Strengthening your hardware and software defenses against online criminals is the first step to staying safe. But a truly savvy surfer must also be able to recognize the bad guys and approach even the good guys with a degree of caution.
Obviously, some activities are inherently risky: conducting financial transactions without proper security, responding to spammers, and most things involving file sharing. Interestingly, less than 28 percent of those surveyed share files, but 39 percent say they've replied to spammers.
Many people do financial chores online: 51 percent pay bills, and 32 percent e-file taxes, for example. With such sensitive data flying around, you need to think twice about what you divulge--and when.
Don't expect online companies to safeguard your privacy for you--at least, not yet. Today, companies don't have to post privacy policies (but don't even consider doing business at a site without one). Even the ones that do, however, don't always make it clear that your data will be passed around to others like chips at a birthday party. And they certainly don't warn against actions their affiliates might take or notify you when criminals have breached their security (a recent California law has begun to address this--see "Capitol Hill on the Case" for details).
More bad news: Plenty of malicious elements online are actively seeking to defraud you, and they're getting sneakier.
Out to Get You
Identity theft is the worst-case scenario for people whose personal information has been compromised. According to a study conducted for the Federal Trade Commission (FTC) this spring, the number of identity theft victims in the United States has risen over the past six years, reaching a staggering 9.9 million in the last 12 months (3 percent of our survey group are among such victims). What's more, thieves are hard to catch: Law enforcement statistics show less than 5 percent of cases end in arrest.
You may have run into an increasingly common hoax called "phishing"--a scam in which a thief sends convincing e-mail messages asking for sensitive data to confirm or reactivate an account, with links to a phony site where you fill it in.
Becky Roberts, an account executive and avid EBay seller in Ventura, California, took the bait in one such e-mail. It was disguised as an EBay request for updated information, complete with logos. Though she canceled her credit cards and placed fraud alerts on her accounts, she still lives in fear of the fallout. "Someone out there knows everything about me," Roberts says. (Similar recent scams have involved Citibank and PayPal, among others.) Also, she says, it took EBay a week to respond when she wrote to ask if the request was legit.
Credit card thieves are stepping up attacks with automated tools that may make crimes easier to perpetrate, according to a study by the Honeynet Project, a nonprofit research group of information security pros.
Our survey takers are familiar with this peril: 18 percent said that their credit card numbers had been stolen, or that mysterious charges had appeared on their bills.
For better security, try the following:
- At least skim privacy policies. Scan for words such as use, distribute, or share, which should refer to how the site will use the data it collects. Look for references to those with whom it shares information: internally, with affiliates, or with third parties. And check whether the policy can change without notice to you--and if it does, whether you'll have the chance to delete your data. AT&T's Privacy Bird, a browser add-in, monitors some privacy policies for you; go to www.privacybird.com to download it or to get more details.
- Be wary of e-mail asking for account information. Contact the company via phone or e-mail (but not by reply) to confirm it sent the request. If you get a fraudulent e-mail or are targeted by identity thieves, notify the legitimate company the crooks are hiding behind, alert police, and visit www.idtheftcenter.org for more info.
- Create different online identities. For example, reserve one e-mail address for friends and family, another for business associates, and a third (perhaps a free account, like one from Yahoo or Hotmail) for activities like shopping and chatting, which can make you a spam target.
- Don't automatically give a site everything it asks for. Aside from a shipping address, most online transactions don't need more data than a brick-and-mortar store.
- Perform due-diligence checks on companies. Check the site's policies and security features: Is there an s following the http in the URL, or an SSL Secured lock icon to ensure safe transmissions? Does it store your data on its servers; if so, is it encrypted? Does it display a Truste or BBB (Better Business Bureau) Online logo (which indicates the company has agreed to specific standards of practice)? Check sites like the BBB's for complaints.
- Review your financial statements monthly. Look for unauthorized charges and money transfers. Have credit bureaus (www.experian.com, www.equifax.com, or www.transunion.com) contact you when there's an inquiry or activity on your credit, to get early warning of potential trouble. This service costs $80 a year and includes three credit reports.
- Check for warnings about scams and other threats. Sites like www.consumer.gov/idtheft and www.privacyrights.org often have such information.
The guidelines above are a start, but they're by no means exhaustive.
It's inconvenient to be a good privacy consumer, says Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School. "But you've got to make security a key issue in every decision you make."
That starts with more effectively using the tools that you already own, avoiding shortcuts such as no-brainer passwords that leave you vulnerable, and surfing smarter and more skeptically.
Anne Kandra is PC World's Consumer Watch columnist and a contributing editor; Andrew Brandt is a senior associate editor.