• Limit Exposure:  You can limit your exposure to mail fraud by utilizing online conveniences like eStatements, online bill pay, direct deposit and online banking.
• Opt-Out:  You should opt out of receiving credit card and insurance offers. You can do so by calling 1-888-5OPTOUT or on the web at  https://www.optoutprescreen.com.  This tells credit card companies to stop sending pre-approved credit card applications to your house.  By filing a simple change of address form with the post office or by contacting your creditors, an identity thief can have your personal mail sent to his or her own address.  Banks and other companies now send letters to both the new address and old address when a change is made in order to stop this type of fraud.
• Lock your mailbox:   If your postal carrier is willing, you can buy a padlock for your mailbox. Place it unlocked inside your mailbox. When the carrier delivers your mail, he or she locks the box. This works well with rural-delivery style boxes with a hole to accommodate a lock, or you can drill holes in a wall-mounted box. The method is not foolproof, however.  Persistent thieves have been known to use hacksaws to remove locks; some smash open mailboxes with baseball bats -- or even steal the mailbox, lock and all. 
• Replace a wall-mounted mailbox with a mail slot:  If you have door-to-door delivery, ask your local Post Office if you can replace your mailbox with a mail slot on your front or garage door. The postmaster needs to approve any changes in delivery. If you add a mail slot, make it large enough to accommodate catalogs and boxes of checks. Mail slots are not allowed, however, in rural delivery areas or newer neighborhoods with cluster boxes.
• Buy a security mailbox:  Check the yellow pages under "mailboxes" for listings of companies that sell tamper-resistant mailboxes. Heavy-duty metal boxes are available in both wall-mounted and free-standing models (the latter may be sunk in concrete to prevent vandalism.) Security mailboxes typically have a slot for the carrier to deliver mail. Mail goes down a chute and into a locked compartment.
• Ask your apartment manager to improve security:  If you're a renter and your mailbox lock doesn't work, insist that the management repair the damage. Counterfeit keys are another problem in rental communities, since often the same key opens all the boxes. Managers can counter these problems by installing security cameras or moving mailboxes into a mail room where residents must use an access key to get inside.
• Get a post office box:  If theft is a concern, the cost of renting a post office box may be worth the investment, since thefts from such boxes are rare, according to postal authorities.
• Consider a parcel locker:  If you own a home-based business and receive frequent shipments of valuable goods, you may wish to invest in a parcel locker. If you use multiple delivery services, however, you'll need one for postal deliveries and a separate locker for others, such as Federal Express or United Parcel Service.
• Pick up mail promptly:  Mail thieves often follow carriers on their routes, striking within 15 minutes after delivery. If you're home during the day, pick up mail as soon after delivery as possible. If you're not home, ask a trusted neighbor to get your mail. Thieves can steal mail from your mailbox in order to get credit card applications and other sensitive data.
• Outgoing Mail:  Outgoing mail is especially lucrative for thieves because it can include bills that you are paying by check or credit card. It's more common for mail to be stolen from apartment or housing complex mailboxes because they combine several households - mail in one place. 
• Keep your mailbox visible: Trim shrubbery to keep your mailbox as visible as possible, eliminating hiding places for thieves.

Protecting Outgoing Mail

• Don't leave outgoing mail in your mailbox: That little red flag is an invitation to thieves. Take outgoing mail to your office, or mail it at a post office or mailing outlet store.
• Don't mail holiday gifts from home: They'll not only steal your package, they'll peel off the stamps and use those, too.
• Don't put mail in street mailboxes: The highest rate of mail theft locally is from those big, blue Postal Service mailboxes located on street corners and at other public places.
• Send valuables via registered mail: Registered mail is kept under lock and key, and it is signed for every time it changes processing centers.

When you send money to people you do not know personally or give personal or financial information to unknown callers, you increase your chances of becoming a victim of telemarketing fraud.  To protect yourself from the damage of identity theft and fraud, exercise caution using the tips below.

Government

• The IRS - Tax scams persist year-round, threatening people with jail time or prosecution if they don’t pay debts to the Internal Revenue Service.  Given that fake IRS phone calls continue to plague consumers, the IRS itself has repeatedly published a list of things you will not experience with a legitimate IRS representative, including phone calls demanding payment, threatening arrest and asking for specific payment methods like a prepaid debit card.

Rewards & Prizes

• Lottery scan or advance fee fraud “419” frauds. Named after the relevant section of the Nigerian Criminal Code, this fraud is a popular crime with West African organized criminal networks. There are a myriad of schemes and scams – mail, email, fax and telephone promises are designed to entice victims to send money, ostensibly to bribe government officials involved in the illegal conveyance of millions outside the country. Victims are to receive a percentage for their assistance.
  
  There are many variations of phishing and 419 schemes, but they all have the same goal: to steal the victims’ money or personal and account information.
  
• Investment Scams - Salesperson convinces a senior that an unusual asset, like a horse farm, is worth significant investment.
• Charitable donations - Unscrupulous charities take advantage of generosity and memory loss to request donations repeatedly.
• Grant fraud scam - Perpetrator poses as a representative of a government agency or some other organization with an official sounding name. He or she contacts older adult notifying him or her that they’ve been selected to receive a grant and requests the older adult’s checking account number in order to deposit grant the funds into the account.
• Sweepstakes - ‘Contest’ claims a senior won a prize and needs to send in money to collect winnings.

Money & Finance

• Money transfer scams - Often part of an Advance Fraud Scheme, a perpetrator convinces an older adult to send funds via Western Union or other money transfer services, using a number of elaborate schemes.
• Mystery shopper - Perpetrator enlists older adult to become a “mystery shopper” for them and sends older adult a counterfeit cashier’s check. They are instructed to cash the check, wire a portion back to the perpetrator and keep the remaining amount (appeals to those on a fixed or limited income).
• Misappropriation of income or assets – A perpetrator obtains access to a vulnerable adult’s Social Security checks, pension payments, checking or savings account, credit or ATM cards, and withholds portions of checks cashed for themselves.
• Charity scams – The victim is persuaded to buy a valueless or nonexistent product, donate to a bogus charity, or invest in a fictitious enterprise. Seniors are particularly vulnerable to this type of fraud because they are often at home during the work day to answer the phone. Social isolation is also a factor where fraudsters prey on lonely seniors anxious for someone to talk to. They devise schemes that require multiple phone calls and development of a trusting relationship. 
• A payday lender - “Congratulations, you’ve been approved for a payday loan!” This is a variation on the sweepstakes scam and the call from “your credit card company” offering you lower interest rates. A good rule of thumb: If you didn’t apply for a loan, ask for a rate adjustment or enter a sweepstakes, it’s probably a scam.
• Reverse mortgage scams - Reverse mortgage scams are engineered by unscrupulous professionals in a multitude of real estate, financial services, and related companies to steal the equity from the property of unsuspecting senior citizens or to use these seniors to unwittingly aid the fraudsters in stealing equity from a flipped property.
• Obituary scam - Using obituaries to target recent widows, scammers attempt to collect false debts of the deceased.
• Magazine subscriptions - Company sends free magazines and convinces a senior he owes money for the subscription.

Family & Friends

• Yourself - If your own phone number ever pops up on your phone screen, don’t answer. It may seem harmless in the moment, but this scam reportedly collects and classifies numbers of people who answer the phone as good numbers to target with other scams. It may be tempting to see who’s on the other end of the line — since it clearly isn’t you — but you may be signing yourself up for many more unwanted phone calls.
• Identity theft – Using one or more pieces of the victim’s personal identifying information (including, but not limited to, name, address, driver’s license, date of birth, Social Security number, account information, account login credentials, or family identifiers), a perpetrator establishes or takes over a credit, deposit or other financial account in the victim’s name.  Fraudsters gather victim’s information through various means; however, senior citizens are often susceptible to social engineering techniques that fraudsters use, such as “phishing” to entice victims to supply personal information such as account numbers, login IDs, passwords, and other verifiable information that can then be exploited for fraudulent purposes. Phishing is most often perpetrated through mass emails and spoofed websites, but it can also occur through old fashioned methods such as the phone, fax and mail.
• Fake accident ploy - Similar to the Grandparent scam, here a perpetrator convinces an older adult that the older adult’s child has been seriously injured or is in jail and needs money for medical treatment or bail.
• Fictitious relative – The perpetrator calls the victim pretending to be a relative in distress and in need of cash, and asks that money be wired or transferred either into a financial institution account.
• Online Dating and Romance / Sweetheart scams – The perpetrator enters the victim’s life as a romantic interest in order to gain influence and eventual financial control. This type of scam often goes unreported due to the embarrassment and emotional impact on the victim. At times the victim knows they are being duped but they simply don’t want to be alone.

Conclusion:  All of these tactics can put you at risk for identity theft, fraud or financial losses that could damage your credit or financial stability. If you receive a suspicious phone call, you can report it to the Federal Trade Commission, and as a fraud-monitoring precaution, it’s a good idea to regularly review your credit scores and reports for signs of abuse.

6 Warning signs that its a phone scam:

If you hear these--or similar--"lines" from a telephone salesperson, just say "no thank you," and hang up the phone.

1. "You must act 'now' or the offer won't be good."
2. "You've won a 'free' gift, vacation, or prize." But you have to pay for "postage and handling" or other charges.
3. "You must send money, give a credit card or bank account number, or have a check picked up by courier." You may hear this before you have had a chance to consider the offer carefully.
4. "You don't need to check out the company with anyone." The callers say you do not need to speak to anyone including your family, lawyer, accountant, local Better Business Bureau, or consumer protection agency.
5. "You don't need any written information about their company or their references."
6. "You can't afford to miss this 'high-profit, no-risk' offer." 

9 Tips to Avoid Telemarketing Fraud:

1. Don't buy from an unfamiliar company. Legitimate businesses understand that you want more information about their company and are happy to comply.  It's never rude to wait and think about an offer. Be sure to talk over big investments offered by telephone salespeople with a trusted friend, family member, or financial advisor.  Always take your time making a decision. Legitimate companies won't pressure you to make a snap decision.
2. Always ask for and wait until you receive written material about any offer or charity. If you get brochures about costly investments, ask someone whose financial advice you trust to review them. But, unfortunately, beware -- not everything written down is true.
3. Do your research.  Always check out unfamiliar companies with your local consumer protection agency, Better Business Bureau, state Attorney General, the National Fraud Information Center, or other watchdog groups. Unfortunately, not all bad businesses can be identified through these organizations.
4. Ask for information.  Obtain a salesperson's name, business identity, telephone number, street address, mailing address, and business license number before you transact business. Some con artists give out false names, telephone numbers, addresses, and business license numbers. Verify the accuracy of these items.
5. Sending money.  Before you give money to a charity or make an investment, find out what percentage of the money is paid in commissions and what percentage actually goes to the charity or investment. Never send money or give out personal information such as credit card numbers and expiration dates, bank account numbers, dates of birth, or social security numbers to unfamiliar companies or unknown persons.
6. You must not be asked to pay in advance for services. Pay services only after they are delivered.  Some con artists will send a messenger to your home to pick up money, claiming it is part of their service to you. In reality, they are taking your money without leaving any trace of who they are or where they can be reached.
7. Don't pay for a "free prize." If a caller tells you the payment is for taxes, he or she is violating federal law.
8. Before you receive your next sales pitch, decide what your limits are -- the kinds of financial information you will and won't give out on the telephone.
9. Never respond to an offer you don't understand thoroughly.   Before you send money, ask yourself a simple question. "What guarantee do I really have that this solicitor will use my money in the manner we agreed upon?"  

• Don’t connect your devices unless you need to.   The first step is to consider what functionality you need from the device. Just because your TV or fridge can connect to the internet, doesn’t mean you definitely want to hook it up. Take a good look at the features it offers and learn exactly what internet connectivity brings before you connect.
• Create a separate network.  Many Wi-Fi routers support guest networking so that visitors can connect to your network without gaining access to shared files or networked devices. This kind of separation also works well for IoT devices that have questionable security.
• Pick good passwords and a different password for every device.  It’s very important to pick strong passwords, but you must also make sure that you pick a different password for every device. If a hacker manages to get one of your passwords, they will typically try it with other services and devices. Reusing passwords is not a good idea. Use a password manager to keep track of all your passwords.
• Turn off Universal Plug and Play (UPnP). Sadly, UPnP can make routers, printers, cameras and other devices vulnerable to attack. It’s designed to make it easier to network devices without configuration by helping them automatically discover each other. The problem is that hackers can also potentially discover them from beyond your local network because of vulnerabilities in the UPnP protocol. Is best to turn UPnP off completely.
• Make sure you have the latest firmware.  If you want to make sure you have the latest security patches and reduce the chances of a successful attack, then you need to keep your firmware fully updated. Vulnerabilities and exploits will be fixed as they emerge, so your IoT devices and your router need to be regularly updated. Automate this wherever possible or set a schedule to check for updates every three months or so.
• Be wary of cloud services.  A lot of IoT devices rely on cloud services, but the requirement for an internet connection in order for something to function can be a real problem. Not only will it not work when the network is down, but it may also be syncing sensitive data or offering another potential route into your home. Make sure you read up on the provider’s privacy policy and look for reassurances about encryption and data protection.
• Keep personal devices out of the workplace.  Don’t take your personal IoT devices to work. There are lots of potential security concerns for wearables. Every enterprise should have a clear BYOD policy, and it’s often a good idea to prohibit personal IoT devices from connecting to the network, or at least limit them to a guest network.
• Track and assess devices.  Businesses need to track everything connected to the network and monitor the flow of traffic. Devices need to be assessed to determine the level of access they should have, to keep them fully patched and up to date, and to protect data end-to-end to preserve its integrity. Unknown devices should flag an alert. Understanding which devices are connected and what they’re doing is a prerequisite for proper security.

For Smart T.V. Security

• If your smart TV runs on the Android platform, go to the Google Play store and download any of the security apps designed to protect your Android smart phone.
• If your Wi-Fi router allows you to create multiple accounts, set up a guest account for your TV. This way they're not on the same network as my PC and laptop where you do all of my sensitive stuff. 
• Make sure that "firmware" -- permanent software built into a computing device's read-only memory -- is up to date when you first use the TV and set it to automatically accept future firmware updates as they become available.
• Be careful when installing new applications because they could be hiding malware. Your best bet: Avoid apps from unknown sources and non-official locations.
• Limit what you do online via that television. Even though these TVs make it easy to get online, don't use them to do anything that involves account numbers, PINs, passwords or other sensitive information.
• Don’t do any kind of financial transaction through your TV is a really bad idea.
  
  

The top 10 internet of things vulnerabilities

Insecure Web interface

Overview: An attacker uses weak credentials, captures plain-text credentials or enumerates accounts to access the web interface.

How Do I Make My Web Interface Secure?

• Default passwords and ideally default usernames to be changed during initial setup.
• Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account.
• Ensuring web interface is not susceptible to XSS, SQLi or CSRF.
• Ensuring credentials are not exposed in internal or external network traffic.
• Ensuring weak passwords are not allowed.
• Ensuring account lockout after 3 -5 failed login attempts.

Insufficient authentication or authorization

Overview: An attacker uses weak passwords, insecure password recovery mechanisms, poorly protected credentials or lack of granular access control to access a particular interface.

How Do I Make My Authentication/Authorization Better?

Sufficient authentication/authorization requires:

• Ensuring that the strong passwords are required.
• Ensuring granular access control is in place when necessary.
• Ensuring credentials are properly protected.
• Implement two factor authentication where possible.
• Ensuring that password recovery mechanisms are secure.
• Ensuring re-authentication is required for sensitive features.
• Ensuring options are available for configuring password controls.

Insecure network services

Overview: An attacker uses vulnerable network services to attack the device itself or bounce attacks off the device.

How Do I Secure My Network Services?

• Ensuring only necessary ports are exposed and available.
• Ensuring services are not vulnerable to buffer overflow and fuzzing attacks.
• Ensuring services are not vulnerable to DoS attacks which can affect the device itself or other devices and/or users on the local network or other networks.
• Ensuring network ports or services are not exposed to the internet via UPnP for example.

Lack of transport encryption

Overview: An attacker uses the lack of transport encryption to view data being passed over the network.

How Do I Use Transport Encryption?

• Ensuring data is encrypted using protocols such as SSL and TLS while transiting networks.
• Ensuring other industry standard encryption techniques are utilized to protect data during transport if SSL or TLS are not available.
• Ensuring only accepted encryption standards are used and avoid using proprietary encryption protocols.

Privacy concerns

Overview: An attacker uses multiple vectors such as insufficient authentication, lack of transport encryption or insecure network services to view personal data which is not being properly protected or is being collected unnecessarily.

How Do I Prevent Privacy Concerns?

• Ensuring only data critical to the functionality of the device is collected.
• Ensuring that any data collected is of a less sensitive nature (i.e., try not to collect sensitive data).
• Ensuring that any data collected is de-identified or anonymized.
• Ensuring any data collected is properly protected with encryption.
• Ensuring the device and all of its components properly protect personal information.
• Ensuring only authorized individuals have access to collected personal information.
• Ensuring that retention limits are set for collected data.
• Ensuring that end-users are provided with "Notice and Choice" if data collected is more than what would be expected from the product.

Insecure cloud interface

Overview: An attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the cloud website.

How Do I Secure My Cloud Interface?

• Default passwords and ideally default usernames to be changed during initial setup.
• Ensuring user accounts cannot be enumerated using functionality such as password reset mechanisms.
• Ensuring account lockout after 3- 5 failed login attempts.
• Ensuring the cloud-based web interface is not susceptible to XSS, SQLi or CSRF.
• Ensuring credentials are not exposed over the internet.
• Implement two factor authentication if possible.

Insecure mobile interface

Overview: An attacker uses multiple vectors such as insufficient authentication, lack of transport encryption and account enumeration to access data or controls via the mobile interface.

How Do I Secure My Mobile Interface?

• Default passwords and ideally default usernames to be changed during initial setup.
• Ensuring user accounts cannot be enumerated using functionality such as password reset mechanisms.
• Ensuring account lockout after an 3 - 5 failed login attempts.
• Ensuring credentials are not exposed while connected to wireless networks.
• Implementing two factor authentication if possible.

Insufficient security configuration

Overview: An attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also us the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device and/or data.

How Do I Improve My Security Configurability?

• Ensuring the ability to separate normal users from administrative users.
• Ensuring the ability to encrypt data at rest or in transit.
• Ensuring the ability to force strong password policies.
• Ensuring the ability to enable logging of security events.
• Ensuring the ability to notify end users of security events.

Insecure software or firmware

Overview: Attacker uses multiple vectors such as capturing update files via unencrypted connections, the update file itself is not encrypted or they are able to perform their own malicious update via DNS hijacking.

How Do I Secure My Software/Firmware?

• Ensuring the device has the ability to update (very important).
• Ensuring the update file is encrypted using accepted encryption methods.
• Ensuring the update file is transmitted via an encrypted connection.
• Ensuring the update file does not expose sensitive data.
• Ensuring the update is signed and verified before allowing the update to be uploaded and applied.
• Ensuring the update server is secure.

Poor physical security

Overview: Attacker uses vectors such as USB ports, SD cards or other storage means to access the Operating System and potentially any data stored on the device.

How Do I Physically Secure My Device?

• Ensuring data storage medium cannot be easily removed.
• Ensuring stored data is encrypted at rest.
• Ensuring USB ports or other external ports cannot be used to maliciously access the device.
• Ensuring device cannot be easily disassembled.
• Ensuring only required external ports such as USB are required for the product to function
• Ensuring the product has the ability to limit administrative capabilities.

• Make sure meetings are password protected.  In the user settings, turn on "Require a password" for instant meetings. Even when the setting is turned off, there may be the ability to require a password when scheduling a meeting. It may not be practical to password protect every meeting, but conference organizers should use this measure as often as possible.
• When possible, don't announce meetings on social media or other public outlets. Instead, send messages only to the participants.
• Carefully inspect the list of participants periodically, whenever possible. This can be done by the organizer or trusted participants. Any users who are unauthorized should be removed. 
• Carefully control screen sharing. User settings should allow organizers to set default sharing settings. People who rarely need sharing should turn it off altogether. Organizers should allow all participants to share screens only when the host knows and fully trusts everyone in a meeting.
• Disable any Join Before Host options so that organizers can control the meeting from its very start.
• Use the Waiting Room option to admit participants. This will prevent admittance of hackers should they have slipped through any initial access.
• Lock a meeting, when possible, once it's underway. This will prevent unauthorized people from joining later. Managing Participants allows an organizer to mute all participants, eject select participants, or stop select participants from appearing by video.
• Be aware of everything that's within view of your camera. Whether working from home or an office, there may be diagrams, drawings, notes, or other things you don't want other participants to see. Remove these from view of the camera before the meeting starts.
• If possible, consider using a browser to connect to meetings rather than the dedicated conferencing app. The number of vulnerabilities a hacker can exploit increases with every installed app.  Today, most browsers are hardened against attacks. Other types of software are less so.

• Find a place and make it your office.  Do not share it with others while you are working.
• Don't leave confidential information lying around.
• Don't send your work emails to your printer or personal email just to make it easier to print.
• Only use Apps approved by your organization to communicate.  
• Always call and verify since you won't be able to verify requests in person for confidential information or to transfer funds.
• Be cautious of IOT devices like Alexa, Siri or Google Home.  Don't have sensitive conversations near any IOT devicethat can be listening.
• Do not share devices or passwords with other family members.  Make sure that any devices used for work have a unique password and a lock screen timeout.
• Don't try to resolve technical issues yourself as this could create security risk.  Instead work with your IT department or helpdesk.
• Don't let browsers remember your passwords.  For all work related site, use a different and unique password that is long and complex.
• If you company provides you with a dedicated computer or virtual desktop, use it.  Don't use a personal computer for work.
• Wired network is better than Wi-Fi.  If possible, connect your work to a wired network instead of Wi-Fi.
• Connect to Corporate With a VPN - Remote workers should be connected to an encrypted, corporate-owned VPN connection in order to get access to any company data. Split tunneling should be disabled to avoid data bridging the encrypted and non-encrypted connections.
• Be Wary of Public Wi-Fi - Be careful using public Wi-Fi if you're working on the go. Public Wi-Fi can make your computer vulnerable to hackers.
• Harden Your Wireless Access Points - Ensure any wireless access points on your network are appropriately hardened. Another recommendation is to turn on wireless beaconing so that you must know your SSID to connect to it. This is in no way foolproof, but it is an added layer of protection. Many wireless attacks are simply done against the easiest targets in crowded areas. By not broadcasting your SSID, you can minimize your wireless footprint so that only those people who know your SSID can connect to you.
• Update System and Software Patches Regularly - Security researchers show that installing system and software updates is the best defense against common viruses and malware online, particularly for computers running Windows. Software makers often release updates to address specific security threats. By downloading and installing the updates, you patch the vulnerabilities that virus writers rely on to infect your computer.
• Don't Forget the Firmware - Any device on the home network should be kept up to date, including the router that allows connection to the Internet. Remote workers should regularly check for firmware updates on their home routers, printers, scanners, and other peripherals, apply any updates, and use strong passwords -- and multi-factor authentication, if possible.
• Use Two Separate Machines - Do work on your work computer and personal computing on your personal computer. If you intermix the two, you increase the chance that an infection will contaminate both your work and personal life. This will be especially bad if you get infected on a business email or communication and it moves over into your personal accounts.
• Use the Tools the Company Gives You - There is a reason for the IT and security teams: to aid you to do your job in the most secure method. The tools that are used on a company level typically go through some type of vetting and assessments for potential security impacts. Stick with the condoned tools and you will have support and security for the application. Use something not authorized and you could have any number of vulnerabilities to be exploited.
• Don't Rely on a Consumer-Grade Router - Make sure that your router is up-to-date and that you maximize all security options.
• Ensure Routers and Firewalls Are Properly Configured - Follow the manufacturer's instructions and ensure your Internet router/firewall is properly configured, including no remote management, no ingress ports, proper outbound filtering, and non-default administrative credentials.
• Turn on Auto Updates - Set anything -- routers, smartphones, endpoints -- to update automatically. You will still need to verify the updates were applied, but [you will] save yourself the downtime in installation."
• Segment Off Your Personal Network - One of the easiest ways of protecting work-at-home endpoints is to put company assets on their own wireless networks. A home user can connect more than one wireless device to their cable modem or other gateway device and keep their personal devices, home automation, or other components on a separate network. Especially if the company configures and provides the device, it can minimize the risks of disclosure of WPA keys or other avenues of attack.
• Use a Password Manager - Reusing the same password for everything is incredibly common and can put all of your accounts at risk. If an attacker gets one password, then they get them all. A password manager ensures that you have unique and strong passwords for all of your accounts and can make remembering all of the passwords far easier.
• Enable MFA Wherever Possible - Ensure two-factor authentication is enabled on your personal accounts, and hopefully your professional organization also requires it! Two-factor combats phishing attacks and will help protect against credential stuffing attacks as well. You should also never reuse passwords, especially work and personal passwords, as an attacker can pivot between them with ease.
• Avoid Browser Extensions - Compromised extensions can mine employees' credentials, track their activity, and give attackers access to the data stored locally on their devices. When your team is remote, it's important to have a strict extensions policy in place. Browser extensions are notoriously difficult to vet for vulnerabilities. The safest course of action is to ban them entirely.
• Bring a Fresh Battery Pack - You need to power up your tablet, so why not just plug your cord into that handy USB port at the airport kiosk? The answer is because you don't know if that port has been hacked and is capable of transmitting malware to your device. The best way to not pick up malware from a public port is to carry your own portable battery pack or to use a charging cable that plugs into the power supply, not the USB port.
• Unsecured Document Sharing Can Be Your Downfall - The downfall of many an employee is actions upon frustration. When documents have issues uploading in email or in authorized applications, the employee may use alternative means, such as Google Drive.  If you need to share a document and the size is an issue, reach out to your IT help desk for direction in a secure fashion."
• Double Down on Skepticism - When you're working remotely, chances are you'll be catching up with email and other communications while on the move -- and that means you may not be as suspicious or critical about scanning for signs of phishing or social engineering as usual. You've got to turn your risk detector on high when you're working remotely. If you've got any doubt about a message in your inbox when you're on your phone, defer acting on that message until you can look more closely.

Mobile Phone Tips

• Keep a Close Eye on Devices on the Road - Operational security is more important around holidays than any time of the year. As people go out and do their shopping, run errands, etc., they tend to take a laptop along to get work done while they are waiting. Watch for shoulder surfers, sit with your back to a wall with a clear view of the entrance, and never leave anything unattended, not even for a moment. Things walk away quickly, and, worse, someone could stick a low-profile device into an unused USB port you wouldn't notice until they'd key-logged and screen-scraped for a while.
• Don’t login to company websites via emails or texts. If a company wants or needs you to login to your account, you should already know how to access your account from the company’s own site or app. Even if it takes a few more clicks, it’s time well saved because you will automatically miss out on "logins" that could compromise your security.
• Don’t make payments via links in emails or texts. This is point 1 in a different guise. If you need to pay a company online, reach the payment page by following your own research, or using a link from a document you already have such as a contract or a recent bill. Don’t get begged, cajoled or frightened into taking exactly the "short cut" the crooks want.
• Don’t turn off security features because a document tells you to. Avoid opening unexpected or unsolicited email attachments if you can. If a document asks you to [Enable content] when you open it, or make some other security downgrade, don’t do it – it’s a trick.
• Don’t trust apps because the app creator tells you to. App reviews, positive app comments and high download counts are cheap to buy if you have no scruples. Reputation must be earned – it can’t be bought or self-declared. If in doubt, ask someone you know and trust for advice.

What is cloud computing?

In simple terms, cloud computing is a method of storing files and data in a centralized network that can be reached from anywhere and by any type of device. This includes mobile phones, tablets, laptops and desktops. The notion of the "cloud" is because this data is placed in a network where say someone in NYC could access as well as someone in California.

Many people use cloud-based computer services and they don’t even know it. Consumers access and share information using remote server networks whenever they log on to social networks, like LinkedIn or Facebook, edit photos on Flickr, blog with WordPress, or create files using Google Docs. These are examples of cloud computing, which, simply defined, is how we store and share data, applications and computing power on the Internet.

Is it safe?

While there are so many advantages from using the cloud to store your data, of course there’s the question of safety and security. Primarily, the method of cloud computing is an extremely safe way to store data. Most companies have a system in place with their own firewalls and anti-virus software to protect their data stored on the premises. The issue comes about when computing is outsourced, and the control over security is no longer in your hands

Here are some tips to protect your data in the cloud:

• Look for a Secure Web Address: Before shopping online or giving any sort of personal information, look at the URL—if the website is secure connection enabled, it will have an ‘s’ after the ‘http’ portion of the URL. An ‘https’ URL tells you the website has an SSL license, meaning your information is scrambled as it travels across the internet. 
• Don’t Provide Personal Information: Don’t put anything in the cloud you would not want others to see, especially the government or a private litigant. A credible website will never need sensitive personal information, like your social security, PIN, or bank account numbers. If a site you don’t trust asks you for anything personal, don’t trust it! It could be a phishing scam trying to gain access to your personal information.  Pay close attention if the cloud provider reserves rights to use, disclose, or make public your information.
• Create Strong Passwords: Make long passwords with at least eight or more characters. For added security, include punctuation, symbols and a mix of upper and lowercase letters. Don’t ever use the same password for all of your accounts and change them at least once a month.
• Be Wary of Downloads: Don’t ever download a file from a website you don’t trust. There’re many malicious websites out there which let you download corrupted files with viruses and trojans that can infect your computer and steal your personal information.
• Check for Site Updates: Credible websites are updated often with security measures. Look around to see when the site was last updated. If it’s been more than a couple of months, you might not trust the site.
• Look for Contact Information: If you’re thinking about purchasing something from a website, look for the company’s contact information, including a physical address and a telephone number. This information is usually in the website’s footer. Don’t assume that a phone number is real—always call and ask questions to make sure the company is legitimate.
• Read the Privacy Policy: Read the privacy policy before placing your information in the cloud. If you don’t understand the policy, consider using a different provider. Also make sure that the cloud provider gives advance notice of any change in the terms of service or privacy policy.  Read the Terms of Service before placing any information in the cloud. If you don’t understand the Terms of Service, consider using a different cloud provider.
• Leaving the Cloud: Know exactly what happens when you remove your data from the cloud provider. Does the cloud provider still retain rights to your information? If so, consider whether that makes a difference to you.
• Delete Cookies Often: Cookies are small files designed to track your web activity. When you enter information into a site, such as a user name and password, the site uses cookies to remember your information so you don’t have to enter it the next time you visit. Hackers can use cookies to gain access to your accounts, so you should delete them often. Deleting cookies differs depending on which browser you use, but it’s usually found in your browser’s privacy settings.

Internet safety

• Never open suspicious files.  Assume that any file you receive may be potentially infected, even if you know the sender well. Viruses, spyware and other malicious code typically originate from an infected PC and its address book, thus it will most likely come from family, friends, or business associates. When working with your email, browsing websites, or chatting via an Instant Messenger, do not accept any unsolicited files from anyone since they could contain malicious code.
• Clicking Unknown Links.  Avoid going to any URLs in email messages that may be questionable. Hackers often infect web pages with malicious code, so do not visit any website that you are not familiar with.
• Anti Virus.  Always keep your anti-virus, anti-spyware, and firewall protection up to date. New threats emerge regularly so it is critical that you keep your protective software and firewall technology current. In addition, scan your system monthly with the settings recommended by your Internet security provider.
• Restrict Administrative Privileges.  It is important to make sure that all employees have a level of administrative access equal to their job responsibilities. This includes not allowing employees to install software, music files, games, etc., as well as restricting access to external services such as web mail and remote control services. These types of restrictions will help protect your organization from spyware such as keystroke logging.
• Operating Systems.  Keep your operating system and your application software patches up to date. In order to prevent being infected by malicious code, keep the software patches up to date for your operating system, i.e.: Windows, Linux, Apple, as well as for your applications, i.e.: Internet Explorer, Firefox and Safari.
• Stay Informed and Educated.  It is important that not only your IT department stays up to date on the latest threats but that your employees and your business customers are also advised of them and that you educate them about the techniques of "safe computing." Internet security providers release formal alerts on the latest threats and vulnerabilities and how to protect against them.
• Spam.  Spammers scan the internet to find computers that aren't protected by security software, and then install bad software - known as "malware" - through those "open doors." That's one reason why up-to-date security software is critical. Malware may be hidden in free software applications. It can be appealing to download free software like games, file-sharing programs, customized toolbars, and the like. But sometimes just visiting a website or downloading files may cause a "drive-by download," which could turn your computer into a "bot."Spammers take over your computer is by sending you an email with attachments, links or images which, if you click on or open them, install hidden software. Be cautious about opening any attachments or downloading files from emails you receive. Don't open an email attachment - even if it looks like it's from a friend or coworker ' unless you are expecting it or know what it contains. If you send an email with an attached file, include a text message explaining what it is.
• Don't Let Your Computer Become Part of a "BotNet" Some spammers search the internet for unprotected computers they can control and use anonymously to send spam, turning them into a robot network, known as a "botnet." Also known as a "zombie army," a botnet is made up of many thousands of home computers sending emails by the millions. Most spam is sent remotely this way; millions of home computers are part of botnets
• Use Security Software That Updates Automatically.  The bad guys constantly develop new ways to attack your computer, so your security software must be up-to-date to protect against the latest threats. Most security software can update automatically; set yours to do so. Also, set your operating system and web browser to update automatically.   If you let your operating system, web browser, or security software get out-of-date, criminals could sneak their bad programs – malware – onto your computer and use it to secretly break into other computers, send spam, or spy on your online activities. Don’t buy security software in response to unexpected pop-up messages or emails, especially messages that claim to have scanned your computer and found malware.  Scammers send messages like these to try to get you to buy worthless software, or worse, to "break and enter" your computer.
• Treat Your Personal Information Like Cash.  Don’t hand it out to just anyone. Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. So every time you are asked for your personal information – whether in a web form, an email, a text, or a phone message – think about whether you can really trust the request. In an effort to steal your information, scammers will do everything they can to appear trustworthy. Learn more about scammers who phish for your personal information.
• Check Out Companies to Find out Who You’re Really Dealing With.  When you’re online, a little research can save you a lot of money. If you see an ad or an offer that looks good to you, take a moment to check out the company behind it. Type the company or product name into your favorite search engine with terms like "review," "complaint," or "scam." If you find bad reviews, you’ll have to decide if the offer is worth the risk. If you can’t find contact information for the company, take your business elsewhere.  Don’t assume that an ad you see on a reputable site is trustworthy. The fact that a site features an ad for another site doesn’t mean that it endorses the advertised site, or is even familiar with it.
• Give Personal Information Over Encrypted Websites Only.  If you’re shopping or banking online, stick to sites that use encryption to protect your information as it travels from your computer to their server. To determine if a website is encrypted, look for https at the beginning of the web address (the "s" is for secure).  Some websites use encryption only on the sign-in page, but if any part of your session isn’t encrypted, the entire account could be vulnerable. Look for https on every page of the site you’re on, not just where you sign in.
• Protect Your Passwords. Here are a few principles for creating strong passwords and keeping them safe:

1. The longer the password, the tougher it is to crack. Use at least 10 characters; 12 is ideal for most home users.
2. Mix letters, numbers, and special characters. Try to be unpredictable – don’t use your name, birthdate, or common words. 
3. Don’t use the same password for many accounts. If it’s stolen from you – or from one of the companies with which you do business – it can be used to take over all your accounts.
4. Don’t share passwords on the phone, in texts or by email. Legitimate companies will not send you messages asking for your password. If you get such a message, it’s probably a scam.
5. Keep your passwords in a secure place, out of plain sight.

• Back Up Your Files.  No system is completely secure. Copy important files onto a removable disc or an external hard drive, and store it in a safe place. If your computer is compromised, you’ll still have access to your files.  

Web Browser Security:

One of the most critical points of entry to your computer or gadgets is your Web browser. Unfortunately, your Web browser can have hundreds of security holes that hackers can, and do, exploit. Maybe your browser isn't updating, or perhaps you have add-ons or plug-ins installed that have their own security holes.
1. KEEP BROWSER UP TO DATE

One of the easiest ways to keep hackers away is to make sure your Web browser up to date. A lot of times, browsers like Microsoft's Edge, Mozilla's Firefox and Google Chrome issue patches and fixes for bugs they know about. Typically, they get most of them before hackers can have a field day exploiting vulnerabilities.
Fortunately, most browsers these days are automatically updated. For instance, if you installed Microsoft's new Windows 10 operating system, its default setting is to automatically update your software and issue patches, including for its Edge browser.
Firefox and Chrome also have default settings for automatic updates. You just need to restart them occasionally for the latest updates to install. If you're not sure if you're set up for automatic updates, here's how to check:
Chrome: Google Chrome updates automatically, and turning that off isn't easy. That's good. But to make absolutely sure you've got the latest version, you can click on the Menu icon (little box with three horizontal lines in the upper right corner of your page). Choose "Help and About," then "About Google Chrome."
If you need to change the update settings, go to Menu>>Settings, and then click the "Show Advanced Settings" link. Click or un-click "Protect You and Your Device From Dangerous Sites" to turn automatic updates on or off.
Edge: If you're using Windows 10, go to Start>>Settings, then click "Update & Security." Windows Update should say your device is up to date. If it's not, choose "Advanced Options," then "Choose How Updates Are Installed" and select "Automatic (recommended)."
Internet Explorer: In Windows 8, using a mouse, right-click in the lower right corner of the screen and choose "Control Panel." If you're using a touch screen, swipe from the right of the screen and tap "Settings," then "Control Panel." In Windows 7 and Vista, go to Start>>Control Panel.
In Control Panel, click "System and Security." Under "Windows Update," choose "Turn Automatic Updating On Or Off." Choose "Install Updates Automatically" from the drop-down menu.
Firefox: Click the Menu icon (far upper right-hand corner; it's three horizontal lines) and choose "Options" and then "Advanced" in the left-hand column. Select the "Update" tab on the right, and under "Firefox Updates," make sure "Automatically Install Updates (Recommended: Improved Security)" is selected.
2. UNINSTALL UNNEEDED PLUG-INS
To do this in Windows 10, go to Start and select "All Apps." That's essentially Windows 10's version of the Control Panel. That will list all the programs installed on your device. Right click on the one you don't want; then select Uninstall.  In older versions of Windows, go to Start>>Control Panel, then under "Programs," click "Uninstall a Program." Select the plug-in you want to remove, and click Uninstall.
3. SECURE YOUR WEB BROWSER
Today, web browsers such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari are installed on almost all computers. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.
There is an increasing threat from software attacks that take advantage of vulnerable web browsers. We have observed new software vulnerabilities being exploited and directed at web browsers through use of compromised or malicious websites. This problem is made worse by a number of factors, including the following:

• Many users have a tendency to click on links without considering the risks of their actions.
• Web page addresses can be disguised or take you to an unexpected site.
• Many web browsers are configured to provide increased functionality at the cost of decreased security.
• New security vulnerabilities are often discovered after the software is configured and packaged by the manufacturer.
• Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
• Third-party software may not have a mechanism for receiving security updates.
• Many websites require that users enable certain features or install more software, putting the computer at additional risk.
• Many users do not know how to configure their web browsers securely.
• Many users are unwilling to enable or disable functionality as required to secure their web browser. As a result, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems.

4. ENABLE CLICK-TO-PLAY PLUG-INS
Adobe Flash. There have been many holes in Flash and we recommend that you disable or at least limit this Plug-In.  
It's called click to play. Instead of a plug-in always running, you have to click on it to activate it. Here's how to do that.
Chrome: Menu (horizontal lines in the upper right corner)>>Settings. Click "Advanced Settings" at the bottom of screen. Under "Privacy," choose "Content Settings." Under "Plug-ins," choose "Let Me Choose When To Run Plug-in Content."
Edge: This browser doesn't really have click-play. You have to disable and re-enable plug-ins manually.
Windows 10:  Right-click on the Start menu and choose "Control Panel." Click "Network and Internet" and then under "Internet Options" click "Manage browser add-ons." Click the "Manage add-ons"  button and then highlight a specific plug-in in the "Toolbars and Extensions" area. If a plug-in is enabled, click the "Disable" button in the lower-right corner.
If you're just interested in Adobe Flash, in Edge, click the icon with the three dots in the upper-right corner, then select "Settings." Click the "View Advanced Settings" button and you'll see the "Use Adobe Flash Player" option. Turn this off when you don't need to use Flash.
Internet Explorer: In the far top right corner, click on the little gear icon and choose "Manage Add-Ons." Highlight a specific plug-in in the "Toolbars and Extensions" area. If a plug-in is enabled, click the "Disable" button in the lower-right corner.
Firefox: Menu (horizontal lines in the upper right corner)>>Add-Ons. Choose "Plugins" in the left-hand column. Next to each plug-in, you'll see a drop-down menu. Change each one to "Ask To Activate."
5. GET RID OF UNNEEDED BROWSER EXTENSIONS
Browser plug-ins and browser extensions are easy to confuse. Plug-ins handle video or other content that the browser can't handle on its own. Extensions are bits of code that add new features to the browser.
Extensions have a downside, though. Many of them need your passwords to do their job. That opens up extensions to hackers, who use extensions to install malware.
A couple of tips: Before you install an extension, make sure it's coming from a trustworthy source and has been around for a while. Second, be sure to review your extensions every once in a while, to weed out the ones you don't need any more. If you're not using an extension, or you suspect it's not from a reliable company, delete it. Here's how:
Chrome: Go to Menu>>More Tools>>Extensions, then click "Remove" on each extension you don't need.
Edge: Microsoft's new browser is going to start introducing extensions sometime this year.
Internet Explorer: This browser does not support extensions.
Firefox: Menu>>Add-Ons. Choose "Extensions" in the left-hand column, then select the ones you don't want and click "Remove."
6. RUN ANTI-EXPLOIT SOFTWARE
While most security software is great at detecting and stopping the millions of viruses out there before they can install, security holes in your browser and other programs give viruses a better chance to slip past unnoticed. Unfortunately, you don't even know there's a security hole in a program until the developer releases an update. Until now.
Software companies are starting to release anti-exploit programs. This watch your programs for signs that someone might be trying to use them to sneak on to your system. Then it blocks those attempts.
If you think of your main security program as the castle wall and the army guarding it, an anti-exploit program is the guy watching for traitorous citizens trying to open the backdoor.
7. TYPOSQUATTING
One mistyped letter could lead to ID theft.  Missing just a few letters in a web address can cost you the money in your bank account, or start an all-out identity theft attack, because of a type of fraud called "typosquatting." The typosquatter's URL will usually be one of four kinds, all similar to the victim site address:

• A common misspelling, or foreign language spelling, of the intended site: exemple.com
• A misspelling based on typos: xample.com or examlpe.com (xample.com redirects to a scam site that tries to trick you into downloading malware, it is not suggested you visit it)
• A differently phrased domain name: examples.com
• A different top-level domain: example.org

An abuse of the Country Code Top-Level Domain (ccTLD):  example.cm by using .cm or .om.  A person leaving out the letter o or c in .com in error could arrive at the fake URL's website.
Once in the typosquatter's site, the user may also be tricked into thinking that they are in fact in the real site; through the use of copied or similar logos, website layouts or content.  The fraudulent site is trying to get you to login with your user name and password or download malware with a fake "flash updater" pop-up, for example.
Stay Safe:

• When visiting any web site, double-check the URL before logging in.

• Be very careful entering things. If you're going to PayPal or you're going to your bank, just be very careful and pay attention to what you type.

• Make sure you're on the real website by looking at the address bar on your browser. 

Common Misconceptions:

Misconception:  Windows Updates Make Antivirus Software Unnecessary

Since Windows updates are crucial to your PC’s security, if you’re diligent about installing patches you can forget using an antivirus. This, however, is a deadly mistake.

Truth: Windows Updates Come After The Fact.  Windows Updates patch known vulnerabilities, but aren’t meant to protect from everyday threats.  While keeping Windows up-to-date is a necessary part of security, it can’t replace an antivirus, which works nonstop to protect you.  Also remember that anti-virus software is a management tool to catch already known viruses.  AV software does not stop brand new viruses or social engineering scams.

Misconception:  Malware Infections Are Obvious

Truth:  A Lot of Malware Is Silent.  There are dozens of rogue applications that are spying on you without making a sound. Many of these create zombie computers, which are responsible for much of the spam and website attacks that happen constantly. Additionally, if you fall for a phishing scam and a password falls into a thief’s grasp, they could be accessing your accounts — quietly, of course, so that you don’t suspect anything.

Don’t assume that just because everything looks normal that it is. Change your passwords regularly to be sure that someone isn’t getting in behind your back.

Misconception: I Don’t Do Anything Important On My Computer, So I Don’t Need To Be Careful

This is probably the most common reason people give for not keeping their computer safe. Sadly, it’s a poor excuse and those who give it are wrong.

The Truth:  At the bare minimum, a virus or other malware infecting your PC — even if your financial info isn’t at risk — is going to take time to deal with. Your time is valuable, and if you’re recruiting a tech-savvy friend to fix your PC after your neglect, their time is affected too. Wiping your computer and starting fresh thanks to malware means more time and effort to get your programs re-installed and running just the way you like.  In addition, Malware isn’t looking to steal files on your system. Rather, it’s tracking your every keystroke, stealing passwords, or even hacking into your webcam to spy on you. 

Misconception:  I don’t run Windows, so I’m immune to Malware

The Truth:  All platforms are vulnerable and this includes iPad, iPhone, Android and other  mobile devices.  While Windows viruses won’t affect Mac computers, Macs can still get infected with viruses.  In addition, you can fall for phishing tricks, perhaps via email or social media, no matter what platform you use.   Accidentally handing your password over to a fake site is going to yield the same result no matter if it’s done on Windows, Mac, or Android.

Misconception:  My Apple or Andoid tablet is secure

The Truth:  There is a plethora of mobile-based malware and viruses out there today.  Never let your guard down and carelessly open a web site, email or attachment on a smart phone or tablet.  These devices can be infected and can infect a corporate network if connected as a BYOD device.

Misconception:  Windows Is Inherently Insecure

The Truth:  Ever since Windows 7 hit the scene, the virus problem has been significantly curtailed. The problem is that most Windows users don’t care enough to update their systems with pertinent security patches. Microsoft is good about plugging security holes as they’re found, but if users don’t apply those updates, they leave themselves vulnerable.  At that point, Windows itself is no longer at fault.

Moreover, Windows is the world’s most popular operating system. Combine that with the fact that Windows does not require its users to be tech-savvy and you’ve got a recipe for high number of security incidences. 

Misconception: You don’t need security software

The Truth:  The ones who create malware and viruses are always looking for new ways to facilitate the spread of malicious software, which means that their methods are always evolving.

But more importantly, we are human. Humans make mistakes. We can’t keep our guards up 24/7 and sometimes we’re lazy, forgetful, or reckless. All it takes is one lapse in judgment for your computer to be infected and that’s the real value of antivirus software: it protects you through your mistakes.

If you aren’t using antivirus software, install one now along with a virus scanner. Afterwards, if you find that you have an infection, clean it up as soon as possible.

Misconception: All You Need Is Security Software

The Truth:  Malware and virus creators are always engineering new ways to spread their code.  Antivirus companies are always one step behind (they have to study a virus to understand it’s signature before they can protect against it) which means that the notion of antivirus is fundamentally reactionary.  AV software does not stop brand new viruses or social engineering scams.