You log into your banking site and immediately notice something’s wrong, horribly wrong.
Somehow, your account has been compromised and money is missing. At the risk of fearmongering, this isn’t as uncommon as you might think.
Like many Americans, you might have become a victim of bank fraud. And it’s usually tied to a password that has been stolen or guessed, or that you were tricked into sharing with cybercriminals.
“Unfortunately, most people use the same credentials for their online bank accounts as they do for social media and online shopping sites,” says Georgia Weidman, author of the book Penetration Testing: A Hands-On Introduction to Hacking. “If one of those vendors is compromised and attackers gain access to the stored credentials, they may be able to reuse them on the online banking site.”
Skepticism is your friend
“Another common attack is phishing, or basically asking the user to attack themselves,” says Weidman, who also founded Bulb Security.
The cybersecurity company is devoted to device vulnerability assessment, training and penetration testing — essentially ethical hackers for hire.
“An attacker might send you an email or text message pretending to be your bank and asking that you validate a recent purchase,” she says. “When you click on the link in the text message, it takes you to what looks exactly like your online bank account, except it is actually a clone controlled by the attacker.”
You might think you’re at capitalone.com, for example, but if you look closely, it’s captial0ne.com.
Some scammers will even call you — yes, by telephone — and pretend they’re from Microsoft, the IRS, your bank, and so on to try to persuade you to give out your personal information to (ironically) protect you.
Don’t fall for it.
“Besides, your bank or other financial institution won’t ask you to confirm these credentials in an email or by an unsolicited phone call,” says global security evangelist Tony Anscombe at ESET, also a technology security company. “When in doubt, contact your bank to see if it was really them. Chances are it wasn’t.”