How not to be an easy mark.

Rachel Tobac, CEO of SocialProof Security, recently posted about four specific hacking attacks she sees impacting businesses these days. From her perspective, “phone-call-based” hacking has the highest success rate.
Since her focus is on business, I want to describe those same four techniques from a consumer’s point of view. These techniques have a high success rate among “normal people” as well as businesses.
Let’s identify them, the things you need to watch for, and the steps you need to take to stay safe.
Protecting yourself from a hacker's scams
Hackers trick you by pretending to be someone you trust, asking for your info, or getting into your computer. They might wear you down with 2FA pop-ups or even steal your phone number. Don’t share codes or passwords, don’t allow remote access, and always double-check unexpected requests.
1. Impersonation
You get a call or a text from someone claiming to be from an IT support helpdesk of some sort. It may be vague, or they may claim to represent an online service you use, such as Microsoft, Google, or other popular platforms.
They present a scenario where, for one reasonable-sounding reason or another, you need to give them your password or your two-factor code. Maybe, rather than explicitly asking for these things, they’ll direct you to a link where you can clear up an issue without them needing direct access to anything.
Of course, it’s all a scam. If you give your password or 2FA code to someone, they immediately hack into your account. If you visit the link they give you, you’ll be asked to sign in, and in doing so, you’ll hand over your credentials to a hacker.
2. Remote access
This is a variation of the impersonation scam above. Rather than asking you to take some action, they’ll helpfully offer to take care of it for you by accessing your computer remotely. They’ll ask you to download and run a remote access tool [1] and then give them access to it. They then have complete access to your computer.
It’s all a scam. Once in control of your computer, they can install malware, steal credentials, and much, much more. This often happens faster than you can follow and is sometimes hidden behind crafty software they install.
3. MFA/2FA Fatigue
This is a new one to me, and I have to say that I haven’t encountered it personally.
The concept is simple: a scammer attempts to sign in to your account, which is protected by two-factor authentication (2FA) or multi-factor authentication (MFA). Because of the type of authentication in use, each attempt sends you a notification asking you to approve the sign-in, perhaps via email or via an app on another device you’re using. Of course, you decline it, since you are not attempting to sign in.
So they repeat it again and again and again, until finally, in exasperation or by accident, you allow it.
The attacker now has control of your account.
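From the defender’s side, the pattern above is easy to spot in an authenticator’s push log: a burst of declined prompts for one account, sometimes ending in an approval. The following script is an added example, not part of the original article; the log format and field names are assumptions, and the sample lines are constructed.

```python
# Added example (not from the article): flag MFA-fatigue bursts in push logs.
# Log format and field names are assumptions; the sample log is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is bombarded and finally approves; bob is normal.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z user=alice event=push_prompt result=denied
2024-05-01T09:00:40Z user=alice event=push_prompt result=denied
2024-05-01T09:01:20Z user=alice event=push_prompt result=denied
2024-05-01T09:02:00Z user=alice event=push_prompt result=denied
2024-05-01T09:02:45Z user=alice event=push_prompt result=approved
2024-05-01T09:05:00Z user=bob event=push_prompt result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push_prompt result=(?P<result>\S+)$"
)

def parse(log_text):
    """Group (timestamp, result) pairs per user; skip lines that don't match."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events[m["user"]].append((ts, m["result"]))
    return events

def find_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {user: verdict} for users with >= threshold denied prompts inside
    `window`. 'compromised' if an approval follows that run of denials,
    otherwise 'under_attack' (the user is still holding out)."""
    findings = {}
    for user, evs in parse(log_text).items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_win = [r for t, r in evs[i:] if t - start <= window]
            if in_win.count("denied") < threshold:
                continue
            seen, verdict = 0, "under_attack"
            for r in in_win:
                if r == "denied":
                    seen += 1
                elif r == "approved" and seen >= threshold:
                    verdict = "compromised"  # attacker got the prompt accepted
                    break
            findings[user] = verdict
            break
    return findings
```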
4. SIM swap
This is one you can’t see coming.
The attacker calls your mobile provider pretending to be you or your employer. They claim you’ve lost your phone but have a replacement in hand. All the mobile provider needs to do is move (transfer, or “port”) your mobile number to the replacement device.
If they successfully fool the mobile provider’s customer support agent, your phone number is then assigned to the hacker’s phone. They start getting the two-factor codes and other messages needed to access your account.
Protecting yourself
The steps you need to protect yourself are simple yet easy to overlook.
- Never [2] provide sign-in information to someone who calls or texts you.
- Never give someone who calls you remote access to your computer.
- Ignore all 2FA notices that you didn’t initiate yourself. Silence your device if you need to.
- Establish a PIN code with your mobile provider that must be provided in order to make any changes to your account.
Other techniques
Tobac recommends the Be Politely Paranoid Protocol. In other words, be skeptical and paranoid. Politely verify an unexpected request through another channel, one the requester did not provide. For example, if someone claiming to be from your bank calls you and starts to ask for sensitive information, let them know you’ll need to call them back using a number you already have for the bank. If the caller balks, it’s a strong sign there’s something amiss.
If you have the option, use 2FA techniques that don’t involve your phone number. That means choosing TOTP (Google Authenticator compatible) techniques or a hardware key like a YubiKey, rather than SMS (text)-based 2FA. [3]
Of course, that assumes you’re using two-factor authentication. 2FA remains the most important thing you can do to protect your online accounts, so be sure to use it if it’s available.
Do this
Security remains your responsibility. Yes, it’s all in conjunction with the security offered by the various services you use, but ultimately, you’re the last link in the chain. Please don’t be the weakest link.
Footnotes & References
1: Which in itself is a legitimate tool.
2: Of course, never say never; there are rare cases where it might be the right or expedient thing to do. But only if you are absolutely, completely, 100% positive that you know the person you are communicating with and trust them completely.
3: SMS 2FA is still better than no 2FA at all, though.
Wouldn’t a SIM swap only work with an eSIM? I have a nano-SIM card, and the only way to do a SIM swap would be to have the mobile provider mail out a new SIM card. My provider would only send to the address they have on file. Theoretically, a targeted hack might involve the hacker waiting at my mailbox to steal the SIM. Unlikely, unless there’s a large amount of money at stake.
If someone called in to get a new SIM card, the mobile provider would disable the SIM card and the victim would get in touch with the mobile provider to ask why their phone stopped working.
I read Kevin Mitnick’s (the most famous hacker of the 80’s; War Games was based on him) book. He said almost all his hacks were human engineering: phoning people asking for passwords, or gaining physical access to a computer by getting information over the phone.
A longtime reader, Ernie (Oldster), came up with the term Cognitive Security. That’s a great term to describe the most important link in computer safety. You are your most important tool in the fight against malware. Think before running or downloading anything.
Very good article and important information to follow. I retired years ago, and before that I always worked in an environment where I had an IT department to help and “protect” me in all this. Now retired, and experiencing it all myself, I only permit two people I know to do “remote access”: the computer store in my home town and my former boss, who is a PC guru and has helped me much since my retirement. Yes, 2FA is frustrating and time consuming to some extent, but it’s better than the alternative. As a “newbie”, please take all that Leo states verbatim and you’ll be so much better off.
Just yesterday I got a call from a scammer pretending to be a security agent from Comcast (Xfinity) my Internet provider.
His “spiel” was that Comcast noticed that my router was not getting updated with the new security software that Comcast was attempting to install on my router.
The scammer wanted my help and permission to allow him to connect to my PC so he could “update” my router.
I right away told him that he can go to where the Sun never shines…..he immediately hung up.
Never ever allow anyone calling you cold to be able to connect to your PC remotely. These calls are always from dangerous scammers. You also do not know who the caller really is…..they could be anyone in the world.
Always hang up immediately and if you want to really verify and confirm this issue is to call your needed provider yourself and ask them if what the scammer informed you is accurate. Most of the time it will be false.
Thank you for your article on scams. As an oldie of 88, I need constant reminding to be aware, so there just aren’t too many warnings and advice.
Note I am quite deaf on the telephone so it’s easy to simply say “sorry, I don’t understand” and put the phone down – perfect response.
Thank you for the scam article! (Not just this article... but all articles.)
I appreciate ALL that you do to help us!