Blog: Consumer Advice
Help, my accounts have been hacked! What should I do?
I run staff security awareness sessions for a huge variety of organisations. Regardless of where I am the most common question I get asked is “How do I recover from being hacked at home?”.
For businesses, we have some simple advice, but what about everybody else?
A client contacted me. One of their employees had been compromised at home and didn’t know what to do. I wanted to help. Surely there must be a ton of sensible advice online that I can simply email to them? Yet, oddly, there wasn’t much that fitted the bill. It was either too detailed for the average user, or it simply missed the mark. Hence this post.
Being scammed, phished, having your email hijacked, having your bank account drained, being extorted online are all scary things to happen to a person. You can feel violated, especially if you have lost money. The key is not to panic. Take some critical steps to not only recover, but also to prevent future attacks.
How bad is it?
First you need to work out how bad it is. What has actually happened to make you suspect foul play?
Has a friend received email purporting to be from you? Has one of your social media or email accounts been hijacked?
These are by far the most common issues and they require urgent action
Less common is having your computer compromised. Sometimes a visit to a rogue web site can be all it takes to end up with malware running on your machine. Were you scam called into installing some software?
…or was the first you knew about it a bounced payment because your bank account had been emptied or a payment misrouted?
How did it happen?
The most common form of account compromise is enabled by ‘credential stuffing’. Do you re-use passwords on different accounts? Hackers breach other sites, find your password and email address, then immediately try it on your email account.
Receiving Spam email is not really a breach, its annoying, but is unlikely to have any impact. A good place to start is to look at all of your online accounts, see if you can see any ‘last logon’ information and see if there are any logons you don’t recognise.
This isn’t always possible though. Some services will email you if you have had a logon from a location you don’t commonly logon from. Check your email – assuming that’s not been compromised.
Although this breach is unlikely to feature, use the awesome https://haveibeenpwned.com to check if you have been breached on other sites already, change your password on the breached site and anywhere else you have used the same password.
For some breaches law enforcement may need to be involved. One example is a push payment fraud attack. This is where you unknowingly or unwittingly send money to third parties.
If the amount sent is significant enough the police should be notified. Equally if someone has already committed identity theft and are actively using your identity then its sensible to involve the police as any crimes committed using your identity could be attributed to you.
Cleaning up the mess
There are eight steps you can take to get back on an even keel.
1. Contact your provider
First thing to do is contact the provider that you have discovered the breach on. With Facebook for example, contact their support pages. Big online services like that don’t always have phone numbers you can call, but you can use their online support tools to try to regain access to your account.
2. Check your insurance
It may also be worth checking your home insurance cover, as some insurers now cover domestic cyber loss.
3. Inform your bank / credit agency
If you have had money stolen from your bank or credit card phone the company straight away so they can put extra controls in place and begin to try and recover money, if they can. Do this for all financial institutions you have accounts with just to be safe, unless you are 100% certain that you have not used the same login details across different services.
4. Password review and triage
The next step is to change your password on the service that’s been compromised and, on any services where you have used the same login details.
The passwords need to be different for each of the sites as this will thwart future credential stuffing attacks. It’s a good time to refresh some other key sites, such as your email service, social media, shopping accounts, Apple ID/GoogleID, phone company, etc. even if they haven’t been breached.
5. Start using a password manager
Managing passwords safely across all your personal service accounts is hard / impossible. They need to be unique to each account or service, and they need to be strong.
So, to make your password life significantly easier and more secure I STRONGLY recommend using a password manager.
Each has pros and cons, but it’s better to use one to prevent you from sabotaging yourself.
It’s not inconceivable that if home cyber loss insurance becomes the norm, claims might only be paid if you can demonstrate that you have been taking appropriate precautions.
6. Set up two factor authentication
While changing passwords, set up two factor authentication on the same services. As a minimum you should do it on email, AppleID/GoogleID and places with personal data or financial information.
https://twofactorauth.org/ will help work out how to set it up. Search for what site you want to set it up on and if it’s available there will be a link to the support pages. Often there is a choice of method for the second factor, try to avoid SMS as it is a weaker method, but if it is the only method it is more secure than just a password.
7. Use Anti-Virus, update your devices
On your home computer, run Windows update or Apple Mac update and ensure it is running the latest version with all the updates available applied. Install and / or update your Anti-Virus (including using one on your Mac). It’s advisable to purchase the best available from the well-known vendors, Symantec/Sophos/Kaspersky/McAfee/FSecure, etc.
They all come with plenty of features, and will protect your computer and your data much better than the basic free ones. Once you have it installed, run a full scan of your computer to check there are no known viruses on your computer.
You should also update any other applications you have installed e.g. Adobe Reader or Oracle’s Java. When you have a lot of apps this can be cumbersome, but it’s critical that you do. There are tools that help you manage updates and patches, and they’re easy to use.
A useful one is ‘Patch my PC Updater’ and its free for home users. There’s also ‘Ninite updater’ for $9.99 a year.
It’s worth checking your Anti-Virus too as it may have a built-in version.
8. Set up credit monitoring services
This is really important as the attackers may try to steal your ID at some point in the future. You can use Credit Expert, it will alert you immediately there is a change or a search of your credit file, there is a monthly charge for the alerting though. I use Clearscore this is free, but you only get an alert once a month to check your file and review any changes, so a bit more manual, but free none the less.
Preventing it happening again
Along with the password manger and two factor authentication advice above consider installing extra security in your internet browser.
Adverts are annoying, but importantly they are also a common way for malicious software to be installed. One way to avoid them is to install an adblocker in your browser. They’re all free, so there’s no excuse ?:
- Chrome https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom?hl=en-GB
- Edge on Windows 10 https://www.microsoft.com/en-gb/p/adblock/9nblggh4rfhk
- Firefox https://addons.mozilla.org/en-GB/firefox/addon/adblock-for-firefox/?src=search
- Safari https://apps.apple.com/us/app/adblock-for-safari/id1402042596
You could even consider setting up a PiHole on an old Raspberry PI or one of the other supported platforms, although this is slightly more technical in nature. However, once installed correctly you can block ads on your entire network, including your phone and any devices you use.
Ensure you keep your phone up to date as well, using the built-in update feature. Vulnerabilities are discovered in phones as well as computers, and they are fixed by those updates. EVERY update fixes bugs. Even if it looks like it’s just giving you a new ‘dark mode’ or ‘adaptive brightness’, there will also be a ton of behind-the-scenes fixes.
Although the benefits are minimal now with later versions of Android, if you use an Android phone or tablet install Anti-Virus, again from the more well-known brands, you may have the option to install a version that came free with your paid computer Anti-Virus, if so, do that. There is no Anti-Virus on iOS available.
Another really sensible thing to do on your phone is to set a strong passcode, even though you will probably use biometrics to unlock your phone, there is a backup password, this will usually be a 4 or 6 digit PIN.
The benefit of biometrics on your phone is to allow you to set a stronger back up passcode. As you rarely need to enter it gives you the convenience of both having a strong password and not needing to enter it. Change your PIN to a much longer number, or better still an alphanumeric word.
Finally, be aware you will probably have been added to target lists. You are extremely likely to be targeted again, be that through SPAM or phone calls and so you need to adopt different, more secure behaviours.
Be MUCH more challenging and aware. You may get more spam to your email address trying to compromise other accounts, you may get scammers phoning you up, you may get people trying to break into your online accounts.
Some words of comfort: It’s not impossible, but it is extremely unlikely you will have related physical attacks at your home.
Trust, but verify
Take a simple approach, ‘trust, but verify’. For example, if someone rings you saying they are from Microsoft or some other trusted online entity and they have detected a virus on your computer, don’t think “well I was hacked so that’s probably right”.
Your answer should be, “thank you for letting me know I will get my PC seen to by someone local” and hang up. Then verify their claim by asking for assistance from someone local. With phishing emails, instead of clicking the link in the email, open your internet browser and go directly to the website, if it is genuine the site will tell you that you need to do something.
I wish you the very best of luck. The not knowing what has and hasn’t been hacked is one of the hardest parts. Methodologically going through the steps above will enable you to recover and move on.