The ultimate guide to staying safe online
You’re on your way to class, and your phone starts ringing. You don’t know the number, but you’re expecting a call - so you answer.
The person says they’re calling from your bank, and there’s an issue with your account. They need to verify some of your information. Do you confirm?
Not without following some very specific steps first, says Richard Lachman, professor in The Creative School at Toronto Metropolitan University (TMU), who says these kinds of situations are all too common.
And, he explains, students are particularly vulnerable toward the beginning of the school year.
“They’re setting up new email addresses and bank accounts for OSAP and student loans, meeting and adding new classmates, friends and teammates to social media - it’s an ideal situation for scammers,” he said.
But, that doesn’t mean we should be scared of technology - instead, we just need to stay vigilant.
So, to help ensure you stay protected, check out these tips to keep your information safe:
The start of the new school year is a good time to carefully evaluate who’s following you on social.
“Students will be meeting a lot of new people - some will be flooded with requests,” Lachman said.
So, when you get a friend or “follow” request, there are a few things you can do before clicking “accept”:
- Click through to see how many friends that person has. If there aren’t many, it may not be a “real” account.
- Look at how many people are following that person. If it’s just a few followers, it’s a red flag.
- Is there anything about it causing you to pause? For instance, what photo have they used? Do they live in your region? Is the account only reposting messages from other sites?
“It only takes a few seconds to look at these things - and scams can happen with just a click,” Lachman said.
Another thing to be mindful of is which of your profiles are publicly visible and which have your real name.
“Do your best to keep your social and professional or student life separate. Maybe you’re not doing anything illegal in that photo, but maybe it doesn’t represent the company or the school you’re applying to,” Lachman said.
He notes that for some students, such as a student in fashion or design, Instagram might be their professional profile.
“In that case, you just need to be thoughtful about who you are speaking to every time you are posting,” Lachman said. “It’s a bit sad - you can’t be your unfiltered self, but you need to be deliberate about what you make public.”
One of Lachman’s top tips is to use a password manager.
“We all create passwords, and we hate that we have the upper case and lower, and the three special characters - we never remember them,” he said.
The solution? A password manager.
With a password manager, you can create or generate strong, unique passwords for all your accounts and applications. You’ll also be able to store and manage them in one place. This makes it easier to maintain unique passwords for every account you own without having to memorize them. Plus, you’ll only need to remember your password to your password manager to have all your passwords available at your fingertips.
This means that one password needs to be very secure.
“But instead of, you know, ‘Hello123’, you use three random words that make sense to you but no one else,” Lachman explained.
“So maybe for you it’s ‘horse-stapler-cheeseburger’, and maybe a number and special character is in there too. But it’s three words that are easy for you to remember and that no one else could ever guess.”
Lachman’s next recommendation is to use two-factor authentication (or MFA - multi-factor authentication) for your accounts. This involves an app that is downloaded to your phone, or getting a text message. When you log into your email, you will be prompted to enter a special number or code, which you will find in the authenticator app on your phone, or get by text.
“So, for someone to break into your email, they would need both the email password and the authenticator code,” Lachman said, noting that Instagram and Facebook are “hammered” with attacks, so it’s worthwhile to have this for social media too.
It’s also important to ensure you have a backup system in place.
“Every student will have a crash at some point - they might lose their term paper or their photos. So, figure out how you’re going to back everything up because you could lose weeks of work,” Lachman said.
Phishing is a cybercrime in which a target or targets are contacted by someone posing as a legitimate institution or figure to lure them into providing sensitive data, such as banking and credit card details or personally identifiable information. It can happen in various ways, including email, telephone, text message or social media.
The information is then used to access important accounts and can result in identity theft and/or financial loss.
“The tricky part is, for instance with email, the link could be in what looks like a regular email from say, student services or your bank.”
To determine if a link is authentic, hover your mouse over the link, and view the URL that appears. The area to focus on is the domain - or what comes just before the “.com”, “.ca”, or other last letters in a website URL. If it’s a scam, the domain won’t be that of the institution it claims to be.
To do this on your phone, try holding your finger over the link instead of tapping; you should be able to preview the full URL without loading it.
Whatever device you’re on, Lachman says, “Always look before you tap.”
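The domain check described above, written out as an added JavaScript example (not part of the original article). `bank.example` and the other hostnames are constructed placeholders; the example goes slightly beyond the text by also flagging text placed before an `@` and internationalized labels, two ways a link can show a familiar name without going to that domain.

```javascript
// Added example: all hostnames are constructed. "bank.example" stands in for
// the institution's real domain, which you know from a card or statement.

// Parse the link and return the parts that decide where it really goes.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return null; // not a parsable absolute URL
  }
  return { host: url.hostname.toLowerCase(), userinfo: url.username };
}

// A host belongs to the institution only if it IS the expected domain or ends
// with "." + that domain. The leading dot stops "mybank.example" from matching.
function isUnderDomain(host, expectedDomain) {
  const d = expectedDomain.toLowerCase();
  return host === d || host.endsWith("." + d);
}

function checkLink(href, expectedDomain) {
  const parts = inspectLink(href);
  if (parts === null) return { host: null, ok: false, reasons: ["unparsable link"] };
  const reasons = [];
  if (!isUnderDomain(parts.host, expectedDomain)) {
    reasons.push(`goes to ${parts.host}, not ${expectedDomain}`);
  }
  if (parts.userinfo) {
    reasons.push(`"${parts.userinfo}" before the @ is a username, not the site`);
  }
  if (parts.host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("internationalized (punycode) label that can imitate Latin letters");
  }
  return { host: parts.host, ok: reasons.length === 0, reasons };
}

const samples = [
  "https://www.bank.example/login",
  "https://bank.example.account-verify.test/login",
  "https://bank.example@account-verify.test/login",
  "https://mybank.example/login",
  "https://b\u0430nk.example/login", // Cyrillic "а" in place of Latin "a"
];
for (const href of samples) {
  const r = checkLink(href, "bank.example");
  console.log(r.ok ? "OK  " : "STOP", href, r.reasons.join("; "));
}
```

Only the first sample passes: in every other case the name of the institution appears somewhere in the link, but the host the browser would contact is a different domain.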
Short for “voice phishing”, vishing is a similar type of social engineering. It involves defrauding people over the phone, enticing them to divulge sensitive information for the attacker’s financial gain.
“So, you get a call, maybe from a number with a fake caller-ID, and the person on the other end seems to know a lot of the authentication information that they'd have if they were really with your bank or say, tech support. They get you to provide a few other pieces of information, and then they can access your account,” Lachman explained.
That’s when ransomware attacks can occur. The attacker gains access to your private data, encrypts it - then demands a ransom payment to retrieve the information.
“You might click on a link that encrypts your entire computer and the scammer will say, ‘If you want access to your term paper or all your photos, you have to send this much money to this account first, and then we’ll give you access.’”
Lachman says it’s become even easier to do this - since, firstly, attackers can access some of our personal information online, such as our friends, acquaintances, and job titles from platforms like LinkedIn. Making it even easier for an attacker? Generative AI, which can clone voices and create scripts to read in the style of a company.
How can you prevent any of these vishing scenarios from happening?
“Don't give any information out over the phone to anyone who calls you. If your bank seemingly wants to talk to you, get a file number or another reference, look up the contact number on the web, and call them back,” he said, adding, “Don't trust the link emailed to you either, as scammers can also make a fake website that looks like the real thing, but with a fake address.”
Another scheme that is especially important for students to watch out for is the job scam. Students are often targeted since many are eager to pay off tuition fees, student loans and rent - and fast.
But experts say there are many signs to look out for which hint that a job is not legitimate. They include:
- Requesting your personal information
- Not interviewing the candidate
- Job is offered quickly
- High pay for a basic job
- Being asked to send money in advance
- All communication is on chat apps
“Keep in mind that if a job is legitimate, the employer typically will want to meet the candidate, ask for references, and the pay will be more in line with a typical salary for the position. If it sounds too good to be true, it probably is.”
Buy-and-sell apps are a great place to find a deal on everything from concert tickets to furniture or clothes for the new school year. But there are things to be mindful of when arranging to buy or sell an item.
First, experts say to never send an e-transfer to an unknown person or account before you’ve received the item or service.
Secondly, when meeting up for the exchange, it’s important to be mindful about where you agree to meet and how the payment will be made.
For items that are portable, choose a neutral location. In some cities, local police stations allow people to meet in a “safe transaction site” or even the front lobby to exchange the item.
“They’re unlikely to rob you in front of a police station,” Lachman said.
For the transaction itself, be sure to check that the e-transfer is completed on the spot with the buyer. You may also want to create a different email address for buy-and-sell transactions. Those using Facebook Marketplace may also want to create a different Facebook account with a different name and photo just for such transactions.
The bottom line
“If you’re not sure, trust that unease. Just say no or don’t click,” Lachman said. “We don't want to make it seem like the world is so terrifying and scary… Just do a few simple things and then you can enjoy.”
TMU links for online safety and security:
- Online Personal Safety
- Criminal Harassment and Stalking
- Phishing awareness
- Protecting Data (Practicing Digital Self Defence, Protecting Confidential Data, and Protecting your Identity)