Stop Hackers With These Cybersecurity Tips
/granite-web-prod/08/60/08608032fac24a9b8365309a995bfe87.jpeg)
The internet is an important work tool these days, but it also can be a criminal's paradise. In 2020, there has been a sharp uptick in cyberattacks, hacking, phishing and other cybersecurity intrusions. With remote work here to stay, so too are the scammers and thieves who deal in 0s and 1s.
Knowing how to spot and prevent cyberattacks is an essential part of working in the 21st century. But how can you make sure your cybersecurity measures are working?
Let's take a look at 10 different types of cyberattacks:
- Password attacks
- Phishing attacks
- Ransomware attacks
- Trojan horse attacks
- Cross-site (XXS) scripting attacks
- Man-in-the-middle attacks
- Artificial intelligence (AI) attacks
- Eavesdropping attacks
- Spear phishing attacks
- Credential stuffing attacks
Then, learn how you can protect yourself.
Password Attack
/granite-web-prod/8d/6f/8d6f9149b13142c88e0477e092464030.jpeg)
A password attack is when a hacker attempts to guess your password, almost always by using an automated program.
According to The Zebra, eight in 10 security breaches are due to compromised passwords.
Note: These cybersecurity tips are from the insurance comparison company The Zebra to guard against rising cyberattacks.
What Password Attacks Do
/granite-web-prod/11/a0/11a010e9a85640ddbaab34fcceb0e39e.jpeg)
The most common type of password attack is the brute force attack. A brute force password attack is when a hacker uses a program to guess thousands upon thousands of possible passwords, one letter at a time, until one works.
Another version of the password attack is the dictionary attack, which is like the brute force attack except it cycles through common words rather than letters.
How to Protect Against Password Attacks
/granite-web-prod/3f/8f/3f8f44bed6444e55b993729eb532aec9.jpeg)
The best thing you can do is to use a secure password. There are several methods to make a secure password, but it should be difficult to guess, have upper case and lower case letters, and numbers.
Two-factor authentication (2FA) is a good way to prevent password attacks. Two-factor authentication is a two-step process that requires a second verification before the site will let you access it. This is typically done via a confirmation code sent via email or text. It can also be a biometric verification, which is when the device requires your fingerprint or voice to unlock it.
Companies are now three times more likely to hire remotely than they were before the pandemic, so it's important to protect all of your passwords while working remotely.
Phishing Attacks
/granite-web-prod/d9/2b/d92b6a61d2f34deb81547774e8e824fd.jpeg)
Phishing attacks set out to steal personal data, including passwords, social security numbers, bank account information and other sensitive data.
What Phishing Attacks Do
/granite-web-prod/61/06/6106cb08797e485a866e5128f38e10a6.jpeg)
Scammers who employ phishing attacks will attempt to trick you into giving them your personal information. These attacks are cast with a wide net, meaning they're sent to thousands of users.
Usually, a phishing attempt is an email that looks like it's from a trusted company, like PayPal or Amazon, often asking you to "update your account" or a fake notification about payment authorization of some kind.
If you click the link given it will redirect you to a shell site that looks very similar — sometimes even indistinguishable — from the real thing. But once you log in with your credentials, they'll have all the info they need.
How to Prevent Phishing Attacks
/granite-web-prod/c7/d9/c7d99e6d524841658a8d851a48f541db.jpeg)
In the United States, people lost $57 million in just one year due to phishing attacks. Heck, the "Nigerian prince" scheme still takes in $700,000 a year. Phishing is a serious problem.
To protect yourself, don't open suspicious emails. If you receive an email claiming to be from a company you use, take a good look at the email address it came from. Many scammers try to mask their fake email with an official-sounding name, but there's always something off.
Secondly, if any company tells you to log in to your account for any reason, do not click the link they provide for you. If you want to visit the company's site, do so manually, like normal.
See the FTC's website for more tips and prevention measures about phishing.
Ransomware Attacks
/granite-web-prod/7a/06/7a06f636ab5d4655b853c41387f6b0df.jpeg)
Ransomware attacks will lock up your files, data or entire device.
Scammers then demand payment for it to be released.
What Ransomware Attacks Do
/granite-web-prod/a8/ed/a8ed2aa90a574ce5a206e147974fd525.jpeg)
Typically, ransomware needs to be downloaded. This most commonly occurs via a link or attachment in an email, but software can also be downloaded from a link on a website, or a direct download anywhere on the internet.
Hackers then steal or encrypt information you need for business or sensitive information about you.
They'll hold this information ransom, and only return it to you if you pony up the cash.
How to Prevent Ransomware Attacks
/granite-web-prod/cc/09/cc090d78be0a41afa264eb4086327e9c.jpeg)
Scammers particularly like to target businesses with ransomware, because business owners will be more likely to pay the ransom rather than have their sensitive files locked up for days or deleted. For example, in 2016, a hospital in California paid $17,000 to ransomware hackers who held its computers hostage because it was the "most efficient" thing to do.
Businesses need to have a "what if" plan in place and proper security measures. But workers shouldn't solely rely on the business to protect itself. As an employee — and as someone who just doesn't want some thief stealing their personal information — there are some relatively easy ransomware prevention measures to follow:
- Use only company-approved software and devices.
- Install anti-virus software and keep it up to date.
- Back up your data.
Trojan Horse Attacks
/granite-web-prod/d5/d9/d5d919aa8af3422ea24b20b33c24f4cd.jpeg)
Trojan horses are programs that are designed to look legitimate and harmless, but they will damage or compromise your device.
What Trojan Horses Do
/granite-web-prod/c6/43/c6434d36b9954f77ae399f514188a8d4.jpeg)
They're named after the mythical Trojan Horse from Greek mythology, where the Greeks gifted a large wooden horse to the Trojans. Thinking the big statue was a commendation for winning the war, the Trojans took it behind their gates, where later that night, Greek forces exited the horse and opened the walls, letting the Greek army in to sack the city.
Trojan horse attacks are aptly named. They may create hidden backdoors — places where hackers can easily access your files —or spy on your computer activity, waiting for you to enter a password so they can steal it.
Hackers can also gain control of your device.
How to Prevent Against Trojan Horse Attacks
/granite-web-prod/ab/52/ab52cc212dc341ac9ede49374aca91b0.jpeg)
Since Trojan horses can sneak in without you knowing, run your anti-virus software at regular times, or be sure to keep background scanning on. Regular full scans are recommended, as they check more places than quick scans, which scan the most common places a virus may lurk.
Like ransomware prevention, only download programs from trusted sources. Don't download anything that isn't company-approved when using company devices. Even things that look like PDFs can be a Trojan horse.
Cross-Site Scripting (XXS) Attacks
/granite-web-prod/6b/a0/6ba06d108b46437ab2b9071d1a8129fa.jpeg)
Cross-site scripting, or XSS, is an attack made through a compromised webpage.
It is typically done with Javascript, although other code can be used to execute the attack.
What Cross-Site Scripting Attacks Do
/granite-web-prod/66/21/66217d51fb4e48cf81d35dc45c8b3571.jpeg)
XXS attacks are malicious script attacks that can occur when a person visits a website. The main purpose of XXS attacks is to steal cookies, click a malicious link in an annoying popup, or steal login information.
XSS attacks are the most common form of attacking and hijacking a website.
How to Prevent Against Cross-Site Scripting Attacks
/granite-web-prod/6b/ba/6bbafe2ffd844470b39347e4b4ed9b31.jpeg)
XXS attacks have to be prevented by web developers.
To hedge your bets against encountering one of these infected sites, don't go to any weird websites on your work computer (or even home computer).
Main-in-the-Middle Attacks
/granite-web-prod/86/da/86dab748552d4156b5eddfcc1d7f67b4.jpeg)
Main-in-the-middle attacks intercept communication between two parties and stealing sensitive data being sent.
Man-in-the-middle attackers can use a variety of means to do this.
What Man-in-the-Middle Attacks Do
/granite-web-prod/bd/16/bd164e6424d344bca6ae108d40e1b8a1.jpeg)
Have you ever seen a movie where a hacker sits in a van, hacking into a target that's nearby? This is sort of like that.
One type of MitM attack is when a hacker gains access to a Wi-Fi router, allowing them to look for vulnerabilities, capture transmitted data and use it for their own gain.
While it's possible that some routers can be hacked remotely, hackers typically have to be within the network's area to commit such an attack.
How to Prevent Man-in-the-Middle Attacks
/granite-web-prod/99/aa/99aac9dcd2a848c894580b789f956ddc.jpeg)
Man-in-the-middle attacks are more likely to happen in a public network, which is why some companies discourage their employees from working in public places and using the free Wi-Fi.
If you are using public Wi-Fi, use a VPN for an extra layer of protection. It's also important to only use websites with an S at the end of their http (https) to ensure the connection is encrypted.
At home, change the password on your router. Even new routers can come with easy-to-guess passwords that are meant to be changed, but many people don't bother.
Artificial Intelligence Attacks
/granite-web-prod/fd/34/fd34216e8974442d9654b4249d02c540.jpeg)
Artificial Intelligence (AI) attacks are also known as botnet attacks.
This is where bots attack a server over and over again to steal information.
What Artificial Intelligence Attacks Do
/granite-web-prod/e0/b6/e0b65ddfcfbe4f249a5cd4d123580f37.jpeg)
AI attacks are commonly denial-of-service (DDoS) attacks, where hundreds, thousands, or even millions of AI-scripted bots flood servers with internet traffic, knocking them offline.
These bots are powered by computers and other devices that have been, unbeknownst to the user, infected with malware programs.
These programs can run in the background, silently. The user may never be aware that their computer is spamming the target.
How to Prevent Against AI Attacks
/granite-web-prod/3c/34/3c34ee2005974ff895546191a50938ea.jpeg)
Regular virus scans and being diligent about the links you click and the software you install are the best ways to prevent your computer from being compromised. But nobody's perfect.
If you're on Windows, open up Task Manager to see if there are any suspicious programs running. However, this is not totally reliable as better malicious software can mask itself or appear invisible in your Task Manager.
If you want to see if your IP has been used in a botnet attack, Kaspersky and SonicWall instantly run your IP against a list of known bot attacks to see whether or not your computer has been used in a botnet account without needing to install any software.
Passive Eavesdropping Attack
/granite-web-prod/07/55/07556b6bfe2a4d078dd768e314147be5.jpeg)
While a man-in-the-middle attack typically requires the hacker to be within the vicinity or active during the hack, a passive eavesdropping attack can be a program within a network path that records information.
The hacker does not need to be within the network's area.
What Passive Eavesdropping Attacks Do
/granite-web-prod/7b/32/7b32ac993a064e2ea8d364ae402431b2.jpeg)
In a passive eavesdropping attack, a hacker would put a piece of software somewhere on a network path that records information.
Later, that software and all the captured data is retrieved, analyzed and stolen.
Another kind of passive eavesdropping attack is a Voice over IP (VoIP) eavesdropping attack, where the attacker infiltrates a VoIP device and listens in on a call.
How to Prevent Eavesdropping Attacks
/granite-web-prod/45/a0/45a0ad9021a24f48a78c32f0fa6c35fb.jpeg)
Passive eavesdropping attacks can be difficult to spot, but it's not impossible.
Using a VPN to encrypt data is a good idea, as it encrypts connections. If you have an IP phone, be sure to change the password to something more secure.
Be sure to keep all devices updated, including your phone and router firmware, and keep your firewall up.
Spear Phishing
/granite-web-prod/69/0a/690a60b916b249a8ac032a7317dbe5c5.jpeg)
Spear phishing is like phishing, only its personal and tailor-made for you.
It's a direct attack on an individual, hence the "spear."
They're not casting a wide net.
What Spear Phishing Attacks Do
/granite-web-prod/b7/93/b793aaa1fa1a479c9c35ff2daa5a8601.jpeg)
A spear phisher will contact you directly. This could happen by phone, text or email. They'll use certain kinds of information about you that they've taken from an account associated with your name or even information posted to social media.
Attackers can also masquerade as another person within the company requesting sensitive information or a direct deposit from company funds for a reason that sounds business-related. They can also pretend to be someone from the bank you use.
The attacker will usually try to persuade you to give them money directly, or tempt you with a reason to give them your banking account information under the guise of sending you money. They can also be trying to trick you into downloading malware so they can then perform another type of attack.
How to Prevent Spear Phishing Attacks
/granite-web-prod/57/0c/570c727afdb349679dcd21921c6680c0.jpeg)
First and foremost, spear phishing requires common sense. If someone is asking you for money, is this normal? Does the email address look right? Scammers will spoof email addresses to look similar to the email you're familiar with, but something will be off — a zero in place of an "o" or a lower-cased "L" in place of an upper-cased "i."
Verify with the person immediately using another channel —text, phone call, social media direct message, another email address — before even responding. Double-check with higher-ups about software sent to you via email.
If the person is pressing you with a "ticking clock" element ("we're going to lose this sale if you don't send me the money right now!"), that's a red flag. Scammers want to create a sense of urgency so you don't look too closely at what's really happening.
Credential Stuffing Attacks
/granite-web-prod/e4/05/e405873caa3c4e79aeb0381238d4baf1.jpeg)
Credential stuffing is a password attack that uses information about you that has been gained by data breaches on other sites.
What Credential Stuffing Attacks Do
/granite-web-prod/b6/48/b6481ef0e2f44d92a2f3567611bb8311.jpeg)
If a website you use has had a data breach, hackers may know your email and password used for that site.
They would then try the same login info on other sites where your banking or other sensitive information could be stored.
They're essentially stuffing your credentials into as many sites as possible to see which ones work.
How to Prevent Against Credential Stuffing Attacks
/granite-web-prod/76/3d/763d07fe500d4f76b88f456467ee8cbe.jpeg)
First, you'll want to know if a site you've been using has been breached.
Check HaveIBeenPwned to see if your email is associated with any breaches that have occurred. Additionally, all states have a law on the books requiring that a company notify anyone affected by a data breach. News outlets will also run stories about large data breaches.
To prevent credential stuffing attacks, don't use one password for each and every site. Instead, use several strong passwords and enable 2FA.