Francis Oywech explains how scammers mine social media to steal personal info — and what you can do to stop them.
The safest personal data is the data that you don’t post online on social media or your LinkedIn profile.
That’s according to security expert Francis Oywech, IT operations manager for Northeastern University’s External Affairs team. Oywech says the less detail we provide about ourselves online, the safer we are from scams, fraud and phishing attacks.
“I try to leave very few traces on my social media,” he says. Security breaches that ordinary people experience have become much more sophisticated, he adds.
“The nature of attacks has changed,” he says. “It used to be operations of 50 to 100 individuals devising methods, but now they have bots collecting personal information.”
Oywech may recommend the “less is best” approach to protecting personal data, but he also has practical tips to share that will help prevent fraud.
Oywech has four rules for protecting passwords: Don’t write them down on sticky notes and keep them on your desk. Don’t use password generators or managers; they can be hacked. Change your password every six months. Don’t use your birthday or other data that someone could find online about you in your password.
“The best way is to choose a phrase that you can remember, that’s not written down or kept anywhere,” he says, “and modify it with different special characters.”
Personal details like where you live, where you went to school, family members and friends’ names, hobbies and even what kind of food you like to eat — these are gold for bad actors to build profiles of people in order to scam them, Oywech says.
It’s called social engineering.
We’ve all heard stories about an older person who received a phone call, supposedly from a grandchild who is in trouble and needs money. The scammer who made that call had enough detail about the older person to create a plausible story. Through social media accounts, scammers can learn the names of grandchildren, where they live and enough detail to be convincing on the phone.
“Whether it’s LinkedIn or Facebook or any account, I try to leave as little detail as possible,” Oywech says. “If a job recruiter wants to know more about me, they can ask me. That’s why interviews are there, right?”
Scams shift throughout the year, Oywech says, and can be aligned with common events. Emails about phony student loan deals appear in mailboxes during the summer, while messages claiming that a package couldn’t be delivered show up before the winter holidays.
Watch out for any message that asks you to fill out a form or click through to a website. Suspicious websites will begin with http://, while secure sites will begin with https:// (the “s” indicating that it is secure). Fraudulent websites that ask for personal information are likely planning to sell the data, Oywech says.
When you’re ordering a Lyft or a pizza for delivery, you need to share your location. But otherwise, Oywech says, don’t let the world know where you are.
It used to be that smartphones allowed users to either turn off their location, or leave it on. But today, Oywech says, users can be more specific. By going into a phone’s privacy and security settings, it’s possible to choose which — if any — apps can know where you are at any given moment. Oywech recommends only allowing apps to know your location when the app is in use.
When you have the option to add a second form of identity verification, take it. Oywech says that thumbprint or facial recognition steps that are required to access an account add a layer of security to ensure that no one else can break in and acquire data. Similarly, virtual private networks (VPNs) — more common in workplace networks — add a security barrier to block fraudulent activity.
Finally, since many people have upwards of three or four devices they use for work and personal purposes, it’s crucial to know where your devices are. Especially with devices that you don’t use as often, there is a risk of losing track of them.
“If your phone is your primary, chances are you don’t even interact with the second one much,” he says. “You have to actually know where all your devices are physically at all times.”