Home + Mobile

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

3 reasons even Chromebook™ devices benefit from added security

Google Chromebook™ devices could rightly be called a game-changer for education. These low-cost laptops are within financial reach for far more families than their more expensive competitors, a fact that proved crucial with the outbreak of the COVID-19 pandemic at the beginning of last year.

During that period, Google donated more than 4,000 Chromebook devices to California schools and the sale of the devices surged, outselling Macs for the first time. They made remote learning possible for thousands of students who otherwise could have been quarantined without connections to the classroom. According to Google, 40 million students and educators were using Chromebook computers for learning as of last year.

Momentum is unlikely to slow anytime soon, especially since the Chrome operating system will now be the first many students are exposed to. The respected technology blog TechRadar has even referred to 2021 as “the year of the Chromebook.”

As a cybersecurity company, we naturally wonder what widespread use of Chromebook devices means for the online security of the general public. The good news is Chromebook security is pretty good compared to other devices and operating systems. Some interesting features like frequent sandboxing, automatic updates and “verified boot” go a long way to improve Chromebook security.

But the fact is, even Chromebook computers benefit from supplemental security. Here are a few of the reasons why.

  1. Users, especially new ones, make mistakes

There are several common user errors that put users, their personal information and their devices at risk. Many third-party security solutions are designed to account for exactly this type of behavior. Even strong security can’t prevent an account from being hacked if account credentials are stolen in a phishing attack, one of the most common causes of identity theft.

In 2020, phishing scams spiked by 510 percent between January and February alone. Scammers used the beginning of the pandemic to spoof sites like eBay, where in-demand goods were being bought and sold. In March, as lockdown went into full effect, attackers began targeting users of YouTube, HBO and Netflix at unprecedented rates.  

In short, phishing scammers use current events to target vulnerable users, like those who are inexperienced, compulsive or still developing critical thinking skills – traits that apply to many school-aged children.

To combat phishing scams, it helps to have filters that can proactively alert users if there’s a high chance that a form field or website is likely to steal credentials. Security companies can do this by determining the likelihood a site isn’t what it seems based on its connection to other dishonest sites. This information, known as threat intelligence, can help proactively warn when a user may be headed for danger.

2. Fake apps are still cause for concern

There are plenty of examples of bad apps and sketchy Chrome extensions being downloaded from the Google Play Store. They vary in their seriousness from annoying, like constantly pushing ads to young users, to serious, like serving banking Trojans that target users’ personal financial information.

The Chromebook sandboxing feature will defend against many of these so-called “malicious apps” from invading devices through things like popular mobile games, but some will likely find ways to avoid the feature.

In the same way that threat intelligence can help proactively determine if a site is likely to be a vehicle for phishing attacks, it can also help determine if an app is likely to be malware disguised as an app based on how closely its related to other malware on the web.

3. Web-borne malware remains widespread

The internet is littered with unsafe websites that host viruses, malware, ransomware and other online threats. Some can slip spyware – malware that tracks a user’s online movements – onto devices without a user, especially an inexperienced internet user, noticing.

The Chromebook verified boot feature can help to disable these threats – if a user knows they’ve got one on their device. But many types of malware aren’t immediately obvious. They can operate in the background, perhaps collecting data on user’s habits or logging their keystrokes to try to steal passwords or other sensitive information.

Here again, warning users of threats in advance can make the difference between addressing an infection and avoiding one altogether. By providing advanced warning of a risky website or a suspect browser extension, a good antivirus solution can stop an infection before it happens. Think of it like maintaining a healthy immune system through diet and exercise to keep from coming down from the common cold.

Protecting vulnerable users from internet threats

It’s hard to be too cautious on the web, especially with users who are just starting to use it to study, learn and explore. There are security gaps in any operating system, so it helps to layer defenses against multiple types of threat.

When facing dangers like identity theft and spyware disguised as an addicting mobile game, it helps to have a little insider information on the “bad neighborhoods” of the internet.

Interested in powerful protection designed to keep you safe while you work, study or browse on Chromebook devices? Check out Webroot® Security for Chromebook™ here.

Even with great device security, that’s the helpful information Chromebook users miss out on without installing a strong third-party antivirus solution.  

Webroot top performer among security products in PassMark® Software testing

Webroot put forward another strong performance in its latest round of independent third-party testing, besting all competitors and taking home the highest overall score. In taking the highest score in the category for 2021, Webroot beat out competitors including BitDefender™, McAfee® and ESET® endpoint security solutions.

In the report, the company conducted objective testing of nine endpoint security products, including Webroot® Business Endpoint Security. Tests measured performance in 15 categories including:

  • Installation size
  • Boot time
  • CPU usage during idle and scan
  • Memory usage during idle and initial scan
  • Memory usage during scheduled scan

Webroot stood out in several categories in addition achieving the best overall score. Some categories were won by a wide margin.

Consider installation time for instance. Webroot completed installation in just over four seconds, while the next fastest installation time was more than 17 seconds and the average for the category was over 162 seconds.

According to PassMark, this metric is important because “the speed and ease of the installation process will strongly influence the user’s first impression of the security software.”

Installation size was a similar case. It is an important metric because as PassMark puts it, “In offering new features and functionality to users, security software products tend to increase in size with each new release.”

Webroot also took home top honors when it comes to memory usage. In both memory used while idle and during scan, Webroot was the least impactful to system resources.

The reason Webroot performed so well in this test is not by accident. By design, much of the “heavy lifting” of endpoint security is done in the cloud. This ensures the highest level of efficacy while also reducing the performance impact at the endpoint. Businesses should not need to sacrifice performance for efficacy.

Additionally, Webroot took the top spot in the categories of memory usage during memory usage during initial scan, memory usage during scheduled scan, scheduled scan time and file compression and decompression.

PassMark® Software Party, Ltd. specializes in “the development of high-quality performance benchmarking solutions as well as providing expert independent IT consultancy services to clients ranging from government organizations to major IT heavyweights.”

Your password is too predictable

Password predictability is one of the most significant challenges to overall online security. Well aware of this trend, hackers often seek to exploit what they assume are the weak passwords of the average computer user. With a little bit of background information, “brute forcing” a simple password is a straightforward undertaking.

How are passwords cracked?

Cybercriminals use computing power to crack passwords with a method known as a brute force attack. With this method, an attacker guesses at the password repeatedly with the help of computer software/scripts. This makes the process automated and essentially effortless for the attacker.

The weaker the password (meaning the easier it is to guess), the quicker an attacker can crack with computing power.

So, how do we combat this?

The problem is password predictability

Passwords can be very easy to guess. Ironically, one factor that contributes to this is one that’s supposed to make passwords safer; the uniform standard most websites impose on users when creating a new password. Typically, sites require a single capital letter, at least 6 charters, numbers and one special character.

Attackers can use this information to guess when and where each character may be using only the predictable tendencies of human users. And because many users create a single password that meets these requirements and use them on multiple sites like Netflix, Facebook and Instagram, getting lucky once can lead to a bonanza for cybercriminals.

Here is an example of a password that would meets the requirements of most websites:

Example1234!

This would be considered “secure” in most cases because it meets the most common internet standard for password creation. Now swap “Example” out for the name of a child or pet, and the easily remembered combination is very likely to be someone’s actual, real-life password. It’s easy for the user to remember, and therefore convenient to use across multiple sites.

Let’s assume a user has a pet named Toby and plug it into the above example format.

Toby1234!

This is not a strong password. Pet’s names, children’s names and birthdays are often easily discoverable, especially by mining social media accounts. An attacker may just need to do a little recon on Facebook to scrounge up a handful of likely options.

Passwords vs. Passphrases

A password is a short character set of mixed digits. A passphrase is a longer string of text making up a phrase or sentence. The important thing to know about passphrases is that, when allowed, they’re far more secure than passwords. The idea that a password should be one word is outdated and retiring it would benefit user security greatly.

A method for devising a passphrase is to simply pick a line from your favorite movie, book or song and mix it with capitals and numbers. If we take Arnold’s famous line “I’ll be back,” we can easily make it into a secure passphrase.

Original: “I’ll be back”

Remove quate marks and spaces, since they can’t be used as password inputs.

Illbeback

Add some capitals: iLLbeBack

Add Numbers: iLL3beBack

And finally, a special character: iLL3beBack$

As a fun test, you can use this password-checking tool to see how long it would take a computer to crack your new creation. How long would it take to crack yours?

For comparison, let’s take one of our simple password examples from above and see how long it would take to crack. We can use Toby1234! (and yes, some people do use such simple passwords).

As you can see, it wouldn’t take long at all.

What about our new passphrase iLL3beBack$

I think we’ll be secure for now.

More tips and tricks for password safety

Using a password manger is the most practical way for making passwords more secure. Users tend to gravitate toward the most convenient solution to a given problem, and password managers keep them from having to memorize a series of complex passwords for different sites. The user can automatically save passwords with an internet browser plugin and let autofill features handle the rest.

Here are some other good rules of thumb for password safety:

  • Use a password generator
  • Use two-factor authentication (2FA) as much as possible
  • Don’t reuse passwords
  • Be unpredictable in password formatting

Don’t let a predictable password come back to bite you. When made up of easily guessable public information, a weak password can be cracked in minutes. Instead, choose a passphrase or rely on one of the many secure password management tools available on the web today.

Another NFT explainer, with a bonus look at the data security implications

“What Bitcoin was to 2011, NFTs are to 2021.”

That’s a claim from the highly respected “techno-geek” bible Ars Technica in it’s wonderful explainer on NFTs, or non-fungible tokens. Since cryptocurrencies were, are and will continue to be impactful technologies, surely NFTs are a topic worth exploring.

They exploded into public consciousness this year as pieces of art, albums, photographs and dozens of other assets were sold in NFT form. Some net their sellers huge profits, many more are ignored or overlooked completely.

Naysayers call NFTs worthless figments of our own imagination, apologists hail them as handy tools for eliminating middlemen and empowering creators. One writer has referred to NFTs as, simply, “bragging rights.”

But naturally, at Carbonite + Webroot, we just wonder how they’ll be used and abused by cybercriminals or if they can be irrevocably lost like the password to a crypto wallet.

Before we dive into that, a brief primer of our own on NFTs.

Non-what token?

An NFT can be thought of as a sort of digital deed. It is unalterable proof of ownership of a unique digital asset. That’s what the “non-fungible” in non-fungible token means: there’s only one, and it’s completely unique.

NFTs use the same blockchain ledger technology to verify uniqueness that cryptocurrencies rely on to prove ownership. A distributed group of devices does the work to vouch for the authenticity of the token the same way it does for a bitcoin.

Except, whereas each unit of a cryptocurrency is mutually interchangeable (1 Dogecoin always equals 1 Dogecoin, for instance), NFTs are designed to be completely unique. They can be programmed with their own rules and directions for use and behavior—even down to how they produce “offspring” in the case of CryptoKitties.

An often used and helpful analogy is to certificates of authenticity (COA) like those used in the art world. For ages artists have put their own unique stamps on their artwork or issued accompanying certificates to testify to the “realness” of the work. This could be in the form of a simple signature or, in Banksy’s case, written sign-off from the Pest Control Office. Think of an NFT as a digital COA or, arguably, an improvement on the concept since it can’t be reproduced or believably forged.

As with any art, the value of an NFT is in the eyes of the beholder. What’s the point of spending millions to own an original digital asset that’s been effortlessly reproduced a million times? Could one ask the same of the Mona Lisa?

The rise (and fall?) of the NFT

Regardless of your answer to these questions, a community of folks already undeniable place a huge value on NFTs. An April 2021 post on GitHub estimated the value of the “CryptoArt NFT” market to be at least $150 million worldwide.

That’s almost certainly an underestimate, since the most expensive NFT ever sold comes from the art world. It’s a work known as The First 5000 Days by the artist known as Beeple and it’s essentially a $69 million JPEG file

And NFTs aren’t limited to fine art. The pro sports, music and meme industrial complexes have all entered the business. Even social media posts are being turned into NFTs; the digital certificate for Jack Dorsey’s first-ever Tweet sold for $2.9 million. So, while anyone interested can easily find it online, only a Malaysia-based CEO of a blockchain company can claim “ownership” of the Tweet that started…all this.  

Can NFTs hold our attention for long? With absurd amounts of money changing hands over a string of digital characters, a lot of people are already wondering if NFTs are a bubble about to burst. Plenty of pundits were speculating about a bubble in mid to late-April, when sales of NFTs lagged. But as shown by nonfungible.com, a company that tracks the buying and selling of NFTs, they were back to brisk business in early May.

Perhaps NFTs are a bubble positioned to pop. Or maybe their values will vary with the cryptocurrencies in which they are mostly bought and sold. It’s certainly been speculated that they’re driving up the price of Etherium. Regardless, it’s safe to say they’re worth getting to know, because they’ll make headlines for some time to come.

NFT theft and a new brand of cybercrime

Not surprisingly, cybercriminals are already redirecting their efforts to the nascent NFT market. In an extraordinary and revealing Twitter thread, one NFT owner documented the experience of having his tokens stolen from a marketplace for digital art. He’s apparently not alone in this experience.

Even less surprising than the theft are the methods used to do it. It seems phishing for users’ passwords to the sites used to buy and sell NFTs is the main method of compromise. Two-factor authentication for accounts managing NFTs is strongly recommended by marketplaces.

Darkreading.com also notes the importance of closely guarding access keys, which are often the only means of managing an NFT. Once a key is stolen—either by phishing, a keylogger or some other means—there’s very little in terms of a realistic prospect of getting it back.

In terms of valuable digital art, NFT theft amounts to the regrettable loss of investment pieces or perhaps just the “bragging rights” akin to owning an original piece of physical art. But if the role of NFTs as proof of ownership expands into the physical realm, as is already being discussed in the real estate sector, NFT security will become critical. It may even have the power to spawn new industrials and criminal enterprises.

NFTs’ massive price tags and novel technological backing make them attractive target for cybercriminals. If the market for their sale isn’t a bubble, it’s possible that the high-profile art heists of the future may be carried out by hackers rather than the suave con men of Hollywood films, and their tools will be phishing attacks and spyware rather than fancy handheld gadgets.

6 Tips for a More Cyber-Secure Holiday Season

In any other year, many of us would be gearing up for airline travel, big family dinners, cocktail hours or potlucks with friends, and much more. But with all the challenges this year has brought in terms of how we work and connect during a global pandemic, I’m guessing all our plans look a little different than we thought they would.

Since most of us are now online more than ever before for work, school, personal connection, shopping, etc., it’s critical that take extra steps to keep our digital selves safe. With that in mind, we’ve put together a list of 6 (ish) tips to help you and your family stay safe online this holiday season, no matter how or where you celebrate it.

1. Watch out for an increase in scam emails and websites

What follows are just a few of the ways scammers may target you this holiday season. We recommend you install easy-to-use tools such as Fakespot, which is an add-on that protects consumers by detecting fraudulent product reviews and third-party sellers in real time, to help you avoid the fakes.

  • Flash sale alerts
    During the holidays, the number of promotional emails you receive is likely to go up as online stores run flash sales. With that in mind, scammers are likely to up their game, mimicking legitimate offer emails and websites in the hopes that your desire for a sweet deal will pay out for them. Use extra caution and don’t click anything in an offer email. Go to the retailer’s official website (type it directly into your browser instead of clicking a link in an email) to help ensure you’re shopping securely.
  • “Free” gift cards
    You may get offers for “free” gift cards to online retailers, such as Amazon, Walmart or Target. Remember: very little in life is free. This is another way that criminals may try to trick you into downloading malware or exposing sensitive information that they can use to steal your money or identity.
  • Fake “missed delivery” notices
    Since 94% of people are shopping online more or about the same as they were pre-pandemic, fake package notifications are another way that cybercriminals may target you. If you receive an email or text message about a missed delivery, be sure to double-check the details, such as the shipper (for example, maybe you’re only expecting a Prime or USPS delivery, so a FedEx notification should throw a red flag), the tracking numbers, etc. And, of course, don’t click or download anything in the text or email message itself
  • Discounts so deep they can’t be real
    If you see an ad or email for a high-ticket item that suddenly costs less than 10% of the regular retail price, it’s practically guaranteed to be 100% fake. Let’s face it: there’s just no way you’re going to get real Ray-Bans for the low, low price of $24.99.

2. Use caution with your charitable donations

It’s the giving season and, thanks to the pandemic, natural disasters, and other current events, there are plenty of people in the world who could use a little extra help. Good on you for contributing to the public good! Unfortunately, not even charities are sacred to scammers, and they will take advantage of your desire to help others.

It’s critical to do your research! We recommend you visit trusted organizations, like Charity Watch, to learn more about the charities you’ve chosen and their efficiency, governance and accountability before committing money. Additionally, be suspicious of aggressive pitches including multiple calls and emails or tactics that require immediate donation. Lastly, never pay by gift card of wire transfer. Use a credit card instead, as it’s easier to track and recover fraudulent transactions.

3. Research your smart devices

When we say “smart devices,” we don’t just mean things like Alexa or Google Home. There are internet-enabled fridges that tell you when you’re low on groceries, let you hear and speak to someone at your front door, function as a baby monitor, and even tell you when your laundry’s done. There are also smart thermostats, garage door openers, light fixtures, and so much more. All of these gadgets form a network of connected devices known as the Internet of Things (IoT). And each one could potentially let a hacker into your home network.

Be selective when it comes to purchasing connected smart home and IoT devices. Choose reputable brands that include security, such as the ability to change passwords and perform firmware updates. Cheaper knockoffs of name brand devices might be easier on your wallet, but they are often designed without security in mind. Additionally, since the business model for knockoffs is typically to turn a profit as quickly as possible, there’s no guarantee the device manufacturer will even be around in a year or two to send out security updates or offer support if your device malfunctions

4. Secure any new tech toys right away

Get a cool new gadget in the family gift swap? (Or buy something awesome just for yourself? Don’t worry, we won’t tell the kids.) Protect that tech investment by installing security right away. It’s not the most exciting thing to do with a new toy, but it’ll help make sure you get to enjoy it without worrying about malicious actors joining in on the fun

5. Use reputable video chatting services to connect with loved ones

When planning your virtual holiday get-togethers, use trusted video conferencing providers like Zoom, who have paid close attention to security issues this year and adapted product defaults to enable safer user experiences. Also, be cautious of any websites that request permissions from your browser to access your camera and microphone. If you get one of these notifications, close out of your browser. Do not engage with the permissions request in any way

6. Remember the basics

We’ve said it before, we’ll say it again. Good online habits are your best defense – and it really doesn’t take much effort to keep yourself and your family safe

  • Use strong, unique passwords for all your accounts and don’t share them. Length is strength, so passphrases are a good help.
  • Install virus protection on all your devices and keep it up to date.
  • Use a secure cloud backup.
  • Connect to the internet using a VPN, even on your home network (and especially if transmitting sensitive info, like credit card numbers or online banking details.)
  • Keep your device operating systems up to date so you have the latest patches against exploits.
  • Don’t enable macros. Ever. If a document or website asks you to enable macros or hidden content or “allow access”, just don’t do it. There are very few legitimate reasons for documents or websites to request these permissions.
  • Keep a close eye on your financial accounts and look out for any fraudulent activity.

Here’s wishing you a safe and cyber-secure holiday season! Keep an eye on the Webroot Blog and the Webroot Community for more tips and news on the latest cyber threats.

What’s the deal with security product testing anyway?

It’s common for savvy online shoppers to check third-party reviews before making an online purchasing decision. That’s smart, but testing the efficacy of security software can be a bit more difficult than determining if a restaurant had decent service or if clothing brand’s products are true to size.

So, with the arguably more significant consequences of antimalware testing, how can shoppers be sure that the product they choose is up to the task of protecting their family from malware? Which reviews are worthy of trust and which are just fluff?

Red flags in antimalware testing

Grayson Milbourne is the security intelligence director at Webroot and actively involved in improving the fairness and reliability of antimalware testing. While acknowledging that determining the trustworthiness of any single test is difficult, some factors should sound alarm bells when looking to honestly evaluate antimalware products.

These include:

The pay-to-perform model

In any test, the humans behind the product being evaluated have a vested interest in the performance. How far they go to influence those results, however, varies. One extreme way to positively influence results is to fund a test designed for your product to succeed. Often, the platform on which a test appears can be a sign of whether this is the case.

“YouTube tests are almost always commissioned,” warns Milbourne. “So, if you see things on YouTube, know that there is almost always someone paying for the test who’s working the way the test comes out. I try to avoid those.”

If only one product aces a test, that’s another sign that it may have been designed unfairly, maybe with the undisputed winner’s strengths in mind.

Every vendor acing a test

Tests in which all participants receive high scores can be useless in evaluating product efficacy. Because we know catching malware is difficult, and no single product is capable of doing it effectively 100 percent of the time, tests where every product excels are cause for concern.

“If every product aces the test, maybe that test is a little too easy,” says Milbourne. No product is perfect, so be wary of results that suggest so.

Failing to test in “the big picture”

No one piece of software can stop all the threats a user may face all of the time. But many vendors layer their preventative technologies—like network, endpoint and user-level protection—to most effectively protect against cyberthreats.

“Testers are still very worried about what happens when you encounter a specific piece of malware,” says Milbourne. “But there’s a lot of technology focused on preventing that encounter, and reactive technology that can limit what malware can do, if it’s still unknown, to prevent a compromise.”

In addition to how well a product protects an endpoint from malware, it’s also important to test preventative layers of protection which is lacking in 3rd party testing today.

The problem with the antimalware testing ecosystem

For Milbourne, the fact that so few organizations dedicated to efficacy testing exist, while the number of vendors continues to grow, is problematic.

“There are about five well-established third-party testers and another five emerging players,” he says. But there are well over a hundred endpoint security players and that number is growing.”

These lopsided numbers can mean that innovation in testing is unable to keep up with both innovation in security products as well as the everchanging tactics used by hackers and malware authors to distribute their threats. Testing organizations are simply unable to match the realities of actual conditions “out in the wild.”

 “When security testing was first being developed in the early 2000s, many of the security products were almost identical to one another,” says Milbourne. “So, testers were able to create and define a methodology that fit almost every product. But today, products are very different from each other in terms of the strategies they take to protect endpoints, so it’s more difficult to create a single methodology for testing every endpoint product.”

Maintaining relationships in such a small circle was also problematic. Personal relationships could easily be endangered by a bad test score, and a shortage of talent meant that vendors and testers could bounce between these different “sides of the aisle” with some frequency.

Recognizing this problem in 2008, antimalware vendors and testing companies came together to create an organization dedicated to standardizing testing criteria, so no vendor is taken off guard by the performance metrics tested.

The Anti-Malware Testing Standards Organization (AMTSO) describes itself as “an international non-profit association that focuses on addressing the global need for improvement in the objectivity, quality and relevance of anti-malware testing methodologies.”

Today, its members include a number of antivirus and endpoint security vendors and testers, normally in competition against one another, but here collaborating in the interest of developing more transparent and reliable testing standards to further the fair evaluation of security products.

“Basically, the organization was founded to answer questions about how you test a product fairly,” says Milbourne.

Cutting through the antimalware testing hype

Reputation within the industry may be the single most important determinant of a performance test’s trustworthiness. The AMTSO, which has been working towards its mission for more than a decade now, is a prime example. Its members include some of the most trusted names in internet security and its board of directors and advisory board are made up of seasoned industry professionals who have spent entire careers building their reputations.

While none of this is to say there can’t be new and innovative testing organizations hitting the scene, there’s simply no substitute for paying dues.

“There are definitely some new and emerging testers which I’ve been engaging with and am happy to see new methodologies and creativity come into play, says Milbourne, “but it does take some time to build up a reputation within the industry.”

For vendors, testing criteria should be clearly communicated, and performance expectations plainly laid out in advance. Being asked to hit an invisible target is neither reasonable nor fair.

“Every organization should have the chance to look at and provide feedback on a tests’ methodology because malware is not a trivial thing to test and no two security products are exactly alike. Careful review of how a test is meant to take place is crucial for understanding the results.”

Ultimately, the most accurate evaluation of any antimalware product will be informed by multiple sources. Like reviews are considered in aggregate for almost any other product, customers should take a mental average of all the trustworthy reviews they’re able to find when making a purchasing decision.

“Any one test is just one test,” reminds Milbourne. “We know testing is far from perfect and we also know products are far from perfect. So, my advice would be not to put too much stock into any one test, but to look at a couple of different opinions and determine which solution or set of solutions will strengthen your overall cyber resilience.”

The Importance of Mobile Security for Safe Browsing

Mobile devices have become an indispensable part of our lives. By the time we’re teenagers, we’re already tethered to technology that lives in our pockets and connects us to a network far larger than we ever imagined possible. Because of the way we interact with our phones, it knows our likes, curiosities and vulnerabilities, in addition to our passwords, financial data and most closely held secrets. This seemingly infinite amount of data also makes our mobile devices highly attractive targets for malicious actors. That’s why it’s critical to protect phones from threats.

A successful attack on your phone could compromise your personally identifiable information (PII), banking accounts and even your professional life or the success of your business. Just like you lock the doors of your house when you go away, or your storefront after business hours, you should take care to secure the entry points that cybercriminals use to gain access to the data on your phone.

WiFi and Mobile APP threats

The convenience and ubiquity of public WiFi and mobile apps are also their greatest weakness. With unsecured public WiFi, you can never be sure if you’re connecting directly to a secure hotspot or to a hacker, who is stealing your information and relaying it to another malicious actor. Before you connect to an unfamiliar public WiFi network, follow these best practices to reduce the chances of compromising yourself:

  • Use a virtual private network (VPN) instead – VPN is highly recommended for all business communications. VPN keeps your network and Wi-Fi communications encrypted, which makes it much harder for hackers to access.
  • Disable sharing on all apps – While you may be comfortable sharing your location with apps when you’re on a secure connection, consider disabling it in system preferences or settings when you’re connecting to public WiFi.
  • Verify all public WiFi networks – Hackers can easily set up a public WiFi that looks like it’s owned by the proprietor. Before you connect to “Java House Guest WiFi,” ask someone behind the counter the exact name of their WiFi network.
  • Plug Bluetooth vulnerabilities – Hackers often use Bluetooth connections to infect or steal files. This puts personal data at risk when using Bluetooth. These attacks involve using the device for phone calls or text messages, or using Bluetooth functionality to find deeper vulnerabilities in the phone system or to steal data stored on the phone. Similar exploits exist for Apple users through the AirDrop feature. The best way to plug theses vulnerabilities is to turn off Bluetooth or AirDrop when not in use, keep your software up to date, only pair with trusted devices and use a VPN to encrypt your data and hide your identity.
  • Disable auto-join for open networks – Public WiFi networks are ideal environments for a range of cybersecurity attacks, including rogue networks, man-in-the-middle attacks, viruses, and snooping or sniffing. To prevent the likelihood of these attacks, remote users should turn off Wi-Fi auto-connect settings for public WiFi networks.

With more than 120 million Android users, Android malware continues to be a real and increasingly common threat. Google has already pulled a large number of malicious apps from the Play store. But the open nature of the Android operating system makes it an easy play for hackers. The year 2020 has been a particularly risky one for mobile app users. A few of the more dangerous mobile threats in circulation include:

  • Joker – Since 2019, Joker has been stealing credit card information and banking credentials by simulating other legitimate apps.
  • CryCryptor – Based off the open-source ransomware CryDroid, this mobile variant has been spotted masquerading as a COVID-19 tracing app.
  • EventBot – This malicious app abuses accessibility features to steal user data, and reads and steals SMS messages to bypass two-factor authentication.
  • Dingwe – This modified remote access tool is capable of controlling a device remotely. Samples have been found impersonating as COVID-19 tracing apps.

Many of these malicious operators use various tricks to evade detection. Since Android devices can come with hundreds of apps pre-installed, there’s a high potential for security gaps that a malicious app maker could exploit.

#1 Defense Measure: Update the OS

One of the major vulnerabilities with Android devices is outdated software. More than 40% of Android devices are using an OS version older than v9. This makes them more vulnerable to malicious applications.

Webroot® Mobile Security can help improve your mobile defenses without impacting your browser speed. It allows you to browse, shop, search, bank or use social networks, all while blocking malicious websites that try to steal your personal information. Webroot® Mobile Security includes proactive identity protection features, which block malicious sites that try to steal your personal info or harm your device. With Webroot® Mobile Security, you can hide your digital footprint and your browsing history through private browsing mode.

Hone Your Cybersecurity Superpowers with Tips from Wonder Woman

October 21 is Wonder Woman Day. It commemorates Wonder Woman’s first appearance in All Star Comics #8. With the upcoming release of Wonder Woman 1984, we took the opportunity to talk superheroes, superpowers and protecting data with our very own Briana Butler, Engineering Services Manager at Webroot.

Q: Wonder Woman got her powers from her divine mother, Queen Hippolyta. How did you get your data protection superpowers?

I had a reboot in life. I was previously a retail buyer then I went back to school for computer science and ended up switching to the business school. I was hired at Webroot to be a bridge between engineering and business – you have to have people that can speak both languages – and that’s exactly what I wanted to do and what I was trying to forge with my new career.

I first began as a data analyst, which meant working on privacy compliance, GDPR, CCPA, and data mapping, understanding where data is stored and processed, and who has access to it. My latest role is as an Engineering Services Manager, meaning I help engineering and product with personnel and hiring needs, ISO certification and making sure our development teams receive the training they need to stay up to date with the fast pace of tech.

Q: Wonder Woman had several superpowers, or super powerful gadgets, like indestructible bracelets and a lasso that forced people to tell the truth. Is cyber resilience a superpower?

Every superhero has different talents or powers. When we think of cyber resilience, it’s sort of like our own personal toolbox of powers that we can use against malicious actors who want to take our data and make money off it.

Our toolbox of cyber resilience includes basic best practices like knowing how to create a strong password, not clicking every link that comes into your email inbox and daily behaviors of how to navigate and defend yourself online. The goal is to live your best digital life confidently, without disruption.

Q: What about our data? Does that give us any powers that we wouldn’t have without it?

I think it’s more about understanding the power data has if we give it away. When we give people access to our data, that’s when it becomes powerful. Whether it’s corporations or malicious actors, when we willingly hand out our data, that gives it power because then, they know things about us. I talk a lot about privacy and why everyone should be more critical and cognizant of the data they’re sharing. We share a lot more than we realize. It’s time for all of us to understand what we’re sharing and then decide if we, personally, really want to share it.

Q: Wonder Woman encountered her fair share of comic strip villains, like the Duke of Deception, Doctor Psycho and Cheetah. Who are the villains in the digital world?

They’re the malicious actors and cybercriminals who would take your data and sell it on the open market. It could even be the person trying to get access to your Hulu account. There are also nation-state actors and the companies you buy things from. There’s a huge spectrum of villains, and they all want your data. There’s big money in data. So, it’s important that you’re aware of what’s being shared.

I’ve started reading privacy policies – those long, convoluted legal documents – to see if I can understand where I’m going to be sharing my information and make a more conscious decision.

For one large social platform, when I went through it, I started asking myself, am I really okay sharing this information? Do I really need this service or platform? Is it necessary in exchange for what I’m about to share with them? In the end, I didn’t sign up for it.

I’ve also gone through the frustrating and somewhat time-consuming act of cleaning up all my passwords and using a password manager. Most people say they have anywhere from 15 to 20 password-protected accounts. But when I went through all the places I’ve shared my password, it was upwards of 100!

One of my favorite topics is password strength. We recently did an analysis of password configurations with Maurice Schmidtler, our head data scientist, who created a Monte Carlo simulation. We took what you usually see when you’re told to create a password – like using uppercase and lowercase letters or special symbols – and applied those within the simulation. What we found was that the more constraints you put on a password, the fewer viable options you have for a strong password, meaning it decreases the number of good password options. Whereas if you focus on creating a strong password, where length is more important than the various character-type constraints, you’ll end up with a much stronger password. Length is strength because it takes more computing power to break.

Q: Wonder Woman was a founding member of the Justice League. So, even she needed the help of a squad to defeat the villains. Do we need help from a squad to be more cyber resilient?

We all need assistance because as humans, we are fallible. Inevitably, someone might click on a malicious link, or some unforeseen event might happen where you need a backup that’s going to allow you to recover data instead of losing it permanently.

When it comes to ransomware, or really any other attack, you need awareness. That’s why we encourage proactive education and regular security awareness training, so people truly understand the threat landscape and how to identify the most prevalent types of attacks. 

Q: At one point in the story, Wonder Woman surrendered her superpowers and used fighting skills instead. In what ways do we surrender our powers when it comes to cyber resilience?

Oversharing content or data about yourself, your name or address are surefire ways to surrender power in the digital age. All these things identify you and allow criminals to gain insight that can be used against you through social engineering.

You’re also surrendering power when you practice poor cyber hygiene, like repeating passwords across multiple logins. Once a cybercriminal gains access to one login, they can discover more details about you and use it elsewhere. For example, you may not be worried about a criminal getting access to your Netflix account, but if you use the same password there as you do with your bank, then the situation just became much more serious.

You also surrender power by not protecting your home network and not using VPN when you’re on public Wi-Fi. People often think “it won’t happen to me,” until it’s too late. And recovery can be costly and time-consuming. That’s why implementing layers of protection up front strengthens cyber resilience and helps keep your digital life easy, secure and free of complications.

Q: Are you going to watch the new Wonder Woman movie?

Oh sure! I will because I’ve seen all the other ones. I’m a big fan of Guardians of the Galaxy. And, of course, I love Iron Man. And I was a big fan of Black Panther, too. Doctor Strange is also one of my faves.

Q: If cybercriminals were villains from Wonder Woman, who would they be?

The Duke of Deception! Hackers, cybercriminals and nation-state actors are constant antagonists, and that’s exactly who we defend our users against.

What you Should Know About Chatbots and Cybersecurity

People’s fears and fantasies about artificial intelligence predate even computers. Before the term was coined in 1956, computing pioneer Alan Turing was already speculating about whether machines could think.

By 1997 IBM’s Deep Blue had beaten chess champion Gary Kasparov at his own game, prompting hysterical headlines and the game Go to replace chess as the symbolic bar for human vs. machine intelligence. At least until 2017 when Google’s AI platform AlphaGo ended human supremacy in that game too.

This brief run through major milestones in AI helps illustrate how the technology has progressed from miraculous to mundane. AI now has applications for nearly every imaginable industry including marketing, finance, gaming, infrastructure, education, space exploration, medicine and more. It’s gone from unseating Jeopardy! champions to helping us do our taxes.

In fact, imagine the most unexciting interactions that fill your day. Those to-dos you put off until it’s impossible to any longer. I’m talking about contacting customer support. AI now helps companies do this increasingly in the form of chatbots. The research firm Gartner tells us consumers appreciate AI for its ability to save them time and for providing them with easier access to information.

Companies, on the other hand, appreciate chatbots for their potential to reduce operating costs. Why staff a call center of 100 people when ten, supplemented by chatbots, can handle a similar workload? According to Forrester, companies including Nike, Apple, Uber and Target “have moved away from actively supporting email as a customer service contact channel” in favor of chatbots.

So, what could go wrong, from a cybersecurity perspective, with widespread AI in the form of customer service chatbots? Webroot principal software engineer Chahm An has a couple of concerns.

Privacy

Consider our current situation: the COVID-19 crisis has forced the healthcare industry to drastically amplify its capabilities without a corresponding rise in resources. Chatbots can help, but first they need to be trained.

“The most successful chatbots have typically seen the data that most closely matches their application,” says An. Chatbots aren’t designed like “if-then” programs. Their creators don’t direct them. They feed them data that mirrors the tasks they will expected to perform.

“In healthcare, that could mean medical charts and other information protected under HIPAA.” A bot can learn the basics of English by scanning almost anything on the English-language web. But to handle medical diagnostics, it will need to how real-world doctor-patient interactions unfold.

“Normally, medical staff are trained on data privacy laws, rules against sharing personally identifiable information and how to confirm someone’s identity. But you can’t train chatbots that way. Chatbots have no ethics. They don’t learn right from wrong.”

This concern is wider than just healthcare, too. All the data you’ve ever entered on the web could be used to train a chatbot: social media posts, home addresses, chats with human customer service reps…in unscrupulous or data-hungry hands, it’s all fair game.

Finally in terms of privacy, chatbots can also be gamed into giving away information. A cybercriminal probing for SSNs can tell a chatbot, ‘I forgot my social security. Can you tell it to me?’ and sometimes be successful because the chatbot succeeds by coming up with an answer.

“You can game people into giving up sensitive information, but chatbots may be even more susceptible to doing so,” warns An.

Legitimacy

Until recently chatbot responses were obviously potted, and the conversations directed. But they’re getting better. And this raises concerns about knowing who you’re really talking to online.

“Chatbots have increased in popularity because they’ve become so good you could mistake them for a person,” says An. “Someone who is cautious should still have no problem identifying one, by taking the conversation wildly off course, for instance. But if you’re not paying attention, they can be deceptive.”

An likens this to improvements in phishing attempts over the past decade. As phishing filters have improved—by blocking known malicious IP addresses or subject lines commonly used by scammers, for example—the attacks have gotten more subtle. Chatbots are experiencing a similar arms-race type of development as they improve at passing themselves off as real people. This may benefit the user experience, but it also makes them more difficult to detect. In the wrong hands, that seeming authenticity can be dangerously applied.

Because chatbots are also expensive and difficult to create, organizations may take shortcuts to catch up. Rather than starting from scratch, they’ll look for chatbots from third-party vendors. While more reputable institutions will have thought through chatbot privacy concerns, not all of them do.

“It’s not directly obvious that chatbots could leak sensitive or personally identifiable information that they are indirectly learning,” An says.

Chatbot security and you – what can be done?

1. Exercise caution in conversations

Don’t be afraid to start by asking if a customer service rep is a real person or a bot. Ask what an organization’s privacy policy says about chat logs. Even ask to speak with a manager or to conduct sensitive exchanges via an encrypted app. But regardless, exercise caution when exchanging information online.

“It used be any time you saw a web form or dialogue box, that heightened our caution. But nowadays people are publishing so much online that our collective guard is kind of down. People should be cautious even if they know they’re not speaking directly to a chatbot,” An advises.

In general, don’t put anything on the internet you wouldn’t want all over the internet.

2. Understand chatbot capabilities

“I think most people who aren’t following this issue closely would be surprised at the progress chatbots have made in just the last year or so,” says An. “The conversational ability of chatbots is pretty impressive today.”

GPT-3 by OpenAI is “the largest language model ever created and can generate amazing human-like text on demand,” according to MIT’s Technology Review and you can see what it can do here. Just knowing what it’s capable of can help internet users decide whether they’re dealing with a bot, says An.

“Both sides will get better at this. Cybersecurity is always trying to get better and cybercriminals are trying to keep pace. This technology is no different. Chatbots will continue to develop.”

Cybersecurity Tips for a Happy National Video Games Day

This year more than others, for many of us, it’s gaming that’s gotten us through. Lockdowns, uncertainty, and some pretty darn good releases have kept our computers and consoles switched on in 2020. GamesIndustry.biz, a website tracking the gaming sector, reported a record number of concurrent users on the gaming platform Steam for several weeks as the lockdown went into effect.

According to NationalToday.com, the authority for such days, video games are an $18 billion industry that trace their origins to the halls of prestigious educational institutions like Oxford University and MIT. Not surprisingly given, the nature of our work, they’ve captured the hearts and imaginations of a good number of here at Webroot. But again, due to the nature our work, we’re well attuned to video game-related hacks and scams.

This March, 66 malicious gaming apps were discovered to have evaded reviewers and found their way into the Google Play store. In April, just as coronavirus was beginning to keep most of us indoors, Nintendo was breached and the accounts of more than 300,000 gamers were compromised. Phishing attacks posing as gaming platforms have risen significantly during this time period.

But too often we hear from gamers that they don’t use an antivirus. With all the time gamers spend online, especially PC gamers, this is a big risk. Many of the reasons we hear for not using an antivirus, in fact, are based on misconceptions.

So, to clear up some of those misconceptions, and to provide some tips for spending National Video Games Safely, we sat down with cybersecurity expert and resident gamer Tyler Moffitt to get his advice.

What kinds of security threats do gamers face?

Not running any security is the main one. It’s a big problem within the gaming community. There are also tailored phishing attempts for online games where accounts can be worth over $100. The happen on platforms including Blizzard, Steam, Epic, Riot and others.

Why do cybercriminals target gamers?

They can be a niche target when big things happen like major game releases. Halo, World of Warcraft, Grand Theft Auto, and Call of Duty have all been targets for scams. But PC gamers not running any antivirus solution other than built-in or free protection are asking for trouble.

Either by game or gaming type, what tends to be the biggest target for hackers?

The way most players are infected with actual malware and not just giving up account info is by downloading game hacks. These are usually aim bots or other ways to cheat at the game. In addition to making games less fun for other players, they endanger the cybersecurity of the individuals doing the cheating. Also, trying to download games for free on torrent sites is just asking for trouble…or a trojan

Any misconceptions about gaming security?

I’d the biggest one is that all antiviruses today will cause problems with gameplay. Many players imagine they’ll have issues with latency, or their frame rate will drop off significantly, and that’s just not true. While years ago this may have been the case with heavy installation suites and large daily definition updates, many anti-viruses has changed throughout the years to do all the heavy lifting in the cloud while still being lightning fast and accurate with threats. The amount of CPU, RAM and bandwidth usage of AVs while idle and during a scan are significantly lighter than they used to be.

What can gamers do to improve online security?

As I mentioned, running an antivirus is essential. There are lightweight options available that won’t impact gameplay. Also, I recommend enabling two-factor authentication on all accounts for online games whenever possible to reduce the risk of falling victim to a malicious hacker.

As a gamer yourself, anything else to consider or personal best practice to share?

Trying to cheat or download premium games for free, especially when prompted to by clickbait-type ads, will almost always lead to a scam or malware. There’s no such thing as a free lunch.

See how Webroot compares to competitors in terms of installation size, scan time, and resource use in in third-party performance testing here.

WFH for the Long Haul? These Tips Will Help You Create a Cyber Resilient Home Network

Cyber resilience is being put to the test during the coronavirus pandemic. As more and more users work from home, it’s becoming increasingly difficult for IT teams to ensure uniform cyber security on home devices and networks that they don’t own or control. At the same time, cybercriminals are using the pandemic to launch more deceptive attacks. In this post, we’ll break down a few steps you can take to add resilience to your home network, so you don’t have to sacrifice security for convenience during the global pandemic. We cover all of these tips and more in our Work From Home Playbook.

The secure tunnel

We lose a measure of security the minute we step outside the protective shell of our corporate network. The average home network is significantly less secure than corporate networks. This leaves remote workers more vulnerable to attacks anytime they’re not connected to the corporate network.

Luckily, you can easily improve your at-home security by using a virtual private network (VPN). With a VPN, you can establish a secure tunnel between your home network and your corporate environment, making your home connection more immune to outsider attacks. A VPN extends your home network – or connection from the local coffee shop – across a public network, allowing you to interact with your corporate system as if you were connected directly to it. This allows applications to operate securely and encryption to be enabled within the connection, ultimately privatizing any data being shared or input.

Handshake hygiene

A clean handshake is healthier in the physical world. And it’s the same with the digital handshake between your home devices and your corporate network. Anytime someone from outside the network attempts to log on, there’s a risk the person isn’t who they say they are. Login credentials are stolen all the time. In many scenarios, all it takes is a username and password to gain access to the company network. Once inside, cyberthieves can unload malicious payloads or find additional user credentials to launch even more pernicious attacks. But by adding just one extra layer of security in the form of an additional checkpoint, it’s possible to thwart most attacks that rely on only a username and password.

That’s why multi-factor authentication (MFA) has become the go-to method for adding extra verification steps to confirm that the person logging on is truly who they say they are. With MFA, the user verifies their identity using knowledge only they have, like a password or answers to challenge questions. As an additional verification step, the user supplies an item, like a YubiKey or a one-time password sent to a mobile device. Lastly is an inherited characteristic unique to who the person, such as a fingerprint, retina scan, or voice recognition. In today’s highly regulated business environment, most businesses make MFA mandatory for employees logging in from outside the network.

First, second and third lines of defense

Cybercriminals have a full quiver of options when it comes to launching attacks. But the good news is that there are also multiple solutions for defending home systems against them. The best way to secure the home network is to use a multi-layered cyber resilience strategy, also known as defense in depth.

This approach uses multiple layers of security to protect home devices and the networks they’re connected to. Here’s what that looks like:

  • Backup – Backup with point-in-time restore gives you multiple recovery points to choose from. It ensures you can roll back to a prior state before the ransomware virus began corrupting the system.
  • Advanced threat intelligence – Premium antivirus protection is still the first line of defense. And antivirus that is backed by advanced threat intelligence, identification and mitigation is essential for preventing known threats from penetrating your system.
  • Patch and update applications – Cybercriminals are experts at identifying and exploiting security vulnerabilities. Failing to install necessary security patches and update to the latest version of applications and operating systems can leave your devices exposed to an attack.

Learn more

Cyber resilience while working from home is every bit as critical as working on-site. For more tips on how to add resilience to your home environment, and how to prepare your space for working from home long-term, download the Work from Home Playbook.

Cybersecurity and Back to (Virtual) School 2020: What You Need to Know

Even though the 2020 Back to School season may look very different from those in years past, there are a few things that will remain the same. First, since Back to School is often when parents and caregivers stock up on new clothes, tech, and school supplies for students, it’s also when lots of stores (especially online retailers) run huge sales.

Second, there will be the customary spike in cyberattacks. In fact, the attacks on the Education sector are already up. The latest data from Microsoft shows that the Education sector has recently suffered more encounters with malware (over 5,000,000 in the last 30 days) than any other industry!

Since a lot of children and teens will be attending school virtually, either part-time or full-time, they’ll be spending even more time on the internet than they currently do. The more time they spend online, the higher the risk they face.

Here are the top threats to watch out for, as well as tips for how to help keep young learners safe during Back to (Virtual) School.

Phishing

According to Tyler Moffitt, security analyst at Webroot, “phishing isn’t going to go away any time soon. As tactics go, it’s an oldie, but goodie. Times of year when people do more shopping, like Back to School or Christmas, are a big draw for cybercriminals. We always see a spike in phishing during those times. And with more people shopping and streaming online during COVID-19, I’m betting we’ll see even more activity this year than we would normally expect.”

To underscore Tyler’s point, the latest intelligence from the Webroot BrightCloud® Real-Time Anti-Phishing service shows that phishing URLs targeting global streaming services have increased significantly. In March 2020 alone, we saw the following increases in phishing URLs, broken out by service:

  • Netflix – 525% increase
  • YouTube – 3,064% increase
  • Twitch – 337% increase
  • HBO – 525% increase

Not only should you and your young learner keep an eye out for email scams, but also bear in mind that phishing can happen through a variety of channels. Because many students will end up communicating mostly via online chat, text message (SMS), or social media, it’s important for us all to be extra vigilant about what we click, what we download, and what information we transmit.

Zoom-bombing

The rise in the use of Zoom and other videoconferencing platforms has also paved the way for malicious actors to cause trouble. While it’s named after Zoom, zoom-bombing as a term refers to the act of intruding on a video conference on any platform and creating a disruption, such as spreading hate speech, displaying pornography, and more.

Additionally, Webroot threat researchers have seen videoconference executable files (i.e. the file you run to launch the program) either faked or manipulated so that unwitting victims end up downloading malware.

Fake Websites and Spoofing

Webroot researchers have seen huge jumps in the number of fake websites out there, particularly those with “COVID” and related terms in their domain names. Tyler also warns us to be on our guard for website spoofing, which is when malicious actors create a fake version of a website that looks like the real thing.

“A lot of people will have to access specific websites and online systems for school and related activities,” he says. “Criminals will effectively set traps, so that a mistyped URL or a fake search result could land you on a fake page that looks completely real, only to steal your info or install malware on your system.”

How to Keep Yourself and Your Family Safe

Here are Tyler’s top tips for staying safe online through Back to School and beyond.

  1. Use internet security software.
    If you haven’t already, install internet security with antivirus on all your devices, especially those that will be used for schoolwork. Don’t forget about using a VPN to protect kids’ internet activity from prying eyes.
  2. Update videoconferencing software.
    Make sure children and teens are always using the most up-to-date versions of Zoom (or any other videoconferencing software) to ensure they have the latest patches to prevent malware distribution and disruptions.
  3. Watch out for phishing in all its forms.
    Talk to kids about phishing. Make sure you all know to look before you click. And remember, phishing scams can look just like a text message from a best friend, classmate, or teacher, so always be wary of messages that ask you to click a link or download a file. Use a secondary means of communication, like a phone call, to verify that these are legitimate.
  4. Use your bookmarks.
    Bookmark all required distance learning pages. Criminals may try to spoof these for phishing, especially if there is a popular portal that many schools use. Using a bookmark, instead of Googling and clicking a search result, will help ensure that your kids are on the right page.
  5. Just say ‘no’ to macros.
    If you or your kids download a document and it asks you to enable macros or enable content, DO NOT DO IT. This is very likely to be a malicious file that will infect your computer.
  6. Use a secure backup.
    When we’re all so reliant on our computers and other internet-connected devices to work and study, it’s extra important to make sure they’re backed up. Nobody wants to lose a term paper or other important documents to a malware infection, hardware failure, damage, loss, or theft. Save yourself the hassle and heartache by investing in backup software.

This Back to School season, it’s especially vital that we all do what we can to ensure children and teens have the skills, awareness, and security protocols to stay safe. By following these tips, you can help make sure they stay safe today, tomorrow, and beyond.