
Protecting Yourself and Your Business from Being Scammed and Hacked

Working in IT and cybersecurity, I see many people compromised every month by phishing, hacking, or some other scam, and lately those numbers have increased dramatically.

So what makes these attacks so successful? The human factor. When it comes to social engineering, and the things under its umbrella like phishing attacks, it is easier than you think to fall victim. The majority of people I help resolve these issues never suspected they had fallen for this type of scam. Every day these scammers come up with new methods to find victims, and they make their emails, text messages, and websites extremely convincing.

It all starts with the victim receiving a message (an email, text, or phone call) that looks like it comes from a legitimate organization such as Microsoft, Google, Netflix, or a bank. The scammer can make these messages look quite legitimate. The message will likely include a link for the victim to click, which then directs them to a website the scammer created to fool them into entering their personal information. Ultimately the goal is to collect information from the victim such as usernames, passwords, banking details, social insurance numbers, and so on.

You are probably aware of many of these scams already. With phishing, refund scams, romance scams, tech support scams, and so many more, you really have to pay attention. One day you might get a phone call that shows up on your caller display as a legitimate company, and the caller claims you are owed a refund or that your card is about to be charged for a service; this is the refund scam. The tech support scam is different: you may get a phone call, or while browsing the internet you may get redirected to a scam website that says your computer is locked or that you have an issue that needs to be resolved by support. The website displays a number to call to resolve the issue. These websites try to make it hard to close the screen, and sometimes even try to scare you with an audible warning through your speakers. People fall victim to these every day. You call the number on the screen and talk to someone claiming to be from another company or some kind of support, and they get you to go to a website so they can remotely control your computer. Once connected, they control your machine and try to convince you that something is wrong with it, and ultimately they get you to buy gift cards to pay them to fix the issue, when all along there was nothing wrong.

Most people don’t realize they have fallen victim to these scams until it’s too late. So the attacker now has their password or personal information; what now?

Once you realize you have been compromised, you must change your passwords immediately! Why all of your passwords, you ask, and not just the one you typed into the fake website? Let’s say you divulged your email password, or you have reused that password on multiple sites. The attacker now has access to your email and has logged in looking for other personal information. Your mailbox may hold other passwords, bills, or even credit card details that the attacker can use to compromise more of your accounts or even steal your identity.

So, “I’ve changed my passwords and the attacker can no longer access my accounts; what else can I do to better protect myself?” I recommend setting up Two Factor Authentication (2FA) on your accounts. Two Factor Authentication adds another layer of security. Once enabled, you’ll be asked for your password, and then either a code is sent to you by text message or you generate the code with an authenticator app on your phone. So if an attacker gains access to your password again through a phishing website, they will try to log in, but they won’t have the code sent to or generated on your phone, and so they won’t gain access.

So, “what if someone got into my account, and I’m absolutely certain I didn’t enter my password into a phishing website?” Well, you may have a virus on one of your devices that steals your passwords and sends them to the attacker. In this case you need to run a couple of different antivirus scans. You should already be using reputable antivirus software that is installed and kept up to date on your systems; however, no antivirus program is perfect. Running a free and reputable online scanner, such as the ESET online scanner or Trend Micro HouseCall, as a second opinion will help.

Another way you may have been compromised is that the attacker used software to brute force your password. Brute-forcing software runs through billions of permutations until it finds your password. “So what can I do to combat this?” Pick long, complex passwords of at least 12 characters that contain lowercase and uppercase letters, numbers, and symbols, and avoid using personal information or names in your passwords. A good example of a password is something like “KlopTop5109!”. Another option is a passphrase: something that is easy for you to remember but very tough for a brute-force password cracker to figure out. A good passphrase is something like “Iboughtapplesonmywaytoworkin2020!”.
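As an added example (not from the original post), the script below puts numbers on the advice above: it works out how many candidates a brute-force cracker that knows only the length and character classes of a password has to run through, converts that to an expected search time at an assumed guess rate, checks the post’s 12-character/four-class rule, and flags personal facts reused in a password. The guess rate of ten billion per second, the `meets_policy` and `contains_personal_info` helpers, and the sample facts are this example’s own assumptions.

```python
import math
import string

# Alphabet size contributed by each character class that appears in a password.
CLASS_SIZE = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32 printable ASCII symbols
    "other": 1,                         # space / non-ASCII: counted as one extra symbol
}


def character_classes(password: str) -> set:
    """Which of the classes above occur in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
        else:
            classes.add("other")
    return classes


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must cover when the attacker knows only the
    length and the character classes used (worst case for the attacker)."""
    alphabet = sum(CLASS_SIZE[c] for c in character_classes(password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; every extra bit doubles the search."""
    return math.log2(keyspace(password)) if password else 0.0


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The post's rule: at least 12 characters using lower, upper, digits and symbols."""
    required = {"lower", "upper", "digit", "symbol"}
    return len(password) >= min_length and required <= character_classes(password)


def contains_personal_info(password: str, facts) -> bool:
    """True if any known fact about the user (name, pet, birth year, ...) appears verbatim."""
    lowered = password.lower()
    return any(fact.lower() in lowered for fact in facts if fact)


def average_crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password by exhaustive search: half the keyspace on average."""
    return keyspace(password) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    # Constructed sample: the two passwords from the post plus a weak one for contrast.
    facts = ["Klop", "1985"]  # hypothetical personal facts an attacker might know
    for pw in ["password", "KlopTop5109!", "Iboughtapplesonmywaytoworkin2020!"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"policy={'ok' if meets_policy(pw) else 'FAIL'}, "
              f"personal={contains_personal_info(pw, facts)}, "
              f"avg search at 1e10/s: {human_duration(average_crack_seconds(pw))}")
```

Length is what moves the number: the 12-character example gives roughly 79 bits, the 33-character passphrase over 200, against about 38 bits for an 8-letter lowercase word. One caveat: this is the cost of blind exhaustive search only; a cracker that tries dictionary words, common substitutions, or facts it already knows about you (which is what the personal-information check is for) works through a much smaller list, so a passphrase built from predictable words is weaker than its raw length suggests.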

I recommend using a unique password for every account you have, and changing them twice a year. In fact, many businesses enforce password changes for their employees every 3 months.

People often ask, "if you have different passwords for everything, how do you remember all of them?" I type them often, so remembering them is easy for me. If you have trouble remembering all your passwords, try using a password manager like LastPass or KeePass to keep track of them. The principle behind a password manager is that you remember one complex password to log in to it, and once logged in it shows you all your stored passwords in a safe manner. The password managers mentioned above also encrypt your passwords so other people can’t get to them. Remember, keeping passwords on a sticky note or in a Word document or spreadsheet is never a good idea, because people can easily get access to them.

In summary, I’ve included the primary points below.

• use unique passwords for all your accounts
• use complex passwords as outlined above
• use a password manager if you have trouble remembering your passwords
• change your passwords twice a year; add it to your calendar
• use a reputable and up to date anti virus software on your devices
• when in doubt, use a reputable online anti virus scanner as a second opinion
• stay up to date by reading cybersecurity articles to help protect yourself
• take an online cybersecurity awareness course to better protect yourself
• be cautious with email, phone calls, and everything online
• when in doubt contact your IT team