
Attacks on British retailers like Marks & Spencer have highlighted how mistakes can let cybercriminals into online accounts with devastating consequences.
M&S announced on Tuesday it had finally reopened its website, weeks after a cyberattack in April that the company blamed on “human error” and which it said would cost around £300m.
The government’s cybersecurity breaches survey, published earlier this year, found 43% of businesses had suffered a security breach in the last 12 months.
But even for ordinary people, it’s still very possible to make mistakes that can lead to criminals gaining access to your account – and then using your details for identity theft or stealing money.
Research by the Global Anti-Scam Alliance found that 10% of Brits had lost money to scams or identity theft in 2023.
Yahoo News spoke to security expert Truman Kain, a security researcher at cybersecurity firm Huntress, about the common mistakes people make – including one which almost all of us have never even thought about.
1. Using your real details in security questions
In security questions on online accounts such as banking, people often put their real mother’s maiden name or the name of a first pet.
But this is a mistake, Kain explains: you should make up a fake answer instead, because such information is often easy to find out, and hackers can potentially use a security question to reset an account and gain access.
Kain said: “Security questions are a relic. When used as originally intended, they aren’t security, they’re trivia that hackers already know.
“Think of it this way: if you had to, could you answer your friend’s security questions? Yes? Well, so could a hacker. Attackers can typically guess or find your answers to common security questions on your social media or elsewhere online.
“This is how accounts can get taken over even if you do have a strong password. So, treat security questions like passwords… lie! Generate and save fake answers to security questions with a password manager. Never assume that your real answers to security questions are private.”
2. Storing passwords in your browser
Browsers such as Chrome commonly offer to save your passwords, which can be highly convenient – but relying on this is a mistake.
So are other common ways of storing passwords like notes apps, Word documents or spreadsheets, says Kain.
“Lots of people store passwords in places they shouldn’t: these are a problem, because they can all be quickly scraped by malware or someone with access to your device,” Kain says.
For example, if your PC is infected with malware, it can be easy for criminals to find passwords stored in this way.
Instead, Kain advises, you should use a separate password manager app on your PC or smartphone, and generate strong passwords using the app.
Kain said: “If you care about your accounts, use a dedicated password manager. It’s the simplest way to keep your accounts secure. Storing passwords anywhere else is like locking your front door and then leaving the key under the doormat.”
3. The ‘Russian roulette’ of reusing passwords
Reusing passwords is tempting because it makes logging in easy – for example, when a pub’s ordering menu forces you to create yet another account.
But given how frequent data breaches are, if you use one password across a lot of accounts it is only a matter of time before it leaks online, says Kain.
Kain said: “By reusing passwords, you’re basically playing Russian roulette. A breach at some random site, at any point in the future, can hand attackers the keys to your most important accounts.
“They’ll turn right around and plug those credentials into every major service they can think of… and if you reused, they’re in.”
4. Clicking on links in emails
Kain said: “Today’s phishing attacks aren’t poorly worded emails. They’re polished, look just like the real thing and sometimes even come from real providers like DocuSign or Canva.”
To deal with such attacks, it’s best to be ultra-cautious around links in emails, particularly when they relate to banking or anything similar.
Instead of following the email, use your banking app or navigate to your bank’s website – or if you’re really worried, call.
Kain said: “Today, fake login pages are pixel-perfect and often use legitimate-looking domains. All it takes is one moment of distraction or misplaced trust, and your credentials or sensitive information are compromised.
“Attackers love evoking senses of fear or urgency because those emotions often cause you to act without thinking. So, always take a minute to stop and think: is this legit? Just because a site looks real doesn’t mean it is. Check the URL before entering credentials and navigate to sites directly instead of clicking links in emails or text messages.”
5. Turning off multi-factor authentication
Multi-factor authentication (MFA) bolsters passwords by insisting on a second check (often via text or through a dedicated app) to prove people are who they say they are.
This means that if a criminal finds your password in an online data breach, they still cannot get into your account without that second check.
Kain said: “MFA is one of the most effective defences you have against account takeovers. However, it’s often ignored because ‘it’s annoying’, or put off with ‘I’ll do it later’.
“The reality is that passwords get breached. Phishing works. MFA adds a backstop that makes it much harder for attackers to get in when they inevitably get a hold of your credentials. App-based MFA is ideal, but any form of MFA is better than none.”