First off, I probably wouldn’t pose as a Nigerian Prince, despite the fact that it has an incredibly high chance of success when marketed correctly.

But I would start with a phishing email.

What’s phishing? It’s an email scam that works by getting the recipient to click on a link or view an attachment. The link will either download some malicious software (malware) or try to trick you into giving up your username and password for a particular service. The latter is so powerful because so many people re-use their passwords across multiple sites. That’s the reason why Disney+ was “hacked” on the day it launched.

Here’s a screenshot of a Netflix phishing email:

[Image: Netflix phishing example]

Why would this work? Well, people love Netflix and don’t want to lose access to their accounts. The people who would fall for this email are those who have a credit card nearing its expiry date or who have had some sort of recent payment problem (i.e. credit card is maxed out).

So this type of phishing attack might look like I’d be after your credit card information – but I’m not, I’m after your username and password.

What’s the value in having someone’s Netflix account details?

Because people are lazy. As I mentioned above, the Disney+ hack wasn’t really a hack. The bad guys merely tried “account stuffing”, feeding already lost credentials into Disney+. Every account that worked they then sold on the black market (dark web) so people could use the accounts at a discounted rate.

Here’s a fake Netflix logon page.

It looks very similar to the real Netflix logon page, but check out the URL: login.netflix-activate.com/Files/Login.php. That doesn’t look right.
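The check a reader does by eye on that URL can be automated in a mail or link filter. The following is an added example, not part of the original article; the `TRUSTED` table, the `classify` and `audit` names and every sample link except the first are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the domains the brand really signs users in on.
TRUSTED = {"netflix": ("netflix.com",)}

def classify(link: str, brand: str = "netflix") -> str:
    """Return 'trusted', 'lookalike' (brand name outside its domain) or 'unrelated'."""
    # Links in mail bodies, like the one quoted above, often omit the scheme.
    if not re.match(r"[a-z][a-z0-9+.-]*://", link, re.I):
        link = "http://" + link
    parts = urlsplit(link)
    # .hostname strips userinfo and port and lower-cases; also drop a trailing dot.
    host = (parts.hostname or "").rstrip(".")
    for domain in TRUSTED[brand]:
        # Compare on a label boundary so 'evilnetflix.com' cannot pass as 'netflix.com'.
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # The brand anywhere in the authority (host or userinfo) of a non-trusted
    # link is the pattern the fake logon page relies on.
    if brand in parts.netloc.lower():
        return "lookalike"
    return "unrelated"

# Constructed sample links; only the first one comes from the page.
SAMPLES = [
    "login.netflix-activate.com/Files/Login.php",
    "https://www.netflix.com/login",
    "https://netflix.com@account-check.example/login",
    "https://netflix.com.billing.example/update",
    "https://example.org/news",
]

def audit(links):
    """Map each link to its verdict."""
    return {link: classify(link) for link in links}

if __name__ == "__main__":
    for link, verdict in audit(SAMPLES).items():
        print(f"{verdict:10} {link}")
```

The hostname is read from the right: only a host that is `netflix.com` itself or ends in `.netflix.com` is treated as trusted, no matter where the brand name appears to the left.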

Success! I have your Netflix details

Thanks for handing those over. Now what?

I’m going to stuff your credentials into as many sites as possible. I might get access to your Amazon account, eBay and perhaps your email account. Your email account is the crown jewel in all of this. Why? Because even if you’ve used a different password for some of your online accounts, I can just use the “Forgot Password” link to give me access to any other account.

The infographic below shows how accounts are hacked by just taking previously hacked databases and stuffing the credentials into other services.

[Image: credential abuse and account stuffing infographic]

I’m in! What will I do first?

Well, if I have access to your email account, what can’t I do?

The easy money is in bank accounts and systems like PayPal, so I’d look to withdraw as much cash into my secret bank accounts as possible. I’d send out emails to all of your contacts saying that you’d fallen on hard times and asking them to send through some money to your PayPal account. The email would be coming from your legitimate email address, so there’s a chance some less savvy recipients would transfer some money. I’d then post something similar via your social media accounts.

I’d then look for more universal items like rewards points and vouchers and trade them in for untraceable gift cards.

Next I’d move on to identity fraud, so I’d need to look through all of your data for your personal details and start applying for credit. At some online institutions I need your last two payslips and some identification documents and I’m on my way to getting a credit card or loan.

All I really need is your date of birth and home address in order to call your bank. I can then reset PINs or set up different sub-accounts as I please.

[Image: identity theft infographic]

Wait – what if banks have updated their security questions to include vague stuff like “what was your first car?” or “what was your pet’s name?” Easy, you’ve already given that information up.

You get the picture and it’s not pretty.

What makes things worse is that it’s the old and young who are the real targets here.

How to protect yourself against Identity Theft

  • Don’t hand over Personally Identifiable Information (PII) just because someone asks for it. Online accounts sometimes request your date of birth to verify you’re old enough to use the service – but do they verify that you’re telling the truth or not? Make up a birthday when signing up for things online!
  • Pay attention to billing cycles so that you know when to expect a bill.
  • Use multi-factor authentication to better secure your online accounts.
  • Use a unique password per account.
  • Always review your credit card statements for fraudulent activity.

What about help for your business?

Managed IT Services for business is the key to getting on top of your Cybersecurity concerns. MSPs are highly experienced operators who have many people with specialised skills to help deal with Cybersecurity threats such as those mentioned in this article. You should feel at ease with the right IT Company that can design a technology strategy to match your business strategy.