Cybersecurity

We use the Internet every day: making online banking payments, shopping online and even handling formalities in an e-office. The Internet offers unbounded possibilities and simplifies our lives, but it poses many threats as well. Each and every one of us may be a target for cybercriminals.

Learn the Internet safety rules. Find out what methods cybercriminals can use to gain access to your data and money, and don’t get scammed! Find out what to do when you suspect your data has got into the wrong hands!

Cybersecurity basics

Protect your data

Never share online your sensitive personal data such as personal identification number (PESEL), ID number, passport number or payment card number.

Update your software

Older versions of software may contain security flaws that cybercriminals exploit. Remember to install software and its updates only from verified and trusted sources.

Make sure you have a good antivirus programme

Use an antivirus programme and make sure it is always up to date.

Choose strong passwords

Never use simple, easy to guess passwords. Remember not to use the same passwords for different systems. And above all: never share your passwords with anybody.

Log in safely

Use multi-step log-in verification on the websites you use, e.g. additional authentication with your phone (a text message code).

Don’t know – don’t click

Never click on links or open e-mail attachments received from an unknown source.

Don’t trust unknown networks

Unless it is essential, do not use untrusted public communications networks to make electronic banking transactions.

Use encrypted connections

If you must use public networks, consider using VPN, or at least check if the connection is encrypted.

Secure your mobile devices

Secure access to your mobile devices as well as possible, e.g. with a fingerprint, so that only you have access to them.

Apply the principle of limited trust

Limit your trust in the people you chat with online – somebody could have taken control of that person’s account and may be trying to obtain your data that way.

Questions and answers

1. How to use the Internet safely?
In order to use the Internet safely follow these few rules:

  • make sure you have an up-to-date antivirus program installed on your computer,
  • systematically update your software, such as the operating system, internet browser, Office package, Acrobat Reader, etc. Regularly update the apps on your phone,
  • do not open attachments and links in e-mails from somebody you do not know or in e-mails you are not expecting. Breaking this basic rule is the easiest way to infect your computer. It also applies to social media. Be careful what links you click, even those sent by a good friend. Somebody could have taken over their account and sent malicious links or viruses,
  • on your mobile do not install any apps at somebody’s request, and do not install apps from unofficial stores (other than Google Play or the App Store),
  • if you use your phone or computer for important purposes such as banking or access to important information, do not share that device with a child. The child may not know all the safety rules yet,
  • try not to use public WiFi networks. In such networks there is a high risk of your sensitive data or passwords being intercepted. If you must use such a network, consider using a VPN solution,
  • use strong passwords and, if possible, two-factor authentication, e.g. password + text message or password + token. Also remember not to use the same password for several accounts.

2. How to create a strong password?
There are a few rules you must remember when creating a safe password. The most important are:

  • the password should be unique, one of a kind and unrepeated,
  • the password should not be easy for third parties to guess, so it should not contain your name, surname, date of birth, etc.,
  • do not build your password from a sequence of letters, numbers or other symbols, e.g. abcd, 1234, QWERTY,
  • the password should not be a single word in any language, written normally or backwards; such passwords are easy to guess,
  • do not use the ‘save your passwords’ option in a browser,
  • do not use easy, simple “dictionary” expressions, e.g. mypassword,
  • a safe password should consist of at least 12 characters, but the more the better. We recommend passwords of 12-16 characters,
  • the password should be complex, so it should contain lower-case and capital letters as well as numbers and symbols,
  • to create a safe password you may also use an expression or phrase that you will remember easily, e.g. a quotation or saying written with a small change, e.g. [email protected]@in. This way you can create a strong password that criminals will be unlikely to break,
  • we also recommend using a password manager, which, apart from storing passwords, usually also has a function to generate complex passwords.
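As an added illustration (not code from the original page), the rules above can be turned into an automatic check that a registration form or a password manager could run. The word list and keyboard rows in the block are constructed and deliberately small; a real checker would load a full dictionary and also compare the candidate against lists of leaked passwords.

```python
"""Added example: checks a candidate password against the rules listed
above. The dictionary and keyboard sequences are constructed samples."""

import re

MIN_LENGTH = 12          # minimum the rules above require
RECOMMENDED_LENGTH = 16  # upper end of the recommended 12-16 range

# Constructed sample word list (an assumption of this example); a real
# checker would load a large multi-language dictionary.
DICTIONARY = {"password", "mypassword", "welcome", "summer", "dragon", "qwerty"}

# Alphabet, digit run and keyboard rows used to detect predictable
# sequences such as abcd, 1234 or QWERTY (forwards or backwards).
SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
)

TOO_SHORT = "shorter than %d characters" % MIN_LENGTH
MISSING_CLASSES = "does not mix lower case, upper case, digits and symbols"
SEQUENCE = "contains a keyboard, alphabetical or numeric sequence"
DICTIONARY_WORD = "is a dictionary word (possibly written backwards)"


def contains_sequence(password, run=4):
    """True if any `run` consecutive characters of a known sequence, or of
    its reverse, appear in the password (case-insensitive)."""
    low = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(password, personal_info=()):
    """Return the list of rules the password violates; an empty list means
    it passes every rule this example implements."""
    problems = []
    low = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(TOO_SHORT)

    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(pattern, password) for pattern in classes):
        problems.append(MISSING_CLASSES)

    if contains_sequence(password):
        problems.append(SEQUENCE)

    # Strip digits and symbols so that "Drowssap!2024" is still recognised
    # as the dictionary word "password" written backwards with decoration.
    core = re.sub(r"[^a-z]", "", low)
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        problems.append(DICTIONARY_WORD)

    # Names, birth dates etc. supplied by the caller must not appear.
    for item in personal_info:
        if item and item.lower() in low:
            problems.append("contains personal information: %s" % item)

    return problems


if __name__ == "__main__":
    for candidate in ("Summer2024", "Qwerty123!xy", "Drowssap!2024",
                      "Corr3ct-Horse$Batt3ry!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The check is deliberately a list of violations rather than a single score, so that a form can tell the user which rule was broken.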

3. How to send a file securely?
To send a file securely, e.g. a file with personal data, it is best to encrypt it. Use dedicated encryption software, e.g. PGP, or file compression software such as 7zip or WinRAR, which can create a password-protected archive. To send the prepared file, use e-mail, or, if the file is too large, a file-sharing platform. Using the cloud is also a good idea. Remember: always send the password for the file to the recipient via a different channel than the one the file was sent through, e.g. a text message.

4. What should I do when I doubt that an e-mail/phone call I received is genuine?
When you answer a suspicious phone call:

  • ask for the caller’s details (name and surname),
  • hang up, call the institution’s hotline and ask whether this call was really made on the institution’s behalf. Also ask whether a person with the given name and surname is their employee.

When you receive a suspicious e-mail:

  • before you click or open an attachment, check who the sender is and what the content of the e-mail is,
  • pay attention to the sender’s address. Most fake e-mails are sent from addresses that have nothing in common with the institution they claim to be from,
  • pay attention to the content of the e-mail. In fake e-mails you can often see spelling or grammar mistakes,
  • in the case of suspicious e-mails, do not open or click on links,
  • forward the suspicious e-mail to CERT using the form on the incident report website,
  • report the suspicious e-mail to the institution the criminals claim to be from.
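The sender and link checks above can also be automated, for example in a mail-filtering rule. The following is an added example, not code from the original page; the two messages, the organisation name and every domain in them are constructed (the .test and .invalid top-level domains are reserved and never resolve).

```python
"""Added example: automated versions of the sender-address, link and
time-pressure checks listed above, run over two constructed e-mails."""

import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed messages for the demonstration (all names and domains made up).
SAMPLE_PHISH = b"""From: "Example Bank Customer Service" <alerts@examp1e-bank-secure.invalid>
To: customer@example.net
Subject: Urgent: your account will be blocked in 24 hours
Content-Type: text/plain; charset=utf-8

Dear Customer, we have detected unusal activity on your account. Confirm
your identity within 24 hours here: http://login.examp1e-bank-secure.invalid/verify
or your acount will be suspended.
"""

SAMPLE_LEGIT = b"""From: "Example Bank" <noreply@example-bank.test>
To: customer@example.net
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement for last month is available after logging in at
https://www.example-bank.test/ (type the address yourself).
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "blocked", "suspended")


def belongs_to(host, org_domains):
    """True if host is one of the organisation's domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


def sender_address(msg):
    """Display name and real address from the From header, e.g.
    ('Example Bank', 'noreply@example-bank.test')."""
    return parseaddr(str(msg["From"]))


def link_hosts(msg):
    """Hostnames of all http(s) links found in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return sorted({urlparse(u).hostname for u in URL_RE.findall(text)})


def assess(raw, claimed_org, org_domains):
    """Return a list of findings; an empty list means every check passed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, addr = sender_address(msg)
    domain = addr.rpartition("@")[2].lower()
    if not belongs_to(domain, org_domains):
        findings.append(f"sender address is at {domain}, which is not a {claimed_org} domain")
        # The display name is free text, so a mismatch with the real address
        # is exactly the trick described above.
        if claimed_org.lower() in name.lower():
            findings.append(f"display name claims {claimed_org} but the address does not match")

    for host in link_hosts(msg):
        if not belongs_to(host, org_domains):
            findings.append(f"link leads to {host}, not to {claimed_org}")

    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject applies time pressure")
    return findings


if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(assess(raw, "Example Bank", ["example-bank.test"]) or "no findings")
```

The same function can be fed real messages saved from a mail client; the list of the institution's genuine domains is the only thing that has to be maintained.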

5. How to recognize social engineering that cybercriminals use to talk us into action?
Social engineering is the ability to manipulate people, and used in bad faith it can be an effective tool in the hands of cybercriminals. Most cyberattacks use social engineering (e.g. time pressure, pretending to be a decision-maker) and rely on people’s reflexes and behaviour. Using social engineering, criminals bypass barriers and safeguards. How can you recognise that the person you are talking to is using social engineering?

Cybercriminals who use social engineering:

  • will refuse to give you a callback number, as they will not always have prepared a number that is safe for them,
  • will offer an unusual bargain – one that does not happen in real life,
  • will insist that they have authority, e.g. pretend to be somebody important and try to intimidate you and threaten you with consequences,
  • will stress the importance and urgency of the matter to force you into hastily passing on information, making an immediate decision or taking action,
  • when you start asking probing questions, they will become hostile and give off-hand answers, as they know that a factual conversation will easily expose them,
  • will try to drop many surnames so as to “catch” one you may recognise. In this way they build trust, as this name becomes “a key” to obtaining personal information from you,
  • will try to dull your vigilance with flattery, compliments and fake offers of help,
  • will try to coax you into unwise behaviour by arousing your curiosity.

How not to get caught by social engineering? First of all – be assertive. Verify the information you receive, call back, do not panic, do not act rashly and try to evaluate the situation calmly. Do not disclose sensitive information and do not thoughtlessly follow the orders of somebody whose identity you cannot verify in the given situation. If you do get manipulated, react afterwards in proportion to the threats identified and the criticality of the information/data disclosed. If justified, report it to your supervisors and law-enforcement authorities, and inform your bank.

6. How to prevent data loss?
Most of us store valuable data (notes, documents or family photos) on a computer or laptop disk or in smartphone memory. We forget that device failure and human error are the most common causes of data loss.
To minimise data loss, regularly make back-up copies on an external storage device or in the cloud, connected to the device only for the time the copies are made. Many devices and apps now allow automatic back-ups. Malware may also easily erase or damage files that are important to you; using antivirus software is a good practice that limits this risk too.

7. How to protect sensitive data?
First of all, let’s explain what sensitive data is. It is a kind of personal data that is subject to specific protection, as it concerns the private sphere. Sensitive data, except for biometric data, is not used for identification (on the Internet, at a bank or other institution). The following data is considered sensitive:

  • racial or ethnic origin,
  • political opinions,
  • religious beliefs,
  • philosophical beliefs,
  • trade union membership,
  • genetic data,
  • biometric data,
  • health,
  • sexuality and sexual orientation.

However, sensitive data often also covers data and information whose disclosure may allow identity theft and deprive somebody of their privacy. As a natural person, you yourself decide who processes your sensitive data and under what conditions. Companies of course have the obligation to make sure this information is appropriately secured against unauthorised access. Each service that requires data requires consent to processing. You will notice this when you visit online shops’ websites or use social media.

How best to protect sensitive data?

  • when passing your data to somebody, make sure it is really essential for this person/institution,
  • do not send your data in electronic form without securing it first; encrypt each document with the strongest possible password,
  • do not store scans of your documents, photos or contracts online,
  • do not save your data on unknown or public devices,
  • always verify the materials that you share, e.g. in social media,
  • try not to use public, generally accessible Internet hotspots,
  • never ever share your login and passwords with anybody,
  • always apply the principle of limited trust,
  • do not have confidential conversations in public places,
  • always remove data from disks and devices that you no longer use; an old device that is sold or thrown away may become valuable loot for cybercriminals,
  • change your computer, e-mail and banking system passwords regularly,
  • if possible, use two-factor authentication,
  • pay attention to e-mails sent by institutions, e.g. banks or courier companies; fraudsters pretend to work for companies or financial institutions, so you need to make sure the e-mail really comes from the claimed sender,
  • use up-to-date antivirus software,
  • be careful when you download files or install games or applications, as a virus may be installed together with the downloaded files. After downloading a file, it is worth scanning it with an antivirus programme,
  • check whether the SSL (TLS) encryption protocol is used on websites with log-in functions: a secure website’s address starts with “https” and has a padlock icon next to the URL in the address bar,
  • try to educate children about the obligation to protect data. The youngest are usually not aware of the threats, and that is why fraudsters exploit their credulity.

8. How to use electronic banking safely?
As there are more and more attempts to phish electronic banking data, you need to be particularly alert when using internet banking services. Fraudsters, in order to gain access to the victim’s bank account, most often use phishing attacks, social engineering or malware. To protect yourself effectively against these threats:

  • check whether the log-in website has the right address. Obtain the correct address from your bank and always enter it in full in the browser’s address bar. Addresses in a browser’s search results may be manipulated,
  • pay attention to the layout of the bank’s website. If it looks different from usual in any way, make sure you have the right website address,
  • verify that the connection is encrypted (padlock icon next to the website address),
  • do not use internet cafes or devices that belong to other people,
  • when using electronic banking, do not use unknown networks,
  • never use links that you received via e-mail or text message to log in to electronic banking,
  • do not forget to log out of the banking system when you finish using it,
  • do not run untrusted software on the device you use, and keep the installed system and software on it updated.

9. How to verify if the internet store is real?
Fake stores most often offer branded products at bargain prices. If the offer is too good to be true, this should raise your suspicions.

Before placing an order, verify if the internet store is not a fraud attempt:

  • verify the company’s details using publicly available information (headquarters’ address, statistical identification number – REGON, National Court Register number – KRS, etc.),
  • read the terms and conditions posted on the store’s website,
  • check opinions about the store, paying attention to the dates of those entries. Fake internet stores have a short lifecycle,
  • call the number given on the store’s website,
  • if you have doubts, select “pay on delivery” as the payment method. Fake internet stores frequently exclude this payment method,
  • verify how long the store has been operating, e.g. by checking when the domain was registered. The newer the store, the greater the risk of fraud.

What to do if you purchased from fake internet store?

  • if you made a payment using a link on the fake store’s website or a link sent by the store, inform your bank immediately and change your electronic banking password,
  • report the case to the police,
  • if you paid by credit card, you can make a claim with your bank.

Report the fake store to CERT using the form on the incident report website.

10. How to check SSL certificate?
A few years ago it was believed that when visiting a website with a padlock in the address bar you were making a secure connection. Today the padlock only means that the connection with the server is encrypted; it does not guarantee that the given website belongs to the company you want to connect with.

Therefore it is important to verify that a given website is actually operated by the company we wanted to reach. It is worth knowing that fraudsters can, without any problem, register a domain that differs by a slight change of letters and generate a certificate for such a website (e.g. safewebiste.com is something completely different from safewebsite.com).

Browsers verify whether the certificate of the visited website is valid and show an alert if the certificate does not meet the security criteria (e.g. it has expired or cannot be verified). If the browser indicates any problems with a website’s certificate, it is recommended to contact the website’s owner to verify the connection.

You may also verify the SSL certificate yourself. Usually you just need to click the padlock symbol. If the certificate issuer performed extended validation (EV) of the domain owner’s identity (owners do this for particularly crucial systems), the browser will display the company for which the verification was made.

By clicking in the certificate window you can see its details; the most important are:

  • expiry date (validity period) – for fake websites this often shows that the certificate was issued only a few days earlier,
  • alternative names of the entity – the addresses for which the certificate was issued,
  • issuer’s name – the trusted entity that issued the certificate, together with the period of validity.
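As an added example that is not part of the original page, the block below inspects exactly those fields (validity period, alternative names, issuer) in the dictionary format that Python's ssl.SSLSocket.getpeercert() returns, and additionally flags a domain that differs from a known one by a single typo, as in the safewebiste.com / safewebsite.com case above. The certificate, its issuer and dates, the list of known domains and the "current time" are all constructed; fetch_cert() shows how the same dictionary would be obtained from a live server.

```python
"""Added example: certificate inspection and lookalike-domain detection.
SAMPLE_CERT is a constructed dictionary in getpeercert() format."""

import socket
import ssl

SAMPLE_CERT = {
    "subject": ((("commonName", "safewebiste.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notBefore": "Mar 10 08:00:00 2024 GMT",
    "notAfter": "Jun 18 08:00:00 2024 GMT",
    "subjectAltName": (("DNS", "safewebiste.com"), ("DNS", "www.safewebiste.com")),
}
# Constructed "current time": five days after the certificate was issued.
SAMPLE_NOW = ssl.cert_time_to_seconds(SAMPLE_CERT["notBefore"]) + 5 * 86400


def fetch_cert(hostname, port=443):
    """Fetch a live server certificate (needs network; not used by the demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def cert_summary(cert):
    """Issuer, validity period and alternative names, as a browser shows them."""
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "valid_from": cert["notBefore"],
        "valid_to": cert["notAfter"],
        "names": [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


def hostname_covered(cert, hostname):
    """True if hostname is among the DNS alternative names; a wildcard such
    as *.example.com covers exactly one additional label."""
    hostname = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.partition(".")[2] == name[2:]:
            return True
    return False


def cert_age_days(cert, now_ts):
    """Whole days since the certificate's notBefore date."""
    return int((now_ts - ssl.cert_time_to_seconds(cert["notBefore"])) // 86400)


def edit_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    or swapping two adjacent characters (the typo above) each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(hostname, known_domains, max_distance=2):
    """(known domain, distance) if hostname is a near miss of one; an exact
    match is the genuine site and returns None."""
    hostname = hostname.lower()
    best = None
    for known in known_domains:
        if hostname == known.lower():
            return None
        dist = edit_distance(hostname, known.lower())
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (known, dist)
    return best


def assess_site(cert, hostname, known_domains, now_ts):
    """Warnings a cautious user would want before entering credentials."""
    warnings = []
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("certificate has expired")
    if not hostname_covered(cert, hostname):
        warnings.append(f"certificate does not cover {hostname}")
    age = cert_age_days(cert, now_ts)
    if age < 14:
        warnings.append(f"certificate was issued only {age} days ago")
    match = lookalike(hostname, known_domains)
    if match:
        warnings.append(f"{hostname} resembles {match[0]} (edit distance {match[1]})")
    return warnings


if __name__ == "__main__":
    print(cert_summary(SAMPLE_CERT))
    for w in assess_site(SAMPLE_CERT, "safewebiste.com", ["safewebsite.com"], SAMPLE_NOW):
        print("WARNING:", w)
```

Note that a freshly issued certificate and a lookalike name are warning signs, not proof of fraud; the page's advice to contact the site owner or the bank through a separately obtained number still applies.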

Dictionary

Cyber attack

Any attack aimed at information systems, computer networks, infrastructure or our personal computing devices. A cybercriminal tries to gain access to data, functions or other restricted areas of the system without authorisation, potentially with ill intent. As a result of a cyber attack, the theft, alteration or destruction of a specific object (e.g. data) is possible.

Identity theft

The deliberate use of another person’s personal data, registered address or personal identification number (PESEL), most often to obtain financial or personal gain. Identity theft is also called identity fraud, as it means using somebody else’s data rather than “cancelling” the victim’s data.

Hacker

A person with high computer (or electronic) skills who is connected with the hacker community. Hackers have thorough knowledge of the Internet and know many programming languages and operating systems. They use their knowledge, for example, to break into computer systems.

Malicious software

Software that is specifically designed to disrupt or damage the computer system in which it was installed.

Doxing (doxxing)

The act of publicly revealing private personal information about an individual or organization, usually via the Internet.

Malware

Software that is designed for malicious purposes and works contrary to the user’s expectations. This term does not include applications that, due to some imperfection, can unintentionally cause harm.

Spam

Irrelevant or unsolicited electronic messages. The idea of spam is to bulk-send the same information to unknown people; the content of the message is not relevant. For an e-mail to be called spam it must fulfil three conditions simultaneously: the content of the e-mail is independent of the identity of the recipient, the recipient has not given consent to receive it, and the content gives cause to believe that the sender may obtain benefits disproportionate to those of the recipient.

Cookies

A small piece of text that a website sends to the browser and that the browser sends back on subsequent visits to the website. Cookies are mainly used to maintain sessions, e.g. by generating a temporary identifier upon login and sending it back. They may have broader uses, storing any data that can be encoded as a sequence of characters. Thanks to this, the user does not have to enter the same information each time they return to the same website or move from one page to another.

Two-factor authentication

An extra layer of security protecting a user’s account against unauthorised takeover. Also called two-step verification. It has recently become very popular in banking applications and e-mail accounts. The first step is giving your login and password when logging in. In the next step the user must provide a unique code that they receive, e.g., via text message or e-mail, or that is generated in a dedicated application.

CERT

A team established to handle security incidents on the Internet. CERT Polska has been active since 1996, and since 1997 it has been a member of FIRST (Forum of Incident Response and Security Teams). It cooperates with similar teams around the world. Local teams responding to security incidents also operate in particular institutions or sectors of the economy.

Firewall

One of the ways to secure networks and systems against intruders. It may be a computer device with special software or just software that blocks unauthorised network access to the computer it guards. Its basic task is to monitor incoming and outgoing connections and to block connections considered malicious.

SSL certificate

Used to encrypt data transferred between a server and the user’s computer. It may be a web (www), e-mail, FTP or other server. The SSL certificate is installed on the server and enables its authentication (verification of its authenticity) and the making of a secure connection.

Vishing

A kind of phishing in which the criminals contact the victim by phone. As with phishing, the aim of the attack is to obtain data that the criminal can use to commit a crime: e.g. purporting to be a bank employee, they first win the trust of the person they are speaking to and then ask them for their electronic banking authentication data. They often do this under the pretext of stopping a blocked transfer that has allegedly just been made from the victim’s account.

Pharming

A fraudulent practice that uses malicious software (malware) previously installed on the computer device, whose task is to direct the victim to a bogus website of a bank, a fast online payment service or simply an e-mail account. By authenticating on the bogus website we give the criminal our authentication data. Malicious software may get onto our computer when we install unverified software or applications or open an attachment in an e-mail from an unknown source.

Skimming

A fraud method based on copying the magnetic stripe of our debit card. Fraudsters place a special scanning device in the card reader of an ATM and a camera pointed at the keypad. The card’s data is copied and the PIN recorded. This kind of fraud is also used by thieves in some shopping malls, where the fraudster may temporarily get hold of our card. For this reason it is crucial not to share your debit card with anybody and, above all, to keep it within your sight at all times while shopping.

Phishing

A method in which the criminal purports to be another person or institution in order to obtain confidential information (e.g. log-in data, credit card details), infect the computer with malicious software or coax the victim into specific actions. Phishing does not require advanced technical knowledge or searching for gaps in security. It relies on the weakest link in computer network protection, i.e. the user’s mistakes. An example of this type of attack is an e-mail with a link that directs the user to a bogus website of a bank. This website is usually an exact copy of the original, and on it the user is asked to log in to electronic banking. This way the fraudsters obtain the authentication data for our account. Recently social media and messaging apps are used more and more often for this type of attack.

Social engineering attack

Manipulation in order to scam the recipient. Fraudsters use social engineering in contact with a potential victim by e-mail, phone, social media and internet messengers as well as text messages. Examples of this type of fraud are the “BLIK” and “grandchild” scams, “great bargains” in online shopping, and investment offers that are supposed to bring a high ROI. Fraud on online shops is also a popular way of extorting money: the criminal offers goods at a bargain price, stating that contact is only possible via text message or messenger. They then send a link to a fake fast online payment website, and the victim, unaware of the threat and under time pressure, logs in on the fake electronic banking website, thereby giving the criminals access to their account.

Ransomware

Software that blocks access to a computer system and prevents the data from being read (often using encryption), and then demands a ransom from the victim to regain access. Ransomware belongs to the so-called malicious software (malware). The most basic ransomware programmes only put a lock on the system, which is quite easy for experienced computer users to undo. More advanced programmes use a technique called cryptoviral extortion: they encrypt the victim’s files, making them unreadable, and demand a ransom in return for decrypting the data. Restoring the data without the decryption key is nearly impossible. Nowadays ransomware attacks are combined with prior copying of data by the attackers, which enables them to demand a ransom and threaten to disclose the confidential data.

SIM card duplicate

Fraudsters who have obtained a victim’s data, such as their personal identification number (PESEL) or ID number, are able to make a duplicate of the victim’s phone SIM card. Once they have an active duplicate, using the taken-over phone number they may, e.g., confirm transactions in a bank account.

Watch the video: Become a Ninja - protect your data!

Worth knowing!

  • If you have fallen victim to a cyberattack or have noticed something alarming online, report it via the CERT website.
  • If you have lost your ID, payment card, driving licence or passport, report it immediately to the "Withheld documents" system (available in Poland) by phone on +48 828 828 828 or via the card cancellation system.