This week I received a really disturbing email.  

It was a spear phishing scam that contained a password I recognized.

For about 10 seconds, I was really worried—which is exactly what the scammer wanted. Having my email address and a familiar password lent credibility to the scammer’s claims that they had hacked my accounts.

And for a second, I considered sending them the bitcoin that was demanded.

Recognizing the Spear Phishing Scam  

I was able to quickly determine that the password that had been compromised was likely stolen during the Target hack. 

Thanks a lot, Target!  

How do I know this?

Because every online account I have is stored in a password management application, which allowed me to quickly determine where the username and password known to the hacker had been used. Fortunately, I knew it was old and no longer in use.

You see, hackers depend upon you having the same password for multiple accounts and use this to their advantage. They leverage computer bots to try known username and password combinations by brute force on any site where they might be able to steal from you if they are successful.

Instead of using “memorable” passwords, I rely on complex, random ones. Because I have a password management application, recalling and using these are simple. I can retrieve my passwords from my computer or my phone, copy my passwords, and paste them. The result is that I rarely have to type a crazy-complex password by hand.

Spear Phishing Scams Are on the Rise

Thanks to following this cybersecurity best practice, I was able to recognize and escape this spear phishing attack.

The problem is, this scam isn’t an isolated event.

My company’s help desk is seeing a big surge in tickets due to these spear phishing emails getting through the anti-spam tools we use. Our clients are worried, and understandably so.

So I am here to tell you: Don’t freak out. And please don’t pay.  

But there are some things you should consider doing.

I am probably not the first to tell you that there is no such thing as “easy” security on today’s internet. I know changing your password habits will be a pain in the neck. However, the bad guys are stealing more sensitive information (like passwords) every day. Your money and your privacy are at risk.

Huge databases of stolen passwords are available on the dark web. And if you do not start using better habits ASAP, you will eventually get robbed. If you are reading this, please take the following tips to heart.

Tip #1: Do not use the same password for more than one account.

As I said, scammers know that individuals tend to use the same passwords over and over again. Relying on a handful of passwords increases the likelihood that a single breach of someone else’s data could impact you and even your business.  

Tip #2: Leverage a password management tool.

Don’t let having a different password for every account create frustration. Avoid headaches with a password management tool that creates unique, complex passwords and securely stores them using encryption.  

At Proactive IT, we use a cloud-based, secure password management system that works well for teams and individuals.

Tip #3: Don’t let passwords stay stagnant.

Change the password on important accounts frequently: monthly, quarterly, or as often as you can stomach.

Tip #4: Use two-factor authentication (2FA) wherever possible.

With 2FA, a second layer of protection is in place that helps prevent logins to your account if only a username and password are known. It’s important for all organizations—but especially for financial sites.

If you are interested, this link allows you to check and see if your account may have been compromised: https://haveibeenpwned.com. When I did so, I discovered that, of my three email addresses, only my newest one hasn’t been stolen from someone else’s database yet. How’s that for disturbing?
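An added example, not part of the original post: a short Python audit that does what the password manager made possible above, finding accounts that share a password in a (constructed, made-up) vault export, and prepares the k-anonymity lookup used by the Pwned Passwords range API at api.pwnedpasswords.com, a companion to the account check at haveibeenpwned.com that the post links; the network call itself is left to the reader.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a password-manager export (made-up accounts and
# passwords for illustration only).
VAULT = [
    {"site": "mail.example", "user": "steve@example.com", "password": "Winter2013!"},
    {"site": "shop.example", "user": "steve@example.com", "password": "Winter2013!"},
    {"site": "bank.example", "user": "skennen", "password": "x9#Qm2!vL8$pZr4w"},
    {"site": "forum.example", "user": "steve", "password": "Winter2013!"},
    {"site": "news.example", "user": "steve@example.com", "password": "correcthorse"},
]

def find_reused_passwords(vault):
    """Group accounts by password and return only passwords shared by two
    or more accounts. Keys are SHA-1 digests, so the report lists digests
    rather than plaintext passwords."""
    by_hash = defaultdict(list)
    for entry in vault:
        digest = hashlib.sha1(entry["password"].encode("utf-8")).hexdigest().upper()
        by_hash[digest].append(f'{entry["user"]} on {entry["site"]}')
    return {h: sorted(accounts) for h, accounts in by_hash.items() if len(accounts) > 1}

def hibp_range_query(password):
    """Split a password's SHA-1 hash the way the Pwned Passwords range API
    (https://api.pwnedpasswords.com/range/<prefix>) expects: only the first
    5 hex characters are sent; the remaining 35 are matched locally against
    the returned list, so the service never learns the full hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, response_text):
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the password was seen in known breaches; 0 means not found."""
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        found_suffix, count = line.strip().split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    for digest, accounts in find_reused_passwords(VAULT).items():
        print(f"password {digest[:5]}... reused on {len(accounts)} accounts: {accounts}")
    prefix, suffix = hibp_range_query("Winter2013!")
    print(f"query https://api.pwnedpasswords.com/range/{prefix} and look for {suffix}")
```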

These aren’t the only actions you should take, but they comprise a good start. I’d also recommend consulting your business’s trusted IT advisor for help.   

If you are a business owner located in Charlotte, reach out to me to protect your organization from security hacks and spear phishing attempts.

May safe internet use be with you!

Steve Kennen, president of Proactive IT and cybersecurity expert

About Steve Kennen

As an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for small businesses, Steve spearheads initiatives that keep his clients secure and their business operations running smoothly. His core message is that the details matter.