Just been working out why I was getting so much scammy/spammy/malware email from a friend. Turns out it’s not even coming from his actual email address (this is common), but other mutual friends are cc’ed in the dodgy messages, and it seems that the source was a hack on a social media account that harvested his contacts last year. Anyway, it’s a case of closing the stable door after the horse has bolted, but in case you haven’t been hacked yet, here’s some quick advice:

First, make sure you have a very long password, as long as the site will allow…

For example, vbfgr123$$$$$$$$$$$$$$$$$$$$$ is a better password than vBf4r123.

Mixed-case alphanumeric passwords with non-alphanumeric characters are good, but the bottom line is that a short password will usually be cracked before one that is even a single character longer.
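To see why length dominates, here is an added example (my own code, not from the original post) that sizes the exhaustive search an attacker faces for the two passwords above; the guess rate of ten billion per second is an assumed figure for illustration only.

```python
import math
import string

# The two passwords quoted in the post.
SHORT_PASSWORD = "vBf4r123"
LONG_PASSWORD = "vbfgr123$$$$$$$$$$$$$$$$$$$$$"

# Character classes a brute-force attacker has to add to the alphabet
# once any character from that class appears in the password.
CLASSES = (
    string.ascii_lowercase,  # 26
    string.ascii_uppercase,  # 26
    string.digits,           # 10
    string.punctuation,      # 32, includes '$'
)


def alphabet_size(password: str) -> int:
    """Smallest class-based alphabet that covers every character in the password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def brute_force_keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length must cover.

    Each extra character multiplies this by the alphabet size, which is why
    one more character beats swapping a letter for a digit or a capital.
    This is an upper bound on the attacker's work: wordlists and mask
    attacks exploit patterns (like the repeated '$') and can do far better.
    """
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force search space expressed in bits."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every candidate at a given guess rate (assumed figure)."""
    return brute_force_keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second, purely for illustration
    for pw in (SHORT_PASSWORD, LONG_PASSWORD):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw, rate):.3g} years to exhaust")
```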

Second, enable multi-factor or two-factor authentication (2FA). It’s a pain: it adds extra work to your login and you have to use an authenticator (an app on your phone, or SMS/text messaging), but it adds a greater level of protection, and that extra work is nothing compared to the extra work of being hacked or becoming a victim of ID theft.

Third, keep an eye on the permissions for your accounts and make sure there aren’t any third-party apps connected unless you really need them. Go into Facebook, Twitter, Gmail etc. and their security settings pages, remove any apps or connected programs you don’t need, and watch out for anything you don’t recognise. If you see something odd, remove it and immediately change your password. Make sure you have a phone number associated with the account; if you don’t want to use your day-to-day phone number, grab a free PAYG SIM.

Fourth, and probably the one I should’ve put first: never click a link in an email, even from a friend, even if you’re expecting it, and even if you’ve been talking about security and they’ve sent a link to a site they think you should check out. You can never be sure that somewhere in the chain a third party or malware hasn’t intercepted the email and changed the links to point to something malicious. Instead, type the address directly into the address bar of an incognito/private-mode window in your browser.

Fifth, make sure your antivirus (AV) software is active and up to date, and that your router has a password set and its built-in firewall enabled. Free AV is fine and I am currently recommending Avira (February 2016); in the past Panda and AVG have been my choice, and it changes regularly. Check the AV league tables and switch to another if the ones I mention are no longer at the top of their game.

Sixth, use a web browser with built-in phishing protection and install a Web-of-Trust browser plugin to highlight any dodgy links.