Sluts for Security: Phishing 101

Hacking isn't really a thing most people encounter in their everyday lives. The popular image of someone in a black hoodie bypassing secure systems with a savant level of programming knowledge while 1s and 0s fall from the sky like digital rain is bullshit.

That person does exist, but they're rare and have better things to do than compromise your online accounts. They're likely doing some unholy, unclassified and unconstitutional work with or against three-letter spy agencies that'll absolutely send them to hell one day.

The vastly less impressive reality is that most "hacks" are boring account compromises. Clicking a link in a fake email impersonating a site, which takes you to a fake copy of the website where you enter your real password. Replying to an SMS asking for a multi-factor authentication code. Installing an app pretending to be something it isn't and using the same password there as you use for your email. Mundane, run-of-the-mill stuff.

The use of lies and deceit to convince people to hand over their password is referred to in the tech industry as phishing, and it is by far the most common threat to your online security - not a genius hacker, not a compromised website, not a faulty app - just an opportunistic scammer.

What's The Point of Phishing?

A large portion of phishing attempts originate from low income countries where a few US dollars for days of work is worth it. The barrier to entry is low, with only a basic knowledge of computer security required. There are even kits available that make running a phishing campaign more like baking a cake than operating a master criminal enterprise.

Scammers (a more appropriate name for these types of people than hackers) metaphorically throw millions of fishing lines out into the big ocean that is the internet and if 0.001% of their attempts succeed, they've had a good day. That's how low the stakes are. It's a numbers game. Nothing personal. They don't know you and don't care about you.

Their aim is usually one of the following:

Ransomware - get you to install nefarious software on your device that encrypts all your data, rendering it unusable unless you give them cryptocurrency in return for a code to unlock everything.

Malware - trick you to install software that can remotely control your device without your knowledge and enlist it in bot armies to facilitate annoying stuff like denial of service attacks, credit card scams, ad click fraud and fake reviews.

Social media & online advert accounts - collect a large number of legit accounts that are sold in bulk and then used to like, share and follow other accounts and their content to boost clout online. Sex workers' ad listings are popular because they can be taken over and potential clients scammed for deposits, netting the scammer money while the reputation of the sex worker is ruined.

Internet banking/credit card details - if you hand over your internet banking details to someone, they can theoretically drain your account of funds by transferring it away. Same with credit cards and cryptocurrency wallets.

Email accounts - lurking in someone's inbox is a great way to stage further attempts to steal social media accounts, obtain financial information, reset passwords or even impersonate you to others. Think of it like a master key to your entire online presence. Make sure your email has a strong password and multifactor authentication enabled.

Most of the time, phishing is purely random and done to make a quick buck. Occasionally it's on purpose. It might be a personal vendetta by a jealous friend or might be because you're a juicy target that has something someone wants. This is called "spear phishing", as instead of popping a line in the ocean and seeing what nibbles at the digital lure, the scammer tries to bait a specific fish.

How Do People Get Phished?

There are so many ways to get phished, you won't believe all the ways people inadvertently hand over access to their accounts. There are new methods popping up all the time, but here are the most common ones so you don't get caught by them.

Fake emails - it's easy to send an email that at first glance looks like it's from someone else, but instead of a link to "fix an account issue", the link takes you to a fake website or downloads malware. It may even have malware attached that's disguised as an image or PDF. Email is by far the most common way to get someone's attention and get them to click a malicious link, especially if they make you think it is a time sensitive “fix”.

Fake websites - scammers set up full websites impersonating a popular site (e.g. a social media platform or a bank) hoping people log in to their fake site with their real passwords, which they then use on the real site to steal the account. You can be lured in via a phone call, an SMS, a social media DM or an email.

Fake/misleading apps - these are apps set up for something harmless (making memes, collections of wallpapers, discounts) but in the background they ask for permission to access your accounts or list of contacts, or even ask you to enter passwords directly into the app. Android users are particularly at risk if they're asked to enable "unknown sources" in their device settings and then directed to download an app from a website instead of the Google Play store.

Fake receipts - a new email arrives in your inbox saying thanks for purchasing a $200/month subscription to something you did not purchase, so you contact the company in a panic via the details in the receipt to cancel it, only to have that link take you to a fake website asking for your password. So sneaky.

Fake invoices - if a scammer has access to your email account, they can intercept legitimate invoices you've been expecting before you see them, replace them with the same invoice but with their own bank details, and send that to you. They can also send invoices from you to your customers, with the bank details replaced with theirs.

Link manipulation - domain names (the web addresses themselves, like google.com, microsoft.com, etc.) are easy to register in bulk and relatively cheap. There's no need to verify your identity to buy one, so people just make a bunch of them up, put fake websites behind them and try to pretend they're legit.

SMS/iMessage/DM phishing - very similar to fake emails, but sent via instant messages, SMS or direct messages on social media. The goal is the same: get you to click a link that takes you to a fake website, download a fake app, or install malware on your device. Often the attempts try to impersonate a familiar business, friends or the support team from a service you rely on.

Voice phishing - replace the fake email with a phone call and that's "voice phishing". They'll call you, or get you to call them (usually via an email or a social media DM), and try to get you to either hand over your password directly or install an app like TeamViewer so they can control your device and plant their malware, which lets them get back in later without your input.

Impersonation - could be someone pretending to be your bank, cryptocurrency exchange, another social media company, the support team from an online service you use or even a friend asking for something that results in you visiting a fake website, installing a fake app or similar.

It's important to note that someone simply guessing your password isn't a hack, nor is it a phishing attempt. Nor is a website that has been compromised ("hacked") a phishing attempt.

There are people operating bots that simply try every password variation they can think of, and if you have a bad password (dictionary words, short, used on a different service), they succeed. It's not a flaw in the site itself and it's also not a hack.

The best defence against this type of attack is a good password, and the best time to set one is now. You can test passwords with Have I Been Pwned. It collects leaked passwords from previous hacks that are now used by automated guessing bots. If your password is on that list, it's toast and time for a new one.

The Adult Industry Is Particularly At Risk

To add an extra layer of gross to this already very thick shit sandwich, scammers have additional methods of targeting sex workers and users of adult platforms.

Sextortion - phishing attempts sent via a variety of different ways (email, DM, phone calls, SMS, etc.) to you or your customers, but with the threat that the scammer will reveal your identity or the identity of customers. It usually involves making a payment via cryptocurrency, or having to click a link on a website to "remove" the offending content that actually installs malware.

Impersonation - one of the most common phishing attempts for sex workers is a scammer trying to get access to their online advertisements. They'll impersonate support teams, usually with an urgent request to fix an account issue or be removed from the site, with a link to their fake website that skims a password. Once they have access they'll change the deposit and contact details to theirs and collect deposits from clients straight to their bank account.

Spear phishing - unlike most phishing attempts, which don't aim at anyone in particular, sex workers are singled out as specific targets. The general phishing techniques above can be tailored to an individual sex worker, which makes them harder to detect than the usual attempts.

Unfortunately, as long as there's a degree of social shame and stigma around sex and sex work, these methods will be used to take advantage of innocent people, who will remain a soft target for scammers. Like most things in this line of work, extra vigilance is required, and it's all the more reason to support the decriminalisation of sex work.

Tips For Avoiding A Phishing Attack

Most phishing methods seem really easy to avoid, but unfortunately many people become victims. It's why scammers keep on doing it! There is absolutely no shame in getting phished, even cybersecurity "experts" are regularly fooled. Hang around on the internet often enough and it's a matter of when, not if, a phishing attempt succeeds.

While there's no silver bullet to avoid getting phished, there are some techniques to spot attempts and things you can do to limit the damage should a phishing attempt be successful.

Poor Grammar/Spelling - if you're normally using a service that communicates with you in English, an obvious giveaway that a message isn't authentic is that it sounds like a non-native English speaker wrote it, or contains typos and incorrect punctuation. Even more so if there's just a bunch of random letters and numbers, or if it's not even in English at all. God help us if scammers ever learn to write properly.

Weird URLs - twirter.com, office365.ru, amazzon.co, payap1.com and so on. If there's a typo, an unusual amount of odd characters, or numbers replacing letters, chances are it's fake.

Crappy design - missing images, text in a bizarre font, photos in the wrong aspect ratio, old company logos or page designs and low resolution/fuzzy images are all signs that the site or app you're using is less than reputable.

Unusual errors - tried to log in, but got redirected to a home page instead? Not all the links on a site work like they should? That might be a red flag, and worth checking whether you've been using a fake website (check the URL; are other parts of the site weird?).

Verify payment details - when sending money to someone (particularly for large sums of money), try to get the payment details independently from the invoice itself, like from the business's website or calling their public phone number to verify. If it is an individual, contact them to confirm the details.

Check for suspicious links - hover the mouse cursor over links in emails so a small pop-up appears above the link to show you the actual destination of the link. If the text of the link and its real destination don't match, it is a strong sign someone is trying to trick you.
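The two checks above (odd-looking domains, and links whose text doesn't match where they really go) can be automated. This is an added example, not code from the original post: a small Python script that takes a constructed HTML email body, compares each link's visible text against its real destination, and flags hosts that are a typo or digit swap away from a short, assumed allow-list of sites you actually use.

```python
import re
from urllib.parse import urlparse
# Constructed allow-list of sites the reader actually uses (assumption, not from the post).
KNOWN_DOMAINS = ["google.com", "twitter.com", "amazon.com", "paypal.com", "office365.com"]
# Characters scammers swap in for letters, as in g00gle.com or payap1.com.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)  # fine for email bodies

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels, e.g. mail.google.com -> google.com (assumes no co.uk-style endings)."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(host):
    """Return the known domain this host imitates, or None if it is exactly known or unrelated."""
    dom = registrable(host)
    if dom in KNOWN_DOMAINS or "." not in dom:
        return None
    name = dom.rsplit(".", 1)[0]
    for known in KNOWN_DOMAINS:
        kname = known.rsplit(".", 1)[0]
        # Same brand with the wrong ending (office365.ru), or a typo/digit swap within two edits.
        if any(c == kname or edit_distance(c, kname) <= 2 for c in (name, name.translate(LOOKALIKE))):
            return known
    return None

def audit_links(html):
    """Return (text, href, reason) for each link whose real destination deserves a second look."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text.lower())        # a domain the visible text claims to be
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append((text, href, "text says %s but link goes to %s" % (shown.group(0), host)))
        elif lookalike_of(host):
            findings.append((text, href, "%s looks like %s" % (host, lookalike_of(host))))
    return findings

# Constructed phishing email body (not a real message) for the demonstration.
SAMPLE_EMAIL = """<p>Your account is locked. <a href="http://payap1.com/login">Log in at paypal.com</a>
or <a href="https://office365.ru/reset">reset your password</a>. <a href="https://mail.google.com/">Email us</a>.</p>"""
```

Running `audit_links(SAMPLE_EMAIL)` flags the first two links and leaves the real Google link alone; the edit-distance threshold is deliberately loose, so treat a hit as "look closer", not proof.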

Urgency - got an email, SMS, DM or phone call stressing how quick you need to act or your account will be closed, terminated, locked, burnt to a crisp or nuked from orbit? That's a classic scammer tactic to get you to do something without thinking of the consequences or questioning the situation.

DNS protection - the computers that tell your computer what google.com means (DNS resolvers) can offer protection against some phishing attempts. They maintain lists of known bad domain names (e.g. that g00gle.com isn't google.com) and if you happen to end up on one of these sites, will give you a big ol' warning to get the fuck out before you do something stupid. NextDNS (which can also block ads) or Quad9 are good options.

Use a password manager - unique and strong passwords limit the fallout of getting phished and are just a good idea in the first place. Using a password manager like 1Password or Bitwarden makes handling all those long and strong passwords a piece of cake. Password managers can also bring up an alert if you're about to enter a password on a website with a different URL than usual, which is a handy tell that you're on a fake site.

Enable MFA - as explained in a previous blog post, turning on multifactor authentication is one of the easiest and lowest effort methods of making sure your account isn't taken over if someone does happen to carry out a successful phishing attempt or guess your password. I cannot stress enough how important it is to enable MFA everywhere and even more so on your email account, as email is the easiest way for someone to get access to all your other accounts.

Install an ad blocker - online advertisements are a big source of malicious links to phishing sites. By blocking all advertising you not only get a slight reprieve from the incessant capitalist machine, you also lower your risk of clicking an ad run by a scammer that takes over your computer. uBlock Origin, AdGuard and Wipr are popular.

Healthy Scepticism - with all of the above in mind, take every piece of communication you get from a business hosting any of your online accounts with scepticism. Before doing what the message is asking you to do, go over it closely and look for any of the signs it could be a phishing attempt. There's usually a sign something's not quite right.

Be Proactive & Reach Out - feel free to forward any weird emails, unusual SMSs, social media interactions or phone calls that seem odd to the support team of the service in question. A quick message asking "Hey, does this look legit to you? I'm not sure!" goes a long way to provide peace of mind and gives the support team a heads up that someone is pretending to be them. Often it even gives them enough information to take action against the scammers and minimise their reach to others!

Enable MFA Now <3

Phishing is so common and becoming so difficult to detect that the best way to protect yourself against it is to enable multi-factor authentication (aka MFA) everywhere. Below is a list of links explaining how to enable MFA for popular online services.