How to protect your PC against devious security traps

From phishers to hackers to all sorts of attackers, here's what you need to know to stay safe on the Web.

Securing your PC against the malicious wilds of the Web isn't as simple as just keeping your antivirus software of choice up-to-date. In fact, the pervasiveness of security software has forced the bad guys to turn to increasingly clever tricks in their quest to "pwn" your PC.

But fear not! Those sneaky tricks are most effective if victims are unaware of the danger. And today, dear reader, I'm going to show you how to avoid the most devious PC security traps, because in this case knowing is more than half the battle.


Let's start with the devious attack you're most likely to encounter during your day-to-day computing.

Phishing websites mimic the look of another site in an attempt to lure you into entering your personal and account information. Although phishing websites take all forms, attackers especially like to spoof banks and social networks. Phishing attacks typically threaten from two angles: mistyped website URLs and email messages that pretend to be from legitimate sources.

One simple tell gives away a phishing site: The URL doesn't match the URL of the website you think it is. If,, or asks for your Facebook login, run away screaming. (Or at least do the digital equivalent.) I can't stress this enough: Give the URL of any website that asks you to log in a close examination before you pass out your password.

Beyond that, most social media and banking websites use HTTPS encryption by default. If the site that you're on doesn't have the lock icon next to its URL in your browser, that's a good sign that something is afoot.
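The URL and HTTPS checks described above can also be automated. The following Python sketch is an added example, not part of the original article: it assumes a constructed allowlist of login domains and uses constructed sample URLs. It goes slightly beyond the text by also flagging near-miss (mistyped) domains and URLs that hide the real host behind an "@".

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: sites you really log in to.
TRUSTED = ("facebook.com", "paypal.com")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (mistyped) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_login_url(url, trusted=TRUSTED):
    """Return a list of warnings for a login URL; an empty list means it passed."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.scheme != "https":
        warnings.append("not HTTPS: no lock icon, credentials sent in the clear")
    if parts.username is not None:
        warnings.append("text before '@' is not the host; real host is " + host)
    # Trusted only if the host IS the domain or a subdomain of it.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return warnings
    tail = ".".join(host.split(".")[-2:])  # rough registrable domain
    near = [d for d in trusted if 0 < edit_distance(tail, d) <= 2]
    embedded = [d for d in trusted if d in host]
    if near:
        warnings.append(f"{tail} looks like a mistyped {near[0]}")
    elif embedded:
        warnings.append(f"{embedded[0]} appears inside untrusted host {host}")
    else:
        warnings.append(f"{host} is not a trusted login domain")
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs, not taken from the article.
    for sample in (
        "https://www.facebook.com/login.php",
        "http://www.facebook.com/login.php",
        "https://faceboook.com/login",
        "https://www.paypal.com.secure-login.example/signin",
        "https://paypal.com@login.example.net/",
    ):
        print(sample, "->", check_login_url(sample) or "OK")
```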

The big three browsers--Internet Explorer, Chrome, and Firefox--all include safe-browsing warning systems that clue you in to suspected phishing and malware sites, while browser plug-ins such as Web of Trust and McAfee's Site Advisor can provide an extra layer of protection.

Malicious email

Scammers and hackers love email. All too often, tales of hacked Twitter accounts and Web servers can be traced back to the same origin: "A member of the team opened a malicious email message."

Okay, that's not quite true. In most cases, merely opening a piece of email won't send your world crashing down. You have to click a malicious link or open a tainted email attachment. The solution? Be wary of clicking emailed links, and don't open attachments without ensuring their cleanliness first.

That goes doubly so for email purporting to be from banking sites, PayPal, social media, or any other site to which you need to log in; often such messages are phishing attempts. (Yes, the bad guys can fake email addresses.) Instead, open your browser and navigate to the site in question directly. Email providers and programs often flag suspicious email, but their detection systems aren't bulletproof.

Many premium antivirus tools automatically scan email attachments for malware, but you still want to download attachments and scan them manually before opening them, just to be safe.

Though not all malicious email messages originate from foreign lands and contain spelling and grammar mistakes, many do. If you receive an error-ridden missive claiming to come from an official source, be on guard.

Fake update or error warnings

By now you're likely aware of adware, the annoying form of malware that inundates you with a flood of ads or scary messages that promise to disappear for a fee. You can eradicate such nuisances with antivirus tools, but that isn't the case for a similar strain of invaders that try to coax you into installing malware while you surf the Net.

These shifty sites and ads pop up boxes disguised as permission requests to update your browser, or claim that you need to download the latest version of the software to run a feature on the page. Clicking any button--often, even the Decline button--gives the attacker authority to run code on your machine, or brings you to a fake download page to install malware disguised as Flash or QuickTime or whatever. Pwned.

Side-stepping these landmines is fairly simple: If a website prompts you to update your software, manually surf to that software's website and look for updates there, rather than clicking the update pop-up. Don't click any buttons on the pop-ups, either; close the tab or window completely, or reload the page after you've installed the update via official channels.

Other drive-by downloads

Such fake updates and malicious "warnings" are part of a larger trend toward "drive-by downloads," or attacks designed to infect your computer stealthily by exploiting vulnerabilities in software.

Again, the basics for avoiding such attacks are fairly simple. Keep security and antivirus software active on your machine--but just as important, make sure that your PC and its other applications are current. Stay on top of Windows Update (Control Panel > System and Security > Windows Update), or just set it to install new updates automatically. Use Secunia PSI to automate updates for the rest of your programs: This superb software works in the background to look for new patches, applying updates automatically if possible, or prompting you to install them manually otherwise.

If you want to reduce the chances of running into fake update/error requests, you could use a plug-in such as NoScript to block JavaScript in your browser. Doing so breaks many feature-rich aspects of the Web, but you can whitelist sites you trust. Disabling the oft-targeted Java reduces your risk, too. I uninstalled Java and other popular, frequently attacked programs recently, and discovered it wasn't a headache whatsoever.

Also consider activating Internet Explorer's ActiveX Filtering, which blocks all ActiveX content by default. ActiveX is a frequent attack vector for hackers. To turn on the filtering in IE 9 and IE 10, open the Tools menu, hover over the Safety submenu, and click ActiveX Filtering when the Safety options appear.

The aforementioned Web of Trust and Site Advisor plug-ins can raise a flag when you're on a known attack site, but drive-by downloads have appeared in malicious ads on legitimate websites in the past. Stay patched and stay protected.

Zero-day attacks

Zero-day attacks exploit newly discovered, unpatched vulnerabilities to compromise your system. You can't do much about these other than following the tips above. The truly paranoid could lock down all the various security options in their browsers--setting Internet Explorer's security level to High, for example--but to be honest, that's probably overkill.

If you're worried about cutting-edge malware, consider running Malwarebytes Anti-Malware Free periodically, or whenever something raises suspicion. It's designed specifically to identify zero-day attacks, but it doesn't try to block more common exploits, so you'll want to use Malwarebytes to supplement your regular antimalware protection.

OMG hax

Direct attacks by port-sniffing hackers aren't really common, but you can nevertheless protect against such tactics by enabling some sort of firewall. The Windows Firewall tool included in Windows (Control Panel > System and Security > Windows Firewall) works just fine--but it scans only for malicious intrusions.

If you want to keep an eye out for suspicious data flowing forth from your machine--a sign of possible malware infection--then you'll want a firewall that also sniffs for outbound threats, though such firewalls require a bit more effort to set up properly. ZoneAlarm Free Firewall and Comodo Firewall (32-bit or 64-bit) are two stellar free options; most premium security suites also feature robust firewalls.

More ways to protect your PC

While these tips and tricks greatly decrease the chances of your PC catching a bug, strong security doesn't end with behavior changes. Check out PCWorld's security how-to section for scads of in-depth protection tutorials. Want to lock down your laptop for the road, learn how to protect your PC against Prism surveillance, or find some tools for the paranoid? Those items are just the tip of the knowledge iceberg.

Stories by Brad Chacos
