There are two really common methods of attack.
The first is social engineering. This is things like phishing attacks that trick people into giving others access they shouldn’t have. This could be clicking on things in an email that they shouldn’t, or trusting someone who phoned them to actually be who they say they are. Education and working with zero trust are great for this.
The second is stuffing attacks on people who reuse passwords. If logged into a weak website with **[email protected]** and password **P@ssw0rd**, and that website got compromised, someone could get the passwords out of it and reuse them on another site, hoping that you use the same username and password combination.
The easiest way to fight that second one is to use a password manager that will allow you use random passwords for every site. Also, where possible, exclusively use an SSO Login with a trusted SSO Provider (like Sign On With Google) instead of even creating a username/password.
Also use 2FA wherever possible, but especially on that SSO account. That means even if the password gets compromised, it can’t be reused even on the same site.
There’s a lot of them and they change over time as newer technologies show up. You as a typical user usually has to worry about:
1. Various forms of phishing/social engineering. This involves someone pretending to be someone else in order to get info from you like a password or answers to security questions. Be very careful and always verify the person you’re communicating with. Never give out a password or temporary codes sent to you as an authorized person would never ask you for these things. Be very careful about any other personal information when asked.
2. This falls under the previous category, but it deserves its own section. Be very careful about any emails you get, including ones that look official. Always verify the sending email and the URL of any links provided. It’s pretty common for spammers to send out official-looking emails with links that take you to a site that looks official. If you try to login on the fake site, they can steal your credentials.
3. Be careful about any ads, including ones that show up on trusted sites like Google. Malicious ads can show up on any trusted platform. They’re usually taken down quickly, but they do show up. This could be an ad that takes you to a site that can breach your browser’s security and infect your computer. Or it could simply be a fake site made to look real so you either try and login or download a malicious file.
4. Leaks from other sites. Sometimes they will get hacked and leak your info. Sites like Have I Been Pwned maintain lists of data leaks and you can search in there to see if you have had your information leaked. This can leave your other accounts vulnerable if you use the same email/password
There are others like spyware and ransomware. But those usually come to infect your computer through one of the above routes. Phishing especially has become an issue with AI generated content since it’s pretty easy for anyone to create fake voices/images/etc.
As far as defenses go, your best options are:
1. Always keep your OS and browser up to date. There are always security vulnerabilities and the safest thing to do is always keep your device updated. Also never use a device that is outside of the security support window. This is particularly an issue for Android phones because they generally have a much shorter support window than something like OSX or Windows. Also note that custom ROMs are not really a replacement as aside from LineageOS, they don’t patch the kernel (core of the OS). And even LineageOS isn’t perfect because they are maintained by the community and rarely pass the massive set of security/stability tests official device patches go through.
2. Be careful about any information you post publicly including social media. Some sites still use security questions and someone determined enough might be able to figure out the answer from your accounts.
3. Don’t reuse passwords. You can never be sure a particular site hasn’t been hacked and leaked your password or password hash. Even better is if you can use a password manager like 1password to generate long and complicated passwords and save them. Keep in mind that this isn’t perfect either as these services can be hacked and leak your passwords.
4. Always check the URL you’re going to and make sure it’s using HTTPS (Most browsers will show a padlock symbol). Malicious actors will sometimes use real-sounding URLs (mymicrosoft.com), URLs of popular sites with typos (raddit.com instead of reddit.com), or special characters that look a lot like the official URL.
Probably the biggest tip is that there is no single way to prevent all attacks. You can do everything right and still get hacked. It’s a game of cat and mouse, and you’re the mouse. Stay vigilant and keep your devices updated are the things you have the most control over and are the most effective.
Latest Answers