Your Guide to Staying Safe Online Part 2 with RCMP Officer Brian Ferguson
In this eye-opening episode of our podcast, we dive deep into the world of online safety with RCMP Officer Brian Ferguson. Consider this your ultimate guide to staying safe online.
Brian shares invaluable insights on protecting yourself from cyber threats, including the importance of regular password changes, the risks of public Wi-Fi, and the dangers lurking in social media oversharing. From the “30-Day Password Challenge” to the perils of internet-connected home devices, this episode is packed with practical advice for navigating our increasingly digital world. Whether you’re a tech novice or a seasoned internet user, Brian’s expertise offers something for everyone.
Show Notes: Your Guide to Staying Safe Online
Zena: Welcome back for part two of our conversation with Brian Ferguson, a tech crime expert from the RCMP. In our last episode, we delved into the common online scams targeting retirees, and Brian shared some invaluable advice with us and steps we should take. Today, we’re going to continue this important discussion, focusing on safe online financial practices, social media privacy, and how to effectively respond to cyber incidents. Brian has a wealth of knowledge to share, and I know you’ll find today’s part two just as insightful. So let’s pick up where we left off and dive right in.
Brian: So, that’s, you know, the idea—to protect yourself. And again, there’s a few other things you can do to help yourself in that regard. Password security is always a thing, and it’s so tough. When I first started this, we did critical infrastructure protection. So yeah, we were protecting power grids and energy companies, making sure that those were secure so that we would have lights, water, and all that stuff.
One of the gentlemen I talked with gave me a good analogy. He said, “You can put 10 locks on your door, right? And that would be a pretty secure door. It would take somebody a long time to get through 10 locks. But after the first week of you having to open 10 locks to get into your house every day, you’d kind of get tired of it. This is taking me a long time to get into my house all the time.”
So eventually, that 10 locks would become 9 locks, then 8 locks, and then 7 locks, and by the end of it, you’d be down to 1 lock. Because if it’s more difficult for you, you’re going to find yourself becoming, you know, a little more lazy with it, and you’re going to just reuse the same thing over and over again. We see the same kind of thing with passwords. Some people have different passwords for the majority of their online presences just for that exact reason. If somebody gets a hold of one of them, they can’t get everything.
And it’s difficult because, again, I trust no one and nothing, so I always make sure that I try and change those passwords on a regular basis. Recommendations can be, you know, every 30 days, depending on how important that is to you, or I would say how paranoid you are. If you feel like you’ve gone somewhere or done something where your password might have been exposed or somebody may have seen it, then change it immediately. Something like that, you know, might change if you think, “Oh, wait a minute, I don’t know what was going on here with my account. Something happened.” Get in there and change everything—get all your passwords updated.
There are password managers out there, software that you can use to save all your passwords. I’m not a big fan of saving them on your computer so that when you go to a site, it pre-populates your username and password, because those are exploitable. If somebody gets into your system, they can dig that out of your computer. They can find where you’re storing all that information because it’s got your username and passwords. Lots of times it’s encrypted, but there are ways to get that stuff out. So again, it’s easy for it to pre-populate the field for you, so you just hit log in. Well, look at that—I don’t have to remember the password anymore. Well, neither does someone else. If they gain access to your computer and go to that site, and it pre-populates, especially for your bank account, they can just hit log in, and they’re into your system without needing to know your password.
The other piece, from a security perspective, is always to enable that multi-factor authentication or two-factor authentication so that it sends you a text message. I always recommend having it sent to your phone because if someone has exploited your email address, and your two-factor authentication is sent to your email, if they get into your email accounts, they’ve got it. But it’s less likely for them to get a hold of your cell phone and your cell phone number, and it’s impossible for them to change that unless they get into your system to change the phone number.
There was a sneaky version that someone was using. I’ll give you a circumstance where, say, I got a hold of your credentials to log into your bank, and it had two-factor authentication set up, and it would send you a text message with a code. So I type in your username and password, and it says a code has been sent. Say I somehow sent you a message like, “Oh, hey mom, I’m trying to get into my email, and I’m locked out of it. I’m sending this from my friend’s phone. Can you please send me the code they sent you so I can get into my email?” Then you’ll see something pop up on your phone saying, “Here’s your code,” and you might text back, “Oh yeah, it’s 91111.” Now they’ve got your two-factor authentication to get into your system.
So, you know, if you didn’t request it and something pops up on your phone, verify by voice with the person you’re talking to. And if you didn’t send that login attempt, but an authentication text gets sent to you, it means someone’s got your password. That should immediately spark in your head: change it all—get in and change all of your passwords.
Zena: Every 30 days, you think?
Brian: Well, that, you know, if you want to be protected, that is one of the best ways—to have a revolving set of passwords. I wouldn’t recommend using them for more than six months at a time, just because if it does get exposed, it’s tough to come up with a whole bunch of different passwords. The bigger part for me is having a secure location where I actually have a book. In case of my inability to speak, the passwords are kept, but that’s in a secure spot. It’s not on a Post-it note on my wall or anywhere visible—it’s in a secure location so that if something does happen, or I just forget, I can go in and check. What was my password for that? Because I don’t use that service or whatever it is very often.
Yeah, so that’s what I do to keep my security together. And I haven’t had a problem, but I think someone got a hold of my Netflix account because I could tell—the most-watched movies were all in Hindi. I saw “Continue Watching” and thought, “I don’t think that’s me.” Then I went and looked, and sure enough, someone had gotten in. They couldn’t charge anything, but they were using my account. So, I went in and did wholesale password changes on absolutely everything because obviously, somehow, they got my email address and my password. That sparked the whole change.
Zena: I love that in our office, we have what’s called the CEO Family Planner. It’s kind of like the “What If” binder, and it’s about documenting all your logins. If something were to happen to you, someone’s got to get in there, whether it’s your phone, your laptop, your bank account—you name it. That’s also a place to save passwords, and we always say to keep it locked. And whether it’s every few months or every 30 days, go through, change your passwords, and then update it in that CEO Family Planner for those in our office so that your loved ones can at least get in there and help with any estate planning. Or if, like you said, something happened and you’re in the hospital, you broke both your arms, and you need someone to go in there—they’ve got it.
Brian: Yeah, exactly. And the other thing with all kinds of technology—never wait to update your systems. As much as, you know, sometimes people are like, “Oh God, another update—it’s going to take 20 minutes for this thing to do that.” There’s a reason why they send a lot of those updates out: it’s because someone has found an exploit and a way to take advantage of your system. A lot of times, the emergency updates they send out fairly quickly mean it’s significant, that someone could exploit your system, your phone, or whatever device, and gain access to it or information from it. So always keep it as up-to-date as possible so that you at least have the latest security patches, so someone can’t use an old exploit.
We found, strangely enough, during my infrastructure protection days, that we actually thought we had some very large network virus released into this one environment. We found out later it was a very old virus that was looking for video game credentials—login and password for a video game that hadn’t existed for 10 years. Somehow it was still there, but it was so old that a lot of the virus patterns didn’t identify it because they had never seen it anywhere. So they just dropped it off the list. But again, it was a matter of keeping yourself current and up-to-date. Once we notified the virus providers, they were like, “Oh yeah, sure, we got it.” They sent a patch, and immediately everything got locked down, and it scrubbed it out. So again, just keeping it current.
Zena: So, changing passwords, enabling multi-factor authentication—what about personal devices? Well, and then updating before anything asks you to update. But on laptops, what kind of security programs should a person be running on their home computers or iPads? What kind of…
Brian: I always recommend good antivirus software. Depending on what type of computer you have—if it’s a Mac, a PC, or whatever system you use—they all have a version of malware protection. That’s going to be your biggest concern, that there’s something out there that gets into your system or a rogue application that starts running. Once it does that, hopefully, the virus patterns kick in to protect your systems.
Microsoft, by default, has Defender, which is an antivirus built into the system, but there are many others you can download. I don’t recommend one over another. I believe you have to research which ones work best for your system. Some are very comprehensive, while others keep a low profile on your computer system. Having one of them is probably best, ensuring there’s something on your computer. The basic firewall package and Defender package from the operating system providers is good and will protect your system to a degree. But again, I always kind of double up on that, and there are a few malware software options out there that protect you specifically from malware that could lock your systems down or things like that.
I always say to be cautious with programs that you don’t know about—that’s probably the hardest part—untrustworthy downloads. Depending on what people surf and look at online, if you’re downloading software from a source you’re not sure about, it could be risky. A while back, it was movies, some computer software, and different sites that people would visit. Those sites often have content that’s prone to being full of malware trying to infect your system because they’re popular, right?
Years back, I’ll use an example—it used to be if you downloaded music, whatever the latest song that had come out was, a lot of those downloads were filled with viruses because everyone wanted that song. They would download it, and that was the best way for viruses to spread—when thousands of people download them and run them on their computers. Now, any untrustworthy application or download from an unknown source—you better have good antivirus software on your computer to protect yourself. They are quite ingenious with how the software can sneak into the system. It might even trick out an antivirus software because it’s not doing anything bad—maybe it’s just listening.
Zena: So that’s one way. Now, share with me because I’m curious—I’ve heard about this, and I don’t know if it’s an urban myth or if it’s real. When traveling to hotels, there’s this group forum saying that a specific hotel across the border—don’t stay there because they use the hotel’s free Wi-Fi, and numerous people have been hacked every time. It’s almost like a hotspot for that to happen. So, tell me about traveling and using Wi-Fi in different areas. The first place that rings alarm bells for me is airports. I travel quite a bit, and I never use Wi-Fi in hotels and airports. Is that accurate? Are those places prone to hacking?
Brian: Well, sure they are. We actually did a test here in Saskatchewan at a—well, I won’t mention the place—but it was a hotel. We went into their business center, where they had computers available for guests. You could download and print off your boarding passes, send emails, and things like that. Those computers were pretty much filled with malware. All it was doing was capturing any credentials you typed into it and sending that information out to someone else because it’s a public computer.
Now, there are programs out there, like Microsoft’s educational version, where it’s called a virtual machine. Every time you log in, it wipes everything off the computer, so it’s a fresh build each time. If I installed malware on it, as soon as I log out, everything is deleted, and it comes back up with a different instance. So, there are ways that companies are protecting themselves.
Another big one we encountered was something called “Free Public Wi-Fi.” Have you ever seen that as a wireless access point? In airports, there used to be tons of them. You’d open up your device and see a list of available networks. Most airports have their official Wi-Fi, like YQR in Regina, where you log in through a gateway screen. But people would create a hotspot called “Free Public Wi-Fi,” and you’d be amazed at how many people would try to connect to it. It was a hotspot that I owned, right? And if I were a bad guy, any information sent through that connection would go through me. I’d capture anything that passed through it. People did it all the time.
When you’re out there, you have to be cautious. Am I saying not to use public Wi-Fi? No, you can use it. But the problem is, I wouldn’t check my bank account or email over public Wi-Fi. I would use it to check the weather or Google Maps, but if I’m doing anything secure, I wouldn’t want to be on a public network. In those cases, I’d use my cellular data because it’s secured. With Wi-Fi, I don’t know where that access point is coming from. So, trust where you are. If you’re using a public computer just to check something, never log into your email—especially don’t ever log into your bank account from a public terminal. You may as well consider whatever you type in there as being broadcast to the world or printed on the front page of a newspaper because that’s how public you’ve made that information.
Zena: I’m patting myself on the back now because, when I went to Europe and was traveling around with my mom, she was like, “Just use the Wi-Fi; it’s free here.” But I said, “No, thanks, I’m good,” because I was still doing a little bit of work on the road, and I wanted to make sure it was secure. What about Wyze cams? You know, those Wi-Fi camera security systems for homes that you can buy at Costco? Are there any problems there? As we’re getting more tech-savvy and setting these up ourselves, getting away from what used to be monitored by SaskTel, I know a lot of people are now setting up their own monitoring and mini cams. Any tips, hints, or stories?
Brian: The only concern I have with those is if you set them up and connect them to the internet. There are camera systems that you can connect to the internet, so if you were in Europe and wanted to check what’s going on in your backyard, you’d log in, type in your username and password, and see your cameras. If it’s a closed system and just running off your house, with you looking at it from screens inside and recording it for security, I don’t have a problem with that. But the moment you connect it to the internet, you open yourself up to the possibility of someone else accessing your system.
If you haven’t changed the default passwords—and I’ve seen numerous times where people keep the default password—it might be something like “admin/admin.” If I can log in with that, I can look at your cameras and see everything inside your house. If I get access to your computer, I might get that information right out of there too.
I’ve personally witnessed situations where people didn’t change the admin passwords—they were still the defaults. It’s easily searchable online to find the default admin password for a specific model of camera or wireless system. You just keep trying and checking. We found tons of instances where people could be looking into homes through baby monitors or other cameras, literally staring at your child. If it’s connected to the internet, anyone could access it.
The moment you connect those cameras to the internet, you open yourself up to risks. So, take steps to change all the passwords and ensure you’re not using defaults—make them something specific and unique. And if you don’t need to see your cameras from the road, why are you connecting them? Just disconnect them from the internet, and now it’s a closed-circuit system, recording only for security in your absence. It’s all up to your personal level of comfort. The more access you want to have to your information, the more open you are to someone else accessing that information.
Zena: So, where are you seeing the future of security going? It’s a big joke in our office—everything we do with clients is password protected. I always say, “I’d rather just have drops of blood or have them read my eye,” because this whole multi-factor authentication and passwords can be overwhelming. But where do you see it going in the future? With AI and voice recognition becoming more common, are you seeing anything down the road that will be the next step? I guess it’s always evolving into the next scam, but is there anything coming down the pipeline?
rian: Well, biometrics has always been a big thing. Right now, Apple products use face recognition, and you can use thumbprint IDs to get into things. Nexus users have used retina scans for ages to gain access in airports. So, it’s around, and to be honest, it’s really one of the more secure ways of doing things. Your voice, digitally, is difficult to recreate. You can get close, but digital voices don’t mimic human voices perfectly. So, it’s very difficult for someone to fake that part. But if they get enough samples of you talking, say from a podcast, they can splice together different things you’ve said.
So, using specific code phrases and things like that is important. I was talking with your husband about it, and I said it’s going to be a kind of “get your helmet” speech. You might need to put your helmet on a lot of times because we don’t want to instill fear—that’s not the point—but you need to understand that when you put yourself online, especially anything personal, you’re going to expose yourself. You can find out a lot about a person. For example, when I was doing critical infrastructure protection, they had a thing called spear phishing. They would actually go to a company’s website and find out who the chief financial officer is. Then they’d find out, “Oh, Bob Smith is the CFO,” and start digging and sending, “Hey, Bob Smith, here’s an invoice from marketing. They’ve got this new promotion they want done. Joe, the CEO, has approved it. Can you just pay this invoice?”
Zena: We get that all the time. So, it’s already there. We’ve got some things in place to make sure that we don’t open them. But I’m sure though, one day something will happen. You’re exactly right, especially with an online presence. The most recent one that I thought was a bit more creative—at least it wasn’t the usual ones—was when I’d done a lot of articles for Globe and Mail, Financial Post, and Toronto Star. They’ll contact you, wanting to send you a copy to put on your wall. And of course, my mom, she’d love that—having my name in print. But I’ve never opened them. I did a little bit of research on the side because, as you said, trust no one. I researched and went to the source, and it was a complete fraud. So, as soon as you’re online… If anyone out there—okay, tell me about Facebook. Speaking of being online, tell me about social media. Is Facebook and Instagram the hotbed for getting information and stealing things?
Brian: Well, it can be. Facebook started it, and I think Instagram and TikTok, and other social media platforms have followed. People share their lives more now. At one point, it was just updates, but now people are literally living their lives on these platforms and putting out tons of information. It always hurts me a little bit because I’m like, “Oh, don’t talk about your house. Don’t tell me you’re going to Greece for three weeks, because now if I want to rob your house, I know you’re not going to be there for three weeks.” Or don’t tell me that you’ve got three kids or that today’s their birthday and they’re five. Why? Because now I know their birthdate—I know today is their birthday, they’re five years old. So now I have their birthdate, I have their name.
Zena: And their name is probably a password with their birthdate.
Brian: Exactly. That person might have used something like “Jonah1991” as a password. The more you share, the more people can gather about you. Trust me, the internet is an amazing source for detective work. People will take everything. Just as we talk now, I always notice in Zoom meetings when people have blurred backgrounds. There’s a reason for that—some people do have stuff on their walls they don’t want shown. But on the other side, I always appreciate when they blur their backgrounds because if I saw that you have a diploma from the University of Guelph in marketing, and I see a picture of your husband and three kids, now I know you’ve got three kids. I know you went to school in Guelph. I can start piecing together information. If there’s a window in the background, I might take a look to see if you live in the countryside or if there’s a road nearby. I can start digging in and finding out where you are, purely from the pieces you’ve just given me.
So, blurred backgrounds are great—nothing is revealed. You’re not giving out any information about yourself unless you choose to do that. It’s about only releasing the amount of information that you want to be released. For social media, live your life, do as you like. If you want to send out information, that’s fine. Lots of people make a living by showing others their lifestyle, what they’re doing, where they’re going, who their friends are, what their kids are doing. That’s fine. But be wary that there’s someone out there who, if they have any malicious intent, can gather a lot of information about you.
Zena: So, um, limit it, you know, I didn’t Google you before this, Brian, but I’m guessing if I had, I wouldn’t have found anything.
Brian: Oh no. You know what? There’s some, uh, police stuff, but I usually keep a pretty low profile. I actually have a Google alert set up for myself, so if anything with my name pops up, I get notified. Anytime I’ve done any public work from the policing perspective—announcements or news media stuff—I’ll see the alert pop up saying, “Oh, Corporal Ferguson said this.” I do that just so I know exactly what’s being put out there about me. I don’t Google myself much. But, unfortunately for me, because my name is relatively common, there’s a journalist in Scotland named Brian Ferguson who posts regularly, so I get lots of alerts. I know what’s going on in Edinburgh very well.
So, again, when you’re living your life in a social media environment, I wouldn’t say one platform is more prevalent than the other for scams. Facebook Marketplace, for example, is full of scams. People are selling products that don’t exist and want you to send them money to hold the item. The standard rule applies here: if you can’t meet the person in person and hand them money, then don’t send them money. They’re under no obligation to give you the product once you’ve sent the money. So, if you can’t see them, don’t pay them.
Be careful in that sense. Social media-wise, we can kind of roll into one of the scams, the grandparent scam. It’s where your grandchild sends you a message saying, “Help, I’m in Mexico. We have no money, our phones were stolen, our passports are gone, I’ve been arrested, and I need a thousand dollars to get out of jail.” And it’s coming from their social media account.
Zena: Right.
Brian: So, as a regular person, when you see that, you panic. “My goodness, my grandchild’s in trouble,” and you immediately want to help. “What can I do? What do you need? How do I get it to you?” The first thing to do is call them. Talk to their parents, their friends, someone who can confirm if they went to Mexico, if they’re in trouble. Ask questions outside of the initial request, even if it comes from a trusted source like their Instagram account. All I have to do is breach your grandchild’s Instagram account and send messages to the contacts. People think, “Oh, this is from her account, so it must be her,” and they trust that. So, don’t trust anything. If you get a message saying someone needs something urgently, contact them directly.
The other big one I always want to tell people is that nobody ever takes payment in gift cards. Nobody. You can’t go to a restaurant and pay with Canadian Tire money, so you can’t pay with iTunes cards or Apple Store cards either. If someone asks you to get them gift cards, that’s a red flag. My wife just told me that one of my daughter’s friends got duped for two grand buying Apple gift cards, not realizing that nobody gets paid in Apple cards. By the time he realized how ridiculous it was, all those cards had been drained, and the funds were gone.
The hardest part for someone who gets taken is the embarrassment—you don’t want to tell anybody, right?
Zena: Yes, I’ve seen that with seniors. The embarrassment and the fear of judgment, thinking, “Please don’t put me in a home.” I think that’s a very common concern among older people.
Brian: Yeah, and if it does happen, there are places you can go, like the Canadian Anti-Fraud Centre. You can report it online, saying what happened. If you don’t feel confident calling the local police and reporting it, I encourage people to do that. Lots of times, the money ends up offshore, and there’s little to no chance you’re going to get it back, but I never say never. I never want to discourage someone from reporting it because sometimes, the scammers do make a mistake. The money might actually be funneled to someone in the country who’s ferrying it out. In a lot of cases, they have someone within the country where you’re sending that money to, and that person is ferrying it out, giving them insulation from the scammer. It looks more legitimate to you. For example, if Revenue Canada said to send a Western Union to Nigeria, you’d be suspicious. But now they’re saying, “Send this to Guelph, Ontario—this is our payment hub,” and then that person in Guelph sends it somewhere else.
Zena: Yeah, take us through the steps then. If you are a victim of a scam of some kind, whether it’s a romance scam, tech support scam, or another type, what should a person do? Take us through the steps of recourse.
Brian: Sure. Well, the first thing is to document everything because that’s going to be the first step. When did this start? How did it start? Was it that you responded to an email, answered a call, or called a 1-800 number? What did you do, and when did you do it? These are always going to be the key questions. Did this start yesterday, or did it start six months ago? Document everything. If there were any emails, text messages, or anything that was sent to you, save it. Save it on your system so that if needed, investigators can look back and try to find any digital evidence that might be left behind. This can help them figure out where everything went.
If it was a significant amount of money, and if it went through a bank, for instance, if someone transferred money out of your accounts, you need to know that information. Contact your bank. If it went through your bank, the bank can guide you through the process. If it was just you moving money out, there’s not much you can do other than document it. But if money was moved out of your accounts by someone else, then you need to talk to your bank and say, “Someone accessed my accounts and did this. I didn’t do this.” Then start the process with your banking institution. They’ll guide you through it.
Banks train their tellers to look for people taking large amounts of money out to pay someone or sending wire transfers. They should ask questions like, “Are you sure you want to send $50,000 out of the country?” Not to be intrusive, but they want to try and protect you as well. So again, documentation is key—timelines of when everything occurred, what you did, and what has gone on.
The next step I would say is to immediately change your passwords. Change any passwords you use for online banking, PIN numbers, everything. Contact all your credit card companies, close all accounts, and change the numbers at least. If you suspect your systems have been infiltrated, request that your credit card companies cancel your cards and reissue new ones. This ensures that your accounts are secure because they won’t have the old information.
If your computer was used or accessed, especially if someone instructed you to download software that allows remote access to your computer, that computer is compromised. You need to have it formatted and wiped clean because someone has likely left something behind to report any information that’s on it. I would consider that entire system infected until it has been wiped and the operating system reinstalled, so it’s a complete rebuild. Don’t save any data from that system, because any files could be infected. If you copy them to a thumb drive and reload them onto a fresh build, you could be reintroducing the compromised data into your system. Unfortunately, you may have to lose everything.
Report it to the police and to the Canadian Anti-Fraud Centre. Make an online report there as well so that they can start tracking the number of these incidents and the types of scams being used. Scammers do change their tactics, and if they do, the authorities need to know about it so they can start alerting people. “Hey, they’ve changed this; now they’re doing something differently.” So protect yourself in this way.
Zena: You know, right now, I’m making a note to go home and change my passwords—it’s time to update.
Brian: Well, think about it. For any of the listeners out there, just think about how long you’ve had that password for your bank account. If it’s been a year, change it. It’s a pain to remember different passwords, I know, but I like my money staying right where it is. There’s no 100 percent security out there; it doesn’t exist. I could inadvertently release information or access something that allows someone to gain access to my system. Nobody’s immune to it, but you can take steps to mitigate it. Like you said, only keep a certain amount in some accounts so that if someone does get into your system, they can only do minimal damage. That way, not all of your life savings gets wiped out.
Zena: Okay, so control the things we can control.
Brian: Exactly. And trust nobody—always go to the source.
Zena: I love it.
Brian: Trust, but confirm. If your daughter sends you something, confirm with her that it’s legitimate.
Zena: I love it. Thank you, Brian, for sharing all that. We appreciate your knowledge and experience.
Brian: I appreciate the opportunity to do so. And again, if you want more information, there’s a site called GetCyberSafe.gc.ca. It’s a Government of Canada site with great information—much of what we just talked about. It’s a great resource to learn how to protect yourself, including securing yourself with virtual private networks, firewalls, and understanding the issues with public Wi-Fi. It’s helpful for navigating the digital world we live in.
Zena: I love it. We’re going to share that link in our show notes so everyone can access it. Thank you so much, Brian.
Brian: Hey, no problem. Thanks a lot.
