Your email contains your digital crown jewels, and as such, you need to protect them.
Information about you, what you buy, what you read, the sites you visit (the list could go on and on) flows in and out of your inbox each day.
Now think of all the information you send and receive each day in the hands of a nefarious villain twirling his mustache while spending all your money on ropes to tie innocent women to railroad tracks. All he needed was access to your email to be able to use your credit card information to shop on Amazon.
It’s an uncomfortable, almost-violated feeling. Just ask the more than 1 billion people whose Yahoo accounts were hacked in 2013. Or those Chase customers who received notices of a breach in 2011.
Some of the compromised email accounts are the result of user error. A couple of cybersecurity experts let me in on some bad email habits that leave you more vulnerable to being hacked and having your credit card information stolen.
1. You don’t use multi-factor authentication.
You should be using as strong an authentication process as possible on any account that could be connected to your credit card – but especially on your email, said Michael Kaiser, executive director of the National Cyber Security Alliance.
“If the site allows you to use a multi-factor authentication, that should be something that you use,” Kaiser said. “You should be using it on your email to protect against – if your email got hacked – people going in and resetting those passwords for (credit card and connected) accounts.”
Multi-factor authentication – a several-step process for verifying the identity of the cardholder – should include something you know (like a username and password), something that you have (such as a security token or smartphone) and something that you are (for example, voice-based verification or your fingerprint). That’s according to Ruoting Sun, security product marketing manager with Duo Security, a cybersecurity company that offers a platform for multi-factor authentication programs.
2. You create accounts for a gazillion different websites.
Does that website that sold you the pituitary gland plush really need all your information to have and to hold?
Kaiser said creating accounts that require your email address increases your risk for credit card fraud.
“If you’re going to make a one-time purchase from a website, you can often consider whether you should just open an account there, or whether you should just do checkout as a guest,” Kaiser said.
If you choose to open an account, “then you have another account that you have to maintain, that you have to think about,” Kaiser said.
That rarely used account, which probably has a weaker password for easier recollection, holds your credit card information. And of course, the site is going to send you emails about their stuffed pancreas and eyeball.
3. You click on links in emails from legitimate-looking sources.
Phishing is the easiest way a fraudster can get your username, password and, yes, even your credit card information. Phishing might be one of the oldest tricks in the scammer’s book, but people keep falling for it.
“The rate of success for target phishing attacks is still incredibly high. The numbers are pretty startling,” Sun said.
For example, Duo found that of 60,000 recipients in simulated phishing campaigns, about 26 percent of people clicked the link in the faux phishing emails and 14 percent entered their credentials.
Phishing emails typically look legitimate (as if they are from sites and services you use), and invite you to click on a link. Once users click on that link, they’re asked to put in their username and password, and sometimes their credit card information.
Sometimes just clicking on the link, even if you don’t enter any data, puts all your sensitive information at risk.
“It jeopardizes your device right off the bat because if you click a link and it goes to a site that you don’t really want to be on, malware can get installed on your laptop,” Sun said.
“That can install key logging applications that record every keystroke that you make. If you actually type in your username and password, at that point the attacker already has it.”
So, throw your digital crown jewels in a box, use a multi-factor padlock to be extra careful, and bury that box underground. Because if you keep falling for phishing emails, opening accounts on random websites and signing into your own accounts, including email – all willy-nilly – you could have to rush in and perform some heroics to save your hostage credit cards.