
Have you been hacked?

RG2015
RG2015 Posts: 6,054 Forumite
Ninth Anniversary 1,000 Posts Name Dropper Photogenic
edited 27 February 2023 at 12:39PM in Techie Stuff
Following on from another thread.

Has anyone here had their personal files or online banking hacked through a phishing attack, and if so what happened?

I am trying to find out how common this is and if anti virus protection is enough to keep me safe.

Comments

  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Phishing often involves clicking on a link in an email. That takes you to a website where personal details are requested. Antivirus would not protect you.

    If the phishing link causes an executable to be downloaded and run, antivirus might help but only if the signature was in their database.

    The solution is not to click on a link in an email - ever.
  • RG2015
    RG2015 Posts: 6,054 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    edited 25 February 2023 at 4:21PM
    Thanks.

    So up to date anti virus software and not ever clicking on an email link will keep all of my personal data on my hard drive and in the cloud safe. 
  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    Also regularly run an anti-malware application like Malwarebytes to check for other software that may be infecting your device.

    Even with all of those you still need to be aware. It is possible for bookmarks in your browser to be hijacked / changed to take you to fake sites. Equally fake sites with common typos exist to trap people. This is why banking apps on phones are often safer than web browser based sites.

    Using a password manager like Bitwarden is also a good safety strategy. You can use strong complex passwords that you don't need to remember and they will not show as available to those typo or phishing website addresses.

    Also be wary of social engineering and social media as ways to get information from you. Think about the special questions that organisations hold about you. How easily could people find out your mother's maiden name? (They could be friends on Facebook which would allow people to get that info.) You could have strategies to make sure the questions are answered with information only you would know as they are not factually correct.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    RG2015 said:
    Thanks.

    So up to date anti virus software and not ever clicking on an email link will keep all of my personal data on my hard drive and in the cloud safe. 
    It will help hugely but no, it will not keep it 100% safe.
  • born_again
    born_again Posts: 20,493 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    TBH. Only run std Windows Defender. Have not used any other Anti-Virus software for years. But as above do run Malwarebytes on system.

    Nothing will stop phishing for details, other than personally not filling them in. We get them at work sent out by the security team. Failure to act in the correct way leads to a very boring training course & a black mark on your annual assessment.
    Life in the slow lane
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    To add to the above, there is no way to 100% guarantee your data is safe.

    But good practice includes the following:

    Be mindful of any links or attachments, even from known sources.

    Strong unique passwords for each service.
    Password managers make this easy; trying this without one is impossible for most people.
    Password managers also help reduce risk of phishing, as they won't auto-suggest/fill similarly named sites.

    Take care using known or obvious information for security questions, as these become the weak link, and can potentially bypass other good practice.

    2FA enabled where possible, and ideally not SMS based, albeit that is still much better than no 2FA.

    Use up-to-date AV software (Windows Defender is fine).

    Use only up-to-date operating systems and software (e.g. browsers, office suites and PDF readers) that are still receiving security updates.
    Out-of-date software or mobile devices can potentially be compromised with little or no interaction by you (e.g. just visiting a compromised website, and this has happened to some mainstream websites in the past via compromised advert providers).


    Even with all the above, there are still zero-day exploits, that are not found by AV software, and not yet patched by affected software.
    However the vast majority of compromised systems are caused by:
    Weak or reused passwords and/or no 2FA
    User action (e.g. clicking links and ignoring warnings)
    Known exploits in out of date software 
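
Added example, not part of any post in this thread: a sketch of why a password manager offers no saved login on a typo or lookalike address, as 400ixl and k_man describe above. It assumes exact-origin matching (real managers vary in their matching rule), and the vault entry and every hostname are constructed samples under the reserved `.example` TLD.

```javascript
// Constructed vault with one saved login; `origin` is where it was saved.
const vault = [
  { name: "My Bank", origin: "https://login.mybank.example", username: "rg" },
];

// Reduce a URL to its origin (scheme + host + port); null if it cannot be parsed.
function originOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return { scheme: u.protocol, origin: u.origin };
  } catch {
    return null;
  }
}

// Return the saved entries that may be offered on the page being visited.
// Nothing is offered over plain http or when the origin differs in any way.
function entriesFor(pageUrl, entries = vault) {
  const page = originOf(pageUrl);
  if (!page || page.scheme !== "https:") return [];
  return entries.filter((e) => {
    const saved = originOf(e.origin);
    return saved !== null && saved.origin === page.origin;
  });
}

// Constructed page addresses: the real site followed by common lookalikes.
const samples = [
  "https://login.mybank.example/signin",               // the saved site
  "https://login.mybnak.example/signin",               // typo domain
  "https://login.mybank.example.phish.example/signin", // real name used as a subdomain
  "https://login.mybank.example@phish.example/signin", // real name in the userinfo part
  "https://login.myb\u0430nk.example/signin",          // Cyrillic "a" homograph
  "http://login.mybank.example/signin",                // unencrypted downgrade
];

// Pair each address with whether a saved login would be offered there.
function report() {
  return samples.map((url) => [url, entriesFor(url).length > 0]);
}

for (const [url, offered] of report()) {
  console.log(offered ? "OFFER " : "REFUSE", url);
}
```

A person reading the address bar can miss a swapped letter or a lookalike character; the comparison above is on the parsed origin, so only the first address is offered the saved login.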





  • born_again
    born_again Posts: 20,493 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    Also do not forget the biggest area of compromised & hacked data is from retailers & other websites where data is stored.
    Life in the slow lane
  • RG2015
    RG2015 Posts: 6,054 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    Many thanks for the helpful advice.

    I fear that when I said phishing I was thinking of key logging or some similar nefarious attacking method. Also, I fear my advanced years may be making me absent minded.

    I hear so much about security and in particular not storing sensitive data on Word or Excel, even if password protected.

    To be honest, I do not understand the risk which sounds like scaremongering, and really wanted to know if anyone here had been hacked in any way.

    My sensitive files are password protected, I use anti virus software and Malwarebytes and never click on email links.

    Do I really need a password manager as well as this seems a bit like overkill?
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 25 February 2023 at 5:14PM
    What format are your password protected files (e.g. latest Word)?

    Do these contain all your passwords?

    How do you generate strong and unique passwords (password managers do this too)?

    ETA: while the risks may be low, the potential impact is very large, and mitigating actions are easy.
  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    Ideally you will use a unique email address for every site and a unique complex password for each site as well.

    You would need a password manager to achieve this as the normal human could not remember the passwords without writing them down.

    Passwords would be complex such as ^wXFm#G8*eYtpUJa2hus and 4S&e%kEa$R$tTW!xH^7h

    Try remembering 50+ of those and which website they belong to. 