Following my three rules stops sinister ‘credential’ attack that allows criminals to ‘help themselves’ to your bank
A SINISTER type of online attack could let criminals shop on your dime.
Cyber crime experts are warning users over “credential phishing,” which is easy to avoid – but can be devastating if you don’t.
Your “credentials” are what give you access to online apps and services.
Typically – but not always – it’s the pairing of a username and password.
Crooks target these as they’re often very easy to acquire from victims and can grant quick access to all of your accounts.
“Credential phishing is a type of online scam where a cybercriminal devises tricks to gain one type of valuable information: username and password combinations,” explained McAfee’s Jasdev Dhaliwal.
“Once they eke this information from their targets, the thief is able to help themselves to online bank accounts, online shopping sites, online tax forms, and more.
“From there, they could go on a shopping spree on your dime or pilfer your personally identifiable information (PII) and steal your identity.”
How credential phishing tricks you
According to Jasdev, there are two main ways that your credentials might be phished.
The first is simply by tricking you into sending it directly to a scammer.
This would usually involve a crook pretending to be someone from a business or authority.
For instance, a crook might pretend to work at your bank, a tax authority, or a service like Netflix.
You might be targeted over email, text, or social media.
Usually, a message will threaten you with some kind of cost or account shutdown, or offer a prize or reward.
Typically you’ll either be threatened or warned of a deadline that means you have to act fast.
A second tactic involves getting you to click a fraudulent link.
This will take you to a fake login page for a service that looks highly convincing.
Once you enter your login details, they’ll be scooped up by crooks and used to break into your accounts.
Three rules to stay safe
There are four very simple rules for staying safe from credential stuffing, Jasdev explains.
The first is to simply never share your password with anyone else.
Even if the person texting, emailing, or calling you is very convincing, it’s best to just ignore the request.
It’s extremely unusual that any legitimate authority would demand your username and password over the phone out of the blue.
“If anything in the tone or content of the message strikes you as suspicious, it’s best to delete it and forget about it,” Jasdev said.
The second is choosing a strong and unique password.
By doing this, it means that even if crooks get access to one account, they won’t be able to break into your other logins through re-used passwords.
Thirdly, make sure you enable multifactor authentication.
That’s when you receive a text or authentication code that allows you to log in.
It’s an extra layer of security so that even if someone manages to get your password, they can’t log in without your code.
And fourthly, always “be on the lookout,” Jasdev said.
“If you notice any suspicious activity on any of your online accounts, change your password immediately.”
This is important: if you fall victim to credential phishing, you can act quickly and save your account before anything serious goes wrong.