In its Digital Defense Report for 2022, Microsoft highlighted the need for everyone to take proactive measures to hedge against cybercriminals in 2023. This comes against the backdrop of a steadily increasing volume of password attacks by cybercriminals: in 2022 alone, there were about 1,000 password attacks per second.
This trend, the report noted, is projected to continue and grow worse in 2023. According to Carey van Vlaanderen, CEO of ESET South Africa, ransomware and spoof emails dominated 2022 and are destined to continue being a top concern for individuals, organizations, and cybersecurity teams in 2023. Emails sent by hackers that convincingly appear to be from someone within an organization create real and significant damage. These kinds of fraud frequently use fear tactics or an appearance of urgency to persuade the victim to comply with the attacker’s demands. Emails asking for speedy payment should be handled carefully since they can be faked to look like valid invoices but include malicious financial information, advises van Vlaanderen.
In the report, Microsoft highlighted the following measures, from the standpoint of risk mitigation, that are essential to give consideration to and focus on:
- Using a trustworthy cloud service provider is a crucial first step.
- Optimizing and configuring systems according to best practices
- Using the best cybersecurity software available
- Multi-factor authentication (which should be standard)
- The use of encryption (which should be employed wherever possible)
- Strict password guidelines
- Changing your passwords from time to time
- Avoid using public Wi-Fi if you have to type in your password or access your account
Other measures to protect your password and your account from hackers and cybercriminals include:
- Refrain from using the same login information for many accounts and from making other typical password errors.
- Use only HTTPS sites when logging in.
- Never open attachments or links in unsolicited emails.
- Use only official app stores to download apps.
- Ensure that all programs and operating systems are running the most recent version.
- Watch out for shoulder surfers in public areas.
- Utilize a password manager to store reliable, distinct passwords for each website and account, making logins quick and secure.
- If a provider alerts you that there may have been a breach of your data, change your password right away.
How hackers and cybercriminals steal your information and password: through phishing, man-in-the-middle attacks, brute force attacks, dictionary attacks, credential stuffing and keyloggers
Phishing: Phishing is when a hacker impersonating a trusted entity sends you a phony email in the hope that you will voluntarily divulge your personal information. In some cases the email takes you to a phony password-reset page; in others it downloads malicious software onto your device. A few forms of phishing:
- Normal phishing. You receive an email asking you to reset your password, apparently from goodwebsite.com, but you didn’t read it carefully and the sender was actually a domain that merely resembles goodwebsite.com. When you reset your password there, the hacker takes your login information.
- Spear phishing. A hacker targets you specifically with an email that appears to be from a friend, coworker, or associate. It carries a brief, generic message such as “Check out the invoice I attached and let me know if it makes sense” in the hope that you will open the malicious attachment.
- Vishing and smishing. You get a call from a hacker (voice phishing, also known as vishing) or receive a text message (SMS phishing, also known as smishing) informing you that your account has been frozen or that fraud has been detected. You enter your account information, and the hacker takes it.
- Whaling. An email that claims to be from a senior member of your firm is sent to you or your organization. You hand private information to a hacker because you didn’t exercise due diligence to verify the email’s authenticity.
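The “normal phishing” case above turns on a sender domain that merely resembles the real one. The following check, added here as an illustration and not taken from the article, folds common character substitutions (digits for letters, “rn” for “m”) and flags one-typo-away or name-embedding domains; the trusted domain, the substitution table and the thresholds are assumptions for the example.

```python
import unicodedata

# Substitutions phishers commonly use so a domain "looks like" the real one
# (assumed table for this example; extend it for your own environment).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Fold a domain so that lookalikes collapse onto the original spelling."""
    d = unicodedata.normalize("NFKD", domain.lower().strip())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the sender's domain.

    Assumes every subdomain of the trusted domain is under the owner's control.
    """
    dom = address.rsplit("@", 1)[-1].lower()
    if dom == trusted or dom.endswith("." + trusted):
        return "trusted"
    if normalize(dom) == normalize(trusted):
        return "lookalike"  # e.g. a digit zero in place of the letter o
    base_dom, base_trusted = dom.rsplit(".", 1)[0], trusted.rsplit(".", 1)[0]
    if edit_distance(base_dom, base_trusted) <= 1:
        return "lookalike"  # one typo away: dropped, doubled or swapped letter
    if base_trusted in dom:
        return "lookalike"  # trusted name embedded in a different domain
    return "unrelated"
```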
Dictionary Attack: Dictionary attacks, a type of brute force attack, rely on our propensity to choose “simple” words as passwords; hackers have compiled the most popular of these into “cracking dictionaries.” More targeted dictionary attacks use terms that are significant to you personally, such as your birthplace, a child’s name, or the name of a pet.
Credential Stuffing: If you have ever been caught up in a breach, you should assume that your previous passwords were exposed and posted on a dubious website. Accounts whose passwords were never updated after a breach are vulnerable to credential stuffing: hackers test combinations of the victim’s old usernames and passwords against other services in the hope that they were never changed.
Keyloggers: Keyloggers are malicious software that records each keystroke and sends the information to a hacker. Typically, a user downloads a program believing it is safe, only for it to secretly install a keylogger.
Man-in-the-middle (MitM): Man-in-the-middle (MitM) attacks occur when a hacker or compromised system sits between two uncompromised individuals or systems and reads the data passing between them, including passwords. If Alice and Bob are exchanging notes in class and Jeremy has to pass those notes along, Jeremy can act as the man in the middle. In a similar vein, Equifax pulled its apps from the Google Play and App Stores in 2017 because they were sending critical data over insecure connections, making it possible for hackers to steal user data.
Brute Force: If a password is like a key that opens a door, a brute force attack is like a battering ram. When a hacker can try 2.18 trillion password/username combinations in 22 seconds, your account is at risk if your password is weak.
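Brute force, dictionary and credential stuffing attacks leave different traces in an authentication log: one source hammering a single account versus one source trying many accounts once each. The detection below is an added example (not from the article or from Microsoft’s report) that runs over constructed sshd-style sample lines; the log format, the threshold and the classification rules are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed one-line log format for the example: "<ts> auth: FAIL|OK user=<u> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def build_sample_log() -> list[str]:
    """Constructed sample lines (not real logs) covering three scenarios."""
    lines = []
    # 1) one source guessing many passwords for one account: brute force / dictionary
    for i in range(25):
        lines.append(f"2023-01-10T09:00:{i:02d} auth: FAIL user=alice src=198.51.100.7")
    # 2) one source trying many different accounts once each: credential stuffing
    for i in range(12):
        lines.append(f"2023-01-10T09:05:{i:02d} auth: FAIL user=user{i} src=203.0.113.9")
    lines.append("2023-01-10T09:05:12 auth: OK user=user5 src=203.0.113.9")  # reused password hit
    # 3) a legitimate user mistyping once, then logging in
    lines.append("2023-01-10T09:10:00 auth: FAIL user=bob src=192.0.2.4")
    lines.append("2023-01-10T09:10:05 auth: OK user=bob src=192.0.2.4")
    return lines


def analyze(lines: list[str], min_failures: int = 10) -> dict:
    """Group failures per source and label the pattern; report accounts that then succeeded."""
    fails = defaultdict(list)      # src -> usernames that failed (with repeats)
    successes = defaultdict(set)   # src -> usernames that logged in from that src
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        if m["result"] == "FAIL":
            fails[m["src"]].append(m["user"])
        else:
            successes[m["src"]].add(m["user"])
    findings = {}
    for src, users in fails.items():
        total, distinct = len(users), len(set(users))
        if total < min_failures:
            continue  # ordinary typos never reach the threshold
        if distinct == 1:
            kind = "brute_force"            # many guesses, one account
        elif distinct / total >= 0.8:
            kind = "credential_stuffing"    # roughly one guess per account
        else:
            kind = "mixed"
        # a success from the same source after the burst means a reused password worked
        compromised = sorted(successes[src] & set(users))
        findings[src] = {"kind": kind, "failures": total, "accounts": distinct, "compromised": compromised}
    return findings
```

Accounts listed under `compromised` are the ones to reset first, since a password that already matched elsewhere has been confirmed by the attacker.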