Cybersecurity tips for students: Stay safe on social, avoid scams, protect your accounts and more
It happens all the time.
You get a text message, an email, or a notification on your phone: “Someone has logged into one of your accounts. Click on this link to report it,” it says. What do you do? Is it real? How do you know?
A few minutes later, you get a “follow” request on Instagram. You don’t actually know the person, but they’re friends online with a guy you just met in res - so you should just accept, right?
Later, a message pops up on your phone - it’s from your cousin who’s on vacay in Thailand. She needs money ASAP. “Please help!” she writes. Do you send the money?
Not without following some very specific steps first, says Richard Lachman, professor in The Creative School at Toronto Metropolitan University (TMU), who says these kinds of situations are all too common.
And, he explains, students are particularly vulnerable at the beginning of the school year.
“They’re setting up new email addresses and bank accounts for OSAP and student loans, meeting and adding new classmates, friends and teammates to social media - it’s an ideal situation for scammers,” he said.
But that doesn’t mean we should be scared of technology - instead, we just need to be smart.
We need to ask ourselves, ‘How can we be a little bit safer? Is it abstinence?’ And no - abstinence from the internet is not going to work.
So, if you’re a student looking to score an A in online security - or if you’re a mom, dad or sibling who could benefit, too - check out these tips to keep your information safe:
Friend/Follow requests
The start of the new school year is a good time to carefully evaluate who’s following you on social.
“Students will be meeting a lot of new people - some will be flooded with requests,” Lachman said.
So, when you get a friend or “follow” request, there are a few things you can do before clicking “accept”:
- Click through to see how many friends that person has. If there aren’t many, it may not be a “real” account.
- Look at how many people are following that person. If it’s just a few followers, it’s a flag.
- Is there anything about it causing you to pause? For instance, what photo have they used? Do they live in your region? Is the account only re-posting messages from other sites?
“It only takes a few seconds to look at these things - and scams can happen with just a click,” Lachman said.
Types of scams
Lachman explains three types of scamming strategies:
- You're contacted by an entirely fake account, and they’re trying to connect with you to boost their followers on their own account (to seem more legitimate, and win the trust of others)
- An online quiz asks innocuous questions, but buried in the list is information that could be used to steal your identity (for example, the street where you were born)
- A friend’s account has been compromised. When that happens, the scammer might pretend to be that person, and reach out to the friend’s contacts asking for help or money
Warning signs
Lachman says scammers will either be very specific with their request, or very simple and generic to make the “ask” seem straightforward and common.
They will also know what might trigger a young person to panic.
You might click on a link that encrypts your entire computer and the scammer will say, 'If you want access to your term paper or all your photos, you have to send this much money to this account first, and then we’ll give you access.'
Professional vs personal profiles
Another thing to be mindful of is which of your profiles are publicly visible and which have your real name.
“Do your best to keep your social and professional or student life separate. Maybe you’re not doing anything illegal in that photo, but maybe it doesn’t represent the company or the school you’re applying to,” Lachman said.
He notes that for some students, such as a student in fashion or design, Instagram might be their professional profile.
“In that case, you just need to be thoughtful about who you are speaking to every time you are posting,” Lachman said. “It’s a bit sad - you can’t be your unfiltered self, but you need to be deliberate about what you make public.”
Use a password manager
One of Lachman’s top tips is to use a password manager.
“We all create passwords, and we hate that we have the upper case and lower, and the three special characters - we never remember them,” he said.
The solution? A password manager, such as LastPass or 1Password, or the free manager built into Google Android or Chrome.
With a password manager, you create one password, and the password manager creates a different password for each of your accounts - banking, social media, email, etc.
That means the one password you create needs to be very secure.
“But instead of, you know, ‘Hello123’, you use three random words that make sense to you but no one else,” Lachman explained.
“So maybe for you it’s ‘horse-stapler-cheeseburger’, and maybe a number and special character is in there too. But it’s three words that are easy for you to remember and that no one else could ever guess.”
Two-factor authentication
Lachman’s next recommendation is to use two-factor authentication (or MFA - multi-factor authentication) for your accounts. This involves either an app that you download to your phone or a text message. When you log into your email, you will be prompted to enter a special number or code, which you will find in the authenticator app on your phone, or get by text.
“So, for someone to break into your email, they would need both the email password and the authenticator code,” Lachman said, noting that Instagram and Facebook are “hammered” with attacks, so it’s worthwhile to have this for social media too.
Phishing (not fishing) attacks
Phishing is when someone sends you a link which appears to be authentic, but isn’t. The sender may ask you to click on it, and if you do, it may take you to a site that installs compromising software on your computer.
“The tricky part is, the link could be in what looks like a regular email from say, student services or your bank,” Lachman said.
To determine if a link is authentic on your computer, hover your mouse over the link, and view the URL that appears. The area to focus on is the domain - the name that comes just before the “.com”, “.ca”, or other ending of the website’s address. If it’s a scam, the domain won’t be that of the institution it claims to be.
To do this on your phone, try holding your finger over the link instead of tapping; you should be able to preview the full URL without loading it.
Whatever device you’re on, Lachman says, “Always look before you tap.”
He also notes that if you receive a message or a call asking for your account or personal information, don’t give it to them. Ask if you can call that institution back to check with them, and use the number on their website.
Back it up
Another crucial step in protecting your files and accounts is to ensure you have a backup system in place.
“Every student will have a crash at some point - they might lose their term paper or their photos. So, figure out how you’re going to back everything up because you could lose weeks of work,” he said.
Buying and selling online
Buy-and-sell apps are a great place to find a deal on furniture or clothes for the new school year. But it’s important to be mindful about where you agree to meet and how the payment will be made.
For smaller items that are portable, choose a neutral location. In some cities, local police stations allow people to meet in a “safe transaction site” or even the front lobby to exchange the item.
“They’re unlikely to rob you in front of a police station,” Lachman said.
For the transaction itself, be sure to check that the e-transfer is completed on the spot with the buyer. You may also want to create a different email address for buy-and-sell transactions. Those using Facebook Marketplace may also want to create a different Facebook account with a different name and photo just for such transactions.
On a final note, Lachman reminds students that while getting a credit card or a driver’s license can be exciting, “posting a photo of it online that shows the number on it is not the best idea.”
The bottom line
“If you’re not sure, trust that unease. Just say no or don’t click,” Lachman said. “We don't want to make it seem like the world is so terrifying and scary… Just do a few simple things and then you can enjoy.”
–
TMU links for online safety and security:
- Online Personal Safety
- Criminal Harassment and Stalking
- Phishing awareness
- Protecting Data (Practicing Digital Self Defence, Protecting Confidential Data, and Protecting your Identity)