Hackers don’t break in; they log in

8 Apr

When we think of hackers, we tend to visualise clever online criminals who use sophisticated software to decode or crack passwords and gain access to accounts. In most instances this just isn’t the case, as many people unwittingly hand their password over to a hacker without even realising it.

Cybersecurity officials are faced with the same reality: passwords are being stolen and advanced hacking tools are not always needed.

How it happens

So, how does a hacker get access to an employee’s user name and passwords?  We take a look at the most usual hacking methods below:

  • Phishing emails

One of the most common ways for a hacker to get a password without using technology is to ask for it. Yep, it sounds awfully easy, but one thing you need to realise is that for an experienced hacker, it is as simple as that.

Phishing scams are the most prominently used form of password acquisition. It requires no software, but rather involves a hacker pretending to be someone trustworthy or an official person. They usually make contact by email or telephone and make a very convincing story.

The email signature may include the company’s correct telephone numbers and website address, tempting people into trusting the communication.

During a one-on-one conversation about the specific account, the “official” (who is actually an opportunistic hacker) will request bits and pieces of information from you such as your username, your card number, your account number, your ID number and so on.

At some point in the communication, you may receive a link to a website where you are required to input your user name and password. Of course, the hacker now has the user name and password and can then use the employee’s account to send out seemingly trustworthy communications, authorise transactions, and carry out various functions on business systems while flying under the radar.

  • Typosquatting

Typosquatting is a form of phishing that was “big” a few years ago. For quite sometime it fell away, but trends show that cybercriminals are revisiting this type of phishing.

The cybercriminal will hijack a company’s domain by registering website URLs that are very similar to the original website address. If you are attentive to detail you might notice spelling errors in the website address before you click on it! However, if you don’t pick this up and visit the website, it will look almost identical to the official website. At this point you will be asked to log into your account by inputting your username and password, which is how your password is received by the hacker.

  • Spear Phishing

Spear phishing is another type of phishing where the hacker creates fake social media pages or online blogs in the name of their persona. The cybercriminal will put in a considerable amount of effort adding mutual friends and populating the pages in order to make the page look more trustworthy and reliable.

This type of phishing is used to give a persona credibility which then makes it easier for the criminal to communicate with victims and deceive them into sharing personal information.

The Reality

The reality is that sophisticated hackers don’t actually need sophisticated software to get your user name and password. Most often, they rely on clever trickery to get you to unwittingly hand over your password.

In essence, a hacker merely needs to have basic web design skills (to create website log in pages), social media skills (to create credible SM pages), and an educated and well-spoken approach to communicating either online or telephonically.

What Can You Do?

Doing regular data backups to a cloud based service that offers data encryption will keep your sensitive information safe, especially if your device or system is hacked and your data is breached. You should also be aware of:

  • Any emails requesting that you change your user name and password by clicking on a link. In this instance close the email, look up the official contact details of the company (do not use the details listed in the email) and make a personal enquiry into the legitimacy of the email.
  • Link attachments in emails, even if the source seems legitimate. Unsolicited emails might not raise a red flag in your mind, but they should.

Ensure that:

  • You have up to date anti-virus software and firewalls in place to flag suspicious behaviour on the device.
  • You update your software and systems regularly to ensure that any bugs and vulnerabilities are consistently updated and eliminated.

Take responsibility for the safety of your data and take action

Educate your staff members on the risks of cyberattachs, phishing and hackers, and always have an alert and aware approach.

Need more advice and solutions to data safety concerns? Contact Soteria Cloud today.

Comments are closed.