Scammers hold computers hostage



Recently, my mother-in-law told me about a lady in her Sunday School class who had been victimized by a scammer. The lady’s caller ID said the call came from Microsoft, and the caller claimed he could help her computer run faster. Because the call appeared legitimate, she went along with it and allowed him to access the machine remotely. She didn’t realize until it was too late that the caller had installed software on her computer that locked it, and then he threatened to destroy all the information on the machine unless she paid a fee.

“Tech support” scams are not new; for years, scammers have been trolling for victims by cold-calling, then convincing them their computer needed to be fixed, and demanding to be paid. It’s a lucrative business; the tech site quotes Microsoft estimates that scammers took in $1.5 billion in 2015 using the technique.

But in the past few months, tech-support scammers have started emulating the tactics of “ransomware” scammers, calling targets and claiming their computer has been infected by viruses. By using remote access (granted voluntarily by the unwitting user) to install malicious software on the machine, the scammer takes control of the machine and promises to release it if a fee is paid. This escalation gives unprecedented levels of control, and for victims, it can prove a costly intrusion — at risk is sensitive personal information, as well as photos, videos and other information stored on the machines.

In October, Malwarebytes published a white paper titled “The Anatomy of Tech Support Scams: How Tech Support Criminals Continue to Exploit Consumers and Businesses Without Getting Caught.” The paper noted that the target is still the elderly (who are often considered less tech-savvy), but the scammers’ nets are widening.

“Not surprisingly, most tech-support scams heavily target a demographic that is not tech savvy — the elderly,” the authors noted. “…However, with the emergence of tech-support scam lockers this year, anyone is now a potential victim. This new tactic no longer just employs social engineering, and criminals are no longer solely targeting less tech savvy individuals.”

What’s also changing, the white paper noted, is where these scams originate. While most tech-support scams came from India, Florida is becoming a hotbed of tech-support scam activity. The paper goes on to detail some tactics used by tech-support scammers, as well as potential ways to address the problem. If you’re interested in the topic, it’s worth a read.

There are ways to prevent yourself from being a victim of this pernicious scam. The Federal Trade Commission has shut down a number of such operations in the past couple of years, but criminals continue to seek victims. Here are a few of the FTC’s pointers for recognizing and preventing a scam:

  • Don’t give up control. If someone calls claiming your computer has been infected with a virus, hang up immediately. They may fool your caller ID into thinking it’s a local call, but these numbers can be “spoofed” to fool you.
  • Don’t fall for online ads. Here’s a new word to many of us: malvertising. This is advertising on the web, through email or search engine results, that promises to rid your computer of viruses and malware. By clicking on links, you can highlight yourself as a potential victim. If you need tech support for your computer or a web service you use, the FTC advises that you look for the company’s phone number in your printed software documentation or confirmation emails, then call it.
  • Protect your personal information. Never provide your credit card number, bank account numbers or passwords to someone who calls and claims to be from tech support.
  • Don’t give in to pressure tactics. If a caller pressures you to buy a computer security product or says there is a subscription fee associated with the call, it’s a huge red flag.

More on this topic is available at

AG’s office victim of phishing emails



Mississippi Attorney General Jim Hood is warning Mississippi consumers about a widely circulated email alleging to be from the “Office of the Attorney General,” a bogus solicitation that could infect your computer with malware.

The email, which Hood in a news release called a “brazen attempt to install damaging malware,” has reportedly been received by multiple businesses and individuals. It claims a complaint has been filed with Hood’s office and includes a link to view the complaint. But when clicked, the address takes users to known malware sites. Recipients are warned to delete the message immediately and not to click on the link.

“We have received numerous calls and reports to our office this week from consumers who have received this email,” Hood said. “In one report, the recipient clicked on the link provided, which in turn wiped out her computer. The email is fraudulent. Our office does not send requests for responses to complaints by email.  Consumers should not open any links or attachments, nor should they reply back to this email.”

Like many “phishing” emails, this one appears legitimate, says it’s from the “Office of the Attorney General” and claims the “office” has received a complaint against the business. It provides a link to “view the complaint” along with a timeline and instructions to file a rebuttal. Cleverly, the email contains language that the office “cannot render legal advice nor can it represent individuals or intervene on their behalf in any civil or criminal matter.”

Even if the content of a message sounds reasonable or convincing, Hood encourages consumers to look for errors in spelling, grammar or wording that indicate the email is fraudulent.  “These errors are sure signs of a scam,” Hood noted in a news release.

In addition to deleting scam emails and not clicking on links in those emails, consumers who receive suspicious emails or text messages may want to contact the business supposedly sending the message to let the business know its name is being fraudulently used in a phishing attempt.

“We appreciate those who came forward to let us know that a scammer was impersonating our office,” Hood said.  “When consumers are vigilant in their efforts to avoid malware, computer viruses, and potential identity theft, it makes our job easier.”

If you have responded to one of these emails, call the Consumer Protection Division of the Mississippi Attorney General’s Office at 800-281-4418.

Some uh-ohs with Pokemon GO



PDF: The_Clarion-Ledger_State_20160718_A002_0

“Oh, wonderful,” I muttered to myself as I perused story after story about Pokemon GO. “Another way to keep people glued to their phone screens while they walk into open manholes and traffic.” And sure enough, this new game has exploded across the globe, reviving the moribund Pokemon brand and helping introduce a new generation to the devilishly cute cartoon creatures. If you see knots of people who appear to be wandering aimlessly around your neighborhood, transfixed by their phone screens and oblivious to all else around them, it could be Pokemon GO.

In case you’ve been on Pluto the past week and haven’t checked your newsfeed, Pokemon GO is an “augmented reality” game played through an app, a sort of scavenger hunt in which people visit a specific (real-world) location to find and “collect” Pokemon characters. The app will activate your phone’s camera feature when a Pokemon is “nearby”, superimposing the cartoon creatures on the image of a park bench, a monument, a landscape, or (disturbingly) inside people’s homes.

(For the uninitiated, “Pokemon” is a shortened form of “pocket monsters” and first became known a couple of decades ago as kids played Pokemon games on their Game Boy handheld consoles, watched Pokemon cartoons, and — of course — traded Pokemon cards.)

While it is laudable that the game is getting couch potatoes onto their feet and involved in social interaction, the game has also created a slew of problems and concerns, ranging from players being targeted by crooks (even right here in central Mississippi), to users disrespecting somber sites, like Arlington National Cemetery, the Holocaust Museum and the 9/11 Memorial. It has also alarmed many people because the app is collecting personal data from cellphone users, including users’ birthdays, email addresses and physical location.

Here are a few of the concerns that have been raised, and although many users are young adults, the game is especially magnetic for kids and teens. The ever-reliable Consumer Reports published an article by Tercius Bufete, who along with many others has highlighted things parents should be concerned about:

  • It’s only free to a point. While the app is free to download, users can make in-app purchases up to $99.99. Also, the app uses constant location tracking, which can drive up your data usage, and since distracted kids can easily drop their devices as they hunt, it could result in broken devices requiring costly repairs. Before using the game, check the settings to ensure in-app purchases are controlled.
  • Stranger danger. The game encourages players to work with other people, which could be concerning because your kids might be interacting with strangers. An in-game feature called “Lure Module,” which attracts Pokemon to a “PokeStop” for 30 minutes, could be used to lure people to a place where they could be attacked or abducted. It would be a good idea to ensure your kids travel in groups of people you know, and never go alone.
  • Personal data could be compromised. The product requires you to register, and although the app does include a parental notice that they can request restrictions on personal data, it will also collect data on the user’s specific location, and keeps messages sent between players.
  • Trespassing. When the geocaching craze hit a few years ago, property owners raised concerns about people stomping across their property looking for hidden caches of “treasure” using GPS devices. Similarly, there have already been many cases of Pokemon GO users entering personal property while hunting for Pokemon characters. Users could easily wander into a dangerous construction site, for example, or be mistaken for thieves.
  • Personal injury. When your attention is glued to your phone screen while walking, you might easily stumble on a curb or obstacle, or into a busy street. Studies have shown that texting can change the way you walk, leading to potential injury and even death. Over the past several years, people have been killed as they used their mobile devices while walking.

While Pokemon GO is probably like a meteor that will burn brightly for a while, then be replaced by the next shiny object, it’s likely that it’s a harbinger of things to come, as the “digital” world merges with the “real” world. For parents, the task will be to ensure our kids are as safe and informed as we can make them as they live in the new realities to come.

Are apps tracking your kids?



via Moak: Are apps tracking your kids?

When we install a new app on our smartphones or other devices, most of us will quickly give our consent to the verification screen that pops up, which asks us to verify our privacy preferences. It might ask for permission to peruse your social media profile, provide location information, and even post to Facebook and other social media on your behalf. Because you’re in a hurry to get the app loaded, it’s easy to click “OK” and get on with your life.

Few of us pay attention to this small (but important) question, but the apps we download could actually be providing a lot of information about us to companies who want to track our movements and preferences, monitor our activities and even gather information about us to sell to others.

Since many devices have “geo-location” capabilities, they can detect where your smartphone (and, by extension, you) are, with an impressively small degree of error. Some devices can even track your location in stores, figure out what merchandise you might be examining and predict your purchasing habits with amazing accuracy. Of course, if you’re OK with this, it’s not a problem. But for many people, it would be disturbing if they knew how much information was being shared without their knowledge or consent.

But a recent case has illustrated that apps can be gathering much more than you think. A Singapore-based company called InMobi will pay nearly $1 million in civil penalties and implement a comprehensive privacy program to settle Federal Trade Commission charges it deceptively tracked the locations of consumers without their knowledge to serve them geo-targeted advertising.

“InMobi tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises.”

Among the FTC’s allegations is that InMobi misrepresented that its advertising software would only track consumers’ locations when they opted in and in a manner consistent with their device’s privacy settings. “According to the complaint,” noted the FTC, “InMobi was actually tracking consumers’ locations whether or not the apps using InMobi’s software asked for consumers’ permission to do so, and even when consumers had denied permission to access their location information.”

The company, which has reportedly reached more than a billion devices worldwide through thousands of popular apps, has a huge global footprint. The FTC alleges InMobi “created a database built on information collected from consumers who allowed the company access to their geolocation information, combining that data with the wireless networks they were near to document the physical location of wireless networks themselves. InMobi then would use that database to infer the physical location of consumers based on the networks they were near, even when consumers had turned off location collection on their device.”

InMobi stands accused of violating the Children’s Online Privacy Protection Act by collecting this information from apps that were clearly directed at children, “in spite of promising that it did not do so.” The complaint noted that InMobi’s software tracked location in thousands of child-directed apps with hundreds of millions of users without following the steps required by the act to get a parent or guardian’s consent to collect and use a child’s personal information.

Under the terms of the settlement, InMobi was originally assessed a $4 million civil penalty, which is suspended to $950,000 based on the company’s financial condition. In addition, the company will be required to delete all information it collected from children and will be prohibited from further violations of the Children’s Online Privacy Protection Act.

The company will also be prohibited from collecting consumers’ location information without their affirmative express consent for it to be collected, among other conditions, and must create an extensive privacy program, with monitoring and independent auditing every two years.

The FTC has some good tips at to help you learn more about device tracking.

Patient information released without OK, feds say

via Moak: Patient information released without OK, feds say

A company that produces Electronic Health Records has agreed to settle allegations from federal regulators that it allowed sensitive health information to be posted online without letting patients know it would be disclosing the information.

In 2012 and 2013, California-based Practice Fusion, described by the Federal Trade Commission as a “cloud-based electronic records company,” allegedly began posting online patient reviews of doctors it had collected, but failed to tell the patients the details of how they would be used. In some cases, sensitive information allegedly appeared in the reviews.

“Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it — especially before posting such information publicly on the Internet.”

Electronic Health Records have been controversial, with advocates promising they will create a more seamless experience for patients who see multiple providers, help lower costs through greater efficiency and reduce the risk of errors. But privacy watchdogs have warned that consumer information could be compromised if the information is not handled with great care. In a 2012 survey conducted by Xerox, just over a quarter of Americans said they wanted their records to be digitized. It should be noted Practice Fusion wasn’t accused of allowing the compromise of EHR data, but of failing to give proper notification to patients before posting the information online.

Federal laws require any business that handles sensitive health information to go to great lengths to protect that information, with stiff penalties for violations. And consumers must be informed of any intent to share that information (that’s why you get those annual notices about protecting your privacy and have to sign separate privacy acknowledgement forms when you visit the doctor).

According to the FTC’s complaint, Practice Fusion began a public-facing, health care provider directory in 2013, including reviews of physicians. To populate the reviews, Practice Fusion began sending emails to patients of physicians who had contracted with Practice Fusion to provide electronic health records services. The emails allegedly were sent to “help improve your service in the future,” and asked them to answer questions about their recent visit to the doctor.

But when consumers discussed their recent visit, they often included details and could leave their name and contact information. For example, one consumer talked about a depressed child, another revealed she was concerned about a yeast infection and another spoke of a “Xanax prescription.”

Although the company didn’t admit any wrongdoing, it noted in a statement that it had discontinued the system in 2013. “The proposed consent agreement is not related to our core businesses, nor how we have operated the survey feature since April 2013,” noted a statement on the company’s website. “The complaint associated with the consent agreement does not allege that anything that we are currently doing is problematic.”

The FTC’s announcement didn’t disclose any monetary penalties, but did note the agreement prevents Practice Fusion from “misrepresenting the extent to which it uses” information. In addition, it must “clearly and conspicuously disclose — separate and apart from a privacy policy, terms of use or other similar document — that it is making such information publicly available and obtain consumers’ affirmative consent.”

Who are these imposters?



via Moak: Who are these imposters?

Every day, Mississippians get calls from people who claim to be something they’re not. In past columns, I’ve written many times about various ways scammers dupe victims into sending money, turning over key pieces of their identity, or participating in international schemes. Nearly every time, the person getting the call ends up holding the bag, losing their life savings, or unwittingly helping someone commit a crime.

Fraudulent calls are rampant. Just last week, my own elderly parents called to tell me they’d gotten a call from someone claiming to be with the IRS, saying they owed back taxes, and threatening them with prosecution if they didn’t pay up immediately. The only problem: These are all lies (my folks knew better, and didn’t take the bait.) The IRS is not going to call anybody to demand immediate payment, and in fact, if they have a beef with you, you’re going to get a lot of “snail mail” first.

This type of scam has become so prevalent it’s risen to become the top source of complaints to the Federal Trade Commission, with volume rising sharply in the past two years. Many of these schemes originate overseas, making it that much more difficult to stop and prosecute.

Other “imposter” schemes include:

The Grandparent Scam. This is where a crook calls an elderly person, pretending to be their grandchild (or claiming to be their lawyer, or a police officer). The criminal tries to get the grandparent to wire money or even purchase things like iTunes gift cards, to help their grandchild out of trouble.

Tech Support Scams. The potential victim gets a call from someone claiming their computer is infected with a virus, and that if they pay up, it can be fixed over the phone.

Government Agencies Scams. It may be the IRS, or Social Security, Medicare or any number of other agencies, but they’re all the same; the scammer indicates there is some problem, which will go away if you send cash.

Online Dating Scams. You might think the beauty (or hunk) you’re corresponding with online is all he or she claims to be. They say all the right things, and you think you’ve met your soulmate. But often, it’s just a ruse. In the worst cases, they are actually grooming you so they can steal your money or identity.

Last week, the Federal Trade Commission released a new series of videos and informational pieces called “Imposter Scams.” For the first time, they’ve taken a wide-lens approach to helping bring these schemes to light and empower people with the means to recognize them.

It would be a good idea to spend a few minutes perusing the videos. They’re short (less than a minute), concise and easily understood.

But regardless, if you get a call from anyone claiming you have a problem that can be fixed with an immediate payment over the phone, don’t take the bait. Remember that such calls are usually from imposters who want you to panic and make decisions you wouldn’t normally make. If you think there might be some truth to the caller’s claims, ask for their contact information, then hang up and try to verify the information yourself. If you do need to make an emergency payment, get some advice, and never wire money to an unknown account, or give anyone the information they need to access your bank or credit card accounts. And, if someone threatens you, report the threat immediately to local law enforcement.

Ultimately, it’s up to all of us to educate ourselves, keep an eye on those who might be vulnerable, and not make it easier for crooks to find victims. Visit to view the “Imposter Scams” materials.

To catch a ‘phish’

via Moak: To catch a ‘phish’

Mississippi Attorney General Jim Hood is warning consumers about emails that appear to be from a legitimate business, but are actually designed to commit identity theft.

According to a news release from Hood’s office Wednesday, the so-called “phishing” email message attempted to gain the trust of consumers by claiming to be from a Memphis-based financial institution, but was in reality an attempt to gain access to their banking information. “(T)he scammers in this latest email ruse stole company letterhead and used language in the email that initially makes it appear that the customer is being contacted by the institution,” noted the release. “However, a closer look shows that the email is illegitimate.” And, brazenly, the message included verbiage warning consumers about the dangers of spam email.

“As we rely more and more on technology in our daily lives, scammers respond with increasingly sophisticated ways to use technology to cheat and steal,” Hood said. “Fortunately, there are often some red flags that can help consumers spot these brazen attempts at fraud and identity theft.”

Some of those red flags included grammatical errors and inconsistent fonts that were present in the purported bank message.

Phishing is one of many tactics used successfully by scammers. Although they’re sometimes poorly-executed as this one was, sometimes, the thieves take pains to ensure they look legitimate. They may contain actual logos of known businesses and financial institutions, and often use scare tactics to get consumers to click on links or request a response. For example, they might say your account has been compromised, or that you are in danger of losing money or benefits. By clicking on links or replying, unwitting consumers can open themselves to becoming victims.

Hood provided these recommendations:

  • Never provide personal or financial information in response to any unsolicited email or text. Instead, delete them and don’t respond.
  • Keep in mind that financial institutions themselves will not seek to “verify” such information as bank account or credit card numbers, since that particular information is generated and maintained by the institution itself.
  • Don’t open links or attachments on any unsolicited emails or text messages that request personal, financial or account information. It is likely such links and attachments lead to viruses and malware designed to steal data.
  • Always be suspicious of anyone who emails or sends a text message and asks for money to be wired or placed on a prepaid debit card.
  • If you get a suspicious email or text message, contact the business supposedly sending the message to let the business know its name is being fraudulently used in a phishing attempt.
  • If you’ve been victimized, or think you might be, contact the Consumer Protection Division of the attorney general’s Office at (800) 281-4418.

For more information, visit

App helps close Craigslist safety gap

via Moak: App helps close Craigslist safety gap

If you’ve ever bought or sold something on the iconic website Craigslist from a local source, you might have experienced a moment of trepidation when you finally click the button to finalize the transaction. The next inevitable question: where to meet to make the exchange? In recent years, there have been many news reports of people who met up on Craigslist to conclude business, only to find a criminal waiting there to murder, rob, rape, swindle or otherwise attack them.

It’s a big issue for people who do a lot of business on Craigslist. The site has a list of tips to help people avoid being the victim of a crime, but still, disturbing accounts surface. In January, the Washington Post’s Caitlin Dewey reported a grisly milestone had recently been reached: At least 101 homicides have been linked to Craigslist transactions. That doesn’t count the numerous lesser crimes (or near-misses) reported by people using Craigslist to meet. And criminal activity works both ways: Crooks sometimes place ads on Craigslist to lure victims, while others troll the ads, looking for possible targets. And sometimes, things go wrong during the transaction.

One issue that frustrates many users is that Craigslist’s management has always maintained they’re just providing a marketplace, and have no control over the actions of the people who use it. While that might be legally defensible, it has not calmed the rising chorus of protest from people demanding that something be done.

Many Craigslist regulars have gotten smarter about picking a meeting place, and gravitate towards places with police around, such as the parking lots or lobbies of police stations. This week, Craigslist users have a new tool that can help find those places. The Qwilo app (currently only available for Apple) has a new feature called Safe Meeting Places. With a simple click using your cellphone’s geo-location feature, you can now find them on a map. The app can be downloaded here.

“Craigslist is a great place to buy things but there’s always a bit of apprehension when meeting a buyer or seller you found on the Internet,” said Phillip Lee, Product Manager for Qwilo, in a news release.  “We built the Safe Meeting Places feature to make it easier for Craigslist users to find a safe public place where they can conduct their transactions without fear of violence or being scammed.”

In general, many experts advise you to heed Craigslist’s own safety tips if you’re meeting someone as the result of a Craigslist interaction:

  • Insist on a public meeting place.
  • Don’t meet in a secluded place, or invite strangers into your home.
  • Be especially careful buying/selling high value items.
  • Tell a friend or family member where you’re going.
  • Take your cellphone along if you have one.
  • Consider having a friend accompany you.
  • Trust your instincts.

And, if you must meet someone at your house (say, for example if you’re selling a large piece of furniture), Lifehacker advises you to leave the door open, make sure you’ve got a friend around or available to call, and try to meet outside your house or apartment if possible.

While these precautions might not have prevented all of the Craigslist-linked crimes, having a safer place to meet could save some lives and property.

Some wireless routers pose identity theft risk


via Moak: Some wireless routers pose identity theft risk, 3/2/2016


A few weeks ago, I wrote about the possible dangers from wireless baby monitors, which (due to flaws in their security software and improper installation) could serve as an entry point for voyeurs or people looking to steal information to commit identity theft. The explosion in the use of these seemingly innocuous devices has led to calls of alarm from many privacy advocates and Internet security experts.

But recently, another point of vulnerability in our wireless world was exposed; certain wireless routers sold for home use may pose similar threats if not properly installed. Specifically, wireless routers made by Taiwan-based ASUSTek were the subject of a Federal Trade Commission settlement, after an FTC investigation found they contained flaws that would allow hackers easy access.

The routers, sold under the ASUS brand, came with options to attach a hard drive to the router, allowing users to — in effect — create their own “cloud” storage devices, accessible over the Internet from anywhere. The “AiCloud” and “AiDisk” features were certainly convenient, but if you stored your sensitive information — say, tax documents — on the drives, they could be vulnerable. The FTC alleges that, in February 2014, hackers did just that, using the devices’ vulnerabilities to access connected storage devices for nearly 13,000 consumers.

Under the FTC settlement announced this week, the company will be required to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”

Many consumers just aren’t that tech-savvy, and if you’ve just gotten your new router out of the box and are eager to take it online, you might be tempted to skip the portions of the setup menu filled with acronyms like “WEP,” “WPA” or “WPA2.”  And some routers may set the default value to something like “password,” which is easily accessible by your average third-grader. But to be effective, the router’s security settings need to be properly installed; it’s a good idea to have it set up by somebody who understands it.

As the “Internet of Things” grows, creating an increasing web of connections among objects and services surrounding us, this problem needs serious attention. “The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

If you happen to have one of these routers (or any router), here are a few tips to make sure your information is as safe as possible:

  • Download the latest security updates. According to the FTC, the ASUS router update tool often indicated that software was current when it wasn’t, putting people’s home networks at risk. Moving forward, ASUS is required to provide accurate information about software updates. So check the router’s software update tool and the ASUS support site again for the newest security updates.
  • Check if access to your network storage is limited. Make sure access to AiCloud and AiDisk is limited to what you want. The FTC took issue with the default option during AiDisk’s set-up, which gave anyone on the Internet access to your storage. For more privacy, choose “limited” or “admin rights” access instead of “limitless.”
  • Change pre-set passwords. According to the FTC, ASUS pre-set weak default passwords on every router. So create new passwords that are strong and unique for both your router and any “cloud” services — something only you know. This can help prevent hackers from getting easy access to your network.

More tips are available from the FTC’s website at

Baby monitors allow hackers, voyeurs into homes


via Moak: Baby monitors allow hackers, voyeurs into homes, 1/27/2016

New parents (and even experienced ones) spend a lot of time worrying about their babies. And with good reason; there are lots of things to be worried about. You can’t be there 24/7 to watch your baby in the crib or as they play in their room, so technology came to the rescue a couple of decades ago with the introduction of the baby monitor.

At first, these were just pretty walkie-talkies, which allowed you to have a base unit in the baby’s room and a monitor elsewhere in the house to let you hear what was going on. Later came video monitors that provided a real-time feed through Wi-Fi and made the feed available online. Now, you can keep an eye on your little one from your workstation anywhere.

But many parents might be lulled into a false sense of security when they use this technology; that feed might not be secure. Back in September, the trendy blog Fusion Network published an article revealing the results of security tests done on nine video monitors, and the results were not promising: eight of the nine monitors tested got an “F,” and Fusion awarded one a “D-minus.” It turns out that hacking into the monitors and hijacking the feed were child’s play for hackers.

All of this scrutiny comes after increasing reports of baby monitors being used to remotely spy on people, verbally abuse infants and bring embarrassing attention to the camera manufacturers (and highlight the problem) by posting live feeds from 1,000 baby monitors on unsecure websites. All this creepy activity has led to increased concern from parents and privacy advocates, who worry that the monitors could not only lead to sick voyeurism, but also could allow hackers a doorway into the home networks and lead to identity theft.

Last week, the Federal Trade Commission reported that it had tested five baby monitors to determine their level of security. They found two of the five didn’t encrypt the feed to make it more secure and only one required a complex password.

So, how can you protect your baby and your family from unwanted intrusion? The FTC’s Seena Gressin offered these tips:

  • Make the monitor’s security features a priority. When shopping for a baby monitor, look for ones that use strong security protocols to transmit audio and video feeds to your home wireless router and to the internet. WPA2 is a standard wireless security protocol for home routers. To protect the feed on the internet, make certain the monitor uses an industry standard encryption protocol, such as SSL or TLS. Check the package or contact the manufacturer to find out.
  • Use the monitor’s security features. Once you’ve purchased a monitor with good security features, use them! Keep the monitor’s software current and check its password settings to make certain it requires a password. Then, choose a strong password and enable the monitor’s security features so that it encrypts information transmitted via the internet.
  • Access the monitor securely. When accessing the monitor from a mobile device, confirm that your app is up-to-date and consider password-protecting your mobile device as well.

Other experts advise that you consider unplugging the unit when it’s not actively being used, such as when no one is at home, and that you change the passwords on your home’s Wi-Fi network often as well.