One of the primary ways that identity thieves steal from your online accounts, such as your online banking, is by luring you with phishing emails or more targeted spear phishing emails. These emails either get you to click on links that download keystroke logging malware that will search your computer for the passwords to your accounts, or prompt you to click on a link that takes you to a phony but legitimate-looking website that appears to be that of your bank or some other company where you have an account, where you are instructed to insert your password. Mere passwords have not proven to be a particularly secure method of authentication. Many people use simple-to-guess passwords, and even what may appear to be complex passwords can often be identified by sophisticated hackers using password cracking software. Regardless of how strong your password is, however, if you provide it to an identity thief, the criminal will be able to access your account.

It is for this reason that many companies require dual factor authentication, by which, when your password is used to access your account, a special code is sent to your smartphone by text message that must be used in order to complete access to the account. This provides dramatically enhanced security. While this may seem to be inconvenient, some dual factor authentication protocols do not require it to be used when you are accessing your account from the computer or smartphone that you usually use, but only require its use if the request to access the account comes from a different device.

Now, however, reports are surfacing of a scam where you are tricked into going to a phony website and inserting your password. The identity thief then uses your password to attempt to log in to your account, which prompts your company to send you the special one-time code, which the phony website asks you to provide. If you provide this code to the identity thief through the phony website, you will have given the identity thief access to your account.


Passwords are just too vulnerable to be the sole method of authentication for important apps or accounts. Whenever you are able to use dual factor authentication for a particular website, account or app, you should do so. However, you should recognize the vulnerability of even dual factor authentication. If your dual factor authentication only sends a code when access is being attempted from a device that is not your usual phone or computer, it is a red flag if you are sent a one-time code when you are accessing your account from your own phone or computer. This is an indication that the website you are on is a phony one and that someone is using the information you provide to access your account from another computer or phone. As always, remember my motto: trust me, you can’t trust anyone. Don’t click on links unless you are absolutely sure the email or text is legitimate, and don’t provide passwords in response to emails that may direct you to sign-in pages. If there appears to be some sort of emergency to which you must respond, you should either contact the company by phone directly or go to the website of the real company at an address that you know is correct.
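The red-flag rule above, modeled from the company's side as an added example (not code from this blog or from any real bank): it shows that a code is only texted when the login request reaches the company from an unrecognized device, so a code that arrives while you sit at your usual device means the request came from somewhere else. The `Bank` class, the `code_is_red_flag` helper, the account name and the device names are all hypothetical, and real services recognize devices in more involved ways.

```python
import secrets


class Bank:
    """Toy model of device-conditional dual factor login (constructed)."""

    def __init__(self):
        self.passwords = {}      # account -> password (plaintext only in this toy)
        self.usual_devices = {}  # account -> set of recognized device ids
        self.pending = {}        # account -> (code, device that triggered it)
        self.sms_outbox = []     # (account, code) pairs "texted" to the owner

    def enroll(self, account, password, device):
        self.passwords[account] = password
        self.usual_devices[account] = {device}

    def login(self, account, password, device):
        """Return 'denied', 'granted' or 'code_sent'."""
        if not secrets.compare_digest(self.passwords.get(account, ""), password):
            return "denied"
        if device in self.usual_devices[account]:
            return "granted"  # usual device: no code is required
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = (code, device)
        self.sms_outbox.append((account, code))
        return "code_sent"

    def submit_code(self, account, code, device):
        """A correct code opens the session on the device that triggered it."""
        expected = self.pending.pop(account, None)  # each code is single use
        if expected is None:
            return "denied"
        ok = secrets.compare_digest(expected[0], code) and expected[1] == device
        return "granted" if ok else "denied"


def code_is_red_flag(bank, account, device_in_hand):
    """True if a code was texted although the user is on a usual device."""
    got_code = any(acct == account for acct, _ in bank.sms_outbox)
    return got_code and device_in_hand in bank.usual_devices[account]


if __name__ == "__main__":
    bank = Bank()
    bank.enroll("alice", "correct horse", "alice-laptop")  # constructed sample
    print(bank.login("alice", "correct horse", "alice-laptop"))  # usual device
    print(bank.login("alice", "correct horse", "other-device"))  # unrecognized
    print(code_is_red_flag(bank, "alice", "alice-laptop"))
```

The `submit_code` method also shows why handing the code over is decisive: the session is opened for the device that caused the code to be sent, not for the phone that received the text.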
