Author: lebowitzit

In my last post, I explained why I won’t attempt to fix printers, particularly inkjet printers, for clients, and I illustrated my reasons by showing how my own inkjet printer had developed a problem that was too expensive to fix, even though I was providing my own skilled labor. That undoubtedly left you wondering what printer I would recommend, and perhaps hoping that I would demonstrate my choice by buying one for my own home office. Well, I am going to partially disappoint you. I’m not going to make any printer recommendations, because I don’t find any affordable printer satisfactory. For the last year or so, I have been telling clients to just go out and buy a printer they like, and I would set it up for them as best I can. But since I now had to make this very decision for myself, I thought it might be helpful for you to see how an IT pro goes about determining which printer is the least of all the evils for his own use.

In the affordable (under $500, considering today’s prices) printer space, the first two options – color/monochrome and printing technology – are more or less considered together. If you expect to print in color, that dictates an inkjet printer, because color laser printers are relatively bulky, heavy and start at over $500, and none of the color laser printers that cost less than $1,000 will print color photographs well. If you have no use for color, and just want a monochrome printer, then you’re automatically looking at monochrome laser printers, because except for specialty printers, there are no monochrome inkjet printers. The last time I owned a laser printer was in the mid 1990s, when I obtained a secondhand HP LaserJet Series II. Since 1998 or so, when I bought an HP DeskJet 720c, I had only owned color inkjet printers. They were good for the kids’ homework assignments, which often involved color graphics, and for awhile, I also printed my own greeting cards and photographs. So, I figured on getting another color inkjet printer.

Next came the options. In addition to printing, I do a lot of scanning and some copying, so an all-in-one printer makes the most sense for me. I usually print on both sides of the paper in order to save paper, so duplex printing was a must. Much of the scanning I do involves multiple pages, often both sides of each page, so my new printer would also need to have a document feeder and support automatic duplex scanning as well. Finally, I have multiple computers that have to use the printer, and it will occasionally be used by a tablet and maybe a smartphone or two. That meant my new printer would need to be a network printer, and since Ethernet is a much more reliable way to network a printer than wi-fi is, I wanted the new printer to have an Ethernet connection option. My Epson WorkForce (second to last printer) had two paper trays, so I could load photo paper or envelopes without unloading my regular letter paper. My Canon MAXIFY (last printer) lacked that, and its paper handling was inconvenient in comparison, but still, this would be a nice-to-have feature, not a must-have feature. So… I wanted an inkjet all-in-one printer with a document feeder, automatic duplex printing, automatic duplex scanning and an Ethernet connection, multiple paper trays optional.

Now it was time to consider brands. This narrowed my choices considerably. I have learned to avoid HP all-in-one printers, and some of their simple printers, because I have come to consider HP’s printer software dysfunctional. In the years after I bought my aforementioned HP DeskJet 720c printer, HP continued to develop the software package that they distributed with their printers. Its core components were given ever more features, making it more capable, but also making it arduous to install, a drain on computer resources, and prone to malfunctioning, which often needed to be fixed by uninstalling and reinstalling it, doubling the arduousness. More recently, HP replaced all that with a new app that they call HP Smart. The problem with it is that I have found the name “HP Smart” to be a misnomer. HP Smart is supposed to detect your new HP printer, find whatever drivers and software it needs and install them. In my experience, though, HP Smart fails to do that, requiring me to seek assistance online to get the printer installed. Once everything is up and running, HP Smart also becomes the scanning software, if the printer is an all-in-one, and in most cases, it doesn’t support scanning directly from the printer console. That’s not the end of the world if the printer is right next to the computer, but it’s a nuisance when scanning to a computer across the room or in a different room. So, no HP models for me.

My last two printers were an Epson WorkForce model, with what Epson calls “Precision Core” technology, and a Canon inkjet model, both of which failed prematurely due to print head clogs and failures. My online investigations indicated that this is an ongoing problem with Epson and Canon models. Still, technologies evolve and improve with time, so I might have been willing to take a chance on one of these brands again if I had been able to find one for less than $150 with the features I wanted. But I found that inkjet all-in-one printers with document feeder, automatic duplex printing, automatic duplex scanning and Ethernet connection were priced in the $300 range. For that kind of money, I wasn’t taking a risk on another Canon or Epson model.

That left Brother and a small selection of off-brand printers. The problem with off-brand printers is that consumables – ink, mostly, but sometimes other parts – might be hard to find. And it turned out that the only Brother models that had the feature set I wanted were large-footprint printers that could accommodate ledger-size paper. I have no use for ledger-size printouts, and I have no room for a printer that large. Those bruisers were expensive, too, with prices starting around $450. So, I found myself at a dead end.

That’s when I decided to reconsider whether or not I needed to be able to print in color. I haven’t printed a color photograph in over a year because I’ve found a number of online services that charge less to print and mail me color photos than I would pay for ink and photo paper to print them myself. That’s not as convenient as the ability to print my own photographs on a whim, but I almost never need color photos right away. My two older children used to print homework assignments in color all the time, but I only have one kid in high school now, and she mostly submits her assignments online and rarely needs to print anything. I haven’t made my own greeting cards in years, and I don’t think I even have any greeting card stock left. None of my business printing requires color.

Relieved of the need to stick with inkjet technology, I started my shopping expedition over again, this time looking at compact monochrome laser all-in-one printers with document feeders, automatic duplex printing, automatic duplex scanning and Ethernet connections. I found far more and better options. I still ruled out HP because of software concerns, and Epson doesn’t make any laser printers, but I knew of some venerable Brother MFC-L2700 series models and Canon imageCLASS MF200 series models that would likely be in my price range. I also hoped to find some small business models from Lexmark, Okidata, and Samsung.

In the end, the best deal I found was on the Brother MFC-L2750dw pictured at the top of this post, so that’s what I purchased. I knew it would do everything I needed it to do, because I have resold that same model to clients in the past. It uses two consumables other than paper: toner cartridges, which yield anywhere from 2,500 to 5,000 pages depending on the capacity you buy; and drum units, which last for about 15,000 pages. Brother-branded toner cartridges aren’t overly expensive compared with other printers’ branded cartridges, and Brother’s MFC-L2700 line is very popular, so there is very affordable 3rd party toner available for it. I’ll probably stick with Brother branded drums, which also aren’t terribly expensive, especially since I anticipate that mine will last 3-4 years apiece at the rate I print.

My new Brother MFC-L2750dw printer doesn’t have dual paper trays, but it does have a single-sheet override slot. That should make envelope printing more convenient.

Printer reliability has been a sore spot for many years now. My inkjet printers have lasted about 4-1/2 years on average, and even laser printers, which were once known to outlast virtually all other kinds of office computer equipment, now sport a lot of poorly made plastic parts. However, I’ve resold the Brother MFC-L2750dw and its predecessors to about 20 clients, and most of them have lasted 7 years or more. At least one that a client bought in 2010 or 2011 still works perfectly and has never needed anything more than consumables and an occasional paper jam removal. So, the chances of this one lasting longer than two inkjet printers – that’s roughly my break-even point, if we only consider the price of the printer – seem pretty good.

Is the Brother MFC-L2750dw perfect? No, not at all. I really wanted a color laser printer, but affordable, compact color laser printers that print photographs well do not exist. Professional reviews of this model suggest that other laser printers, such as the Canon imageCLASS MF200 series and most HP LaserJets, have better print quality, especially on graphics and very small fonts. And the MFC-L2750 printer driver on my laptop already messed itself up once and I had to reinstall it. But as I said at the beginning of this post, no affordable printer is truly satisfactory. As long as this one’s shortcomings are things I can live with, that’s the closest thing to a win that I can expect.

Every two or three weeks, I get a call from someone who is sure their email was hacked. As the title of this post implies, in every case to date, I have found that their email was not, in fact, hacked, but there are a number of reasons why someone not thoroughly familiar with how the online world works might think otherwise. Note that just because someone’s e-mail wasn’t hacked doesn’t mean that a bad actor didn’t gain access to it. The purpose of this post is to help you understand how this actually happens and what you can do to protect your email account.

Hacking vs. Cracking

Let’s start with proper terminology: If someone gains access to your email account, or any other account or device you have, that isn’t hacking per se. “Hacking” means writing a short computer program for some very specific purpose. That purpose isn’t necessarily malicious. In fact, traditionally, it wasn’t malicious. Think in terms of “life hacks” featured in YouTube videos that show you how to soften butter faster for baking, or get wrinkles out of shirts without ironing, or build a mousetrap for less than $1.00. In the programming world, “hacking” is, quite literally, coding a hack, i.e., writing a bit of program code that solves a specific or unanticipated problem. For example, one of my clients depends heavily on being able to access data on a NAS via certain drive letters. Windows sometimes “forgets” those drive mappings, so I wrote a hack for them, in the form of a batch script, that re-establishes their drive mappings.

The proper word for breaking into a device or account is “cracking”.

Once upon a time, cracking usually involved hacking, although as you’ll see later in this post, that is usually no longer the case. Therefore, I’m going to use the words “crack”, “cracked” and “cracking” when referring to accessing someone’s account or device without permission.

How Can You Be So Sure That My Email Wasn’t Cracked?

The short answer is because cracking the security on email servers is hard, and crooks are lazy.

As I’ve said often, the days when people wrote malware, broke into computers and committed other online mischief just to get a thrill or show off or maybe find a job as a programmer are long gone. That’s not to say people no longer desire those things; it’s just that technology has provided more effective ways to get them.

Nowadays, people trying to get into other people’s accounts are usually trying to steal money. The attempt may be direct, like getting into someone’s bank account, or indirect, like using someone’s e-mail address to send out scammy spam mail that tries to bilk lots of people out of their savings. On rare occasions, the unauthorized access may be the work of an online stalker or cyberbully, but most of the time, money is the motive.

What nearly all modern cyber-criminals have in common is that they’re lazy and impatient. Getting good enough at cracking to breach logon security takes a lot of time, effort and money. That’s why I can be so certain that your email wasn’t cracked. Server software companies learned decades ago that as long as their logon systems were easy to defeat, there would be crackers breaking in, so they made logon systems among the toughest to crack. That’s not to say cracking them is impossible. If you’re enough of a celebrity or your work involves the sort of information that international spy organizations want, there might just be enough motivation for a bona fide professional cracker to break into whatever computer systems you use and get it. And if you’re one of those high-risk individuals, then I recommend you stop reading here and go find yourself a very high-level cybersecurity company to protect your digital assets. But the overwhelming majority of us aren’t worth that kind of effort, and the petty crooks and schnooks who want access to our accounts aren’t motivated, patient or capable enough to crack in.

But someone got into my email! If they didn’t hack/crack in, how’d they get in?

The short answer is that you gave them your email address and password.

Previously, I said that cracking into servers, particularly email servers, is too hard for most of us to be worth the effort, and I stand by that statement. But it’s very easy and inexpensive to trick people into handing over their account logon information, and so that’s what modern cybercriminals do. Here are the most common ways this is done:

Phishing

This is, by far, the most common method of stealing email passwords, as well as other kinds of account credentials, and even personal information. Since we started talking about people thinking their email had been hacked, I’ll pick on that. The perpetrator composes an email message intended to look as though it came from a popular email provider, such as Google (GMail), Yahoo or Microsoft (Outlook.com). The email will claim that your account has been compromised, that the company is cleaning up old accounts and you need to prove that you’re actually using yours so they don’t close it, or some other persuasive come-on to get you to click on a convenient link and log on. If you click on the link, it takes you to a web site that looks like your regular GMail, Yahoo Mail or Outlook.com logon page. And if you then type in your email address and password, it will add those to a list of email account credentials the crook has been collecting, then, most likely, pass you through to your real email account.

The reason you have no recollection of having been phished is because the crooks rarely make use of the addresses and passwords they collect. Instead, they collect them for awhile, then sell their lists on the so-called Dark Web, which refers collectively to shady web sites where stolen information is bought and sold. Whoever buys that list will eventually make use of your credentials, but that probably won’t happen until months after the phishing incident took place.

Malware

While less common than phishing, there have been incidences of malware being used to capture account credentials and report them via the Internet to a server-side program being run by cyber-criminals to collect them, either for their own use or for selling on the Dark Web. A number of data breaches reported by major companies in recent years were perpetrated by such malware.

The most difficult part of using malware to steal account credentials is getting the malware installed on a targeted computer. Computers running up-to-date versions of Windows or Mac OS have enough anti-malware software built right in to foil typical attempts to run malware on them. Some of the corporate data breaches of the last few years were perpetrated by insiders, who were employees who were disgruntled, bribed or new hires who were part of the cyber-criminal ring. In other cases, phishing or tech support scam pages were used to trick employees into turning off their computers’ antivirus software and installing them malware, or allowing a criminal to remote in using common remote control software to run the malware.

OK, so someone got into my email because they have my password. What do I do now?

If you still have access to the account, log into it right away, change the password and make sure your account recovery information, typically a cell phone number and an alternate e-mail address, is set so that you and only you receive account recovery and password change request messages. This will lock out the unauthorized person and any ‘bots sending out spam via your account.

And what can I do to prevent this from happening again?

The single best thing you can do to prevent an account takeover – which is what generally happens after your email account credentials end up in the wrong hands – is to turn on two-factor authentication (2FA), sometimes called multi-factor authentication (MFA). Doing this requires anyone wanting to log into your email to have physical access to a second device, usually your cell phone, in order to log into your account, even if they have your e-mail address and password. That, combined with making sure your account recovery information is up-to-date, makes your account extremely difficult to take over.

2FA/MFA works by either sending a message to your second device anytime you want to log into your email, or by requiring a code generated by a smartphone app, such as Google Authenticator. It’s a minor inconvenience, but one well worth bearing, as it makes an account takeover almost impossible.

2FA/MFA is fine for people who access their email via a web browser, but it was a tough sell for those who use 3rd party email client software, such as Windows Mail and Mozilla Thunderbird, as it locked those programs out. Fortunately, 3rd party email clients have evolved to work with 2FA/MFA or their alternatives. For example, Mozilla Thunderbird can display a GMail logon page, and it is also designed to work with the Oauth2 protocol that GMail uses to allow 3rd party software to work with it.

But it’s so convenient to use the same password for more than just email. Is there anything else I can do to foil phishing?

YES!

For starters, get a password manager that will store your passwords invisibly and securely, will fill them in for you whenever you need to log into something, and can be shared among your computers, phones and tablets. That way, you can have the convenience of just remembering one password – for your password manager – without putting your email and other accounts at risk. Lebowitz IT Services is pleased to offer LastPass subscriptions on a monthly basis to our clients.

For our corporate clients, we also offer MailAssure, a world-class, managed anti-spam system. Anti-spam systems treat most phishing attempts as spam. We also offer Ironscales, another managed solution that targets phishing attempts that get past your anti-spam solution and quarantines it.

Finally, learn to recognize what phishing looks like. Remember the old refrain, “But I read it on the Internet — it must be true!”? Internet access has been commonplace for over 20 years now, but surprisingly, there still people who believe that. Phishing depends heavily on that mindset, or at least on the reader’s unwillingness to think critically about what’s on the screen in front of him. If the e-mail message has a Fifth/Third Bank logo in it, then it must have come from Fifth/Third Bank, right? Well, wrong, actually!

I’ve read many articles that talk about telltale signs that can help you recognize phishing attempts. A logo that doesn’t look quite right or doesn’t match the name of the company that the message purports to be from are two such signs. Misspellings, poor grammar, circumlocutions and stilted wording are others. An email domain name that doesn’t look like the company’s domain name is yet another sign, as are URLs that don’t look anything like the company’s domain name when you hover your mouse pointer over links in the message. But all these require attention and a bit of technical knowledge that not everyone has, and many people don’t have the English skills to spot misspellings and grammar mistakes.

So, is there anything that can tip you off to a phishing attempt even if you didn’t ace AP English or have a degree in Computer Science? Absolutely.

Start by looking at the name of the company the message is supposed to have come from. Have you ever had an account with that company, or done business with them in any capacity? You’d be surprised how many people don’t ask this basic question. If you receive a message saying your Yahoo Mail account is going to be deleted if you don’t log into it *right now*, and you can’t remember ever having a Yahoo Mail account, that’s a sure sign of a phishing attempt. If you receive a renewal notice for McAfee or Norton security software, and you have no recollection of ever buying their software, then the message is most likely a phishing attempt. If you need more evidence, hover your mouse over each icon in the “hidden icons” section of your Taskbar Notification Area. If you don’t find a McAfee or Norton icon there, then you aren’t using their software, and the message is most likely a phishing attempt.

Another question to ask yourself is, “Why would this company send me this kind of message?” Since we’ve been talking about email account cracking and takeovers, let’s pick on GMail. GMail is Google’s email service. Google is a company that has long been accused of keeping too much information about everybody. How much information is too much, what kind of information is appropriate for them to keep, and even whether or not this assertion is true are beyond the scope of this article, but if you accept it as fact, then why would Google need to ask you to log into your GMail account *right now* to confirm that you’re still using it? (I’m just going to let that one sink in for a moment. How is it that the same people who believe Google tracks what they ate for breakfast this morning can be tricked into thinking that Google doesn’t know when they last checked their GMail?)

Finally, think about the propriety of using email, which is generally a non-secure, easily faked means of communication, to reach out to someone whose account has been flagged as problematic. The majority of companies know better than to do that. What they do if their internal checks detect something amiss about your account is they lock your account and simply wait until the next time you try to log in. When you do, they display a message saying that your account is locked and why, and then they direct you to a page where you can take whatever action is appropriate, such as changing your password or contacting Customer Service. So, if you receive a message in your email that notifies you of an account problem, particularly if it includes an all-too-convenient hyperlink to a web form, that’s probably a phishing attack.

If you liked the Choose Which Folders Appear on Start settings in Windows 10, then you will appreciate today’s tip. I am going to show you how this feature was implemented in Windows 11, and how it makes use of otherwise wasted space on the Windows 11 Start Menu.

By default, the Windows 11 Start Menu has a line of empty space along the bottom, outlined in red in the picture below:

The good news is that you can fill that space with shortcuts for things like Documents, Pictures, Network and Settings, just as you may have had in the left margin of the Windows 10 Start Menu. To do that, start by opening Settings. There are a number of ways you can do this, but one good way is to right-click on your Start button and then (left) click on Settings, as shown below.

This will open the Settings window. From there, click Personalization.

From Settings -> Personalization, scroll down (a scrollbar will appear along the right edge if you hover your mouse pointer over it) until you see Start in the right section, then click on it.

From the Start subsection, click on Folders.

You will now be looking at the Folders subsection.

On my computer, I then need to scroll the right section of the window down a bit (again, there’s that hidden scrollbar along the right margin) so I can see all the folders. If your screen is large enough, you might not need to do that. I then click on the Off/On toggles for each “folder” I want to appear at the bottom of my Start Menu, like this:

Note that these are the items I like to have at the bottom of my Start Menu. Your preferences may vary. When you’re finished, simply close the window; there’s no Save button to click. Now, when I click my Start button, my Start Menu looks like this:

The red rectangle won’t appear on your Start Menu. I just added that to highlight my new, useful icons. But here’s something that will appear: If you hover your mouse over one of your new icons, the icon will highlight and a fly-over description will appear. Here’s an example in which I hovered my mouse over the Documents icon:

Have you experienced an increase in simple text messages that appear to be intended for someone else? I have; in fact, I’m receiving, on average, three of them per day, and it’s getting rather annoying. The picture at the top of this post is a recent sample.

You probably have some familiarity with SMS scams, i.e., scams perpetrated by text messages, but this doesn’t look like any of the ones I knew about previously. There’s no link to tap on, no well-known company name, no imperative and no real sense of urgency. And you probably already know to just delete all texts like that without a second thought. (Well, hopefully you already know that. If you didn’t, then consider yourself informed.) But this is just a casual, “how ya doin’?” type of text message from someone I don’t know, and apparently intended for someone else I don’t know. So, what harm could there be in texting back a “Sorry, wrong number” message? Which is exactly what I might have done if I hadn’t been busy when the first one arrived and if a second, third and fourth such message hadn’t arrived so soon after the first.

Plenty, it turns out. I had to do some online digging in order to find out what these harmless-looking messages from strangers are all about. Most of the search hits were predictable: warning after warning to delete, without any kind of response, any text message that exhorts you to tap on a link or call a phone number. But messages like those are direct attempts at phishing – called “smishing” when perpetrated by text message – and I already knew about them. I finally happened upon a video clip of a TV news report about the kinds of text messages I’ve been receiving lately. It turns out that they are a relatively new form of social engineering, and an indirect attempt at smishing.

According to the news report, if you respond to one of these texts, the very least that will happen is your cell phone number will end up on a “suckers list”, a list of people likely to fall for texting scams. But the scammer will also try to strike up a conversation with you. They may include a photo of a pretty woman, if they think you’re male, or a hunky man, if they think you’re female. Depending on the sort of information the scammer wants to get from you, the photo may be more than just a head shot, and the person pictured may be dressed in a sexy manner or not at all. That may be an attempt to get you to share a compromising photo of yourself. (That’s not the scam an old guy like me would fall for, but I’m told that many people in their teens, twenties and maybe even thirties are quick to share semi-nude or even nude photos of themselves.) Or the scammer may try to convince you to share financial information, account credentials or personal information. Ultimately, that information will be used to blackmail you, raid your bank account, charge things to your credit cards or steal your identity.

It’s easy to sit there reading this and say to yourself, “Oh, I would never fall for that!”, but social engineering is the art of gaining your trust in order to convince you to willingly give over whatever it is that the scammer wants. There is no doubt in my mind that the perpetrators of this scam are very good at this. The best way to avoid falling for the scam is not to engage them. Just delete the text without responding.

As far as steps you can take to avoid this scam, there currently aren’t many. You could block the phone number, but the scammers use throwaway phones and phone numbers to perpetrate these scams, so the chances are your next scam message will come from a different number. You could forward the text message to “7726” (spells SPAM on a phone keypad), which all the major US cell phone carriers are supposedly using to collect spam reports. Personally, I couldn’t figure out how to do that from my smartphone without it looking like the spam came from my own number, but maybe it’s easier to do this on your phone. You could call your cellular provider, which might be an attractive option if your cellular account doesn’t include unlimited texting, but if you get as many of these irritating texts as I do, it seems to me that you’ll spend a lot of time on the phone with your cellular provider if you do that. Your best option may be to set your phone to block text messages from all numbers not in your contact list. That wouldn’t work for me, because my cell phone number is my business phone number, but I would seriously consider doing that for a personal cell phone number.

My quest for information also turned up some gleeful reports from people who claimed to have counter-scammed the scammers, by texting back things like “Congratulations, you have successfully subscribed to ‘Prayer of the day’! Your account will be debited $0.50 for each new daily message.”, followed by what appeared to be increasingly desperate attempts by the scammer to cancel the “service”. Take these with multiple, large grains of salt. First of all, all those counter-scam reports I saw were 3+ years old. Second, cell phone scammers are probably savvy enough to know that even if they did opt into such a service and couldn’t cancel it, they could solve that problem with a call to their own cellular provider. That’s assuming they’re using their own cellular account in the first place. If they’re using a throwaway phone or account, they won’t care, because they probably provided stolen payment information to the provider in the first place, and their intention is to just ditch it at the end of the month or whenever the provider gets wise to them and shuts the account down, whichever comes first. So, your best bet is to follow my first piece of advice: do not engage.