Do You Have a Bad Case of Password Exhaustion?

Passwords

You’re not alone! Most people use the same password everywhere – home, work, Twitter, Facebook, email and even for banking. Considering how many passwords we use everyday and are expected to remember them, password exhaustion is a real thing. It is no wonder that when yet another prompt for a password appears, users enter very easily guessed combinations like ‘abcd’ or ‘password’.

Trouble is, even if your password conforms to strict password rules, hackers are taking regular strolls around the internet and collecting logins and passwords, from either leaked details or sites with security flaws.

Then, they will try their luck with that login/password combination on other sites. They know more than half the users only have only one password and email combination, so the chance of gaining access into another one of your accounts is quite high.

As the same password is used elsewhere, one site breach follows another and another until hackers have nothing more to gain. The only way to break this chain reaction is to use a different password for each site.

How to Create Easily Remembered Passwords

Have a system or template for creating your own unique passwords, that you’ll be able to remember, but is not obvious to hackers. For example:

<character><word><something about the site><numbers><character>

Becomes:

 !K1ttyFB75!

At first it might seem complicated, but the above is really just based around the words ‘kitty’ (with an upper case K and a number 1 for the i) and ‘FB’ for Facebook. For other sites change the FB to something else.

What to Do If Your Password Has Been Hacked

You can check to see if any of your accounts have been compromised by entering your email into a site like:

www.haveibeenpwned.com

If it alerts a breach, you will need to change your passwords immediately – all of them. Use the example system above to create a new set. If you’re struggling to remember your set of passwords, consider using a secure password tracker such as LastPass. (http://www.lastpass.com) or Keepass (https://keepass.info)

If you assistance changing your passwords or setting up a secure password system, let us know on (08) 8326 4364 and we will be more than happy to help you out.

Fake Invoice Attacks Are on the Rise – Here’s How to Spot Them

False Invoice Scam

Businesses around the world are being targeted with a cyber-attack that sends victims a fake invoice that looks real enough to fool to most people. It is based on an old scam that used to see invoices faxed or mailed to the victims and now it has made its way into the digital world and instances are on the rise.

You may have already seen some of the less effective attempts – an email advising your domain is expiring (except it’s not from your host and your domain is nowhere near expiration) or others that describe a product or service you would never have purchased.

The new attacks though are much more advanced as they look completely legitimate and are often from contractors and suppliers you actually use. The logos are correct, spelling and grammar are spot on and they might even refer to actual work or products you regularly use. The senders name may also be the normal contact you deal with at that business as cyber criminals are able to ‘spoof’ real accounts and real people. While it is worrying that they know enough about your business to wear that disguise so well, a successful attack relies on you not knowing what to look for.

Here are two types of invoice attacks you may receive:

1) The Payment Redirect

This style of fake invoice either explicitly states that the payment should be made to a certain account (perhaps with a friendly note listing the new details) or includes a payment link direct to a new account. Your accounts payable person believes they are doing the right thing by resolving the invoice without bothering you and unwittingly sends money to a third party. The problem may not be discovered until an invoice from the real supplier comes in or the transaction is flagged in an audit. Due to the nature of international cyber crime, it’s unlikely you’ll be able to recover the funds even if you catch it quickly.

2) The Malware Link

Rather than an immediate cash grab, this style of attack asks your employee to click a link to download the invoice. The email may even look exactly like the ones normally generated by popular accounting tools like Quickbooks, Xero or MYOB. Once your employee has clicked the link, malware is downloaded to your systems that can trigger ransomware or data breaches. While an up-to-date anti-virus should block the attack at that stage, it’s not always guaranteed (especially with new and undiscovered malware). If it does get through, the malware quickly embeds itself deep into your systems and often remains silent until detected or activated.

How to Stay Safe

Awareness is key to ensuring these types of attacks have no impact on your business. As always, keep your anti-virus, firewalls and spam filters up to date to minimize the risk of the emails getting through in the first place.

Secondly, consider implementing a simple set of procedures regarding payments. These could include verifying account changes with a phone call (to the number you have on record, not the one in the email), double checking the invoices against purchase orders, appointing a single administrator to restrict access to accounts or even two-factor authorization for payments. Simple preemptive checks like hovering the mouse over any links before clicking and quickly making sure it looks correct can also help. If anything looks off, hold back on payment / clicking until it has been reviewed. Fake invoices attacks may be increasing, but that doesn’t mean your business will become a statistic, especially now that you know what’s going on and how you can stop them.

We can help increase your security, talk to us today. Call us at 08 8326 4364 or on support@dpcomputing.com.au