• United States




7 easy steps to Internet street smarts

Jul 28, 20157 mins
Data and Information SecurityMalwarePhishing

The Internet is a lawless place rife with shady characters. Learn to avoid their sleazy ploys and get back home safe

internet addiction
Credit: Thinkstock

Whether or not you were born in a big city, you quickly learn the rules of walking in congested public areas, full of people who want your money.

You learn what areas and which people to avoid. You learn to walk like you know where you’re going and to ignore strangers trying to get your attention, especially if they want to divert you from a main street to a more secluded spot.

Being on the Internet is like living in the biggest city possible. Aggressive thieves are everywhere. Worse, there are no street cops and no one to help you when things go south. But as with walking in a big city, a few commonsense precautions can help you avoid becoming a victim.

Here are seven streetwise behaviors that will keep you safer.

1. Be suspicious of everything

Be a city boy or girl instead of a bumpkin. It’s a fact that most email on the Internet is malicious. It’s a fact that you’re more likely to get infected visiting a website you trust and go to every day than you would with a porn site (unless, of course, that’s one in the same).

Assume all emails asking for something or asking you to click on something are malicious — even those with attachments that say they’ve been scanned and are virus-free. If that joke your friend forwarded to everyone contains a link, following that link will very likely result in infection.

If you’re having a problem with your computer and you search for an answer, that fix-it site with drivers and registry repair programs was likely created by malware writers. Most of the programs on the Internet claiming to be antimalware software are, in fact, malware programs.

Unsure whether that antimalware program is legitimate? check out AV-Test or VirusTotal. Both sites test and use dozens of legitimate antimalware programs every year. If your antimalware program isn’t listed in one of those sites, don’t trust it.

If an email or a website wants you to install something, never do it. Yes, sometimes you need additional software to view a legitimate website, but it’s fairly rare. Most of the time, you’re really being asked to install malware, even if you’re visiting a trusted, well-trafficked website. Legitimate websites often get infected by malware that asks users to install malicious agents.

If you’re asked to install a common program from, say, Adobe, start another browser session and go to to install a known, clean copy. Don’t download it from anywhere else.

2. Assume all antimalware software fails

Antimalware scanners are great at detecting malware after the malware is a day or two old, but on the first day, good luck. Any vendor claiming 99 or 100 percent accuracy is lying.

You can get a general sense of how accurate your antimalware scanner is by visiting AV-Test, but take any “extremely accurate” ratings with a grain of salt. Antimalware software vendors lie with statistics; all antimalware programs are horribly inaccurate.

If you ever upload a malware program to VirusTotal, which has more than 50 antimalware scanners scanning every file, you’ll never encounter a situation where every antimalware scanner detects the file you’ve submitted. VirusTotal, owned by Google, will not reveal how each antimalware program performs against all submitted files. They could, but then the antimalware vendors probably wouldn’t let them use their antimalware scanners. The antimalware vendors don’t want you to know the real story and statistics.

What can you do?

Individually, every antimalware scanner is inaccurate, but all of them together make a great scanner. What one scanner might miss, 57 rarely do. Anytime you suspect a file is malicious, submit it to VirusTotal. Even better, download and install the free Microsoft Process Explorer program. You can configure it to submit each currently executing program to VirusTotal automatically (see my post on this topic). Once you’ve installed it, one click and five seconds later, you’ve submitted every program your computer is running to 57 antimalware engines. It’s awesome!

3. Patch, patch, patch

Most people get infected because they don’t install patches. I’ve never investigated a computer that had all necessary patches installed. Worse, most people don’t install the most important patches — for Java, Adobe products, and so on.

I’m not sure why people are so hesitant to patch. I suspect that besides the time it “wastes,” they aren’t sure if the patch is real — and fear a fake one will infect their system.

Here’s a good rule of thumb: If your computer asks you to patch something outside of the browser or before you open the browser, it’s probably a legitimate patch. If you get asked to patch something while you’re browsing the Internet, stop right there. Any legitimate patch you need will bug you when your browser is closed, even patches for the browser itself.

4. Use unique passwords on every website

Websites get compromised all the time. Bad guys steal databases of log-on credentials. It happens.

You can minimize the damage on your end by making sure the password they’ve stolen from you works only on the website that has been compromised. You don’t want criminals to steal your password from some website you barely care about — then use it on your business or banking websites.

For the record, I don’t use a password manager and I don’t write down my complete password anywhere. Instead, I keep a document with my long list of passwords by website, which lists only abbreviations of my passwords. If that list is stolen or viewed, it won’t do bad guys any good.

Finally, don’t use password reset question answers that can be researched or guessed by anyone. When the password reset question asks “What’s your mother’s maiden name? or “What was your first car?” or “Your favorite elementary teacher,” reply with “tree” or something like that. If it can’t be guessed or researched, it will be a lot harder for a bad person to take control of your account.

5. Always go to real websites to do anything asked of you in email

Phishers routinely send emails that appear to be from websites where you’re a registered user. Never directly respond to an email sent to you from a website or company asking for a response, especially if they are asking you to confirm private information or to click on something.

Instead, close the email and manually type in the legitimate website’s URL. Anything you need to do will usually be asked upon logon to the real website.

6. Don’t get fooled into installing browser add-ons or helper software

Are you tired of slow Windows bootups? A recent Windows Secrets article revealed that installing common free programs will increase your average Windows boot time from 19 seconds to more than 100 seconds. When those programs are uninstalled, the boot time goes back to 19 seconds. Most of the free programs you install will slow down your system — and many include adware or malware.

Don’t install a program unless you absolutely need to. Sometimes this is tough. Many of the most popular programs we need to install (like Adobe or Java software) will try to install other, unneeded software by default. When you install any program, be sure to uncheck options that indicate that other software will be installed.

You can check to see what programs your computer is already using with a Microsoft utility called Autoruns. It, too, can submit executables for review at

7. Back up your data in at least one offline site

No computer security defense is guaranteed. Everyone makes mistakes. The only truly, completely safe defense is to back up your important data in at least one offline location that is not located on your computer or in the cloud.

Online, things can be compromised and lost. Offline is a pain, but it’s foolproof as long as you store securely.

These words of online street wisdom come from nearly 30 years of work as a computer security expert. They’ll protect you better than, say, long and complex passwords. They will protect you better than two-factor authentication. It will protect you better than the best single antimalware program.

Do these things and stay safe.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author