself a more professional email by changing your address from yourbusiness@yahoo.com to you@yourbusiness.com;
• not feeling as proud of your hotbabycakes@hotmail.com address now that you’re above the age of 14.

Whatever prompts your move, try these tips to avoid missing mail and risking account compromise.

Notify your contacts of the change
You will probably be amazed at the number of people you have in your contacts folder. Still, you can make the change easier by letting your friends and family know that you have a new email address.
When you send out a message to your contacts, respect people's privacy. Send your update with their names in the blind carbon copy (BCC) line.

Migrate your old inbox
Most domain providers make it simple for you to migrate your old emails and contacts. Once you set up the new account, you’ll typically be able to go into Settings and find an option to import your old data. You may have to migrate the inbox and the contacts separately.

Don’t move on too quickly
You may be ready to move on, but don’t delete that old email address too soon. It’s a common mistake. Instead, try to hold onto your old email as long as possible. You don’t have to continue using it, but if you still have access, you can:
set up forwarding so that any emails to your old address will go to your new one;
see what emails are still coming to identify accounts you might have forgotten to change.

Inventory all accounts using that address
Use a password manager? We recommend its convenience. Plus, you can search there for accounts using the old address. The password manager can be a landing page for you to jump to all those accounts and make the necessary changes.

Inspect your trash and old emails
To help you think of other sites connected to the old email address, review your trash and sent emails.
Think also of accounts that may use that email address for recovery. For instance, you may have set the old account as a backup for PayPal, online banking, or streaming services. If you don’t change the recovery address, you might have difficulty regaining access to that account.
You might wonder why you should bother doing this. If you don’t, someone could claim your old account and gain access to your connected accounts. If you press a recover password link on a banking site, for instance, that email will go to that person instead of to you!

Get help making the email move
The many little things to take care of when you change your email can make this a big deal. Our IT experts are here to help. We can set you up for simple, secure email communications in the future. Contact us today at (888) 234-WDIT(9348).

The average individual has 100 passwords to remember, according to a NordPass study. Apparently, no one has studied how many we actually remember versus how many we reset over and over. No matter. New developments could save us from having to remember passwords altogether, as major players are moving to a single passkey sign-on approach.

What is passkey sign-on?Apple, Google, and Microsoft have joined forces to support “passwordless” sign-in across all their mobile, desktop, and browser platforms. The initiative, announced in May to coincide with World Password Day, is expected to roll out in 2022/23.

What does passkey login involve? Users choose a physical device to use to authenticate them on apps, websites, and other digital services. For many of us, this would be a mobile phone. You’d unlock the phone as you normally do. Then, you could enter a PIN, draw a pattern, or use your fingerprint to sign into the digital services you need.

To put it simply, it’s a four-stage process:

1. You navigate to the site or app or service you want to use.
2. You approve access using your passkey device.
3. A public passkey (mirroring the private one on your device) is shared.
4. Login is completed.

You don’t need a password, because the login is done using a cryptographic token (the passkey). Your selected device shares that passkey with the website, app, or other online services.

Advantages of the passkeyUsing a passkey means you need to remember only the one PIN or pattern to unlock access … or have fingertips! And you don’t have to come up with a complicated passphrase either, which means no more frustrating upper and lowercase character, number, and symbol combo.

The passkey sign-in method is touted as more secure. Passwordless authentication makes it more difficult for hackers to compromise login details. After all, they would need access to the physical device you use to access digital services, apps, and websites.

You keep personal information safe and cut password vulnerabilities that plague us today:

• Phishing attacks, which use fake websites to capture login details, won’t work.
• Brute-force attacks, which use trial and error to guess credentials, won’t get anywhere.
• Spoofing your device will no longer work, as the passkey device must be near the computer.

Another plus? Passkey security is being set up to offer multi-device authentication. You’ll be able to sign in to an app or service from almost any device, and it won’t matter what platform or browser you’re using. So, you could sign in to Google Chrome and run Microsoft Teams using your iPhone, for instance.

Making the most of multi-factor authenticationPasskey security will use a FIDO standard to authenticate you in different contexts. This is a passkey protocol already supported in some online environments, but major players are now coming together to make it more widespread.

With a passkey that is unique to you, you’ll no longer have to worry about keeping track of multiple passwords.
​
Still, until this technology is available, you’ll want to protect your online activity. Our experts can help secure your home networks and set you up with a password wallet. Contact us today at (888) 234-WDIT(9348).

All of us like to think we are unique. That thinking extends to our passwords too, right? We’re special and distinct, so no one could guess our chosen collection of letters, numbers and symbols. Well, it’s surprisingly easy for algorithms to determine passwords and to do so extremely quickly. So, a password manager is a smart move, as you’ll have more complex, different passwords stored. Still, it’s important that your master password for that manager be 100 percent original.

Sure, your password may be difficult for a human to guess – it would take forever. But, computers can run through the possible combinations in seconds. Password Depot found that a password consisting of five characters (three lowercase letters and two numbers) can be hacked in 0.03 seconds.

Add characters and the volume of possible configurations increases, and that adds time. A seven-character password (one capital letter, six lowercase letters) will take approximately nine minutes. At eight characters (four lowercase letters, two special characters, and two numbers) things get more complicated. Trying all the possible permutations will take 2.6 days.

That’s a data-driven argument for complex passwords with many letters and numbers. But the problem is that they are so much more difficult to remember, and that’s why it’s a good idea to use a password manager.

The power of a password manager

A password manager offers top-notch encryption to protect passwords. You can use a password manager as a vault for all your passwords. When you want to log in online from your desktop, it can prefill your username and password. Often, there is also an app that allows you to do the same on mobile devices.

Industry-leading password managers also notify you if credentials are weak or get compromised. They may also flag that you are repeating access credentials, which is not a good idea.

Don’t forget your master password

Part of the appeal of a password manager is its zero-knowledge approach. They are set up so that they can’t see your stored passwords. The password is encrypted before it reaches the manager’s server and can’t be deciphered.

This means you have to be careful not to forget your master password. The master password is the one you use to access the password manager. Without it, you’ll have to try to recover your account using several stages of authentication.

Make your master password unique, and don’t use it anywhere else. Repeating passwords, as mentioned above, increases your risk of getting hacked. If the other site is hacked, the bad guys could try that same password on other sites, too. It’s low-hanging fruit for them.

The current best practice as far as passwords go is to use a passphrase with a mix of alpha-numeric symbols. This gives you a length of between 20 and 30 characters. You can use a variety of uppercase and lowercase letters, numbers, and symbols. Some examples of passphrases include:

• My_Fave_Person_is_My_Fish_761
• Mytrip-2-Paris-Was-Magnifique
• YouRemindMeoftheBabe!!

The passphrase means something to you, so it is more memorable. Yet it isn’t easy for hackers to crack. Also, you’re not using specific personal details that you may reveal on social media (unless you are constantly posting pics of your fish, and its name is actually 761).

Protecting your online identity
​
Want to know more about protecting your online identity? Need help with setting up security procedures for your home computer and network? Our tech experts are available to help. Call us today at (888) 234-WDIT(9348)!

You may remember playing Duck, Duck, Goose on the playground when you were young. But have you heard of DuckDuckGo? Many haven’t. So, we thought we’d share an introduction to this privacy-focused search engine.

DuckDuckGo promises to let you “search the Web without being tracked.” The search engine site touts a simple privacy policy: “We don’t collect or share any of your personal information.”

You can use DuckDuckGo on their iOS or Android app or extension by adding a private Web search to your favorite browser or by searching directly at DuckDuckGo.com. The site’s privacy browser extension blocks trackers and offers encryption for every device.

Why use DuckDuckGo?

Google is the obvious heavy hitter in search. The problem? The company keeps your search history forever. Plus, they are tracking everywhere you go online. Their trackers are on millions of websites.

Think about it: Ever looked at a new sweatshirt and decided against it only to find it following you in digital ads for days to come? That’s because of tracking. DuckDuckGo promises there are no trackers on its search engine. It even blocks Google’s and other company’s trackers, as well.

You might think you are achieving anonymity in Incognito Mode. But this doesn’t stop Google from saving your history. Companies, internet service providers, and governments can also continue to track you.

DuckDuckGo does not store IP addresses or other unique identifiers in its search logs. This means that they cannot create a search history or data profile on you or any other individual.

Does DuckDuckGo work?

The big question, of course, is how the private engine’s search results compare to competitors. The company claims it provides “truly private search results without tradeoffs in result quality.” DuckDuckGo says it offers “everything you’ve come to expect in your online search experience” including:

• maps;
• weather forecasts;
• local search;
• news;
• images;
• videos;
• shopping;
• definitions;
• Wikipedia references;
• currency conversions;
• flight information;
• calculator;
• timer;
• sports scores;
• Q&A reference.

Can DuckDuckGo compete?

Since its founding in 2008, DuckDuckGo has steadily gained users. On January 13, 2022, the search engine announced it had surpassed 100 billion all-time searches.

According to public traffic statistics in the same week, the highest daily number of search queries DuckDuckGo had seen was 110,439,133. Just a year ago, on January 11, 2021, the company announced hitting over 100 million searches daily.

Those numbers are impressive, yet as Search Engine Land puts it, “DuckDuckGo remains a very niche competitor.” Google has a huge market share (as much as 87.57 of searches). Bing, the next biggest competitor, accounted for 6.31%, Yahoo 3.25%, and DuckDuckGo 2.5%, according to statcounter.com.

Protecting your privacy online

DuckDuckGo is an attractive and useful option for people who want a higher level of online privacy.
There are many other ways to protect your identity online and secure the data on your residential computers. Contact our IT experts today at (888) 234-WDIT(9348) to learn more about the best solution for your personal needs.

Nine out of ten times today when you visit a website you’re asked to sign in. To add convenience, many sites offer the ability to sign in using a Facebook or Google account. Sure, it’s simpler, but this article will share three key reasons why you might want to avoid this easy route.

It’s estimated that we each have an average of 100 passwords. That’s a lot to remember, especially as we need unique logins for every site to lower our risk of cyberattack.

At the same time, every website wants us to set up an account. It helps them get to know their users. This can help them to target marketing and product development efforts. They might also share the information with third parties as another source of income.

Still, the website wants to keep its users coming back, so they allow you to sign in with Google or Facebook accounts to streamline the process. Weigh the value of that added convenience against these three considerations.

#1 You’re giving away more data
​
By using Google or Facebook to sign in on other websites, you are giving the sites greater access to information about you. Now, they not only know what you do on their sites, but you’re also allowing them to build out their picture of you with data insights from the shared sites.

Google and Facebook have powerful tools to dig deeper into your online activity, and other websites can also extract data from your Facebook and Google accounts. If you don’t read the privacy policies, you may not know what sensitive data the platforms share.

#2 You could lose access

You may join those who are deciding to quit Facebook or leave Google in favor of another platform. If you do so, and you have used that account to access other sites, you’ll have to create new logins.

Even if you’re not ever going to do away with your Facebook or Google account, you could still lose access. If there’s a major outage at one of those two sites, you won’t be able to log in at any of your connected sites either. The other websites won’t be able to authenticate you until Facebook or Google is back up and running.

#3 Your attack surface gets bigger

If you have one, unique login credential for a website, you risk your data there only if that site gets hacked. However, if you use Facebook or Google login, and bad actors compromise that account, they can access any shared sites.

Think of it like dominos. The Facebook or Google account is the first to fall, but all those other accounts you “conveniently” login to using those credentials will come tumbling down soon after. Don’t think the attacker won’t bother looking for other connected accounts. All they have to do, once they breach one account is go into your settings to see what you have connected.

Social media accounts are also a prime target. Don’t believe us? Bet you’ve seen a post from a Facebook friend (or ten) telling you to ignore strange activity due to a hacked account.

Protect your online identity

Account compromise is a top cause of data breaches worldwide. Protect your online identity by following best practices for cyber hygiene.

Need help with password security? Our IT experts can set you up with a password manager or provide other online security help. Contact us today at (888) 234-WDIT(9348)!

The main advantage of a password manager is obvious to anyone with more than one account online (i.e. everyone). Instead of remembering all 100 usernames and passwords, the password manager autofills them. It’s a boon. But it’s not the only reason to use a password manager. This article shares several more unexpected benefits.

Password manager programs generate, manage, and store many different passwords. You may be concerned about whether a password manager is safe to use. But, the cybersecurity industry consensus is “yes, it is.”

A password manager uses top-notch encryption to protect passwords. Plus, they take a zero-knowledge approach. They can’t actually see the passwords they store and prefill on sites. The password is encrypted before it reaches the manager’s server and can’t be deciphered. This is why you need to be so careful not to forget your master password!

That said, the password manager offers more than a vault for encrypted credentials.

More Benefits of Password Managers

For one thing, many password managers have apps for download onto mobile devices. Then, you can use the password manager to prefill forms on those, too. This gives you the advantage of convenience not only on your desktop computer but also on the go.

Some password managers offer added security benefits, as well. They might:

• warn you of weak password and login credentials;
• remind you to change your passwords;
• notify you if your passwords may have been compromised in a breach;
• advise you against repeating access credentials if you’re about to do so.

Another advantage is that you can conveniently share passwords with others. Maybe you want to give family members shared access to streaming accounts or allow a work colleague access to applications you’re using remotely. A managed password sharing feature can allow them to see selected passwords. You aren’t showing everything: you can pick what you make available. Plus, when you change your credentials, the password will change on their end, too. This doesn’t need to be permanent either. You can easily revoke password sharing.

You can also use a password manager to secure other important information. You might store things such as credit card numbers or other personal identifying information. Keeping that kind of data in an unencrypted note on your desktop or mobile device is unsafe, but you can take advantage of password manager encryption to safely store those precious details.

Secure your passwords with a manager
​
You can’t expect to remember all your unique passwords. Yet the days of writing down passwords on Post-it notes are over. Use cloud-based password management to secure your passwords and do more.

Contact our IT experts today to find out more about password management. We’re happy to suggest the best solution for your needs and set it up, too.

Call us now at (888) 234-WDIT(9348)!

Retail research tells us that over 75% of people are shopping online each month, and, with the holiday season upon us, you’re likely to be one of them. But don’t let the appeal of convenience distract you from the need to stay safe when shopping online.

The number of digital buyers is steadily climbing. In 2020, according to Statista, more than two billion people purchased goods or services online. During the same year, e-retail sales surpassed $4.2 trillion U.S. dollars worldwide.

Retailers are embracing the change in consumer behaviour. But, do you know who else is taking advantage? Cybercrooks. Before you buy, consider these strategies to stay safe.

#1 Question that great deal
If a deal looks “too good to be true,” it probably is. You’re not going to get a new Apple laptop for $29.99, or the latest Beats headphones or Xbox gaming console for under $20. Anyone offering you that price is trying to lure you to their site to enter your payment details, so don’t be surprised when your product never arrives!

#2 Review seller feedback
While scrolling social media you see adverts for perfect gifts for someone on your list. And it’s so easy to click the link and buy! Still, before purchasing, take the time to research the seller.

Read the feedback from other buyers on independent sources. It adds only a few moments to check sites such as Trustpilot and Google My Business.

#3 Research the business domain
Think about it: who are you more likely to trust with your sensitive data? Someone who has been in business 10 years or someone who set up shop 10 days ago? Quickly check how long a business website has been around. Enter the URL into the Internet Corporation for Assigned Names and Numbers' lookup tool [https://lookup.icann.org].

#4 Watch out for email scams
Before clicking on any offer links in emails, check the URL. You can hover over the link before actually redirecting there and check the target. Double-check that the address is to the site you’re expecting.
Also, slow down and be sure that the address doesn't have any typos or atypical endings. You don’t want to confuse www.nike.com with www.n1ke.co and end up a victim of identity theft instead of the proud owner of the latest Air Max.

#5 Check payment site security
There are several ways to verify the security of a payment site. These include:

• verifying that the site uses an SSL certificate – it will start with “https” instead of “http”;
• checking for a physical address and phone number – call the contact number to confirm it is not fake;
• reviewing the Terms and Conditions and Return and Privacy policies – any reputable brand has these!

#6 Pay with Online Payments

When you do decide to buy, prefer to pay using PayPal or another online payment tool. You won't be giving the seller your credit card details. If you can’t take this approach, use a credit card from a credit account rather than debit. You will have more protection this way. You can start a chargeback through your credit card company when the item isn't as advertised and the seller’s customer service doesn't help.
Before online shopping, at any time of the year, update your operating system, and keep your anti-virus software current, too.

Our IT experts are here to help you keep your technology safe and secure year-round. Contact us today at (888) 234-WDIT(9348).

Smishing is high up on the list of words that do not sound as intimidating or threatening as they should. Smashing the word fishing together with the “SM” for short messaging service (aka text), smishing is a cyberscam.

Especially with online shopping skyrocketing during the pandemic, delivery smishing has gained traction. Don’t fall victim to this type of cyberattack.

What does smishing look like?
You’ll get a text message that appears to be from a shipping company. You’re told you have a package coming, but that more information is needed to ensure delivery. You’ll squeal, “a package!” OK, maybe you won’t squeal, but you’ll feel anticipation and click on the link to help deliver that package to your door.

You might already be expecting a package. After all, as recently as June 2021, PWC was describing a “dramatic shift” toward online shopping. According to its most recent consumer survey, in the last twelve months:

• 44% of those surveyed bought online using a mobile phone or smartphone;
• 42% used smart home voice assistants to shop online;
• 38% used a tablet for online shopping;
• 34% bought something online via PC.

So, you might not think twice about clicking on a link appearing to be from a major delivery service.

 Don’t do it.
 
What happens next?
You click on the link and are asked for personal information, even a credit card number or password. Otherwise, clicking on the link will download malware onto your phone. The bad guys use their access to snoop and/or send your sensitive data to its servers, without you knowing it.

The smishing scam is a global one:

• March 2021 saw a 645% jump in Royal Mail-related phishing attacks, equating to an average of 150 per week.
• UPS warns about this type of fraud on its website.
• FedEx has tweeted the reminder, "We do not send unsolicited texts or emails requesting money, packages or personal information. Suspicious messages should be deleted without being opened and reported to abuse@fedex.com."

Package delivery isn’t the only common smishing tactic either. You might also see:

• urgent messages saying your bank account is locked;
• a warning from your credit card company about a fraud alert;
• something promising that you’ve won a great prize;
• an unusual activity report from a company where you have an account.

All that would get your attention, right? So, what do you do about smishing? That’s covered next.

Protect against smishing
Avoid getting drawn in by the urgency or emotional appeal of the SMS. Don’t click the link, and don’t call the number in the message either. Instead, look through your bills or go online into your account for information on how to contact that company.

Reputable mail carriers and financial institutions won't send text messages asking for credentials, credit card numbers, ATM PINs, or banking information.

Look at the sender more closely. A message from a number with only a few digits was likely sent from an email address, which can flag that it’s a scam.

Also, don’t store personal banking or credit card information on your mobile phone. That way the criminals can’t access it, even if they do get you to download malware onto your phone.

You can help others to not fall victim to smishing as well. Report any attempts to your telecommunications carrier or your communications regulatory body.
​
For more helpful information on mobile security threats and how to protect your home network from cyberattack, contact us at (888) 234-WDIT(9348)!

Every time you’re online and a site sends a separate code to check your identity, you’re using two-factor authentication. It’s become the norm. So, of course, hackers have figured out how to get around this, too. This article shows you how they do it and how to stay safe.

With billions of usernames and passwords leaked, access credentials everywhere are at risk, especially if you are reusing your log-in information on more than one site (don’t do it!).

Business websites want to offer a secure user experience, so two-factor authentication (2FA) has become the norm. It’s meant to help stop automated attacks in which bad actors use the leaked usernames and passwords.

Still, if the site you’re visiting uses short message service (SMS) to send a one-time code to your phone, you could still be at risk.

Hackers, using information they have from a data leak, can call your telephone company. They use your name, date of birth, and other identifiers available on the Dark Web, to impersonate you. Then, say you’ve lost your phone, they transfer your phone number to a device with a different SIM card.

That means when the one-time SMS code gets sent your phone number, the message will instead go to their device.

Android Users Also Beware
On Android devices, hackers have an easier time getting access to text messages. If they have access to your leaked Google credentials, they can log into your Google Play account. From there, it’s simply a matter of installing a message-mirroring app on your smartphone.

The app synchronizes notifications across your different devices. It’s for when you really need to be connected, and you’ll be able to see your phone’s SMS alerts on your tablet!

The app won’t work unless you give it permission when prompted to do so, but too many people don’t stop to read alerts from their own accounts: they assume it’s another necessary update and go on with their day. Otherwise, the hacker might call you in a social engineering ploy pretending to be a legit service provider. They’ll be familiar to you, so you’re more likely to listen when they ask you to give permission.

Again, when the one-time SMS code gets sent to your phone, because of the message-mirroring app, the hacker's device will also receive the code.

What Can You Do to Protect Yourself?
It starts with using unique passwords for all sites you visit. Worried you’ll forget them? A password manager can keep all your access credentials in one secure place for you.

You should also confirm that your credentials haven’t been compromised. If you use Google’s password service, you can head to the password manager site and tap “check passwords” to see if there are any issues. On Firefox, head to the Firefox Monitor page and “Check for Breaches.” On Safari, click on Preferences, and then on Passwords to see what recommendations they have for your security.
Change any passwords that have been involved in a leak!

To avoid the SMS concern specifically, avoid using one-time SMS codes to verify your identity. Instead, you can use a non-SMS authentication tool such as Google authenticator, which provides two-step verification services within the app itself.
​
Need help learning if your credentials have been leaked? Or want assistance setting up more security for your online activity? We can help. Contact our IT experts today at (888) 234-WDIT(9348).