Cybercriminals are targeting us every day in our work and our personal lives. 

Attackers are using the same tactics while applying different messages to elicit the information they seek. To an attacker, a username and password combination is the basic currency to be gained across all types of attacks. The weakness they exploit most is our passwords.




According to a 2022 identity exposure report, most consumers share the same password across multiple websites. Attackers know this and use a password they’ve stolen elsewhere to access your online banking account, email account, and any other system sharing that password. 

For us in the workforce, a username and password combination may allow an attacker to breach a company’s network and access sensitive information. In the worst cases, attackers can elevate their permissions to those of a system administrator, which grants complete access to all critical infrastructure. With administrative access, they can deploy ransomware that locks the business’s key systems until a ransom is paid.

Thankfully, there are strategies we can all practice to stay safe online and prevent ourselves from falling victim to these types of attacks.

Good Home Network Security


Securing your home network is often the easiest place to start ensuring your online identities stay safe. 

First, select a good Wi-Fi password or passphrase for your home network, so that only devices you have authorized can join it.

Next, configure all devices to automatically apply updates. This includes the obvious, like PCs, routers and cell phones. However, the numerous other Internet of Things (IoT) devices on your home network can also be targeted, including streaming devices, video game consoles, webcams and even smart refrigerators.

Lastly, practice safe web browsing to help keep your home network safe. Avoid installing free software or clicking on pop-up messages or other banners, especially those claiming your computer is infected. Often, free software downloads are bundled with questionable scripts that at best render your computer extremely slow, and at worst contain remote access tools or keyloggers, software that records your every keystroke.

According to the 2022 FBI Internet Crime Report, tech support fraud often leads to investment account takeovers resulting in billions of dollars in losses per year. 

Keep Up with Prudent Password Practices

Access to valuable information and finances is protected by a simple, yet crucial measure: the password.

Safe password practice has three basic parts:

1. Creating a strong password

2. Not reusing a password

3. Not sharing a password with others

The longer the password, the stronger it is, especially those that are twelve or more characters. Also, creating unique passwords for each site makes it more difficult for an attacker to jump from one website to another using your password.

Passphrases are another great tool for creating secure passwords. A passphrase consists of several (often three or more) random words separated by a mix of spaces, symbols and numbers. Passphrases are easy to remember, easy to type and extremely difficult to guess.

Passphrase generators, like the one at untroubled.org, can be a useful resource, or look around your house and play I spy with three random objects. For example, Mixer.Coffee.Kitty2 is long, random and has plenty of complexity.
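The generator below is an added example, not code from the article or from untroubled.org. It builds passphrases in the Mixer.Coffee.Kitty2 style described above and computes how many bits of guessing work the scheme gives an attacker who knows the word list; the twelve-word list and the separator set are constructed for the demo, and a real generator would use a large published word list.

```python
import math
import secrets
import string

# Constructed word list for the demo. Assumption: in practice you would use a
# large published list (thousands of words); a tiny list makes weak passphrases.
WORDS = ["mixer", "coffee", "kitty", "lamp", "window", "carpet",
         "pencil", "garden", "bottle", "mirror", "basket", "candle"]
SEPARATORS = ". -_"   # mix of space and symbols placed between the words


def generate_passphrase(words=WORDS, n_words=3, separators=SEPARATORS, n_digits=1):
    """Build a passphrase: n_words random capitalized words, a random
    separator in each gap, and n_digits random digits at the end.
    secrets.choice is a CSPRNG; never use the random module for this."""
    parts = []
    for i in range(n_words):
        parts.append(secrets.choice(words).capitalize())
        if i < n_words - 1:
            parts.append(secrets.choice(separators))
    parts.append("".join(secrets.choice(string.digits) for _ in range(n_digits)))
    return "".join(parts)


def entropy_bits(list_size, n_words=3, n_separators=len(SEPARATORS), n_digits=1):
    """Bits of entropy when every word, separator and digit is chosen uniformly,
    assuming the attacker knows the scheme and the word list (Kerckhoffs)."""
    return (n_words * math.log2(list_size)
            + (n_words - 1) * math.log2(n_separators)
            + n_digits * math.log2(10))


def meets_length_rule(passphrase, minimum=12):
    """The article's rule of thumb: twelve or more characters."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, "length ok:", meets_length_rule(pw))
    # Same scheme, different list sizes: the list size dominates the strength.
    print("12-word list:  %.1f bits" % entropy_bits(len(WORDS)))
    print("7776-word list: %.1f bits" % entropy_bits(7776))
```

With the demo list the scheme yields only about 18 bits, while the same three-word format drawn from a 7,776-word list gives about 46 bits, which is why the word list, not the separators, is what makes a passphrase hard to guess.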

Use Multi-Factor Authentication

When logging into secure websites, like that of a healthcare provider or banking institution, users are often required to enter a 6- or 8-digit random PIN code sent to their email or cell phone. This prevents an attacker from gaining access to sensitive information with a password alone.

Requiring an extra PIN code ensures that there is an additional piece of information to which only the user should have access. This practice is called Multi-Factor Authentication. Multi- or Two-Factor Authentication (MFA or 2FA) is an additional layer of protection that requires two of the following: something you know, something you have or something you are.

• Something you know is your password.

• Something you have is the 6-digit code.

• Something you are is a biometric, such as Face ID or a fingerprint.

Rather than sending MFA codes to an email address, it is highly recommended to use SMS or an authenticator app, like Duo Mobile or Google Authenticator, to receive or generate these random codes. If attackers gain access to an email account using a stale password, the extra layer of protection that MFA offers is rendered useless.

Learn to Spot Suspicious Messages

Attackers will send text messages, emails or direct messages on social media to convince users to give up their password. These messages often:

• Come from a familiar sender.

• Contain a link to an imposter website.

• Will attempt to cause fear or alarm.

A common example of one of these messages could say, “Someone in Indiana has requested to be linked to your checking account” or “You made an attempt to change your debit card PIN.”

First, check if the message came from a known source. If the sender is unknown or looks suspicious, these messages can almost certainly be regarded as a scam. However, it is easy for attackers to change the name on their email account to resemble that of an authentic company or institution. The next step is to check the email address or phone number. An email address that doesn’t include the same ending as a company’s website address is a red flag.

Scam messages often warn users of a problem, as well as offer a quick and easy solution, typically in the form of a website or tool linked within the message. However, by following the advice of these messages or clicking any accompanying links, users may be walking right into an attacker’s trap. Sometimes, these links lead to copycat websites intended to look authentic, enticing users to enter their usernames and passwords. Once attackers have this information, they will begin to determine how to do the most harm.

The best course of action with a suspicious message is to ignore it and instead reach out directly to the financial institution or company in question. Speaking with customer service can quickly verify the authenticity of any messages regarding one’s account.
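The sender check described above, as an added example that is not part of the article: it looks past the display name, which the attacker chooses freely, and compares the address's domain with the company's known domain on label boundaries. The trusted domain and the sample headers are constructed for the demo.

```python
from email.utils import parseaddr

# Constructed for the demo: the domain(s) a company's genuine mail comes from.
TRUSTED_DOMAINS = {"examplebank.com"}


def sender_domain(from_header):
    """Return the lowercase domain of the actual address in a From: header,
    ignoring the display name (the part attackers change to look familiar)."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def sender_is_trusted(from_header, trusted=TRUSTED_DOMAINS):
    """True only if the domain is a trusted domain or a subdomain of one.
    A plain substring test would accept examplebank.com.verify-now.net,
    so the comparison is anchored on a dot boundary."""
    domain = sender_domain(from_header)
    if domain is None:
        return False
    return any(domain == t or domain.endswith("." + t) for t in trusted)


# Constructed sample From: headers (not real messages).
SAMPLES = [
    '"Example Bank Alerts" <alerts@examplebank.com>',          # genuine
    '"Example Bank" <security@mail.examplebank.com>',          # genuine subdomain
    '"Example Bank Security" <examplebank@mail-alerts.biz>',   # familiar name, wrong domain
    '"Example Bank" <alerts@examplebank.com.verify-now.net>',  # company domain as a prefix
    "Example Bank <alerts@examp1ebank.com>",                   # look-alike domain
]

if __name__ == "__main__":
    for header in SAMPLES:
        verdict = "trusted " if sender_is_trusted(header) else "RED FLAG"
        print(verdict, "-", header)
```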

Stay Vigilant

By performing these basic tasks, users can protect themselves from most modern attacks. Maintain a secure home network with devices set to auto-update. Use strong passwords, and never use the same password twice. Take advantage of multi-factor authentication apps to add an extra layer of security to your information. Lastly, avoid falling victim to scammers attempting to glean sensitive information. Ignore alarmist messages and never click a link from an unknown sender.


Author: John Stream is the CISO and an information security expert with local IT consulting firm, SwitchThink, which is a subsidiary of Desert Financial Credit Union.