Not a single day passes without news of people being hacked or scammed and having their life savings stolen along with their private details. It happens to the most careful people and to the most security-conscious companies (lately Nvidia, Samsung and Microsoft). It happened to me as well: hackers tried to take control of my family’s Microsoft accounts, and thousands of dollars were charged to my credit card.
So don’t assume it only happens to others and that you are safe. You’re not. It is only a matter of time before someone tries to break into your accounts and steal from you.
All you can do is make it harder for hackers to get to you, and follow a few practices that let you recover your accounts if you do get hacked. In this section we will talk about:
- Passwords: why the best password is one that even you don’t know. Let a password manager generate and remember it for you.
- Two-factor authentication (2FA): even if a hacker has your password, 2FA requires a second code that only you can produce.
- Security tips and products: follow good security practices. Do you need a third-party security product?
- SIM swapping: how someone can steal your phone number and, with it, take over every account that relies on it.
- Online payment: minimize the risk of your credit card details being stolen.
Before going into the details, let’s review some important concepts:
Social Engineering and Phishing Scams
Social engineering is a manipulation technique that exploits human error rather than technical flaws to obtain personal or confidential information. These schemes lure unsuspecting people into exposing data or granting access to restricted systems. Scammers work out what motivates their target, then use that to deceive the target into handing over assets, whether information, money or access.
Social engineering happens online, over the phone, or in person. It relies heavily on gaining the target’s trust by impersonating a real person or organization, then appealing to strong emotions, especially urgency and fear.
Phishing is a social engineering technique in which scammers try to fool you into acting on a message, most often an email but also a text message or phone call, by sharing sensitive information or clicking on malicious links or attachments.
For example, a scammer may send an email that appears to come from a reputable source, requesting account information. Often these emails claim that immediate action is required to resolve a serious problem. When the victim responds with the requested information or action, the scammers use it to gain access to the account.
The following are some indicators that you may be a target of phishing:
- Spoofed Sender – Check the actual sender address, not just the display name: the name shown is trivially forged, and a lookalike domain behind a legitimate-looking name is a strong sign of an attack. Also check the “TO” and “CC” fields. Is the email being sent to people you do not know?
- Intimidation or Sense of Urgency – Be suspicious of any email that demands “immediate action”, sets a deadline, or otherwise creates a sense of urgency. This is a common technique to rush people into making a mistake.
- Deceptive Links – Be careful with links, and only click on those you are expecting. Hover your cursor over a link before clicking (or long-press it on a phone) to see its true destination. If the destination looks suspicious or does not match what the email shows, the link may be malicious; link shorteners hide the destination entirely, so treat them with the same caution.
- Dear Customer – Be suspicious of emails that use a generic salutation. If a link takes you to a login screen, stop before entering your credentials; reach the site from a bookmark or by typing its address yourself instead.
- Request to Open an Email Attachment – If you receive an attachment you weren’t expecting, or one with an odd file name or extension, look for other red flags before opening it.
- Request for Confidential or Sensitive Information – Any such request should already raise a red flag; legitimate organizations do not ask for your password by email.
- Spelling Mistakes and Bad Grammar – Be suspicious of grammar or spelling mistakes, since most businesses proofread their messages carefully. The reverse does not hold: a well-targeted phishing email is often flawless.
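Most of the indicators in this list can be checked mechanically. The following is an added example, not code from the original article: a small Python script that parses an email message and reports the red flags described above (a display name claiming a brand whose domain does not match the sender address, a Reply-To on a different domain, urgency language, a generic salutation, requests for sensitive data, links whose visible text names one host while the href points to another, plain-http links, and risky attachment names). The brand table, the keyword lists and the two sample messages are all constructed for the demonstration; every address and domain in them is invented.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand-to-domain table (assumption); a real filter would carry an allowlist.
KNOWN_BRANDS = {"example bank": "example-bank.com"}
URGENCY = ("immediately", "within 24 hours", "urgent", "suspended", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
SENSITIVE = ("password", "social security", "card number", "security code")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".lnk")
LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL, tolerating 'www.example.com/x' written without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(msg):
    """Return the red flags found in an EmailMessage as short strings."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Spoofed sender: the display name claims a brand, the address lives elsewhere.
    for brand, domain in KNOWN_BRANDS.items():
        if brand in name.lower() and from_domain != domain and not from_domain.endswith("." + domain):
            flags.append(f"sender claims '{name}' but address domain is {from_domain}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    lowered = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    if any(word in lowered for word in URGENCY):
        flags.append("urgency or threat language")
    if any(greeting in lowered for greeting in GENERIC_GREETINGS):
        flags.append("generic salutation")
    if any(term in lowered for term in SENSITIVE):
        flags.append("asks for sensitive information")
    # Deceptive links: the visible text names one host, the href goes to another.
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        if LOOKS_LIKE_URL.match(visible) and host_of(visible) != host_of(href):
            flags.append(f"link text shows {host_of(visible)} but points to {host_of(href)}")
        if urlparse(href).scheme == "http":
            flags.append(f"unencrypted http link to {host_of(href)}")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT) or fname.count(".") > 1:
            flags.append(f"risky attachment name {fname}")
    return flags

def build_sample(phishing=True):
    """Constructed test messages; every name, address and domain is invented."""
    msg = EmailMessage()
    if phishing:
        msg["From"] = '"Example Bank Security" <alerts@examp1e-bank-support.net>'
        msg["Reply-To"] = "recovery@mailbox-recover.example"
        msg["Subject"] = "URGENT: your account will be suspended in 24 hours"
        msg.set_content("Dear Customer, verify your password immediately.")
        msg.add_alternative(
            "<html><body><p>Dear Customer,</p><p>Unusual activity was detected. Verify "
            "your password immediately or your account will be suspended within 24 hours."
            '</p><p><a href="http://login.examp1e-bank-support.net/verify">'
            "https://www.example-bank.com/secure</a></p></body></html>", subtype="html")
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="statement.pdf.exe")
    else:
        msg["From"] = '"Example Bank" <notices@example-bank.com>'
        msg["Subject"] = "Your March statement is available"
        msg.set_content("Hello Alice, your statement is ready in online banking.")
    msg["To"] = "alice@example.org"
    # Round-trip through bytes so the checker sees what a mail client would parse.
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for flag in phishing_indicators(build_sample()):
        print("-", flag)
```

Run it directly to list the eight flags raised by the constructed phishing message; the clean sample (`build_sample(phishing=False)`) raises none. Keyword matching like this is a teaching device, not a spam filter: it produces false positives on legitimately urgent mail and misses anything phrased differently, which is exactly why the human checks in the list above still matter.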
Make sure to connect to legitimate sites over an encrypted connection
Data exchanged between you and a web server is protected in transit ONLY IF the connection uses HTTPS (HTTP over TLS). To check, look at the address in your browser’s address bar: if it begins with https:// and the browser shows a lock like this one 🔒, the browser has verified that the server holds a valid certificate for the domain name shown, and the data exchanged is encrypted so that nobody between you and that server can read or alter it. The lock does not certify that the site is legitimate: anyone, including a phisher, can obtain a certificate for a domain they control, so an HTTPS lookalike domain shows the same lock. Always check that the domain name itself is the one you intended to visit. If the lock is absent, or the browser warns “Not secure”, do not enter sensitive information, because it can easily be intercepted on the network. Luckily the large majority of web sites now use HTTPS, so the data exchanged cannot be read by third parties in transit.
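To make the limits of the lock icon concrete, here is an added example in Python (not part of the original article) that classifies a URL against the domain you meant to visit. It separates a missing lock (plain http) from the cases where the lock is present but the host is not what it appears to be: a user-info prefix before “@”, the expected domain appearing only as a subdomain of someone else’s domain, digit-for-letter lookalikes, and non-ASCII (internationalised) hostnames. The confusables table and the last-two-labels rule for the registrable domain are simplifying assumptions; production code should use a proper confusables database and the Public Suffix List. All URLs are constructed and the domains are invented.

```python
import unicodedata
from urllib.parse import urlparse

# Small, hypothetical table of substitutions used to imitate letters in a domain name.
CONFUSABLES = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def skeleton(label):
    """Normalise a hostname so common lookalike tricks collapse onto the real spelling."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def registrable(host):
    """Crude last-two-labels rule (assumption); real code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def assess_url(url, expected_domain):
    """Classify a URL against the site the user meant to visit.

    Returns (verdict, explanation). Only 'ok' means both that the connection is
    encrypted and that the host belongs to expected_domain; every other verdict
    except 'no_tls' can still show a lock in the browser.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "no_tls", f"no lock: data sent to {host} can be read or altered in transit"
    if parts.username is not None:
        # https://example-bank.com@evil.example/ : the part before '@' is a username, not the host
        return "userinfo", f"lock present, but the real host is {host}; the text before '@' is ignored"
    if not host.isascii():
        return "idn", f"lock present, but {host} contains non-ASCII characters; compare it letter by letter"
    reg = registrable(host)
    if reg == expected_domain:
        return "ok", f"lock present and {host} belongs to {expected_domain}"
    if expected_domain in host:
        # example-bank.com.evil.example: the real domain is only a prefix of someone else's host
        return "subdomain_trick", f"lock present, but {host} is owned by {reg}, not {expected_domain}"
    if skeleton(reg) == skeleton(expected_domain):
        return "lookalike", f"lock present, but {reg} is a lookalike of {expected_domain}"
    return "other", f"lock present, but {host} is not {expected_domain}"


# Constructed URLs for the demonstration; none of these domains is real.
EXAMPLES = [
    "http://www.example-bank.com/login",
    "https://accounts.example-bank.com/login",
    "https://example-bank.com@login-verify.example/",
    "https://example-bank.com.login-verify.example/",
    "https://examp1e-bank.com/login",
    "https://\u0435xample-bank.com/login",  # first letter is Cyrillic 'е', not Latin 'e'
]

if __name__ == "__main__":
    for url in EXAMPLES:
        verdict, why = assess_url(url, "example-bank.com")
        print(f"{verdict:16} {why}")
```

Five of the six constructed URLs would show a lock in a browser, and only one of those five is the bank. The check a browser performs for the lock (certificate valid for the hostname shown) and the check you perform (hostname is the one you meant) are different checks, and both are needed before typing a password.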