When you shop online and use PayPal on your computer and mobile devices, it's important that you aren’t vulnerable to fraudsters.
Software is complex and often has minor bugs. Hackers find and exploit these bugs to install malicious software. “Malware” – short for “malicious software” – can capture everything that you type (including your PayPal account name and password) and send it to scammers who use the information to access your account.
Fortunately, device makers and application developers are very diligent about providing updates to operating systems and applications. That’s why it’s a good idea to keep your system and applications updated with the latest releases. The easiest way to do this is to enable automatic updates for your system and applications when possible. Normally this is managed through the Control Panel on Windows and under Preferences on macOS.
Along with operating system updates, it's important to keep applications up to date because these are also vulnerable. Popular applications are often targets for hackers. Some examples include:
- Web browsers including Internet Explorer, Chrome, Firefox, and Safari
- Microsoft Office
- Adobe Reader
- Adobe Flash Player
When security updates are published, the software company usually indicates problems they’ve fixed. So, even if hackers didn’t know about the vulnerability before the fix, they'll know where to look afterward. It's important to stay current because hackers can exploit systems that don’t have current security patches.
Malware defense: install anti-virus software
Viruses or malware are malicious software that can be installed on your system through security holes or user actions. Someone could send an infected file, or you could download something that seemed safe – but wasn’t. Just like a human virus, malware can be spread in many ways and it's usually unclear how it got onto your system. Anti-virus software can help prevent the installation of new malware and will detect most malware if it does get installed.
If malware gets on your system, it can capture everything you type, like the passwords to your email account, PayPal account, and other financial accounts. These can be sent back to scammers and give them access to your accounts, causing financial problems and embarrassment. Malware can read all the files on your system, including your email, your financial records, and personal information. Malware can also take over your system to send out spam emails, or attack other people’s accounts. If malware takes over your system, you’re not just a victim – your system becomes part of the problem.
Anti-virus software can check incoming email and run scheduled checks for malware that’s snuck onto your system. Traditionally, malware has been a problem for PCs, but more malware is being seen on mobile operating systems (like Android and iOS). So consider anti-virus protection for your tablet and smartphone.
It’s important to stay cautious: anti-virus software will catch most things, but it won’t catch everything. There is a variety of good anti-virus products available and many of them have free versions. For example, Microsoft Essentials, AVG, Avast, Comodo, and Malwarebytes all have free versions that are highly rated. Remember to enable automatic updates, because the anti-virus developers are constantly identifying and addressing new threats.
Be careful what you click
Some malware targets vulnerabilities, like bugs in the software on your computer. Other malware masquerades as games or screen savers, just waiting for you to install them. One common strategy is to display a fake virus test and tell you there’s a problem and that you need to download some software to be secure again. But the software you're persuaded to download is actually malware!
Malware can come from website downloads or attachments in emails. If you receive an unexpected email from someone with an attachment, be suspicious. If the email has only a short, non-personal message like “Hey! Look at this cute puppy!” or “This is funny!” with an attachment, be even more suspicious. Check the sender’s email address if you are in doubt. If you are still in doubt and think you need to see the attachment, call the sender and ask. You may find that the sender’s email account was hacked and is now being used to send out malicious spam.
Anti-virus software will help protect you against bad attachments and bad downloads, but it won’t protect you from everything and it’s not a substitute for common sense. Remember that even the best anti-virus software is vulnerable if you don’t keep it up to date.
Use a password on your PC
If you forget your password, PayPal and other online accounts use email to help you recover your account access. In most cases, if a thief can access your PC or mobile device, they can also immediately access your email. This makes it easier to attack your online accounts and steal personal information.
That’s why we recommend using a password on personal computers. If someone can access your system for even a few minutes, they can install malware. A password will make it harder for a thief to access information on your system in the event that it’s stolen. And even if the thief eventually gains access to your system, this password gives you more time to change your online, email, and PayPal passwords.
Mobile phone physical access
Even with a PIN-locked mobile phone, you should still be cautious. Since we can send a temporary code via SMS if you forget your account password, someone could easily access your account if they saw an SMS on your unattended phone. So don’t leave your phone out when you aren’t around. Take it with you or keep it someplace secure.
Use a PIN on your device
If a scammer temporarily gains access to your device, they could also access your email or personal information. That’s why you should use a PIN to lock your mobile device. Simple PINs like 1234 or 1111 are the most common and most easily guessed. The same goes for birth month and day (like 0317), which could be easily guessed by somebody who casually knows you. Instead, we recommend thinking of a unique word that you can remember and spelling the word with the numeric pad. For example, “blue cow” would be 2583 (B-L-U-E on the numeric pad). See PIN Security for more details.
You should have the screen auto-lock on your device after a few minutes of inactivity. A short time out (like 3 minutes) reduces the chances of someone accessing your information.
Unfortunately, only 50% of mobile phone users have a PIN on their device. Imagine that someone found or stole your phone, then started calling everyone in your address book at 2 AM. You’d feel very foolish when PINs are such easy protection to enable.
Don’t forget about your smartphone and tablet. Most people don’t secure these as well as they should. By following a few simple tips from PayPal and NCSA, you can have greater security and better peace of mind:
- Always activate a PIN or lock function for your mobile device. A PIN is the simplest and most important thing you can do to ensure security on your mobile device, especially if it's lost or stolen.
- Automate software updates. Many software programs can automatically connect and update to defend against known risks. Turn on automatic updates on your mobile device if that option is available.
- Use common sense when downloading apps. Unknown or repackaged apps can contain malware designed to steal financial information from a mobile device. So always purchase or download apps from companies that you trust and check reviews. When installing new applications, review permissions and decide whether you’re comfortable granting the access that an application requests.
- Enable “Find My Device.” If your phone, carrier, or antivirus software supports a “find my device” feature, it’s a good idea to activate it. This functionality can help you find your device if it’s lost or stolen, and can remotely lock it or wipe it clean if necessary.
- Back up your device. It's critical to back up your device on a regular basis. Some operating systems can do this automatically. If you ever need to exercise the remote wipe feature mentioned above, you'll be glad to have a current backup that you can use to configure a new device.