Recommendations for end users concerned about account breach and fraud
You’ve received an email, a text, or even a message on social media that someone’s hacked your account, or your credit card has been exposed, or that your computer is under active attack. It’s scary and enough to make your stomach hurt, and you want to do something about it right away.
While the nature of our business at Cequence Security isn’t focused on helping consumers with breaches, we do have lots of experience and advice to help you through this tough time.
How to handle an urgent message you’ve received online
- First, don’t panic. Your credit card company has got your back, and your accounts aren’t going to vanish in an instant. Take a deep breath and take a moment to consider the situation carefully. Often the message urging you to act isn’t legitimate, and it’s counting on your panic to make you do something in a rush that may make things worse.
- Don’t click on links. Scam emails or messages look like they may be from a vendor you know and trust but actually come from bad guys who want you to give up your personal information. One of the most common ways they do this is by including links in the message that take you to a site that looks like Amazon, your bank, or other legitimate site but is really the bad guy’s site. When you put in your name and password, or even other personal info like your credit card number, you’re just handing it over for them to use.
- Go directly to the vendor website instead, and contact the vendor directly via phone if possible. Instead of clicking on a link in a message, open your web browser and go directly to the website that the message is about. There, you can see if the vendor has any messages about issues they are having, or you can use the “contact us” link to call or chat with the vendor directly. They can help you determine if the message was legitimate, and will have recommendations for next steps.
- What if you’ve clicked on a link? If you clicked on a link in a message, put in your login information or other personal information, and later you’re concerned it might have been a scam, follow the instructions below for updating your account. You should also go directly to the vendor’s website and contact them directly (via phone or chat) to let them know that you think your account has been hacked – they will help you with next steps.
- Get help if you’re unsure. This stuff is really scary and feels embarrassing, but it’s really not your fault. If you’re unsure, ask someone you trust for help. At the least, they can provide a second pair of eyes to see what happened and help you figure out what to do next. Remember, you always have time to consider next steps and you really don’t need to rush.
What to do if you think your account has been hacked or your password exposed
- Update your password. Open a web browser and go directly to the vendor’s website. Follow the instructions there to change your password. Make sure you use a strong password, and be sure you don’t use a password that you’ve used anywhere else.
- Turn on “two-factor authentication” or “two-step verification” if it is available. If the vendor offers the additional security of a second verification step, use it. Many vendors offer to verify that it’s really you before letting you into your account by sending a numeric code by text message or email, and this second step makes hacking your account much more difficult. (Curious about who offers additional security like this? Check out https://twofactorauth.org/.)
- Contact the vendor. It’s never a bad idea to contact the vendor directly by calling their support line and letting them know what happened. They may have more suggestions about how to secure your account and what to do next.
- Think carefully about where else you might have used that password. Many of us use the same password on multiple accounts to make it easier to remember. The problem with password re-use is that the bad guys count on it. They use a technique called “credential stuffing,” where once they have stolen a username and password for one site they will try it on lots of others, hoping that the user used the same password. If you think you’ve used the same password elsewhere, it’s time to update the password on all of those sites, too (and make sure they are all unique!).
- See if your account has been compromised in other attacks. Go to https://haveibeenpwned.com/, enter your email address, and see if your account information may have been exposed. There, you can find out about past breaches and sign up for notifications of new ones.
- Begin using a password manager. Once your heart rate is back to normal, begin using a password manager. These tools help you manage your wide range of logins while eliminating the use of poor passwords (e.g., password123, etc.) which is a common vector for account compromise.
What to do if you think your credit card, bank information, or retail account has been compromised
If you suspect that your credit card information has been stolen, call your credit card company. You can usually find a toll-free number on your credit card, or check your credit card statements. Your credit card company will help you determine if there is an issue and will reverse charges and send you a new card if necessary. Similarly, if you think your bank account information has been compromised, call your bank.
Keep in mind that if you store your credit card information in other retail or service accounts, the bad actor most likely doesn’t have access to the credit card number, but could make purchases using your account and saved credit card.
If you receive a notice in the mail that your credit card or bank account information was exposed in a breach, it may provide you with information about how to sign up for credit monitoring or even a credit freeze. (Note that it would be very unusual for this to come to you in an email or a text message, so be very careful and contact the vendor directly if you get a message this way.) Signing up is up to you, and you will need to reach out to the credit monitoring company to set up the service based on the instructions you receive from the vendor. You always have the option of contacting the credit agencies (in the US, go to https://www.usa.gov/credit-reports for more information) and setting up alerts or freezes yourself.
You know you need unique passwords for all of your accounts, but how do you manage them?
It’s critically important to use unique and strong passwords for all of your accounts, but managing that can be a nightmare. Most of us have dozens of different logins. Here are some ideas for how to manage the challenge:
- Best practice: Use a password manager. There are a number of tools available to help you manage and securely store your passwords. They will help you to generate (or update) unique and strong passwords for each of your accounts and then can fill in your username and password automatically when you go to the website on any device or browser (or even in an app). (They also can help you by not filling in your information if you go to a scam website, and they will warn you if they think the site is not legitimate.) Password managers can also store other personal data safely and securely so you can use it to store and later recall info you may need, like bank account numbers or PINs. Don’t worry – all of the reputable password managers use strong encryption to protect your data from hackers (after all, that’s their job!). Password managers also work across all of your devices, so you can use your phone to look up a password or a PIN if you need to.
- Use your browser’s password manager. Browsers can be used to remember your passwords, filling them in for you when you go to a website. Some also have plugins that can help you generate new, unique passwords. Browser password management can be tied to a single computer and usually does not work on your other devices (or other browsers), however, so it’s not as useful or universal as a password manager. Still, the passwords are stored securely, and it can be very helpful.
- As a last resort, write them down. We all remember being yelled at about not writing down passwords, but the fact is, if you’re not comfortable with using any of the above methods, physically writing down your good and unique passwords in a password book and then storing that in a safe place away from prying eyes is not the worst idea (but please don’t do this for your work devices or accounts!). The fact is, attackers are never going to break into your home to steal your passwords when it’s so much easier to do it online.
Where can you learn more?
SANS is an organization dedicated to research and education about computer security, and it publishes a monthly security awareness newsletter called OUCH!
You can find a full list of the newsletters at https://www.sans.org/security-awareness-training/ouch-newsletter.
You can check to see if you have an account that has been compromised in a data breach at https://haveibeenpwned.com/, a website that keeps a database of breach information and provides notification of new breaches.