Enable Security Features on Smartphones and Tablets:
Specific security features vary between devices and operating systems. Use whichever features your device offers that provide the best security for your needs:
- Password, passcode, or PIN: Setting a password, passcode, or PIN to access your device is generally simple and effective. Use a code that is four digits or longer, and keep it secret, like you do for your email password or passphrase.
- Unlock pattern: Some handheld devices let you set unlock patterns that function like PINs. Use a pattern with some complexity (for example, with at least five points), keep it secret, and protect it from observers. Additionally, be aware that smudges on the face of your device may reveal your pattern to unauthorized users.
- Device lockout: Most handheld devices provide a lockout option that locks the device if someone makes several consecutive unsuccessful attempts to enter the password, PIN, or pattern. Using the lockout option can thwart a brute-force attempt to guess your password, PIN, or pattern. Setting the lockout limit to 10 attempts is usually sufficient.
- Auto-wipe: Auto-wipe is similar to the lockout option, but more secure. After several consecutive unsuccessful password, pattern, or PIN attempts, the device will automatically erase (wipe) all stored data and reset itself to the factory defaults.
- When you use the auto-wipe option, make sure to back up your data regularly (for example, to a desktop computer or a cloud storage service). Consult your device’s documentation for instructions on backing up data.
- Encryption: Certain handheld devices are capable of employing data encryption. Consult your device’s documentation or online support resources for information about available encryption options.
The following common features are frequently useful, but can also create security risks. You may want to consider disabling them:
- Bluetooth: Consider disabling Bluetooth connectivity on your device unless you need it. Hackers and data thieves can use Bluetooth connections to “eavesdrop” on your device and access your sensitive data.
- GPS: Consider disabling Global Positioning System (GPS) and other location services unless you need them. Your physical location (or the locations of your device) is a piece of sensitive data that you may not want stored or broadcast. Conversely, if your device is GPS-enabled, some apps and services (such as Find My iPhone) can help locate your device if it is lost or stolen.
Find, Lock, or Erase a Lost/Stolen Device
Android Devices
Find, lock, or erase a lost Android device
If you lose an Android phone or tablet, or Wear OS watch, you can find, lock, or erase it. If you’ve added a Google Account to your device, Find My Device is automatically turned on. Learn how to make sure that your device can be found if it gets lost.
To find, lock, or erase an Android phone, that phone must:
- Be turned on
- Be signed in to a Google Account
- Be connected to mobile data or Wi-Fi
- Be visible on Google Play
- Have Location turned on
- Have Find My Device turned on
If you used your lost phone for 2-step verification, you must have a backup phone or backup code. Remotely find, lock, or erase
1. Go toandroid.com/find and sign in to your Google Account.
- If you have more than one phone, click the lost phone at the top of the screen.
- If your lost phone has more than one user profile, sign in with a Google Account that’s on the main profile. Learn about user profiles.
- The lost phone gets a notification.
- On the map, you’ll get info about where the phone is.
- The location is approximate and might not be accurate.
- If your phone can’t be found, you’ll see its last known location, if available.
4. Pick what you want to do. If needed, first click Enable lock & erase.
- Play sound: Rings your phone at full volume for 5 minutes, even if it’s set to silent or vibrate.
- Secure device: Locks your phone with your PIN, pattern, or password. If you don’t have a lock, you can set one. To help someone return your phone to you, you can add a message or phone number to the lock screen.
- Erase device: Permanently deletes all data on your phone (but might not delete SD cards). After you erase, Find My Device won’t work on the phone.
- Important: If you find your phone after erasing, you’ll likely need your Google Account password to use it again. Learn about device protection.
Find, Lock, or Erase a Lost/Stolen Device
Apple Devices
If your iPhone or iPad are lost or stolen: these steps might help you locate the device and protect your information.
If Find My [device] is enabled on your missing device
You can use the Find My app to find your device, take additional actions to help you recover it, and keep your information safe.
- Sign in to iCloud.com/find on the web or use the Find My app on another Apple device.
- Find your device. Open the Find My app or go to iCloud.com and click Find iPhone. Select a device to view its location on a map. If the device is nearby, you can have it play a sound to help you or someone nearby find it.
- Mark As Lost. This will remotely lock your device with a passcode and you can display a custom message with your phone number on your missing device’s Lock screen. It will also keep track of your device’s location. If you added credit, debit, or prepaid cards to Apple Pay, the ability to make payments using Apple Pay on the device is suspended when you put your device in Lost Mode.
- Report your lost or stolen device to local law enforcement. Law enforcement might request the serial number of your device. Find your device serial number.
- If your missing device is covered by AppleCare+ with Theft and Loss, you can file a claim for your lost or stolen iPhone. Skip to step 7 below.
- Erase your device. To prevent anyone else from accessing the data on your missing device, you can erase it remotely. When you erase your device, all of your information (including credit, debit, or prepaid cards for Apple Pay) is deleted from the device, and you won’t be able to find it using the Find My app or Find iPhone on iCloud.com. After you erase a device, you can’t track it. If you remove the device from your account after you erase it, Activation Lock will be turned off. This allows another person to turn on and use your device.
- Report your lost or stolen device to your wireless carrier, so they can disable your account to prevent calls, texts, and data use. Your device might be covered under your wireless carrier plan.
- Remove your lost or stolen device from your list of trusted devices.
If you use Family Sharing, any family member can help locate another member’s missing device. Just have your family member sign in to iCloud with their Apple ID, and you can find any device that you or your family members use with Family Sharing.
If Find My [device] isn’t turned on on your missing device
If you didn’t turn on Find My [device] before your device was lost or stolen, it can’t be used to locate your device. But you can use these steps to help protect your data:
- Change your Apple ID password. By changing your Apple ID password, you can prevent anyone from accessing your iCloud data or using other services (such as iMessage or iTunes) from your missing device.
- Change the passwords for other internet accounts on your device. This can include email accounts, Facebook, or Twitter.
- Report your lost or stolen device to local law enforcement. Law enforcement might request the serial number of your device. Find your device serial number.
- Report your lost or stolen device to your wireless carrier. Your carrier can disable the account, preventing phone calls, texts, and data use.
- Remove your lost or stolen device from your list of trusted devices.
Find My [device] is the only way that you can track or locate a lost or missing device. If Find My [device] isn’t enabled on your device before it goes missing, there’s no other Apple service that can find, track, or flag your device for you.
Social Engineering, Phishing, & Other Malicious Activities
If Find My [device] is enabled on your missing device
9 Examples of Social Engineering Attacks
Examples of social engineering range from phishing attacks where victims are tricked into providing confidential information, vishing attacks where an urgent and official sounding voice mail convinces victims to act quickly or suffer severe consequences, or physical tailgating attacks that rely on trust to gain physical access to a building.
The nine most common examples of social engineering are:
- Phishing: tactics include deceptive emails, websites, and text messages to steal information.
- Spear Phishing: email is used to carry out targeted attacks against individuals or businesses.
- Baiting: an online and physical social engineering attack that promises the victim a reward.
- Malware: victims are tricked into believing that malware is installed on their computer and that if they pay, the malware will be removed.
- Pretexting: uses false identity to trick victims into giving up information.
- Quid Pro Quo: relies on an exchange of information or service to convince the victim to act.
- Tailgating: relies on human trust to give the criminal physical access to a secure building or area.
- Vishing: urgent voice mails convince victims they need to act quickly to protect themselves from arrest or other risk.
- Water-Holing: an advanced social engineering attack that infects both a website and its visitors with malware.
The one common thread linking these social engineering techniques is the human element. Cybercriminals know that taking advantage of human
emotions is the best way to steal.
Traditionally, companies have focused on the technical aspects of cybersecurity – but now it’s time to take a people-centric approach to cyber
security awareness.
How Does Social Engineering Happen?
Social engineering happens because of the human instinct of trust. Cybercriminals have learned that a carefully worded email, voicemail, or text message can convince people to transfer money, provide confidential information, or download a file that installs malware on the company network.
Consider this example of spear phishing that convinced an employee to transfer $500,000 to a foreign investor:
- Thanks to careful spear phishing research, the cybercriminal knows the company CEO is traveling.
- An email is sent to a company employee that looks like it came from the CEO. There is a slight discrepancy in the email address – but the spelling of the CEO’s name is correct.
- In the email, the employee is asked to help the CEO out by transferring $500,000 to a new foreign investor. The email uses urgent yet friendly language, convincing the employee that he will be helping both the CEO and the company.
- The email stresses that the CEO would do this transfer herself but since she is traveling, she can’t make the fund transfer in time to secure the foreign investment partnership.
- Without verifying the details, the employee decides to act. He truly believes that he is helping the CEO, the company, and his colleagues by complying with the email request.
- A few days later, the victimized employee, CEO, and company colleagues realize they have been a victim of a social engineering attack and have lost $500,000.
Examples of Social Engineering Attacks
Savvy cybercriminals know that social engineering works best when focusing on human emotion and risk. Taking advantage of human emotion is much easier than hacking a network or looking for security vulnerabilities.
These examples of social engineering emphasize how emotion is used to commit cyber-attacks:
Fear
You receive a voicemail that says you’re under investigation for tax fraud and that you must call immediately to prevent arrest and criminal investigation. This social engineering attack happens during tax season when people are already stressed about their taxes. Cybercriminals prey on the stress and anxiety that comes with filing taxes and use these fear emotions to trick people into complying with the voicemail.
Greed
Imagine if you could simply transfer $10 to an investor and see this grow into $10,000 without any effort on your behalf? Cybercriminals use the basic human emotions of trust and greed to convince victims that they really can get something for nothing. A carefully worded baiting email tells victims to provide their bank account information and the funds will be transferred the same day.
Curiosity
Cybercriminals pay attention to events capturing a lot of news coverage and then take advantage of human curiosity to trick social engineering victims into acting. For example, after the second Boeing MAX8 plane crash, cybercriminals sent emails with attachments that claimed to include leaked data about the crash. In reality, the attachment installed a version of the Hworm RAT on the victim’s computer.
Helpfulness
Humans want to trust and help one another. After doing research into a company, cybercriminals target two or three employees in the company with an email that looks like it comes from the targeted individuals’ manager. The email asks them to send the manager the password for the accounting database – stressing that the manager needs it to make sure everyone gets paid on time. The email tone is urgent, tricking the victims into believing that they are helping out their manager by acting quickly.
Urgency
You receive an email from customer support at an online shopping website that you frequently buy from telling you that they need to confirm your credit card information to protect your account. The email language urges you to respond quickly to ensure that your credit card information isn’t stolen by criminals. Without thinking twice and because you trust the online store, you send not only your credit card information but also your mailing address and phone number. A few days later, you receive a call from your credit card company telling you that your credit card has been stolen and used for thousands of dollars of fraudulent purchases.
Download the Definitive Guide to People-Centric Security Awareness to learn how focus on human emotion and risk can instill a security culture in your organization that protects against social engineering attacks.
How to Protect Against Social Engineering
“People affect security outcomes more than technology, policies or processes. The market for security awareness computer-based training (CBT) is driven by the recognition that, without perfect cybersecurity protection systems, people play a critical role in an organization’s overall security and risk posture. This role is defined by inherent strengths and weaknesses: people’s ability to learn and their vulnerability to error, exploitation and manipulation. End-user-focused security education and training is a rapidly growing market. Demand is fueled by the needs of security and risk management (SRM) leaders to help influence the behaviors that affect the security of employees, citizens and consumers.” (Gartner Magic Quadrant for Security Awareness Computer-Based Training, Joanna Huisman, 18 July 2019) |
To protect against social engineering attacks requires a focus on changing behavior. When company employees understand how easy it is to be tricked or scammed by a social engineering attack, they are more likely to be vigilant and suspicious of emails, voicemails, texts, or other cyber-attack approaches.
Changing human behavior is not easy and does not happen overnight. We know from first-hand experience that the best way to instill a cyber security aware culture and to create internal cyber heroes is with a people-centric approach to security awareness training.
To effectively protect your company against social engineering requires a focus on five people-centric elements as the foundation for security awareness training:
- High Quality Content: engages users and provides a training program that resonates and changes behavior.
- Personalized Campaigns: provide content that employees can relate to and apply to their day-to-day.
- Collaborative Partner: work with a partner who uses a consultative approach to understand your unique needs to deliver a custom security awareness program designed specifically for your organization.
- Security Awareness 5-Step Framework: a training and awareness program built on a proven methodological approach to learning and changing behavior.
- Security Awareness As A Service: provides flexibility and support to effectively deploy, measure, and report results of phishing simulations, awareness training, and campaign visibility.
How to Stay Protected Against Social Engineering
To stay protected against social engineering attacks, it’s important to recognize the power of ego. Each of us wants to believe that we would never be tricked or scammed by a phishing email or other social engineering attack. However, as we know, cybercriminals rely on all aspects of human emotion and nature to subtly deceive and trick people into acting.
It’s only with first-hand experience of being phished or violated by another social engineering approach that people really appreciate how social engineering works. By using a people-centric approach to security awareness training that uses phishing simulations, engaging and relevant content, and an understanding of human nature – you can stay protected against social engineering.
Risks of Public Wi-Fi
What is public Wi-Fi?
Public Wi-Fi can be found in popular public places like airports, coffee shops, malls, restaurants, and hotels — and it allows you to access the Internet for free. These “hotspots” are so widespread and common that people frequently connect to them without thinking twice. Although it sounds harmless to log on and check your social media account or browse some news articles, everyday activities that require a login — like reading e-mail or checking your bank account — could be risky business on public Wi-Fi.
What are the risks?
The problem with public Wi-Fi is that there are a tremendous number of risks that go along with these networks. While business owners may believe they’re providing a valuable service to their customers, chances are the security on these networks is lax or nonexistent.
Man-in-the-Middle attacks
One of the most common threats on these networks is called a Man-in-the-Middle (MitM) attack. Essentially, a MitM attack is a form of eavesdropping. When a computer makes a connection to the Internet, data is sent from point A (computer) to point B (service/website), and vulnerabilities can allow an attacker to get in between these transmissions and “read” them. So what you thought was private no longer is.
Unencrypted networks
Encryption means that the information that is sent between your computer and the wireless router are in the form of a “secret code,” so that it cannot be read by anyone who doesn’t have the key to decipher the code. Most routers are shipped from the factory with encryption turned off by default, and it must be turned on when the network is set up. If an IT professional sets up the network, then chances are good that encryption has been enabled. However, there is no surefire way to tell if this has happened.
Malware distribution
Thanks to software vulnerabilities, there are also ways that attackers can slip malware onto your computer without you even knowing. A software vulnerability is a security hole or weakness found in an operating system or software program. Hackers can exploit this weakness by writing code to target a specific vulnerability, and then inject the malware onto your device.
Snooping and sniffing
Wi-Fi snooping and sniffing is what it sounds like. Cybercriminals can buy special software kits and even devices to help assist them with eavesdropping on Wi-Fi signals. This technique can allow the attackers to access everything that you are doing online — from viewing whole webpages you have visited (including any information you may have filled out while visiting that webpage) to being able to capture your login credentials, and even hijack your accounts.
Malicious hotspots
These “rogue access points” trick victims into connecting to what they think is a legitimate network because the name sounds reputable. Say you’re staying at the Goodnyght Inn and want to connect to the hotel’s Wi-Fi. You may think you’re selecting the correct one when you click on
“GoodNyte Inn,” but you haven’t. Instead, you’ve just connected to a rogue hotspot set up by cybercriminals who can now view your sensitive information.
How to stay safe on public Wi-Fi
The best way to know your information is safe while using public Wi-Fi is to use a virtual private network (VPN), like Norton Secure VPN, when surfing on your PC, Mac, smartphone or tablet. However, if you must use public Wi-Fi, follow these tips to protect your information.
Don’t:
- Log into any account via an app that contains sensitive information. Go to the website instead and verify it uses HTTPS before logging in
- Leave your Wi-Fi or Bluetooth on if you are not using them
- Access websites that hold your sensitive information, such as such as financial or healthcare accounts
- Log onto a network that isn’t password protected
Do:
- Disable file sharing
- Only visit sites using HTTPS
- Log out of accounts when done using them
- Use a VPN, like Norton Secure VPN, to make sure your public Wi-Fi connections are made private
Mobile Application Delivery/Marketplace
- As of 11/18/2020 the only reputable places to download and install / update apps are the Google play store for Android devices and the Apple app store for Apple devices. These stores come pre-installed.
Trademarks:
Android and Google Play are registered trademarks of Google, Inc.
Apple, iPhone, iPad, and iPod Touch are registered trademarks of Apple Inc. App Store and Apple Pay are a service mark
of Apple Inc.
Norton Secure VPN is a Copyright of NortonLifeLock Inc.
Other names may be trademarks of their respective owners.