For individuals

1. Be sceptical about suspicious e-mails that you have received.

It is very easy to falsify an e-mail by displaying the name of an acquaintance or a company/institution you know as the sender of an e-mail, even though the actual sender is someone with a malicious intent. If there are suspicions about the authenticity of the letter, call the sender and confirm what exactly it is. You can also ask by mail but then make sure to re-check the address of the person receiving the letter. By replying to the letter directly, it can get forwarded to a third person and this might not be evident right away. The most important thing is to not open a file or a link that has been attached to an unknown letter in your computer -- that is the way the malware spreads into your computer and onwards to your contacts.

2. Update software regularly and make sure you are using the newest version of the software

Security gaps in computer or smart device software that has not been updated are one of the most common ways of hacking into computers and information systems. That is why it is important to update software as soon as it is offered and not think that I will do it at some later point when I have more time. Unfortunately, the news about discovered security weaknesses spreads among criminals as well, and attacking through them is a common occurrence. Additionally, it is important to only use software originating from an authentic source, e.g. the software manufacturer's own web page. The same principles also apply to smart devices, and the applications there must also be updated at first opportunity, in order to reduce the risk of malware spreading.

3. Use antivirus software.

Antivirus software should be used both in the computer and in the smart device. These days, everyone carries along a lot of personal and important information (e.g. e-mails, photos, documents) in the smart devices in their pockets, and that that is why it is important to protect the mobile device from viruses similarly to computers. Several relevant programmes that fight against malware and viruses are free (e.g. Avira, Avast, AVG, TotavAV, Malwarebytes). Antivirus software should also be updated regularly, just like other programmes and applications.

4. Use a strong password.

You should use unique passwords in different environments (e.g. Gmail, Facebook, an e-store account etc.), so that not all of your accounts become public at once, should user data leak. A good password is long, easy for you to remember and hard for others to guess, and contains capital and small letters, numbers and symbols. A good option is to use a secret phrase instead of a secret word. One option is to use a password manager so that you would not have to remember tens of passwords. It is possible to use these for free (e.g. KeePass, Dashlane, LastPass) and in that way you only need to remember one long password for your password manager. It is important to change your passwords regularly and keep them to yourself.

5. **Do not believe e-mails from unknown senders that are threatening or demand quick action.

Emails are the easiest way to spread malware, phish for data and carry out account fraud. Quite often the mailbox receives a notification of a large inheritance or lottery win, and to receive it you are asked for your personal data. This is a fraud scheme that attempts to find out your data and unfortunately it is highly likely that no money is coming. The so-called sextortion letters have also been sent for years already, with the goal of scaring the recipient of the letter with the claim that they have access to the victim's IT devices and an overview of the web pages that the person has visited. The letter claims that you have visited web pages with adult content and additionally they have gained access to your web camera which has been used to film the recipient in intimate situations. The most sensible approach is to ignore these kinds of letters and just delete them.

6. Do not enter your account information anywhere at the direction of a stranger and do not forward them to a stranger in any other way.

Quite a common phenomenon these days are phishing letters that reach people by e-mail, with the objective of finding out the user name and password of your mail account, your bank information and PIN codes, or other information related to you. On average, the Information System Authority gets notified of 65 phishing pages a month but there are sure to be many more that are not registered as an incident. Make sure that the web address you are at is letter-for-letter what it should be (google.com vs g00gle.com). There are also fraudulent calls where the caller introduces himself as a bank employee or a policeman and then asks for various personal data (name, phone number, home address, user account information, bank card number and the three digit code on the back of it) by phone. A bank would never ask that kind of information from their customers over the phone and would never log into a customer's online bank for them remotely. If you get a call like that, do not share your card information or any other personal data, just end the call immediately.

7. Use multi-factor authentication.

If at all possible, use multi-factor authentication. Both the ID card and Smart-ID are tools for two-factor authentication. Two-factor authentication is provided for by Google (Gmail), Microsoft (Hotmail), Meta (Facebook, Instagram, Whatsapp) and many other service providers. When using multi-factor authentication, you have to verify your identity in two or more ways (e.g. upon login, the device is asking for both your password and a code received via a text message). If someone gets access to your password (e.g. through phishing, malware or previously leaked passwords), they won't be able to access your mail account without the code in your phone. Generally it is not necessary to enter the code in your phone every time but only when logging in from a new location or with a new device.

8. Create regular backup copies of files both in your computer and in your phone.

Regularly backing up your data is useful both when a device is malfunctioning and when it has been infected with malware. The most secure way is to keep backup copies on an external hard disk or a memory stick that should not be permanently connected to the computer. Should it happen that the computer is infected with malware, ransomware or a virus, the devices connected to it are also in danger. If ransomware tries to encrypt files on the local drive, external data carriers, as well as the network drives, the backup copy must be held separately so that the backup would not be infected when the network drive is encrypted. In addition to this, there are also a number of cloud solutions available for backing up data (Google Drive, Microsoft Onedrive, Amazon Drive, Dropbox, iCloud), making backup copies of your documents automatically through the internet. Back up the files both in your computer and on your phone once a week, for instance.

9. Do not publicize your personal information.

If you use social media, always think before you post something and review the privacy settings of your account. Quite often people have a public Facebook or Instagram account where they post about different life events. For instance, when going on a trip, they announce that they are at the airport at that moment, about to go abroad, sometimes even adding a picture of their plane ticket. They also post pictures during the trip and notifications about their exact location. Information like this can be dangerous when in the wrong hands. It is also not sensible to reveal your home address, bank card data and other such information. If you are not certain that only your good friends will be seeing your posts, it is wiser to leave the information private. For the same reason you should also not accept friend requests of strangers.

Where to find information on the most common cyber attacks?

• News and threat assessments published by the Information System Authority
• Regular summaries of the past month's most important events and the situation in the Estonian space, as well as in the international environment (see also Cyber Security Yearbook (in Estonian))
• The Information System Authority Facebook page (in Estonian) and CERT-EE Twitter account.

It is easiest to protect yourself from danger that you are aware of and that you know how to recognize.

Last updated: 23.02.2022 14:10

Did this response answer your question?