Say what you will about the thieves who ply their trade in the digital realm, you can’t deny they put in a hard day’s work. After all, according to Verizon’s just-released 2016 Data Breach Investigations Report, which analyzed an astounding 100,000 digital security incidents last year, these crooks continue to succeed at stealing corporate and personal data and records by the millions.
And while high-tech trickery and sophisticated technical exploits are certainly employed by some, Verizon’s report suggests that most thieves rely on basic human frailties to do their dirty work. In particular, 63 percent of the successful data breaches studied involved weak, default or stolen passwords, and nearly one-third of the so-called phishing emails (see below) were actually opened by unwitting recipients. The message is clear: Your digital world is more vulnerable than you ever thought. Encouragingly, however, protecting yourself is way easier than you might imagine.
Phishing: A foolproof plan for crooks
There are any number of ways that a motivated thief might attempt to get access to your data, and any number of ways that it can be used — credit scams, identity theft, tax fraud, straight-up pilfering of bank accounts and on and on. But as Verizon’s report shows, the tried-and-true method remains the phishing attack.
While there are a few species, a phishing attack is at its most basic an attempt by a thief to procure sensitive personal info, such as user names and passwords, by masquerading as a friendly or trusted source, or what the pros call social engineering.
Typically an attack would come in the form of an email that seems to be coming from a business or person that is familiar — your bank, Facebook, your email provider. The email may say that you need to update your password, or that your account has been broken into and needs to be updated or some other urgent-seeming and perfectly plausible scenario, and also includes a link you should click to address the issue.
That’s where the trouble comes in. That link will take you to an identical-looking but fake website, where you will input your username and password and, presto, the thief now has instant access to whatever account you gave up, be it your checking account or your Gmail address. Less commonly, the link could instead cause your device to attempt to download and install some form of malware, which can also wreak havoc — it could steal data from your computer, record your keystrokes or be used for denial of service attacks, to name just a few.
The surest anti-phishing protection is also one of the rarest assets around: common sense.
Verizon’s report makes it clear that these attacks have become very sophisticated and consequently very successful. In a test designed to analyze their efficiency, Verizon found that about one-third of recipients actually open phishing emails, and some 12 percent actually click on the links contained in their messages — on average the whole process took under two minutes. (By way of comparison, direct or junk mail is considered wildly successful and it nets just a 4.4 percent hit rate.) Fortunately ,phishing attacks like these are easy to thwart, if you know what to look for; click here for a quick primer on how to spot and avoid them.
How to tell if you’ve been phished
Unlike sprawling corporate enterprises, you likely don’t have a dedicated IT department working 24/7 to keep your tech humming along and addressing any security snags. (If perchance you do: Kudos!) This means it’s up to you to keep a watchful eye over your digital domain. As Verizon’s report highlights, this is often easier said than done. While more than 90 percent of data breaches are accomplished in less than a few minutes, most go undetected for several weeks or even months.
For individuals, there are a few telltale signs to keep an eye out for that might signal you may have been phished and need to take action.
Keep an eye on your monthly transactions on all your accounts, and, if your lifestyle allows it, consider setting low transaction limits. If you see something amiss, say something to your banking institution, quickly. Credit freezes aren’t foolproof, but are another line of defense worth considering.
Likewise, thieves aren’t just going after your banking passwords, and have realized they can leverage social network messaging to lure other potential victims. As such, keep an eye out for posts in your timeline or direct messages that you didn’t create.
Note that while the above may signal you have been phished, depending on your logins it may simply indicate that your email account has been compromised, which is typically far less dire.
Hook removal: How to fix the damage
Should you discover that you’ve been the victim of subterfuge, in reality it’s going to be a pain — but you aren’t helpless. The first step is to run an anti-virus sweep on your computer to make sure you aren’t using an infected machine.
Once you’re sure you’re clean, then go to any and all of the sites and services you use, especially financial and social ones, as well as email, and change the password to a new, secure one. (Click here for tips on how to create truly secure passwords.) This will hopefully limit the damage the offending phisher may be able to cause.
Reach out to your financial accounts to give them a head’s up to look for funny transactions and establish notifications via phone or text if possible.
Finally, go to all your subscription services, such as iTunes, Google Play, Netflix, etc., and perform device lockouts, then establish a new password. That will deauthorize anyone from using your accounts to make purchases, and force them to log in again to gain access.
It should go without saying (but I’ll say it anyway) that for basic security it’s crucial to keep your devices’ software updated, which means known security holes are plugged, and of course to run anti-virus software. Beyond that, though, the surest anti-phishing protection is also one of the rarest assets around: common sense. No matter who an email comes from, never click on a link in an email — instead cut and paste it into a web browser and read the address. If it smells phishy, it probably is.