Your Digital Doppelganger
Lots of Hackers Would Love To Be You!
“I’m just a small business – what could I have that is important to hackers?” You’ve probably heard this sentiment and may have used it to wonder why you should spend money on better network security. We’ll talk about what you have that’s valuable, what hackers can gain from your network, and some initial steps to keep your network your own.
Video Transcript
Introduction
Well, good morning, everybody, and welcome to today’s session from Practical Cybersecurity on Digital Privacy. And our title this morning is a little bit different. “Your digital doppelganger, lots of hackers would love to be you.”
You know, if we’ve learned anything about digital privacy over the last few years, it’s the fact that there are all sorts of people who want all sorts of stuff that we have. And so, the question that we have to ask as we walk through life in a digital age is how do we protect our stuff as best we can? How do we keep private the things that should be private while letting other folks see the things that should be public?
Online Identity vs Digital Footprint
Well, let’s start out by talking about two concepts, and these two concepts actually form a good basis to help us understand what’s going on. The first concept when we talk about our digital footprint is to think about the question of our online identity.
Online Identity
Now, your online identity is a collection of all that information that represents you on the internet, or some people call it your digital persona. So, you might think about your information on Facebook or your profile information that you placed out on LinkedIn. Or all sorts of things like that to help identify who you are as a person so people can find you and interact with you.
Digital Footprint
But besides your online identity that you have, we also have something called our digital footprint. And that digital footprint is going to be that trail of data you leave behind when you use the Internet.
So, for example, you go to a certain website: you type a URL into your web browser, and that URL is going to go out to the domain name system, leaving a footprint that says your address went to this place.
Or we might talk about cookies that are left on your computer from some ad that you looked at. Somebody else is doing digital remarketing, and so they’re able to use those cookies to trail back and present you ads for whatever it was that you looked at some time ago.
What’s the difference?
So, this difference between your online identity (basically the definition of who you are) and your digital footprint (the trail of breadcrumbs that you leave behind as you go about on the Internet) is really an important thing to understand.
What people don’t understand and recognize is that all this data that you leave behind is important. All of this data is often collected and shared, and, I should have added, a lot of times it is sold.
So for example, I’m told that certain DNS providers may turn around and sell the data that is collected on your web searches. We’ve all seen information online about how the information on where your cell phone goes at different hours is collected.
That data is collected and put together and sold.
So, you take all of these parts and pieces of the different data that a person leaves, and the result is that not only is that data often collected, shared, and sold, but the other result is that hackers can turn around and use that data to exploit something somehow.
Why Am I A Target?
Now there’s lots of different ways in which hackers may try to exploit that data, and we’ll come back to that in a little bit. But probably the first question we should ask is why in the world are you a target?
A lot of people think, well, I don’t have anything. Why would the hackers want to come after me? Or I don’t have any money, or I don’t have…fill in the blank with whatever it is. Why in the world am I a target?
To Exploit Your Identity
Well, you’re a target for a number of reasons. First off, you’re a target because actors want to exploit your identity. Actors find out who you are and they recognize that you are a person. You’ve got different items that come along with being that, and so they’re going to try to exploit your identity for a number of different reasons. Sometimes it may be that they want financial gain.
I was talking to a bank friend of mine recently, and they were talking about how frequently customers are coming into the bank after they have been exploited for financial gain, often through some kind of social engineering.
So, a hacker may call you up. Sometimes you’ll get this call claiming that it’s a child or a grandchild needing money. Or sometimes it’ll be something that plays on your sense of needing extra cash, and they’ll say to you, we have this big amount of cash for you if you do that. Or sometimes it’s something that plays off of your fear: they’ll say you have to send us so much money to stop this attack from taking over your network. There are 1001 ways in which social engineering is used to try to exploit you.
To Gain Access To Bigger Targets
Not only does it exploit you, but particularly if you’re a business, hackers will want to use this first footstep and then move on up into bigger targets so that they can get more money or more ransom. More whatever.
To Leverage Your Online Persona
So no matter who you are, no matter what, how much it is that you’ve got, if you’ve got computer resources, if you’ve got a digital identity, if you’ve got an online persona, so to speak. If you do anything and leave bread crumbs and tracks, you’ve got folks that are going to be coming after you for a lot of different reasons.
These are only a few that you see on the screen right now. There may be more reasons why a person wants to come after you as an actor.
The Consequences
And so the consequences can be absolutely devastating for many people if they find that they have indeed succumbed to this and find out that they have indeed fallen victims to the hacker of some kind.
Financial Consequences
Sometimes that consequence comes in the form of financial problems, and I’ve seen it within my own family. We’ve all seen stories of people who had finances drained or taken from their bank accounts. This financial fraud strikes very close to home.
One thing that really aggravates me is that many times these hackers will prey on older folks because they know older folks many times aren’t as computer savvy. And so, as they try to prey on them, they know they’ve got retirement funds, and they will absolutely mercilessly drain them. Sometimes they will use a fake love interest to do that. There are all sorts of variations, but one of the main consequences is financial fraud.
Hackers may also do account takeover. I knew of a case one time where an individual was contacted by hackers and the hackers talked them into giving their entire financial account information over to the bad guys under the guise that the bad guys were going to protect them from what somebody else was trying to do. And this was a gentleman who had, you know, he had enough money to live on, but he wasn’t wealthy and they mercilessly wanted to take his money. And they do that frequently.
Reputational Damage
When hackers take over a business in particular, there’s reputational damage. It gets out into the news that your firm has been ransomed and that you find all your data is encrypted and they’re holding it for ransom. You may find out that if you’re in healthcare or something else that has PII, that information is threatened with release.
What a lot of places don’t understand or don’t fully comprehend is that this reputational damage, while it’s hard to put a dollar value to it, can be enormous and can actually seriously hurt, or seriously destroy your business. So besides the financial and account implications, there’s also reputational ones, and once again, if you’re a company that works with larger firms, they may use you as a stepping stone to move up the line at some level.
How Do Hackers Work Against Us?
So if you’ve got all of these bad folks after your stuff, all of this coming after you, trying to find some way to take over your stuff and make you the victim of their next fraud, it’s good for us to think about how hackers work against us. New ways are developed every day, but these are some of the most common ways that we see hackers working against us.
Phishing
Frequently they use some kind of phishing scheme. Now, in today’s world phishing has taken on all sorts of different forms, but phishing (spelled with a “ph”) simply means that they’re throwing out a net, trying to find out who’s going to bite and take the bait and then become their next victim.
Phishing traditionally has been done using e-mail. So, you get this e-mail that says, hey, we discovered that your bank accounts are under attack. Please call us and provide your data. Everybody wants to protect their bank account.
It used to be we always got the emails from the Nigerian prince or whoever that was going to leave us so many millions of dollars if we’d only call and send so much money to get the process started. Phishing by e-mail takes lots of forms, and it is still effective, as you still find people around the world who fall for it.
Vishing
In today’s world, the second term that’s taking on a bigger prominence is what’s called “vishing,” which is basically voice phishing. Now with the advent of AI, that makes phishing even more tenable, because it’s very easy, with a small snippet of a person’s voice, to turn around and create a whole sentence, so that when you get somebody on the line, they think that you’re that person. So if you’re a grandparent, you get a call from somebody claiming to be your grandson.
Grandson says, “Grandma, I’ve been in a wreck. I need money to get out of…whatever…”. And from Grandma’s perspective, because of the use of AI, that voice on the other end sounds extremely like the grandson. It sounds identical to it, as AI can produce this.
I got a call one time. I was at my parents’ house and this call came in from a voice claiming to be a grandchild and all that. And they were trying to claim that the voice didn’t sound right because they had broken their nose in an accident, or had a cold, and with all that, it no longer sounded like itself. Vishing works, and it particularly works against older folks who want to protect their family.
Smishing
Similar to that is something else called smishing, which comes over SMS or text messaging. You get a text message. Once again: text message, Grandma, I need help. Text message, Grandpa, I’ve been in a wreck.
Text message: your counselor or your tax accountant, please contact us immediately. We see all sorts of forms like that. And while it’s tempting to say, why can’t we just block the phone numbers they call from, because of the ease with which you can fake the phone number you originate from, it’s virtually impossible to block it.
Web Forms
We also are seeing more and more web forms, and it seems, from what I’m watching, that web forms are coming back into use. They were down for a while; they’re back. But web forms can pop up.
A frequent one you see is one that comes up and says that your computer is under attack. This is Microsoft. Call this number and we’ll help you fix it or some variation of that. And it always costs money. And they always want access to your computer. And then once they do that, who knows what’s going to take off from there?
Fake Documents
And then the old fake documents. Many times this involves paper that actually comes in the mail from somebody, or it may be a PDF that comes online. Particularly if it’s a PDF, the PDF or other Word document or something will have embedded scripts in it.
So, you get a document, you think it’s from a vendor that you know and trust and deal with. You open that document and that script runs, and who knows what’s going to happen to your computer at that point in time. So fake documents are another form of phishing, and we see this one a lot, particularly against businesses. And so as hackers work against you with phishing, combining it with social engineering often makes it a very real, very plausible, and oftentimes difficult-to-spot threat.
Every business has on their website something about who they are and what they do, maybe contact information. You go to LinkedIn and you can find out the contact information for people and who they are. And so combining social engineering with the different types of phishing that you see up there often results in success for the bad guys as they try to get some kind of stuff from you.
How Do We Protect Ourselves?
So with everybody arrayed against us and everybody working to try to get into our stuff and take over, how in the world do we go about protecting ourselves in this kind of world? You know, it honestly is really difficult for many people when things are arrayed and so much is done to try to get into our stuff and take over our things.
Strong, Unique Passwords
There’s a lot of ways we can protect ourselves. And so most important–this one you have heard multiple times—use strong, unique passwords. That means that the password you use to get into your e-mail is different from the password you use to get into your bank account, which is different from the password you use to get into your IRA accounts, which is different from the password you use to get into Facebook.
Strong, unique passwords. Strong meaning there’s complexity, uppercase, lowercase, numbers and special characters. Strong meaning also that it is long. Nowadays 16 is kind of the minimum number of characters you should have, and really you’re better off if you get larger.
Password Managers
If we had to remember all that on our own, that would be virtually impossible. So password managers help us out. Your browsers now all have password managers built in. If you’re in some kind of a business and need some kind of a password manager for a corporate environment, there’s a number of good choices that are out there.
Passphrases
If you find it difficult to remember passwords, or want to remember stuff you don’t want to write down, it’s always good to use a passphrase. So you might choose two or three words that are unrelated, mix in some numbers and special characters, and make that your passphrase.
One favorite comes from a comic strip, where you use a donkey, a battery, numbers, and an exclamation point. That’s a good way to do it. You can find passphrase generators on the internet that will pick two or three random words that you put together to create your own special passphrase.
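The following is an added example, not code from the presentation, showing the generator and the strength checks just described: unrelated random words from a word list, one capitalised, joined with a special character and followed by a number, then checked against the talk’s rule of at least 16 characters with upper, lower, digit and special characters. The 25-word list is a constructed stand-in (an assumption); the entropy function shows why a real generator must use a much larger list.

```python
import math
import secrets
import string

# Constructed word list (an assumption for this example). A real generator should
# draw from a large published list such as the EFF long word list (7,776 words).
WORDS = [
    "anchor", "basket", "candle", "dolphin", "eclipse", "feather", "granite",
    "harvest", "igloo", "jasmine", "kettle", "lantern", "meadow", "nectar",
    "orchard", "pebble", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]
SEPARATORS = "!@#$%^&*-"


def generate_passphrase(word_count=3, words=WORDS):
    """Pick unrelated random words with the OS CSPRNG (secrets, never random),
    capitalise one of them, join them with a special character and append a number."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    idx = secrets.randbelow(word_count)
    chosen[idx] = chosen[idx].capitalize()
    separator = secrets.choice(SEPARATORS)
    number = f"{secrets.randbelow(100):02d}"
    return separator.join(chosen) + number


def check_strength(password, min_length=16):
    """The checks from the talk: at least 16 characters plus all four character classes."""
    return {
        "long_enough": len(password) >= min_length,
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def is_strong(password, min_length=16):
    return all(check_strength(password, min_length).values())


def entropy_bits(word_count=3, words=WORDS, separators=SEPARATORS):
    """Guessing entropy of this construction when the attacker knows the scheme and
    the word list: only the word choices, which word is capitalised, the separator
    and the two-digit number are secret."""
    return (word_count * math.log2(len(words))
            + math.log2(word_count)
            + math.log2(len(separators))
            + math.log2(100))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_strength(phrase), f"{entropy_bits():.1f} bits")
```

With the 25-word list above, three words give only about 25 bits, which is why the list size matters more than the separators and digits: the same construction over a 7,776-word list gives roughly 50 bits. Length is guaranteed here because the shortest word is five letters, so three words plus separators and digits always exceed 16 characters.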
Multi-factor Authentication (MFA)
But passwords alone aren’t going to do the job. That’s why nowadays virtually everybody talks about having multi-factor authentication. And while multi-factor authentication is good, does a great job, and stops (I think I read recently) 95% of attacks (it is really good), multi-factor authentication takes up time.
You’ve got several different variations. Probably the most common are multifactor authentication where you’ve got some kind of an authenticator on your phone, and then when you go to the website, you enter username, password, and then it asks for a code. That can come through an authenticator app on your phone.
Sometimes, rather than doing it by the authenticator app, the website may choose to send an e-mail with the code to you, or it may choose to send a text message to you with the code.
Whatever you’re doing, and I know there are all the arguments about which of these different types of multi-factor authentication is the best: from my perspective, anything’s better than nothing. So, if you prefer text-message multi-factor authentication, do it. Just set up MFA on everything that you possibly can.
By the way, from use over a long time, using the authenticators on your phone is not onerous, it’s not too hard to do.
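To show what the authenticator app on your phone is actually doing when it hands you a six-digit code, here is an added example (not code from the presentation) implementing the standard time-based one-time password algorithm, RFC 6238 TOTP built on RFC 4226 HOTP, with the server-side verification that tolerates one step of clock drift. The shared secret and timestamps used in the usage note are the published RFC test values; the base32 helpers mirror how the secret is shown during enrolment.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = Unix time // 30-second step.
    The phone app and the server both compute this from the same shared secret."""
    t = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Server side: accept the code for the current step and +/- `window` steps
    of clock drift, comparing in constant time."""
    t = int(time.time()) if for_time is None else int(for_time)
    for drift in range(-window, window + 1):
        expected = totp(secret, t + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def new_secret_base32(nbytes=20):
    """Fresh shared secret in the base32 form used for QR-code enrolment."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_from_base32(text):
    """Decode a base32 secret as shown to the user (case-insensitive, spaces and padding optional)."""
    clean = text.strip().replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); constructed demo only.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59:", totp(demo_secret, 59))          # 287082 per the RFC
    print("code now:", totp(demo_secret))
    print("accepted one step late:", verify_totp(demo_secret, totp(demo_secret, 59), for_time=89))
```

Two things worth noticing: the code is derived from a secret that only the phone and the server hold, so a text-message code, which travels through the carrier, is weaker than an app code, which never leaves the device; and the drift window is why a code keeps working for a short while after it rolls over, but no longer.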
Stay Alert for Phishing
Well, besides using strong, unique passwords and using multi-factor authentication, stay alert for phishing. Learn to spot suspicious stuff. So if an e-mail comes from somebody in a foreign country saying they left so many millions of dollars with a lawyer and whatever, and they’re ready for you to call, that’s an alert, particularly if you don’t know the person.
If the spelling is off and it doesn’t sound like good English or flowing language, that’s something to look at. Watch out for the emails. I knew somebody who received phishing attempts where the attackers had changed the domain of the e-mail address a little bit and had actually gone and registered that domain just to go after this particular company. Stay alert for phishing and learn how to spot it.
That’s going to get harder with AI as things become crafted better, but learn how to spot it.
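The lookalike-domain trick described above (a registered domain that differs from the real one by a letter or two) can be caught mechanically. The following is an added example, not code from the presentation: it extracts the sender domain from an e-mail address, folds common character substitutions (rn for m, 1 for l, 0 for o) and accents, and flags any domain within a small edit distance of a trusted one or one that buries a trusted name as a subdomain label. The trusted domains and sample senders are constructed for the example.

```python
import re
import unicodedata

# Constructed list of domains this organisation trusts (an assumption for the example).
TRUSTED_DOMAINS = {"example-bank.com", "example-payroll.net"}

# Character swaps commonly used to imitate a trusted name inside an ASCII domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample senders for the usage demonstration.
SAMPLE_SENDERS = [
    "alerts@example-bank.com",
    "Payroll <hr@mail.example-payroll.net>",
    "alerts@exarnple-bank.com",
    "hr@example-payro11.net",
    "security@example-bank.com.verify-login.net",
    "newsletter@unrelated-shop.org",
]


def sender_domain(address):
    """Domain from 'Name <user@host>' or a bare user@host, lower-cased."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.strip().rsplit("@", 1)[-1].lower().rstrip(".")


def normalise(domain):
    """Comparison form: strip accents, then undo the homoglyph swaps."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """'trusted' for a trusted domain or its subdomain, 'lookalike' for a near miss,
    'unknown' for anything unrelated."""
    domain = sender_domain(address)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalise(domain)
    # Letters from other scripts (e.g. Cyrillic a) have no ASCII form; each one
    # dropped counts as one edit, so a single swapped letter still scores as close.
    norm_ascii = norm.encode("ascii", "ignore").decode()
    dropped = len(norm) - len(norm_ascii)
    labels = norm_ascii.split(".")
    for t in trusted:
        tn = normalise(t)
        if levenshtein(norm_ascii, tn) + dropped <= max_distance:
            return "lookalike"
        if tn.split(".")[0] in labels:   # trusted brand used as a label elsewhere
            return "lookalike"
    return "unknown"


def triage(addresses, trusted=TRUSTED_DOMAINS):
    return [(a, classify_sender(a, trusted)) for a in addresses]


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_SENDERS):
        print(f"{verdict:9s} {addr}")
```

The distance threshold needs tuning for your own list: two edits is reasonable for names of this length but will over-flag against very short trusted domains. A check like this belongs in the mail gateway or a user-reporting workflow as a warning banner, since a registered lookalike domain passes SPF and DKIM for itself and is not caught by authentication alone.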
Then the last thing, probably just a very basic one, remember to keep your software updated. Now I’ve known of businesses who didn’t want to put any updates on their computers because they said, “We don’t want anything to change.” Therefore they went for eight years without updates. And I know of one in particular that had personally identifiable information and refused to do updates on it, and it was a mess.
Updating your software is likewise one of the very big things you can do. For example, say you end up succumbing to a phishing attack that comes with a script within a PDF document or a Word document. You accidentally click on it so that the document opens and the script runs. Many times your software, if you have it updated, will stop those things from happening, so that’s another barrier to put in place against the bad guy.
Note: we are just a short time away from end of life for Windows 10. Windows 10 end of life comes in the middle of October, and after that, what that means is that while Windows 10 will continue to function, Microsoft will no longer put out any security updates or security patches for it. That’s a big deal because you can bet that the bad guys are stockpiling Windows 10 zero day exploits right now. So as soon as Microsoft quits putting out updates, you can guarantee they’re going to be using these to try to plot an attack.
So what do you do?
Well, you get a couple of options. If you are determined to keep Windows 10 for another year, it is possible for you to pay a fairly small amount of money to get security updates for another year for your box.
For personal machines, it’s going to be, I believe, $30-$31…something like that. You can get it for free with certain things, reward points or using certain backups on your computer. So if you have a personal computer, you can get that relatively inexpensively.
If you’re in a business environment, you can get updates for a Windows 10 machine for another year by simply adding in a little license that will be roughly $60-some.
The second year that price is going to double. The third year it’ll double after that. After that there are no more updates available for Windows 10 whatsoever. So, I’d encourage Windows 11. I’ve used it a lot for several years. We use it here in our environment. Go ahead and update.
Likewise, remember to keep your Linux boxes, other Windows versions, your Androids, or your iPhones updated, as well as keep your applications updated. All of these things are additional vectors that bad guys try to use to get into your stuff.
Then some additional tips that we just kind of picked up over the years—things I think you’ve probably heard many times. I’d like to throw out some additional things. OK, in today’s world, we would all like to think that our personal information, our Social Security number, our credit cards, our bank account ID, those things are all private. But in reality, in today’s world, your credit cards, your username…many of these things, your birthday, your Social Security number, many of these things have likely already been leaked in a breach.
So whether we want to admit it or not, that information is probably already out there. So we should still try to protect that information, don’t get me wrong, but we should also be defensive about protecting the stuff they might be trying to get into.
For example, from the standpoint that our stuff is probably already out there, I would definitely encourage people to monitor your credit accounts. You can do this through the three major credit reporting agencies. Put alerts on any of your bank accounts or your credit card information, any savings accounts, any brokerage accounts, all that, so that you know when somebody else is trying to get into your stuff when you don’t expect it.
It is quite likely that you want to use some of the identity monitoring services that are out there. There are some of them, LifeLock is probably the most well known, that will help monitor your identity and help you recover if something happens and your stuff is compromised.
Besides monitoring your identity, it would also be good to limit oversharing on social media.
OK, so I know we all think that when we put something out on social media, we only have in mind that our few friends are going to be the only ones to see it. So, we post it on Facebook or we post it on…wherever.
I was teaching a class one time just about this very thing and there was a college student in class who had posted a bunch of stuff that was way, you know, personal, thinking that only their closest friends saw it. And I was able to demonstrate how, because of the way they had their settings set on their social media accounts, anybody, any place, was able to see it. They were absolutely horrified to realize that they were putting stuff out there for anybody to see, including folks that they absolutely did not want to see it.
It’s good to limit oversharing on social media. Just because you can put it on there doesn’t mean you necessarily should.
Likewise, monitor your financial accounts. I make it a practice to check my financial accounts daily so that if something happens and somebody does get in there and money is taken out without my approval, I’m able to immediately get on with my bank and stop it. I don’t want this kind of stuff to go on.
And then, for more tips and more insight on this, we found a good website called staysafeonline.org. If you’ve got family members, if you’ve got co-workers, if you’ve got parents or somebody who needs good information, possibly from somebody other than you, to help them understand the importance of staying safe, Stay Safe Online is a very good website with a lot of very good information on how to take care of yourself.
Well, I know we’ve covered a lot. If you would like to talk more about this subject, you can see how to get ahold of us. Our phone number, feel free to call us at 620-221-3614, e-mail us at sales@custominternet.biz, or drop by our website at practicalcybersecurity.com.
Likewise, you have the ability to get a one-page, summary handout of this presentation at https://www.practicalcybersecurity.com/your-digital-doppelganger.
It’s something you can use with your business or your parents or your social circles, whatever you like. And then don’t forget that you’ve got replays of this webinar available on YouTube at https://youtube.com/@practical-cybersecurity.
Well, for all of you here, thank you very much for coming. You guys online, watching it later, thanks so much for taking the time. Feel free to get in touch. We’d love to chat with you about how to be digitally secure in today’s online environment.
Thanks for coming.
About the Presenter
Steve is the Owner and CTO for Custom Internet Services. He has over 20 years of experience in Information Technology and taught IT for 13 years at the college level. He holds several IT certifications from Microsoft and CompTIA and has served as a reviewer or technical editor for several Microsoft certification course books. His cybersecurity experience includes holding several Global Information Assurance Certifications (GSEC, GCIA, GCIH, GCFA, GWEB, GICSP) as well as the NSTISSI 4011 sponsored by the Committee on National Security Systems.