Control access to your devices
Secure your devices against unauthorized access just like you protect your home against burglary.
On the Allegro CERT website, we devote a lot of space to various types of threats, such as phishing campaigns and other methods of attack used by cybercriminals. The criminals' aim is clear: to deceive or defraud Internet users (including our buyers and sellers on Allegro), or to induce them to perform a specific action: click on a link, make a transfer, install malicious software, etc. However, have you ever wondered how criminals select their victims? Where do they get the data about them to carry out phishing campaigns on a massive scale, or, conversely, campaigns targeted at a specific person or company?
In simple terms, information about us, such as our first name, last name, email address, phone number, place of residence, and other similar data, can be divided (from our perspective as users) into two groups:
The first group includes primarily information about us that we have posted or provided on various occasions online. Unfortunately, in the era of social media and an extensive “digital life,” we very often set traps for ourselves by thoughtlessly sharing information about ourselves with more or less random Internet users in more or less random places. In extreme cases, this can lead to the phenomenon of “identity theft,” resulting in a complete loss of control over one's data (for example, someone can use our data to obtain false documents and take out a loan in our name).
The second group is data that is not yet on the Internet or is not easily accessible to everyone (because it is held by providers we know and trust). Please note that this does not mean that it is impossible to find information about us or that it cannot appear in a leak—we are only saying that criminals would have to go to much greater lengths to access it, which they are usually unwilling to do.
The above paragraphs lead us to the simple conclusion that if we want to minimize the chance of becoming a victim of an attack, we should minimize the amount of information we give to criminals on a silver platter. You will learn how to do this below.
Data protection on the Internet is not easy, as it requires a reasonable balance between our wishes and needs on the one hand and security and privacy on the other. However, there are a few rules that can significantly reduce the chance of our data being targeted by criminals who want to use it for nefarious purposes:
1. Use services and websites you trust (such as Allegro! 🙂). Larger providers usually have well-prepared privacy policies, undergo regular audits and security tests (internal and external), properly secure data, and cooperate with institutions such as CERT Polska and similar national organizations that care about cybersecurity. This rule applies not only to online purchases, but also to services where we have our email account or various other applications that we use and which ask us to provide our data at various stages.
2. Remember that a trusted provider is only half the battle! It is up to you to configure the settings correctly on the website you use. This rule is particularly important for social media, because that is where we post the most information about ourselves. An example is the visibility of our profile: most websites offer several options here (the profile and/or its content can be seen by everyone on the Internet, only people logged into the website, or only people on our friends list). It is worth reviewing these settings from time to time and adjusting them to your preferences.
3. Do not disclose your email address, phone number, and, if you do not have to or do not want to, your full name in publicly accessible spaces. Of course, in order to make purchases on Allegro, for example, you must provide us with your basic shipping information (but then see point 1 above), but posting such information on a random forum, on your social media wall, or on Discord is a very bad idea.
4. Never, ever post photos of your documents, credit or payment cards, or any identifiers such as your social security number, ID card number, or similar information online. Remember that, as in the case of the data described in the point above, criminals rarely “read” this data manually—they have tools such as various types of robots (so-called scraping bots) that can “extract” it en masse from the websites where it has been posted. Of course, there are legitimate cases where providing data such as your PESEL number or ID card number (e.g., at a bank) is necessary, but this should be the exception rather than the rule.
5. Be aware that criminals often use data from leaks to prepare attacks, and you may not even be aware that such a leak has occurred! That is why it is so important to consciously choose trusted services and providers. If you want to check whether your email address has been included in a (known) leak, visit https://haveibeenpwned.com. Of course, apart from confirming this, it is important to remember the rules above... Data that you have not posted online cannot be leaked 🙂
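Identifiers such as email addresses, PESEL numbers and payment card numbers are easy for automated tools to recognize because they follow fixed formats and carry checksums. The sketch below is an added example, not Allegro CERT's code: a self-check you can run over a draft post before publishing it. The patterns, function names and sample text are assumptions constructed for illustration.

```python
import re

# Patterns are illustrative assumptions: an e-mail address, a stand-alone
# 11-digit run (PESEL candidate) and 13-19 digits with optional separators.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PESEL_RE = re.compile(r"(?<!\d)\d{11}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)


def pesel_valid(candidate):
    """Check the PESEL control digit (the 11th digit)."""
    digits = [int(c) for c in candidate]
    total = sum(w * d for w, d in zip(PESEL_WEIGHTS, digits))
    return (10 - total % 10) % 10 == digits[10]


def luhn_valid(candidate):
    """Check the Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_exposed_identifiers(text):
    """Return (kind, value) pairs for identifiers found in a draft text."""
    findings = [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    findings += [("pesel", m.group()) for m in PESEL_RE.finditer(text)
                 if pesel_valid(m.group())]
    findings += [("card", m.group()) for m in CARD_RE.finditer(text)
                 if luhn_valid(m.group())]
    return findings


# Constructed sample draft; every value in it is a test value.
SAMPLE = ("My parcel is late. Order 12345678901, PESEL 44051401359, "
          "mail jan.kowalski@example.com, card 4111 1111 1111 1111.")

if __name__ == "__main__":
    for kind, value in find_exposed_identifiers(SAMPLE):
        print(f"remove before posting: {kind}: {value}")
```

The 11-digit order number in the sample is ignored because its control digit does not match, which shows why checksum-bearing identifiers can be picked out of free text with very few false positives.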
The less data we publish about ourselves online and the smaller the audience that has access to it, the lower the chance that we will be targeted by criminals. It is worth taking a moment to review the settings of the services, applications, and websites we use—many of them have easy-to-enable settings that protect our privacy and data. We also encourage you to review other articles on the Allegro CERT website, where you can learn more about other aspects and layers of security, such as MFA and password managers, which will help you feel even safer.