Updated on: December 17, 2024
From free VPNs to popular messaging platforms, some of the most popular tools and habits you trust might actually be putting your data at risk.
In this interview series by Safety Detectives, I invite cybersecurity experts to reveal the most dangerous mistakes millions of people still make, and their top tips to avoid them.
My guest today is Greg Reber, CEO and Founder of AsTech Consulting, a leading provider of information risk management solutions for various sectors, including finance and retail. Before founding AsTech, Reber worked as a Senior Security Consultant at Wells Fargo. He also was a Partner at Moss Adams, managing the Cybersecurity practice.
Are there any cybersecurity habits or apps that most people consider safe but should avoid at all costs, and why?
Lots of people still visit unsafe sites because they “look OK”, and open dangerous attachments in emails. They probably don’t know that, already in 2023, over 90% of all phishing websites were using a valid SSL certificate, according to the Anti-Phishing Working Group (APWG).
One of the utilities I recommend is Virustotal.com, which will provide many (up to 100) security vendors’ opinions on the security of URLs and files.
People also use the same email username and password for many different login credentials. If one site is breached, these credentials are then sold many times over on the Dark Web. According to Google Cloud’s 2023 Threat Horizons Report, 86% of data breaches involve stolen credentials. This risk grows exponentially if you reuse the same credentials on all sites and apps.
Using a utility called HaveIBeenPwned.com will tell you immediately if these combinations have shown up in reported breaches. Additionally, a password manager is quick and easy and only requires people to remember one username and password (just don’t forget it!).
Then there are mobile phone attacks, where The Bad Guys send URLs to your mobile. Two things here:
- Unless the sender is verified, never go to a link in a phone message
- I’m getting messages at least once a week now from someone asking if this is the right number for JoeBob (not my name). DELETE these, don’t answer them. The Bad Guys are just seeing if the number is an actual one.
Can you share an example of how these mistakes caused significant damage, and what could have prevented it?
An example of visiting unsafe websites happened when multiple Wells Fargo Bank customers received an email telling them their account had some security issues and they needed to visit the website “using the link below” in the email…
Well, it’s quite easy now to tag text as a URL, like ‘www.wellsfargo.com’, but make the actual URL ‘www.TheBadGuys.com’, which redirects to a fake login page where you will put in your actual credentials. The Bad Guys ‘harvested’ the credentials, went back to the bank’s real website, logged in and moved money to external accounts.
Simply not clicking on a URL in an email would have prevented this.
Why do people keep falling for these mistakes, and how can they spot the red flags?
People really, really like convenience. Really!
Spotting red flags:
- In emails roll the mouse over the highlighted URL text and see what site comes up
- Look for strange text and wording in emails and text messages, e.g. “We notice strange happenings within the account that is yours. Please click in the proper location to fix the issue.”
We trust too much and we’ve got to stop that. Get into the habit of checking things out before jumping in. The Bad Guys are getting very good at making you feel safe because they may have some information about you that only a trusted source would have.
Always be suspicious.
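The mismatched-link trick described in the two answers above (the visible text reads as one site while the real link goes to another) is exactly what “rolling the mouse over the URL” reveals, and it can also be checked mechanically. The following is an added example, not part of the interview or of AsTech’s own tooling; the e-mail body it scans is constructed for illustration and modelled on the bank phishing story.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that reads like a URL or bare domain, e.g. 'www.wellsfargo.com'.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)

def hostname(value: str) -> str:
    """Lower-cased host of a URL or bare domain, with any leading 'www.' removed."""
    if "://" not in value:
        value = "http://" + value  # a bare 'www.example.com' has no scheme to parse
    host = urlparse(value).hostname or ""
    return host[4:] if host.startswith("www.") else host

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html: str) -> list:
    """(visible_text, shown_host, real_host) for each anchor whose text looks like a
    URL/domain but whose href points at another host; 'click here' text is skipped."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        if DOMAIN_LIKE.match(text):
            shown, real = hostname(text), hostname(href)
            if shown and real and shown != real:
                hits.append((text, shown, real))
    return hits

# Constructed sample body: one deceptive anchor and one honest one.
SAMPLE_EMAIL = """<p>Your account has security issues. Please log in at
<a href="http://www.TheBadGuys.com/login">www.wellsfargo.com</a> or
<a href="https://www.wellsfargo.com/">https://www.wellsfargo.com/</a>.</p>"""

# Only the first anchor is flagged: its text shows wellsfargo.com but it links elsewhere.
FLAGGED = mismatched_links(SAMPLE_EMAIL)  # -> [('www.wellsfargo.com', 'wellsfargo.com', 'thebadguys.com')]
```

The check deliberately ignores anchors whose text is not URL-like (“click here”, “Verify now”); those still need the hover-and-read habit the interview recommends.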
If someone wants to strengthen their online security and privacy, what are five steps they should take today?
- Use a password manager
- Check suspicious URLs and files on Virustotal.com
- Check your email address(es) on HaveIBeenPwned.com – there’s a very good description of breaches that may affect you
- Only download apps that have been certified by Apple if using iPhone, and Google if using Android
- Don’t take your cellphone or computer to some countries. Just don’t. China comes to mind.
- Double check before clicking on any URL.
What opportunities and challenges should people prepare to face in 2025? What should users start doing today to prepare?
Be aware of the shortfalls of AI-generated information. AI chatbots are having ‘hallucinations’ more often than people think. This is when the AI makes something up that is just plain wrong. This will probably increase as AI platforms use AI-generated information as they ‘learn’ – and they are learning from hallucinatory information.
Get used to the fact that The Bad Guys already have a wealth of information about you – literally. There have been so many large scale breaches that we now live in a world where secrets aren’t secret anymore.
But remember, just because someone knows an address you’ve used in the past or your dog’s name, it doesn’t mean they aren’t out to scam you. If you haven’t already, freeze your credit so no one can apply for credit in your name.
If an online or mobile application is offering Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA), USE IT. The minor inconvenience of one more step is more than worth the added security.
How can our readers connect with you?
Website: www.AsTechConsulting.com
LinkedIn: linkedin.com/in/gregoryreber
X: @greg_reber
Data sources:
https://apwg.org/trendsreports/
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf