Throughout the COVID-19 pandemic, millions of Americans have been working from home, banking from home, attending school from home, and doing pretty much anything else imaginable from home. But unfortunately, bad actors are capitalizing upon that reality as an opportunity to steal citizens’ private information.
According to Thales, a French company in the cybersecurity business, large-scale spam campaigns are using the coronavirus crisis as a way to spread ransomware, install banking malware, and direct users to fraudulent webpages about COVID-19.
So hackers aren’t slowing down—they’re becoming more savvy. But how can you tell if your information has been compromised, and what are the next steps you should take if you suspect one of your accounts has been hacked?
“I think we are inundated with so much information that sometimes we become numb to the fear, uncertainty, and doubt,” Tiffany Franklin, manager of cybersecurity education for the Denver-based network security company Optiv, tells Popular Mechanics. “It’s not that we need to be fearful of cybercriminals, per se, but we need to understand the risks and better educate ourselves.”
How to Tell If You’ve Been Hacked
How do you know if one of your accounts has been compromised? In many cases, Franklin says, it’s pretty obvious, and you can monitor your accounts for suspicious activity.
In a classic scenario, that could include unusual activity on your bank account, but there’s a good chance you may also receive alerts from Google, Facebook, or Apple that a sign-in attempt has been made on your account. That doesn’t necessarily translate to a hacked account, but it’s certainly a red flag if those sign-in attempts didn’t come from you.
You should try to reset or lock these accounts if you’ve noticed purchases through your Apple ID account that you don’t recognize, seen sent emails that didn’t come from you, or spotted any other suspicious activity on your accounts that you can trace, but can’t account for.
You should absolutely familiarize yourself with your state’s breach notification laws as well. The National Conference of State Legislatures keeps a comprehensive list of enacted legislation for all 50 states on its website.
In Pennsylvania, where Popular Mechanics is based, entities that have control over sensitive personal information “shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system.”
In other words, a company needs to let you know that a breach has occurred, stat. Uber has actually gotten into trouble for this in the past.
Alert Financial Institutions
Once you’ve established that something is up with one or a few of your accounts, you should alert the relevant institutions that host your account. That may mean contacting Apple, Google, your banks, and even the major credit bureaus.
Not only can this help protect you against further damage, or at least serve as a record, but it could also give the organizations a heads up that there could be a larger breach at hand. Consider it a way to not only help others, but pay it forward to your future self, too.
“If someone hacked into your account, [especially with two-factor authentication in place] let the company know—it could be a larger breach,” Franklin says. “Let the company that you work for know, no matter what … and what they do with that is up to them.” You should also contact the local authorities if there’s a financial element to the hack.
Change All of Your Passwords
Data from a 2019 Harris Poll shows that two in three people recycle passwords across accounts. That’s a terrible idea.
“Level with yourself: For how many accounts do I use the same passwords?” Franklin says.
While anyone who is involved in a hack should update their passwords for various websites and apps—not just those that have already been compromised—the serial password recyclers should especially pay attention to this step. If your password is “Fido123!” on your Gmail account and a hacker gets in, you better believe they’re going to try out that password with your other accounts.
In any case, get into the habit of changing your passwords periodically. Most large organizations make their employees do this, and while individuals don’t have the same financial resources as companies with full-on IT teams, it’s a small thing you can do to hold yourself to that corporate standard.
While you’re at it, figure out if you have any “zombie accounts,” Franklin says. These are accounts you may have signed up for back in, say, 2006, and you haven’t logged into them for the past decade. (Think: AOL, AIM, and Hotmail.) If a cybercriminal gets into one of these accounts and you aren’t actively using it, they can gain access to whatever information is in there, all without your knowledge. Delete them now, and never look back.
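As an added illustration of the two checks above (reused passwords and zombie accounts), not code from the article or from Optiv, here is a small audit of a password-manager export. The CSV column layout and the sample rows are constructed assumptions; real managers export different columns.

```python
"""Audit a password-manager export for reused passwords and stale accounts.

Added example, not from the article. The CSV layout
(name,url,username,password,last_used) is an assumption, and the
sample rows below are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export: three sites share one password, and one
# account has not been logged into for more than a decade.
SAMPLE_EXPORT = """name,url,username,password,last_used
Gmail,https://mail.google.com,alex@example.com,Fido123!,2020-04-01
Bank,https://bank.example,alex,Fido123!,2020-03-28
Shop,https://shop.example,alex@example.com,Fido123!,2019-11-02
AIM,https://aim.example,alex2006,Puppy!2006,2008-05-17
Work,https://work.example,alex,q7#Vt9zLm2,2020-04-02
"""

def reused_passwords(rows):
    """Map each password used by more than one account to those account names."""
    by_password = defaultdict(list)
    for r in rows:
        by_password[r["password"]].append(r["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}

def stale_accounts(rows, today, max_idle_days=365 * 2):
    """Accounts not logged into within max_idle_days: the 'zombie accounts'."""
    stale = []
    for r in rows:
        idle = (today - date.fromisoformat(r["last_used"])).days
        if idle > max_idle_days:
            stale.append((r["name"], idle))
    return stale

def audit(export_text, today):
    """Parse the export and return both findings in one report dict."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    return {"reused": reused_passwords(rows), "stale": stale_accounts(rows, today)}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, date(2020, 4, 15))
    # Report which accounts share a password without echoing the secret itself.
    for names in report["reused"].values():
        print(f"one password shared by {len(names)} accounts: {', '.join(names)}")
    for name, idle in report["stale"]:
        print(f"stale account {name}: last used {idle} days ago")
```

The report lists account names only, so it can be kept or shared without exposing the passwords themselves.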
Franklin says there’s a common misconception that it’s safe to use something like Google Chrome’s Password Manager tool to keep all of your usernames and passwords auto-stored for your most-visited websites.
Sure, it’s convenient, but it’s a terrible cybersecurity practice. If a criminal gains access to your Gmail account, for instance, they could log into all of those websites, change the passwords, and lock you out. Or, if a burglar steals your device, they could automatically access all of your accounts, since you have all of that data readily available.
Franklin’s advice? “Google search for password management software. You’ll see free and paid tools, some that let you import existing passwords from browsers, and get it into your management software. It just depends on what you’re willing to pay for and the features you want.”
Update Your Two-Factor Authentication Preferences
There’s a good chance your two-factor authentication (2FA) choices aren’t the best, Franklin says, especially if you’re using security questions. Consider all of the information about you that’s publicly accessible—and stop using it as an answer to these kinds of questions.
“Only pick questions that can’t be researched or guessed,” Franklin says. “Don’t select your mother’s maiden name, because that can be easily researched. Use something like [your] best friend’s name in elementary school. Maybe you don’t talk anymore, and you’re not connected on social media.”
Better yet, if you have the choice to edit your two-factor authentication preferences to something else, do it. The gold standard is a physical security key, like a Yubico Yubikey. These are small devices that look like a USB thumb drive, and you can easily attach them to a keychain or hide them away in a secret spot. They don’t require a battery or any special software—you just plug them into your device or hold them nearby (depending on the model that you purchase), and it authenticates your identity.