We’re told to change our passwords often to minimize getting hacked. Now we’re told this is a bad thing.

But not for any inherent techy reason. It’s because frequent password changing makes many people lower their guard when it comes to creating new passwords.

They get lax and end up with passwords like Bear1, Crazy4uand GetHigh1978. Or, they often only minimally change the password, such as going from Hotbaby!! to Babyhot!!.

Believe it or not, despite an infinite number of permutations involving 26 letters, 10 numbers and 10 symbols, many people struggle to create new passwords beyond just minimally altering existing passwords. And don’t even ask these folks to remember any new and very different, strong passwords.

But if you already have unique, strong and jumbled passwords, you do not have to frequently change them. So if your Facebook password is Ihv1dggnPRvGr8tGamz!, there is no reason to change this 90 days after creating it. However, changing ANY password every six months to a year is still a wise idea. And this infrequency won’t leave you drained.

And you can always use a password manager to do the figuring for you anyways. A password manager will create long, strong and unique passwords, and issue you a single master password.

Rules for a Virtually Uncrackable Password

• Does not include any names that are found in a dictionary, including proper names, sports team names, rock group names, city names, etc.
• Does not have any keyboard sequences, no matter how unintelligible. So even though sdfgh looks jumbled, it’s just as much a sequence as 12345.
• It contains numbers, letters and symbols.
• If you predict struggling to remember a bunch of jumbled passwords, then think of a phrase that you will never forget, especially one that pertains to the account you want to create the password for. An example might be the password for your credit card account. You can shorten “I Hate Making Credit Card Payments” to:iH8tmkngCCpymnt$!.

You can also shorten phrases that pertain to things you love, like for instance, a phrase about your favorite movie, food, vacation, TV show, etc.

Everyone has received very obvious “phishing” e-mails: Messages in your in-box that have outrageous subject lines like “Your Account Will Be Suspended,” or, “You Won!”

While some phishing attacks are obvious, others look harmless, such as those in a person’s workplace in-box, seemingly from their company’s higher-ups.

Researchers point out that an e-mail may appear to come from the company’s HR department, for example. E-mails with an “urgent email password change request” had a 28% click rate, Wombat security reported.

Phishing victims act too quickly.

In the workplace, instead of phoning or texting the HR department about this password reset, or walking over to the HR department (a little exercise never hurts), they quickly click.

So one way, then, to protect yourself from phishing attacks is to stop acting so fast! Take a few breaths. Think. Walk your duff over to the alleged sender of the e-mail for verification it’s legit.

Wombat’s survey reveals that 42% of respondents reported malware infections, thanks to hasty clicking. However, employees were more careful when the e-mail concerned gift card offers and social media.

The report also reveals:

• 67% were spear phished last year (spear phishing is a targeted phishing attack).
• E-mails with an employee’s first name had a 19% higher click rate.
• The industry most duped was telecommunications, with a 24% click rate.
• Other frequently duped industries were law, consulting and accounting (23%).
• Government was at 17%.

So as you see, employees continue to be easy game for crooks goin’ phishin.’

And attacks are increased when employees use outdated plug-ins: Adobe PDF, Adobe Flash, Microsoft Silverlight and Java.

The survey also reveals how people guard themselves from phishing attacks:

• 99% use e-mail spam filters.
• 56% use outbound proxy protection.
• 50% rely on advanced malware analysis.
• 24% use URL wrapping.

These above approaches will not prevent all phishing e-mails from getting into your in-box. Companies must still rigorously train employees in how to spot phishing attacks, and this training should include staged attacks.

Protect Yourself

• Assume that phishing e-mails will sometimes use your company’s template to make it look like it came from corporate.
• Assume that the hacker somehow figured out your first, even last name, and that being addressed by your full name doesn’t rule out a phishing attack.
• Get rid of the outdated plug-ins.

Phishing attacks are also prevalent outside the workplace, and users must be just as vigilant when on their personal devices.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Disasters happen every day. Crashing hard drives, failing storage devices and even burglaries could have a significant negative impact on your business, especially if that data is lost forever. You can avoid these problems by backing up your data.

Backing up means keeping copies of your important business data in several places and on multiple devices. For example, if you saved data on your home PC and it crashes, you’ll still be able to access the information because you made backups.

A great way to protect your files is by backing up to the cloud. Cloud backup services like Carbonite allow you to store data at a location off-site. You accomplish this by uploading the data online via proprietary software.

Cloud backup providers have a reputation for being safe and secure. But you can’t be too careful. Here are a few ways to beef up security even more when you use a cloud backup system:

• Before backing up to the cloud, take stock of what data is currently in your local backup storage. Make sure that all of this data is searchable, categorized and filed correctly.
• Consider taking the data you have and encrypting it locally, on your own hard drive before backing up to the cloud. Most cloud backup solutions – including Carbonite – provide high-quality data encryption when you back up your files. But encrypting the data locally can add an additional layer of security. Just remember to store your decryption key someplace other than on the computer you used to encrypt the files. This way, if something happens to the computer, you’ll still be able to access your files after you recover them from the cloud.
• Create a password for the cloud account that will be difficult for any hacker to guess. However, make sure that it’s also easy for you to remember. The best passwords are a combination of numbers, letters and symbols.

Cloud backups are convenient and have a good record when it comes to keeping your data safe. It doesn’t require the purchase of additional equipment or the use of more energy. You can also restore data from anywhere, to any computer, as long as there is an Internet connection available.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Once a thief knows your Social Security number…you’re at very high risk for having your identity stolen.

A report on bankrate.com says that the IRS is warning of a cyber attack on its electronic filing PIN application. Thieves infiltrated it with malware in an attempt to claim other people’s refunds as their own. Over 450,000 SSNs were involved, and over 100,000 of them enabled the hackers to access an E-file PIN.

Endless scams are directed towards SSNs, like the classic phishing attack. A phishing attack basically goes as follows:

• An e-mail arrives with an alluring or threatening subject line, which may actually be a warning to protect your SSN.
• The e-mail looks legitimate, complete with logos and privacy information at the bottom.
• The hacker’s goal is to get you to fill out a form that includes typing in your SSN.
• The FTC warns of a “Get Protected” subject line for the latest scam. This scam e-mail mentions the “S.A.F.E. Act 2015” that protects against fraudulent use of SSNs.
• Like many phishing e-mails, the “Get Protected” one contains fake information.
• These e-mails include a link that, when clicked, will release a virus, or take you to a website that will download a virus or lure you into revealing sensitive information.

Three Ways to Get Scammed

Most people make important decisions based on emotion. Cyber thieves know this, and they prey on fear, greed and generosity.

• People aren’t thinking straight when emotions are ruling. Logic gets swept under the rug. There’s pressure to act quickly, such as helping the scammer (who pretends to be a grandchild of the victim) who was in an accident: wire money asap. Natural disaster scams prey on the desire to give. The emotion of greed is manipulated in “You’ve Won!” and inheritance scams.
• Of course, before the fraudster plays with emotions like a cat playing with a mouse, he first gains your trust, pretending to like the same things you do, whatever it takes so that you don’t question him.
• Scammers are adept at appearing credible, such as tricking your caller ID into showing “IRS” or the name of your bank in the ID field. They may have a snazzy website up, a “badge number,” noise in the background to simulate a call center, even a fake accent.
• Remember, scammers are pros. It’s going to seem legitimate.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Identity thieves are after children’s Social Security numbers. With this number, a thief can do so many things like open a credit card account and rent an apartment. Kids’ SSNs have great appeal to crooks because:

• A child’s record is usually very clean.
• This means fertile opportunities for new credit lines.
• Kids usually don’t check their credit reports and thus the fraud can go undetected for years.

Parents should consider putting a freeze on their kids’ credit. Simply getting the credit monitored will not prevent thieves from opening accounts using the child’s SSN. A freeze does literally that: blocks a fraudster from doing anything.

Experian

• Will not create a file for a child unless required by state law, unless they are victimized.
• However, will give a free copy of an existing file of a child to the parent and will freeze it upon request.
• There may be a very small fee unless the parent provides proof that the minor’s identity was stolen.

Equifax

• Their freeze is free and doesn’t answer to any state requirements.
• The child need not already be a victim of ID theft to get the freeze.

Trans Union

• Their site allows parents to check for a credit file of their kids.
• Freezes are permitted only in states that allow this. Fees may apply.

Innovis (another credit reporting agency)

• Parents can place a freeze no matter what their state says.

Not all the states provide protection for minors’ credit. Find out what your state’s requirements are, as some, for instance, provide only a flag on the Social Security number. Other states have protection going up only to age 16.

Signs that someone is using your child’s SSN:

• You receive an IRS notice claiming your child didn’t pay income taxes.
• You get an IRS notice informing you that another tax return used your child’s SSN.
• You receive collection notices for things you didn’t purchase.

Rejection of government benefits because the benefits are going to another account with your child’s SSN.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

You may be putting your company at risk simply by hiring a new employee. Why? Because that person could have a hidden, malicious agenda.

This is known as an inside threat, and it means that someone within your organization is planning or conducting activities meant to harm the company.

There is a pattern that most insider threats use: The first step is to gain access to the company’s system. Once they have access to the network, they will investigate it and seek out any vulnerable areas. The malicious insider then sets up a workstation to control the scheme and spread the destruction.

What type of destruction can you expect? The hacker could introduce malware or they could steal or delete critical information, all of which can be damaging to your business. Fortunately, there are ways to protect business from these types of hacks.

Most companies protect their IT systems with firewalls, anti-virus programs, data backup software and even spyware-scanning technology. The problem is that these technologies only work when hackers are trying to get information from the outside.

One way to protect against insider threats is to ensure that employees can only access the data necessary to do their jobs. You should look at the flow of data throughout the organization to determine how information is shared and where it becomes vulnerable to theft or other security breaches. Then work with each department to implement the proper security controls.

The process of preventing data loss begins with discovering the data, classifying it, and then deciding how much risk your company may face if the data gets out. Some of the tools and procedures you may want to consider for protection include:

• System-wide encryption
• Password management
• Device recognition
• Access controls
• Data disposal

It’s important to create security policies and procedures that are easy for employees to understand. The more transparent these policies are, the more effective your departments will be when communicating what they want and need.

How can you mitigate insider threats? Tune into the Carbonite webinar that I’ll be hosting live on Wednesday, March 15th at 11 am ET, to learn how. Register here: http://go.carbonite.com/security-threat/blog

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Do you shop at Amazon.com? Are you aware they have a back door through which hackers can slip in?

Let’s look at Eric’s experience with hackers and Amazon, as he recounts at medium.com/@espringe.

He received an e-mail from Amazon and contacted them to see what it was about. Amazon informed him that he had had a text-chat and sent him the transcript—which he had never been part of.

Eric explains that the hacker gave Eric’s whois.com data to Amazon. However, the whois.com data was partially false because Eric wanted to remain private.

So Eric’s “fake” whois.com information wasn’t 100 percent in left field; some of it was true enough for the customer service hack to occur, because in exchange for the “fake” information, Amazon supplied Eric’s real address and phone number to the hacker.

The hacker got Eric’s bank to get him a new copy of his credit card. Amazon’s customer service had been duped.

Eric informed Amazon Retail to flag his account as being at “extremely high risk” of getting socially engineered. Amazon assured him that a “specialist” would be in contact (who never was).

Over the next few months, Eric assumed the problem disintegrated; he gave Amazon a new credit card and new address. Then he got another strange e-mail.

He told Amazon that someone was impersonating him, and Amazon told him to change his password. He insisted they keep his account secure. He was told the “specialist” would contact him (who never did). This time, Eric deleted his address from Amazon.

Eric became fed up because the hacker then contacted Amazon by phone and apparently got the last digits of his credit card. He decided to close his Amazon account, unable to trust the giant online retailer.

• Frequently log into your account to check on orders. See if there are transactions you are unaware of. Look for “ship to” addresses you didn’t authorize.
• Amazon’s customer support reps should be able to see the IP address of the user who’s connecting. They should be on alert for anything suspicious, such as whether or not the IP address is the one that the user normally connects with.
• Users should create aliases with their e-mail services, to throw off hacking attempts. In other words, having the same email address for all your online accounts will make it easy for them to be compromised.
• If you own domain names, check out the “whois” info associated with the account. It may be worth making it private.

Be very careful when sharing information about yourself. Do not assume that just because a company is a mega giant (like Amazon), it will keep your account protected from the bad guys.