“Phishing” scams trick web users into downloading an infected file, clicking a toxic hyperlink, or giving up private information.  Increasingly, phony offers on social networking sites and text messages (also known as SMiShing) are also used to target mobile devices as well.  The end result of successful phishing attempts differs from one scam to the next, but the most common types of attack result in a hacker gaining access to sensitive information (like the password to your online banking site or your email account), access to the information you store on your laptop or mobile device, or even control of your device

Some phishing scams rely on widely recognized brand names to cash in on your trust, as in the case of the “Wallmart” phishing attack last week.  A more sophisticated strategy known as “spear phishing” targets people who are thought to be using a specific credit card, bank, or other online payment system before sending fraudulent messages.  Most of us are more likely to open a message we think is sent from our bank than from a bank we’ve never used.

As a rule of thumb, if you are at all unsure about the origin of your email (as with an unprompted “Thank you for your purchase!” message), do not click on links contained in that email. Instead, go directly to the website domain to check your account and search for the sale or offer described. And remember: If an offer sounds too good to be true, it probably is.

If you suspect you’ve been a victim

Realizing that you might have opened yourself to a phishing attempt can be pretty scary, so if you think you’ve downloaded a fishy file or clicked a dubious link, there are several steps you can take:

1.) Change your passwords. If you believe your email account, online banking or payments information, or social media account has been compromised, change your login information as soon as possible.  This could stop a phisher from accessing your account, or at least prevent him from doing any serious damage.

2.) Update your security software. Make sure that your antivirus or cross-device security software like McAfee LiveSafe is up-to-date on ALL of your devices (smartphones, laptops, PCs, Macs, or tablets).  And if you’ve downloaded a file or visited a website that might have infected your device, run a security scan and wipe any questionable items.

3.) Check your financial records. Even if you’re unaware of an initial phishing attack, your bank and credit card statements will reveal if your information was compromised. As a best practice, thoroughly check your statements each month, and if you suspect fraudulent activity, immediately contact your bank directly via phone to place a fraud alert on your account.

According to Barrett, while passwords are still required for so many applications and services, they have simply outlived their usefulness. Barrett predicted that we will all start moving towards alternative security measures sooner rather than later, one of those being a technology called biometric security.

Biometric security refers to identifying users based on their human traits or characteristics, such as a fingerprint or eye scan. Until recently, the concept has been primarily reserved for science fiction and spy movies, and existing technologies have proven to be either unreliable or too expensive to commercialize. Still, the concept has remained attractive for security researchers. After all, an eye or a fingerprint is definitely one password that you’ll never forget.

Currently, biometrics is used in a number of industries. For instance, the FBI has long been a leader in using biometrics such as fingerprint recognition and voice patterns. Biometrics has also been incorporated into a number of financial institutions. For example, Bank United has used iris scanners for ATM access, and Barclays has used voice recognition to verify customers over the phone.

Over the past few years, the industry has matured and biometric technology has evolved to become cheaper for device manufacturers and websites. Device users are also growing more eager to embrace the technology. A new survey by Nuance reports that 90% of smartphone users would prefer voice recognition authentication, with 85% being dissatisfied with current authentication methods such as pins and passwords.

Ultimately, users at home might be closer to using biometric security than they think. This week, we announced McAfee^® LiveSafe^™ service, the first unlimited cross-device security option to use McAfee® Personal Locker secure storage with facial and voice recognition technology. While broad adoption of biometric security options will take time, it is exciting to think about a future where our digital lives are secured through something as unique as our facial features or voice.

What are your thoughts towards biometrics? Let us know in the comments below.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

In the study released by IObit, they found that 30% of users always accept the “Keep me Logged-in” feature on Facebook, Twitter and Pinterest. The study also revealed that 45% of users only change their password when required to do so and that another 15% of users have never changed their passwords. This common user behavior leaves millions of social accounts susceptible to attack and personal information vulnerable to exposure. Those who use the same password for all of their online accounts are in even more danger, because once a hacker has access to one account, he/she can now access all of a user’s accounts that use the same password.

As our society becomes more and more connected through social media sites, it is important to remember that these sites are susceptible to attacks just like any other website. What the study reveals is that people aren’t aware that the tendency to “stay logged in” is putting their personal privacy and security in danger. Users shouldn’t wait until something bad happens before they take action. Having a strong password and updating it regularly is the simplest and most effective way to keep your digital accounts secure.

Unsure if your password is strong enough? Run it through the Intel Password Tool – as an added bonus, the service is currently running a sweepstakes for those who get their password graded and take steps to secure their accounts. For more information on best practices for password safety, you can also join us this afternoon for a Twitter Chat with Intel, the Department of Homeland Security and STOP. THINK. CONNECT. The chat starts at 3pm ET, and you can attend the event and participate by using the hashtag #ChatSTC.

If you’re the type who never changes passwords because you’re prone to forgetting them, check out our McAfee All Access product. It features the new McAfee SafeKey, allowing you to easily and securely store all of your usernames and passwords to various sites, while also offering one-click logins.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

Last week we saw an example of the impact of an account hack. On April 23^rd, the official Associated Press Twitter account (@AP) became compromised and sent out the following tweet at 1:07pm ET:

By 1:08pm ET the Dow Jones Industrial Average had plummeted by 150 points, losing more than $137 billion. Market turmoil lasted for approximately 5 minutes before representatives from The Associated Press and the White House confirmed that the tweet was a hoax and a result of the account being hacked. After the hack was debunked, the Dow Jones regained all of its losses; however, the incident casts a spotlight on the influence of robot traders (computers programmed to make stock trading decisions based on real-time data) and the weight of social media updates.

The attack also shows an evolution in the way cybercriminals can exploit technological weaknesses by manipulating social updates from influential accounts or profiles. Now, more than ever, it is imperative that you take an active approach to your online security. Here are a few tips to ensure that your social accounts remain yours:

1. Use Strong Passwords
   Get out of the habit of easily identifiable passwords. Keep in mind that the top 5 online passwords are:
   1. password
   2. 123456
   3. 12345678
   4. abc123
   5. qwerty

   If your password is on the above list or even similar, it’s time to update it immediately. Unsure if your password is strong enough? Run it through Intel’s password tool (plus you could win an Ultrabook!).

1. Change Your Password Often
   Try to change your login passwords at least 2 times a year. A good habit is to sync this up with changing your clocks and smoke detector batteries during the Daylight Savings Time switch. By changing your passwords regularly, you’re limiting the time that a hacker might have access to your account, if it were compromised without your knowledge.

1. Use Different Passwords for Each Site Login
   It can be tempting to use the same password for your Facebook, Twitter, email, online banking etc. accounts—especially if you’re prone to forgetting your passwords. Don’t do it! You should always have a separate password for each website login. At the very least, you should have different passwords for your non-commercial accounts (Facebook, Twitter, etc.) and your online financial accounts. If your passwords are the same and a hacker manages to steal the password for one account, then they now have access to all of your online accounts.

1. Monitor Your Apps and Keep Them Updated
   Having third-party apps connected to your social account can be a huge convenience, by allowing you to quickly log into websites using your social credentials. However, be sure to verify that a site or app is trustworthy before you allow authorization. Routinely check your list of connected apps to ensure you recognize them. Finally, if there are ever updates—accept them! Most app updates address bug fixes and security concerns.

1. Keep Updated on Password Safety Best Practices
   Staying informed of best practices will keep you security savvy. Join us for a Twitter chat on May 7^th at 3pm ET as we discuss password safety with Intel, the Department of Homeland Security and STOP.THINK.CONNECT. Attend the event and participate by using the hashtag #ChatSTC.

If you’re worried about forgetting or losing your passwords, check out our McAfee All Access product. It features the new McAfee SafeKey, allowing you to easily and securely store all of your usernames and passwords to various sites, while also offering one-click logins.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

However, with the help of website traffic visualization technology, VideoLAN Organization has been able to share a behind-the-scenes look at what actually happens to a website when it is being attacked.

What you’ll see in the video below is a record of the April 23^rd DDoS attack against VideoLAN:

In this video, each ball represents a server request, and the different colors represent the specific computers that sent each request. A server request occurs when you enter a web address in your browser to gain entry to a desired web page, and if too many requests are sent at once, the web page will become overwhelmed and fail to load.

In this visualization, the paddle you see is the server attempting to keep up with the requests (think of it like the classic game of Pong). During an attack, requests completely bombard the website with traffic at one specific chokepoint, leaving other legitimate requests (colored balls) to bounce away unfulfilled. In this way, a hacker can monopolize a server and effectively take down an entire website. If a site cannot keep up with a high number of requests, it will not work properly, and you will be greeted with an “Error Not Found” page instead.

For context, here is another traffic visualization for a site that isn’t experiencing an attack:

While it’s not yet clear why a hacker wanted to attack VideoLAN’s servers, DDoS attacks mainly affect organizations, businesses, and retail websites–not home computers. Still, the videos above provide a great visual resource to understand how these attacks work.

Do your part to stop DDoS attacks:

While your personal computer may not be the victim of a DDoS attack, if your computer becomes infected with malicious software, it could easily be used to assist cybercriminals in this type of disruption. As I stated above, one way that hackers generate this much traffic is through a botnet, or a network of infected computers. To ensure your computer doesn’t become part of a botnet, always keep security software like McAfee All Access up to date, and regularly scan your device for potential threats.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter with @McAfeeConsumer.

How are cyber criminals able to fool Google and Bing?

During the course of their research, IT security institute AV-Test found that cyber criminals exploit search operators through the process of search engine optimization, or SEO. SEO is used by all major website operators to ensure that sites are searchable. For example, SEO ensures that when you type in a term like “shoes,” your search engine results will include popular websites like Zappos or DSW. However, malware developers use one SEO tactic in particular to infect users’ machines – backlinking.

Backlinks, also known as inbound links, are incoming links to a website. Search engines such as Google and Bing use the number of backlinks a website has as one indication of the popularity or importance of a website. With this in mind, cyber criminals will create a significant number of smaller, fake websites that link to an infected site. Once this network of linked websites is in place, Google and Bing are effectively tricked into believing the infected website is important, ranking that page alongside legitimate sites like Zappos.

In addition to backlinking, malware developers also take advantage of breaking news and popular search topics to integrate keywords that encourage users to click. For example, a cybercriminal might create an infected website called “Boston Donations” to fool users looking for a way to support Boston Marathon victims. All of this work allows the cybercriminal to take advantage of the search operator’s process and deliver malicious software whenever a user clicks on their site. This is known as a “drive-by” download–just clicking on a link and opening it from Google or Bing can install dangerous code on your device.

What can I do to search safely?

Luckily, search engine operators such as Google and Bing are constantly making efforts to remove malicious websites from their results.  To make sure that your search results are as safe as possible, I recommend the following search practices:

1)    Stick with Yahoo or Google when it comes to search. The AV-Test research concluded that while both Bing and Google had issues with serving malicious content in their results, Bing returned 5x the amount of malicious links than Google.

2)    Turn to trusted sources for your news. Cyber criminals take advantage of top news stories to exploit search engine providers. If you are looking for information on breaking news, make sure you only click on results from known websites such as CNN, Fox or Reuters, just to name a few.

3)    Keep your software up to date. Infected websites typically take advantage of vulnerabilities in a users software. These vulnerabilities include outdated browsers and add-ons.

You can also guarantee that you have the best possible Internet protection on all devices you search on (tablets, laptops, smartphones, PCs, and Macs) by using security software such as McAfee All Access with McAfee SiteAdvisor installed. SiteAdvisor software adds safety ratings to your browser and search engine results, blocks known bad sites on Android mobile devices, and along with McAfee All Access, also blocks risky links in email, social networking sites, and IM.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter with @McAfeeConsumer.

The upward trend in mobile shopping is clear, but are consumer worries justified?

Stick to Known Retailers

Most big online retailers take security and information protection seriously, so whether you’re on a phone, tablet, or laptop, you’re much better off starting your search at the site of a well-known retailer like Target, WalMart, or Amazon.com. Still, even large retailers aren’t immune from security breaches (Zappos reset the passwords for over 24 million customer accounts after a breach in January). To help yourself avoid risky sites, download a browser plug-in like McAfee SiteAdvisor, which gives safety advice before you visit a risky site–even on Android mobile devices.

Buy from Home

Only make online purchases using your own desktop, phone, or laptop. Public computers, like those in libraries, shouldn’t be used for secure transactions. In addition, never conduct a transaction over a public Wi-Fi network–at a coffee shop, mall, hotel, or airport for example. These connections are often insecure, and sensitive information like credit card numbers could be intercepted.

Ensure Connections are Safe

If you absolutely need to make a purchase while traveling, make sure you are connecting to websites using encrypted HTTPS connections. HTTPS stands for HyperText Transfer Protocol Secure, which means that the communication between a website and your computer is encrypted to increase security. (Learn more about encryption here.)

Before you make a purchase, always check your web address bar to see whether or not your website is using HTTPS. If the URL has changed or does not include https:// in the address bar, end your session and buy from another retailer.

Protect ALL Your Devices – Not Just Your PC

Despite their security concerns, at least 53% of consumers reported that they don’t regularly update security settings on their mobile devices. This is one of the key reasons that consumers believe their smartphones and tablets are less secure than desktop computers – many simply don’t keep their smartphone security up-to-date.

If you plan to make purchases on any mobile device, make sure you take proper security precautions by downloading a cross-device solution like McAfee All Access that can protect your smartphones, tablets, Macs, laptops, and desktop PCs. In addition, using your smartphone’s built-in screen lock setting is one of the easiest ways to keep your personal data more secure, and you shouldn’t hesitate to change your PIN, swipe pattern, or password on a regular basis.  You should also make a point of downloading any software updates from the phone’s manufacturer on a regular basis, as these updates often include fixes to any weak points in the software’s security.

Ultimately, online shopping security should not depend on the device we shop on. The technology is available to make buying on your smartphone, tablet, laptop, or PC equally secure; it’s just a matter of putting in that extra effort to download security software and stay aware of your surroundings on the web.

For more on this topic and other emerging threats, be sure to follow our team on Facebook and on Twitter with @McAfeeConsumer.

Here are a few of the most common workplace security mistakes, as well as a few tips on how to avoid them:

1.    Losing Your Mobile Device

While not everyone has had the misfortune of having a device lost or stolen, it’s extremely likely to happen to at least one person in your workplace at some time. Just think of all the personal information you’ve sent in professional emails: Your contact information is in your email signature, you may have copies of client records in your “Sent” folder, and your HR manager likely has your social security information stored somewhere in their files. Despite those risks, a third of people don’t bother to protect their mobile devices with a PIN or password. To give you, your boss, and your coworkers peace of mind, you should also install security software that will locate, lock, and wipe your phone remotely in the case of device loss or theft.

2.    Downloading Risky Apps

Whenever you download an app on your smartphone, tablet, or laptop, you’re handing over your personal details to the developer of that app. While many apps require certain data to run (for example, Google Maps requires access to your location), some applications collect extensive information without your knowledge. Recent research found that more than 100,000 Android applications on Google Play are “suspicious” or “questionable” because of what they collect about users. Free apps are particularly suspect, and an app with access to your contact information can be used to mine information about your company’s employees. In turn, this information can easily be used to carry out sophisticated spearphishing attacks that can compromise your entire workplace.

3.    Working Remote – With or Without Your Corporate Device

According to a recent study, 46% of employees admit to transferring files to and from work and personal computers when working from home. This can pose a serious risk to your employer’s data, since personal computers are rarely protected or maintained as well as corporate devices. Talking about sensitive company issues where others can hear or intercept the conversation becomes much more common when you’re working from home or in a coffee shop. If you do work remotely, never hold work conversations in a place where you could be overheard, and always connect to a VPN over a secure Wi-Fi network (NOT the free Wi-Fi in your favorite café).

4.    Passwords on Post-Its

You’ve seen it; I’ve seen it. When your IT guy gives out a particularly complex password to remember, our first inclination is to write it down on a Post-It and stick it on the side of our work computer. In fact, 55% of us admit to sharing password details with friends, family, or coworkers – a habit that could leave corporate or personal data open to theft. To avoid this mistake while still maintaining a variety of complex passwords, try a password management system like McAfee Safe Key, which is included with your McAfee All Access subscription.

5.    Foregoing Security Software

No matter where you work, all employees need to understand that they are handling sensitive business data whenever they work from a personal or corporate device. Take some time to install a security solution on all of your mobile devices, and when it’s your phone or laptop that gets stolen, your coworkers (and boss) will thank you. It only takes a moment to download, and this step could save you a lot of time, money, and potentially your job.

To learn more about this topic, be sure to join our team on Facebook and on Twitter with @McAfeeConsumer.

Malware (short of malicious software) is a type of program designed to interrupt the normal operation of a computer, often stealing private information or slowing down the computer’s processing speed.  Viruses, spyware, Trojans, ransomware and adware are all forms of malware.  Hackers often disguise malware by packaging it alongside video or audio content, which is then downloaded on peer-to-peer file sharing networks.

Known in Internet shorthand as “P2P,” peer-to-peer networks allow users to download media files such as music, movies, TV shows, and games from other connected computers. Sometimes this type of file sharing is legal (such as downloading an open source book), but many times, it is considered illegal “pirating” of copyrighted content. The first well-known generation of P2P software was Napster, which gained fame in the early 2000s after running into legal difficulties over copyright infringement. Other examples you may have heard of include services like Kazaa, Limewire, and BitTorrent.

In the case of Game of Thrones, since the malware files were packaged with the TV show file, but weren’t a part of the file itself, malware creators relied on the widespread use a specific P2P network, BitTorrent, to infect computers. BitTorrent is different from other P2P networks, because it works by downloading pieces of a file from several other computers at once, putting them together correctly once they’ve been copied to your machine. This allows for faster download speeds, but it also means that malware creators can easily sneak malicious software into any popular download (like Game of Thrones).

Of course, there’s a simple way to protect your Internet connected devices from getting infected – don’t download copyrighted content from P2P networks. Of course, this is easier said than done if you have teenagers in the house, which is why I encourage all parents to have a conversation about the dangers of P2P networks before an infection occurs. In addition, make sure you have security software like McAfee All Access running and up-to-date, which will effectively protect all devices in your home.

For more information on this and other emerging threats, be sure to join our team on Facebook, Google+, and on Twitter with @McAfeeConsumer.

Wait – What exactly is a bitcoin?

In a nutshell, bitcoins are a virtual currency that you can use to buy products online. Bitcoin is not the first currency of its kind, but it is by far the most successful to-date. They’re created through a slow, complicated computer process known as “mining,” and once a person has a bitcoin, he or she can trade it with anyone who will accept it as payment for goods and services (just like US dollars).

As bitcoins have grown in popularity, they’ve also grown in vendor acceptance: You can now purchase music, download magazines, or even upgrade your WordPress account with bitcoins. Still, the currency is not regulated by any central bank, and the entire process is anonymous and untraceable – which means it’s not surprising that scammers are now trying to hack the bitcoin system.

These sound valuable – How do I get one?

The value of bitcoins has been soaring as of late, which is why many news outlets and investors have been taking notice. Still, the entire system is entirely untested, resistant to government regulation, and extremely volatile. On top of that, buying your own bitcoin is a lot harder than it sounds.

The first thing to realize about buying a bitcoin is that you can’t use a credit card, because transactions are meant to be completely anonymous. Your only options are to give up your banking information to a suspicious online exchange (NOT an option), or use a complicated process that includes walking to your local supermarket, using a system like Moneygram to pay a cash-payments service, and then transferring the money through another process that eventually credits your bitcoin account.

For most of us, the best course of action is to sit back and watch the bitcoin drama unfold, but this most recent hack also serves as a reminder of the real-world impact of large scale cyberattacks. No matter how sophisticated the system, no website is invulnerable to attack, which is why it’s so important to follow security best practices in all of your online activities. This includes using a variety of unique, complex passwords – especially for online banking accounts – and keeping security software like McAfee All Access up-to-date.