Published: May 24, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
Before blaming your password manager for getting hacked, there are some things you should know. Cybercriminals “spoof” password manager websites that trick you into giving up the master password. When that happens, scammers get unfettered access to stored passwords and the accounts they protect. So, before you fire your password manager, learn how easy it is to fall for a spoofed site and how to help keep it from happening to begin with.
Using a password manager isn’t for everyone. Some users love having strong, unique account passwords created and stored for them. Others feel keeping passwords in one place could be big trouble, if it gets hacked. It’s up to users to decide which path they’re most comfortable with.
Website spoofs aren’t new, and that’s one reason they work so well. Given time, cybercriminals improve what works for them. And when graphics and content exactly mirror a legitimate site, it’s virtually impossible to tell a spoof from the original. That is, unless you know what to look for…
Keeping it Real
Clues pointing to a spoofed site are few and close attention to detail is required. Hackers use subtle changes to a URL spelling, hoping users won’t notice and they’re usually right. The sneaky, fake URL goes to a spoofed password manager login page. The page looks identical to the legitimate one and once you enter the master password, the hacker has access to every secret it holds.
To help avoid URL spoofs, carefully check the URL spelling. Type it in yourself whenever possible and don’t follow links – hackers spoof them too. Changing just one character in the URL or manipulating it in a subtle way takes you to the spoofed website. Consider bookmarking the legitimate site for easy access.
Other basic security steps help reduce getting spoofed. Regularly changing passwords helps keep online accounts safer, and never reuse passwords for other accounts. If MFA (multi-factor authentication) is available, use it. MFA adds layers of identity verification keeping anyone who’s not you from accessing your accounts. Make each password strong, which means including a difficult-to-decipher combo of letters, numbers, and special characters.
For now, it seems spoofed websites are here to stay, and the best answer to a landing on the legitimate password manager website is you. Now you know the signs of a spoofed site and the steps to help keep it real. So, remember to use them, you’ll be glad you did!
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org