Published: April 9, 2020 in our Security Fraud News & Alerts Newsletter.
With all the mobile apps and desktop software applications, there are literally hundreds of patches and updates available every single day. Patches and updates are used to resolve bugs, enhance usability and, most importantly, address cybersecurity issues. The problem is that often, when an update becomes available, the user is not made aware of the exact reason for the update. Instead, a simple message may pop up on your screen that says something like “An update is available for Application Name. Would you like to install now?” Then you are given the choice to answer yes, no or remind me later. Because users are not specifically told what the update will address, they are more inclined to simply ignore the message because they don’t feel like dealing with it at that particular time.
If the update is only there to enhance the user experience or address a non-critical bug, then ignoring the update is probably no big deal. On the other hand, if this update is addressing a critical security vulnerability, then ignoring it leaves the user’s computer at risk. To make matters worse, in many cases by the time an update becomes available to an end user to address a security vulnerability, cyber criminals are also already aware of the issue and are actively trying to attack as many unpatched systems as possible.
So of course, the logical conclusion here would be to simply install every patch and update you are notified about. But wait, there is a problem. You see, those pop-ups that tell you a new patch or update is available often turn out to be fakes. The pop-up could actually be a message displayed on your screen by a cyber criminal attempting to install malware on your computer. So, how do you know when the pop-up is real and when it’s an attack?
The best advice I can give is to always err on the side of caution and start with the assumption that the message is malicious and designed to get malware onto your computer. Because so many attacks start with bogus messages claiming to be security updates, no matter how real the message looks, your action should be to close the pop-up without choosing to install anything.
Now, I know this goes against the most important rule, which is to always make sure your computer has the latest updates and patches; but trust me on this. A random pop-up on your screen is far more likely to be malicious. In addition, if you attempt to close the pop-up and it won’t let you, this is yet another indication that it is absolutely a fake. If this happens, your last action should always be to reboot your computer.
Under no circumstances should you give up and simply agree to install the proposed update. The cyber criminal’s hope is that you will give up on trying to close the pop-up and finally just agree to install the so-called update. Of course, if you do, you have just fallen victim to a malware attack.
But what about a real update? Obviously, if there is a legitimate security patch available, you want to make sure it is installed on your computer. The first thing you need to find out is whether installing it is something you are responsible for doing, or whether all updates are provided by your IT department. If your IT department is responsible for keeping your computer up to date, then there is nothing you need to do. If there is a legitimate update, they will take care of it. On the other hand, if you are responsible for applying the latest updates on your computer, then your next step should be to confirm whether an update is really available. In most cases this is as simple as opening the application named in the notification and selecting the option “Check for updates.” Almost all applications have this or something similar as an option. If it comes back with a message saying an update is available, you should apply the update immediately.
Another option is to visit the official website of the manufacturer of the application. There you can find out the latest version available and confirm your application is current. In some cases, your best option is to reboot your computer and when you log back in, wait a few minutes before you start doing anything.
Many applications on your computer are designed to automatically check for updates when the computer first starts. After you have logged into your computer, but BEFORE you open any web browsers, some applications might place a pop-up message on your screen indicating an update is available, but only if you wait a couple of minutes. Because you have not yet opened any web browsers, you can feel very confident that these pop-up messages are legitimate and can follow their instructions to install the latest updates. Again, it is important that this all takes place before you open a web browser.
Security update notifications are a common tactic used by cyber criminals and can put your computer at risk. However, if you follow the simple guidelines that have been outlined in this document, you should greatly reduce your chances of falling victim.