Security is always a trade-off with usability. The only completely secure computer is one turned off, in a safe, in the ground, guarded by barbed-wire and armed personnel. Unfortunately this hypothetical computer is also completely useless.
Computer security may be an entire highly-specialized field, but there are a few very effective ways to protect your devices and data.
The key takeaways for avoiding phishing attacks are thus:
Your passwords could almost certainly be stronger. Modern desktop password crackers can run at 500 million guesses a second against weakly hashed passwords, and a hacker can rent an Amazon cloud cracking array that runs billions of guesses a second for only a few dollars. Length matters more than cleverness: every added character multiplies the space an attacker has to search. To see how long it would take a massive cracking array to exhaust your password, check out Steve Gibson’s excellent Password Haystacks website, keeping in mind that it measures exhaustive search; a dictionary word with a digit or symbol tacked on falls to a wordlist attack far sooner than that.
Most spouses (and many companies that track your online footprint through the ads that websites display) can answer your “security questions”: your aunt’s birthday is probably public on Facebook, and your favorite vacation spot is in your search history. The best defense is to use password management software such as LastPass to make up completely random answers to these questions and store them alongside the password. LastPass is free for Mac/Windows and works with the Internet Explorer, Google Chrome, and Mozilla Firefox browsers.
LastPass stores all your passwords and other sensitive information behind a single strong master password. It generates a long, random, unique password for each website (so that someone who breaks into one site does not gain access to any others) and enters those passwords for you automatically, so you never have to remember them. LastPass is available on iOS, Android, Windows Phone and Blackberry too, for a subscription fee of $12/year. We store all of our passwords and sensitive information in LastPass. LastPass has been audited by third parties we trust, who verified that the vault is encrypted on your own computer with a key derived from your master password, so the contents are never available to LastPass itself: the company cannot read your information, and cannot recover it for you if you forget the master password. (The master password is the one you type to unlock your LastPass vault after logging in to your computer; it is the one password you still have to remember, so make it long and never reuse it anywhere.)
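The two points above, that a manager should pick passwords from the OS random number generator rather than from your head, and that strength is a function of length and character set against a known guess rate, are easier to see in code. This is an added example, not the page’s own material or LastPass’s code; the desktop guess rate is the 500 million/s figure from the text, the cloud rate is an assumed 5 billion/s (the text only says “billions”), and the “haystack” search space is an upper bound, since a dictionary word falls to a wordlist attack long before exhaustive search finishes.

```python
import math
import secrets
import string

# Guess rates: the desktop figure is the one quoted in the text; the cloud figure is
# an assumption standing in for "billions of guesses a second".
DESKTOP_GUESSES_PER_SEC = 500_000_000
CLOUD_GUESSES_PER_SEC = 5_000_000_000

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random.choice)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(password: str) -> int:
    """Exhaustive-search space for a password of this length drawn from the character
    classes it actually uses: the 'haystack' an attacker who knows only the length
    and the classes in play would have to search."""
    alphabet_size = sum(
        len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password)
    )
    if alphabet_size == 0:
        raise ValueError("password uses no recognised character class")
    return alphabet_size ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space: each extra bit doubles the attacker's work."""
    return math.log2(search_space(password))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst case for the attacker; the expected time is half of this."""
    return search_space(password) / guesses_per_second


def crack_report(password: str) -> dict:
    """Summary a password manager's strength meter might compute."""
    return {
        "length": len(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "desktop_seconds": seconds_to_exhaust(password, DESKTOP_GUESSES_PER_SEC),
        "cloud_seconds": seconds_to_exhaust(password, CLOUD_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    # A human-chosen password versus a manager-generated one.
    for candidate in ("password", "Tr0ub4dor&3", generate_password(20)):
        print(candidate, crack_report(candidate))
```

Eight lowercase letters is a 37-bit haystack that a desktop cracker empties in about seven minutes even without a wordlist; a 20-character generated password is over 110 bits, which is out of reach of any rentable array. The generator matters as much as the length: a password picked by a human is not uniformly distributed, so the search space above overstates its strength.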
Two-factor authentication is important for banking and other sensitive accounts. Two-factor means that signing in from a new device or an unfamiliar location requires a second proof besides your password: something you have, not just something you know. Whether it’s typing in a code from an SMS message, clicking a verification email, pressing a button after answering a phone call, approving a prompt in an authenticator app, or typing in the rotating number from a key fob, this is a very effective extra layer of account security, because even if a hacker obtains your username and password they cannot log in without your other device. Of these, an authenticator app or hardware key is the stronger choice; SMS codes can be intercepted by an attacker who talks your carrier into moving your phone number to their SIM. Most banks, as well as Microsoft, Google and Facebook, support two-factor in some form.
Another feature some websites support is image verification. It helps against social-engineering (“phishing”) attempts by showing you an image you chose ahead of time, so you can tell the site is not an impostor pretending to be the real one. Verizon Wireless and many banks offer this feature, showing the verification image on the page where you enter your second-factor code or PIN. It only protects you if you actually stop when the image is missing or wrong, and a phishing site that relays your login to the real site in real time can fetch and display the genuine image, so treat it as one signal rather than proof.
Running anti-virus software applies to Macintosh computers and Android phones, too; neither is immune. For a good comparison of anti-virus products check out av-comparatives.org.
More than 50% of viruses get into a system by exploiting old versions of Adobe Flash Player, Adobe PDF Reader, or Oracle Java, so keep those updated, or uninstall them if you do not actually need them. Hundreds of thousands of Macintosh computers worldwide were infected at the same time during a single outbreak that spread through an unpatched Oracle Java plugin.
Unless your devices are encrypted and protected by strong passwords, anyone who has physical access to them (and knows what they are doing) is going to be able to get at your data. Apple iOS 8 and newer encrypts the whole device by default; the encryption key is derived from your passcode combined with a key fused into the device’s hardware, which is what keeps even a short passcode from being brute-forced off the device, but a six-digit or alphanumeric passcode is still a much better choice than a four-digit one. Windows 10 Professional (a free upgrade from Windows 7 Pro during its first year) has built-in whole-device encryption called BitLocker. By default BitLocker unlocks automatically using the computer’s TPM chip; to require a password whenever the computer is turned on, also configure a pre-boot PIN. Whole-device encryption is extremely effective at securing physical devices from unauthorized access, and equally effective at locking you out of your own device if you forget the password (there is no back door) or if the disk gets corrupted. Save the BitLocker recovery key somewhere safe that is not the same machine, and remember that good, secure, tested backups are even more critical with encrypted devices.
Preventing access to other accounts, such as utilities and cell phone carrier accounts, is much harder, because the security these companies provide is often wholly inadequate. If you think you are being maliciously targeted, often your only option is to inform the companies of the possibility of attempted unauthorized access and to manually change passwords and security codes. Verizon Wireless is one of a few exceptions in this area: Verizon now requires a unique account password combined with image verification. If you know your Verizon security image, this extra step can greatly reduce the chance that you enter your credentials into a fraudulent website and fall victim to one of these information-harvesting “phishing” attacks (so called because they are “fishing” for your personal information).
Putting a preemptive credit freeze in place might sound overly cautious, but it is very effective. Unfreezing can take some time, and historically could cost a fee (in the US, placing and lifting freezes with the three bureaus has been free since 2018), but you probably don’t apply for credit all that often. A freeze is also usually cheaper and more secure than a “credit monitoring” service, which only tells you about fraud after it has happened.
Okay, so this is #11. Keeping backups won’t stop you from getting hacked, but it will keep you from losing everything to ransomware. Remember, if Fortune 500 companies can get hacked, so can you. Keep an off-site backup of your data using an automatic service such as Carbonite or Mozy, make sure it keeps older versions of your files (otherwise the backup faithfully copies the encrypted versions over the good ones), and test it periodically by actually restoring something. If you use a password management app like LastPass, print out your account recovery codes and store them in a safe place.
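“Test them periodically” is easy to say and rarely done, because a restore that looks complete can still contain files that ransomware had already encrypted before the backup ran. The added example below (not code from the page or from any backup product) shows the check that catches this: record a SHA-256 manifest of the files when they are known good, and after a restore compare every file against it. The sample tree, the overwritten file and the missing file are constructed inside the script.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256. Take this snapshot while
    the data is known good and keep a copy somewhere the backup job cannot overwrite."""
    return {
        path.relative_to(root).as_posix(): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest. 'changed' catches corruption and
    ransomware-encrypted copies that were backed up over the originals; 'missing'
    catches files the backup never captured."""
    result = {"ok": [], "missing": [], "changed": []}
    for relative, expected in manifest.items():
        candidate = restored / relative
        if not candidate.is_file():
            result["missing"].append(relative)
        elif sha256_of(candidate) != expected:
            result["changed"].append(relative)
        else:
            result["ok"].append(relative)
    return result


def demo() -> dict:
    """Constructed scenario: a small source tree is snapshotted, then a restore is
    produced in which one file was overwritten (as ransomware would) and one is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "docs").mkdir(parents=True)
        (source / "photos").mkdir()
        (source / "docs" / "notes.txt").write_text("quarterly numbers\n")
        (source / "docs" / "todo.txt").write_text("renew passport\n")
        (source / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 64)

        manifest = build_manifest(source)  # taken while the data is known good

        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        (restored / "docs" / "notes.txt").write_bytes(b"ENCRYPTED-BY-RANSOMWARE")
        (restored / "photos" / "cat.jpg").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Run against a real restore, anything in `changed` or `missing` means the backup you were relying on would not have saved you; the time to find that out is before the ransomware note, not after.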