Cyber Awareness: How to Avoid Email Scams and Data Theft

Parish offices receive hundreds of legitimate emails each day, so it was natural for the bookkeeper to open one whose subject was, “Thanks for your prompt payment. Receipt enclosed.” But this time, it was a bad move. Opening the attachment locked up the bookkeeper’s computer and the files on the entire network serving the parish and the school. The culprit was CryptoLocker, a ransomware program that encrypts every file it can reach and is only one of the many cyber threats to computer systems.

Fortunately, the parish deacon makes a daily backup of all files, so he was able to restore the parish and school systems with the loss of “only” one day’s work. One caveat: ransomware also encrypts any backup drive or network share it can reach, so the backup copy must be kept disconnected from the computers and the network, or it will be encrypted along with everything else.

Another parish reports that a caller claiming to be a representative of the power company told the pastor the electric bill was overdue and the service would be shut off by the end of the day. The caller said the priest should purchase a $250 MoneyPak prepaid card at the local drugstore and read its serial number and redemption code to the “rep.”

Fortunately, the pastor was suspicious. He contacted the power company directly and confirmed the call was a scam; a demand for payment by prepaid card or gift card, with a same-day deadline, is the signature of this fraud, since the cards cannot be traced or refunded once the codes are read out. Twenty-first century thieves are using new versions of old tricks to ply their trade. Healthy skepticism and cyber security must be integral to every parish, school and organization safety plan. As more information is stored and shared electronically, that data must be protected.

Here are the easiest, most effective ways to protect computers, users and stored information:

  • Parishes, schools and organizations must have a local firewall, in addition to whatever the Internet service provider offers. Facilities that access the Internet wirelessly (WiFi) should use a wireless router with encryption turned on (WPA2 or newer) and with both the WiFi password and the router’s administrative password changed from the defaults set by the manufacturer, which are published and easy to look up. Don’t forget to turn the security features on!
  • All schools and any parishes that allow young people unsupervised access to computers must have Internet filtering software.
  • All computers must have current antivirus protection, with the automatic update feature turned on so it recognizes newly identified viruses. The same goes for the operating system and everyday programs such as web browsers and office software: install their security updates promptly, since many infections exploit flaws that have already been fixed.
  • Keep computers and other electronic devices in locked rooms when not in use. In public areas, bolt computers to the desk with a cable.
  • Safeguard passwords. Do not give them to service providers or to anyone who calls or emails asking for them; a legitimate technician never needs your password. Change a password immediately if you suspect it has been exposed. The pastor should keep a master list of user names and passwords, but not in a spreadsheet on a networked computer: use a password manager or a sealed envelope in the parish safe.

Password Security

Selecting strong passwords and storing and managing them safely is a critical aspect of cyber security. To help you in this process, the United States Computer Emergency Readiness Team (US-CERT) publishes helpful information on its website. An excerpt from US-CERT is included below:

Selecting a Password

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or "crack" them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Or the last four digits of your social security number? Or your address or phone number? Think about how easy it is to find this information out about somebody. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to "dictionary" attacks, which attempt to guess passwords based on words in the dictionary.

Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Your best defense, though, is to use a combination of numbers, special characters, and both lowercase and capital letters. Change the same example we used above to "Il!2pBb." and see how much more complicated it has become just by adding numbers and special characters.

Longer passwords are more secure than shorter ones because there are more characters to guess, so consider using passphrases when you can. For example, "This passwd is 4 my email!" would be a strong password because it has many characters and includes lowercase and capital letters, numbers, and special characters. You may need to try different variations of a passphrase—many applications limit the length of passwords, and some do not accept spaces. Avoid common phrases, famous quotations, and song lyrics.

Don't assume that now that you've developed a strong password you should use it for every system or program you log into. If an attacker does guess it, he would have access to all of your accounts. You should use these techniques to develop unique passwords for each of your accounts.

Here is a review of tactics to use when choosing a password:

  • Don't use passwords that are based on personal information that can be easily accessed or guessed.
  • Don't use words that can be found in any dictionary of any language.
  • Develop a mnemonic for remembering complex passwords.
  • Use both lowercase and capital letters.
  • Use a combination of letters, numbers, and special characters.
  • Use passphrases when you can.
  • Use different passwords on different systems.
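As an added illustration, not part of the original article or of the US-CERT tip, the following Python script shows why the tactics above matter. It runs a simple dictionary attack, trying every word in a small constructed wordlist with the mutations attackers routinely add (capitalization, letter-for-symbol swaps, appended digits and symbols) against unsalted SHA-256 hashes of sample passwords, and then checks candidate passwords against the rules in the list. The wordlist, the 12-character minimum, the mutation and suffix sets and the personal-information strings are assumptions made for the demonstration; a real attacker’s list holds millions of entries, and real systems should store passwords with a slow, salted hash such as bcrypt rather than plain SHA-256.

```python
import hashlib
import string

# Constructed wordlist standing in for an attacker's dictionary (assumption:
# a real list holds millions of words and previously leaked passwords).
WORDLIST = ["date", "hoops", "password", "church", "parish", "basketball",
            "school", "letmein", "summer", "welcome"]

# Letter-for-symbol swaps attackers routinely try ("p@$$w0rd" style), and
# the reverse map used to undo them when checking a password against the list.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})

# Suffixes people append to a word to "make it stronger" (assumed set).
SUFFIXES = [str(n) for n in range(100)] + ["!", "!!", "123", "2024"]


def candidates(word):
    """Yield the mutations of one dictionary word an attacker would try:
    the word itself, capitalised, upper-cased, with symbol swaps, and each
    of those followed by a common suffix."""
    bases = dict.fromkeys([word, word.capitalize(), word.upper(),
                           word.translate(LEET), word.capitalize().translate(LEET)])
    for base in bases:            # dict keeps order and drops duplicates
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(password):
    """Unsalted SHA-256, used only so the demonstration has a hash to attack;
    real systems should use a slow, salted hash such as bcrypt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try every candidate derived from the wordlist against the hash.
    Returns (recovered_password or None, number_of_guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in candidates(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def policy_violations(password, personal_info=(), wordlist=WORDLIST, min_len=12):
    """Check a password against the tactics listed above and return the set
    of rules it breaks (an empty set means it passes). personal_info holds
    strings such as a birthday or phone number that must not appear."""
    broken = set()
    if len(password) < min_len:                   # 12 is an assumed minimum
        broken.add("length")
    if not any(c.islower() for c in password):
        broken.add("lowercase")
    if not any(c.isupper() for c in password):
        broken.add("uppercase")
    if not any(c.isdigit() for c in password):
        broken.add("digit")
    if not any(c in string.punctuation for c in password):
        broken.add("special")
    # Undo symbol swaps before looking for dictionary words, so "P@rish1"
    # is still caught as containing "parish".
    normalized = password.lower().translate(UNLEET)
    if any(word in normalized for word in wordlist if len(word) >= 4):
        broken.add("dictionary")
    if any(info and info.lower() in password.lower() for info in personal_info):
        broken.add("personal")
    return broken


if __name__ == "__main__":
    for sample in ["hoops", "Password1", "basketball2024", "Il!2pBb."]:
        recovered, tries = dictionary_attack(sha256_hex(sample))
        print(sample, "->", f"cracked in {tries} guesses" if recovered else "not cracked")
    print(policy_violations("hoops"))
    print(policy_violations("This passwd is 4 my email!"))
```

The point to take from running it: "hoops", "Password1" and "basketball2024" fall in a few hundred guesses because the attack never has to think, it only has to enumerate, while the mnemonic "Il!2pBb." is not reachable from any word on the list. Appending a year or an exclamation mark to a dictionary word adds almost nothing, since those suffixes are the first thing an attacker tries.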

E-Mail Security

Some of the newest viruses fall into the “ransomware” category. When the computer user opens an unfamiliar attachment or link in an email, the ransomware silently encrypts ALL the files on the user’s computer, and on any network drives it can reach, with a key that only the attacker holds, and access to the files is denied. The user is then offered the “key” to restore the files, but only for a hefty fee, or ransom, and paying is no guarantee that the files come back. Most of this is preventable:

  • Don’t open or respond to unsolicited email, also known as spam. Just delete it!
  • And don’t click on links or open attachments in unsolicited email. Most viruses and malware are installed when the unsuspecting user clicks the link or opens the attachment.
  • NEVER email personal information, including user names and passwords! Savvy scammers use logos of familiar banks and credit card companies in emails purporting to update account information or offer special deals.
  • Don’t use links or phone numbers from an email to contact a business you usually use. When in doubt, pick up the phone. Use the phone number on your debit or credit card, or the contact info from a recent statement. 
  • Use your head: Nigerian princes are not likely to need your help in a money transfer operation. Your best friend is not stuck in a foreign country on a vacation he never told you he was taking. Why would people you do not know send you funny photos or embarrassing videos? And legitimate companies do not ask for personal or account information in emails.
  • If something looks sketchy, don’t click on it.
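As an added example that is not part of the original article, here is a Python script that applies several of the checks above to a raw email message: does the display name borrow a familiar bank’s name while the address comes from another domain, does a Reply-To header divert answers elsewhere, does a link’s visible text show one site while its real destination is another, and is the “receipt” attachment actually a program. The two sample messages, the brand list, the risky-extension list and the “last two labels” shortcut for comparing domains are constructed assumptions for the demonstration; production code would use a maintained brand list and the public-suffix list.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the parish deals with and the domain each really uses (constructed).
BRANDS = {"parish bank": "parishbank.example"}

# Attachment types that run code when opened; a receipt should never be one.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".zip")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host name of a URL or bare domain, or "" if the text is not one."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def registered_domain(host):
    """Last two labels of a host name (assumption: adequate for the demo;
    real code would consult the public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw_message):
    """Return (indicator, detail) pairs found in a raw RFC 822 message;
    an empty list means none of the checked tricks were seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Display name drops a familiar brand, but the address is elsewhere.
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    for brand, real_domain in BRANDS.items():
        if brand in name.lower() and sender_domain != real_domain:
            findings.append(("brand-domain-mismatch", f"{name!r} sent from {sender_domain}"))
    # 2. Replies would go to a different domain than the apparent sender.
    _, reply = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply and registered_domain(reply.rpartition("@")[2]) != sender_domain:
        findings.append(("reply-to-mismatch", reply))
    # 3. The link text shows one site while the href goes to another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown = host_of(text)
            if shown and registered_domain(shown) != registered_domain(host_of(href)):
                findings.append(("link-text-mismatch", f"{text} -> {href}"))
    # 4. An attachment that is really a program, often hidden behind ".pdf".
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", filename))
    return findings


# Constructed phishing message modelled on the "receipt enclosed" story.
PHISHING_SAMPLE = """\
From: "Parish Bank Customer Care" <care@parish-bank-secure.example>
Reply-To: collections@mailbox-4471.example
Subject: Thanks for your prompt payment. Receipt enclosed.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your receipt is attached. To review your account, visit
<a href="http://parishbank.example.login-verify.example/acct">https://www.parishbank.example/login</a>.</p>
--b1
Content-Type: application/octet-stream; name="Receipt.pdf.exe"
Content-Disposition: attachment; filename="Receipt.pdf.exe"

MZ-this-is-not-really-a-program
--b1--
"""

# Constructed legitimate message for comparison.
CLEAN_SAMPLE = """\
From: "St. Mary Parish Office" <office@stmary.example>
Subject: Bulletin deadline
Content-Type: text/plain; charset="utf-8"

Reminder: bulletin items are due Thursday at noon.
"""

if __name__ == "__main__":
    print(phishing_indicators(PHISHING_SAMPLE))
    print(phishing_indicators(CLEAN_SAMPLE))
```

None of these checks proves a message is fraudulent on its own, and a clean result does not prove it is safe; they are the same questions a careful reader asks before clicking, written down so a mail filter or a helper script can ask them every time. The rule in the list above still applies: if a message asks for money or account details, contact the business using the number on your statement, not anything in the email.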

For more information, please go to:
http://www.us-cert.gov/ncas/tips/ST04-003