The most complete checklist for fraud protection

Tomcat

For several months, I studied the topic of Internet fraud in order to collect the most complete list of actions that would protect me from crooks and their machinations. The result of the study was a checklist, which I want to share with everyone. Its goal is to make hacking digital assets difficult and pointless.

I suggest that the reader complete as many items of this checklist as possible, but I must say that this will come with some inconvenience when using a smartphone. Here everyone chooses for themselves: convenience or security. You quickly get used to the inconveniences and they stop being such, whereas skimping on security can cost a lot of money, time and nerves if any of your accounts is hacked.

For convenience, the items are sorted by importance and divided into blocks: Required, Important and Desirable. There is also a list of digital hygiene rules and a section on what to do in an emergency. How to perform each action is easy to find on the Internet, so for brevity I give only the actions themselves with short explanations. In the final part of the article I give some real-world examples.

I tried to collect the most complete collection, but if you have something to add, write in the comments.

Preventive measures

Required

| # | Action | Explanation |
|---|--------|-------------|
| 1 | Set a PIN code on the SIM card | If your smartphone is lost or stolen, the crook will not be able to use your number quickly; you gain time |
| 2 | Request from your mobile operator a ban on actions under a power of attorney | So that crooks cannot obtain a duplicate SIM card using a forged power of attorney |
| 3 | Issue a ban on registering real estate transactions without your personal presence | To rule out the sale of an apartment under a forged power of attorney or a forged EDS (electronic digital signature) |
| 4 | Set up notification of EDS issuance in your personal account on the Public Services portal | If fraudsters issue a fake EDS in your name, you will know about it right away |
| 5 | Set up two-factor authentication on Public Services, the tax service and other websites (mos.ru, Rosreestr) | Scammers will not be able to log in even if they find out the password |
| 6 | Install a caller ID app on your smartphone | In most cases scammers call from numbers already marked as fraudulent. Sometimes, however, they spoof a real bank number; then see item 40 |
| 7 | Install antivirus software on your smartphone | Protection against Trojans, stealers and other malware |
| 8 | Regularly update the software on your smartphone, including security updates | Protection against current attack methods and closing of known vulnerabilities |
| 9 | Use different passwords for different websites and apps, or use a password manager | If your Public Services password matches your password on some small forum, then by hacking that forum the attacker gets your Public Services password |
| 10 | Set up an alert for every login to the Public Services website | If scammers gain access to your account, you will know about it immediately |
| 11 | Set daily limits for spending and transfers on your bank card | Scammers will not be able to withdraw more than this amount, and raising the limit is difficult |
| 12 | Receive bank transaction confirmations via push notifications, not SMS | SMS is an unreliable protocol susceptible to interception and attacks. However, if you travel to an area without Internet or roaming, temporarily switch notifications back to SMS |
| 13 | Have the "Mobile transfer" service blocked at your mobile operator | If your SIM card is compromised, it will not be possible to withdraw money from it |
| 14 | Configure your smartphone to hide notification text on the lock screen | If the phone is stolen, scammers will not be able to read bank codes on the locked screen |
| 15 | Set a code word with your mobile operator | To quickly block your SIM card in an emergency |

Important

| # | Action | Explanation |
|---|--------|-------------|
| 16 | In your Google (Apple) account, specify a backup phone number and a backup email address | If your account is compromised, you will need these to restore access |
| 17 | Set the smartphone screen to auto-lock after no more than 30 seconds | If the phone is stolen, it will lock in time |
| 18 | Remember the code words and security questions for all banks where you have accounts | So that in an emergency you can confirm your identity at the call center without wasting time |
| 19 | Don't choose security questions that are easy to answer, such as your mother's maiden name | This information is often found in the public domain or in purchased databases |
| 20 | Learn your loved ones' phone numbers by heart | So that you can call them from a different phone in an emergency |
| 21 | Enable alerts about requests to your credit history | You will be notified immediately of any attempt to take out a loan in your name |
| 21.1 | Enable notifications about card transactions | This lets you quickly spot fraudulent debits and call the bank without wasting time |
| 22 | Keep the phone number linked to your bank account with you at all times | If a fraudster issues a duplicate SIM card, you will know about it immediately (see also: why you should not keep a separate SIM card just for banking operations) |
| 22.1 | For the main card you use to pay in stores and online, prohibit cash withdrawals and purchases outside your country | Stolen cards are usually used in other countries. If you need to pay for foreign goods or services, create a separate virtual card for this. If you are travelling, temporarily lift this ban |
| 22.2 | When paying online, do not enter your card details in a pop-up window where the payment system's website address is not visible | Fraudsters can create a full copy of the payment page that leads to a fraudulent server |
| 23 | Disable password auto-save on your smartphone and computer | Otherwise, if the phone is stolen, the thief will be able to see all saved passwords, including those synced from the computer |
| 24 | Set limits for automatic top-up of the SIM card balance | If the SIM card is compromised, fraudsters will not drain the bank card through it |
| 25 | Write down the hotline numbers of your banks and mobile operators on both your main and backup phones | So that in an emergency you can quickly find and call the hotline |
| 26 | Disable automatic MMS reception on your device | There is an old vulnerability that allows malware to be delivered to the device via MMS |
| 27 | Revoke SMS and call permissions from apps that don't need them | A Trojan can be embedded in a harmless-looking app that has SMS permissions |
| 27.1 | Review the extensions in your browser and remove any unused ones | Scammers buy up old extensions and push malicious code as updates |
| 27.2 | Review the apps on your smartphone and delete unused and old ones | Scammers buy up old apps and push malicious code as updates |
| 28 | Set up push notifications for incoming email | So that you don't miss an important notification from a government or banking service |
| 29 | Mark the phone numbers of your mobile operator and banks as not spam | So as not to miss text messages about security issues |
| 30 | Install antivirus software on your home computer | Protection against viruses, Trojans and spyware |
| 31 | Install the latest operating system and application updates, including security updates, on your home computer | This closes discovered vulnerabilities and protects against attacks and the latest malware |
| 32 | Disable remote connections to your computer: disable Remote Desktop, close external ports | One of the most common hacking methods is scanning potential victims for open ports and trying simple Remote Desktop passwords |
| 33 | Bank with an institution whose call center cannot change the linked phone number | Fraudsters obtain personal data in various ways and can link their own phone number to the victim's account |
| 34 | Require a fingerprint or password for contactless payment with your smartphone (or disable it) | If the phone is stolen, thieves will not be able to pay with it |
| 34.1 | On your Wi-Fi router, set a strong administrator password and change the device's IP address | To prevent crooks from logging in to the router as administrator |
| 34.2 | Set a strong password for connecting to your Wi-Fi router | So that crooks cannot brute-force it |

Desirable

| # | Action | Explanation |
|---|--------|-------------|
| 35 | Carry a spare phone with a working SIM card | To quickly block your primary number if the phone is lost or stolen |
| 36 | Set a PIN code on your smartphone for viewing files and photos and for opening messengers | If your phone is stolen, your files, contacts and correspondence will not be exposed to fraudsters |
| 37 | If possible, disable account recovery via remote channels | If you forget your password, create a new account |
| 38 | Apply to the Federal Tax Service for a ban on registering a legal entity using an EDS | To rule out the registration of a sole proprietorship (individual entrepreneur) or LLC in your name using a fake EDS |
| 39 | Don't use face unlock on your smartphone | If the phone is stolen, the thief may be able to unlock it with a photo. The probability is low, but it happens, so it's better to protect yourself |

Digital hygiene rules

| # | Action | Explanation |
|---|--------|-------------|
| 40 | If you receive a suspicious or alarming call from anyone, hang up immediately. Do not pick up again until you understand the situation yourself. Call back only on official numbers | Protection from phone scammers |
| 41 | Do not pay in advance; refuse prepayment in any transaction or situation if the company or person is little known to you | Protection from online and offline scammers |
| 41.1 | For an important, large purchase, carefully verify the seller's documents. Do your due diligence | Scammers buy fake passports and forge documents, then sell cars and real estate that do not belong to them. In such crimes the buyer usually loses everything, and the property is returned to its rightful owner through the court |
| 42 | Do not let anyone copy or photograph your passport except at bank branches and government agencies. Do not send scanned documents by email | This reduces the likelihood of personal data leaks. If a copy is insisted upon, carry your own copy with some of the information covered up. If copying cannot be avoided, at least do not let them copy all the pages (see: how cards are issued from a scanned passport) |
| 43 | Do not leave a foreign passport with a biometric chip as a deposit | Whoever holds a biometric passport can open a sole proprietorship; at least the "green bank" offers such a service |
| 44 | Check the domain carefully before paying online | To avoid falling for phishing |
| 45 | Check the transfer details immediately before making a payment | There are viruses that replace bank details at the last moment |
| 46 | Do not keep large amounts on the card you use to pay in stores or online | In the worst case, scammers will be able to steal only a small amount |
| 47 | Cover the terminal keypad with your palm when entering the PIN | Protection against card data theft |
| 48 | Do not expose the CVV2 (do not turn the card over in view of others) | Protection against card data theft |
| 49 | Grant apps SMS and call permissions carefully | Protection against spyware that steals data |
| 50 | Do not give messengers and banking apps access to your address book | This way you give the outside world less information about yourself |
| 51 | Check the device administrators in your smartphone settings | There should be only verified apps that actually need these permissions |
| 52 | Set a device boot password if your smartphone model supports it | An additional security factor |
| 53 | Get an eSIM if your smartphone model and carrier allow it | An eSIM is more convenient and reliable than a regular SIM card |
| 54 | Do not rush to click links where you need to enter personal data. If you did click, check that the site is real | Phishing sites remain one of the main threats to this day. Scammers can steal personal data, learn the answers to security questions or plant a virus |
| 55 | Do not enter your bank card details in unknown online stores or apps | They can be hacked and all card details stolen. Scammers also create legitimate-looking online stores; when you buy from such a store, your card details go straight to the fraudsters |
| 56 | Be careful on sites with pirated content | You may pick up malware, such as spyware that steals passwords |
| 57 | Do not run cracked programs or key generators on your computer. If you must use cracked software, run it in a virtual machine | Viruses are embedded in pirated programs and key generators |
| 58 | Do not install potentially dangerous apps: unofficial music downloaders, pirated content, etc. | They may contain Trojans |
| 59 | Be careful when opening any file, even one sent by people you know. The most common way a computer gets infected is the victim running a malicious file themselves | Malware can be contained in a file of any format and can be encrypted to bypass antivirus programs. Your friends may not know that the file they are sending contains malware |
| 60 | Check files you received by email or messenger, or downloaded yourself from the Internet, on virustotal.com | A phishing email looks no different from a regular one, and it is one of the main malware infection schemes. Better to play it safe. For convenience, install the browser extension |
| 61 | Withdraw cash from a bank card abroad only at bank branches | Crooks steal card data via skimmers and shimmers installed in ATMs in places with few people |
| 62 | When abroad, try to pay with cash or contactless phone payment | It is better not to pay with a bank card. Many countries have developed criminal networks for stealing card data by photographing cards and using infected POS terminals |
| 63 | Do not hand your bank card to anyone. All operations must be performed in your presence | Protection against card data theft |
| 64 | Do not log in to your accounts from other people's devices | These devices may contain a Trojan or other malware |
| 65 | Do not store very important files on your computer | If you have to format your computer because of ransomware, the data will be lost. It is better to store it on removable media |
| 66 | Do not store important or secret files and correspondence on your smartphone. Be mentally prepared for the phone to fall into the wrong hands | To prevent leaks of personal data and correspondence. Make it so that your phone could be handed to anyone without any risk |
| 67 | Do not connect to free Wi-Fi | Rules out attacks on you via unsecured networks |
| 68 | Install apps only from Google Play / App Store and only those with a good rating | Protection against viruses and Trojans |
| 69 | If possible, do not use standalone ATMs in places with few people | Protection against skimming. It is best to use ATMs in bank branches or large buildings, where crooks will not be allowed to tamper with the ATM |
| 70 | Keep large sums in a bank that has no remote banking service | Eliminates the possibility of remote theft |
| 71 | Do not store document scans with cloud providers | Reduces the chance of them leaking, for example when your phone is stolen |
| 72 | Do not root your smartphone | If a Trojan gets in, it will be able to do anything on your device |
| 73 | Practice locking your device from a loved one's phone | Training in case your device is stolen |
| 74 | Do not hand your phone to strangers | Protection against data theft and malware installation |
| 75 | Use trusted major telecom operators | At some virtual operators, personal data can be obtained through social engineering |
| 76 | Make your VK and FB accounts visible only to friends | Public photos are scraped from social networks and stored on shady servers used by fraudsters. You cannot delete your photos from such servers |
| 77 | In social media profiles, give a minimum of information about yourself, use a full-length photo as your avatar or remove the photo altogether, and replace your last name with a nickname | Scammers search by photo, phone number, last name and first name. This is how they collect information and plan attack options |
| 78 | Keep cash at home | In case you have to block your cards and accounts to protect them from fraudsters |
| 79 | Periodically change code words, answers to security questions and passwords for personal accounts | Personal data can leak even from banks, and fraudsters can get jobs in bank call centers, so periodically changing sensitive information is good practice |
| 80 | Periodically check the information on the Public Services and Tax Service websites: EDS issued to you, participation in organizations, information about your property, notifications from Rosreestr and the FSSP. In your mail settings, check that there is no forwarding to unknown mailboxes, and look for suspicious sessions and linked devices | If you receive notifications about actions you did not perform, act quickly. You can check whether a legal entity is registered in your name in the Tax Service personal account or here |
| 81 | Periodically replace your civil passport | If you treat your passport as a key to all your data and a password identifying you, then a preventive replacement every few years will definitely not do any harm. It might even be useful. However, I consider this item optional |
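A helper for the domain checks in items 22.2, 44 and 54, as an added example that is not from the original post: it takes the URL shown in the address bar and flags the tricks those items warn about (a trusted name used only as a subdomain, a trusted name hidden before "@", punycode look-alikes, plain HTTP). The allowlist of trusted payment domains and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains you actually intend to pay on.
# Replace with the real domains of your bank / payment system.
TRUSTED_DOMAINS = {"example-bank.ru", "example-pay.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name, lower-cased.

    'pay.example-bank.ru' -> 'example-bank.ru'. Simplification: multi-label
    public suffixes such as 'co.uk' are not handled here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_payment_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (ok, warnings); ok is True only when no warning fired."""
    warnings = []
    parts = urlsplit(url)

    # Item 22.2: a real payment page is served over HTTPS.
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme={parts.scheme or 'none'})")

    # 'https://example-bank.ru@evil.com' connects to evil.com; the trusted
    # name before '@' is only a user name and is ignored by the browser.
    if parts.username is not None:
        warnings.append("trusted-looking name before '@' is not the host")

    host = parts.hostname or ""
    if not host:
        warnings.append("no host name in URL")
        return False, warnings

    # Punycode labels (xn--) can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host, possible look-alike")

    if host.replace(".", "").isdigit():
        warnings.append("host is a bare IP address")

    reg = registrable_domain(host)
    if reg not in trusted:
        # Item 44: 'example-bank.ru.evil.com' belongs to evil.com, even
        # though the trusted name appears at the start of the host.
        decoy = [t for t in trusted if t in host]
        if decoy:
            warnings.append(
                f"trusted name {decoy[0]!r} appears only as a subdomain of {reg!r}")
        else:
            warnings.append(f"registrable domain {reg!r} is not in the trusted list")

    return (not warnings), warnings


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, three phishing-style.
    for sample in (
        "https://pay.example-bank.ru/checkout",
        "https://example-bank.ru.evil-host.com/pay",
        "https://example-bank.ru@evil-host.com/pay",
        "http://example-bank.ru/",
    ):
        ok, why = check_payment_url(sample)
        print("OK  " if ok else "WARN", sample, "; ".join(why))
```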

What to do in an emergency

If your phone was stolen

| # | Action | Explanation |
|---|--------|-------------|
| 82 | Use your spare phone to log in to your Google / Apple account and mark the phone as stolen, or erase the device remotely | If there is no spare phone, do this from the phone of a loved one or friend nearby. If you are alone, go straight to the next item |
| 83 | Block your SIM card via the mobile operator's hotline | Ask a passerby, taxi driver, security guard or police officer to lend you a phone. If there is no one around, get to the nearest mobile phone store |
| 84 | Call the hotlines of the banks where you have accounts and block all bank cards and accounts | Act quickly |
| 85 | Block all important accounts (email, Public Services, tax, online banking, social networks, electronic document management) | |
| 86 | Let your family and friends know that your phone was stolen, and also post about it on social networks | So that scammers do not call your friends on your behalf or blackmail them. The memorized phone numbers of your loved ones come in handy here |
| 87 | File a police report | Illegal actions may be performed from your number; you will have proof that you have nothing to do with them |
| 88 | Log out of all messengers on the stolen device | So that the thief does not get your correspondence |
| 89 | Unlink the stolen device from your Google account, messengers, Public Services, financial apps and social networks | To prevent the thief from acting in your accounts |
| 90 | Change passwords for important accounts: email, Public Services, tax, bank accounts, social networks | Do this once a duplicate SIM card has already been issued to you |

If you received a text message about debits that you didn't make

| # | Action | Explanation |
|---|--------|-------------|
| 91 | Make sure the text message came from the real number of the bank or payment system, and check that the card balance has actually decreased | If so, your card is being used by an attacker, so act quickly |
| 92 | Block all bank cards | Hurry before the crooks withdraw all the money |
| 93 | Call the bank and report the debits you did not make | Act quickly, take screenshots of the chat with the bank, and record your conversations with the bank on a voice recorder |
| 94 | Do not rush to file a police report under the bank's dictation | If the money was stolen without your knowledge, it was stolen from the bank; this is very important! Do not go to the police as the victim. The bank will conduct the dialogue as if the money was stolen from you, but this is not the case. Send a claim to the bank stating that the aggrieved party is the bank and you are a witness. The bank must return the money to your bank card |

If you were illegally issued a microloan

| # | Action | Explanation |
|---|--------|-------------|
| 95 | Do not make payments to repay this loan | You did not apply for this loan |
| 95.1 | Withdraw all your money from this bank | It is also advisable to revoke all previously given direct-debit authorizations. Read more here: http://fgramota.ru/docgenerator/web/site/description?id=60 |
| 96 | Write a claim to the bank | Demand that it cancel the debt, exclude the loan agreement from the list of agreements to which you are a party, correct your credit history at all credit bureaus, return all payments debited from your account under this loan agreement, and compensate the expenses you were forced to incur. Wait 15 days. If the bank refuses to comply with your legitimate demands, see the following items |
| 96.1 | File a similar complaint with the Financial Ombudsman | Additionally, indicate that the affected party is the bank that was deceived by fraudsters |
| 96.2 | Submit a similar complaint via the Bank of Russia's online reception | Additionally, indicate that the affected party is the bank that was deceived by fraudsters |
| 97 | Ask the lender for a copy of the fake loan agreement and a copy of the passport it was issued against | |
| 98 | File a claim in court to declare the loan agreement null and void because you did not enter into it | In this case the bank will have to prove that it was you who took the loan, which it cannot do because you did not. The fraudsters stole money from the bank, not from you. Word the claim so that the aggrieved party is the bank, which did not exercise due diligence and fell for the fraudsters' trick. Add to the claim a demand for legal penalties and compensation from the bank. After the situation is resolved, get a certificate of no debt from the bank. Examples of court decisions in favor of clients: VTB https://pastebin.com/6TPwgLkx, Alfa https://pastebin.com/rzpzZjSc, OTP https://pastebin.com/xD34FRST, ICD https://pastebin.com/bmvh05Lz |

If a fake EDS was issued to you

| # | Action | Explanation |
|---|--------|-------------|
| 99 | Call the certification center and revoke the certificate | The certificate must be revoked by the certificate authority that issued it |
| 100 | Block the EDS on Public Services | Keep in mind that blocking it in the Public Services personal account does not revoke the certificate |
| 101 | File a police report | |

If a sole proprietorship has been illegally opened in your name

| # | Action | Explanation |
|---|--------|-------------|
| 102 | File a police report as soon as possible | |
| 103 | Write an objection to the Federal Tax Service about the illegal registration of the sole proprietorship, as soon as possible | |
| 104 | Contact a lawyer if a loan has been issued to the sole proprietorship | |

If you lost your passport

| # | Action | Explanation |
|---|--------|-------------|
| 105 | File a police report and get a notification slip | |
| 106 | Make sure no one has had time to register a sole proprietorship using your lost passport | |
| 107 | Make sure you have not become the head of a shell LLC | |
| 108 | Make sure no loan has been issued in your name | |

If the SIM card is suddenly disconnected

| # | Action | Explanation |
|---|--------|-------------|
| 109 | Call your mobile operator and find out the reason for the disconnection | |
| 110 | If the card was disabled by a third party, it's scammers. Block your bank cards and accounts until the situation is resolved | |

If there was an unauthorized login to your email account

| # | Action | Explanation |
|---|--------|-------------|
| 111 | Restore access to your account and change your password | |
| 112 | Block all important accounts (Public Services, tax, Rosreestr, finance, social networks, electronic document management) | |
| 113 | Change passwords for all important accounts | |
| 114 | Delete suspicious sessions, unlink suspicious devices | |
| 115 | Open your account settings and make sure the fraudster did not set up forwarding of your mail | |
| 116 | Check all important accounts for actions you did not perform | No EDS issued, no sole proprietorship registered, no loans taken, no participation in shell LLCs, no applications to state services submitted, no documents signed in the EDI system |

If your Public Services account was hacked

| # | Action | Explanation |
|---|--------|-------------|
| 117 | Block all important accounts (tax, Rosreestr, finance, social networks, electronic document management) | |
| 118 | Call the Public Services hotline and report the break-in | |

Examples

  1. Your phone was stolen, and the thieves gained access to your email and your mobile operator's personal account, changed the code word at the bank and withdrew money from your credit card. It could have been prevented by following items 1, 15, 17, 35, 82-90.
  2. Crooks set up a fake cellular base station. The victim made a call within the coverage area of this station, after which the SIM card data fell into the fraudsters' hands. They then cloned the SIM card and, using the Mobile Payments service, stole money from the account. There were no text messages or calls; the victim noticed by chance that the balance had dropped sharply. It could have been prevented by following items 13, 24.
  3. Crooks hacked the victim's Yandex email account and linked the victim's bank card to it. Then a small amount was withdrawn in several payments. It could have been prevented by following items 91, 92, 93.
  4. The classic phone scam involving the "bank security service", the prosecutor's office and the Central Bank. The crooks were well prepared for the attack, using photos of relatives in their dialogue and intimidating the victim. As a result, the girl took out loans under dictation and transferred money to "secure" accounts. The damage is 700k. It could have been prevented by following items 6, 12, 40.
  5. The victim had a Trojan on her device. A call from the "security service", a long conversation with the scammers; the woman said that an SMS with a code had arrived, but she did not read out the code. As a result, the crooks linked their phone number and transferred 230k to their own account. It could have been prevented by following items 6, 7, 40.
  6. A call from the "security service", a long conversation; the scammers asked the victim to open the Alfa-Bank app and asked whether the SMS had arrived. The victim did not read out the code from the text message, but the money was still stolen from the account. Most likely there was a Trojan on the device that forwarded SMS messages to the scammers' server. It could have been prevented by following items 6, 12, 40.
  7. The crooks somehow learned the code word and the answers to the security questions. They then linked their phone number to the victim's bank account and emptied the card, pushing it into overdraft. It is difficult to get a card without overdraft enabled, but it is possible. Such an attack is prevented by following items 33, 79, 91, 92, 93.
  8. The crooks somehow learned the victim's code word and security question answers, linked their number to his bank account, issued a credit card and withdrew 93,000 rubles from it. It could have been prevented by following items 6, 21, 33, 40, 79.

Conclusion

Many people think that they will never fall for the tricks of scammers, that the schemes are outdated and easy to see through. But this feeling is deceptive. I will list the types of scammers who specialize in different kinds of attacks:
  • hackers (break into servers and accounts, steal and sell personal data, invent new fraudulent schemes),
  • carders (buy and use stolen bank card databases),
  • phone scammers (social engineering, blackmail),
  • skimmers (steal bank card data),
  • offline scammers (scams outside the Internet, theft of phones, bank card data and personal data),
  • virus writers (create and distribute malware),
  • manufacturers of forged documents and scans (supply the shadow market with fake documents).

They communicate on the darknet, use each other's services, exchange information and take part in the shadow economy. Scammers are not stupid or illiterate people: they have accumulated a lot of knowledge about their "craft", constantly exchange information, improve their skills, look for loopholes, and their numbers keep growing. They will come up with new, non-obvious schemes. However, there is little movement from the state or the banks to protect the population in this direction, even though the SOBR periodically pays scammers a visit. And yet there is a fairly simple solution against fraudulent call centers. Articles about bank card thefts and phone scams keep appearing on the Internet, along with disappointing statistics about the damage caused by digital scammers. But it is profitable for banks to make services convenient, and convenience does not always go together with security. Therefore, for the foreseeable future it is better to rely only on yourself and be able to defend against attacks.

My point is that, unfortunately, there is no 100% protection against scammers. Anyone can get caught. But you can minimize the risks and, better still, play ahead and make possible attacks unprofitable and complicated. It is important to complete as many items from the checklist as possible, because they work as a whole to provide the maximum level of protection. I will be glad if this article prevents at least one fraud!
 