Originally posted on zdnet.
If you follow one phone security best practice, make it this one.
Every so often I have to dive back into the waters of mobile security and offer up a hard truth for users to swallow. Most of those truths are easy to accept: never install software unless it comes from the app store for your ecosystem (the Google Play Store or the iOS App Store), use a password manager, and keep both your apps and the operating system updated.
Anyone can follow those best practices. They’re simple, harmless, and require very little effort on the part of the user.
But then there are other best practices that aren't quite as easy to follow. IT admins have spent years reminding end users not to do certain things, and those things still happen. No matter how adamant the IT admin is, or how serious the consequences of an action might be, end users continue to ignore the warnings, only to wind up turning to IT to solve the resulting problems.
When you're dealing with your own personal device, you might not have an IT department to turn to. Then you could wind up going to your carrier and paying to have the device restored to working condition (which can be expensive), or doing a factory reset (which may or may not fix the problem). And if you've fallen prey to a ransomware attack, all bets are off: even if a factory reset gets the phone working again, the attacker may already have copied your data and can hold it under threat of release unless you pay up.
You do not want that.
And this is where what is probably my most important piece of mobile security advice comes into play. It can be summed up in a single, simple sentence.
When in doubt… don’t.
I have a dear friend who regularly calls me with questions like, “I received this text. I don’t know the sender. Should I click on the link?”
The answer, unequivocally, is always a resounding "no!" I then remind that person that if they don't know the sender of an email, an SMS message, a Facebook Messenger message, a WhatsApp communication, etc., they are not to open it, tap it, click it, copy it, respond to it, or otherwise interact with it.
And that’s the heart of this issue.
So many users (and even publications) want to lay the blame squarely on the shoulders of the companies that provide mobile operating systems and mobile applications. Not only is that unfair, it's also unhelpful. Just as with desktop and laptop computers, the end user must share the burden of responsibility. Google does not make you tap the links sent to you from unknown sources. Apple has never once twisted your arm to respond to a strange text.
And yet, no matter how many times they are warned, end users continue to tap those strange links and respond to those messages from unknown senders. The results can be catastrophic for your data, your privacy, and your identity.
According to Avast, global ransomware attacks are up 32% on businesses and 38% on individuals. The lures that deliver those attacks take the form of fake package delivery notices, tech support scams, sexploitation scams, and phishing scams (messages that try to trick you into divulging credentials or personal information, giving the attacker leverage over you).
You've seen these emails and SMS messages arrive on your phone. I get them all the time. While I was writing this article, I received no fewer than five such scams, and my wife forwarded me a phishing email that posed as an order for Geek Squad Gold Plus Tech Support at $499.19. Within that email were phone numbers to tap, which I guarantee would lead to no end of trouble. I immediately responded to her to say it was a scam and to delete it. This type of attack is so common that I've reached the point where I automatically block (or mark as junk) any email that includes certain phrases or company names frequently used in phishing scams.
I also receive about 10 SMS messages a day on my phone that go something like this:
Hey, I tried to call you but you’re not answering. What’s up?
The sender of that message is not in my contact list, which means I don't know them. Over the past few years, I've developed a simple rule: if I don't know you, I won't answer the phone or reply to your messages. Now I don't hesitate to block and report those messages as spam. The sender may be legitimate, but I'm not taking my chances.
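The rule above (unknown sender plus anything that invites interaction means block, not reply) and the phrase-based junk filter described a couple of paragraphs earlier can be written down as a small triage function. The following is an added example, not code from the original article; the contact list, the phone numbers, the URL and the message texts are constructed for the demonstration, and the list of lure phrases is an assumption based on the scam types the article mentions (package delivery, tech support, the "tried to call you" opener):

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample contact list (placeholder numbers, not real contacts).
KNOWN_CONTACTS = {"+15550100", "+15550101"}

# Assumed lure phrases of the kinds the article mentions; extend to taste.
LURE_PHRASES = (
    "geek squad",
    "tech support",
    "package",
    "delivery",
    "your account has been",
    "verify your",
    "tried to call you",
)

# Heuristic matchers. The phone pattern needs at least nine characters of
# digits/separators, so short amounts such as "$499.19" do not trigger it.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


@dataclass
class Verdict:
    action: str          # "allow", "review" or "block"
    reasons: List[str]   # why the verdict was reached, in check order


def triage(sender: str, body: str, contacts=KNOWN_CONTACTS) -> Verdict:
    """Apply 'when in doubt, don't' to a single message.

    Known sender: allow, but still report links so the reader stays aware.
    Unknown sender with any bait (link, phone number, lure phrase): block.
    Unknown sender with plain text: review, which still means do not reply.
    """
    reasons: List[str] = []
    text = body.lower()
    if URL_RE.search(body):
        reasons.append("contains link")
    if PHONE_RE.search(body):
        reasons.append("contains phone number")
    hits = [phrase for phrase in LURE_PHRASES if phrase in text]
    if hits:
        reasons.append("lure phrase: " + ", ".join(hits))
    if sender in contacts:
        return Verdict("allow", reasons)
    if reasons:
        return Verdict("block", ["unknown sender"] + reasons)
    return Verdict("review", ["unknown sender"])


# Constructed sample inbox: one message from a contact, four from strangers.
SAMPLE_MESSAGES = [
    ("+15550100", "Running late, see you at 7"),
    ("+15550199", "Hey, I tried to call you but you're not answering. What's up?"),
    ("+15550198", "Your package could not be delivered. Reschedule: http://example.invalid/track"),
    ("+15550197", "Geek Squad Gold Plus Tech Support renewed for $499.19. Questions? Call 1-800-555-0199"),
    ("+15550196", "Is this still available?"),
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Run triage over a batch and return verdicts keyed by sender."""
    return {sender: triage(sender, body) for sender, body in messages}


if __name__ == "__main__":
    for sender, verdict in triage_all().items():
        print(f"{sender}: {verdict.action:6} {'; '.join(verdict.reasons)}")
```

Note that a stranger's message with no link, number or lure phrase still comes back as "review", not "allow": the point of the rule is that the absence of obvious bait does not make an unknown sender safe to reply to.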
And that's the attitude every mobile user should adopt. Err firmly on the side of caution and you'll avoid a lot of the most common attacks on your privacy and data.
And that, my dear friends, is the hard and simple truth about phone security that you (and everyone you know) need to accept.