It’s highly likely that you or someone you know has had a personal email or social media account hijacked at some point. Once hijackers gain access, they often then send out messages to your entire contact list to gain control of their accounts too. Such attacks expose a ton of sensitive personal data. Hijackers use a variety of ways to gain access to your accounts to steal your information, your identity, or your money. The most common include third-party breaches, keylogging, and phishing.Keylogging, also called keystroke logging or keyboard capturing, refers to secretly recording the keystrokes on a keyboard. The keylogger can use the information to monitor the user's activity or steal passwords and sensitive information.Third-party breaches have been in the news frequently due to recent large data breaches from household companies that maintain large databases of many customers’ sensitive personal information. A third-party breach is a security breach that results in exposure of some or all of the company’s customer data (think Equifax).Phishing has also been in the news recently, although it’s a decades-old hacker tool. It refers to the use of spoofed emails sent to users in order to lure them into providing sensitive information. There are many versions of phishing attacks.Whether it’s keylogging, third-party breaches, phishing, or another nefarious practice, hijacking accounts has become a big enough problem that Google conducted a study to determine the biggest threat to users. The results show that, although third-party breaches compromise the largest number of accounts, users actually face the highest risk from phishing.
Google’s response
Google was able to immediately use the information it gained from this study to increase protection for its customers. According to its report, as a result of its findings, Google has protected 67 million accounts before they became compromised. Google shared its findings to assist other account-based companies in increasing protection for their users.Google uses a variety of strategies to protect accounts. It also continually updates its security tools. But as the study shows, these methods are not completely foolproof. There are, however, some steps you can take to ensure increased protection of your accounts.
Secure your password
Google suggests using its security checkup tool, turning on two-factor authentication, and using a password generator and manager. This last step is extremely important in securing your account. Google’s study results showed that 7% of exposed Gmail usernames and passwords were valid due to reuse.If you’re reusing passwords, your accounts are extremely vulnerable. Further, if one of your accounts is compromised, all of your accounts are exposed. In other words, you should never reuse a username and password. Password generators and managers make this vulnerability extremely solvable, so just don’t do it.Making your password more secure will help protect you against some type of attacks, but phishing emails can be very convincing. Depending on the type and level of sophistication, it can be impossible to differentiate a phishing email from a legitimate message. However, there are ways of protecting against even the most convincing phishing attacks.
Use email authentication protocols
Through the use of SPF, DKIM, and DMARC (open internet protocols used for securing domains against phishing), companies can protect their brands and their customers from phishing attacks. Here’s how each of the protocols works:
- SPF is a whitelist of emails authorized to send emails for a company.
- DKIM is a system for cryptographically signing emails to ensure the messages are authentic and unaltered.
- DMARC is a protocol for monitoring and controlling email sent from a domain.
Email spoofing can make a phishing email look identical to a legitimate email from an unprotected domain. It’s a company's responsibility to ensure that its domain cannot be used to phish customers. This is especially important for account-based companies that store personal sensitive data for all of its customers.
Know how to identify a phish
As a user, always check the “from” field on emails you receive. If the domain is different than the company’s actual domain (for example paypal.help rather than paypal.com), the email could be a phishing attempt. If it matches, you have to check that domain’s security to see if it’s set up to block phishing attempts. You can check whether a domain has a valid SPF record, whether it’s using DMARC, or both. If the domain has valid SPF and DKIM, and a DMARC “reject” policy, then the email is likely safe. If not, it might be a phishing attempt. Unfortunately, there’s no way to verify an email from an unsecured domain with these protocols.
Fraudmarc can help
Fraudmarc’s intuitive tools lets you manage and monitor a variety of authorized senders and DKIM selectors and provides free DMARC reports. Since Fraudmarc also uses SPF Compression℠, the number of DNS lookups needed to authenticate all of your authorized senders is minimized.