- Do Create a Strong, Long Passphrase – Strong passwords make it significantly more difficult for hackers to crack and break into your accounts. Strong passwords are considered over ten characters in length and made up of both upper and lowercase letters, numbers, and symbols. Some of the easiest-to-remember passwords aren’t words at all but collections of words that form a phrase or sentence, perhaps the opening sentence to your favorite novel, or the opening line to a good joke. Complexity is nice, but length is key.
- Do Use a Password Manager - There are several online third-party services that can help you safeguard sensitive passwords, including LastPass, DashLane, and 1Password that store passwords in the cloud and secure them all with a master password. If entrusting all your passwords to the cloud worries you, consider using a local password storage program on your computer, such as Roboform, PasswordSafe or Keepass.
- Do Implement Two-Factor Authentication - Two-factor authentication has fast become a standard for managing access to resources. In addition to traditional credentials like username and password, users have to confirm their identity with a one-time code sent to their mobile device. You can find a list of services that use multi-factor (or two-factor or two-step) authentication here: https://twofactorauth.org/
- Don’t Use Easily Guessed Passwords – passwords such as “password,” “abc123”, etc. are typically the first passwords tried by an attacker, who likely has thousands of such passwords in a table ready for a program to try automatically.
- Don’t Use Adjacent Keyboard Combinations - for example, “qwerty,” “asdzxc,” and “123456,” etc. are also likely already in password tables that attackers use to attempt to access your account and are trivial to crack.
- Don’t Use Dictionary Words - even amateur hackers have programs that search through tens of thousands of dictionary words. Avoid dictionary words to help prevent your business from being a victim of a dictionary attack program.
- Don’t Reuse Passwords - Use different passwords for every account. Otherwise, if one account is breached, other accounts with the same credentials can easily be compromised. Your bank password, for example, should always be a password you never use anywhere else.
- Don’t Ever Tell Someone Your Password Over the Phone - Companies never contact their customers and ask for passwords over the phone. Crackers pose as tech support personnel from an ISP and obtain passwords from unsuspecting customers.
What is Phishing?
Phishing is a form of fraud. The attacker pretends to be someone else in order to obtain information such as login credentials. These attacks use various communication channels such as email, text, social networking, phone, and even face-to-face conversations. The attackers employ social engineering techniques to trick the victim into giving up the information willingly.
Spotting a Phishing Attack
- The email (or other form of communication) will often look as if it is from a trusted company (like Netflix) or someone high up in the company you work for (such as the CEO).
- It will often ask for you to do something that requires login credentials and will provide a login link. This link usually directs to a URL that is similar to the real login page, but has changed, added, or removed a character or two. Sometimes they appear to direct you to a subdomain but it is really an entirely different site. The forms found on these pages look like the real login forms.
- Grammatical and typographical errors are often in abundance in these messages and are a hint that you should examine the message closely.
- It is often written in such a way that it invokes a sense of urgency. For example, it might say your Netflix login has been compromised, so your password needs to be changed, and to click the link to begin the process. Or it might ask you to send your CEO a wire transfer using the link. Why is your CEO asking you, specifically, to send a wire transfer?
Avoiding a Phishing Attack
- Check who the message is from. Were you expecting a message from them? Does it make sense for them to be messaging you?
- Check for obvious errors. Many phishing messages contain multiple and easy to spot errors in grammar and typos.
- Do not open attachments in suspicious emails. Phishing emails often contain malicious attachments. These attachments can infect your computer and cause different problems. The attachments often ransomware (or a way of downloading it) that will hold your data captive until you send payment somewhere. Sometimes the attachments contain malware that allows the attacker to gain remote access or view your keystrokes.
- Don’t click links in suspicious messages. It’s always better to login the way you normally do. The links might look right, but they could just be close approximations of the real URL with a character changed in a not-so-obvious manner.
- Check the URL in the address bar. If you did click a link in an email, check the address bar. Be sure the URL is correct and not a fake. Sometimes they even look like a valid subdomain but are really a different top-level domain.
- Consider using a password manager. Password managers, like LastPass, not only help you keep track of all your passwords, they also recognize the URLs and won’t try to fill in the login form on an unrecognized URL. If you know there is a password for the site saved in your password manager, but it isn’t automatically filling in the login form, then be suspicious about that login form and do your due diligence before continuing. Even better, just go to the normal login page.
- Use Multi-Factor or Two-Factor Authentication on your personal accounts. Many sites now offer the ability to enable Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA). When enabled, it adds a second step to the login process that makes it more difficult for phishing attacks to work. Usually this is in the form of a code sent to you via text, email, or app on your phone. It might seem like a pain at first, but a few extra seconds logging in is worth it to avoid being phished, especially on sites with access to sensitive data.