Google’s Online Security Blog today released the results of a fascinating study into so-called manual hijackings – when a human being hacks an online account. They’re not common, especially when compared to attacks by bots and automated programs, but the damage caused by them can be incredibly devastating. Bank accounts can get taken over; money can be stolen; sensitive pictures can get copied and worse, all depending on the hacker’s whim.
Knowing more about how manual hijackings work and how hackers operate can be an incredibly beneficial tool for avoiding becoming a victim yourself. First, understand that most of these attacks start through a phishing attack – that is, where an email pretends to be from your bank or Facebook account just to trick you into telling them your password. Just about anyone can fall victim to well-designed phishing attack. Some fake websites that were examined had tricked people 45% of the time. On average, 14% of those who visit a phishing page wind up submitting information, with even the worst sites turning 3% of visitors into victims.
Typically, once a hacker (most typically, someone from China, Ivory Coast, Malaysia, Nigeria or South Africa) has your email account details, he’ll work quick to exploit them. Approximately 20% of hijacked accounts get accessed within the first 30 minutes. Once inside, the hacker will just spend over 20 minutes changing your passwords, stealing credentials to other accounts and locking you out of every account of yours he can get his hands on.
Arguably the worst part of a so-called manual hijacking is how it often puts the people you care most about at risk. Scammers will often send emails from your account, pretending to be you, to try and get inside your email contacts’ accounts too. Google found a scary statistic here: Those contacted by a hacker in this manner are 36 times more likely to become victims themselves.
How do you stay protected?
Always treat emails requesting information about your login, password, bank account or other personal data with a high degree of suspicion. If you still believe the email to be genuine, don’t follow any embedded links inside. Type your bank’s URL in your browser if necessary instead.
Google also recommends securing your accounts with two-step verification wherever possible. It’s simple to set up with a physical USB key or by linking your smartphone to your Google account. If someone tries logging in to your account from an unfamiliar location, they’ll be prompted for that key or a code from your phone. This makes your account exponentially more difficult for hackers to get into, and isn’t very intrusive to use on your end.
[Internet criminals and theft via Shutterstock]