"I Have Had A Career That's A Magical Mystery Tour Of All The Creepy Stuff That Happens Online"

We're all aware that plenty of "bad stuff" — phishing, hacks, and scams galore — goes down online, but rarely do we think about the people who are actually tasked with fighting it. Allison Miller is one such woman.

"I have had a career that's a magical mystery tour of all the creepy stuff that happens online," Miller says. "I've seen credit card fraud, account hijacking, email spam, social spam, fake dating profiles, and now I'm in the world of phishing and malware."

As a product manager in security and privacy at Google, Miller's job is to identify security risks and find new ways to warn people before they go to unsafe sites — that is, those containing a combination of phishing and malware — with the help of machine learning technology. "It is like a very nerdy, cyber version of being Nancy Drew, if Nancy Drew had a backup crew of robots acting as scouts for her," Miller says. She and her team detect over 50,000 unsafe sites per week.

We talked to Miller about what she's learned behind the scenes, the most common mistakes she sees people make, and what you can do to stay safe online.

"When you're fighting something that is spam or fraud, you're fighting something that's in your system. In order for us to protect consumers on the web, we have to go out and find things on the web. Google has special crawl technology that will detect whole phishing malware.

"When the Safe Browsing infrastructure detects a bad site, the site gets labeled, for example, as 'phishing,' and added to a list. The list is used by other security and anti-abuse systems around Google, and is used by other browsers and app developers to add 'bad site' checks and user warnings into their sites and apps."

"[The other week] I was still waking up when I was checking my Twitter timeline and noticed a promoted ad from a strange looking account promising to 'verify' users, which is a service offered by Twitter itself. Like a lot of phishing, the phishing lure starts off as a message of some kind, and includes a phishy link. I checked and indeed it was phishing. So I reported the ad and account to Twitter, using their in-app tools, and then I checked out the website. Definitely phishy, so I submitted it to Google's phishing report service. Those are all things anyone on the web can do."

"After 15 years of trawling through the bad behaviors making up that dark side of the web, I've come to terms with the idea that all social and economic systems will get gamed by fraudsters and tricksters. But what drives me — understanding how things are connected and helping people — is more of a motivator than the dark side of it being depressing. I'm here and still committed to helping."

"The first is having an attitude of 'Oh, I don't need security,' and assuming it's only for top secret situations, like protecting against hackers, versus things that are more personal, like random trolls or scams that will take advantage of anyone who is vulnerable. There's a basic level of security and privacy everyone deserves.

"The other mistake is [not realizing] when situations are public versus private For example, conversations on social media are essentially public, and inadvertently revealing personal info, like geotagging posts, increases risk."

"I interact with consumer tech like most consumers, although I might take a few steps to keep things a little more locked down. For example, using strong authentication, having good backups, and avoiding apps that want my location or contacts for no good reason. As a fraud expert, I get questions sometimes about whether or not I take extreme steps to avoid getting my credit card compromised. The answer is not really.

"Sometimes online I will use PayPal if I don't want to share my credit card info. On the other hand I've used my credit card in some very shady point of sale locations, like random ATMs in the middle of music festivals. I think the difference is that, since I know what's happening behind the scenes I know what to expect. And that's a huge piece of the puzzle with keeping people safe online, actually: How [do we] provide the right options and features for people who don't necessarily understand how things work or what to expect when confronted with different choices — whether it's backups, encrypted messaging, strong authentication, or sharing selfies? Making sure security works for all of us, wherever we go online, is a big goal. I'm glad to be contributing."

"Think of your 'domain' as a stack: Devices, apps, and accounts, with behavior, choices, data, and communications on top of that.

"Start by looking at your foundation layer: devices. Make sure you turn on auto-backups, keep system software up to date, and turn 'off' things that don't need to be on, like, say, location tracking in certain apps. Also make sure there's a password or pin on your device and don't share it.

"Next up: apps. Be a picky buyer [and only] get apps from trusted sources and check to see what permissions it needs: What data it's going to use and how it's going to use it. Does a flashlight need your location and contacts? Maybe you don't need a flashlight after all.

"Another biggie is accounts. You need strong, unique passwords. Enable two-factor authentication if you can get it. One lazy trick: An authentication concierge, or password manager, does all the work for you. Chrome has a good one built into the browser and there are other options like 1Password & LastPass.

"Lastly, behavior. remember that 'online' is basically public, unless you've taken some advanced moves to lock down your online world. Others won't necessarily respect your boundaries, so make sure you set up your own boundaries."