5 Of The Most Common Ways Malware Is Spread (And How To Stay Protected)
The internet is a very large place filled with things both wonderful and terrible. One of the not-so-wonderful things is malware, a simple catch-all term that refers to any software with malicious intent. Unfortunately, malware is everywhere, and it's no exaggeration to say you probably narrowly escape its claws multiple times a day.
There are various different types of malware, including viruses, trojans, ransomware, worms, adware, and spyware. A lot of these are self-explanatory — ransomware holds your data to ransom, adware spams you with ads, and spyware spies on you. Viruses and worms are both types that are made to spread, and trojans disguise themselves as something legitimate.
The type of malware almost doesn't matter though — they're all bad and you don't want any of them, so what is important is understanding how it spreads, and how to avoid it.
The type of attacks you're most vulnerable to depends on who you are, what devices you use, your internet activity, and the extent of your knowledge on this subject. In this list, we're keeping it simple and covering the kind of stuff that average internet users are most susceptible to, including information to help you understand what to click and what not to click.
Phishing emails
Email addresses are incredibly easy to get hold of. You can buy them, guess them, collect them from social media — they're everywhere. This means basically anyone can send you an email, and they can send whatever they want.
One popular way email scammers try to steal sensitive information is by pretending to be a legitimate company. The bigger the company, the more people it's relevant to, so top names like Amazon, PayPal, DHL, Microsoft, Google, LinkedIn, WhatsApp, and FedEx are common.
You might also see region-specific phishing emails parading as the postal service in your country, or even a tax agency. For scammers, the trick is to pick names that you know and already give money to, so you're not suspicious when you read the email. The email itself can spread various different types of malware, as well as trick you into entering information like account numbers or passwords.
Links in the email can also direct you to fraudulent websites and prompt you to download malware. These kinds of links can also come from people you know: When scammers successfully break into an account, they'll often send their phishing emails to the victim's entire contacts list.
The key to avoiding these kinds of tricks is to always pay attention when you're checking your emails. Whenever an email asks you to act, click the sender's name to view the actual email address. On a scam email, it's probably just a string of random letters, numbers, and general nonsense, rather than the proper sender.
Fraudulent websites
One way scammers can get you to download their malware is to pretend to be something you actually want to download. When you want to download the Firefox internet browser, for example, you'll probably just type "Firefox" into Google and click on their website.
However, there's no guarantee that the real website will be the top result. Scammers can fool search engines into ranking them higher than official websites, and they can even pay Google to display an ad right at the top of the page — and yes, this can happen without Google realizing it's a scam.
Since the fraudulent website can't have the exact same address as the real one, it will usually have a spelling mistake or an extra element. This will be enough to alert some users, but others, such as people with a different native language, dyslexia, or eyesight problems, might be less likely to notice. You can also just forget to check if you're in a rush or not aware of the danger.
Once you've clicked, a decent fraudulent website will look almost, if not completely, identical to the real thing. There's no telling exactly what kind of malware you might install — some will make you aware of your mistake right away, while others might work their evil in the background and stay hidden. Stay safe by bookmarking real versions of websites, typing the address directly into the address bar, and of course, having a proper security solution set up.
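The two checks described above, looking at the real sender address of an email and spotting a web address with a spelling mistake or an extra element, can be automated. The following Python sketch is an added example, not part of the original article; the trusted list, the sample addresses, and the two-edit threshold are all constructed assumptions, and taking the last two labels as the site's name is a simplification.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist (assumption): sites this user has bookmarked as genuine.
TRUSTED = ("mozilla.org", "paypal.com", "amazon.com")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Lowercase host taken from a URL or from an email From header."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return parseaddr(value)[1].rpartition("@")[2].lower()

def classify(value, trusted=TRUSTED):
    """Label a link or sender as trusted, lookalike, or unknown."""
    host = host_of(value)
    if not host:
        return "unparseable"
    # Genuine: the trusted domain itself or one of its subdomains.
    if any(host == good or host.endswith("." + good) for good in trusted):
        return "trusted"
    labels = host.split(".")
    # "Extra element": a known name embedded in some other domain.
    for good in trusted:
        if any(good.split(".")[0] in label for label in labels):
            return "lookalike: extra element around " + good
    # "Spelling mistake": last two labels within two edits of a trusted domain.
    site = ".".join(labels[-2:])
    for good in trusted:
        if 0 < edit_distance(site, good) <= 2:
            return "lookalike: misspelling of " + good
    return "unknown"

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("https://www.mozilla.org/firefox/",
                   "https://mozi1la.org/download",
                   "https://mozilla.org.get-browser.example/",
                   "PayPal Support <service@paypa1.com>",
                   "x7q2k@mail.example"):
        print(sample, "->", classify(sample))
```

A result of "unknown" only means the address is not on the list; it still deserves the manual checks described above.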
Fake apps
Unfortunately, it's not just fraudulent websites you need to worry about — there are also fraudulent apps. It's so quick and easy for us to hop onto the App Store or Play Store to download apps, and as storefronts run by trustworthy companies, it can feel like a very safe process. However, as you start scrolling further and further down that results list, more and more small and unknown apps will start to appear, and it's very likely that some of them will be malicious.
Some mimic successful apps in the hope that you'll accidentally download them instead of the real version, or advertise themselves as a free version of a popular paid app. Once you download them, however, the malicious code scammers have inserted into the app will do its job and cause you all kinds of trouble.
Other scammers just make generic apps, like alarms, calculators, calorie trackers, flashlights, and calendar widgets, which do actually do what they advertise — but also steal your data in the background.
To stay safe, you need to pay attention and keep a lookout for the telltale signs. Check reviews and download numbers, look for strange language and spelling mistakes, see if the screenshots look legitimate, and check the "More by" section to see what else they've made. If you're just downloading something like a flashlight app, you should also check the app permissions. If they want access to your location, browser history, and photo gallery — that's probably a red flag.
Remote Desktop Protocol (RDP)
Remote accessing a computer means controlling one computer from a different device. If you let someone remotely access your computer, you'll literally see them moving around your cursor — until they block your screen, of course. This software is usually used for tech support or even tutorials in school IT classes, but scammers can also use it to steal pretty much any and all data on your computer.
While this type of attack can happen through scammers breaking into vulnerable servers and networks, it's mostly carried out through social engineering. In other words, the scammers trick you into consenting: It's often done over the phone, so older people are more susceptible.
Scammers pretend to be a computer company or service provider and convince the victim that something is wrong with their computer, and it requires tech support. They might try to scare you off trying to fix the problem yourself by throwing around complicated technical terms, so the only thing to do is give them remote access so they can do it themselves.
Once they're in, they have access to everything. They can download software to your computer to record your keystrokes and collect passwords or hold your computer to ransom and demand payment. On top of all that, they might also ask for payment for "fixing the issue." Almost no legitimate companies will ask for remote access, so be wary of anyone who does. An up-to-date system is also a must-have for staying safe.
USB drives
Everything included in this list so far falls under the category of "social engineering," and this last point is no exception. Rather than doing crazy hacky stuff, it's a lot easier for scammers to just trick people into doing what they want. These are often the most famous scams, and most likely to affect the average user.
This trick has been around for quite a long time, but it still works and still happens. It involves sticking unknown external devices into your computer — most commonly, USB drives. While more tech-savvy people probably store and share everything through the cloud, USB drives are still in popular use all over the world, and they can turn up in all sorts of places.
You might find one left on a café table, or be offered a free one at an event as a way to share files or just as a fun freebie. This was once a popular way for scammers to get their ransomware into companies — they'd hand out drives at industry events and wait for an unwitting employee to plug it into their work computer and compromise the entire organization. Nowadays, high-security companies don't even let non-company USB drives onto the premises.
If you find a USB drive and plug it into your device, a whole host of different things could happen, and none of them are good. Keyloggers, ransomware, spyware, and other types of malware could be downloaded to your device — especially if you don't scan it first.
The stay-safe-checklist
To round things up, here's a list of some of the most important tips for staying safe and avoiding malware during normal computer activities.
- Always keep your software up to date. Anytime your operating system or any of your downloaded programs want to update, make sure you let them do it.
- Use a password database like 1Password or LastPass. These services will pick completely random passwords for you and store them, making sure all your passwords are strong and no two accounts use the same one.
- Use two-factor authentication with any service that offers it for an extra layer of protection.
- Never click suspicious attachments in emails. Check the sender's email address, check for grammar and spelling issues, and think about whether their request actually makes sense.
- Always double-check websites before you download from them to make sure they're real and offering the real deal. If you find sites claiming to let you download software like Photoshop for free, don't fall for it!
- Don't stick unknown USB drives in your computer, period. There's no reason good enough to risk it.
- Don't believe anyone who says they need to remote access your computer. If someone calls up saying they're from Microsoft and you're not sure whether to believe them, just hang up and call Microsoft's official customer service yourself to double-check.
- If you think you're already infected, check the common signs.