Salaries stolen using hacked e-mail addresses
Last week, the Fraudhelpdesk reported hearing of several recent cases of salary fraud. Salary fraud involves a scammer hacking an e-mail account and mailing the account-holder's employer to ask for their salary to be paid into a new bank account. Of course, the account in question is one controlled by the fraudster. Frauds of this kind are possible because lots of people still underestimate the importance of secure passwords. In this article, we explain what happened and give advice on how to avoid falling victim yourself.
The salary fraud came to light when a number of people contacted their employer's payroll department because they hadn't received their salaries. Investigations led to the discovery that the employer had received account-change requests from the employees' e-mail addresses. But the employees hadn't sent the requests; hackers had. A total of ten incidents were reported.
How does this kind of fraud happen?
Hackers often get people's passwords from large-scale data breaches, like the ones involving LinkedIn, Yahoo, Dropbox and others. Many of the people whose data is stolen don't realise that the breach means that a hacker has their passwords. If the same password is used for multiple accounts, the hackers can easily get into the other accounts as well.
Check whether your passwords have been hacked
Visit Have I been Pwned to see whether your data has been compromised by a data breach. The Dutch police also have a tool that makes it easy to check whether you have anything to worry about. If either of the tools flags up an issue, there's a possibility that your passwords are known to cybercrooks. You should therefore change the passwords for all your log-ins: social media, iCloud, e-mail and webshop accounts. You may think that a webshop log-in doesn't matter much, but many accounts have payment information linked to them.
Choose strong passwords
When setting a password, always go for something long and complex. A password like that is hard for a hacker or computer to work out.
Never use obvious words, the names of your loved ones, number sequences (1234) or logical keyboard character strings (qwerty). Things such as welcome1 or words that you can find in a dictionary are also easy to guess.
Your password should have at least ten characters. The more characters, the more secure it'll be.
It's a good idea to use a sentence, e.g. a saying or a song lyric. A sentence is longer and harder to crack than a single word.
Combine the sentence with numbers and special characters, and include both lower-case letters and capitals.
Where possible, use two-factor authentication: a set-up where, after entering a password, you have to verify your identity in order to access your account. Verification is usually on the basis of a code provided by or sent to a different device.
Use a different password for each account. Then, if there's a security breach, the hackers will only get access to that one account.
Tip: use a password manager
It's not unusual to have thirty passwords, without even realising. Unfortunately, though, most people find it impossible to remember that many long passwords. And writing them down or saving them on your phone or in your mailbox isn't secure. The best option is to use a password manager. That's like having a digital safe to lock up your passwords. So you don't have to remember all the log-ins you've dreamt up, just the master password for your password manager. Naturally the password for your password manager has to be really secure. That means having a strong phrase, as described above, and maybe using two-factor authentication. When choosing a password manager, go for one that saves your passwords in encrypted form. Here are some (free) password managers to consider:
Keeping your passwords safe
Keep your passwords to yourself; don't share them with anyone else.
Make sure that no one's watching when you enter your password.
Never save passwords close to where you use them, e.g. on your PC, phone or desk.
If your internet browser asks whether you want passwords remembered, select 'Never'.
If you can avoid it, never include a password in an e-mail. If a password has to be mailed, delete the e-mail straight afterwards.
If a company asks for your password, say 'no'! A reliable company is very unlikely to ask for confidential details, so be wary of anyone who does ask. If in doubt, contact the company to check whether any of their real personnel have called.
Scammers often call people up, pretending to be from a bank or insurance company. So never give your password or PIN to a caller.
If your account does get hacked, change your password straightaway!
Make sure that devices such as laptops, PCs, smartphones and tablets are secured with an access code or fingerprint.