Staying safe online

As more people venture online during the Coronavirus lockdown, staying safe is more important than ever.  

Unfortunately, just as in the real world, there are criminals online who are trying to make money. They do this by:

  • Tricking you into giving them money
  • Stealing your data (such as your email address or password) to sell for money 
  • Using your bank or card information to take your money 

The good news is that by taking some precautions and following simple rules you can spot and ignore scams pretty easily - and feel confident that you are safe online. 

Consider who to share data with and how

When you start using the internet you will probably have to set up online accounts with various companies - this could be an email provider (like Hotmail or Gmail), social media (like Facebook and Twitter), online shopping and banking accounts or entertainment services (like the BBC or Netflix). 

Most of these ask you for some information when setting them up, such as email and postal addresses and maybe phone numbers. This is all pretty standard and whilst it can be disconcerting handing the information over, it is how the internet works. 

Not all online companies may be reputable though - so here are some things to bear in mind:

Consider who you give data to 

  • Do you know of the organisation in the ‘real world’ (e.g. Tesco)?
    If not, what can you find out about them before setting up an account with them? 
  • How did you find out about the organisation?  
    If someone you know and trust recommended them, that's a good sign. If it’s from an unknown source then treat it with caution.
  • Look for websites with the magic padlock.
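    Sites that ask for your data or take card payments should have something called an SSL certificate, which means your data will be transferred to them securely. A site without one is not to be trusted for submitting data or payment details. The padlock only tells you the connection is secure, not that the company behind the site is genuine, so use it alongside the other checks in this list. To find out whether a site has one, look at the website address in your browser: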
    • Secure sites (SSL certificate) start with https and have a padlock symbol 
    • Unsecure sites (no SSL certificate) start with http and don’t have a padlock symbol

Consider what data you supply

  • Companies should only require information that is relevant to the service they are providing. They might ask for more, but it is often optional, so only provide information you are comfortable sharing.
  • Genuine purchases rarely need more than a name, email and postal address; anything extra is probably unnecessary and possibly suspicious.
  • Social media account information (e.g. Facebook) might end up publicly available - so adjust your sharing settings to control what is ‘out there’. While sharing your name will be useful, there is unlikely to be a need to share your phone number, email address, postal address, date of birth etc.
  • Some data, such as email addresses, will be stored by the company to enable your account to run. Many sites also offer to save your card payment details so you don't have to enter them each time. Generally, this is not recommended by safety experts, as it does mean your card details are stored online, something that is best avoided.

Protect your data with passwords

Having strong and different passwords for different accounts is your best first line of defence. While it can be annoying having multiple passwords, it really is important and a good habit to get into. 

The most common way criminals find out your password is by guessing - but the guessing is not done by a human, it’s done by a computer. A computer will automatically try as many passwords as it can - and it can try lots very quickly. It will start by trying obvious and common ones, such as: Password1234, Abcd1234, Qwerty or 11111111.

These programmes will also not be fooled by common replacements. They are just as likely to find ‘P@55w0rd’ as they are ‘Password1’.

Set strong passwords: The key to beating these types of attempts is to set a password containing unlinked words or phrases, using a mixture of lower and upper case letters and numbers - and symbols if possible.

Ideally the numbers and words would be random, but you could use words that mean something to you to make it easier to remember. However, they should be hard to find out and not connected. For example, they might be your sibling's middle name, name of your first pet, your first teacher, first school etc.

A good approach is:

  • Choose three short (4 to 6 letters) unrelated words eg chair, boat, garlic
  • Choose two sets of two digits eg 56, 89
  • Arrange and capitalise them eg 56ChairBoatGarlic89
  • You could add symbols too eg Bo@t instead of Boat
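
The two ideas above (guessing programmes that undo common replacements, and the three-words-plus-digits recipe) can be shown in a short Python sketch. This is an added example, not part of the original Making Music guidance; the word list, the common-password list and the function names are constructed for illustration.

```python
import secrets

# Constructed sample data: a real checker would load many thousands of leaked
# passwords, and a real generator a word list of several thousand words.
COMMON = {"password", "password1", "password1234", "abcd1234", "qwerty", "11111111"}
WORDS = ["chair", "boat", "garlic", "window", "maple", "river",
         "candle", "tiger", "pencil", "cloud", "ladder", "orange"]

# Common character swaps that guessing programmes undo automatically.
SWAPS = str.maketrans({"@": "a", "4": "a", "5": "s", "$": "s", "0": "o",
                       "3": "e", "1": "i", "!": "i", "7": "t"})


def normalise(password):
    """Lower-case the password and reverse the usual symbol/digit swaps."""
    return password.lower().translate(SWAPS)


def is_easily_guessed(password):
    """True if the password, or its un-swapped form, is on the common list."""
    candidates = {password.lower(), normalise(password)}
    # Also compare with trailing digits removed, so 'P@55w0rd1' is caught too.
    candidates |= {c.rstrip("0123456789") for c in candidates}
    common_forms = COMMON | {normalise(c) for c in COMMON}
    return any(c in common_forms for c in candidates if c)


def make_password():
    """Recipe from the text: two digits, three capitalised words, two digits."""
    words = secrets.SystemRandom().sample(WORDS, 3)  # three different words
    middle = "".join(w.capitalize() for w in words)
    return "{:02d}{}{:02d}".format(secrets.randbelow(100), middle,
                                   secrets.randbelow(100))


if __name__ == "__main__":
    for pw in ["Password1", "P@55w0rd", "56ChairBoatGarlic89", make_password()]:
        print(pw, "-> easily guessed" if is_easily_guessed(pw) else "-> not on the list")
```

The random choices come from Python's `secrets` module, which is designed for security use; with only twelve words the output is for demonstration, not for real accounts.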

Different passwords: It may be tempting, but avoid using the same password over and over for different accounts. Also try to avoid variations, eg changing 56ChairBoatGarlic89 to 56ChairBoatGarlic90 for a different site. 

Don't write passwords down: this is the rule lots of people break, and if you have lots of passwords it’s understandable, but it really should be avoided. Rather than writing the actual password down it's better to write down a clue that will help you remember it (e.g. eldest child’s middle name, school, teacher). If you do this, it is better to have it handwritten and not kept near your computer.

Change passwords regularly: changing passwords every six months or so is a good idea if you can. 

Don’t share your password: while most passwords are obtained by automated computer programmes, there are some criminals that will try and trick you into telling them your password. The absolute golden rule is that, unless you know the person personally and have absolute and complete trust in them, you should never tell anyone your password over the phone, by email or, in fact, under any circumstances. No company should ever ask you to tell them your password over the phone or email.

Two-step verification

This is an additional security feature offered by some online accounts that allows you to link your mobile phone number to the account to create a second security step.

After you enter your password you receive a text message with a code, which you then enter to complete the login. You don’t necessarily have to do this every time: once you are logged in on your usual device, just the password is fine. However, if an attempt is made to access your account on a different device, it will ask for a text message code.

Another way some companies use it, especially in online banking, is to text you after some activity on your account to check it was you. If it was, you don’t have to do anything but if it wasn’t, you know to contact the bank.

Be aware of online scams 

Types of scam

There are two main types of online scam: 

  • Phishing: these are scams that try and trick you into giving away information or money. They usually contain an offer or a demand. The aim is: 
    • to get you to transfer money from your bank account or make a card payment, 
    • or to get you to supply information about yourself that can then be sold or used to access your money.
  • Computer security attacks: these scams often start with a request to click on a link or open an attachment. If you do, it is easier for the criminal to hack into your computer, and so access your information and control what your computer does to: 
    • steal information and sell it
    • steal your financial details (e.g. card details) to then steal your money
    • hold you to ransom - they might offer to stop accessing your computer for a fee.

Both of these types of scam most commonly start with you receiving an email. They can also start via social media e.g. a post on Twitter or Facebook, or in an advert on a webpage. 

Scams only work if you act 

For both these types of scam criminals use the ‘throw enough mud and see what sticks’ approach. The same scam will be tried on thousands, if not hundreds of thousands of people at the same time, and the criminal behind the scam is just waiting to see who takes the bait. 

Criminals will programme computers to automatically do this for them - they are not writing and sending thousands of emails. This is how they can try so many scams.

The important thing to note is that these scams only work if you act. If you don’t act, and ignore the email, social media post or advert, the scam is over before it's even started.

Common scams 

The types of message you might see are: 

  • giving you a hard luck/sob story 
  • selling you a product or service that doesn’t exist
  • telling you you owe money for a product or service that you have ordered
  • a free offer of something 
  • informing you you’ve won a prize 
  • asking for personal information
  • asking you to verify some details
  • suggesting you’ve been hacked and you need to change your password

Whatever the starting point, they are ultimately trying to get you to: 

  • make a financial transaction or supply personal data (phishing)
  • click on a link or open an attachment (computer attack).

Caution is the best approach, so don’t act on the email or post until you are sure it's genuine. 

Spotting a scam email 

If the email is from someone you don’t know and you have done nothing to invite or instigate the email, then it's probably a scam and should be treated with caution.

Other things to consider: 

  • Is it likely?
    • Offers that sound too good to be true almost certainly are. 
    • You don't get anything for free and you don’t win prizes for competitions you didn't enter. 
  • Is it asking you to act quickly?
    • Often scam emails will use language that creates a sense of urgency or panic to get you to act without thinking first - resist this urge and give yourself time to think.
    • Very rarely do reputable companies require immediate action or use language in this way. 
  • Does the language sound right?
  • Ask yourself ‘why have they contacted me?’ 
    • If you were stuck abroad and needed help (a common scam) would you guess at a random email address and ask for help?
    • If you have never heard of a company, why would they email you? Companies should only email people if the person has given permission to be emailed - so a company emailing you out of the blue is already doing something they shouldn’t. So is it likely that their great offer on flights is genuine? 
  • Are there nuggets of truth?
    • Be aware that scammers might seem to know a little bit about you. Some scam attempts use bits of information available on the internet to make their message seem more convincing. For example, if you are a trustee of a registered charity your name will appear on the public register - as will those of other trustees. So the name of the charity and another trustee could be used to make the message seem real.  
    • Some scam emails might look like they come from an organisation you know or have an account with. The email might use the name and logo, and the sender email address might look like the company's email address. A closer look may help you establish if it is genuine or not:
      • Does the logo look a bit blurry, or stretched?
      • If you hover your mouse over the email address, does a different one show?  For example, an email from Amazon may look like it comes from 'account-alert @ amazon.service' - but the actual email address is ‘efforncedeti5693 @’
      • Does the sender name eg Google Photos look different to the sender email address eg 'kit @'?
  • Some scam emails might look like they come from a person you know. Real email accounts can be compromised or hacked, so always read emails carefully, even from friends, family or acquaintances, before clicking on any links or opening any attachments.
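
The sender checks in the list above (a display name that does not match the real address behind it) can also be automated, for example by whoever looks after a group's shared mailbox. The Python sketch below is an added example, not part of the original guidance; the brand-to-domain table and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed mapping of brand names to the domains they really send from.
# Constructed for this example; build your own from emails you know are genuine.
KNOWN_SENDERS = {
    "amazon": {"amazon.co.uk", "amazon.com"},
    "google": {"google.com"},
}


def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(from_header):
    """Return a warning string, or None if nothing looks wrong."""
    name, address = parseaddr(from_header)
    if "@" not in address:
        return "no usable sender address"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    # A display name that itself looks like an address is a common disguise.
    if "@" in name and parseaddr(name)[1].lower() != address.lower():
        return "display name shows a different address from the real one"
    for brand, allowed in KNOWN_SENDERS.items():
        if brand in name.lower() and not domain_matches(domain, allowed):
            return f"name claims {brand!r} but mail comes from {domain!r}"
    return None


if __name__ == "__main__":
    samples = [  # constructed From: headers
        '"account-alert@amazon.example" <x1@mail.example>',
        "Google Photos <kit@photos-mail.example>",
        "Amazon <orders@amazon.co.uk>",
        "Amazon <offers@amazon.co.uk.evil.example>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "looks consistent")
```

A consistent sender is not proof that an email is genuine, because real accounts can be compromised, so this check supports the other checks rather than replacing them.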

Check authenticity

If you have been through all the above and think the email might be genuine, and of interest, hold off clicking on any links in the email, opening any attachments, replying or making payments, and do some final checks first to verify the individual or company through a method other than the initial email or social media post:

  • Google the offer - if it’s a common scam it will probably come up in the search results 
  • Google the company - if you can find details about the company or individual online, can you see the same offer on their website? 
  • Call the company to ask if it's real - but try and find a phone number independently - don’t call the number in the email they sent you.  
  • Use TrustPilot - a site that has reviews of companies and is a good guide to what is genuine or not. 
  • If it’s from a company you have heard of or dealt with in the past:
    • Do you have any old emails you know are genuine that you could compare it to? 
    • Google the company name and ‘scam emails’. A lot of companies have sections on their website explaining what their genuine emails are like, detailing scams involving their name, and providing ways for you to check if something is real or not. 

Remember, if you have a concern and aren’t sure what to do, it’s always better to wait - or ask someone you know for help. Keeping yourself aware of possible scams, and taking a cautionary approach before acting, will help to keep you safe online.

We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.