Protecting your assets against cyber crime: Three risks worth knowing
If you’ve never heard of ‘credential stuffing’ then this short article is definitely worth your time. The same goes for ‘phishing’, and ‘impersonation attacks’. While it might all sound like a foreign language to you, fear not – we break it down and explain in simple terms why these three things deserve your immediate attention.
Unfortunately, online theft is a growing risk, and the relentless nature of the people behind it makes it worthwhile keeping up to speed with their latest tricks, schemes and ploys.
Knowing and doing a few basic things can pay dividends in denying the thieves access to your hard-earned assets.
1. Credential stuffing
The term might be new to you but the sad reality is that you’ve probably either been a victim of it, or have almost been a victim of it.
Put simply, ‘credential stuffing’ is when cyber thieves illegally get their hands on large quantities of stolen username and password pairs, and use the “credentials” to try and break into thousands of websites at a time.
According to Archie Nelson, Operational Requirements Lead at XCyber – a cyber-security company which works closely with some clients at our private bank – credential stuffing is still a major risk as we head into 2022. And it boils down to it being a numbers game.
“Even if the hackers are only successful 0.1% of the time, because of the numbers involved in their targeting which runs into millions upon millions, it still provides a high potential yield,” he explains. “The real problem is if they get into your email – from there, they can intercept invoices and change payment instructions – from house purchases, to making donations, collecting rent, school fees or even buying art.”
If you’re someone who typically uses the same log-in and password combinations across multiple sites, then this is the type of fraudulent activity that could hit you hard. As a general rule, it’s worth mixing up your passwords because the variety can help minimise the threat, should your details fall into the wrong hands.
2. Phishing
As we highlighted in an earlier cyber-crime article, a ‘phishing attack’ is now considered the most common form of online fraud. It often involves a victim unwittingly clicking on a malicious email link, and the criminals tricking their victims into giving up sensitive personal data or financial information.
In Archie’s opinion, phishing is a major daily threat. “The big peril is the same as credential stuffing – with the attacker successfully tricking the target into divulging their password and therefore gaining ‘legitimate’ access into the target’s email inbox,” says Archie.
“From there, they can do any number of things – from perpetuating spam, to gathering personal information and launching identity fraud. But again, the golden egg they’re looking for is anything related to payment instructions so they can try to divert and steal your money.”
So what can you do to protect yourself? Amongst other things, it pays to be alert to the style and accuracy of any messages you receive, and to be extra cautious when urgent payment is demanded. Criminals can add a tone of urgency to hurry you into paying them before any doubts surface.
It’s also worth remembering that at Barclays, we will never:
- ask for your full password or PIN
- provide you with details to make a payment, or
- request that you grant us access to your systems or PC
3. Impersonation attacks
Last but not least is this form of cyber crime in which the fraudsters pretend to be you and leverage this to either make money or damage reputations.
“Impersonation is a big problem for high-profile people,” says Archie. “The names of major celebrities are often used in fake endorsement scams, especially cryptocurrency related schemes.
“Sadly, it’s not just famous people who need to be aware of this type of scam, it can also be used against anyone,” he adds.
In another form of the scam, criminals can also pose as someone you trust. The attacker will look to build a relationship with the victim – by posing as either a client or a larger corporation – through a seemingly honest email, or by creating a fake social networking account.
Once trust is established, attacks will soon be deployed – in the hope of tricking you into making security mistakes or giving away sensitive information.
As with all aspects of cyber security, it pays to be cautious. If you don’t trust something or someone, then re-examine the situation carefully. Never divulge personal information if you have even the slightest doubt about whom you’re sharing it with, and stay live to the very real possibility that you might be liaising with a scammer.