Have you ever tried to phish yourself? It’s an odd question, right? There is a benefit to trying it though. By now, you have likely read our blogs on Security and how to stay safe online. You are likely using a password manager with MFA enabled. If you are not using a password manager, strongly consider using one. There are a plethora of password managers out there, some of which are even free for basic users. By using a password manager, you will not have to remember your login and password for all websites, with the added benefit of preventing password reuse.
However, think for a minute as an attacker. If an attacker wants to get into your accounts, how would they go about doing so without potentially knowing your username and password for those accounts? There is that pesky little ‘Forgot Password’ link on nearly every website which may be an entryway into your account(s). Even though YOU know your username and password, an attacker may not and that is a good starting point.
Consider this scenario: As an attacker, I want access into your bank account. There is even a likely chance that you follow your bank on social media or you have corresponded with your bank via email previously (digital bank statements as an example). But your social media profile is locked down to only trusted friends, so you are safe, right? Not necessarily. You are only as safe as your most insecure friend’s credentials. If your friend gets compromised, the attacker can see all your posts, followers, etc., and can likely gain some foothold into the services you use. That is what reconnaissance is all about and one of the first phases of hacking (ethically of course!).
If an attacker can get access to your email, they essentially have the keys to the kingdom. How many of us delete emails in the Sent folder? Sure, Inbox Zero is great but in this digital age where storage is cheap and you “may” need that email from 5 years ago that you archived, but we often overlook specific email folders. Even then, let us assume that as an attacker, I cannot obtain access to your inbox. What if I went to your bank’s website directly and attempted a Forgot Username or Forgot Password? How far could I get?
This is where you, as a digital expert in online security come in! If you were the attacker and clicked the ‘Forgot Username’ link on the website, what information is required? Is it just an email address, phone, or some other security questions that likely everyone knows? Fluffy always was my favorite cat, by the way. Try it out yourself and see how far you can get with information that may be public knowledge or even easily guessed.
You may say, ‘But I have MFA enabled on the website, so I am safer, right?’ The answer is yes and no. If the website allows an end-user to reset their username or password as a fail-safe through SMS even with MFA enabled, you are still susceptible to SIM swapping at your wireless carrier. If you can put a PIN on your wireless carrier account to prevent this, do so immediately. It’s not foolproof but it helps.
Remember, everything you do online leaves a digital breadcrumb that if someone wanted to follow and use that against you in this case, it is possible. Staying secure online sometimes requires thinking like the adversary and trying to compromise yourself with the knowledge, or lack thereof, that you may be able to find out through various means.