Financial Wellness
Recommendations for Online Behavior
Spearphishing, malicious ads, email attachments, and untrusted applications are common ways attackers reach home internet users. To avoid revealing sensitive information, follow the guidelines below while using the internet.
Follow email best practices
Email is one of the most common attack vectors. The following recommendations reduce your exposure:
- Do not open attachments or links in unsolicited email. Verify the sender's identity through a separate channel (a phone call to a number you already have, or in person) and delete the message if you cannot. For messages with embedded links, open a browser and go to the site directly by its well-known address, or find it with a search engine, rather than clicking the link.
- To prevent reusing any compromised passwords, use a different password for each account. Consider using a password manager to create and remember strong, unique passwords.
- Avoid using the out-of-office message feature unless it is necessary. Make it harder for unknown parties to learn about your activities or status.
- Always use secure email protocols, particularly on a wireless network. Configure your email client to use the transport layer security (TLS) option (Secure IMAP on port 993 or Secure POP3 on port 995, and TLS for outgoing SMTP) so that your email and your login credentials are encrypted in transit between your device and the mail server. Note that this protects only the connection to your provider; it does not encrypt the message end to end to the recipient.
- Never open emails that make outlandish claims or offers that are "too good to be true."
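As an added illustration of the TLS recommendation above (example code, not part of the original page), the block below shows the client-side settings that make the difference between a "secure IMAP/POP3" connection and one that only looks encrypted: a context that verifies the server certificate and host name and refuses TLS older than 1.2, beside a weakened context that accepts anything, plus a helper that refuses the plaintext ports. The host name `imap.example.com` is a placeholder; the connection function only runs when you call it against a real server.

```python
"""Added example: hardened vs. weakened TLS settings for a mail client.
Host names and the port tables below are constructed for this example."""
import imaplib
import ssl
from typing import Optional, Tuple

# Implicit-TLS ports for the three mail protocols (RFC 8314 recommends these
# for clients) and the legacy plaintext ports that should be avoided.
IMPLICIT_TLS_PORTS = {"imap": 993, "pop3": 995, "smtp": 465}
PLAINTEXT_PORTS = {"imap": 143, "pop3": 110, "smtp": 25}


def mail_tls_context() -> ssl.SSLContext:
    """The context a mail client should use: certificate verification against
    the system trust store, host-name checking, and TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_tls_context() -> ssl.SSLContext:
    """What 'accept any certificate' looks like in code. The session is still
    encrypted, but anyone on the path can impersonate the server, so this
    provides no protection on a hostile network. Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_safe_context(ctx: ssl.SSLContext) -> bool:
    """Audit a context: it must verify certificates, check host names and not
    permit TLS 1.0/1.1."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def choose_endpoint(protocol: str, port: Optional[int] = None) -> Tuple[int, bool]:
    """Return (port, uses_tls) for a mail protocol. A plaintext port is rejected
    outright rather than silently accepted, because the usual failure mode is a
    client that falls back to sending credentials in the clear."""
    proto = protocol.lower()
    if proto not in IMPLICIT_TLS_PORTS:
        raise ValueError(f"unknown mail protocol: {protocol}")
    if port is None:
        port = IMPLICIT_TLS_PORTS[proto]
    if port == PLAINTEXT_PORTS[proto]:
        raise ValueError(f"port {port} is the plaintext {proto} port; use {IMPLICIT_TLS_PORTS[proto]}")
    return port, True


def open_imap(host: str, port: Optional[int] = None) -> imaplib.IMAP4_SSL:
    """Open an IMAP-over-TLS session with the hardened context. Not executed
    here; call it against your own provider, e.g. open_imap('imap.example.com')."""
    chosen_port, _ = choose_endpoint("imap", port)
    return imaplib.IMAP4_SSL(host, chosen_port, ssl_context=mail_tls_context())
```

Most desktop mail clients expose exactly these knobs as "SSL/TLS", "verify certificate" and the port number; the audit function shows which combination is acceptable.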
Upgrade to a modern browser and keep it up-to-date
Modern browsers warn when a connection is not encrypted or a site's certificate cannot be validated, and they protect the confidentiality of sensitive information in transit. Keep the browser up to date. When logging in to accounts or conducting financial transactions, check the browser's address bar for the indication that the connection is encrypted, usually a lock icon or an "https://" address. Note that this shows only that the connection to that site is encrypted, not that the site is legitimate; phishing sites also use HTTPS, so check the domain name as well.
Take precautions on social networking sites
Social networking sites are a convenient means for sharing personal information with family and friends. However, this convenience also brings a level of risk. To protect yourself, do the following:
- Avoid posting information, such as addresses, phone numbers, places of employment, and other personal information, that can be used to target or harass you. Some scam artists use this information, along with pet names, first car make or model, and streets you have lived on, to figure out answers to account security questions.
- Limit access of your information to "friends only" and verify any new friend requests outside of social networking.
- Be cautious of duplicate or copycat profiles of current friends, family, or coworkers. Malicious actors may use impersonated accounts to query you for privileged information or target you for spearphishing.
- Review the security and privacy settings available from your social network provider quarterly, or whenever the site's Terms of Use change, because the defaults can change. Opt out of exposing personal information to search engines.
- Take precautions concerning unsolicited requests and links. Adversaries may attempt to get you to click on a link or download an attachment that may contain malicious software.
Use authentication safeguards
- Enable strong authentication on your router: replace the default administrator password with a strong, unique one. Protect your login passwords and take steps to minimize misuse of password recovery options.
- Disable features that allow web sites or programs to remember passwords. Use a password manager instead.
- Many online sites use password recovery or challenge questions. To prevent an attacker from answering them with personal information found online, give a false or random answer to fact-based questions and store it in your password manager, since you will not be able to recall it otherwise.
- Use multi-factor authentication (MFA) whenever possible. Common forms, from weakest to strongest, are one-time codes sent by email or SMS, codes from an authenticator app or a registered device, and phishing-resistant methods such as passkeys or FIDO2 hardware security keys. Security questions are knowledge-based, like a password, and do not count as a second factor. Prefer app- or device-based methods over email/SMS codes, and use a phishing-resistant option when the site offers one.
Exercise caution when accessing public hotspots
Many establishments, such as coffee shops, hotels, and airports, offer wireless hotspots or kiosks for customers to access the internet. Because the underlying infrastructure of these is unknown and security may be weak, public hotspots are more susceptible to malicious activity. If you must access the internet while away from home, avoid direct use of public wireless. When possible, use a corporate or personal Wi-Fi hotspot with strong authentication and encryption. If public access is necessary, do the following:
- If possible, use the cellular network (a phone's mobile hotspot, or a 4G or 5G data connection) to reach the internet instead of a public hotspot. This generally requires a service plan with a cellular provider.
- If you must use public Wi-Fi, use a trusted VPN. A VPN encrypts your traffic between your device and the VPN provider, so others on the hotspot cannot read or alter it. It does not protect you from a malicious VPN provider or from malware already on your device, so choose the provider carefully.
- Exercise physical security in the public place. Do not leave devices unattended.
Do not exchange home and work content
The exchange of information between home systems and work systems via email or removable media may put work systems at an increased risk of compromise. Ideally, use organization-provided equipment and accounts to conduct work while away from the office. If using a personal device, such as through a Bring Your Own Device (BYOD) program, use corporate-mandated security products and guidance for accessing corporate resources and networks. Try to connect to a remote desktop or terminal server inside the corporate network rather than make copies of files and transport them between devices. Avoid using personal accounts and resources for business interactions. Always use a VPN or other secure channel to connect to corporate networks and services to ensure your data is secured through encryption.
Use separate devices for different activities
Establish a level of trust based on a device's security features and its usage. Consider segregating tasks by dividing them between devices dedicated to different purposes. For example, one device may be for financial/personally identifiable information (PII) use and another for games or entertainment for children.
Resources: National Security Agency