
Cyber Security

Using the Internet

In 2009 the Internet Crime Complaint Center (IC3), which acts in partnership with the National White Collar Crime Center and the FBI, received more than 336,000 complaints on its website and referred over 146,000 to law enforcement agencies for further consideration. The total loss from all of these cases was over $560 million. You may be at risk if you answer "yes" to any of the following questions:

  • Do you visit websites by clicking on links within an e-mail?
  • Do you reply to e-mails from persons or businesses you are not familiar with?
  • Have you received packages to hold or ship to someone you met on the Internet?
  • Have you been asked to cash checks and wire funds to someone you met on the Internet?
  • Would you cash checks or money orders received through an Internet transaction without first confirming their legitimacy?
  • Would you provide your personal banking information in response to an e-mail notification?

The following security tips will help you deal with dangerous matters associated with using the internet.

E-card Dangers

You receive an e-mail saying "A friend has sent you an e-card." The e-mail appears to be from a legitimate card company, but malware or a virus is downloaded into your computer when you click the link to see the card. You should delete the e-mail if you don't recognize the sender or if you are instructed to download an executable program to view the e-card. And make sure your computer has adequate anti-virus protection.

And even if you recognize the sender your computer could be harmed if the incoming e-mail is phony and you click on a link to an e-card or open an attachment. This happened around Christmas time in December 2010 when employees of various government agencies received phony holiday messages that appeared to come from the White House.

Illegitimate Websites

Cybercriminals are now creating illegitimate websites that will receive high search-engine rankings and thus attract the attention of persons searching for information on a particular subject. Persons just visiting those sites risk having their computers infected with viruses. And if they click on any links in those sites they risk becoming a victim of identity theft and various scams, e.g., ones that claim you can make a lot of money for a small initial investment.

To avoid these problems users should:

  • Keep your computer's anti-virus system up to date with the latest firewalls and software.
  • Use caution clicking on links that claim to provide videos or information on hot topics in the current news, e.g., the earthquakes in Haiti and Chile. And be aware that the bad guys are now tricking Google into telling you that the link is a PDF file, which makes it look more authentic.
  • Do not click on links to other websites. Look up the address elsewhere and retype it into your browser.
  • If the link address is correct, before clicking on it check to see where you would actually go. You can do this by scrolling your mouse over the link and reading the address in the box that will pop up over the link. Do not click on the link if this address does not match the one in the link.
  • Use the tips provided in the Phishing section below to counter phishing.

Do the following to make sure a website is legitimate, especially if you are planning to make a purchase of a name brand product:

  • Check that the domain name is spelled correctly.
  • Check that the domain name ends in .com, .org, or .net. Those ending in .cn for China or .mn for Mongolia are likely to be fraudulent.
  • Call the phone number posted and talk to a live person.

Phishing

In an e-mail scam known as "phishing" identity thieves fish for personal information by sending realistic-looking e-mail that asks recipients to go to a bogus website and provide personal information such as a credit card number or a Personal Identification Number (PIN). Legitimate banks and financial institutions don't send e-mails asking you to verify your account information. They already have it. The following are examples of scammers posing as the Internal Revenue Service (IRS), Federal Bureau of Investigation (FBI), Federal Deposit Insurance Corporation (FDIC), and the Centers for Disease Control and Prevention (CDC).

Each year during tax preparation time there is a surge in the number of frauds by criminals posing as IRS officials to obtain personal information for identity theft. The IRS never sends out unsolicited e-mails or asks for detailed personal and financial information. Any such e-mail is a fraud. So are telephone calls from someone stating they are from the IRS. Go to the IRS website at www.irs.gov for information on the latest scams and instructions on how to protect yourself from suspicious e-mails or phishing schemes. The IRS also recommends forwarding the suspicious e-mail to it at phishing@irs.gov.

Fraudulent e-mails have also been sent out by criminals posing as FBI agents and officials. They give the appearance of legitimacy by using the FBI seal, letterhead, and pictures of the FBI Director. They may also claim to come from the FBI's domestic or overseas offices. Like the IRS, the FBI does not send out e-mails soliciting personal or financial information. For more information on this kind of fraud go to the FBI website at www.fbi.gov and click on New E-Scams and Warnings under Be Crime Smart.

Another agency that has become aware of fraudulent e-mails in its name is the FDIC. These ask recipients to "visit the official FDIC website" by clicking on a hyperlink that directs them to a fraudulent website that includes hyperlinks that open a "personal FDIC insurance file" to check on their deposit insurance coverage. Clicking on these links will download a file that contains malicious software to collect personal and confidential information.

On Dec. 2, 2009 the CDC issued a health alert warning people not to respond to an e-mail referencing a CDC-sponsored state vaccination program for the H1N1 (Swine Flu) contagion that requires registration on "www.cdc.gov." People that click on this embedded link risk having a malicious code installed on their computer. Examples of this and other hoaxes and rumors can be seen at http://www.cdc.gov/hoaxes_rumors.html.

Use the following tips to counter phishing:

  • Do not open any e-mail from an unknown sender.
  • Do not open any unexpected e-mail attachments.
  • Do not open any attachments that ask you to reset a password.
  • Do not click on website addresses in e-mails you get even if they look real. Retype them into your browser.
  • Do not click on links within e-mail messages purporting to come from your bank.
  • Do not double click on an Internet pop-up offering a link or provide personal information in response to an e-mail or Internet pop-up offer.
  • Use the latest versions of Internet browsers, e.g., Microsoft Internet Explorer 8, which is designed to prevent phishing attacks. Use Explorer in the "protected mode," which restricts the installation of files without the user's consent, and set the "Internet zone security" to high. That disables some of Explorer's less-secure features. And set your operating system and browser software to automatically download and install security patches.
  • Make sure the website page you are entering sensitive information on is secure. You can tell it is secure when the address on the top of your screen where the Uniform Resource Locator (URL) is displayed begins with https:// rather than http://. You can also look for a closed padlock or an unbroken key on the bottom of your screen to indicate the page is secure. If the lock is open or the key is broken, the page is not secure. Note that on many websites only the order page will be secure.
  • Read the website's privacy policy. It should explain what personal information it collects, how the information is used, whether it is provided to third parties, and what security measures are used to protect the information. Consider taking your business elsewhere if you don't see, understand, or agree with the policy.
  • Keep your computer up to date with the latest firewalls, and anti-virus and anti-spyware software. The latter counters programs that secretly record what you type and send the information to the thieves. They are often installed when you visit websites from links in e-mail. Use security software that updates automatically. Visit www.OnGuardOnline.gov for more information.
  • Do not buy "anti-spyware" software in response to unexpected pop-ups or e-mails, especially ones that claim to have scanned your computer and detected viruses known as malware, i.e., malicious software.
  • Do not respond in any way to a telephone or e-mail warning that your computer has a virus even if it appears to come from an anti-virus software provider like Microsoft, Norton, or McAfee. "Helpful hackers" use this ploy to get you to download their software to fix the virus or sell you computer monitoring or security services to give them remote access to your computer so they can steal your passwords, online accounts, and other personal information. If you already have anti-virus software on your computer you'll receive a security update or warning directly on your computer.
  • Look for valid trust marks to increase your confidence in using a website. Reputation trust marks like BBBOnline offer a basic level of proof that there is an actual business behind the website and that it follows proper business practices. Privacy trust marks like TRUSTe indicate that the business is aware of identity theft and personal data abuse and abides by the requirements of the trust mark provider in its privacy policy. A Secure Socket Layer (SSL) trust mark like VeriSign indicates that the site uses up-to-date encryption technology to scramble communications between the website and your computer. And security-scanning trust marks like McAfee SECURE indicate that the business uses a regularly scheduled security auditing service for its website to ensure that it is free of viruses, malware, spyware, etc. Before trusting a trust mark you should verify it by clicking on it. A live link attached to the mark should take you to a verification website of the trust mark provider. However, because a criminal could create a false mark and verification website, you cannot know that the mark is valid unless you investigate it further. In any case, use caution when visiting un-trusted websites.
  • Contact your e-mail provider. Most keep track of scams. Send your provider the suspicious message header and complete text.
  • Use caution when entering personal information online.

Safe Cyber Practices

There are presently two similar efforts by the U.S. Government to promote safer use of the Internet. The one by the FTC's Bureau of Consumer Protection is called Stop.Think.Click. The other, developed by a group representing industry, government, academia, and the nonprofit sector in 2009, and promoted by the Obama administration and the Department of Homeland Security, is called Stop.Think.Connect.

Stop.Think.Click defines seven practices for safer computing and provides tips on preventing identity theft, safe use of social networking sites, online shopping, Internet auctions, avoiding scams, and wireless security. It also provides a glossary of terms. The seven practices are:

  1. Protecting your personal information
  2. Knowing who you're dealing with
  3. Using anti-virus and anti-spyware software, as well as a firewall
  4. Setting up your operating system and web browser software properly, and updating them regularly
  5. Protecting your passwords
  6. Backing up your important files
  7. Learning who to contact if something goes wrong online

Go to www.ftc.gov/bcp/edu/pubs/consumer/tech/tec15.pdf for information about these practices and tips.

Stop.Think.Connect suggests that users do the following:

  • Stop. Before you use the Internet take time to understand the risks and learn how to spot potential problems.
  • Think. Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact the safety of yourself and your family.
  • Connect. Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.

You can learn how to become a partner in this effort by going to its website at www.stopthinkconnect.org. This site also contains tips and advice for doing the following.

Keeping a clean machine:

  • Have the latest security software, web browser, and operating system.
  • Use programs that automatically connect and update your security software.
  • Protect all devices that connect to the Internet from viruses and malware.
  • Use your security software to scan all USBs and other external devices before attaching them to your computer.

Protecting your personal information:

  • Secure your accounts with protection beyond passwords that can verify your identity before you conduct business.
  • Make passwords long and strong with capital and lowercase letters, numbers, and symbols.
  • Use different passwords for every account.
  • Keep a list of your passwords stored in a safe place away from your computer.
  • Use privacy and security settings to limit who you share information with.

Connecting with care:

  • Delete any suspicious e-mail, tweets, posts, and online advertising.
  • Limit the business you conduct from Wi-Fi hotspots and adjust your security settings to limit who can access your computer.
  • Use only secure websites when banking and shopping, i.e., ones with https:// or shttp:// in their addresses.

Being web wise:

  • Keep pace with new ways to stay safe online by checking trusted websites for the latest information.
  • Think before you act when you are implored to act immediately, offered something that sounds too good to be true, or asked for personal information.
  • Back up your valuable information by making an electronic copy and storing it in a safe place.

Being a good online citizen:

  • Practice good online safety habits.
  • Post about others as you would have them post about you.
  • Report all types of cybercrime to your local law enforcement agency and other appropriate authorities.

Smishing

This is phishing with text messages instead of e-mails. Beware of any messages that request personal information or give you a phone number to call. Before calling verify that the number matches the number of the named institution, e.g., your bank. And never give out personal information unless you have initiated the call.

Social Networking Dangers

Virus creators, identity thieves, and spammers are increasingly targeting users of social networking sites in an effort to steal personal data and account passwords. One of the tactics they use to gain access to this information involves sending social networking users e-mails that appear to come from online friends. For example, some Facebook users have been receiving e-mails from their "friends" that claim to contain a video of them. When they click on it they download a virus that goes through their hard drives and installs malicious programs. The virus, known as Koobface, then sends itself to all the friends on the victim's Facebook profile. A new version of the virus also is affecting users of MySpace and other social networking sites. Cyber-criminals are tricking social networking users into downloading malicious software by creating fake profiles of friends, celebrities, and others. Security experts say that such attacks, which became widespread in 2008, are increasingly successful because more and more people are becoming comfortable with putting all kinds of personal information about themselves on social networking sites. They warn that users need to be very careful about what information they post because it can be used to steal their identities. Facebook users should become a fan of its security page at www.facebook.com/security, which has posts related to all sorts of security issues, tips, resources, and other information.

To avoid problems on social networks or anywhere on the Internet, users should:

  • Not click on any links, videos, programs, etc. provided in messages, even if a "friend" encourages you to click on them.
  • Get program updates from the company's website, not through a provided link.
  • Customize your privacy so only your friends have access to the information you post.
  • Read your network's privacy policy regularly to stay informed on how it uses or discloses your information.
  • Scan your computer regularly with an updated anti-virus program.
  • Be suspicious of anyone, even a "friend," who asks for money over the Internet.

Suspicious E-mails

Delete any suspicious e-mail without replying, especially the following:

  • Business opportunities to make money with little effort or cash outlay
  • Offers to sell lists of e-mail addresses or software
  • Chain letters involving money
  • Work-at-home schemes
  • Health and diet claims of scientific breakthroughs, miraculous cures, etc.
  • Get-rich-quick schemes
  • Free goods offered to fee-paying group members
  • Investments promising high rates of return with no risk
  • Kits to unscramble cable TV signals
  • Guaranteed loans or credit on easy terms
  • Credit repair schemes
  • Vacation prize promotions
  • Special offers that require a credit check and a small fee for verification expenses to be paid by a credit or debit card
  • Notices of prize or lottery winnings that require you to pay a fee to cover expenses

You should also file a complaint with the IC3 at www.ic3.gov. Its website also includes tips to assist you in avoiding a variety of Internet problems.

Whaling

In another scam known as "whaling" fake e-mails have been sent to high-ranking executives to trick them into clicking on a link that takes them to a website that downloads software that secretly records keystrokes and sends data to a remote computer over the Internet. This lets the criminal capture passwords and other personal or corporate information, and gain control of the executive's computer. In one case fake subpoenas have been sent to executives commanding them to appear before a grand jury in a civil case. The link that offers a copy of the entire subpoena downloads the malicious software.