SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Identify and avoid online scams in 5 easy steps

Posted on October 13, 2016
  • Learn to identify phishing e-mails and fake websites.
  • Use a password manager app for added security.
  • Make sure you’ve got the right number before calling tech support.
  • Don’t believe those pop-ups.
  • What to do when your browser is “locked.”

Internet criminals can be pretty devious, and it’s becoming increasingly hard to tell legitimate sites from fake ones these days. In today’s episode, we’ll go over five ways to identify and avoid online scams, helping to keep your personal data (and the contents of your bank account!) out of the hands of online con artists.

Learn to identify phishing e-mails and fake websites. Although automated detection for spam or fraudulent e-mails has gotten better with each passing year, phishing e-mails continue to play a major role in identity theft and other forms of online fraud. Phishing e-mails are crafted by scammers to mimic the look and feel of legitimate messages from online banking and credit card companies, with the sole purpose of getting you to divulge your login information and account details, enabling fraud on a large scale. Sometimes it can be difficult to discern legitimate e-mail from phishing attempts, but there are a number of ways you can lower the risk of falling victim to online phishing.

One of the most obvious indicators that an e-mail might be less-than-legitimate is the presence of spelling mistakes or other grammatical errors. Big companies run their e-mails through teams of proofreaders and copyeditors before they ever even think about sending them out to customers, and it’s pretty rare to find errors in legitimate messages from your bank or credit card company.

Even when an e-mail looks legitimate from a spelling and grammar point of view, it’s still not a good idea to trust links in e-mails, especially when it comes to things like banking websites. Many times a phishing e-mail will tell you that you need to verify your account information to avoid a fee or account closure, with a link to a website that mimics the login page for your bank/credit card company. When you enter your login information on the fake site, the bad guys will have your info and use it to access your account and defraud you.

Similarly, when in doubt about the authenticity of an e-mail or website link, don’t trust the contact numbers or support links from the suspect e-mail, as there’s a chance that they are fake as well. Instead, contact your bank or credit card directly via the website or phone number listed on your physical debit or credit card, as they’ll be able to look up your account information in their system and let you know if an e-mail really came from them or not.

Use a password manager app for added security. With all of the various online accounts we use on a daily basis, including banking, e-mail, social messaging, etc., it can be hard to keep track of a different password for each site. While it may be tempting to use a simple, easy-to-remember password, that’s not a good idea. If your password is something simple for you to remember, there’s a good chance that it’s weak enough for the bad guys to gain access to as well. Additionally, re-using the same password on multiple websites is a bad idea. There have been a number of well-publicized attacks on various websites in the past few years where account information (including logins and passwords) has been stolen by hackers and leaked onto the internet at large. If your favorite social media site gets hacked and you used the same password for online banking, it’s a simple step for the bad guys to determine the login information for your bank account as well.

Password manager apps provide a number of useful features and functionality. First, they can quickly generate secure, hard-to-guess passwords, with a different one for each login account you have. Second, they can store said passwords in a protected manner (encrypted) on your computer, which is much safer than simply having them all in a text file or written down on a sticky note. Finally, many password manager apps can auto-fill your login details when you need to access your account on a website, so you don’t have to actually remember anything more than one single password (which you use in conjunction with the password manager app as a password for the rest of your passwords, essentially).

One of the major benefits of the auto-fill capability of password managers is that they will verify the authenticity of a site before allowing your login info to be auto-filled. So even if a site looks legitimate at first glance, the password manager app would be able to see that it isn’t actually your real online banking site, and refuse to part with your login details should you try and auto-fill them on a scam site.
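The refusal described above comes down to comparing the address of the page you are on with the address saved alongside the login. The following is an added example, not code from the original show notes or from any password manager product; the vault layout, function names and hostnames are assumptions, and real products apply their own matching rules.

```javascript
// Added example: simplified origin check before autofill.
// Hostnames are constructed and use the reserved .example/.test names.

// Returns "https://host[:port]" for a valid HTTPS URL, otherwise null.
function normalizedOrigin(rawUrl) {
  let url;
  try {
    // The WHATWG URL parser lowercases the host and converts
    // internationalized names to their punycode (xn--) form.
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable address: never autofill
  }
  if (url.protocol !== "https:") return null; // refuse plain HTTP
  return url.origin;
}

// Looks up a saved login whose origin exactly matches the current page.
function findAutofillEntry(vault, pageUrl) {
  const pageOrigin = normalizedOrigin(pageUrl);
  if (pageOrigin === null) return null;
  return vault.find((e) => normalizedOrigin(e.savedUrl) === pageOrigin) ?? null;
}

// Constructed vault with one saved login.
const vault = [{ savedUrl: "https://bank.example/login", username: "alice" }];

// Constructed page addresses: two genuine, four that only look right.
const pages = [
  "https://bank.example/login?next=/accounts",      // same site, other path
  "https://BANK.example/",                          // same site, other case
  "https://bank.example.account-verify.test/login", // real name used as a subdomain
  "https://bank.example@phish.test/login",          // real name before the "@"
  "https://b\u0430nk.example/login",                // Cyrillic "а" in place of "a"
  "http://bank.example/login",                      // unencrypted copy
];

function autofillDecisions() {
  return pages.map((p) => (findAutofillEntry(vault, p) ? "fill" : "refuse"));
}

console.log(autofillDecisions());
```

The four lookalike addresses would pass a quick glance in the address bar, but none of them parses to the saved origin, so nothing is filled.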

Here at SecureMac, we highly recommend 1Password, which is one of the best password manager apps available. Other options include LastPass and iCloud Keychain.

Make sure you’ve got the right number before calling tech support. A relatively new type of scam has emerged in recent years that walks a hazy line between something legitimate and flat-out fraud. The scam companies all offer some form of online technical support, with varying degrees of legitimacy, and always charge a fee for their “services.” The biggest problem is the way these companies advertise themselves.

What they’ll do is buy a bunch of ads on sites like Google, designed to specifically show up when a user searches for something along the lines of “Adobe help desk number” or “Apple technical support.” The ad will include a 1-800 number to call and is worded in such a way as to appear to be the actual support number for whatever major company the user is searching for. While these scam tech support services generally have fine print listed on their site stating that they aren’t officially affiliated with Apple, Microsoft, etc., they’re not exactly up front about it and rely on user confusion when someone calls them thinking they’re getting ahold of the actual company whose product they’re looking for support with.

When a user calls them for support with their computer hardware, software, and so on, they’ll usually go through some basic “troubleshooting” steps (sometimes real, sometimes fake) and charge the user a fee to solve the problem they’re encountering (again, sometimes they’ll actually fix the problem, other times they’ll just say they did — or the problem was non-existent in the first place). If you look up any of these scam tech support companies on the Better Business Bureau website, you’ll see complaint after complaint that users’ problems reappeared (or were made worse) after they paid for the supposed “support” services.

Most of the time, major companies will provide at least some technical support services free-of-charge for existing customers, and if there is a problem that requires payment, legitimate companies will provide a guarantee that they actually solved the problem you were encountering. So, the bottom line is that you shouldn’t call a 1-800 number just because it appeared at the top of your search results in Google (which are often just ads that look like search results). Instead, go to the official website of the company who makes the product you need support for, and locate the helpdesk/support information directly from the company itself.

Don’t believe those pop-ups. Along a similar line to the previous item, an emerging threat is the use of pop-up alerts to scare users into thinking they are infected with malware, that their computer is on the verge of crashing, or some other dire event is about to unfold unless they download some program or call a 1-800 number to fix the supposed “problem.” And of course they’ll want to charge a fee for their services. These pop-ups can seemingly appear at random while you’re surfing the web, but are generally coming from a malicious ad on whatever site you’re visiting. They are especially prevalent on torrent search sites and sites claiming to stream movies that are still in theaters for free.

Don’t believe random pop-ups telling you that your computer is infected or about to crash while browsing the web. If some random “security” pop-up appears and it isn’t coming from a legitimate security program that you had previously installed on your computer (or if you’re not specifically running security software on your computer in the first place), you can safely ignore it as a scam. This is doubly true if the pop-up is telling you that you need to download some security software or call a 1-800 number to save your computer. The one exception is Google’s malware site security warning, which appears when you are trying to access a website that has been known to distribute malware in the past. In any of those situations (including the legitimate Google malware site warning), simply close the pop-up or website and go on with your web browsing as normal. There’s nothing actually wrong with your system.

What to do when your browser is “locked.” Some of the more aggressive pop-up scams take things a step further, and try *really* hard to make you think that your computer is actually infected with a virus. They’ll make the webpage take over the entire screen and continually spawn pop-up messages telling you you’re infected (when you close one pop-up, another one will immediately appear). Sometimes they’ll even have a computerized voice reading a warning message over your computer’s speakers, which can be unexpected and annoying. Above all else, the scammer’s tactic in this situation is to make it so you can’t use your web browser for anything else (unless you call them for help, of course). So, what do you do when you encounter a “locked” web browser?

The first thing to note is that you should never call the 1-800 number or visit the website shown in the pop-up, nor should you download, install, or run whatever scammy “security” software they’re peddling. Recent versions of popular web browsers have added an option that appears on pop-up windows, allowing you to block further pop-ups from being shown by that site. However, the scammers are constantly trying out new tricks and tactics to avoid being blocked, and it’s a constant cat-and-mouse game between the scammers and browser companies, so sometimes that way of stopping the pop-ups from appearing doesn’t work.

Since most browsers are configured to pick up where you last left off every time you launch them, simply quitting your browser and re-launching it won’t do the trick. Sometimes you can force-quit your browser, turn off your wifi to temporarily disable your internet connection, then open your browser and close out the offending webpage. Otherwise, you can fix this issue in Safari (for example) by quitting Safari, then relaunching Safari while pressing the Shift key on your keyboard, which will close the windows from your last browsing session in Safari and thus stop the alert from appearing when you launch Safari. Alternatively, some third-party security and privacy tools can be used to clear out the specific files that your web browser uses to pick up where it last left off, giving you a clean slate the next time you launch your browser, at which point it will be unlocked and you can get back to surfing the web.

One thing to note is that these scam pop-ups aren’t always peddling fake tech support. Other variants of this scam will have pop-ups claiming to come from the FBI, stating that you were doing something illegal online and need to call a number or visit a site to pay a fine if you want to avoid jail time. If you’re actually doing something illegal online, the FBI does not show you annoying pop-up messages; they come and arrest you instead.

Ok, that’s it for this episode! If you keep the information presented here in mind while you’re checking your e-mail or surfing the web from day-to-day, you’ll be better prepared to spot and avoid online scams. You’ll have peace of mind knowing how to identify which pop-ups you can safely ignore, and keep the contents of your bank account out of the hands of internet thieves!
