For companies, data breaches—loss or theft of sensitive information—are becoming part of doing business. As of mid-June, more than 700 such breaches were reported this year, affecting more than 10.5 million records, according to the Identity Theft Resource Center.
Businesses are an increasingly attractive target for hackers, who trade stolen data on the black market for identity fraud and other illegal purposes. But individuals may also be unknowingly exposing themselves to online risks such as identity theft.
One of the most common attempts to steal personal information is through phishing—deceptive communications through email, social media or other electronic means used to get a person to click on a malicious attachment or website link.
Typically, these communications appear to come from legitimate sources, like a friend or a reputable company. They’re often so cleverly executed that they deceive even the most experienced computer users.
“[Phishing] involves spoofing the identity of a person you may have a relationship with,” said Thad Dickson, a Key Peninsula resident and CEO of Xpio Health, a Gig Harbor company that provides security and compliance services to health care organizations. “A common one on the Key Peninsula is Microsoft IT help.”
That’s where a computer becomes infected with malware (a malicious program) and brings up a blue window that looks similar to that of Microsoft’s free Security Essentials antivirus. It tells the person the computer is infected with a virus and directs the user to call a fake tech-support number.
“They ask for a credit card number, put a tracking bot on your PC and charge you $300 to $500 for an ‘antivirus program,’” Dickson said.
The purpose of phishing scams varies from extracting money to stealing banking credentials or passwords.
“If you get an email from your ‘bank’ asking you to click and change the password, it’s very likely a phishing attempt,” said Shannon Smith, the state’s senior assistant attorney general and chief of the Consumer Protection Division.
Amazon.com or Costco card giveaways, UPS shipment tracking information, IRS refunds—the variations on the phishing emails are endless. Phishing can also take the form of social media links, text messages on your mobile phone and even advertising links on legitimate websites.
“If something seems too good to be true, it always is,” Dickson said. “In computer land, just like on the street corner, a fundamental psychological premise a scammer uses is the vulnerability of their mark.”
Passwords Another Top Risk
Weak and reused passwords are another way for cybercriminals to access other people’s information. Because many people reuse their login credentials for multiple accounts, a stolen password database is valuable far beyond the site it came from: cyberthieves sell it on the dark web, where other bad actors buy it and try the same email-and-password pairs against other websites and services.
One recent example is Yahoo, which disclosed last year that as many as 1 billion accounts were compromised in a 2013 breach. That’s on top of another breach affecting 500 million accounts that Yahoo disclosed just three months earlier. Those kinds of massive databases then end up in the wrong hands—a few years ago, a cybersecurity company found that one Russian gang alone had amassed more than 1.2 billion login records.
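The reuse problem described above is something a website can check for on its own side. The following is an added example (not code from the article or from any company named in it) of how a site that stores only salted password hashes can still audit its accounts against a credential dump leaked from some other site, and flag the users whose current password matches, so they can be forced to reset it. The dump, the user records and the PBKDF2 round count are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample: an email/password dump as it might be traded after a
# breach of some other site. Hypothetical users, not real data.
BREACHED_DUMP = [
    ("alice@example.com", "Summer2013!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]

PBKDF2_ROUNDS = 100_000  # assumed policy value for the example


@dataclass
class UserRecord:
    email: str
    salt: bytes
    pw_hash: bytes  # PBKDF2-HMAC-SHA256 of the password under this user's salt


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash; each user has a distinct random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(email: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(email, salt, hash_password(password, salt))


# Constructed sample of our own user table. Alice reused the password that
# leaked for her elsewhere; Bob did not; Dave does not appear in the dump.
OUR_USERS = [
    create_user("alice@example.com", "Summer2013!"),
    create_user("bob@example.com", "a-different-passphrase"),
    create_user("dave@example.com", "unrelated-secret"),
]


def accounts_reusing_breached_passwords(users, dump):
    """Return the emails of users whose current password equals the password
    leaked for that same email in another site's dump.

    We never store plaintext, and the other site's hashes (if any) are useless
    here because our salts differ, so the only honest test is to re-derive our
    own hash from the leaked plaintext, once per affected user."""
    leaked = {email.lower(): pw for email, pw in dump}
    flagged = []
    for user in users:
        candidate = leaked.get(user.email.lower())
        if candidate is None:
            continue
        if hmac.compare_digest(hash_password(candidate, user.salt), user.pw_hash):
            flagged.append(user.email)
    return flagged


# Unsalted SHA-1 digests of leaked passwords, the form breached-password
# lists are commonly distributed in; used only to reject known-bad choices.
BREACHED_PASSWORD_HASHES = {
    hashlib.sha1(pw.encode()).hexdigest() for _, pw in BREACHED_DUMP
}


def is_known_breached(password: str) -> bool:
    """Signup/change-time check: reject a password seen in any breach,
    regardless of which account it belonged to."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_PASSWORD_HASHES


if __name__ == "__main__":
    print("force reset for:", accounts_reusing_breached_passwords(OUR_USERS, BREACHED_DUMP))
    print("'hunter2' breached?", is_known_breached("hunter2"))
```

The audit runs one PBKDF2 derivation per user who appears in the dump, which is the cost of having salted hashes in the first place; the signup-time check is cheap because it compares against a set of unsalted digests of the leaked passwords themselves, not of any account.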
Dickson has mixed feelings about secure “password keepers,” but feels that the risk of reusing a password is greater than the risk of storing all passwords in a secure management system.
“Those companies are subject to being a (hacking) target but because they’re in the business of encrypting and managing passwords, the hope is that they offer a relatively high bar for stewarding the data,” he said.
If a company offers two-factor authentication—such as texting a secure code you must enter in addition to your password—it’s a good idea to enable it. This adds a layer of security since the chances are slim a hacker will have physical possession of your mobile phone.
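To make concrete what the second factor adds, here is an added example (not code from the article or from any company it names) of a login flow in which a correct password only earns the user a six-digit one-time code sent out of band; the login completes only if that exact code comes back before it expires, and each code is single use and limited to a few guesses. The phone delivery is simulated by returning the code, and the time-to-live and attempt limits are assumed policy values.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 120   # assumed policy: how long a code stays valid
MAX_CODE_ATTEMPTS = 3    # assumed policy: guesses allowed per issued code


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    phone: str
    pending_code: Optional[str] = None
    code_expires_at: float = 0.0
    code_attempts: int = 0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(username: str, password: str, phone: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), phone)


def _invalidate(account: Account) -> None:
    account.pending_code = None
    account.code_expires_at = 0.0
    account.code_attempts = 0


def start_login(account: Account, password: str, now: Optional[float] = None) -> Optional[str]:
    """First factor. On a correct password, issue a fresh single-use code and
    'send' it to the account's phone (simulated here by returning it).
    A wrong password yields nothing, so no code is ever issued for it."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_hash(password, account.salt), account.pw_hash):
        return None
    account.pending_code = f"{secrets.randbelow(10**6):06d}"
    account.code_expires_at = now + CODE_TTL_SECONDS
    account.code_attempts = 0
    return account.pending_code  # in a real system this goes to account.phone, not the caller


def finish_login(account: Account, code: str, now: Optional[float] = None) -> bool:
    """Second factor. Succeeds only for the outstanding code, before expiry,
    within the attempt budget; the code is consumed on success."""
    now = time.time() if now is None else now
    if account.pending_code is None:
        return False
    if now > account.code_expires_at:
        _invalidate(account)
        return False
    account.code_attempts += 1
    if account.code_attempts > MAX_CODE_ATTEMPTS:
        _invalidate(account)  # too many guesses: force a fresh first factor
        return False
    ok = hmac.compare_digest(code, account.pending_code)
    if ok:
        _invalidate(account)  # single use: a replayed code must fail
    return ok


if __name__ == "__main__":
    acct = make_account("alice", "correct-password", "+1-555-0100")  # constructed
    code = start_login(acct, "correct-password")
    print("code sent to phone:", code)
    print("login with code:", finish_login(acct, code))
    print("replay same code:", finish_login(acct, code))
```

The point of the separation is that someone who has only the password gets stuck at `finish_login`: the code exists only on the phone, lives for two minutes, is consumed on first success and cannot be brute-forced in three tries.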
Be vigilant in the physical world, too, Smith advises. For example, she encourages people to never give out their credit card information over the phone, even for a charitable donation, unless they initiated the call. And if you’re not clear on why someone needs your Social Security number, don’t hesitate to ask why.
“It’s always OK to ask someone how they’re safeguarding your data,” she said.