Statistics show that more than 70% of internet users employ the same password across some, most or all of their online accounts. Unfortunately, this means that when a cybercriminal can steal a user’s password for one account, he or she can often gain access to a range of the user’s accounts. Along with them, the user’s personal and financial details, as well as his or her actual money and assets, could be compromised.
Of course, the stakes can get even higher when a hacker gains access to a business’s passwords and online accounts or, perhaps even worse, to the business’s internal computer network. To help businesses and their employees recognize and avoid falling victim to hacking attempts, here are four of the top ways today’s cybercriminals attempt to steal users’ passwords along with how to avoid them:
- Phishing: This common tactic, which statistics indicate is used to initiate more than half of all cybercrimes, relies on trickery to get users’ passwords. A phishing attempt typically begins with an email that mimics a legitimate request from a business or institution, often asking that some sort of action be taken to resolve an issue affecting the recipient’s account. Phishing emails frequently use fraudulent links to lead users to a fake website, often disguised to look like the real thing, where cybercriminals attempt to garner personal or financial information. Another variant attempts to get recipients to download malware that can spy in or disable the user’s device.
How to avoid it: The leading way for users to avoid falling victim to phishing attacks is to employ high levels of caution, constantly keeping an eye out for the red flags that often accompany phishing emails. These can include misspelled words, grammatical errors, “too good to be true” deals and offers, extreme levels of urgency, unexpected attachments, unfamiliar senders, and hyperlinks that seem to go to one place but lead to another. (To recognize fake links, users can hover their cursor over them before clicking. If the destination address displayed by the user’s browser is different from the address shown in the link text, it is likely fake.) Also, when an email suggests visiting a website to resolve an issue, users should instead directly type the businesses or institution’s web address into their browser. Users can also verify the legitimacy of an emailed request by contacting the business or institution directly via a phone number or email address listed on its official website.
- Credential stuffing: This tactic, also known as list cleaning or breach replay, sees hackers use stolen usernames and passwords across multiple websites to see if they can find a match and gain access to an account. The credentials the cybercriminals employ for this tactic typically come from data breaches, often from websites with insufficient security measures in place to protect this sensitive information. To speed up the credential-stuffing process, hackers will often use automation tools that allow them to test the stolen usernames and passwords across a broad range of websites very quickly.
How to avoid it: To avoid becoming a victim of credential stuffing, users should refrain from using the same usernames and passwords across multiple accounts. While using varied username/password combinations will not prevent these credentials from being stolen from a website with poor security measures in place, it can keep hackers from being able to access additional accounts using the stolen information. For users who have trouble remembering a long list of different usernames and passwords, employing a password manager can be a big help.
- Password spraying: When employing this hacking tactic, cybercriminals will start with a list of usernames. They will then pair each of these usernames with an array of commonly utilized passwords across a range of websites, checking to see if any of the combinations result in account access being granted. Because most websites will recognize and eventually block repeated unsuccessful access attempts from the same IP address, hackers will often find a way to use multiple (often fraudulent) IP addresses to test more password options. Many cybercriminals will also use automation tools to test a long list of username/password combinations faster.
How to avoid it: The best way for users to avoid falling victim to password spraying is to use unique, hard-to-guess passwords for their accounts. (And of course, users should avoid using any of the most commonly utilized passwords.) This FTC blog article offers helpful advice on creating stronger passwords that are hard for hackers to crack.
- Keylogging: This tactic is a bit more sophisticated than the password-stealing methods outlined above. This is because, to use it, hackers must first gain access to a user’s device, typically via keylogging malware. Once installed on a user’s device (often via the unsuspecting download of a malicious attachment delivered using a phishing email), this spying software allows hackers to monitor a user’s keystrokes. Using this information, a hacker can uncover the usernames/passwords a user types in to access his or her online accounts.
How to avoid it: The best way for a user to avoid a keylogging attack is to install a strong security solution on his or her device that can detect the presence of malicious software. A
Seeking professional-grade cybersecurity services like a managed firewall, advance threat protection, and hosted antivirus & spyware for your business? Visit ftc.net/business to explore all of FTC’s cybersecurity offerings as well as other business-critical services such as Internet, Wireless, Voice and Security. And when you need local, expert IT assistance for your business, help is nearby and easy to reach without the expense of a full-time IT staff. Visit FTC IT Solutions for professional IT help in a tech-related areas, including Managed IT, Cybersecurity, Hosted Services, Point-of-Sale and Hardware Sales.
