I wish you could have been there. 11:43 a.m. I was refilling my iced tea glass when I received an email notification: “I know your password” (my password was displayed in all caps).
The message said this person had hacked my computer and installed a remote tracking application. If I didn’t pay $2900 in Bitcoin in 24 hours, they would send porn to my contacts.
At first I laughed and then I stared at that password in the subject line. It was an old password, but still...
I called Greg, who is in charge of the computer network for a large company. He told me he hadn’t heard of a Mac being compromised before.
In the meantime, his wife checked the internet. This scam was spreading across the world, and while it had variations (maybe it had taken control of your computer camera, maybe it knew you were on a porn site, maybe it knew your banking information), the subject lines all included a real but old password. Greg said, “Change your passwords now.” I did.
Two days later I received an email from a grocery store: “We’ve noticed suspicious activity on your account. Reset your password by clicking here.” I declined to click but went to the site, logged in, and changed my password; it had been that old one.
On Thursday I received an email, looking every bit like it was from Google, saying my account had had an unsuccessful login attempt from Rio de Janeiro. It told me to click the link to lock down the account and deny access. I declined to click, but all these alerts kept building tension in my life.
How long would this go on, and was any of it real?
On Saturday afternoon came a call: “This is Apple. Your iCloud account has been compromised. Do not use it. Select 2 to be connected to a representative who can help you.”
I did not click but called Apple: “Your account is fine; we see nothing suspicious, and you have two-factor authorization set up anyway. But we have been getting a lot of calls. Just make sure you never get on a call and give them access to your account as a screen share.”
Why am I sharing this story on my retail blog?
What if that had been your employee who received the call and pressed 2 and gave the imposter access to your computer? What if they had innocently clicked a link in an email?
Security is a serious problem for retailers because, without it, customer trust erodes, and customer trust is the foundation of a strong business.
Once customers start to see the repercussions of a hack materialize in their own lives, even if it’s years after the hack went public, they will start to reconsider their relationship with the retailer that made their data vulnerable.
I know how much your customers would hate having their data breached, because it happened to me. And as more stolen user data is melded together, the scammers are bound to fine-tune their approach.
I’m sharing what I have learned in the past week so you can protect yourself. This is not a matter of if it will happen to you, but when.
Here are six ways you can protect yourself and your data:
Change your passwords. Data breaches have happened at Under Armour’s fitness app, Home Depot, Target, Twitter, and a host of other companies over the past ten years. Even if the breach was a while ago, it can take years before your information shows up on shady lists; one of my hacked accounts was from nine years ago.
Find out if your information has been stolen. Go here and enter your email address. You’ll be amazed at what you’ll find. Some lists included stolen email addresses, passwords, usernames, employees, geographic locations, phone numbers, dates of birth, education levels, and more. You can assume this is not all of them.
Install a secure password app on your phone. I chose LastPass, which sends the password to your sites after you log into it securely. It took a bit to set up and understand, but it generates up to a 13-character password and stores it securely.
Install a call-blocker on your smartphone. When they steal your information, it usually includes your phone number too. If you pick up and answer the phone, that tells the scammer they have a live person and, I'm told, will increase your robocalls. I downloaded Hiya on my smartphone and can look up any number not in my contacts.
Turn on two-factor authentication. For sensitive sites like your banking or online stores, enable two-factor authentication, which sends a code by text to your smartphone that you must enter after your password before you can proceed.
Never click a link in an email to go to a site and update your information. Just like with the robocalls, when you click a link or reply, you are telling the scammers there is a real person here, and they’ll sell that to the highest bidder. If in doubt about an email’s authenticity, go to the site independently or call the company’s customer service number. Let your team know as well. (If you personally requested the reset, that's different.)
And if you’re wondering whether a smartphone with facial recognition is worth the extra hundreds of dollars: with facial recognition, you can unlock LastPass by looking at your phone, without having to type in its password.
The fear is someone is out there going after you personally.
The reality is it is most likely software playing the odds.
Don’t get caught.
Take this personal story as a cautionary tale. Guard your customers’ data with the same care and attention you should give your own... because your business depends on it.