Staying Cyber Safe During The Lunar New Year

The Lunar New Year will be upon us soon. It is a time for reunions and new beginnings, with some making new resolutions, travelling overseas for a holiday, giving themselves or their house a makeover, and buying new accessories for themselves. It is also the time for traditional gifting - hongbao or red packet with cash for friends, family members, relatives and even the less fortunate. Due to the pandemic, e-hongbao has become a popular choice, where the gifting is performed electronically in place of the conventional red packet.

Although some countries have opened their borders to foreigners with Vaccinated Travel Lane (VTL) arrangements, travelling to other countries is still largely inconvenient, with some countries requiring travellers to have a negative COVID-19 test result, and/or to take a Polymerase Chain Reaction (PCR) Test or Antigen Rapid Test (ART) and have proof of vaccination against COVID-19 at the point of arrival. Hence, it is difficult for retailers to expect high sales turnover from overseas holidaymakers. As such, retailers try to come up with attractive packages for online shoppers, hoping to boost their sales in the lacklustre economy that COVID-19 has brought about. Online shopping is thus preferred as it provides the convenience of getting our shopping done through our digital devices without the need to travel out of our house or country.

Cybercriminals and fraudsters are likely to capitalise on such opportunities and try to come up with new ways to steal our money or data. An example would be sending direct messages on digital platforms offering discounts [1]. Even if web application owners, e.g. retailers, social messaging platforms, and financial institutions, have taken steps to build security features into their websites and mobile apps, many of us do not check the security status of the mobile app or website before proceeding with our transactions. Hence, we are exposed to the risk of online threats and data breaches when we share sensitive information online while we shop.

 

What should we do or look out for to have a safer online shopping experience?

 

1. Stop and think twice before clicking on that link, even if it appears to be from people you know

Huge price cuts for products and services from your preferred retailer/telco, or emails purporting to be from reputable courier companies advising of a shipping update, are common tactics used by cybercriminals or fraudsters to lure their victims into clicking on a link. These links are often malware-laden or lead to phishing sites. Once the target clicks on the link, malware or a virus may be unleashed on their device, resulting in the theft of the target’s information. Emails or links that seem suspicious, whether from known or unknown senders, should not be opened. Personal and/or financial information should never be shared through links sent via an email. When a deal sounds too good to be true, it probably is.

 

2. Transact only with reputable retailers and websites starting with https://

The additional ‘s’ in https:// indicates that the website has been secured by a Secure Sockets Layer (SSL) Certificate and that encryption has been enabled to protect your data and transactions. However, this does not mean that your transaction is entirely secure. Ensure that the secure site has a lock symbol beside the Uniform Resource Locator (URL) and that its certificate is signed by a reputable Certificate Authority before carrying out any transactions.

Figure 1: Example of a website starting with https:// and signed by a reputable Certificate Authority

 

Try to pay by credit card rather than debit card if possible, as debit cards do not provide the protection that may help to reduce your liability in the event of fraud. Alternatively, some financial institutions offer disposable virtual cards for online transactions, which could also be a better option than using a debit card.

Phishing sites are increasingly using HTTPS as well to masquerade as legitimate sites. Thus, do not rely solely on the HTTPS connection as an indicator of a legitimate website.
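The point above, that an https:// link says nothing about who operates the site, can be shown with a small link check. This is an added example, not part of the original article; the trusted host list, warning labels and sample URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: hosts you have typed in or bookmarked yourself.
TRUSTED_HOSTS = {"shop.example.com", "bank.example.org"}

def _is_ip(host):
    """True if the host is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_link(url, trusted=TRUSTED_HOSTS):
    """Return a list of warnings for a link; an empty list means none fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # Text before '@' is login info, not the site that will be contacted.
        warnings.append("userinfo-in-url")
    if _is_ip(host):
        warnings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    on_list = any(host == t or host.endswith("." + t) for t in trusted)
    if not on_list:
        warnings.append("host-not-on-trusted-list")
        if any(t in host for t in trusted):
            # A trusted name used as a prefix of someone else's domain.
            warnings.append("trusted-name-embedded-in-other-domain")
    return warnings

# Constructed sample links; the last two are HTTPS and still raise warnings.
SAMPLES = [
    "https://shop.example.com/cart",
    "http://shop.example.com/cart",
    "https://shop.example.com.deals.example.net/cny-sale",
    "https://shop.example.com@203.0.113.7/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", assess_link(link) or "no warnings")
```

The check only compares the host against names you already trust; it does not replace typing the retailer's address yourself or using a bookmark.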

 

3. Actively monitor your financial accounts and sign up for the alerts offered by your financial institutions

Messages posing as transaction updates from your bank account or credit card are a common tactic used by cybercriminals or fraudsters to lure their victims into clicking on a link. Do not blindly click on any links that appear to be sent by your financial institution, alerting you to a transaction that you have never performed or requesting that you change your account password. Always stop and look carefully at the sender’s email address, and double-check your transactions by logging in directly to your bank account from the financial institution’s official website. You should sense that something is amiss if the email you received from your so-called financial institution was not sent to the email address that you have registered with them. You should also check your financial statements regularly and report any discrepancies to your financial institution immediately.

 

4. Secure your home Wi-Fi

Changing the network’s name (SSID), keeping your router software patched, setting a strong password and enabling WPA2/WPA3 encryption are the minimum steps to keep your home Wi-Fi network safe from eavesdroppers and data thieves. Administrative access to your network should also be enabled to prevent rogue users from using your network and compromising your devices. Turning off Universal Plug and Play (UPnP), remote management and Wi-Fi Protected Setup (WPS) further reduces threats from the internet.

 

5. Treat all Wi-Fi hotspots and public computers as compromised

Public Wi-Fi and computers are never secure. Information that is transmitted over unsecured wireless networks may be accessible to other users on the same network. Cybercriminals can make use of hacking tools that are freely available online to hijack your session and grab your personal details and login credentials. Hence, you should avoid using them to conduct transactions such as banking and shopping online. Do not allow your devices to automatically join wireless networks, as you may unknowingly connect to an insecure or fraudulent hotspot.

 

6. Update your software and operating system

Always patch your computers and mobile devices and keep the software and operating systems up to date. Keeping your devices up to date makes them more resilient against bugs and hackers. The time spent on patching is small compared with the inconvenience and time needed to repair your compromised devices and the repercussions of data loss.

 

7. Update your anti-virus software

The links sent by cybercriminals may contain malicious payloads. Anti-virus updates contain the latest files needed to combat new viruses to protect your devices. Keeping your anti-virus software up to date allows your anti-virus to respond rapidly to new malware infecting your devices.

 

8. Use a password manager and two-factor authentication to protect your online accounts

It can be a hassle to keep track of different complex passwords for your accounts. A password manager not only helps to manage your passwords securely, it also makes them difficult for hackers to guess. Two-factor authentication thwarts the hacker’s attempts as it generates a different password each time you log in, thus keeping your account more secure.

 

9. Disable Bluetooth, wireless and Near Field Communications (NFC) when not in use

Leaving your Bluetooth, wireless and NFC switched on when not in use offers opportunities for cybercriminals to connect to your devices. This could expose you to threats such as eavesdropping on conversations and/or data, malware downloads, pairing with your device to steal or compromise your data, and denial of service. Moreover, Bluetooth devices may not be patched in a timely manner and may be exposed to vulnerabilities like BrakTooth [2]. Hence, disabling Bluetooth, wireless, and NFC when not in use is greatly recommended.

 

10. Do not share your Personally Identifiable Information (PII) online

Sharing your PII online makes you an easy target for identity theft. Cybercriminals can make use of your PII to commit cybercrimes such as tax fraud, or to carry out fraudulent activities and compromise your accounts, which can lead to severe reputational damage. Hence, think twice before sharing your PII with retailers or online merchants, e.g. for that lucky draw ticket or discount voucher. Ask yourself if you really need to share that piece of information with the organisers.

 

Conclusion

Everyone can be a potential target. The Cyber Security Agency (CSA) has also launched programmes [3] and created brochures/flyers [4] to increase cyber awareness amongst internet users. We should therefore take steps to ensure that we stay safe digitally, not just during the festive period but every single day. With people increasingly pivoting to smart homes, it is of utmost importance that we learn how to secure our devices, set strong passwords with multi-factor authentication, and exercise caution when performing any online activities.

 

References:

[1] https://isc.sans.edu/forums/diary/Phishing+Direct+Messages+via+Discord/28114/

[2] https://www.braktooth.com/

[3] https://www.csa.gov.sg/gosafeonline/go-safe-for-me/homeinternetusers/bettercybersafethansorry

[4] https://www.csa.gov.sg/gosafeonline/Resources/Flyers-and-Brochures