Phishing is the easiest way for criminals to find out your username and password; they simply ask you for it.
Many password thieves send emails pretending to be from your bank, Facebook or PayPal, among others. These messages explain that a problem exists with your account and include a request that you “verify” your username and password. Once you enter the information, you are directed to a different site while your username and password are used to break into your legitimate account.
In some cases they’ll ask for a return email message; in others they will link to a site pretending to be the sending organization. In many of the “nicer” attacks, after you submit the information you are redirected to the real site you thought you were going to, and even to the same page. From your perspective as a user, it simply looks as if you mistyped your details. When you enter them again, this time on the real site, you get the familiar experience you are used to, which removes any doubt you might otherwise have had if the attempt had ended in an error rather than success.
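The link-to-a-fake-site variant above usually leaves one visible trace: the text the victim sees in the email claims one site while the link actually goes to another. The following script is an added example (it is not from the original article) that extracts every link from an HTML email body and flags those whose visible text names a different registered domain than the link target. The sample email body is constructed for the example, `examplebank.com` and `example.net` are placeholder domains, and `registered_domain` is a deliberate simplification that takes the last two hostname labels (it does not understand multi-part public suffixes such as `co.uk`).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body of the kind described in the text.
# The first link's visible text claims the bank's site, but its href points
# to an unrelated domain that merely starts with the bank's name.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, a problem exists with your account.</p>
<p>Please <a href="http://examplebank.com.login-verify.example.net/verify">verify
your account at https://www.examplebank.com</a> within 24 hours.</p>
<p>Or visit our <a href="https://www.examplebank.com/help">help centre</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so line-wrapped link text compares cleanly.
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Matches something that looks like a URL or bare domain inside link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)


def check_links(html):
    """Return (href, reason) for links whose visible text names a different site than the target."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        for match in URL_IN_TEXT.finditer(text):
            claimed = registered_domain(match.group(1))
            if claimed != target:
                findings.append((href, f"text claims {claimed} but link goes to {target}"))
                break
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {href}\n  {reason}")
```

Run against the sample, the first link is reported because the hostname `examplebank.com.login-verify.example.net` registers under `example.net`, while the visible text claims `examplebank.com`; the second link is left alone because its text ("help centre") makes no claim about where it goes. A mail gateway or a user-side filter can apply the same comparison to every incoming message, and the check is a useful habit for a human reader too: hover over the link and compare the real destination with what the email says.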
Unfortunately, you need to approach any email you receive from a “legitimate” source with a touch of suspicion. Prevention and awareness are the first steps to protection.
Your company or ISP should preferably be using an anti-spam, anti-malware and web protection service from a reputable vendor. This will proactively prevent almost all spam scams from ever reaching your mailbox. (If your organization does not use adequate technology, although it should, awareness of standard spam scams is especially critical.)
The easiest accounts for hackers to break into are the standard email services, such as Gmail, Hotmail and Yahoo. While they may not be able to deduce your password from your publicly available information via a standard search, they may be able to figure out the answer to your security question. For example, if you are a public member of your high school alumni group, they can easily answer the question “What high school did you attend?”
Within these accounts you probably have received emails containing other usernames and passwords from your bank, PayPal, Amazon, and other commonly used sites, allowing the scammers to enjoy life on your account.
Of course, breaking into your personal email account provides them with added bonuses. Once they have broken into your email account, they can hijack your address book, sending spam, malware, key loggers and other fun email messages directly to your friends, who are more likely to open them than other spam messages because they know and trust you.
What can you do?
1) Change your password frequently, using a specific pattern you can easily remember but one that is hard to guess and contains letters, numbers and special characters.
2) If you see unusual activity within your account, such as emails you didn’t expect, or if the “last-accessed-time” doesn’t make sense to you, reset your password and look for indications that you may have been compromised.
3) Sometimes changing your password isn’t enough. There are many ways to lose (and for attackers to gain) your password, such as key logging software and other malware on your machine or on another machine you used. If the hackers have software on your machine recording your every move, they’ll keep getting your passwords regardless of how complex they are or how frequently you change them. Always and only access your accounts from machines you trust to be secure.
4) Maintain your PCs so they stay free of malware (reputable and updated anti-virus, anti-spam and URL filtering, to make sure the sites you visit are well maintained).
5) Use password management software (there are many free ones). Install it on a removable medium you can plug in only when needed, such as a USB flash drive (disk-on-key). Every time you get a new name or password from a commonly used site, print out the email and delete it from your email system. Don’t save that email on your computer directly, because you never know whether the email account might be hacked.
6) Be aware that these scams are out there and are increasing in both number and cleverness. Although you may think your email isn’t very interesting, it is often the first step in causing a lot of pain, such as full identity theft.