This was originally a post I wrote on Facebook for my friends and family. I had a person close to me get their Facebook account hacked and it caused others who are not technologically inclined to be scared it might happen to them. So, this was my effort to try and answer their questions about it and what they can do.
This is a LONG post. I’m going to try and break it up but it goes into roughly four sections:
- How does someone hack me?
- What do I do if I get hacked?
- What else can I do to protect myself?
Some of you will go “I don’t understand technology” and skip this post. Please don’t. If you have questions, please ask! I guarantee you aren’t the only person with that question. I will answer any and every question on this topic.
First, there should be no stigma around being hacked. It isn't a judgment on you. It isn't something to be ashamed of. As with any security in our lives, if someone has the means and the determination - anyone can be hacked. I have been hacked before.
Second, some of this can be scary. The idea of a hacker stealing their accounts, or money, etc. It is scary. But it is also very unlikely to happen to you. And if you take the steps I talk about, if they do try it, it won’t be easy and they’ll move on.
How does someone hack me?
Now, with that said, let me first explain what happens in these cases, what you can do to make it harder, and what to do if it happens to you.
As with anything I say below, there are exceptions, corner cases, and things I'm either glossing over or don't know. I do know a lot, but I am not a security professional.
When you see someone with a hacked Facebook account, this almost definitely isn't from a virus. It might be, but it is unlikely because the reality is - that method just isn't reliable for things like Facebook. It's certainly possible, but it is a far less frequent occurrence. Antivirus technology has come a long way.
A hacked account is largely due to one of the following means:
- Phishing / Trojan
- Social Engineering
- A reused password was discovered
That's it. There are other ways, but these are by far the biggest threat vectors. The third is, in my estimation, the biggest single cause of these things. Let me go through each of them and I'll talk about how to protect yourself from them.
Phishing / Trojan
This is when you get an email that looks like it's from Facebook (or your email, or your bank, etc) and it makes you click a link to log in. But what is actually happening is that the link you clicked takes you to their server which looks a lot like the expected website, and you enter your credentials. Now that other website has your login credentials and they can log in as you at their leisure.
A trojan does the same thing, except it requires you to have software on your computer or phone and it either monitors and records your login credentials there, or might also act as a mimic and collect them directly.
How do you protect yourself?
If you get an email to log in to a website for some unexpected reason (bank error, Facebook message, etc.), never click the link in the email; instead, go log in directly. Any decent online service will show you the same thing you wanted to see whether you follow that link or log in directly. You might have to check notifications or something on the site, but it should be there. Never download untrusted software. If your computer pops up an “Install this app” or “Download this software” and you aren’t sure why, immediately stop and exit out, or even just do a hard reboot (hold the power button, etc.) to get out of whatever website or software you were in.
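To make the “looks like the expected website” trick concrete, here is a small added example (not from the original post) that pulls out the hostname a browser would actually connect to for a link and checks whether it really belongs to the service it claims to be. The sample links are constructed for this example, and the domains ending in .example are placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Added example, not from the original post. Only the real hostname of a link
# decides where your login goes, not the link text and not a familiar name
# that happens to appear somewhere inside the URL.

def real_host(url: str) -> Optional[str]:
    """Return the hostname the browser will actually connect to, or None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None            # mailto:, data: and similar have no web host
    return parts.hostname      # strips "user@" and ":port", and lowercases

def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or a subdomain of it."""
    host = real_host(url)
    if host is None:
        return False
    expected = expected_domain.lower().strip(".")
    # "facebook.com.evil.example" does NOT end with ".facebook.com"
    return host == expected or host.endswith("." + expected)

def explain_link(display_text: str, href: str, expected_domain: str) -> str:
    """Plain-English verdict for a link as it would appear in an email."""
    host = real_host(href)
    if belongs_to(href, expected_domain):
        return f"OK: '{display_text}' really goes to {host}"
    return f"SUSPICIOUS: '{display_text}' actually goes to {host or 'no web host'}"

# Constructed sample links of the kinds seen in phishing emails
SAMPLE_LINKS = [
    ("Log in to Facebook", "https://www.facebook.com/login.php"),
    ("facebook.com/security", "https://facebook.com.account-verify.example/login"),
    ("https://facebook.com", "https://facebook.com@evil.example/"),
    ("Facebook", "https://notfacebook.example/"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(explain_link(text, href, "facebook.com"))
```

Hovering over a link in an email shows this same real destination, which is the one check to do before ever typing a password.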
Social Engineering
This is the term for when we get duped personally. You get a phone call from someone saying they are calling on behalf of XXXX bank, or Facebook, etc. They call saying that your account might be suspended, or has an issue, etc. Your phone’s caller ID may even say that the company name is who they say they are. Never trust it. If they are calling you, and it is not an automated message, then it is almost always a scam trying to get the better of you.
How do you protect yourself?
Ask for their extension so you can call them back at the publicly available number. To be clear, don’t take a call-back number from them. If they are calling from your bank or credit card, you should be able to call the number on your card or on the bank website and then enter an extension to reach that person. If they can’t do that, then hang up and call your bank directly, tell them you just received a call and ask if the issue they described is real, etc. You would be talking to someone else, but if there is a flag on your account, they will see it. Most non-financial online sites DO NOT EVER call you. If there is a problem with your account, they will simply lock it and email you until the problem is resolved. They do not call you. They do not proactively try to call you. There are millions of users on their site and hundreds of customer service agents (and that is being generous). Listen to your gut and when in doubt, hang up. No problem is going to be so big that hanging up the phone to talk to someone else who is more tech or internet savvy will make it unfixable.
A reused password was discovered
This is, in my estimation, the single biggest way that you make yourself available to hackers. Out of a desire to make life easier, you use the same password for your email and your social accounts. I get it. But it is by far the biggest point of weakness.
Let’s say you are a fan of old cars. You go online and join “Joe’s Old Car Forum” and use your favorite password “ThunderBird55” or maybe you have had to add characters to it so it looks more secure, “Thunder#Bird^55&” - and when you enter it, the security meter shows green. You think you’re doing good.
But it turns out Joe’s Old Car Forum is using outdated software and their server is on a box in his garage. Someone hacks his machine and downloads everyone’s emails and passwords. So now, through no fault of your own, someone else has your password.
Since you use the same password for your email, they log into “TonyHotrodSuperFan@hotmail.com” with that password and bam - suddenly everything you’ve ever signed up for is at their fingertips. Facebook, banks, etc. They can go to those sites and claim to have forgotten your password, get the email that then lets them go reset the password and then log in as you.
How to protect yourself
- Stop reusing the same password. There are amazing tools called Password Managers. They are apps designed to be installed on your phone, tablet, or computer browser, etc. I will write another post that explains what they are and how they work later. But if you want to go check them out, my recommendations are BitWarden.com and LastPass.com. If you don’t want to use a password manager, then use the same password for anything that doesn’t matter (that car forum, etc.) but use unique passwords for your email and banking and social accounts. Then you’re only managing 3-10 unique passwords. (But really, just use a password manager, I promise they are easy once you get them set up.)
- Use two-factor authentication applications instead of text. Two-factor authentication is when, after you enter your password, a website or service sends you a text message with a code. The “Two Factor” here means that you’ve provided a password, and now it’s confirming you possess (in most cases) the cell phone that can receive your second means of identification. This is an important step in defense, but it is by no means an insurmountable obstacle against would-be hackers, especially if you get your codes via text message. Better would be to use apps, which take a bit more setup (though some password managers now feature integrated two-factor authentication handling. Again, I’ll talk more about it in another post).
Your cell phone and email are, in today’s world, considered identification online. Like a drivers license in the real world, possessing these things will allow you to access nearly any online service. The security though is through possessing them, and the technology at play is imperfect. Again, hackers have ways of spoofing phone numbers, and even can make their phone act like your phone to the cell company, such that they could receive a text message meant for you, etc.
It sounds scary, but you should view that as akin to the threat of dying of a shark attack. You are almost certainly not going to be faced with a hacker going after you with that level of effort. No offense, you’re not important enough. And if you are, then you’ve already been taught or told all the things I’m talking about here.
What do I do if I get hacked?
So those are the three biggest threats and how to protect against them. But what do you do in case something goes wrong?
First, as soon as you think you’ve been hacked, log into your email and immediately change its password. That is always the first thing to do. Even if the account that got hacked has NOTHING to do with it, if you lose control of your email, you lose control of almost everything you have online. It has to be protected first and foremost.
Second, once that is done, try to regain control of the hacked account. If it is a finance account, call them. These things happen and these sites have means of helping you regain control. If the hacker has changed your login, they will likely also have tried to change the email on the account, etc. If the account is attached to your phone, you might still be able to regain control directly.
Third, ask for help. I cannot volunteer to be anyone’s technology savior. But I am willing to help and do what I can.
What else can I do to protect myself?
I cover a lot of things in the sections above, but there are also a few other things I wanted to cover.
haveibeenpwned.com - Above I talked about a scenario where your password and info leaked from a car forum. This website is a tool that lets you check if your email or phone were included in leaked information from various sites. It is secure. By entering your info you are not signing up for any marketing emails, etc.
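The car-forum scenario above and the haveibeenpwned.com check are two sides of the same thing: a leaked password becomes a key to everything it was reused on. This added example (not from the original post, and not code from haveibeenpwned.com itself) shows the idea behind that site's password check, where only the first five characters of the password's hash ever leave your computer and the matching is done locally. The range response and its counts are constructed for this example.

```python
import hashlib
from typing import Tuple

# Added example, not from the original post or from haveibeenpwned.com.
# The service's Pwned Passwords lookup works by "k-anonymity": you send only
# the first 5 hex characters of the password's SHA-1 hash, it returns every
# leaked hash suffix sharing that prefix, and you search that list yourself.
# The sample response below is constructed; the counts are made up.

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex of a password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """How many times the password appears in a 'SUFFIX:COUNT' range response.

    range_response must be the answer for THIS password's prefix; a result of
    0 means "not in this list", not "safe". Handles CRLF and blank lines.
    """
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

# Constructed answer for prefix "5BAA6" (the prefix for the password "password").
# To query the real service you would GET https://api.pwnedpasswords.com/range/5BAA6
# and pass the response body to breach_count() instead.
SAMPLE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:2\r\n"
)

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("only this leaves your computer:", prefix)
    print("times seen in leaks (constructed):", breach_count("password", SAMPLE_RANGE_5BAA6))
```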
Vigilance! - Security is an active thing we do. It’s the practices we make and it is an ongoing activity.