From 15 October to 25 October 2019, the Cybersecurity Week takes place in Luxembourg. With this occasion, we have created a series of articles aiming to promote best practices in using trust services and their associated devices (token, smartcard, scan or signing stick). The first two posts will cover six basic behaviours to adopt or get rid of in order to better protect your electronic identity and reduce the risks of (cyber)criminals appropriate your sensitive data. Here are the first two:
Cyber-criminals are getting more and more devious in finding new ways of deceiving users and getting access to their electronic data. Phishing (a cyber-method to collect personal information for personal gain through emails and websites) has now extended to SMSes or even phone calls. The scams have become so sophisticated that you need a very good eye for detail to tell the difference between what is real and legitimate and what is fake and unlawful.
Here are some red flags to look out for when receiving emails, SMSes or calls:
- You receive an “out of the blue” message from the trust service provider urging you to perform what seems to be a very common action (to update your personal data, to log into your account, to pay an invoice etc).
- This action always involves inserting or sharing your personal data and credentials (user name and password) directly via email or on a webpage.
Bear in mind that trust and protecting privacy are the core values of any trust service provider, so it will never ask you to share your password and username, not even in a situation that seems to benefit you. Your password and username are confidential and must remain as such under any circumstance.
- The message is generic; it does not start with your name. Other times, the text is missing completely; you will receive just a link which contains the name of the company.
- The overall look of the message is familiar to what you are used to see. Here the details make the difference. It may contain some spelling errors, weird symbols that would not normally be in an official communication (like the brand name misspelled, a weird email extension, slightly different brand colours etc.).
Companies are very keen on their brand identity so they will never afford to make a mistake in their brand name or change their core visual elements overnight, including website address. Also, they are quite predictable in their way of communicating with customers. The communications are sent during business hours, from the same address which matches with its brand name and are very rarely unsolicited.
If you identify any of the red flags above, do not reply to the message, do not click on any links and do not open any attachments. Contact your trust service provider immediately; they will advise you on the next steps.
By use, we mean to access the website only by typing letter by letter the name directly in the browser. This is valid for sending emails as well. Try to avoid using the auto fill function in the URL search bar or in the “to” section of an email. This way you can avoid entering a very similar, but fake website or engaging in a correspondence with a fake contact. If you got the trust service or device through your bank, call your bank agent.
In case you still click on the link for time and convenience reasons, verify that it is a secure connection before you engage in any actions. For this, check the URL bar. The website link should start with HTTPS (which is a security protocol that uses encryption and authentication), not HTTP (which is an unsecured protocol). Sometimes, the browser may alert you that the connection is unsecured, but you cannot always rely on this. If the website is trusted and secured, the “padlock” icon will appear in the URL bar, as shown below. It is a tiny visual cue that helps you identify whether the website is genuine and official. LuxTrust’s website and its related pages will always bear this security mark.
Next Thursday, we will go over four more best practices in using trust services and devices that will ensure your electronic identity remains protected, minimising the risk of unauthorised persons gaining access to your online transactions or assets.