You guard the keys to your home closely, right? They have their own special spot in your bag or in your front pocket. When your keys go missing, does a slight pit of unease grow in your gut?
Our homes store many sentimental and valuable treasures within their walls. The same goes for your online accounts. Think of your login and passwords as the keys to the cozy home of your date of birth, Social Security Number, full name, and address. When you lose those keys and they fall into the hands of a criminal, the break-ins to your online home can be costly.
In a scheme called credential phishing, online scammers seek to steal the keys to your online accounts: your login and password combinations. Just like you’d protect the keys to your house, so should you guard your online account credentials closely.
What Is Credential Phishing?
Credential phishing is a type of online scam where a cybercriminal devises tricks to gain one type of valuable information: username and password combinations. Once the thief extracts this information from their targets, they can help themselves to online bank accounts, online shopping sites, online tax forms, and more. From there, they could go on a shopping spree on your dime or pilfer your personally identifiable information (PII) and steal your identity.
There are two common ways a criminal might try to steal online account credentials. The first is through a phishing attempt that asks specifically for usernames and passwords. They may impersonate a person or organization with authority, such as your boss, a bank representative, or the IRS. Phishing attempts often threaten dire consequences if you don’t reply promptly. Handle emails, texts, and social media direct messages that demand urgency with care. If it’s truly important, your bank will find another way to get in touch with you. Additionally, be aware of your notification preferences and communication channels with important organizations. For example, the IRS only contacts people by mail.
A second way credential phishers may try to steal your passwords is through fake login pages. You may get redirected to a fake login page by clicking on a risky link hidden in a phishing message or on a malicious website. An example of credential phishing and fake login pages in action happened to customers of a password storage company. Customers received phishing emails that contained a link to a “login page” that was actually a malicious subdomain that sent the details straight to scammers. [1]
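To show how a link to a "login page" can be checked before anyone types a password into it, here is an added example (not from the original article) that compares a link's real host against the exact login hosts a user already knows. The brand names, hosts and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: brand keyword -> the one login host the user really uses.
KNOWN_LOGIN_HOSTS = {
    "example-bank": "login.example-bank.com",
    "example-vault": "vault.example-vault.com",
}

def classify_login_link(url, known=KNOWN_LOGIN_HOSTS):
    """Return (verdict, reason); verdict is 'match', 'suspicious' or 'unknown'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "suspicious", "login link is not https"
    if parts.username is not None or parts.password is not None:
        # In https://login.example-bank.com@other.test/ the real host is other.test.
        return "suspicious", "text before '@' is not the host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "suspicious", "no host in link"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label may render as look-alike characters"
    if host in known.values():
        return "match", "host is exactly a known login host"
    # A brand name inside some other host is the fake-login-page pattern.
    for brand, real_host in known.items():
        if brand in host:
            return "suspicious", f"mentions '{brand}' but is not {real_host}"
    return "unknown", "host is not a known login host"

if __name__ == "__main__":
    # Constructed sample links, as they might appear in a message.
    for link in [
        "https://login.example-bank.com/signin",
        "https://login.example-bank.com.account-verify.test/signin",
        "https://login.example-bank.com@203.0.113.7/signin",
    ]:
        print(link, "->", classify_login_link(link))
```

An exact-host comparison is deliberately strict: any other subdomain that carries the brand name is flagged rather than trusted.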
The One Rule to Foil Credential Phishers
There’s one very simple rule to avoid a phisher stealing your credentials: never share your password with anyone! No matter how authoritative a phone call, text, or email sounds, neither a legitimate business, nor an IT professional, nor your boss will ever ask you for your password and username combination.
If you suspect a phishing attempt, do not reply or forward the message. Additionally, do not click on any links. Artificial intelligence content creation tools like ChatGPT can make phishing messages sound convincing, as AI tools often compose messages without typos or grammar mistakes. But if anything in the tone or content of the message strikes you as suspicious, it’s best to delete it and forget about it.
The Importance of Strong Passwords, MFA & Ultimate Secrecy
Ultimate secrecy is a great first step in keeping your credentials a mystery. Practice these other password and online account safety best practices to keep your PII safe:
Choose a strong password. When you create a new online account, the organization is likely to have minimum character count and password difficulty requirements. Remember that a strong password is a unique password. Reusing passwords means that if your credentials are stolen for one website or if one company experiences a data breach, a criminal could use your login and password on hundreds of sites to break into multiple accounts. If you have a hard time remembering all your unique passwords, a password manager can remember them for you!
Enable multifactor authentication. Multifactor authentication (MFA) is an extra layer of protection that makes it nearly impossible for a credential thief to break into your account, even if they have your password and username. MFA requires that you prove your identity in multiple ways, often through a one-time code sent to your phone or email address, or a face or fingerprint scan.
Be on the lookout. If you notice any suspicious activity on any of your online accounts, change your password immediately.
Add Another Key to Your Online Protection
To add extra security to your online comings and goings, consider investing in McAfee+, which includes McAfee Scam Protection. McAfee Scam Protection is an AI-powered tool that blocks risky links in your emails, texts, and on social media. This is helpful just in case you accidentally click on a link that would’ve brought you to a fake login page or to another risky site. The more you use Scam Protection, the smarter it gets! And should your credentials and PII ever fall into the wrong hands, McAfee+ has credit and identity monitoring tools that can alert you to suspicious activity.
Consider McAfee as the home security system for your online life. When you log off and lock up, you can relax knowing that McAfee will alert you to breaking-and-entering attempts.
[1] Cybernews, “LastPass employees and customers targeted in ‘pervasive’ phishing campaign”
The post What Is Credential Phishing? appeared first on McAfee Blog.