A: Phishing scams, password hacking and social engineering are most commonly used to gain illegal access to your personal information.
Phishing scams are attempts to steal your identity. Usually, the scammer uses fraudulent e-mail messages, appearing to come from legitimate businesses (e.g., eBay, PayPal or Best Buy), that may fool you into divulging account numbers, passwords, credit card numbers and Social Security numbers.
For example, in 2003, many eBay Inc. customers received e-mail notifications that their accounts had been compromised and were being restricted. The message included a hyperlink to an “eBay web page” where customers could re-register. Customers were told to provide credit card data, ATM personal identification numbers, Social Security numbers, dates of birth and their mothers’ maiden names. However, eBay hadn’t sent the original e-mail, and the web page didn’t belong to eBay.
One password-hacking technique involves repeatedly guessing a password based on knowledge of certain limited data sets about you. In 2016, Facebook CEO Mark Zuckerberg had a number of his accounts hacked. Because he’d used the same overly simple password (“dadada,” referring to his new child) for multiple accounts, the hackers accessed many accounts with one correct guess.
Another technique employs software that repeatedly churns out various word/number combinations in an attempt to crack your password. To address this, many sites now limit the number of password attempts that can be made. Failure to gain access after a few attempts locks you—and any other unauthorized persons—out of your account.
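The attempt limit described above is easy to show in code. The following is an added example, not code from the original article: a small, self-contained login check that hashes the stored password, compares it in constant time, and locks the account for a fixed window once a chosen number of wrong guesses has been seen. The account store, the limits (five attempts, fifteen minutes) and the test users are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed policy values (assumption, not from the article).
MAX_ATTEMPTS = 5            # wrong guesses allowed before the lockout kicks in
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked
PBKDF2_ROUNDS = 100_000     # slows down offline guessing of a stolen hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest); a fresh random salt is made if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """In-memory account store with a failed-attempt counter per account."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock          # injectable so a test can move time forward
        self.accounts: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = {
            "salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0,
        }

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password)
            return "denied"
        if now < acct["locked_until"]:
            # Even the right password is refused while the lockout is active.
            return "locked"
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
            return "locked"
        return "denied"


class FakeClock:
    """Controllable clock so the lockout window can be tested without waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> list:
    """Walk through a guessing run against a constructed account and return the outcomes."""
    clock = FakeClock()
    store = AccountStore(clock=clock)
    store.register("alice", "correct horse battery staple")   # constructed user
    results = [store.login("alice", f"guess{i}") for i in range(MAX_ATTEMPTS)]
    results.append(store.login("alice", "correct horse battery staple"))  # right password, but locked
    clock.now += LOCKOUT_SECONDS + 1
    results.append(store.login("alice", "correct horse battery staple"))  # window expired
    return results


if __name__ == "__main__":
    print(demo())
```

The clock is passed in rather than read directly so the lockout window can be exercised in a test; in a real service the counter and lock time would live in the database rather than in memory, and the response for an unknown user deliberately costs as much as a real check.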
Social engineering involves using the phone or impersonation to manipulate individuals into performing actions or divulging confidential information. For example, a hacker may use an office building’s lobby phone to get passwords by claiming to be performing a backup or security scan of an employee’s computer. The employee, seeing the familiar number, is fooled by the criminal’s false identity and gives the criminal access to the company’s network.
Or, you may receive a call, purportedly from “your bank.” By verifying your name, date of birth and Social Security number to the caller, you’ve already provided most of the information a criminal needs to harm your identity.
Q: How can I protect myself from these hacking methods?
A: To avoid a phishing scam, remember that legitimate businesses will NEVER ask you to send personal information via e-mail. If verification is needed, a link will send you to the business’s website, and you will be asked to answer a series of questions to verify your identity. Before clicking on a website link, however, review the URL carefully. If you question its legitimacy, call the company!
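“Review the URL carefully” can be made concrete. The following is an added example, not code from the original article, of the checks a person (or a mail filter) can run on a link before trusting it: it parses the link, confirms the host really sits under the business’s domain rather than merely containing its name, and flags raw IP addresses, credentials hidden before an “@”, and plain http. The sample links use the reserved `.test` domain and documentation IP range and are constructed; the expected domain is assumed to be two labels long (e.g. `ebay.com`), which is enough for the cases here but not a full public-suffix check.

```python
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. 'signin.ebay.com' -> 'ebay.com'.
    Assumption: two-label registrable domains; country-code suffixes would need a suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_check(url: str, expected_domain: str) -> str:
    """Return 'ok' if the link plausibly belongs to expected_domain, else a 'suspicious: ...' reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "suspicious: not a web link"
    if parts.username is not None:
        # Everything before '@' is a username, not the site: 'www.ebay.com@evil' goes to 'evil'.
        return "suspicious: text before '@' is not the host"
    host = parts.hostname or ""
    if not host:
        return "suspicious: no host name"
    try:
        ipaddress.ip_address(host)
        return "suspicious: raw IP address instead of a company name"
    except ValueError:
        pass
    if registrable_domain(host) != expected_domain.lower():
        return f"suspicious: host '{host}' is not under {expected_domain}"
    if parts.scheme != "https":
        return "suspicious: not https"
    return "ok"


# Constructed sample links for the demonstration (not real messages).
SAMPLE_LINKS = [
    "https://www.ebay.com/signin",
    "https://ebay.com.account-verify.test/login",   # company name inside a stranger's domain
    "http://www.ebay.com@203.0.113.5/",             # real-looking name before '@', real host is the IP
    "https://203.0.113.5/ebay",
    "http://www.ebay.com/",
]


def review_links(links=SAMPLE_LINKS, expected_domain="ebay.com") -> dict:
    """Map each link to its verdict."""
    return {link: link_check(link, expected_domain) for link in links}


if __name__ == "__main__":
    for link, verdict in review_links().items():
        print(f"{verdict:55s} {link}")
```

Only the first sample passes; each of the others fails for a different reason. The decisive test is the registrable-domain comparison: a host that merely starts with the company’s name, like the “eBay web page” in the 2003 example above, does not pass it.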
Protect yourself from password hacking by choosing a password that is eight characters or longer and uses a variety of letters, symbols and numbers. Use a different password for every website you use, and avoid building it from personal information.
Protect against social engineering techniques by using caution when asked for personal information. A legitimate vendor will usually verify your information and ask you to answer security questions you’ve pre-chosen (e.g., mother’s maiden name). Also, you will rarely be asked to provide identifying information unless you placed the call, and rarely more than the last four digits of your Social Security number. If you received the call and are suspicious, ask for a number at which to call the vendor back, and verify that number first. You might also independently confirm that the number belongs to the vendor by checking its website.
Q: What is the latest hacking technique?
A: “Ransomware,” the newest technique, involves encrypting the data on the victim’s computer so that the victim cannot access the data without paying a fee or “ransom.” If you boot up your computer and see a large image demanding that you pay $300 to an unknown party in the next 48 hours or risk losing all the data on your computer, you’ve become a ransomware victim. This likely happened because you opened an untrustworthy attachment or clicked on a bogus link contained in a phishing email, which allowed the malware to download onto your PC.
Ransomware has been extremely successful because it is nearly impossible for individuals to retrieve their data without paying, and because hackers actually send the key to unlock data when individuals pay the ransom. Therefore, anxious individuals and organizations have been willing to pay these fees.
The solution? Back up your data often, and disconnect the backup drive from your computer when the backup is done to prevent it from also being infected. If your computer becomes compromised, it is best to wipe it entirely and reload your data from your backup. Or, if your antivirus vendor has a fix for your specific type of ransomware, you can clean your computer. If neither option is possible, you must decide what your data is worth. The FBI has advised consumers not to encourage this behavior by paying the ransom, but large numbers of individuals and organizations (including hospitals and local police departments) are choosing to pay. Use the tools suggested above and you may never have to face such a decision.
Contents of this article provided by the Ohio State Bar Association. It was prepared by Milton Sutton, an attorney in the Columbus office of Frost Brown Todd LLC. Articles appearing in this column are intended to provide broad, general information about the law. It is not intended as legal advice. Before applying this information to a specific legal problem, readers are urged to seek advice from an attorney.