
Using the Internet safely



Introduction

Most people have no trouble at all on the Internet, and it's no worse than (say) buying something from the local paper, but some people, especially when new to the Internet, seem to abandon all common sense and get caught by the unscrupulous. Reading this document will ensure that it's not you who gets caught.

These tips are the sort of thing everyone gets to know after a few months, but they are written here to speed up the learning process for you.


Websites


  • Never accept any unsolicited downloads offered by a website – if you didn't ask for it, you don't want it!  Windows will always pop up a window saying that the site wishes to download something to you, and asking for your permission.  NEVER give it.

    Downloading anything from a website can be very dangerous: some downloads can run automatically once downloaded, and any of them could change your internet settings, install a virus, install a trojan, and so on. (A trojan could watch your keystrokes and send them to someone else, who would learn anything you type: your passwords, credit-card details, anything.)

  • Beware of "pop-up" windows.  The worst a website can do (unless you allow a download) is to hijack your "home page", so that you see some unwanted page every time you start your web browser.  While annoying, this isn't catastrophic, but in general be careful what you click on.  Most adverts and pop-up windows are clickable, and some of them are designed to look like Windows error messages or other warnings, hoping that you'll click on a fake "OK" or "Cancel" button.  (Here's an example.)  If the cursor is a hand, it's a clickable link, not a Windows error message, so don't click it.  Banner ads are part of the page, and you'll just have to ignore them; pop-ups open in a new window (like this), sometimes behind your main window, sometimes in front of it; you should close any pop-ups only by clicking in the top right-hand "X".
     
  • Beware of scams and free offers.  There are plenty of websites out there of dodgy or unknown provenance, and just because something looks genuine doesn't mean it is.  If something's too good to be true, then it probably isn't true!  

    There's a fascinating list of scams from the link at the left.

    In general, just ask yourself whatever you'd ask when looking at an advert in the local paper. Do you know who and where these people are? Is there a postal address (beware PO boxes) and a phone number? Beware numbers starting 07 (mobiles), 09 (premium rate) or 00 (international). Most websites aren't UK based, so phone numbers may not make much sense – for example, I often see 1-800 numbers, which are American freephone numbers (and generally don't work from here).

  • Look at the website address (at the top of your page viewer) – is it what you'd expect?  That's the only thing you can be sure isn't faked, so look at it carefully – is www.johnlewisonline.co.uk necessarily John Lewis the department store? What about www.john-lewis.co.uk and www.johnlewis.co.uk and www.johnlewis.com? It's always good to check website addresses against advertising or other reliable sources.

  • Don't download software from the Internet to search for viruses or spyware or "improve performance" unless you know it's reputable. Most isn't. See here. If prompted by a message apparently from Windows saying you have a virus or spyware, be suspicious – Windows has no such detection ability (although your anti-virus add-on might – be aware of what such a message from your anti-virus software should look like).

  • Don't assume that just because an anti-virus product has a good-looking website, it's genuine. Fake anti-virus software makes a lot of money for scammers, so they can afford to pay for the best websites. Is there a contact address or e-mail address on the website? What happens if you google for the contact address (most are fake) or the name of the product?


E-Mail


Watch out for "phishing" e-mail – this is e-mail that looks as if it comes from your bank, or from someone else with whom you have an account (eBay, PayPal), and it is a big problem. These fake e-mails want you to click on a link which will take you to what looks like your bank's login page, where you type in your login details – in reality the pages are fake, and by typing in your login details you tell the scammer what they are! The scammer can then log in to your account and transfer your money to an unsuspecting third party, who is tricked into sending it on to an untraceable address.

Scammers send out millions of e-mails asking people to "verify" their details by typing them into a web page, and provide a link to their (convincing-looking but fake) web site. Within hours they can collect online banking details for thousands of gullible people. (Example here.)

There is also a lot of spam offering "a job as a financial controller", which offers people thousands of pounds for use of their bank accounts. The deal here is that your "employer" pays money into your bank account, you take it out and send it on as cash (to an untraceable address, of course).

So, how to avoid being duped:

  • Check e-mail that looks like it comes from your bank. Is it addressed to "Dear Customer", "Dear Customer of Barclays Bank", "Dear someone@example.com" or similar? A bank would always use some detail that isn't in your e-mail address – such as addressing you by your proper name (not just what's in your e-mail address) or mentioning your account number. Don't be fooled by talk of "security procedures" or "upgrades". Watch out for poor or strange English (most phishing scammers don't seem to use English as a first language).

  • Don't follow links in e-mail – they may not go where they say they do. Know the online address of your bank, and type it into your browser directly. Or (second-best) google for it.

  • Beware of e-mails claiming to be from your ISP saying you have a virus and attaching some software to "cure" it.


Files


A key thing to understand is how extensions tell you what type of file you may have downloaded or been sent, and thus whether it's likely to be dangerous or not.

The last three letters in the attachment's name (double-click the message in your inbox to see the full message and all attachments) are the extension, and the extension tells you what will happen when you double-click the attachment.  So it's worth knowing a bit about extensions.  Note it's the last three letters after the final dot that count, so "harmless document.doc.exe" has an EXE extension, not a DOC extension (and is probably not harmless!).

I've categorised them as safe, probably safe, and dangerous:

Safe

  • .jpg – a picture
  • .gif – another picture
  • .bmp – another picture
  • .wav – a sound
  • .txt – a text file
  • .rtf – a word processor document
  • .pdf – a document in "Adobe Acrobat" format

These extension types are always completely safe to double-click.


Probably Safe

  • .doc – a word processor document
  • .xls – a spreadsheet
  • .ppt, .pps – a presentation
  • .htm – a web page

The extension types above are probably safe to double-click, but did you expect this type of file from the sender?  It might be worth pausing to think for a moment; also watch out for any warning messages from Word or Excel or PowerPoint if you do decide to double-click.  There is a remote chance that these types could contain an embedded program (called a macro), and an even remoter chance that such a macro could be a virus.

Any other extension you should treat with extreme suspicion.


Dangerous

  • .bat – runs commands and programs
  • .cmd – runs commands and programs (Win XP), similar to .bat
  • .com – a program
  • .exe – a program
  • .ins – messes with your Internet settings
  • .pif – runs a program
  • .reg – messes with your computer settings
  • .scr – a program which claims it's a screensaver
  • .vbs – a program

Personally, I wouldn't double-click any of these until I had a better idea what it was, who it had come from, and whether they (and it) could be trusted. The above are all programs, and all thus very dangerous to run unless you definitely know their provenance. It's not an exhaustive list, so in general I'd treat any unsolicited e-mail with an unknown extension type with deep suspicion. As a minimum, contact the sender (by e-mail or phone) to see if he or she really sent it, and why.
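
The final-dot rule and the three lists above, as an added example that is not part of the original page: it sorts an attachment name into the page's categories and reports when a harmless-looking extension sits in front of the real one, as in "harmless document.doc.exe". The file names other than that one are constructed.

```python
# Extension lists copied from the tables on this page
SAFE = {"jpg", "gif", "bmp", "wav", "txt", "rtf", "pdf"}
PROBABLY_SAFE = {"doc", "xls", "ppt", "pps", "htm"}
DANGEROUS = {"bat", "cmd", "com", "exe", "ins", "pif", "reg", "scr", "vbs"}

def final_extension(name):
    """Split on the final dot, ignoring trailing dots and spaces in the name."""
    stem, dot, ext = name.rstrip(". ").rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")

def classify_attachment(filename):
    """Return (category, disguise) where disguise is the harmless-looking
    extension sitting in front of the real one, or '' if there is none."""
    stem, ext = final_extension(filename)
    if ext in SAFE:
        category = "safe"
    elif ext in PROBABLY_SAFE:
        category = "probably safe"
    elif ext in DANGEROUS:
        category = "dangerous"
    else:
        category = "suspicious"  # the page: treat any other extension with suspicion
    disguise = ""
    if category in ("dangerous", "suspicious"):
        _, inner = final_extension(stem)
        if inner in SAFE | PROBABLY_SAFE:
            disguise = inner
    return category, disguise

# Constructed attachment names for illustration (the first is the page's own example)
SAMPLES = ["harmless document.doc.exe", "Holiday.JPG", "report.doc",
           "invoice.pdf      .scr", "setup.msi", "notes"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", classify_attachment(name))
```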


 


Thanks

If you've got any comments on this page, feel free to contact me via the link on the left.



© Copyright Paul Doherty, 2007.  All rights reserved.
