Posts

Municipal IT Director Put on Leave Following Breach

/0 Comments/in /by

Hackers Had Access for Months Before Launching Ransomware Attack

Municipal IT Director Put on Leave Following BreachIn another sign that accountability is rising in cyber security, the IT director of the Suffolk County Clerk’s Office in New York has been put on paid administrative leave. An investigation following a September ransomware attack found that hackers had been exploring and exploiting Suffolk County’s systems since December 19, 2021, and accused IT Director Peter Schlussler of acting in “an incredibly nonchalant manner” toward the county’s cyber security.

Schlussler disputed the investigation’s findings in an email to The New York Times, noting that his requests for stronger cyber security at the County Clerk’s office had been rejected by superiors. Suffolk County wound up taking all of its systems offline in September when the hack was finally discovered and, according to the Times, is still using workarounds for some online functions.

Suffolk County Hack Timeline Illustrates Common Tactics and Detection Failures

An examination of the Suffolk County hack reveals opportunities when the intrusion could have been detected, had the IT Director been following security protocols that most cyber security specialists recommend.

December 19, 2021: Criminals gain access to the County Clerk’s systems via a known flaw in a common piece of software. Investigators found that there was no centralized authority for the municipal systems run by Suffolk County. As a result, patches to fix the known vulnerability were not applied across all systems. Suffolk County Executive Steven C. Bellone cited the IT director’s failure to patch the vulnerability as a cause of the cyber attack.

January 2022: Hackers install Bitcoin mining software on the Suffolk County systems. Criminals install software like this for two reasons: To see if it will be detected and removed, and to see if the data it sends will be detected and removed. Organizations that fail to spot rogue software communicating with unknown parties will have their data stolen.

Many IT directors perform regular scans of all systems to look for new software installations, which can be sign of a breach. This can be a challenging task in a large, decentralized environment, which is why cyber security professionals recommend centralized administration for users and software.

March 2022: Hackers install tools to run Suffolk County systems remotely. Criminals who do this have a high level of confidence in their ability to carry out significant attacks. These systems will be tested before the next phase of intrusion begins, offering an opportunity to detect the activity.

Every IT director and security professional should be scanning systems regularly for all known remote clients. Although New York investigators did not specify the kind of remote access tools used, many criminals use the same remote-access software that organizations use to keep their own remote employees connected. By itself, the presence of remote access software may not trigger concern, but the alarm should be raised if it is suddenly used more often, at unusual times of day or in unusual ways. Use a Virtual Private Network (VPN) secured with two-factor authentication (2FA) to enhance the security of remote access.

April 2022: Criminals create the first of several admin-level user accounts in the County Clerk’s systems. This is the boldest step yet, and at this point, the hacker is the IT director. With Admin-level access, criminals can install software, exfiltrate data and manipulate systems to cover their tracks.

There are a number of ways to alert IT staff when new accounts are created, and a number of ways to limit the access that new users have. Beyond these safeguards, user lists and access levels should be audited and verified on a regular basis, with any unrecognized accounts immediately flagged and suspended.

July 2022: Data exfiltration begins, including at least one file with the name, “Passwords.”

August 2022: Keyloggers are installed. Intrusions begin on systems connected to the County Clerk’s system. Hackers encrypt everything they can access as they prepare to launch a ransomware attack.

What should stand out about the Suffolk County attack is the patient, meticulous nature of the hackers. This was not a high-speed raid or a crime of immediate opportunity. Hackers got in, then slowly built up their presence and toolkit over time, starting with nuisance software and moving on to complete control and surveillance. At each step, the hackers stopped and waited to see if their activity would be detected. When it was not, they executed the next step of their takeover plan.

The month-by-month increase in activity correlates with what hackers know about most cyber security solutions: Scans run at least once a month. If 30 days pass and software or activity has not been detected, it is safe to escalate. Think of this like a burglar finding a series of unlocked doors in a home. After opening each door, the burglar looks around to make sure it is safe before opening the next door.

The Myth of “Opportunistic” Cyber Attacks

Far too many business owners and organizational leaders think a cyber attack occurs because someone lets their guard down for a moment. While these attacks do occur, they tend to be low-level financial attacks that scam a few hundred or a few thousand dollars. Real cyber criminals are as patient and methodical as the group that attacked Suffolk County, and the damage they cause can lead to millions of dollars in remedies and restitution. Large, distributed, heavily used networks like those found in municipal government offices are ripe targets for the troves of personal information they hold and the opportunities they offer for criminals to conceal their activities.

We see multiple points where the Suffolk County attack could have been stopped, but we also see the challenges faced by the IT director, which are common to both businesses and the private sector. Too many leaders do not understand the real nature of cyber attacks. Too many government and private-sector organizations see Virtual CISO services or Dark Web Monitoring as a needless expense. The irony here is that they wind up paying for these services after a breach, alongside any fines and costs associated with data loss and system repairs, when they could have prevented the intrusion in the first place.

There is also the question of accountability, and the decision to suspend the Suffolk County Clerk’s IT director. This follows Federal sanctions against the CEO of Drizly following the theft of customer data. In both of these cases, investigators uncovered events that should have been prevented by cyber security best practices and held the people responsible for overseeing cyber security accountable.

Hacker for hire a rising Trend

/in , /by

Hackers and wannabe hackers can easily purchase cheap tools of the trade online. The security firm Dell SecureWorks Inc. confirms this in their latest report and adds that underground markets for hackers, including those from Russia, is thriving.

11DThe “Dark Web” is the go-to place for hackers looking for guidance and tools like malware. Yes, you can buy malware. If you don’t want to be the hacker, you can hire a hacker.

There’s any number of reasons why a non-techy person would want to hire a hacker. Maybe that person wants to make money and thus hires a hacker to create a phishing campaign that generates lots of credit card numbers and other personal data for the hacker’s client to then open credit lines in victims’ names.

Maybe another client wants revenge on an ex-lover, their current boss or neighbor; they hire a hacker to crack into the target’s Facebook account, and then the client is able to log in, impersonate the victim and post comments and images that will make the victim look frightfully bad.

Dell SecureWorks Inc., also found:

  • For $129 a hacker will steal e-mails from personal Yahoo or Gmail accounts.
  • For business accounts, however, hackers want $500 per e-mail.
  • Wannabe hackers can buy phishing tutorials as well as other tutorials for $20 to $40.
  • Gee, for just $5 to $10, you can buy a Trojan virus that you can infiltrate someone’s computer with and control it—even if you’re a thousand miles away.

So booming is the hacker for hire and hacker-in-training industry, that these cybercriminals even offer customer service. Makes you wonder why hackers are selling their knowledge, tools and providing customer service, if they can make so much more money just hacking.

Well, maybe deep down inside, these crooks have a kind heart and want to help out people, even if it means helping them commit crimes. Another explanation is ego; they’re so good at what they do that they want to share their knowledge, albeit for a fee.

What else is for sale on the Dark Web? Stolen hotel points and frequent flyer accounts. Buyers can use these to get gift cards on legitimate sites, says the report from Dell SecureWorks Inc.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

What are Bug Bounties?

/in /by

A bug bounty refers to the reward a bad-guy hacker gets upon discovering a vulnerability, weakness or flaw in a company’s system.

6DThis is akin to giving a reward to a burglar for pointing out weaknesses in your home’s security.

But whom better to ask than a burglar, right? Same with a company’s computer systems: The best expert may be the black hat or better, white hat hacker.

An article at bits.blogs.nytimes.com says that Facebook, Google, Microsoft, Dropbox, PayPal and Yahoo are on the roster of companies that are offering hackers bounties for finding “bugs” in their systems.

A “zero day bug” refers to an undiscovered flaw or security hole. Cybercriminals want to know what these zero day bugs are, to exploit for eventual hacking attempts. There is a bustling black market for these non-identified bugs.

Compounding the issue is that it is becoming easier for Joe Hacker to acquire the skills to infiltrate—skills that common hackers never would have had just a few years ago, and especially a decade ago. So you can see how important it is for businesses to hire the best at finding these bugs and rewarding them handsomely.

So yes, hackers are being paid to report bugs. The bits.blogs.nytimes.com article says that Facebook and Microsoft even sponsor an Internet Bug Bounty program. Such a program should have been started long ago, but it took some overlooked bugs to motivate these technology companies to offer the bounties.

Heartbleed is an example. Remember that? It was a programming code mistake that affected certain SSL certificates—which help protect users on a secure website. As a result, over a dozen major tech companies began an initiative to, as the bits.blogs.nytimes.com article says, “pay for security audits in widely used open-source software.”

So as clever as bug bounties sound, it shouldn’t be regarded as the be-all end-all solution. How about an incentive to get developers to implement secure, mistake-free coding practices? Well, companies are trying. And they keep trying. But with humans behind the technology, there will always be mistakes.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Meet the FBI’s most wanted Hackers

/in /by

Want to earn up to $4.2 million? Then find the hackers on the FBI’s most wanted list. Or at least give the FBI information leading to their arrest and/or conviction. These snakes have stolen hundreds of millions of dollars. Here is the list from the hackernews.com:

Evgeniy Mikhailovich Bogachev (reward: $3 million)

  • Ironically, one of his aliases is one of the most common (and thus easily cracked) passwords: lucky12345.
  • He’s the brains behind the GameOver Zeus botnet and CryptoLocker Ransomware.
  • Over a million computers were infected with this malware, causing nearly $100 million in losses.

Nicolae Popescu (reward: $1 million)

  • From Romania, Popescu tricked Americans with fraudulent auction posts on various websites.
  • AutoTrader.com, Cars.com and eBay were some of these sites.
  • He was selling cars that didn’t exist. (Please, people, never, ever send money for something as grand as a car unless you have proof it exists—which includes actually test driving it!)
  • Hundreds of people sent money without ever seeing more than an ad for the cars. If you think that’s bad, it gets worse: Some of the victims handed over their money for private planes and yachts! Nearly 800 people didn’t have on their thinking caps, but this doesn’t make Popescu’s deed any less obscene.

Alexsey Belan (reward: $100,000)

  • Belan breached the cybersecurity systems of three big U.S. based e-commerce sites.
  • He then tried to sell all of these stolen databases, which included passwords.

Peteris Sahurovs (reward: $50,000)

  • His crime involved creating and selling malware by putting ads up on various websites.
  • These advertisements forced users to buy the phony antivirus software that the ads pitched.
  • If the user declined the purchase, their desktop would be bombarded with phony security alerts and pop-ups.
  • This crook from Latvia collected over $2 million with the scheme.

Shailesh Kumar Jain (reward: $50,000)

  • Despite the name, Jain is a U.S. citizen.
  • He scored $100 million in less than two years.
  • He should have quit while he was ahead (maybe after the first $10 mil?), but he just couldn’t earn enough, so he kept hacking away at unsuspecting Internet users.

With fraudulent e-mails and pop-up ads, he tricked users into thinking their computers were infected with malware, and then sold them his fake antivirus software packages for $30 to $70. Do the math: Can you imagine how many people got rooked?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Visual Hacking is High Tech Shoulder Surfing

/in /by

A visual hacker can infiltrate you—from the outside in. Quite literally, a person (ranging from a snoop to a cyber criminal) can peer over your shoulder while you’re using your computer or mobile (“shoulder surfing” or “visual hacking”), and collect your personal information—whatever you have up on the screen.

4DThis is so easy to observe Go to any airport or café and you’ll see scores of people using their laptops, headset on, head nodding to some beat, totally oblivious that a world exists beyond their little comfy spot.

However, shoulder surfing can also happen from a distance, e.g., a thief using binoculars or a small telescope. He can be nearby aiming his high-quality smartphone camera at the user. A cheap camera can be hidden near a spot where people often settle down with their devices, aimed right where people most often open their laptop or whip out their mobile.

You might be able to prevent shoulder snoopers by covering your screen with a hand, but this isn’t practical. If you’re working remotely, you should think about setting yourself up so that passers-by can’t see your screen, such as sitting up against a wall. However, these maneuvers aren’t always possible and you know that you need protection every single second to prevent information you are working on from a potential leak.

A recent survey of IT professionals found that 82 percent had little to zero confidence that employees were capable of concealing their device’s screen from peeping eyes; 82 percent believed it was possible that data had already been viewed off of their screens by the wrong eyes; and 85 percent reported being able to view sensitive data on a screen that they were not supposed to be looking at. So why aren’t more people – and more importantly, more organizations – taking the necessary precautions to protect their visual privacy?

From login credentials to company directories to confidential financial figures – data that can be visually hacked is vast and what a hacker can do with that information is even more limitless. To prevent people from handing over the proverbial “keys to the kingdom” through an unwanted visual hack 3M now offers its ePrivacy Filter software. When paired up with the traditional 3M Privacy Filter, which blacks out side views and helps prevents hackers from stealing a glance at your screen, the ePrivacy Filter notifies you when someone is peering over your shoulder. You can now protect your visual privacy from nearly every angle.

Not only do thieves try to see what’s on the screen, but they’ll also study the user’s fingers at key times, such as right after they open the laptop. This could be the password they’re typing in to gain access to the device. A skilled visual hacker can determine which group of keys was pressed, then confine a brute-force attack to those characters to crack the password.

If you think shoulder surfing is uncommon and more so the product of overactive imaginations, think again. Take yourself, for example. Imagine being on a long flight. You’re wide awake but drained from using your device and reading magazines. Sooner or later (and you know this), your eyes will drift towards the stranger seated next to you—to see what’s on their screen. Since you, an honest, non-criminal person, is apt to do this, imagine how tempting it is for thieves.

Research results that were released last year revealed that 72 percent of commuters in the UK peer over the shoulder of fellow commuters. But don’t think that shoulder surfing is confined to the public; it can also take place right inside your office building. This can be particularly true for offices with an open floor plan design. With more and more screens out in full view and not enough attention paid to the types of data being accessed for all to see, you can never let your guard down when it comes to protecting confidential and sensitive information.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

Are All Hackers Bad?

/in /by

The word hacker has a pretty negative connotation. It brings to mind other words like cybercriminal, thief, and malicious. It’s easy to see why hacker has a bad rep. The news is full of stories about hackers stealing data from large companies and the government. Hackers are the bad guys.

But are they?11D

Tesla just recently announced they are hiring hackers to find and fix security holes in the Model S car. Google started a league of hackers called “Project Zero” to track down security flaws in their software. Companies like Facebook and others sponsor hack-a-thons, where anyone is invited to try and crack their systems, all the time. Why would these companies want to hire or incentivize hackers?

The truth is not all hackers are the same. Here are the different kinds of hackers:

  • White hat hackers: Also known as “ethical hackers,” these hackers use their skills to make the Internet a safer place. Some white hat hackers do this for fun and then report the information to companies or sites they have broken into so the companies and sites can be fixed. It is these white hat hackers that Tesla is hiring they can find any security holes in their Internet-enabled cars before the bad hackers find and exploit them.
  • Gray hat hackers: These are the guys in the middle. They sometimes act legally, sometimes not. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits. An example of gray hat hackers is hacktivists—who hack to bring attention to a political agenda or social cause. Anonymous, a predominant hacktivist group, recently took down multiple Israeli websites in protest of the Gaza crisis.
  • Black hat hackers: These are the bad guys that give the word hacker its negative connotation. These hackers are committing crimes…and they know it. They are looking to exploit companies or you and your devices for their financial gain.

So the next time you hear the word hacker, don’t automatically assume it’s a bad thing. Hacking can used for good and evil, it all depends on the hacker’s intent.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

How To Stop Criminal Hackers In Their Tracks

/in /by

Do you offer free WiFi? Put these three safeguards in place to protect your customers and your business.

3DOn a recent trip from Boston to New York on an Acela Express train, I was writing blogs and doing some research using Amtrak’s free wireless Internet. “Free” usually translates to “unsecured,” which means a criminal hacker with the right hardware and software could have sniffed out my wireless communications and grabbed my data. That same hacker, depending on my device’s firewall, setup and sharing settings, might also have been able to access my drive and files and even plant a virus on my device.

But I wasn’t worried because I use a virtual private network software that allows me to surf on an unsecured connection.

Amtrak also knows its free wireless is risky for its users, so before you can use it, you have to agree to the terms and conditions of the Wi-Fi’s use that indemnify Amtrak.

Protecting Your Business

Free wireless is everywhere, because Wi-Fi brings in customers and is a great tool to help create customer loyalty as well. Numerous merchants, including hotels, coffee joints, fast food places and numerous others with a storefront, offer free Wi-Fi to attract people and increase sales.

But it has its downsides, too. If you’re offering it in your place of business, you need to understand that your access point can be used for criminal activity—and to hack your own business, too.

So what are criminals looking for? Criminals connect to free Wi-Fi for:

  • Pirating music, movies and software via P2P programs. This criminal activity costs the recording and motion picture industries billions of dollars every year. The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) are cracking down on any IP address associated with illegal downloading and will come after your business too.
  • Child pornography. Law enforcement spends lots of time in chatrooms posing as vulnerable kids, chatting it up with pedophiles who buy sell and trade in child pornography. If your IP address is used for this purpose, you will get a knock on the door with a battering ram.
  • Criminal hacking. Bad-guy hackers look for vulnerabilities in others’ devices when using free Wi-Fi networks. They steal keystrokes, usernames, passwords and account info, and install spyware and viruses.

You’re not powerless against these hackers. These three safeguards are the first hurdles you can put in place to secure your company’s Wi-Fi:

1. Use a web proxy/filter. IT security vendors sell software that filters out or blocks known websites and prevents the sharing of P2P files. For more details on what kind of information can be accessed, search “internet access control software” to find a suitable vendor.

2. Add an agreeable use policy. There are numerous phrases a small business can incorporate into an agreeable guest use policy. You may want to include such language as “User agrees not to …”

  • Willfully, without authorization, gain access to any computer, software, program, documentation or property contained in any computer or network, including obtaining the password(s) of other persons. Intercepting or attempting to intercept or otherwise monitor any communications not explicitly intended for him or her without authorization is prohibited.
  • Make, distribute and/or use unauthorized duplicates of copyrighted material, including software applications, proprietary data and information technology resources. This includes the sharing of entertainment (e.g., music, movies, video games) files in violation of copyright law.

You may want to search for and read other business’s agreeable use policies in order to help you compose your own. And be sure to have your lawyer or legal department review it before you begin having customers agree to it.

3. Implement a secure Wi-Fi. Wi-Fi that requires users to log in with a username and password to charge even a dollar will then have their credit card number on file. This would mostly eliminate any anonymity, thus preventing numerous e-crimes.

Don’t think for a second something bad can’t happen to your business. Performing due diligence, knowing your options and implementing these barriers will keep both you and your customers from legal troubles and from getting hacked.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Washington Man Steals Over 1000 Identities

/0 Comments/in /by

While we often hear about international criminal hackers compromising databases and stealing credit card information, identity theft is often committed locally, by someone with access to sensitive paperwork.

In one such case, a suspected identity thief was recently arrested in Washington, after driver’s licenses, credit cards, and Social Security numbers were stolen from more than a thousand victims across the state.

Detectives believe the documents were stolen from cars and homes and used to open fraudulent bank accounts in victims’ names. Seized evidence includes bags of driver’s licenses, credit cards, credit card swipers, Social Security cards, and a list of thousands of names and Social Security numbers. It is difficult to estimate the total financial loss as the investigation is still underway, but so far the number is into the high thousands, and sure to increase.

According to court documents, the suspect admits being involved in identity theft in order to support his drug habit.

It is important to observe basic security precautions to protect your identity, like using a locked mailbox and checking your online statements often. But while you can store paperwork containing personal information in a locked safe and refrain from keeping sensitive documents in your car, there’s little you can do to ensure the safety of your personal information when it’s stored by corporations and government agencies.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on their accounts. McAfee Identity Protection includes all these features, as well as immediate assistance from fraud resolution agents if your identity is ever compromised. For additional tips, visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

Criminal Hackers: The Soldiers of the Web Mob

/0 Comments/in , /by

Today’s criminal hackers are very different than those who hacked for fun and fame a decade ago. Every week, I see stories about more criminals in faraway lands, making millions from various scams, emptying the bank accounts of small businesses or draining the financial reserves of entire towns.

High-tech crimes can be committed by lone individuals, by small groups, or by organized web mobs. These web mobs structurally resemble the longtime operation of the Russian and Italian mafias, the Irish mob, the Bandidos, and the Hells Angels.

The Anti-Phishing Working Group has noted the success of Avalanche, a particularly large and successful web mob with an emphasis on phishing: “Phishing has always been attractive to criminals because it has low start-up costs and few barriers to entry. But by mid-2009, phishing was dominated by one player as never before—the ―Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and crimeware– malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts.”

Avalanche was responsible for two-thirds of all phishing attacks launched in the second half of 2009, and for the overall increase in phishing attacks across the Internet.

Cybercrime of this magnitude requires a carefully ordered hierarchy. The players include:

  • Programmers, who write the viruses that will infect victim’s PCs
  • Carders, who sell stolen credit card data
  • IT guys, or black hat computer professionals, who maintain the hardware necessary to keep the operation running
  • Hackers, who look for vulnerabilities in networks and plant malicious code
  • Social engineers, who come up with the scam and write phishing emails to send to potential victims
  • Money mules, who are often foreign, traveling to the US specifically to open bank accounts, and who may also launder money
  • Bosses, who run the show, bring together talent, manage, and delegate

All of this is very real and it is happening right now. Even though data security hasn’t been in the media spotlight this year, we should all be aware of these risks.

To protect yourself from the bad guy, make sure your PC is fully updated with critical security patches, antivirus software, anti-spyware software, a secure wireless connection, and a two-way firewall. Check your online account statements frequently, and consider investing in identity theft protection that monitors your credit reports and monitors your information on the internet’s back ally chat rooms.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking wireless networks on Fox Boston. Disclosures

Criminal Hackers Create 3 Million Fraudulent Websites Annually

/0 Comments/in , /by

A recent study shows that organized criminals create approximately 8,000 malicious websites every day, or over 57,000 each week.

These malicious websites model legitimate websites that we visit every day, such as bank websites, online shopping sites, and eBay. According to this study, the most frequently impersonated companies include Visa, Amazon.com, PayPal, HSBC, and the United States Internal Revenue Service.

People are typically directed to these scam sites in one of three ways:

1. Often, potential victims end up visiting these spoofed websites via phishing scams. Phishing, of course, occurs when you receive an email that appears to be sent from your bank or other trusted entity, and a link in the email brings you to a website that is designed to steal your login credentials.

2. Scammers lure victims to their scam sites via search engines. When a website is created and uploaded to a server, search engines index the scam sites as they would any legitimate site. Doing a Google search can sometimes lead you to a website designed to steal your identity.

3. Social media sites like Facebook and Twitter are free, and this gives scammers an advertising platform. Criminals simply post links in status messages, on group pages, or fan message boards, using the legitimate appearance of the site to gain credibility.

Once a computer user clicks one of these links, he or she ends up on a website that is riddled with malicious software, which may install itself on the victim’s computer even if the victim doesn’t click or download anything on the scam site. This tactic is called a “drive by.” Or, users may be tricked into clicking links to download files. Either way, the ultimate goal is to gather usernames, passwords, and, if possible, credit card or Social Security numbers in order to steal identities.

By understanding how these scams work, PC users can begin to learn what to do while online and, more importantly, what not to do.

Never click on links in the body of an email. NEVER. Always go to your favorites menu or manually type the address into the address bar. This means that you should never copy and paste links from emails, either.

When searching out a product or service, be aware that you could be led to a scam site. A properly spelled web address is one indicator of an established, legitimate site. Try to restrict your business to sites you know and trust. Also, before entering credit card information, look for “https://” in the address bar. This means it’s a secure page and less likely to be a scam.

Just because a link for a tempting deal appears on a popular social networking website doesn’t mean it’s legitimate. I’d shy away from clicking links. Use your common sense. If it seems too good to be true, it is.

Forewarned is forearmed.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses phishing on NBC Boston. Disclosures