If it looks like an emergency and sounds like an emergency, it’s a trap.
One of the most common devices hackers will use to extract your personal information is phishing — casting a line and seeing which suckers bite. The gig goes something like this: A cyber criminal obtains your email address, perhaps via one of the lists that are sold on Internet black markets. Then, via automated systems, they email everyone on the list disguised as a major company like Amazon, Facebook, Google, or a national bank. The email will likely contain an alarming claim and urge you to act immediately to resolve the situation or risk consequences, for example: "We've detected some suspicious activity on your account. If you don’t reset your password within 24 hours your account will be permanently deleted."
Stay cool. Real Facebook isn’t going to delete your account. If you get an email like this and suspect you’re being phished, here’s what to do.
Perpetrators of phishing usually won’t ask you to send your password in the email text (no one's that dumb!), but they might include a link directing you to a login screen that looks identical to the login screen of the company they claim to be. Don’t be fooled! It’s really just a copy meant to trick you into entering your password so it can be recorded. Checking the URL used to be a reliable way to make sure the site you think you’re on is actually the site you’re on, but now advanced phishers (phishermen?) can disguise that text so it looks like the URL of the site they’re impersonating.
To stay safe: Don’t enter your password after clicking the link. Open a new tab and type in the URL with your own fingers. If it's actual Facebook, it'll take you to your actual Facebook page — no harm, no foul.
Once someone gets your password, they may try to do a few malicious things with it: They could log into whatever account they just gained access to and try to obtain financial information. They could try to log into any number of other accounts that you might've used the same password for with the help of an automated program. They could message your contacts impersonating you, spreading the web of deceit.
Once you realize your account has been compromised, change your password immediately. If it’s your Gmail account they’ve managed to crack, scroll down to the very bottom of the page, click “Details” under “Last account activity,” and sign out all other sessions. Then, check your sent mail and do the Internet equivalent of the walk of shame: reply-all to whatever message the spammer sent from your account. Time to think of a good excuse! (A keystroke logger must have been installed on that public computer you used when you were backpacking in Berlin last year…)
How embarrassing! Better to dodge the bullet in the first place with these prophylactic moves.
Really, don’t do this. While it may be tempting, using the same password across multiple sites increases the chances that your accounts will be compromised. Say, for example, you used the same password for your bank account as for your Gawker commenting account… in 2010, when the site was hacked and 1.5 million email addresses, usernames, and passwords were collected. Someone could have been doing recon on your accounts for months, or worse. To mix up your passwords without having to resort to bulk memorization or a collage of sticky notes on the wall, you can download one of the many password managers available.
Or, try my simple trick: Create a basic six-to-eight character pattern (like a square or a diamond) and combine it with something taken from the site you’re logging into. Practice drawing that pattern of letters on your keyboard; that’s your base password, and it’s only one thing to remember. Then, pick a component of the site URL you want to make part of your password (e.g. you always add the first two letters of the site to your password: FA for Facebook, GA for Gawker) and the point where you want to insert them in your password. Voilà, now you have a different password for every site, and you don’t have to rack your brain to remember them or keep a written record in a place someone could snoop. This way a hacker running scripts with stolen login info would come up empty-handed if they tried to log in to your email account with your Gawker password.
Even with solid, varied passwords, your passwords and other personal info could be snooped using keystroke loggers (software that lets outsiders see what characters you’ve typed, which is a big risk on public computing stations) or other tactics. On your most valuable accounts, make sure multifactor authentication is enabled, so that changes must be verified through two or more channels before they go through (for example: a text message to your phone and an email confirmation).
Maybe somewhere in Nigeria, there is a stunning prince who is genuinely confused about why his courtship approaches to Western women are going ignored. But, what definitely exists elsewhere in the world are numerous con artists who steal online identities in order to dupe lonely people into falling in e-love with them so they can subsequently mine their bank accounts. If you’re in the online dating game, keep an eye out for the classic emergency scenario where someone really needs help in this moment or harm may come to them or their families. Don’t let them pluck your heartstrings like a guitar — save your emotions for someone worthy in the real world.
When it comes down to it, online privacy is an illusion. Even if you follow all of these tips and more advanced security how-tos to the letter, spend thousands of dollars on security software, and go to extremes to keep your accounts secure, you can’t make the recipients of your transmissions do the same. With myriad anonymous leak sites out there, your next step in career success may prompt secret haters to release whatever ammo they have on you. Furthermore, with growing storage capacities keeping more of your information online for longer while cyber criminal methodologies grow more advanced, it’s only a matter of time before the privacy protocols we used to see as fortress walls start looking more like cheesecloth. (Yahoo! Mail seemed pretty secure in 1998, didn’t it?) Hackers aside, the NSA can already obtain most of our personal information, and other governmental and legal forces with subpoenas can as well. The only way you can be truly sure your personal information won’t be exposed is to keep your secrets offline.
But, you should still go home and change all your passwords tonight!
Tech Journalist Arikia Millikan — who founded the LadyBits collective in 2013 — has contributed everywhere from Wired to Gizmodo to Vice. So, it's only appropriate that the self-described feminist cyborg has helped launch The Techtress. Here, she's the lady you turn to for smart, personal tech support — whether you're gadget-savvy or not.