A healthy dose of skepticism is key to online safety. If you find that a little hard to believe, good.
Skepticism is only half the story. The other half is protective software. Once you protect your computer, make sure you don't inadvertently override it by making human errors. Let the answers to these six questions guide your online activities.
6 safety questions:
1. Where am I?
If you are on your home computer, check to ensure you're protected: Do you see your firewall icon? Have you updated your antivirus software and run a system scan recently? If you are using your computer on the go, are you on an encrypted wireless network?
If you're not on your computer, then hold off on shopping, creating accounts and logging into financial sites. When using a public computer you have no assurance of safety. So whenever possible, only use public computers for surfing, never shopping or otherwise entering personal information.
If you're just going to surf or play a game, "You should be able to do that with perfect safety," says David Marcus, security research and communications manager at McAfee. On the other hand, accessing work files or sending sensitive documents by e-mail on a public computer may not be a good idea. "If there is job or financial information on there, you have to determine if you would want to potentially expose it," he says.
If you must conduct private business publicly, know the dangers and be extra vigilant after you leave. One of the main dangers of entering sensitive information into a public computer is that someone may have installed a keylogger onto the machine that tracks your keystrokes during log in. Jennifer Leach, consumer education specialist at the FTC, shares this homemade encryption solution to foil keyloggers: Have several browsers open at once and hop between screens as you log strokes, only feeding in one or two characters per screen until you've finished logging in.
"It takes a long time, but I've been doing that at the library and when using public Wi-Fi at hotels or in coffee shops," she says. "Never put your personal financial information on a public computer."
Of course, the old rules of public surfing still apply as well: Close all browser windows when you are done so someone can't hop on the computer after you are gone and get into your accounts. And watch out for shoulder surfers, just like at ATMs.
As wonderful as encryption and security software are, we can override them through our own behavior, which is why the next questions come in handy.
2. How did I get here?
Surfing is a fairly safe practice from an identity protection standpoint, but once you start logging in or disclosing personal details, you'll need to proceed with caution. Be aware that information thieves will try to shuttle you off to fake sites via links in e-mail where they prompt you to divulge personal information. The practice is called phishing, and it's not the relaxing pastime of its homophone.
It's not often someone casually browses to one of these dangerous sites, according to Mark Sunner, chief security analyst at MessageLabs. "In almost all situations, the links come to us in e-mail. What we have noticed, certainly over the last 18 months, is that these messages are becoming much more tailored and targeted to their recipients," he says.
Take control of your online experience and always enter URLs yourself rather than clicking links before entering personal information. If a site is asking for financial information, make absolutely sure that you are the one who initiated contact, advises PayPal spokeswoman Sara Gorman.
"If you are signing up for an online account, whether it be a financial account or an e-commerce account, always open a new browser and type in the Web site you are trying to visit. Never follow a link and then disclose financial information," she says.
Just to give you an idea of the prevalence of this threat, Sunner says that one in every 99 e-mails heading to the corporate community contains a phishing identity theft attempt of some description, and he estimates a similar threat level for home users.
"That is almost the highest that we have ever tracked it, pretty much since tracking began," he says.
Not only are phishing attacks increasing, it's getting harder to spot the fakes. As people wise up to spam, phishers are getting more sophisticated, targeting the recipients and sometimes including bits of personal information in the e-mail.
"Nowadays, if we intercept a particular phishing run that is purporting to come from a particular bank, increasingly we've noticed that the addresses that it's heading toward actually may use that bank," Sunner says. He also reports that it's becoming more common for phishers to reference people by full name and in some extreme cases include their address or postal code.
"There are a lot of e-mails going around that ask for personal information or that appear to come from your bank or your ISP or your payment site," warns the FTC's consumer education specialist Jennifer Leach. "Those are never real. Legitimate companies will never e-mail you and ask you for your account number or your Social Security number, and anyone who does is trying to scam you."
"The first thing to keep in mind is that just because an e-mail is addressed to you personally, doesn't lend it any more credibility," Sunner says. "In fact, expect to see more of it as the bad-guy community continues to plunder the rich sources of information that are out there about us," he says.
Sunner is referring, in part, to social networking sites, where we willingly disclose all sorts of detailed, personal information about ourselves that can be useful to identity thieves. More on that in the next question.
3. Who's asking?
These days technology goes a long way toward protecting you, but it's often not a lack of technical knowledge that exposes us to thieves. It's our own willingness to lay out our personal details to anyone who asks, and even those who don't. Loose lips used to sink ships; now our fingers fire away, freely spilling important bits of information and causing our own downfalls.
Consider the source of any request for information to determine whether the request seems appropriate.
"A lot of what we see now is people exposing too much information to Web sites that require sign-ins or want to know a lot of information about you as a user," says David Marcus, security research and communications manager at McAfee. "If a Web site is asking for Social Security information, that's just inappropriate unless it's (a) bank or something like that. People need to question why and not just take it at face value."
Some people find therapeutic benefit in pouring their hearts and souls out to strangers or looking for connection online, but you should mete out even seemingly trivial personal information sparingly. The information you freely give up about yourself online can help thieves guess your passwords or "confirm their identity" as you on your existing accounts.
To combat this, be sure to use strong passwords not related to personal information, and don't reveal the answers to security questions online.
Think about the "security" questions banks often challenge you with. None of those things would be smart to share with others online. The worst challenge most banks may throw at you over the phone to establish identity would be your name, address, date of birth and perhaps your mother's maiden name.
According to Mark Sunner, chief security analyst at MessageLabs, spyware often tracks the particular banks people use as well as their addresses, but users themselves fill in the missing blanks when they divulge personal information.
Social networking plays a big part, maintains David Miner, senior director of Symantec's Financial Services Industry Solutions. "The bad guys are becoming very good at leveraging the technology on social networking sites like Facebook to glean your information. It's no longer the big attack that most people hear about, it's very quiet; you may or may not know that your information has been stolen."
"We forget that there is a bad element out there and an awful lot of information is now publicly accessible, very, very up-to-date and that in turn can then be used against us," Sunner says.
4. Does it look safe?
Obediently filling in a page without scrutinizing it first is a sure-fire sign that we've dropped out of the questioning mindset. After typing in the URL but before entering financial information, look at a few things:
Has the site been flagged as unsafe or iffy?
Pay attention to warnings that your browser or toolbar plug-in gives you about the safety of a site. Even though it's not always spot-on, use extra caution if a site has been flagged as questionable.
If you're running one of the newer browsers, security components might be built right in. "A lot of those, like IE7 (Internet Explorer 7) in particular, have anti-phishing filters," says PayPal spokeswoman Sara Gorman, "where they'll put up a warning if they detect that you are going to a site that's already determined to be fraudulent, saying 'warning, do not enter your personal information on this site because it is known to be a fraudulent site.' They make it very hard for you to give up your information to a fraudster."
Even if your browser doesn't come equipped with added security tools, there are plug-ins available. According to David Marcus, security research and communications manager at McAfee, tools such as McAfee's free plug-in SiteAdvisor are a very important additional step that's complementary to anti-malware security software.
"We scan the Internet daily, looking at sites from the point of view of user behavior," Marcus says. "We engage the site in every behavior that a user might: opening a browser, did it try to exploit the browser, did it try to exploit security settings; clicking on the links, do the links try to download malware onto the machine; do sign up forms result in the creation of spam? If it engaged in bad activity, if it links to malware or other bad sites, we give it a red.
"Technologies that engage and check out sites before you actually go to the site are going to be very important in the future."
Is the site encrypted?
Whenever you transmit sensitive data, it must be encrypted. There are a few ways to make sure the site you are on is encrypted, but the simplest is to look for an "s" after the "http" (e.g., "https") in the URL. "In some browsers, you look for the little lock icon to be locked. Unfortunately those aren't foolproof because you can spoof those," says Jennifer Leach, consumer education specialist at the FTC.
TIP: The other way to check the encryption of any Web page is to right-click on it and click properties and that will tell you if the connection is encrypted.
5. What do I know about them?
Unless you've shopped with a company before, do your due diligence. There is nothing magical about the Internet that protects you from an unscrupulous online merchant over the shady vendor on the corner. You have to know who you're dealing with and get a sense of whether you can trust them before you start giving them your personal information or money.
PayPal spokeswoman Sara Gorman says: "If something seems a little fishy, it probably is. If you wouldn't feel comfortable making a transaction in the offline world, you shouldn't do it in the online world either just because you may get a great deal."
HOW TO: Do a quick online search on the company before you initiate a transaction to see if customers are complaining about their service. Also, look to BBBOnLine for safe vendors, or the Better Business Bureau at BBB.org, for reports on 3.8 million businesses in the U.S. and Canada.
If the vendor has received any industry stamp of approval, all the better. The BBBOnLine is a subset of the Better Business Bureau specifically geared to highlight reputable vendors in the online space.
"BBBOnLine gives a seal of trust linked to company information," says Steven Salter, vice president of BBBOnLine. "There you know the company has been researched and we'll explain what information they'll collect and how it will be used. They've also agreed to a complaint resolution protocol."
Keep in mind that the BBB seal, as with any stamp, can be spoofed. As a matter of course you should look for a vendor's privacy policy so you'll understand how your personal information is used and look for contact information including a physical address and phone number. If you're really cautious, perhaps try corresponding with a vendor before placing an order to see how responsive it is.
6. How do I pay it safe?
If a company wants to be paid in cash or will only let you go through a particular escrow service, don't complete the transaction. Use credit cards or credit-based payment services, which give you the best consumer protections online, or use a reputable escrow service for larger purchases.
Steven Salter, vice president of BBBOnLine, says: "Be careful in the way you pay. Folks should never pay cash. When you're dealing with an individual, it's unwise even to pay by check."
Jennifer Leach, consumer education specialist at the FTC, recommends credit cards or credit-based payment services over a debit card because a thief who gets ahold of them won't be able to clean you out.
"Never pay by check, wire transfer or cash," she says, "because if something goes wrong, you will never get it back. Whereas if you pay by a credit card or payment service, you have some rights."
For those who still feel uncomfortable giving out their credit card information online, a payment service might be the way to go. PayPal spokeswoman Sara Gorman explains that credit information is only entered once at PayPal: "When a consumer buys something online, all that merchant sees is the consumer's shipping address and e-mail information. They never get the credit card number or the bank account number."
Rest assured that there is help available if you run into a snag. "If folks do run into a problem with a business or get scammed, we'd like to help with that," says Salter. "They can turn to the BBB for information and at BBB.org, we take complaints. Folks sometimes think we only take complaints about our own member companies, but that's not the case. We'll try to help get it resolved."