Mum's The Word

Ben Jackson interviews Tony Neate

CEO, Get Safe Online

Tony Neate is the Chief Executive Officer of Get Safe Online – the UK’s leading source of unbiased information on online fraud, viruses and identity theft. After a 30-year career in policing, including leading the fight against crime with the Hi-Tech Crime Unit and the Serious Organised Crime Agency, he reveals why he never puts anything online he wouldn’t tell his mother and why we shouldn’t fear a ‘fib’ on social media questionnaires.

Are people too open online?

Many people are very free online and in social media sites – they put everything on there. “Hello my name is Tony Neate – this is where I live, this is my place of birth, this is a picture of me drunk in the gutter, oh and by the way I hate my bosses, and these are the people I speak to.” We put it out there. Your first rule online should be, if you wouldn’t say it to your mother, or a policeman, don’t say it online. That’s the way it’s got to be. We’ve got to watch what we say to other people and we’ve certainly got to watch our photographs. My mantra, especially when I talk to kids about this issue, is “What goes online, stays online.”

They need to know that if they go for a job with the police and even some big businesses now – they will ask you to sign a form to get permission to look through all your social media first. So you need to be careful what you do and be careful what you say online, because we build up a history of ourselves.

Take the example of Paris Brown. Paris was the UK’s first youth and crime commissioner. She was 18 and was going to start work on the Monday. Then the press got hold of her social media and found things she had said when she was 14 and all of a sudden she hadn’t got a job. (Her twitter account where she posted more than 4,000 messages, included references calling homosexuals ‘fags’, immigrants ‘illegals’ and travellers ‘pikeys’, and included a tweet saying: “I really wanna make a batch of hash brownies.”)

How do you go about keeping your details private on social media?

I’m like the Queen. I have two dates of birth. My real date and then the date of birth I use online. I don’t want to use the word ‘lie’ because it’s not a lie exactly, but in the same way, when I’m asked to give my mother’s maiden name, I don’t. I always give the same name, but it’s not my mother’s maiden name because that can be discovered. You can go to and you can find that out.

British people are very obedient, so when there’s a form that says: ‘Where do you live,’ ‘What’s your date of birth? ‘What are your hobbies?’, we fill it out. But we certainly don’t have to. Certainly on social media sites, we don’t have to be as truthful as we would be otherwise.

”What goes online, stays online”

How should parents deal with that issue?

We should talk about security together. When my children were young I got them bikes. They each had a helmet, they had lights that worked and brakes that were tested. Now, in the same way, we should sit down with our children and go through their computer security. Show them what you’re doing and it might be that they know what to do better than you.

Are our problems with cyber security getting bigger?

Probably, yes. If everybody did the right thing and put the right security on their computers two or three years ago we would hardly have anything. But now we have the social engineering, the telephone calls, the emails purporting to be from someone, the spear phishing that targets individuals. Previously you might have had received a phishing email, saying ‘Dear Client, Dear Sir, Dear Customer’, but now it’s more likely to start ‘Dear Tony.’

What about the security of firms we give our information to?

Absolutely. We should also be secure in our networks. It should be built-in at source security. It’s not an add on. When Microsoft first looked at their operating system – eight or nine years ago – they took every one of their developers ffline for two weeks and gave them training in secure code, because it’s what they had to do. That’s a lesson everyone should be making.

I’ve been banging the drum for 15 years about people being more secure online, saying: “Look after your passwords, secure your internet,” but then sometimes companies give it all away.

When I was in the National Hi-Tech Crime Unit where I was head of industry liaision, I discovered some of the most secure companies were porn and gambling, because if they lost personal data that was it for them. I saw that if they lost data, they wouldn’t sack someone. They would employ three more people to work with them. That was their attitude, security was the be-all and end-all for everything that they did. That’s the attitude we have to have for everything we do and every industry has got to do it as well.

We haven’t reached that stage yet. We say to some of these companies that they have got to use Get Safe Online. They have got to use a trusted independent organisation with integrity that is going to tell them the truth.

Have consumers woken up to the threat of cybercrime?

Certainly individually and as companies, people have to start taking it more seriously. More and more people are going online. Around 1.5 trillion will be spent online this year and three billion people will be online by the beginning of this year.

It’s what the gangster said in America when he was asked why he robbed banks – “Because that’s where the money is,” and that’s what’s happening online – from opportunists all the way up to serious crime. We still have people who break into houses. People still break into cars. Crime is crime. People will keep doing it – and we’ve got to make it harder for them.

Is the Internet something to fear?

We have to be one step ahead of the criminals and not one step behind. We’ve achieved that to date and the reason is that we all still go online.

If every time you went online you were defrauded, you were bullied or you were scammed, you wouldn’t do it anymore. When you park your car at a certain carpark and every time you park there it gets broken into, you stop parking your car there.

The internet’s a fantastic place, it’s great and we’ve all got to be on it, so let’s make ourselves secure!



PASSWORDS. You’ve got a number of keys and you need a number of passwords. My advice is: “Write down the clue to your password in a notebook. I used to use my uncle’s dog’s name and my clue was ‘Uncle Brian’s dog’. Uncle Brian died 10 years ago and his dog died 20 years ago. So if anyone can work out who Uncle Brian was, never mind who his dog was, then good on them. That’s the type of thing we’ve got to do.”

A password phrase is great if the website allows you to do phrasing, but if the site only allows you 10 characters, you can always pick a phrase you know – like ‘Tramps like us, baby we were born to run’ and take the first character from each word to get ‘tlu,bwwbtr’. You could also consider using a password creator, like:

Avoid substituting obvious numbers for letters, like a 3 for an e, as criminals are wise to it, or ending your password with the numbers 1-10 or the months of the year when you have to change them regularly – if someone already has the first 99% of the password, it’s not difficult to get the rest.

PASSWORD SAFES. I use a combination of two or three really tough passwords and a password safe. But you’ve got to remember the master password. It’s like losing blood when you’ve lost that password – because it’s like losing everything else. You need to make sure the password is safe and is from an accepted and trusted source – but remember nothing is 100% in this world.

SECURE WEBSITES. There are two easy ways to check a website is secure before entering your password or credit card details. The web address ends with ‘https:’ – the ‘s’ at the end stands for secure – meaning extra encryption for communication between computers has been added. A padlock symbol is visible at the side of the browser window when you log in or register. If the padlock is on the page itself, this is probably a fraudulent site. Make sure you also check for misspellings, additional words or unusual website addresses, which may be a clue to a fake site.

AVOIDING RATS. It is more and more common for criminals to use spyware called a RAT – (otherwise known as a remote access trojan). This can allow your computer or mobile device to be used to spy on you. This is known as ratting. A RAT can be downloaded with an email attachment, but won’t show up in your lists of programs. They can take control of your webcam and use the video they take for blackmail or other purposes. So it’s wise to download updates to your programs and apps when prompted to do so, because they often include security fixes.

Take great care about which links you click on to and which emails you open even from people that you know – and cover your webcam when not in use, whether it is a built-in or clip-on device.

PUBLIC WI-FI. Ensure you have effective and updated antivirus and antispyware software and a firewall, particularly for Microsoft and Android phones, and remember if you’re not using a secure web page, don’t send or receive private information on public WiFi. Business people wishing to access their corporate network should use a secure, encrypted Virtual Private Network (VPN).

CONTACTLESS PAYMENTS. Contactless fraud is still at a low level. It uses something called Near Field Communication. If your phone uses this technology make sure it is locked by a PIN, which you should change regularly. Always check your bank statements to ensure payments have not been taken from your account and ask your bank who holds liability in the event of an incorrect payment. For the really determined, you can use foil, or special card sleeves, to protect the cards in your wallet.

WEB SEARCHES. Avoid ‘pharming’ by checking the address in your browser’s address bar after you arrive at a website to make sure it matches the address you typed. This will avoid ending up at a fake site even though you entered the address for the authentic one – for example ‘eebay’ instead of ‘ebay’.

Website owners often have a digital certificate that has been issued by a trusted third party, such as VeriSign or Thawte, which indicates that the information transmitted online from that website has been encrypted and protected from being intercepted and stolen by third parties.

When using websites that you do not know, look for an Extended Validation (or EV-SSL) certificate. Clicking the padlock symbol in the browser frame will launch a pop-up containing the details.

PHISHING. Scam emails often pretend to come from banks, credit card companies, online shops and other trusted organisations. They try to trick you into going to the site, for example to update your password to avoid your account being suspended. The embedded link in the email itself goes to a website that looks exactly like the real thing but is actually a fake designed to trick victims into entering personal information. Most Microsoft and other email clients come with spam filtering as standard. Ensure yours is switched on. You can also allow filters to be set to allow emails to be received from trusted sources.