Assume we are targets for hackers, as we have access to loads of (customer) data. With CRM access, it’s easier for them to target people with social engineering.
A known form of this fraud is CEO fraud: https://www.knowbe4.com/ceo-fraud
Using the same password
Make sure you use unique passwords for each website. Let’s say you’re a designer and you use Adobe and Canva. Who cares if someone gets access to my Facebook posts, right? Both the Adobe and Canva databases have been leaked (in 2013 and 2019 respectively; source). Hackers buy these databases on the dark web and combine them. It’s easy to look up in the leaked Adobe and Canva databases ‘which users are in both databases AND use the same password?’ The next easy step is to try to log in to Gmail with the same username and password.
If you use the same password on Gmail and Canva, the hacker now has access to your Gmail. From Gmail, they can easily reset your password for LinkedIn and Facebook and gain access to all your social media accounts. Scary, right?
In this article, I’ll explain how to protect yourself (as much as possible).
See if your email is in stolen databases
There are also ‘good guy’ hackers who buy these lists, and you can search them yourself to see whether your email address shows up in the leaked databases.
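The same kind of service also lets you check a password against the leaked corpus without ever sending the password itself. The following is an added example, not code from the article, showing the mechanism (k-anonymity, as used by Have I Been Pwned’s Pwned Passwords range API; that the article means this service is my assumption): the client hashes the password with SHA-1, sends only the first 5 hex characters of the hash, receives every known hash suffix with that prefix, and compares locally. The corpus and counts below are constructed so the example runs offline; only the protocol shape is the real one.

```python
"""Added example, not from the article: how a k-anonymity breach lookup works.

The client hashes the password with SHA-1, sends only the first 5 hex
characters of the hash to GET /range/<prefix>, gets back every known hash
suffix with that prefix as 'SUFFIX:COUNT' lines, and compares locally.
The corpus below is a constructed in-memory stand-in so this runs offline.
"""
import hashlib

# Constructed stand-in for the leaked corpus: weak strings that genuinely are
# common in breaches, with made-up counts.
_LEAKED = {
    "password": 9_000_000,
    "123456": 23_000_000,
    "qwerty": 3_900_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the encoding the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_api(prefix: str) -> str:
    """Stand-in for the server side of GET /range/<prefix>: every corpus hash
    whose first 5 hex characters equal the prefix, as 'SUFFIX:COUNT' lines."""
    lines = []
    for pw, count in _LEAKED.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def query_sent(password: str) -> str:
    """The only thing that leaves the client: a 5-hex-char prefix (20 bits),
    which on its own does not identify the password."""
    return sha1_hex(password)[:5]


def breach_count(password: str, range_api=fake_range_api) -> int:
    """How many times the password appears in the corpus (0 = not found).
    The full hash never leaves this function; the suffix match happens here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_api(prefix).splitlines():
        got_suffix, _, count = line.partition(":")
        if got_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "f3cU#V#hdaoOv7N1qV!5"):
        print(candidate, "->", breach_count(candidate), "hits; sent:",
              query_sent(candidate))
```

To use this against the real service you would replace `fake_range_api` with an HTTP GET of the prefix; the comparison logic stays on your machine, which is the whole point of the design.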
Use unique & strong passwords
You can solve MOST problems by having a unique password for each tool. Hackers are getting smarter as well, so adding the name of the website you’re logging in to does not make a password unique: ‘loginFACEBOOK1’ doesn’t cut it.
Here is an example of a strong password: f3cU#V#hdaoOv7N1qV!5
‘How will I remember?’ You don’t. Save your passwords in a password manager like LastPass or 1Password.
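The two problems this section describes (one password on several sites, and ‘site name bolted onto a base password’ variations) are easy to audit in an export from your own password manager. The following is an added example, not from the article or from any password manager vendor: the vault rows are constructed, the column layout is an assumption (real exports differ per tool), and replacement passwords are generated with Python’s `secrets` module.

```python
"""Added example, not from the article: audit a (constructed) vault export for
password reuse and site-name-derived passwords, and generate replacements."""
import math
import re
import secrets
import string
from collections import defaultdict

# Constructed sample export: (site, username, password). Real exports differ.
VAULT = [
    ("adobe.com",    "anna@example.com", "Summer2019!"),
    ("canva.com",    "anna@example.com", "Summer2019!"),
    ("gmail.com",    "anna@example.com", "Summer2019!"),
    ("facebook.com", "anna@example.com", "loginFACEBOOK1"),
    ("linkedin.com", "anna@example.com", "loginLINKEDIN1"),
    ("bank.example", "anna",             "f3cU#V#hdaoOv7N1qV!5"),
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def reused_passwords(vault):
    """Each password used on more than one site, with the sites it unlocks."""
    by_pw = defaultdict(list)
    for site, _user, pw in vault:
        by_pw[pw].append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def _site_name(site: str) -> str:
    return site.split(".")[0]          # 'facebook' from 'facebook.com'


def site_derived(vault):
    """Sites whose password contains the site's own name (e.g. loginFACEBOOK1):
    one leaked password reveals the pattern for every other site."""
    return [site for site, _user, pw in vault
            if len(_site_name(site)) >= 4 and _site_name(site).lower() in pw.lower()]


def shared_templates(vault):
    """Group site-derived passwords by what is left after removing the site
    name: 'loginFACEBOOK1' and 'loginLINKEDIN1' both reduce to 'login1'."""
    groups = defaultdict(list)
    for site, _user, pw in vault:
        name = _site_name(site)
        if len(name) < 4:
            continue
        base = re.sub(re.escape(name), "", pw, flags=re.IGNORECASE)
        if base != pw:
            groups[base].append(site)
    return {base: sites for base, sites in groups.items() if len(sites) > 1}


def generate_password(length: int = 20) -> str:
    """Cryptographically random replacement; `secrets`, not `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("reused:", reused_passwords(VAULT))
    print("site-derived:", site_derived(VAULT))
    print("shared templates:", shared_templates(VAULT))
    print("replacement:", generate_password(), f"({entropy_bits(20):.0f} bits)")
```

A 20-character password drawn uniformly from 94 printable characters carries about 131 bits of entropy, which is why a manager-generated password like the one shown above is out of reach of guessing even when the hash leaks.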
Your email account is access to everything else
If someone gets access to your email, they can simply use ‘forgot password’ to gain access to any of your other accounts. Your email is the most important asset to protect.
Secure your backup email address as tightly as your primary email
For your work email, you have to provide a recovery email address. If that is a Gmail or Hotmail account with a weak (or reused) password, it is still a way in. Lock down your personal / private accounts as well: if a hacker can get into your secondary account, they can use ‘forgot password’ on the primary one.
Solution to stolen passwords: two-factor authentication
A way to stop hackers getting access to accounts is setting up two-factor authentication (‘2FA’ from here on). Next to a username and password, you have to give a third code/signal that changes every minute. This makes it (nearly) impossible to hack. In Dutch banking the e.dentifier is an example of this. Luckily, this is getting more popular and some tools even require this method.
Phishing is a way to steal your password
Unfortunately, phishing happens a lot.
- You get an email that looks like it comes from your bank, PayPal or the KvK (Dutch Chamber of Commerce) and you log in to a fake website
- Someone emails you pretending to be a colleague, like in CEO fraud. Always call the colleague to confirm it’s really them. If they usually don’t text on that channel, assume it’s not them.
Some of these websites are VERY convincing: hackers create beautiful websites that look 95% like the website of your bank or Gmail.
Signs of phishing
- no sender or recipient information;
- a general salutation (without your name for example);
- a spelling error in the email address (for example email@example.com);
- an e-mail address that has nothing to do with the sender;
- an email asking you to click on something (a link) or asking you to download something;
- a pop-up claiming that your computer is encrypted because illegal material has been found.
If you see one of the above signals, do not click on anything and immediately report the suspicious message to your team. Don’t forward the email (because someone else might click on it); send a screenshot of the email to the person responsible for security in your organisation.
If you click on the link and log in to the fake website, the hacker has your strong password. This happens so often that we want to categorically protect against it. Assume your password is already stolen, even if it’s a strong and unique password. With a 2FA layer, a hacker still can’t log in and steal data.
Setting up 2FA
2FA is basically a way to secure yourself with a second device: if you log in on a laptop, prove it’s really you on your mobile phone. Examples of 2FA are:
- Face or fingerprint ID to log in to the second device
- Google Prompts on different devices: selecting a number, or clicking ‘Yes, it’s me’.
- Authenticator apps
- Hardware 2FA solutions
Don’t use passwords at all: Google/Apple login
For a lot of tools and apps, logging in with Google or Apple is the new standard. If you don’t have a password, it can’t be stolen either.
Make sure the Google account is properly secured. Find out how you can improve here: https://myaccount.google.com/security-checkup/2
What you can do to secure your accounts
- Secure your email accounts with a strong, unique password
- Set up 2FA for all email accounts
- Add 2FA on all financial accounts, social media accounts and accounts with data (newsletters, etc.)
- Create & save strong passwords inside LastPass