Hacking has made the news several times in the past few years from the Yahoo attacks, to the hacks of LinkedIn and Equifax to the breach of Target back in 2013.
Hackers, however, are not the biggest threat to your online security. Phishing is.
A new study from Google, in partnership with UC Berkeley, has found that “phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.”
The researchers found 4,069 separate phishing kits — largely out of African and East-Asian countries — and most of them targeted Gmail, Yahoo and Hotmail login pages. The study identified a total of 2,335,289 phishing victims that were Google users. Of that total, 578,434 had valid passwords; a match rate of 24.8 percent.
Overall, researchers identified 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing and 3.3 billion credentials taken in third-party breaches.
Although the study focused on Google’s services, the password stealing tactics employed by attackers pose a risk to all online services that offer user accounts.
In third-party data breaches, 12 percent of the exposed records included a Gmail address, username and a password, although only seven percent of the passwords were actually valid. Phishers and keyloggers often target Google accounts with a 12 to 25 percent success rate.
“Because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity,” Google said in a blog post. “We found 82 percent of blackhat phishing tools and 74 percent of keyloggers attempted to collect a user’s IP address and location, while another 18 percent of tools collected phone numbers and device make and model.”
One of the best ways to protect yourself from attack is by making use of the two-factor authentication Google offers. The tech titan also recommends using Security Checkup to ensure you have recovery information associated with your account, such as a phone number, and permitting Chrome to automatically generate passwords for your accounts that are then saved via Smart Lock.