100,000,000 Phishing Attacks every day!!!!!
How you will become their next victim and how to prevent it in 6 easy steps.
A while ago I downloaded a new app for renting Bixi community bikes in Montreal. As part of this I was asked to sign up for a new account, so I used my email address and my "medium security password", you know, the one I always use because it is a bit more complex. Sounds familiar? Then keep reading and see what happened next. The app displayed the following message:
"This password cannot be used as it is associated with your email address and was previously used on another compromised website (not ours). Please use a new password."
WOW, that was a wake-up call. I thought I was doing well with my passwords. How wrong I was.
85% of all data breaches in the world start with somebody somewhere getting hold of a password, and it spirals out of control from there. How does that happen, and why could it happen to you? Keep reading.
Here is how it starts. You receive an email that appears to come from your bank and states:
When you follow the link in that email you land on a page that looks identical to your regular bank login page. The tell-tale detail is the URL in your browser's address bar. Instead of
https://www.onebigbank.com/login it may look like this:
https://onebigbank.businessdiv.com/login THIS IS NOT A DOMAIN OWNED BY THE BANK BUT A FAKE DOMAIN MASQUERADING AS YOUR BANK. Read a hostname from the right: the part somebody had to register is businessdiv.com, and the "onebigbank" in front of it is just a subdomain that the owner of businessdiv.com can create at will. Also check that the address starts with https:// and that there is no "@" sign in it, because the browser connects to whatever host follows the "@", not to the name in front of it.
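The "read the hostname from the right" rule above, written out as a small checker. This is an added example, not code from the original article; the bank domain list and the sample URLs (including the fake one from the story) are constructed for the demonstration. It goes a little beyond the text by also catching the "@" user-info trick, plain http, and lookalike non-ASCII letters.

```python
from urllib.parse import urlsplit

# Domains the bank really owns. Constructed for this example; in real life this
# is the address you bookmarked, not something you read off an email.
BANK_DOMAINS = {"onebigbank.com"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody had to register.

    Hostnames are read from the RIGHT: in onebigbank.businessdiv.com the
    registered name is businessdiv.com and "onebigbank" is a subdomain its
    owner can create at will. This "last two labels" rule is enough for .com
    but wrong for multi-part suffixes such as co.uk; a production check should
    consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_the_bank(url: str):
    """Return (ok, reason) for a login URL, the way a careful reader would judge it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return False, "no hostname in URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        # https://www.onebigbank.com@evil.example/login : everything before the
        # '@' is a user name; the browser connects to the host that follows it.
        return False, "user-info trick, real host is " + host
    if any(ord(ch) > 127 for ch in host):
        # A lookalike letter (e.g. Cyrillic 'a') makes it a different domain.
        return False, "non-ASCII lookalike characters in host"
    domain = registrable_domain(host)
    if domain not in BANK_DOMAINS:
        return False, "registered domain is " + domain + ", not the bank"
    return True, "registered domain is " + domain


# Constructed sample URLs; the second one is the fake from the story above.
SAMPLE_URLS = [
    "https://www.onebigbank.com/login",
    "https://onebigbank.businessdiv.com/login",
    "https://www.onebigbank.com.secure-login.example/login",
    "https://www.onebigbank.com@evil.example/login",
    "http://www.onebigbank.com/login",
    "https://www.onebigb\u0430nk.com/login",  # Cyrillic 'а' instead of Latin 'a'
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, reason = looks_like_the_bank(url)
        print("OK   " if ok else "FAKE ", url, "->", reason)
```

Only the first sample passes; every other one is rejected with a reason that names the trick, which is exactly the reading a person should do before typing a bank password.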
On that login page you are likely to enter all your banking login details and hit ENTER. BANG, your login details are compromised.
But it does not end there. The site will now say: "Sorry, we could not authenticate you, please use one of our partner logins to sign in." Then they offer you the choice of GMAIL, FACEBOOK and TWITTER.
So you fill out the GMAIL sign-in and get the message: "Sorry, we could not authenticate you, please use Facebook Login Authentication." And so on. At the end you get a message that states "Sorry, you are having trouble. Please try again later."
At this point you have handed over the login details to your most vital and mission-critical accounts.
Now the TROUBLE REALLY STARTS:
First they get into your email, which lets them see who you do business with. They send emails about "fraudulent bank transactions" to all your contacts and gain more access that way.
Then they send malicious files from your email address to all your friends: fake documents that entice them to click. These files of course carry either remote-access programs or keystroke loggers that send every keystroke (passwords, user IDs and the websites they belong to) back to the attacker. If your friends reply and ask whether this is for real, the attacker answers from your email address (using an autoresponder set up to react to the original subject line): "Yes, this is real, please check the attached document as soon as possible." Remember, they control your email account.
Access to your email lets them cause even more breaches, because the password-reset links for most of your other accounts land in that same mailbox.
With your banking details they log into your bank and e-transfer money out until it is gone.
With access to PayPal they buy things until your PayPal balance and the credit card attached to it are maxed out.
They collect all the details of your credit cards, which they can then sell on the dark web.
They apply for more credit cards in your name, eventually compromising your identity completely and stealing it.
NOT A GOOD DAY FOR YOU. ALL FROM ONE EMAIL THAT GOT HOLD OF YOUR PASSWORDS!!!!!
Remember, the same can happen to your employees at work with business accounts and business email. The financial damage to a business is even bigger.
HOW DO YOU PREVENT THIS FROM HAPPENING TO YOU?
Follow these simple steps starting today! DO NOT POSTPONE A SINGLE DAY!!!!!
1. USE A COMMERCIAL VIRUS/MALWARE PROGRAM
Install a commercial virus/malware program on ALL your devices. I tried out many and ended up with Bitdefender (Bitdefender.com); interestingly, even the worst ones you buy are better than the FREE ones like Microsoft Defender. Don't rely on those! This will catch most of the malicious mails and warn you about already installed malware, trojans and keystroke loggers.
2. USE A PASSWORD KEEPER PROGRAM OR APP
Get a commercial "password keeper program". I use and recommend Keeper (keepersecurity.com), but others like LastPass are great as well. DO NOT get a FREE password vault from an unknown publisher, especially a random one from the Google Play Store for Android: an app you cannot vet may store your passwords badly or send them straight to whoever wrote it instead of securing them. Definitely worth spending some money here. All you need to remember now is ONE GOOD PASSWORD to open the encrypted vault.
3. MAKE A LIST OF ALL MISSION-CRITICAL ACCOUNTS.
Make a list of all your mission-critical accounts (email, banking, government, social, etc.) and make sure NONE of them shares a password with any other account!!!!!
4. DON'T USE THE SAME PASSWORD EVERYWHERE!
OMG, I can't remember all my passwords as it is. You are right, but that is because no one has ever told you how to do it. Here is my recommendation for ALL YOUR PASSWORDS FROM NOW ON: create a password system that you remember, instead of remembering individual passwords.
First of all, passwords need to be at least 8 characters and include numbers, capitals and special characters. Longer is better; 12 or more is a safer minimum today.
Here is an easy sample system you can use:
a. Start with a special character like # (always the same)
b. Add a number like 3 (always the same)
c. Add a capital like H (always the same)
d. Add the name of the website with its first and last character removed, e.g. aceboo for Facebook (add * if fewer than 4 characters remain)
e. End with a special symbol like "!"
Your passwords could look like this: Facebook: #3Haceboo! Twitter: #3Hwitte! Gmail: #3Hmai*!
With this system you have complex passwords that are different for every site, and you can remember them as long as you remember your system. One caveat: the system is only as secret as its pattern. Anyone who finds one of these passwords next to your email address in a breach dump can guess the others simply by swapping in the site name. So use this scheme only for the few passwords you must type from memory, and let the password keeper from step 2 generate long random passwords for everything else.
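The scheme in steps a to e, implemented so you can see both what it produces and what an attacker can do with a single leaked password from it. This is an added example, not code from the original article; the prefix "#3H", the suffix "!" and padding the site fragment up to 4 characters with "*" follow the page's own rules, and the "guess the sibling" and random-password functions are the editor's additions.

```python
import secrets
import string

# The fixed parts of the scheme from steps a, b, c and e (the page's own choices).
PREFIX = "#3H"
SUFFIX = "!"
MIN_CORE = 4      # step d: pad with '*' when fewer than 4 characters remain (assumed: pad up to 4)
MIN_LENGTH = 8    # the page's minimum password length


def site_core(site_name: str) -> str:
    """Step d: the site name without its first and last character, padded with '*'."""
    core = site_name.lower()[1:-1]
    return core + "*" * max(0, MIN_CORE - len(core))


def site_password(site_name: str) -> str:
    """Steps a to e applied to one site name."""
    return PREFIX + site_core(site_name) + SUFFIX


def meets_rules(password: str) -> bool:
    """The page's minimum: 8+ characters with a digit, a capital and a special character."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isdigit() for c in password)
        and any(c.isupper() for c in password)
        and any(c in string.punctuation for c in password)
    )


def guess_sibling(leaked_password: str, leaked_site: str, target_site: str):
    """What an attacker does with ONE leaked pattern password: swap the site part.

    Returns the guess for target_site, or None when the leaked password does
    not contain the expected site fragment (i.e. it was not built this way).
    """
    core = site_core(leaked_site)
    if core not in leaked_password:
        return None
    prefix, _, suffix = leaked_password.partition(core)
    return prefix + site_core(target_site) + suffix


def random_password(length: int = 16) -> str:
    """What a password keeper generates instead: unrelated to any site name."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_rules(candidate):
            return candidate


if __name__ == "__main__":
    for site in ("Facebook", "Twitter", "Gmail"):
        pw = site_password(site)
        print(site, pw, "meets rules:", meets_rules(pw))
    # A breach dump that contains the Facebook password gives away the rest.
    print("Twitter password guessed from the Facebook leak:",
          guess_sibling(site_password("Facebook"), "Facebook", "Twitter"))
    print("Random password from a keeper:", random_password())
```

All three pattern passwords pass the page's complexity rules, and the single Facebook leak is enough to reproduce the Twitter one exactly; the random password cannot be derived from any other.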
5. USE 2-FACTOR AUTHENTICATION!
Most reputable websites now offer 2-factor authentication. It may have to be turned on in the security settings. 2-factor authentication requires you to supply a one-time login code in addition to your user ID and password. Once you enter the ID and password, the website either sends a code to your phone by text message or asks for the code that an app like Google Authenticator generates on your phone, and you enter that code as well. Many sites remember a device after the first time so you don't have to do it at every login. The important part is that IF SOMEBODY HAS BOTH YOUR USER ID AND PASSWORD and tries to log into one of your accounts, you suddenly get a code or an approval prompt you did not ask for. You know it wasn't you, so somebody has both your ID and password: your password has been compromised somewhere. Prefer an authenticator app or a hardware security key over text messages, because text messages can be redirected by somebody who takes over your phone number, and never type a code into a page you reached from a link in an email, because a phishing page can pass your code straight on to the real site while it is still valid. Here is a link where you can find ALL sites that offer 2-factor authentication: https://twofactorauth.org/ If you can, avoid using any sites that don't offer it.
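What an authenticator app actually does when it shows a code, as an added example that is not part of the original article. It implements the standard time-based one-time password (RFC 6238, built on RFC 4226 HOTP) that Google Authenticator and similar apps use; the enrollment secret below is the RFC's published test secret, base32-encoded the way a setup key in a QR code is, and the "attacker's guess" at the end is constructed for the demonstration.

```python
import base64
import hmac
import struct
import time

STEP = 30    # seconds per code, the value authenticator apps use
DIGITS = 6   # code length shown to the user


def secret_from_base32(text: str) -> bytes:
    """Decode the shared secret as it appears in the setup key / QR code."""
    key = text.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)          # restore padding that setup keys omit
    return base64.b32decode(key)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since epoch."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server side: accept the current code or one `window` steps either side (clock drift)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * STEP), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed enrollment using the RFC 6238 test secret "12345678901234567890".
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("code right now:", code, "-> accepted:", verify(secret, code, now))
    # The phishing site in the story has your password but not this secret,
    # so a made-up code is rejected (a chance hit is about 3 in a million).
    print("attacker's guess accepted:", verify(secret, "123456", now))
```

The point for the story above: the code depends on a secret that only your phone and the real site hold, so the phished password alone does not produce it. The protection only holds if you refuse to type the current code into the phishing page, because within its 30-second window the attacker can replay it to the real site.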
6. THINK BEFORE YOU CLICK
Assume that many mails you receive are phishing attempts, even from people you know (see the example above). Think before you click: would that person really send you this document? Their account may be compromised. Remember they may be replying to a previous mail with a subject line that was once legitimate. If you are not sure, don't just reply to the mail, and certainly not under the same subject line, because an autoresponder on the compromised account will answer from that person's own email address. Better to call or text that person to confirm.
If you follow these steps you will not join the many people who have already been hacked and are in danger of having their identity and money stolen.
Share this with your friends.
Certified Digital Consultant