Cybersecurity expert speaks on protecting yourself from online scams

Over the past 30 years, the internet has revolutionized the world in ways that few other technologies can boast, perhaps matched only by the introduction of the printing press or steam engine.

However, despite the internet being used by 5.5 billion people around the world, few can claim to understand the complex nature of how it works.

To a large degree, this lack of wisdom has resulted in a lack of personal online safety, all while the cyber world morphs into a system that is as volatile as it is useful.

Michael Jensen of Ste. Agathe resident is an expert in the field of cybersecurity. He has impressive credentials and has gained some of his most impressive experience working with top intelligence agencies such as the Department of National Defence.

Part of Jensen’s daily work portfolio is to review the latest hacks and scams circulating on the internet by scouring through threat feeds. It’s his business to know what’s happening so he can provide preventative and restorative advice on cybersecurity to people in some of the country’s uppermost echelons.

Jensen says that his wife would tell him that his job has made him all doom and gloom. In his words, it’s just made him extremely risk averse and sceptical of everything he sees.

Based on the number of people who fall victim to online scams every day, most of the world’s population could stand to adopt a similar scepticism.

In its most basic forms, the purpose of online hacking and scamming is to either steal someone’s identity or steal their money. But if every internet user were to become a little more savvy in regard to protecting their ingress points, places where scammers gain access to personal data, we’d be living in a much safer world.

Thankfully, computer and cell phone operating systems are beginning to provide built-in technology to help users recognize unsafe emails and phone calls as they come in. According to Jensen, people would be smart to pay attention to these warning systems.

Cybercrime, after all, has been reaching new heights at a fast and furious pace. There are a number of reasons for this.

First, Jensen says, the internet has been around long enough for many people to become experts in its use. Second, digital crime is now the most lucrative form of robbery.

“In 2022, there was 3.8 billion dollars stolen in cryptocurrency theft, which was more money than all recorded bank heists combined throughout the history of the world,” Jensen says. “My threat sources probably tell me about three pretty big crypto heists a week.”

What qualifies as “pretty big” in Jensen’s world is any theft totalling more than $2 million. He says he’s seen crypto thefts as big as $600 million, and these happen more often than most care to admit.

“Because cybercrime has become so lucrative, more criminal organizations are turning to hacking and scams as a way to generate income rather than leaning on the more traditional types of crime we normally associate with gang activity,” he adds.

If the last decade has taught us one thing, he says, it’s that cybercrime has unimaginable growth potential. This is where criminals are focusing a lot of their resources.

Monetary and Crypto Scams

According to Jensen, people are being scammed out of their cash or cryptocurrency in many ways.

One is through fake online investment sites where the owner is sweettalked into freely “investing” their currency.

Alternatively, hackers may find ways to access private crypto wallets or attack crypto exchanges.

Very large criminal organizations, some of them major state-sponsored threat actors, like North Korea, are dedicated to this endeavour, says Jensen.

“We’re seeing this more and more with crypto. When a lot of exchanges start up, they’re so focused on bringing in investors and bringing value that they don’t have the time to set up all the security features that they need to.”

Social Media Scams

Every social media user is becoming well-acquainted with online scams. Whether they realize it or not, posts cross their feed every day that attempt to lure users with promises of jobs, daycare spaces, business services, friend possibilities, or fake promotions.

Essentially, they’re all there to engage users. Once you’ve engaged by clicking a link or messaging a host, you’ve put yourself, your data, and everyone in your contact list at risk.

“There’s a term called OSINT, or open-source intelligence, and social media is an OSINT nightmare,” Jensen says. “When people are trying to target you, they rely on LinkedIn, Facebook, Instagram, and TikTok to get them there.”

While social media sites do provide varying degrees of security to protect users, Jensen says that many of these measures are watered down because the social media sites themselves are in the business of making money off your freely shared data.

Pig Butchering and Kidnapping

Another common scam is known as pig butchering. While it sounds crude, the idea is to lure a victim and then spend as much time as it takes to groom them towards a specific end. In other words, they are “fattening the pig before the kill.”

This scam might begin with a text message from an unknown caller reaching out as if you’re someone they know. A clear red flag is when the texter doesn’t go away, even after being informed that they’ve reached the wrong person. Instead they try and befriend you.

Pig butchering is also a common tactic in other forums, like dating apps.

“The whole goal is to establish a long-term relationship, and they’ll devote months sometimes to these scams,” says Jensen. “They are grooming people specifically to get them to a point where they’ll invest in something that is absolutely going to pull the rug out from under them.”

The scammers are sleek and convincing, oftentimes luring vulnerable parties into false investment strategies on the fake websites they’ve created.

In order to gain the investor’s trust, the scammer may encourage them to make a small investment and then do an immediate withdrawal, to prove its legitimacy. Once the scammer feels they’ve reached the height of what the investor will invest, the site disappears along with all the investor’s money.

Jensen says that the really interesting thing about these scams is that they’re able to pull them off through human trafficking. Many of these scamming rings are based in foreign countries where everyday people may be relatively easy targets for kidnappers.

“The scam syndicates take [a person’s] visas, beat them, and make them do nothing but scam people. They’ll give them six phones and all they’ll be doing is trying to scam people throughout North America all day every day.”

According to Jensen, one such scam ring was recently busted in Cambodia, resulting in the release of 200 kidnapped slaves. This is only one of many such organizations.

Some of these crime rings are so large that they operate like a legitimate business, building their own internal departments for human resources, payroll, and accounting.

Between 2020 and 2024, an estimated $75 billion was stolen through pig butchering scams. The crime has become so lucrative that it’s given criminals the financial means to bribe law enforcement officials, invest in secure compounds, and generally insulate themselves from the outside world.

Ransomware

Ransomware tech has been around for approximately ten years. In the early years of its use, scammers would hack individual computers and hijack personal files, like family photos and financial documents, encrypting them so the computer owner no longer had access. These personal files became available to the owner again upon the payment of a set ransom.

In the last few years, though, larger corporations and agencies have become targets to. The monetary gains are exponentially higher. Healthcare agencies, legal offices, educational institutions, and real estate companies are a few examples of those being regularly hit.

The University of Winnipeg fell prey to these cyber attackers in April of this year, putting at risk the personal information of thousands of students and staff.

Jensen also speaks of a major corporate attack on MGM Grand and Caesar’s Palace hotel and casinos in Las Vegas.

“The scammers made away with $300 million in ransom because those companies were losing $80 million per day without access to their data.”

Last year, Jensen says, an unregistered scamming company by the name of Conti was discovered and shut down. Their net worth at the time was estimated to be more than $2.6 billion with a $400 million annual revenue.

Email Compromise

According to Jensen, email infiltration still ranks at the top of all scamming ingresses.

“People store everything in their email accounts,” he says. “Tax information, passwords, copies of their identification, and contacts of their family and friends.”

He speaks openly of a scam that he almost fell prey to a few years back. It took place during the purchase his new home.

According to Jensen, an email appeared in his inbox and seemed as though it came directly from his lawyer’s domain. Attached was a letter on official company letterhead. It looked remarkably convincing.

The letter included detailed information about Jensen’s pending transaction, including the address of the new home and payment details as they had been discussed between Jensen and his lawyer.

Something triggered Jensen to contact his lawyer personally before getting sucked in. This conversation revealed the letter to be false.

Still, Jensen was astounded at the level of personal information the scammer had procured and the sophistication of its presentation.

It’s important that everyone learn to check the true source of suspicious emails since scammers can change the display name of the sender so the recipient believes it’s coming from somewhere else.

Some quick online research can teach you how to do this. It differs from one email provider to the next.

“Particularly savvy users might want to learn how to check email headers in order to get the most information on where an email came from. It’s like a transaction record and shows everything it came in contact with along the delivery path.”

A general rule of thumb for the average user is to learn to hover your cursor over links to find more detailed information about them before clicking.

Remember, once scammers gain access to your email, they have access to the email addresses of everyone in your contact list. Crimes can rapidly perpetuate from there.

Online Banking and Shopping

Online banking has come a long way in recent years in terms of meeting rigid security codes, Jensen says. Generally speaking, if the bank is a well-known institution, people can trust that their online banking safety measures are sufficient.

“Banks are the most incentivized to have good security. The one thing they can’t prevent, though, is the end user getting scammed.”

In other words, it’s easier for scammers to get individuals to give up their banking or credit card information than it is to get those details from a bank or credit card company.

In terms of online shopping, Jensen says it’s important to make sure the website you’re buying from is equipped with recognized security features. One way to do that is to check the website’s uniform resource locator (URL) code.

If it begins with https:// (hypertext transport protocol secure), it means that the website creator has leased a security certificate for a universally accepted encryption system which helps ensure the personal data being transferred between user and website owner remains invisible to outsiders.

A lock symbol appearing on the left side of the URL further indicates that security measures have been taken.

It’s important that the URL contains the letter “s” at the end, which represents a higher level of security. If the URL begins with just https, as opposed to https, or if the lock symbol is missing, it’s not as trustworthy.

Jensen takes security with online purchases one step further with a practice he says everyone should employ.

If he plans to purchase a frying pan from a company calling themselves Kate’s Kitchen, for example, he will first run an online search for that product and company name in his search engine. Here you can quickly find product and company reviews from other customers as well as potential scams they may be accused of.

“Part of the problem with seeing ads on something like Instagram is that there’s no vetting process. They’ll put ads up for anyone who pays for it. If I’m concerned about a product I see on Instagram, I’ll go see if it’s on Walmart online or Amazon or a company that I know exists. In many cases, the scammer has taken a real product that someone else makes and set up a fake website to pretend to sell it to you.”

Jensen learned this little fact the hard way. A family member ordered a product online which never arrived. Their credit card info now rested in the hands of scammers.

As for allowing Google, Amazon, Walmart, or other online sources to save your passwords or credit card numbers online, Jensen says it’s never a good idea.

Cookie Session Theft

There are ways for scammers to gain your personal data while you’re making an online purchase, even if the website is considered secure. This is through a tactic called cookie session theft.

Upon logging into an online shopping account, your personal data is being temporarily saved in what’s known as a cookie. Cookies are what the website uses to track your transactions in order to customize your online experience.

Once you log out of the website, your login session (cookie) is closed. But if a hacker has created an ad or popup which appears on the product page and you click on that ad while logged into the website, the information temporarily stored in the cookie is accessible to the scammer.

“When you have your browser open with your credit card information saved, if they can convince you to click on their malicious website, they have the chance to steal that cookie session. They won’t steal your credit card information; they steal the data that the legitimate website has on you and then trick the website into creating a charge for something else. Basically, they make the website think that it’s you who’s doing the ordering.”

To stay safe, Jensen recommends fully completing your purchase and logging out of the site before clicking on any links or popups.

Mobile Payment Apps

These days, the goal is to make purchasing a product or service as easy as possible. Hence, the popularity of the mobile payment app.

“One truth about everything having to do with the internet is that the more convenient something becomes, the less secure it is. You will always be sacrificing an element of security for convenience.”

Jensen doesn’t quite trust mobile phone apps just yet. While he believes that companies such as Apple Pay are using some pretty advanced security systems, if a hacker has dropped malicious spyware onto your phone, all your mobile transactions become vulnerable.

“The weak point is usually with the end user,” he says. “A person’s made a mistake that allowed the hacker to get information.”

Passwords, Encryption, and Multifactor Authentication

“If you have a password that is less than ten characters, there’s free tools out there that hackers can use that will crack it in under 30 seconds,” says Jensen.

That’s why it’s imperative to create passwords or passphrases that are longer and, thus, harder to decode. Jensen recommends creating passphrases from four different, seemingly unrelated and random things. Like, for instance, bookchairkeylamp.

Throwing in some numbers and characters makes decoding harder still: book$chair%key$lamp3.

Finally, make sure to create different passwords for every online application you use. If hackers get into one, they won’t get into all your data.

Be reminded that social media plays a big role in helping scammers decode your passwords.

You’ve probably come across seemingly innocuous online questionnaires on social media with the supposed goal of telling your friends more about you. However, they’re usually created by scammers who are also there to get to know you better.

“If I was a hacker, I’d be using one of those to build what’s called a dictionary on you. And when you’ve answered those questions, I’ll build combinations out of them to decode your passwords.”

Jensen adds that hacking someone’s Facebook account is a pretty simple affair which requires very little technical online savvy.

In terms of protecting social media sites, people should also consider the personal data they’ve shared or store there. Many people tend to use their social media site as free cloud storage for their family photos, but it’s all at risk if it falls into the hands of a hacker.

“If you put pictures of your kids with their names online and I can guess their ages, it’s easy for me to pretend that I’m someone related to you. And that’s the real risk. And once you put all that stuff out on the internet, you can’t take it back. It’s out there.”

As for the storage of other sensitive information on your computer, Jensen strongly recommends encrypting files when saving them. This is done with a simple right click of the mouse which should take you to an encryption option.

“Is saving files on your computer inherently more dangerous than saving them in a filing cabinet that could catch fire or be stolen? Not really. There are ways to protect them digitally.”

As a secondary safeguard to encryption, Jensen suggests that computer owners store important data in more than one place, like a USB device or another computer. This way, you’re less likely to experience a complete loss should you get hacked or have your computer stolen.

When using storage services such as Cloud, files should still be encrypted.

“Encrypting will create a special key for your user account so that, when you go to access that file, you can decrypt it. But if someone were to get in with a different user account, they don’t have the key to unlock it.”

Finally, multifactor authentication (MFA) is an important tool that Jensen says everyone should be using.

Examples of security factors include the use of personal identification numbers (PINs), passwords, and fingerprint authentication. The requirement for a secondary authorizer, such as a spouse, may also be an option.

MFA isn’t just for online banking protection, says Jensen. It can be set up on certain social media accounts and apps. A simple online search can help anyone learn to set up MFA on any site that allows it.

Unfortunately, some sites like Amazon don’t support MFA yet, although they are working on developing it to add another level of safety for their customers.

Sharing and Reporting

Jensen can relate firsthand to the humiliation one feels when they’ve been scammed or nearly scammed. It’s the kind of experience no one wants to admit to. Yet keeping your silence means the scammer wins. Unreported, they can keep drawing more victims into their nefarious schemes.

“The reality is that scammers can catch you on a bad day, and everyone has bad days. It’s human to click on things online. It’s human to be lazy about passwords.”

It’s important that people speak up quickly, he adds, before others get burned. Also, if possible, get help to deal with the scam that was perpetrated on you. Reporting to local law enforcement may not help you get your money back, but it does put the scammers and their tactics on a registry to help police build files against them.

Reporting scams happening on social media sites is also a really good idea.

“Reporting a scam might not mean that things can be fixed for you, but it might mean it can be fixed for the next person.”

Virtual Private Networks and Antivirus Systems

Jensen cautions against believing everything you hear about virtual private networks (VPNs) for added online security. While they have their place when it comes to encrypting or hiding online browsing activity, they are often advertised as one-stop shops for digital security. To believe they will provide comprehensive scam and malware protection is misguided, Jensen says.

“They are not effective antivirus systems. They are not firewalls. They don’t really keep you safe. They keep your activity hidden to a point, but they won’t prevent a lot of the scams we’re talking about today.”

Jensen is a believer, on the other hand, in having a good antivirus system installed on your device.

“There used to be a time when you absolutely had to pay for an antivirus system like Norton, McAfee, or MalwareBytes. But these days, the free antivirus systems that come in Microsoft and Apple computers have gotten very good. If people feel more comfortable using a paid system, there’s nothing wrong with that. But I want people to understand that online safety doesn’t need to be expensive.”

Stay Safe Out There

At the end of the day, vigilant use of the internet will go a long way towards keeping you safe in a world where dark forces try to separate you from your money and well-being.

“Most people are absolutely bound to a system that they don’t understand but need it to run their lives,” Jensen concludes. “We need to learn how it works at the very least. Do a little bit of work to keep yourself safe. And always be sceptical.”

Brenda Sawatzky, Local Journalism Initiative Reporter, The Niverville Citizen