Best Practices

 

Best Practices for Instant Messaging (or on-line chatting)

  1. Do not click on links to files stored on a website
    • Links Sent By Friends -- Do not assume that a link to a website/file is harmless because a friend sent it
    to you. The link could point to malicious content. Your friend's computer may be compromised, and
    a malicious program could be using your friend's IM software to send out links to others in order to propagate.
    • Away Messages -- Do not click on any links in away messages. Some malicious programs will add a
    link into an IM’s away message. Anyone who clicks on this link could compromise their computer's security.
    • Suggestions: Verify with the person who sent you a link that they really meant to send it. Also, if
    you've clicked on a link that supposedly leads to pictures, a web browser should open and display the pictures. If
    you click on a link that should open a picture, and a box opens asking you if you want to "open", "run", or "save"
    something, cancel it immediately!
  2. Do not accept file transfers you are not expecting
    • Possible Consequences -- If you do, you could be downloading a malicious program that could make
    your computer unstable, be used to steal your personal information, and/or be used to attack other computers.
    • Files Sent By Friends -- Do not assume that a program/file is safe because a friend initiated the
    transfer. We have seen many cases where a computer has been compromised, and a malicious program will
    use the IM software on that computer to spread. Therefore, if your friend's computer is compromised, a
    malicious program may send you an IM that appears to have been deliberately sent by your friend.
    • Suggestions: If you receive an offer to accept a file transfer, inform the person you are talking with that
    they just sent you an offer to download a file, and ask them if they meant to send you that file.
  3. Do not give out personal/sensitive information over Instant Messaging clients
    • Chats are usually Not Encrypted -- Instant Message (IM) conversations are almost exclusively
    unencrypted. This means that when the conversation is being transferred over the network, it is in a human-readable
    form. If someone captured or viewed the conversation while it was in transit, they could easily read it.
    For example, if you were to give out your social security number and a few personal details while Instant
    Messaging, a malicious user could possibly intercept this information. They may then use this information to
    assume your identity and commit various forms of fraud.
    • Shoulder Surfing -- Perhaps you are talking to a friend via IM. You divulge some personal information to
    your trusted friend. However, your friend may be talking in a public, or semi-public, place without your
    knowledge. If your friend is not careful, someone could walk by and read your conversation/personal
    information.
    • Logging -- Sometimes people turn on logging for the conversations that they have. If you tell one of these
    people personal information, it will be stored on the person's computer in a log file. This creates a chance that
    someone, possibly malicious, could access these log files and obtain your personal information.
    • Suggestion: Do not liberally give out your personal information. If for some exceptional reason you
    must give out personal information, insist that it be done in a secure manner. Consider calling the person you
    must give the information to.
    Further Recommendations:
    • If your IM client supports it, configure your options to only allow/accept messages from people you know.
    • Certain clients, notably IRC (Internet Relay Chat) clients, automatically accept file transfers. If your client
    provides an option for this functionality, turn it off.
    • Exercise discretion. If your friend is sending you “pictures from the beach” in the middle of the winter, be
    suspicious.

Copyright © 2005 The University of Iowa. All rights reserved.