Lately, news headlines have been filled with stories about victims of cyber-attacks who found their bank accounts had been completely drained by hackers. Understandably upset and angry, victims are left wondering how this happened, and what they can do to prevent it from happening again. To effectively protect yourself from these types of attacks, you first must understand how the attack works.
Step 1: Gain access to the victim’s email
The vast majority of today’s cyber-attacks involve email as a springboard for the attack. Since many people are guilty of using the same password for their email as other websites they use, all it takes is one data breach of a service you use, and attackers have your email credentials.
Once in your account, the attacker begins searching your email for social media platforms you use, your cell phone provider, and your bank. Since all these services send frequent emails, it’s pretty easy for the attacker to determine what you use.
Step 2: Gather personal information from social media
Next, the attacker needs to collect some personal details about you that might be used for security questions. Most people don’t think twice about sharing information on social media for their friends and family to see, and it’s a goldmine for attackers. Mother’s maiden name, make/model of your first car, name of your best friend, etc. – these are all very common pieces of information people post on their social media accounts.
Some privacy-concerned people take the extra steps to only make this information available to their friends and family. What happens if a hacker logs into your social media account, though? All that information is readily available to them. Since the attacker already has access to your email, all they have to do is request a password reset link. With a few quick clicks, they have full access to your social media account and all the personal information they need to continue their attack.
Step 3: Gain access to the victim’s phone number
This stage of the attack is what scares most victims since they didn’t know it was even possible. With access to your email, the information needed to answer most security questions, and knowledge of who your cell phone provider is, the attacker contacts your cell provider and asks for help. They tell the cell provider that they lost their phone and they’re trying to set up a new one, but they can’t log in to their account online. The cell provider asks a few identity verification questions and sends a verification email, all of which the attacker has access to. In just a few short minutes, the attacker now has control over your cell phone service.
There are a couple of ways the attacker proceeds from here. But typically, the attacker activates a new phone under your existing plan and phone number. After this activation process completes, all phone calls and text messages stop going to your cell phone and begin routing to the attacker’s phone. This type of attack is referred to as “SIM Swapping.”
Step 4: The final blow – drain the bank accounts
With access to your email, phone number, and personal information, the attacker contacts your bank and asks for assistance accessing online banking. The bank verifies some security questions, sends a text message verification, and sends an email verification. Depending on the bank’s questions, the attacker may struggle a little bit at this step. But, with access to all these verification methods, the attacker can usually gain access within a few minutes.
With access to your bank, the attacker sets up a transfer to another account they control. Even though some banks require an email or text message verification when setting up these types of transfers, the attacker has everything they need to get through the process.
But wait, there’s more
Depending on the attacker and how quickly the victim responds to these attacks, more damage can be done. With a little more time spent investigating your accounts and information, the attacker can activate new credit cards, access retirement accounts, and make online purchases with your frequently shopped sites. The longer it takes you to regain control and lock the attacker out, the more damage they can do.
I’m officially terrified now. How do I avoid becoming a victim of these attacks?
Bad actors are always evolving their techniques, so there is no guarantee that our recommendations will keep you completely safe. They are, however, industry best practices and incredibly effective at stopping this specific attack strategy.
1. Freeze your credit at all three credit bureaus
Unless you are frequently opening new lines of credit, keep your credit frozen at all times. This prevents threat actors from opening credit cards or taking out other loans in your name. Below are links to the credit freeze pages for all three bureaus:
2. Use unique, randomly generated passwords on every website and service you use
People often resort to reusing passwords or coming up with simple passwords because they find it too difficult to remember them all. But you don’t have to remember them. Password management services, like LastPass.com or Bitwarden.com, allow you to store all your passwords in a secure vault and easily fill your username and password into websites and apps.
If updating passwords across every website you use seems too daunting, start with your most vulnerable services: your email account, social media accounts, cell phone account, and bank accounts.
3. Enable multi-factor authentication (aka “MFA” or “2FA”) everywhere
Most people have experienced MFA without even knowing it. When you log into your online banking from a new device, you’ll typically receive a text message with a temporary code that you have to enter in addition to your password. This is MFA, albeit a weaker form of it. The general idea is that you must provide something you know (your password) along with something you have (a code from a physical device, like your phone).
One of the stronger methods of MFA to use is an authenticator app, such as Authy. An authenticator app is stronger than text-message verification because it’s not susceptible to the SIM Swap attack. Google Authenticator, Microsoft Authenticator, and Duo are also popular examples of authenticator apps.
Once again, if enabling MFA across every website you use seems too daunting, start with your most vulnerable services: your email account, social media accounts, cell phone account, and bank accounts.
4. Enable SIM/Port/Number protection on your cell phone account
Every cell phone provider has different names for this protection, but you can enable additional security on your account to prevent the unauthorized transfer of your phone number to a different SIM card, phone, or service provider. Verizon, for example, refers to this as “Number Protection.” If you aren’t sure how to do this, simply call your service provider and tell them you’d like to enable additional protections on your account to prevent SIM Swaps or unauthorized number ports.
5. Be careful what you put on social media
Now that you understand how this information can be used against you, be careful about what you post on your social media accounts. No matter what privacy settings you have set, assume that the entire world can see everything in your account, including the bad guys. Facebook may tell you that setting your mother’s maiden name will help your old friends and family find you. But it also gives hackers a significant advantage should they ever gain access to your account, or should this information be leaked in a data breach.
6. Take the time to learn and think security-first
Don’t make it easy for attackers to make you a victim. Do yourself a favor and spend one weekend learning how to use a password vault and multi-factor authentication. Implementing those two steps alone significantly reduces your risk of being hacked. Then, make security a focus any time you are setting up new accounts.