Ways to Tell if a Website Is Fake

Unfortunately in today’s world, scammers are coming at us from all angles to trick us to get us to part with our hard-earned money. We all need to be vigilant in protecting ourselves online. If you aren’t paying attention, even if you know what to look for, they can get you. There are numerous ways to detect fake sites or emails, phishing, and other scams.

Before we delve into the signs of fake websites, we will first take a closer look at the common types of scam that use websites, what happens when you accidentally access a fake website, and what you can do in case you unknowingly purchased items from it.

What are fake or scam websites?

Fake or scam websites are fraudulent sites that look legitimate while secretly attempting to steal your personal information, money, or account access.

These deceptive platforms masquerade as trustworthy businesses or organizations, sending urgent messages such as popular shopping websites offering fantastic limited-time deals, banking websites requesting immediate account verification, government portals claiming you owe taxes or are eligible for refunds, and shipping companies asking for delivery fees.

The urgency aims to trick you into logging in and sharing sensitive details—credit card numbers, Social Security information, login credentials, and personal data. Once you submit your data, the scammers will steal your identity, drain your accounts, or sell your details to other criminals on the dark web.

These scam websites have become increasingly prevalent because they’re relatively inexpensive to create and can reach millions of potential victims quickly through email and text campaigns, social media ads, and search engine manipulation.

Cybersecurity researchers and consumer protection agencies discover these fraudulent sites through various methods, including monitoring suspicious domain registrations, analyzing reported phishing attempts, and tracking unusual web traffic patterns. According to the FBI’s Internet Crime Complaint Center, losses from cyber-enabled fraud amounted to $13.7 billion, with fake websites representing a significant portion of these losses.

Consequences of visiting a fake website

Visiting a fake website, accidentally or intentionally, can expose you to several serious security risks that can impact your digital life and financial well-being:

• Credential theft: Scammers can capture your login information through fake login pages that look identical to legitimate sites. Once they have your username and password, they can access your real accounts and steal personal information or money.
• Credit card fraud: When you enter your bank or credit card details on fraudulent shopping or fake service portals, scammers can use your payment information for unauthorized purchases or sell these to other criminals on the dark web.
• Malware infection: Malicious downloads, infected ads, or drive-by downloads may happen automatically when you visit certain fake sites. These, in turn, can steal personal files, monitor your activity, or give criminals remote access to your device.
• Identity theft: Fake sites can collect personal information like Social Security numbers, addresses, or birthdates through fraudulent forms or surveys.
• Account takeovers: Criminals can use stolen credentials to access your email, banking, or social media accounts, potentially locking you out and using your accounts for further scams.

Common types of scam websites

Scammers use different tricks to make fake websites look real, but most of them fall into familiar patterns. Knowing the main types of scam sites helps you recognize danger faster. This section lists the most common categories of scam websites, how they work, and the red flags that give them away before they can steal your information or money.

• Fake shopping stores: These fraudulent e-commerce sites steal your money and personal information without delivering products. They offer unrealistic discounts (70%+ off), have no customer service contact information, or accept payments only through wire transfers or gift cards. These sites often use stolen product images and fake customer reviews to appear legitimate.
• Phishing login pages: These sites mimic legitimate services such as banks, email providers, or social media platforms to harvest your credentials. Their URLs that don’t match the official domain, such as “bankofamerica-security.com” instead of “bankofamerica.com” Their urgent messages claim your account will be suspended unless you log in immediately.
• Tech support scam sites: These fake websites claim to detect computer problems and offer remote assistance for a fee. They begin with a pop-up ad with a loud alarm to warn you about viruses, provide you with phone numbers to call “immediately,” or request remote desktop access from unsolicited contacts.
• Investment and crypto sites: These sites guarantee incredible returns on cryptocurrency or investment opportunities, feature fake celebrity endorsements, or pressure you to invest quickly before a “limited-time opportunity” expires.
• Giveaway and lottery pages: You receive notifications with a link to a page that claims you’ve won prizes In contests you never entered, but require upfront fees or personal information to receive them. They will request bank account details to “process your winnings” or upfront processing fees.
• Shipping and parcel update portals: These usually come in the form of tracking pages that mimic delivery services such as USPS, UPS, or FedEx to steal personal information or payment details. The pages ask for immediate payment to release and deliver the packages, or for login credentials to accounts you don’t have with that carrier.
• Malware download pages: These ill-intentioned sites offer “free” but uncertified software, games, or media files that contain harmful code to infect your device once you click on the prominent “Download” button.
• Advance fee and loan scams: These sites guarantee approved loans or financial services regardless of your credit score. But first you will have to post an upfront payment or processing fees before any actual assistance is rendered.

Understanding these common scam types helps you recognize fake sites before they can steal your information or money. When in doubt, verify legitimacy by visiting official websites directly through bookmarks or search engines rather than clicking suspicious links.

For the latest warnings and protection guidance, check resources from the Federal Trade Commission and the FBI’s Internet Crime Complaint Center.

Recognize a fake site

You can protect yourself by learning to recognize the warning signs of fake sites. By understanding what these scams look like and how they operate, you’ll be better equipped to shop, bank, and browse online with confidence. Remember, legitimate companies will never pressure you to provide sensitive information through unsolicited emails or urgent pop-up messages.

1. Mismatched domain name and brand: The website URL doesn’t match the company name they claim to represent, like “amazoon-deals.com” instead of “amazon.com.” Scammers use similar-looking domains to trick you into thinking you’re on a legitimate site.
2. Spelling mistakes and poor grammar: Legitimate businesses invest in professionally created content to ensure clean and error-free writing or graphics. If you are on a site with multiple typos, awkward phrasing, or grammatical errors, these indicate that it was hastily created and not thoroughly reviewed like authentic websites.
3. Missing or invalid security certificate: The site lacks “https://” in the URL or shows security warnings in your browser. Without proper encryption, any information you enter can be intercepted by criminals.
4. Fantastic deals: Look out for prices that are dramatically low—like designer items at 90% off or electronics at impossibly low costs. Scammers use unrealistic bargains to lure victims into providing payment information.
5. High-pressure countdown timers: The site displays urgent messages such as “Only 2 left!” or countdown clocks with limited-time offers that reset when you refresh the page. These fake urgency tactics push you to make hasty decisions without proper research.
6. No physical address, contact information, legitimate business details: The site provides only an email address or contact form. In the same vein, any email address they provide may look strange like northbank@hotmail.com. Any legitimate business will not be using a public email account such as Hotmail, Gmail, or Yahoo.
7. Missing or vague return policy: Legitimate businesses want satisfied customers and provide clear policies for returns and exchanges. Scams, however, cannot provide clear refund policies, return instructions, or customer service information.
8. Stolen or low-quality images: Scammers often steal images from legitimate sites without permission, making their product photos look pixelated, watermarked, or inconsistent in style and quality.
9. Fake or generic reviews: Authentic reviews include specific details and a mix of ratings and comments. On fake websites, however, customer reviews are overly positive with generic language, posted on the same dates, or contain similar phrasing patterns.
10. Limited payment options: Legitimate businesses offer secure payment options with buyer protection. Fake websites, however, only accept wire transfers, cryptocurrency, gift cards, or other non-reversible or untraceable payment methods.
11. Recently registered domain: The website was created very recently—often just days or weeks ago, whereas established businesses typically have older, stable web presences.
12. Fake password: If you’re at a fake site and type in a phony password, the fake site is likely to accept it.

Recognize phishing, SMiShing, and other fake communications

Most scams usually start out from social engineering tactics such as phishing, smishing, and fake social media messages with suspicious links, before leading you to a fake website.

From these communications, the scammers impersonate legitimate organizations before finally executing their malevolent intentions. To avoid being tricked, it is essential to recognize the warning signs wherever you encounter them.

Email phishing red flags

Fake emails are among the most common phishing attempts you’ll encounter. If you see any of these signs in an unsolicited email, it is best not to engage:

• One way to recognize a phishing email is by its opening greeting. A legitimate email from your real bank or business will address you by name rather than a generic greeting like “Valued Customer” or something similar.
• In the main message, watch for urgent language like “Act now!” or “Your account will be suspended immediately.” Legitimate organizations rarely create artificial urgency around routine account matters. Also pay attention to the sender’s email address. Authentic companies use official domains, not generic email services like Gmail or Yahoo for business communications.
• Be suspicious of emails requesting your credentials, Social Security number, or other sensitive information. Banks and reputable companies will never ask for passwords or personal details via email.
• Look closely at logos and formatting. Spoofed emails often contain low-resolution images, spelling errors, or slightly altered company logos that don’t match the authentic versions.

SMS and text message scams

Smishing messages bear the same signs as phishing emails and have become increasingly sophisticated. These fake messages often appear to come from delivery services, banks, or government agencies. Common tactics include fake package delivery notifications, urgent banking alerts, or messages claiming you’ve won prizes or need to verify account information.

Legitimate organizations typically don’t include clickable links in unsolicited text messages, especially for account-related actions. When in doubt, don’t click the link—instead, open your banking app directly or visit the official website by typing the URL manually.

Social media phishing

Social media platforms give scammers new opportunities to create convincing fake profiles and pages. They might impersonate customer service accounts, create fake giveaways, or send direct messages requesting personal information. These fake sites often use profile pictures and branding that closely resemble legitimate companies.

Unusual sender behavior is another indicator of a scam across all platforms. This includes messages from contacts you haven’t heard from in years, communications from brands you don’t typically interact with, or requests that seem out of character for the supposed sender.

Examples of fake or scam websites

Scammers have become increasingly cunning in creating fake websites that closely mimic legitimate businesses and services. Here are some real-life examples of how cybercriminals use fake websites to victimize consumers:

USPS-themed scams and websites

Scammers exploit your trust in the United States Postal Service (USPS), designing sophisticated fake websites to steal your personal information, payment details, or money. They know you’re expecting a package or need to resolve a delivery issue, making you more likely to enter sensitive information without carefully verifying the site’s authenticity.

USPS-themed smishing attacks arrive as text messages stating your package is delayed, undeliverable, or requires immediate action. Common phrases include “Pay $1.99 to reschedule delivery” or “Your package is held – click here to release.”

Common URL tricks in USPS scams

Scammers use various URL manipulation techniques to make their fake sites appear official. Watch for these red flags:

• Misspelled domains: Sites like “uspps.com,” “uspo.com,” or “us-ps.com” instead of the official “usps.com”
• Extra characters: URLs containing hyphens, numbers, or additional words like “usps-tracking.com” or “usps2024.com”
• Different extensions: Domains ending in .net, .org, .info, or country codes instead of .com
• Subdomain tricks: URLs like “usps.fake-site.com” where “usps” appears as a subdomain rather than the main domain
• HTTPS absence: Legitimate USPS pages use secure HTTPS connections, while some fake sites may only use HTTP

Verify through official USPS channels

Always verify package information and delivery issues through official USPS channels before taking any action on suspicious websites or messages:

• Official USPS website: Report the incident directly to usps.com by typing the URL into your browser rather than clicking links from emails or texts. Use the tracking tool on the homepage to check your package status with the official tracking number.
• Official USPS mobile app: The USPS mobile app, available from official app stores, provides secure access to tracking, scheduling, and delivery management. Verify that you are downloading from USPS by checking the publisher name and official branding.
• USPS customer service: If you receive conflicting information or suspect a scam, call USPS customer service at 1-800-ASK-USPS (1-800-275-8777) to verify delivery issues or payment requests.
• Your local post office: When you need definitive verification, speak with postal workers at your local USPS location who can access your package information directly in their systems.

Where and how to report fake USPS websites

Reporting fake USPS websites helps protect others from falling victim to these scams and assists law enforcement in tracking down perpetrators.

• Report to USPS: Forward suspicious emails to the United States Postal Inspection Service and report fake websites through the USPS website’s fraud reporting section. The postal inspection service investigates mail fraud and online scams targeting postal customers.
• File with the Federal Trade Commission: Report the fraudulent website at ReportFraud.ftc.gov, providing details about the fake site’s URL, any money lost, and screenshots of the fraudulent pages.
• Contact the Federal Bureau of Investigation: Submit reports through the FBI’s Internet Crime Complaint Center, especially if you provided personal information or lost money to the scam.
• Alert your state attorney general: Many state attorneys general offices track consumer fraud and can investigate scams targeting residents in their jurisdiction.

Remember that legitimate USPS services are free for standard delivery confirmation and tracking. Any website demanding payment for basic package tracking or delivery should be treated as suspicious and verified through official USPS channels before providing any personal or financial information.

Tech support pop-up ads scams

According to the Federal Trade Commission, tech support scams cost Americans nearly $1.5 billion in 2024. These types of social engineering attacks are increasingly becoming sophisticated, making it more important than ever to verify security alerts through official channels.

Sadly, many scammers are misusing the McAfee name to create fake tech support pop-up scams and trick you into believing your computer is infected or your protection has expired and hoping you’ll act without thinking.

These pop-ups typically appear while you’re browsing and claim your computer is severely infected with viruses, malware, or other threats. They use official-looking McAfee logos, colors, and messaging to appear legitimate to get you to call a fake support number, download malicious software, or pay for unnecessary services.

Red flags of fake McAfee pop-up

Learning to detect fake sites and pop-ups protects you from scam. Be on the lookout for these warning signs:

• Offering phone numbers to call immediately: Legitimate McAfee software never displays pop-ups demanding you call a phone number right away for virus removal.
• Requests for remote access: Authentic McAfee alerts won’t ask you for permission to remotely control your computer to “fix” issues.
• Immediate payment demands: Real McAfee pop-ups don’t require instant payment to resolve security threats.
• Countdown timers: Fake alerts often include urgent timers claiming your computer will be “locked” or “damaged” if you don’t act immediately.
• Poor grammar and spelling: Many fraudulent pop-ups contain obvious spelling and grammatical errors.
• Browser-based alerts: Genuine McAfee software notifications appear from the actual installed program, not through your web browser.

Properly close a McAfee-themed pop-up ad

If you see a suspicious pop-up claiming to be from McAfee, here’s exactly what you should do:

1. Close the tab immediately: Don’t click anywhere on the pop-up, not even the “X” button, as this might trigger malware downloads.
2. Use keyboard shortcuts: Press Ctrl+Alt+Delete or Command+Option+Escape (Mac) to force-close your browser safely.
3. Don’t call any phone numbers: Never call support numbers displayed on the pop-ups, as these connect you directly to scammers.
4. Avoid downloading software: Don’t download any “cleaning” or “security” tools offered through pop-ups.
5. Clear your browser cache: After closing the pop-up, clear your browser’s cache and cookies to remove any tracking elements.

Verify your actual McAfee protection status

To check if your McAfee protection is genuinely active and up-to-date:

• Open your installed McAfee software directly: Click on the McAfee icon in your system tray or search for McAfee in your start menu.
• Visit the official McAfee website: Go directly to mcafee.com by typing it into your address bar.
• Log into your McAfee account: Check your subscription status through your official McAfee online account.
• Use the McAfee mobile app: Download the official McAfee Mobile Security app to monitor your protection remotely.

Remember, legitimate McAfee software updates and notifications come through the installed program itself, not through random browser pop-ups. Your actual McAfee protection works quietly in the background without bombarding you with alarming messages.

Crush fake tech support pop-ups

Stay protected by trusting your installed McAfee software and always verifying security alerts through official McAfee channels such as your installed McAfee dashboard or the official website.

1. Close your browser safely. If you see a fake McAfee pop-up claiming your computer is infected, don’t click anything on the pop-up. Instead, close your browser completely using Alt+F4 (Windows) or Command+Q (Mac). If the pop-up does not close, open Task Manager (Ctrl+Shift+Esc) and end the browser process. This prevents any malicious scripts from running and stops the scammers from accessing your system.
2. Clear browser permissions. Fake security pop-ups often trick you into allowing notifications that can bombard you with more scam alerts. Go to your browser settings and revoke notification permissions for suspicious sites. In Chrome, go to Settings > Privacy and Security > Site Settings > Notifications, then remove any unfamiliar or suspicious websites from the allowed list.
3. Remove suspicious browser extensions. Malicious extensions can generate fake McAfee alerts and redirect you to scam websites. Check your browser extensions by going to the extensions menu and removing any you don’t recognize or didn’t intentionally install.
4. Reset your browser settings. If fake pop-ups persist, reset your browser to its default settings to remove unwanted changes made by malicious websites or extensions, while preserving your bookmarks and saved passwords. In most browsers, you can find the reset option under Advanced Settings.
5. Run a complete security scan. Use your legitimate antivirus software to perform a full system scan. If you don’t have security software, download a reputable program from the official vendor’s website only, such as McAfee Total Protection, to detect and remove any malware that might be generating the fake pop-ups.
6. Update your operating system and browser. Ensure your device has the latest security and web browser updates installed, which often include patches for vulnerabilities that scammers exploit. Enable automatic updates to stay protected against future threats.
7. Review and adjust notification settings. Configure your browser to block pop-ups and block sites from sending you notifications. You could be tempted to allow some sites to send you alerts, but we suggest erring on the side of caution and just block all notifications.

Steps to take if you visited or purchased from a fake site

Be prepared and know how to respond quickly when something doesn’t feel right. If you suspect you’ve encountered a fake website, trust your instincts and take these protective steps immediately.

1. Disconnect immediately: Close your browser by using Alt+F4 (Windows), Ctrl + W (Chrome), or Command+Q (Mac) on your keyboard.
2. Run a comprehensive security scan: If you suspect a virus or malware, disconnect from the internet to prevent data transmission. Conduct a full scan using your antivirus software to detect and remove any potential threats that may have been downloaded.
3. Contact your credit card issuer: Call the number on the back of your card and report the fraudulent charges for which you can receive zero liability protection. Card companies allow up to 60 days for charge disputes under federal law and can refund payments made to the fake store. Consider requesting a temporary freeze on your account while the investigation proceeds.
4. Cancel your credit card: Request a replacement card with a new number to give you a fresh start. Your card issuer can expedite the request if needed, often within 24-48 hours.
5. Document everything thoroughly: Save all emails, receipts, order confirmations, and screenshots of the fake website before it potentially disappears. This documentation will be crucial for your chargeback and insurance claims, and any legal proceedings.
6. Update passwords on other accounts: Scammers often test stolen credentials across multiple platforms, so if you reused the same password on the fake site that you use elsewhere, change those passwords immediately. Enable two-factor authentication on important accounts like email, banking, and social media.
7. Stay alert for follow-up scams: Scammers may attempt to contact you via phone, email, or text claiming to “resolve” your situation through fake shipping notifications, additional payments to “release” your package, or “refunds” on your money in exchange for personal information.
8. Monitor your credit and financial accounts. Keep a close eye on your bank and credit card statements for several months and place a fraud alert on your credit reports through one of the three major credit bureaus—TransUnion, Equifax, and Experian. Consider a credit freeze for maximum protection.
9. Check for legitimate alternatives. If you were trying to purchase a specific product, research authorized retailers or the manufacturer’s official website. Verify business credentials, secure payment options, and return policies before making new purchases.

Report a scam website, email, or text message

• Federal Trade Commission: Report fraudulent websites to the FTC, which investigates consumer complaints and uses this data to identify patterns of fraud and take enforcement action against scammers.
• FBI’s Internet Crime Complaint Center: Submit detailed reports to the ICc3 for suspected internet crimes. IC3 serves as a central hub for reporting cybercrime and coordinates with law enforcement agencies nationwide.
• State Attorney General: If the fake store claimed to be located in your state, consider reporting to your state attorney general’s office, as these have dedicated fraud reporting systems and can take action against businesses operating within state boundaries. Find your state’s reporting portal through the National Association of Attorneys General website.
• Domain registrar, hosting provider, social media: Look up the website’s registration details using a WHOIS tool, then report abuse to both the domain registrar and web hosting company. Most providers have dedicated abuse reporting emails and will investigate violations of their terms of service. If the fake page is on social media, you can report it to the platform to protect other consumers.
• Search engines: Report fraudulent sites to Google through their spam report form and to Microsoft Bing via their webmaster tools to prevent the fake sites from appearing in search results.
• The impersonated brand: If scammers are impersonating a legitimate company, report directly to that company’s fraud department or customer service. Most brands have dedicated channels for reporting fake websites and will work to shut them down.
• Share your experience to protect others: Leave reviews on scam-reporting websites such as the Better Business Bureau’s Scam Tracker or post about your experience on social media to warn friends and family. Your experience can help others avoid the same trap and contribute to the broader fight against online fraud.
• Essential evidence to gather:

• • Full website URL and any redirected addresses
  • Screenshots of the fraudulent pages, including fake logos or branding
  • Transaction details, if you made a purchase (receipts, confirmation emails, payment information)
  • Email communications from the scammers
  • Date and time when you first encountered the site
  • Any personal information you may have provided

• Additional reporting resources: The CISA maintains an updated list of reporting resources while the Anti-Phishing Working Group investigates cases of the fake sites that appear to be collecting personal information fraudulently. For text message scams, forward the message to 7726 (SPAM).

Final thoughts

Recognizing fake sites and emails becomes easier with practice. The key is to trust your instincts—if something feels suspicious or too good to be true, take a moment to verify through official channels. With the simple verification techniques covered in this guide, you can confidently navigate the digital world and spot fake sites and emails before they cause harm.

Your best defense is to make these quick security checks a regular habit—verify URLs, look for secure connections, and trust your instincts when something feels off. Go directly to the source or bookmark your most-used services and always navigate to them. Enable two-factor authentication on important accounts, and remember that legitimate companies will never ask for sensitive information via email. Maintaining healthy skepticism about unsolicited communications will protect not only your personal information but also help create a safer online environment for everyone.

For the latest information on fake websites and scams and to report them, visit the Federal Trade Commission’s scam alerts or the FBI’s Internet Crime Complaint Center.

The post Ways to Tell if a Website Is Fake appeared first on McAfee Blog.

Cybercriminals impersonating financial institutions have targeted individuals, businesses, and organizations of different sizes.

The post Account Takeover Fraud Caused $262 Million in Losses in 2025: FBI appeared first on SecurityWeek.

Chances are, you have more personal information posted online than you think.

In 2024, the U.S. Federal Trade Commission (FTC) reported that 1.1 million identity theft complaints were filed, where $12.5 billion was lost to identity theft and fraud overall—a 25% increase over the year prior.

What fuels all this theft and fraud? Easy access to personal information.

Here’s one way you can reduce your chances of identity theft: remove your personal information from the internet.

Scammers and thieves can get a hold of your personal information in several ways, such as information leaked in data breaches, phishing attacks that lure you into handing it over, malware that steals it from your devices, or by purchasing your information on dark web marketplaces, just to name a few.

However, scammers and thieves have other resources and connections to help them commit theft and fraud—data broker sites, places where personal information is posted online for practically anyone to see. This makes removing your info from these sites so important, from both an identity and privacy standpoint.

Data brokers: Collectors and aggregators of your information

Data broker sites are massive repositories of personal information that also buy information from other data brokers. As a result, some data brokers have thousands of pieces of data on billions of individuals worldwide.

What kind of data could they have on you? A broker may know how much you paid for your home, your education level, where you’ve lived over the years, who you’ve lived with, your driving record, and possibly your political leanings. A broker could even know your favorite flavor of ice cream and your preferred over-the-counter allergy medicine thanks to information from loyalty cards. They may also have health-related information from fitness apps. The amount of personal information can run that broadly, and that deeply.

With information at this level of detail, it’s no wonder that data brokers rake in an estimated $200 billion worldwide every year.

Sources of your information

Your personal information reaches the internet through six main methods, most of which are initiated by activities you perform every day. Understanding these channels can help you make more informed choices about your digital footprint.

Digitized public records

When you buy a home, register to vote, get married, or start a business, government agencies create public records that contain your personal details. These records, once stored in filing cabinets, are now digitized, accessible online, and searchable by anyone with an internet connection.

Social media sharing and privacy gaps

Every photo you post, location you tag, and profile detail you share contributes to your digital presence. Even with privacy settings enabled, social media platforms collect extensive data about your behavior, relationships, and preferences. You may not realize it, but every time you share details with your network, you are training algorithms that analyze and categorize your information.

Data breaches

You create accounts with retailers, healthcare providers, employers, and service companies, trusting them to protect your information. However, when hackers breach these systems, your personal information often ends up for sale on dark web marketplaces, where data brokers can purchase it. The Identity Theft Research Center Annual Data Breach Report revealed that 2024 saw the second-highest number of data compromises in the U.S. since the organization began recording incidents in 2005.

Apps and ad trackers

When you browse, shop, or use apps, your online behavior is recorded by tracking pixels, cookies, and software development kits. The data collected—such as your location, device usage, and interests—is packaged and sold to data brokers who combine it with other sources to build a profile of you.

Loyalty programs

Grocery store cards, coffee shop apps, and airline miles programs offer discounts in exchange for detailed purchasing information. Every transaction gets recorded, analyzed, and often shared with third-party data brokers, who then create detailed lifestyle profiles that are sold to marketing companies.

Data broker aggregators

Data brokers act as the hubs that collect information from the various sources to create comprehensive profiles that may include over 5,000 data points per person. Seemingly separate pieces of information become a detailed digital dossier that reveals intimate details about your life, relationships, health, and financial situation.

The users of your information

Legally, your aggregated information from data brokers is used by advertisers to create targeted ad campaigns. In addition, law enforcement, journalists, and employers may use data brokers because the time-consuming pre-work of assembling your data has largely been done.

Currently, the U.S. has no federal laws that regulate data brokers or require them to remove personal information if requested. Only a few states, such as Nevada, Vermont, and California, have legislation that protects consumers. In the European Union, the General Data Protection Regulation (GDPR) has stricter rules about what information can be collected and what can be done with it.

On the darker side, scammers and thieves use personal information for identity theft and fraud. With enough information, they can create a high-fidelity profile of their victims to open new accounts in their name. For this reason, cleaning up your personal information online makes a great deal of sense.

Types of personal details to remove online

Understanding which data types pose the greatest threat can help you prioritize your removal efforts. Here are the high-risk personal details you should target first, ranked by their potential for harm.

Highest priority: Identity theft goldmines

• Social Security Number (SSN) with full name and address: This combination provides everything criminals need for identity theft, leading to fraudulent credit accounts, tax refund theft, and employment fraud that may take years to resolve, according to the FTC.
• Financial account information: Bank account numbers, credit card details, and investment account information enable direct financial theft. Even partial account numbers can be valuable when combined with other personal details from data breaches.
• Driver’s license and government-issued ID information: These serve as primary identity verification for many services and can be used to bypass security measures at financial institutions and government agencies.

High priority: Personal identifiers

• Full name combined with home address: This pairing makes you vulnerable to targeted scams and physical threats, while enabling criminals to gather additional information about your household and family members.
• Date of birth: Often used as a security verification method, your DOB combined with other identifiers can unlock accounts and enable age-related targeting for scams.
• Phone numbers: This information enables SIM swapping, where criminals take control of your phone number to bypass two-factor authentication and access your accounts.

Medium-high priority: Digital and health data

• Email addresses: Your primary email serves as the master key to password resets across multiple accounts, while secondary emails can reveal personal interests and connections that criminals exploit in social engineering.
• Medical and health app data: This is highly sensitive information that can be used for insurance discrimination, employment issues, or targeted health-related scams.
• Location data and photos with metadata: Reveals your daily patterns, workplace, home address, and frequented locations. Photos with embedded GPS coordinates can expose your exact whereabouts and enable stalking or burglary.

Medium priority: Account access points

• Usernames and account handles: These help criminals map your digital footprint across platforms to discover your personal interests, connections, and even potential security questions answers. They also enable account impersonation and social engineering against your contacts.

When prioritizing your personal information removal efforts, focus on combinations of data rather than individual pieces. For example, your name alone poses minimal risk, but your name combined with your address, phone number, and date of birth creates a comprehensive profile that criminals can exploit. Tools such as McAfee Personal Data Cleanup can help you identify and remove these high-risk combinations from data broker sites systematically.

Step-by-step guide to finding your personal data online

1. Targeted search queries: Search for your full name in quotes (“John Smith”), then combine it with your city, phone number, or email address. Try variations like “John Smith” + “123 Main Street” or “John Smith” + “555-0123”. Don’t forget to search for old usernames, maiden names, or nicknames you’ve used online. Aside from Google, you can also check Bing, DuckDuckGo, and people search engines.
2. Major data broker and people search sites: Search for yourself in common data aggregators: Whitepages, Spokeo, BeenVerified, Intelius, PeopleFinder, and Radaris. Take screenshots of what you find as documentation. To make this process manageable, McAfee Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info.
3. Social media platforms and old accounts: Review your Facebook, Instagram, LinkedIn, Twitter, and other platforms for publicly visible personal details. Check old accounts—dating sites, forums, gaming platforms, or professional networks. Look for biographical information, location data, contact details, photos, and even comment sections where you may have shared details.
4. Breach and dark web monitoring tools: Have I Been Pwned and other identity monitoring services can help you scan the dark web and discover if your email addresses or phone numbers appear in data breaches.
5. Ongoing monitoring alerts: Create weekly Google Alerts for your and your family member’s full name, address combinations, and phone number. Some specialized monitoring services can track once your information appears on new data broker sites or gets updated on existing ones.
6. Document everything in a tracker: Create a spreadsheet or document to systematically track your findings. Include the website name and URL, the specific data shown, contact information for removal requests, date of your opt-out request, and follow-up dates. Many sites require multiple follow-ups, so having this organized record is essential for successful removal.

This process takes time and persistence, but services such as McAfee Personal Data Cleanup can continuously monitor for new exposures and manage opt-out requests on your behalf. The key is to first understand the full scope of your online presence before beginning the removal process.

Remove your personal information from the internet

Let’s review some ways you can remove your personal information from data brokers and other sources on the internet.

Request to remove data from data broker sites

Once you have found the sites that have your information, the next step is to request to have it removed. You can do this yourself or employ services such as McAfee’s Personal Data Cleanup, which can help manage the removal for you depending on your subscription. ​It also monitors those sites, so if your info gets posted again, you can request its removal again.

Limit the data Google collects

You can request to remove your name from Google search to limit your information from turning up in searches. You can also turn on “Auto Delete” in your privacy settings to ensure your data is deleted regularly. Occasionally deleting your cookies or browsing in incognito mode prevents websites from tracking you. If Google denies your initial request, you can appeal using the same tool, providing more context, documentation, or legal grounds for removal. Google’s troubleshooter tool may explain why your request was denied—either legitimate public interest or newsworthiness—and how to improve your appeal.

It’s important to know that the original content remains on the source website. You’ll still need to contact website owners directly to have your actual content removed. Additionally, the information may still appear in other search engines.

Delete old social media accounts

If you have old, inactive accounts that have gone by the wayside such as Myspace or Tumblr, you may want to deactivate or delete them entirely. For social media platforms that you use regularly, such as Facebook and Instagram, consider adjusting your privacy settings to keep your personal information to the bare minimum.

Remove personal info from websites and blogs

If you’ve ever published articles, written blogs, or created any content online, it is a good time to consider taking them down if they no longer serve a purpose. If you were mentioned or tagged by other people, it is worth requesting them to take down posts with sensitive information.

Delete unused apps and restrict permissions in those you use

Another way to tidy up your digital footprint is to delete phone apps you no longer use as hackers are able to track personal information on these and sell it. As a rule, share as little information with apps as possible using your phone’s settings.

Remove your info from other search engines

• Bing: Submit removal requests through Bing’s Content Removal tool for specific personal information like addresses, phone numbers, or sensitive data. Note that Bing primarily crawls and caches content from other websites, so removing the original source content first will prevent re-indexing.
• Yahoo: Yahoo Search results are powered by Bing, so use the same Bing Content Removal process. For Yahoo-specific services, contact their support team to request removal of cached pages and personal information from search results.
• DuckDuckGo and other privacy-focused engines: These search engines don’t store personal data or create profiles, but pull results from multiple sources. We suggest that you focus on removing content from the original source websites, then request the search engines to update their cache to prevent your information from reappearing in future crawls.

Escalate if needed

After sending your removal request, give the search engine or source website 7 to 10 business days to respond initially, then follow up weekly if needed. If a website owner doesn’t respond within 30 days or refuses your request, you have several escalation options:

• Contact the hosting provider: Web hosts often have policies against sites that violate privacy laws
• File complaints: Report to your state attorney general’s office or the Federal Trade Commission
• Seek legal guidance: For persistent cases involving sensitive information, consult with a privacy attorney

For comprehensive guidance on website takedown procedures and your legal rights, visit the FTC’s privacy and security guidance for the most current information on consumer data protection. Direct website contact can be time-consuming, but it’s often effective for removing information from smaller sites that don’t appear on major data broker opt-out lists. Stay persistent, document everything, and remember that you have legal rights to protect your privacy online.

Remove your information from browsers

After you’ve cleaned up your data from websites and social platforms, your web browsers may still save personal information such as your browsing history, cookies, autofill data, saved passwords, and even payment methods. Clearing this information and adjusting your privacy settings helps prevent tracking, reduces targeted ads, and limits how much personal data websites can collect about you.

• Clear your cache: Clearing your browsing data is usually done by going to Settings and looking for the Privacy and Security section, depending on the specific browser. This is applicable in Google Chrome, Safari, Firefox, Microsoft Edge, as well as mobile phone operating systems such as Android and iOS.

• Disable autofill: Autofill gives you the convenience of not having to type your information every time you accomplish a form. That convenience has a risk, though—autofill saves addresses, phone numbers, and even payment methods. To prevent websites from automatically populating forms with your sensitive data, disable the autofill settings independently. For better security, consider using a dedicated password manager instead of browser-based password storage.
• Set up automatic privacy protection: Set up your browsers to automatically clear cookies, cache, and site data when you close them. This ensures your browsing sessions don’t leave permanent traces of your personal information on your device.
• Use privacy-focused search engines: Evaluate the possibility of using privacy-focused search engines like DuckDuckGo as your default. These proactive steps significantly reduce how much personal information browsers collect and store about your online activities.

Get your address off the internet

When your home address is publicly available, it can expose you to risks like identity theft, stalking, or targeted scams. Taking steps to remove or mask your address across data broker sites, public records, and even old social media profiles helps protect your privacy, reduce unwanted contact, and keep your personal life more secure.

1. Opt out of major data broker sites: The biggest address exposers are Whitepages, Spokeo, and BeenVerified. Visit their opt-out pages and submit removal requests using your full name and current address. Most sites require email verification and process removals within 7-14 business days.
2. Contact public records offices about address redaction: Many county and state databases allow address redaction for safety reasons. File requests with your local clerk’s office, voter registration office, and property records department. Complete removal isn’t always possible, but some jurisdictions offer partial address masking.
3. Enable WHOIS privacy protection on domain registrations: If you own any websites or domains, request your domain registrar to add privacy protection services to replace your personal address with the registrar’s information.
4. Review old forum and social media profiles: Check your profiles on forums, professional networks, and social platforms where you may have shared your address years ago. Delete or edit posts containing location details, and update bio sections to remove specific address information.
5. Verify removal progress: Every month, do a search of your name and address variations on different search engines. You also can set up Google Alerts to monitor and alert you when new listings appear. Most data broker removals need to be renewed every 6-12 months as information gets re-aggregated.

The cost to delete your information from the internet

The cost to remove your personal information from the internet varies, depending on whether you do it yourself or use a professional service. Read the guide below to help you make an informed decision:

DIY approach

Removing your information on your own primarily requires time investment. Expect to spend 20 to 40 hours looking for your information online and submitting removal requests. In terms of financial costs, most data brokers may not charge for opting out, but other expenses could include certified mail fees for formal removal requests—about $3-$8 per letter—and possibly notarization fees for legal documents. In total, this effort can be substantial when dealing with dozens of sites.

Professional removal services

Depending on which paid removal and monitoring service you employ, basic plans typically range from $8 to $25 monthly while annual plans, which often provide better value, range from $100 to $600. Premium services that monitor hundreds of data broker sites and provide ongoing removal can cost $1,200-$2,400 annually.

The difference in pricing is driven by several factors. This includes the number of data broker sites to be monitored, which could cover more than 200 sites, and the scope of removal requests which may include basic personal information or comprehensive family protection. The monitoring frequency and additional features such as dark web monitoring, credit protection, and identity restoration support and insurance coverage typically command higher prices.

The value of continuous monitoring

The upfront cost may seem significant, but continuous monitoring provides essential value. A McAfee survey revealed that 95% of consumers’ personal information ends up on data broker sites without their consent. It is possible that after the successful removal of your information, it may reappear on data broker sites without ongoing monitoring. This makes continuous protection far more cost-effective than repeated one-time cleanups.

Services such as McAfee Personal Data Cleanup can prove invaluable, as it handles the initial removal process, as well as ongoing monitoring to catch when your information resurfaces, saving you time and effort while offering long-term privacy protection.

Aside from the services above, comprehensive protection software can help safeguard your privacy and minimize your exposure to cybercrime with these offerings such as:

• An unlimited virtual private network to make your personal information much more difficult to collect and track
• Identity monitoring that tracks and alerts you if your specific personal information is found on the dark web
• Identity theft coverage and restoration helps you pay for legal fees and travel expenses, and further assistance from a licensed recovery pro to repair your identity and credit
• Other features such as safe browsing to help you avoid dangerous links, bad downloads, malicious websites, and more online threats when you’re online

So while it may seem like all this rampant collecting and selling of personal information is out of your hands, there’s plenty you can do to take control. With the steps outlined above and strong online protection software at your back, you can keep your personal information more private and secure.

Essential steps if your information is found on the dark web

Unlike legitimate data broker sites, the dark web operates outside legal boundaries where takedown requests don’t apply. Rather than trying to remove information that’s already circulating, you can take immediate steps to reduce the potential harm and focus on preventing future exposure. A more effective approach is to treat data breaches as ongoing security issues rather than one-time events.

Both the FTC and Cybersecurity and Infrastructure Security Agency have released guidelines on proactive controls and continuous monitoring. Here are key steps of those recommendations:

1. Change your passwords immediately and enable multi-factor authentication. Start with your most critical accounts—banking, email, and any services linked to financial information. Create unique, strong passwords for each account and enable MFA where possible for an extra layer of protection.
2. Monitor your financial accounts and credit reports closely. Check your bank statements, credit card accounts, and investment accounts for any unauthorized activity. Request your free annual credit reports from all three major bureaus and carefully review them for accounts you didn’t open or activities you don’t recognize.
3. Place fraud alerts or credit freezes. Contact Equifax, Experian, and TransUnion to place fraud alerts, which require creditors to verify your identity before approving new accounts. Better yet, consider a credit freeze to block access to your credit report entirely until you lift it.
4. Replace compromised identification documents if necessary. If your Social Security number, driver’s license, or passport information was exposed, contact the appropriate agencies to report the breach and request new documents. IdentityTheft.gov provides step-by-step guidance for replacing compromised documents.
5. Set up ongoing identity monitoring and protection. Consider using identity monitoring services that scan the dark web and alert you to new exposures of your personal information.
6. Document everything and report the incident. Keep detailed records of any suspicious activities you discover and all steps you’ve taken. File a report with the FTC and police, especially if you’ve experienced financial losses. This documentation will be crucial for disputing fraudulent charges or accounts.

Legal and practical roadblocks

As you go about removing your information for the internet, it is important to set realistic expectations. Several factors may limit how completely you can remove personal data from internet sources:

• The United States lacks comprehensive federal privacy laws requiring companies to delete personal information upon request.
• Public records, court documents, and news articles often have legal protections that prevent removal.
• International websites may not comply with U.S. deletion requests.
• Cached copies could remain on search engines and archival sites for years.
• Data brokers frequently repopulate their databases from new sources even after opt-outs.

While some states like California have stronger consumer privacy rights, most data removal still depends on voluntary compliance from companies.

Final thoughts

Removing your personal information from the internet takes effort, but it’s one of the most effective ways to protect yourself from identity theft and privacy violations. The steps outlined above provide you with a clear roadmap to systematically reduce your online exposure, from opting out of data brokers to tightening your social media privacy settings.

This isn’t a one-time task but an ongoing process that requires regular attention, as new data appears online constantly. Rather than attempting to complete digital erasure, focus on reducing your exposure to the most harmful uses of your personal information. Services like McAfee Personal Data Cleanup can help automate the most time-consuming parts of this process, monitoring high-risk data broker sites and managing removal requests for you.

The post How to Remove Your Personal Information From the Internet appeared first on McAfee Blog.

Between 2016 and 2021, the suspects defrauded 4.3 million cardholders in 193 countries of €300 million (~$346 million).

The post 18 Arrested in Crackdown on Credit Card Fraud Rings appeared first on SecurityWeek.

I think I could count on one hand the people I know who have NOT had their email hacked. Maybe they found a four-leaf clover when they were kids! Email hacking is one of the very unfortunate downsides of living in our connected, digital world. And it usually occurs as a result of a data breach – a situation that even the savviest tech experts find themselves in.

What is a data breach?

In simple terms, a data breach happens when personal information is accessed, disclosed without permission, or lost. Companies, organisations, and government departments of any size can be affected. Data stolen can include customer login details (email addresses and passwords), credit card numbers, identifying IDs of customers e.g. driver’s license numbers and/or passport numbers, confidential customer information, company strategy, or even matters of national security.

Data breaches have made headlines, particularly over the last few years. When the Optus and Medibank data breaches hit the news in 2022 affecting almost 10 million Aussies apiece, we were all shaken. But then when Aussie finance company Latitude was affected in 2023 with a whopping 14 million people from both Australia and New Zealand, it almost felt inevitable that by now, most of us would have been impacted.

The reality is that data breaches have been happening for years. In fact, the largest data breach in Australian history happened in 2019 to the online design site Canva which affected 139 million users globally. In short, it can happen to anyone, and the chances are you may have already been affected.

Your email is more valuable than you think

The sole objective of a hacker is to get their hands on your data. Any information that you share in your email account can be very valuable to them. Why do they want your data, you ask? It’s simple really – so they can cash in!

Some will keep the juicy stuff for themselves – passwords or logins to government departments or large companies they may want to ’target’ with the aim of extracting valuable data and/or funds. The more sophisticated ones will sell your details including name, telephone, email address, and credit card details to cash in on the dark web. They often do this in batches. Some experts believe they can get as much as AU$250 for a full set of details including credit cards. So, you can see why they’d be interested in you.

The other reason why hackers will be interested in your email address and password is that many of us re-use our login details across our other online accounts. Once they’ve got their hands on your email credentials, they may be able to access your online banking and investment accounts, if you use the same credentials everywhere. So, you can see why I harp on about using a unique password for every online account!

How big is the problem?

There is a plethora of statistics on just how big this issue is – all of them concerning. According to the Australian Institute of Criminology, of all the country’s cybercrime reports in 2024, about 21.9% involved identity theft and misuse. The Australian Bureau of Statistics adds that the identity theft victimisation rate has steadily increased from 0.8% to 1.2% from 2021 to 2024, respectively.

Meanwhile, The Australian Government revealed that at least one cybercrime is reported every 6 minutes, with business email compromise alone costing the national economy up to $84 million in losses. Regardless of which statistic you choose to focus on, we have a big issue on our hands.

How does an email account get hacked?

Hackers use a range of techniques—some highly sophisticated, others deceptively simple—to gain access. It is important to know how these attacks happen so you can stay ahead and prevent them.

• Phishing scams: These are deceptive emails that trick you into entering your login details on a fake website that looks legitimate.
• Data breaches: If a website where you used your email and password gets breached, criminals can use those leaked credentials to try and access your email account.
• Weak or reused passwords: Using simple, easy-to-guess passwords or the same password across multiple sites makes it easy for hackers to gain access.
• Malware: Malicious software like keyloggers can be installed on your computer without your knowledge, capturing everything you type, including passwords.
• Unsecure Wi-Fi networks: Using public Wi-Fi without a VPN can expose your data to criminals monitoring the network.

From email hack to identity theft

Yes, absolutely. An email account is often the central hub of your digital life. Once a cybercriminal controls it, they can initiate password resets for your other online accounts, including banking, shopping, and social media. They can intercept sensitive information sent to you, such as financial statements or medical records.

With enough information gathered from your emails, they can commit identity theft, apply for credit in your name, or access other sensitive services. If you suspect your email was hacked, it’s crucial to monitor your financial statements and consider placing a fraud alert with credit bureaus.

Signs that your email has been hacked

• You can no longer log in. The most obvious sign of an email hack is when your password suddenly stops working. Cybercriminals often change the password immediately to lock you out.
• Friends receive strange messages from you. If your contacts report receiving spam or phishing emails from your address that you didn’t send, it’s a major red flag that someone else has control of your account.
• Unusual activity in your folders. Check your “Sent” folder for messages you don’t recognize. Hackers might also set up forwarding rules to send copies of your incoming emails to their own address, so check your settings for any unfamiliar forwarding addresses.
• Password reset emails you didn’t request. Receiving unexpected password reset emails for other services (like your bank or social media) is a sign that a hacker is using your email to try and take over your other online accounts.
• Security alerts from your provider. Pay attention to notifications about new sign-ins from unfamiliar devices, locations, or IP addresses. These are often the first warnings that your account has been compromised.

Steps to email recovery

If you find yourself a victim of email hacking, these are a few very important steps you need to take. Fast.

Change your password

Using a separate, clean device, this is the very first thing you must do to ensure the hacker can’t get back into your account. It is essential that your new password is complex and totally unrelated to previous passwords. Always use random words and characters, a passphrase with a variety of upper and lower cases, and throw in some symbols and numbers.

I really like the idea of a crazy, nonsensical sentence – easier to remember and harder to crack! But, better still, get yourself a password manager that will create a password that no human would be capable of creating. If you find the hacker has locked you out of your account by changing your password, you will need to reset the password by clicking on the ‘Forgot My Password’ link.

Update other accounts that use the same password

This is time-consuming, but essential. Ensure you change any other accounts that use the same username and password as your compromised email. Hackers love the fact that many people use the same logins for multiple accounts, so it is guaranteed they will try your info in other email applications and sites such as PayPal, Amazon, Netflix – you name it!

Once the dust has settled, review your password strategy for all your online accounts. A best practice is to ensure every online account has its own unique and complex password.

Sign out of all devices

Most email services have a security feature that lets you remotely log out of all active sessions. Once you’ve changed your password, signing out from your email account also signs out the hacker and forces them to log-in with the new password, which fortunately they do not know. These, combined with two- or multi-factor authentication, will help you to regain control of your account and prevent further compromise.

Inform your email contacts

A big part of the hacker’s strategy is to get their claws into your address book to hook others as well. Send a message to all your email contacts as soon as possible so they know to avoid opening any emails—most likely loaded with malware—that have come from you.

Commit to multi-factor authentication

Two-factor or multi-factor authentication may seem like an additional, inconvenient step to your login, but it also adds another layer of protection. Enabling this means you will need a special one-time-use code to log in, aside from your password. This is sent to your mobile phone or generated via an authenticator app. So worthwhile!

Check your email settings

It is common for hackers to modify your email settings so that a copy of every email you receive is automatically forwarded to them. Not only can they monitor your logins to other sites; they can also keep a watchful eye on any particularly juicy personal information. So, check your mail forwarding settings to ensure no unexpected email addresses have been added.

Also, ensure your ‘reply to’ email address is actually yours. Hackers have been known to create an email address that looks similar to yours, so that when someone replies, it will go straight to their account, not yours.

Don’t forget to check your email signature to ensure nothing spammy has been added, as well as your recovery phone number and alternate email address. Hackers also change these to maintain control. Update them to your own secure details.

Scan your computer for malware and viruses

Regularly scanning your devices for unwanted invaders is essential. If you find anything, please ensure it is addressed, and then change your email password again. If you don’t have antivirus software, please invest in it.

Comprehensive security software will provide you with a digital shield for your online life, protecting all your devices – including your smartphone – from viruses and malware. Some services also include a password manager to help you generate and store unique passwords for all your accounts.

Consider creating a new email address

If you have been hacked several times and your email provider isn’t mitigating the amount of spam you are receiving, consider starting afresh. Do not, however, delete your old email address because email providers are known to recycle old email addresses. This means a hacker could spam every site they can find with a ‘forgot my password’ request and try to impersonate you and steal your identity.

Your email is an important part of your online identity so being vigilant and addressing any fallout from hacking is essential for your digital reputation. Even though it may feel that getting hacked is inevitable, you can definitely reduce your risk by installing some good-quality security software on all your devices.

Trusted and reliable comprehensive security software will alert you when visiting risky websites, warn you when a download looks dodgy, and block annoying and dangerous emails with anti-spam technology. It makes sense really – if you don’t receive the dodgy phishing email – you can’t click on it. Smart!

Finally, don’t forget that hackers love social media – particularly those of us who overshare on it. So, before you post details of your adorable new kitten, remember it may just provide the perfect clue for a hacker trying to guess your email password!

Report the incident

Reporting an email hack is a crucial step to create a necessary paper trail for disputes with banks or credit agencies. When reporting, gather evidence such as screenshots of suspicious activity, unrecognized login locations and times, and any phishing emails you received. This information can be vital for the investigation.

• Your email provider: Use their official support or recovery channels immediately. They can help you investigate and regain control of your account. Do not use links from suspicious emails claiming to be from support.
• Financial institutions: If you’ve disclosed sensitive financial information or use the email for banking, contact your bank and credit card companies immediately. Alert them to potential fraud and monitor your statements.
• Friends, family, and contacts: Send a message to your contacts warning them that your account was compromised. Advise them not to open suspicious messages or click on links sent from your address during that time.
• Your employer: If it’s a work email, or if your personal email is used for work purposes, notify your IT department immediately. They need to take steps to protect company data and systems.
• Relevant authorities: For financial loss or identity theft, you can report the incident to authorities like the FBI’s Internet Crime Complaint Center or Action Fraud in the UK. This creates an official record and aids in wider law enforcement efforts.

Check if online accounts linked to your email were compromised

• Prioritize critical accounts: Immediately check your online banking, financial, and government-related accounts. Review recent activity for any unauthorized transactions or changes.
• Review social media and shopping sites: Check your social media for posts or messages you didn’t send. Review your online shopping accounts like Amazon for any purchases or address changes you don’t recognize.
• Enable alerts: Turn on login and transaction alerts for your sensitive accounts. This will give you real-time notifications of any suspicious activity in the future.

Should you delete your hacked email account?

Generally, no. Deleting the account can cause more problems than it solves. Many online services are linked to that email, and deleting it means you lose the ability to receive password reset links and security notifications for those accounts.

More importantly, some email providers recycle deleted addresses, meaning a hacker could potentially re-register your old email address and use it to impersonate you and take over your linked accounts.

The better course of action is to regain control, thoroughly secure the account with a new password and multi-factor authentication, and clean up any damage. Only consider migrating to a new email address after you have fully secured the old one.

Future-proof your email after reclaiming control

• Run a full security scan: Before doing anything else, run a comprehensive scan with a trusted antivirus program on all your devices to ensure no malware or keyloggers remain.
• Double-check security settings: Confirm that your recovery email and phone number are correct and that multi-factor authentication is enabled, preferably using an authenticator app rather than SMS.
• Review account permissions: Check which third-party apps and websites have access to your email account. Revoke access for any service you don’t recognize or no longer use.
• Set periodic reminders: Make it a habit to review your account’s security logs and settings every few months to catch any potential issues early.

• Learn to spot phishing: Be skeptical of unsolicited emails asking for personal information or creating a sense of urgency. Check the sender’s address and hover over links before clicking.
• Keep software updated:Regularly update your operating system, web browser, and security software to protect against the latest vulnerabilities.
• Secure your devices: Use comprehensive security software like McAfee+ on all your devices—computers, tablets, and smartphones—to protect against malware, viruses, and risky websites.

Provider-specific email recovery

Each email provider has a specific, structured process for account recovery. It is vital to only use the official recovery pages provided by the service and be wary of scam websites or third-party services that claim they can recover your account for a fee. Below are the official steps of the major providers that you can follow.

Gmail

1. Go to Google’s official Account Recovery page.
2. Enter your email address and follow the on-screen prompts. You will be asked questions to confirm your identity, such as previous passwords or details from your recovery phone number or email.
3. Once you regain access, you will be prompted to create a new password.
4. Immediately visit the Google Security Checkup to review recent activity, remove unfamiliar devices, check third-party app access, and enable 2-step verification.

Yahoo email

1. Navigate to the Yahoo Sign-in Helper page.
2. Enter your email address or recovery phone number and click “Continue.”
3. Follow the instructions to receive a verification code or account key to prove your identity.
4. Once verified, create a new, strong password.
5. After regaining access, go to your Account Security page to review recent activity, check recovery information, and turn on 2-step verification.

Outlook or Hotmail

1. Go to the official Microsoft account recovery page.
2. You’ll need to provide your email, phone, or Skype name, and verify your identity using the security information linked to your account.
3. If you cannot access your recovery methods, you will be directed to an account recovery form where you must provide as much information as possible to prove ownership.
4. After resetting your password, visit your Microsoft account security dashboard to review sign-in activity, check connected devices, and enable two-step verification.

Final thoughts

Your email account is the master key to your digital kingdom, and protecting it is more critical than ever since many of your other accounts are connected with your email. Realizing “my email has been hacked” is a stressful experience, but taking swift and correct action can significantly limit the damage.

By following the recovery steps and adopting strong, ongoing security habits like using a password manager and enabling multi-factor authentication, you can turn a potential crisis into a lesson in digital resilience. Stay vigilant, stay proactive, and keep your digital front door securely locked.

To add another wall of defense, consider investing in a trusted and reliable comprehensive security software like McAfee+. Our solution will help you dodge hacking attempts by alerting you when visiting risky websites, or downloading questionable apps, and blocking malicious emails with anti-spam technology.

The post What to Do If Your Email Is Hacked appeared first on McAfee Blog.

When you visit almost any website, you’ll see a pop-up asking you to accept, decline, or customize the cookies it collects. Sometimes, it just tells you that cookies are in use by default. We randomly checked 647 websites, and 563 of them displayed cookie notifications. Most of the time, users don’t even pause to think about what’s really behind the banner asking them to accept or decline cookies.

We owe cookie warnings to the adoption of new laws and regulations, such as GDPR, that govern the collection of user information and protection of personal data. By adjusting your cookie settings, you can minimize the amount of information collected about your online activity. For example, you can decline to collect and store third-party cookies. These often aren’t necessary for a website to function and are mainly used for marketing and analytics. This article explains what cookies are, the different types, how they work, and why websites need to warn you about them. We’ll also dive into sensitive cookies that hold the Session ID, the types of attacks that target them, and ways for both developers and users to protect themselves.

What are browser cookies?

Cookies are text files with bits of data that a web server sends to your browser when you visit a website. The browser saves this data on your device and sends it back to the server with every future request you make to that site. This is how the website identifies you and makes your experience smoother.

Let’s take a closer look at what kind of data can end up in a cookie.

First, there’s information about your actions on the site and session parameters: clicks, pages you’ve visited, how long you were on the site, your language, region, items you’ve added to your shopping cart, profile settings (like a theme), and more. This also includes data about your device: the model, operating system, and browser type.

Your sign-in credentials and security tokens are also collected to identify you and make it easier for you to sign in. Although it’s not recommended to store this kind of information in cookies, it can happen, for example, when you check the “Remember me” box. Security tokens can become vulnerable if they are placed in cookies that are accessible to JS scripts.

Another important type of information stored in cookies that can be dangerous if it falls into the wrong hands is the Session ID: a unique code assigned to you when you visit a website. This is the main target of session hijacking attacks because it allows an attacker to impersonate the user. We’ll talk more about this type of attack later. It’s worth noting that a Session ID can be stored in cookies, or it can even be written directly into the URL of the page if the user has disabled cookies.

Example of a Session ID as seen in a URL address: example.org/?account.php?osCsid=dawnodpasb<...>abdisoa.

Besides the information mentioned above, cookies can also hold some of your primary personal data, such as your phone number, address, or even bank card details. They can also inadvertently store confidential company information that you’ve entered on a website, including client details, project information, and internal documents.

Many of these data types are considered sensitive. This means if they are exposed to the wrong people, they could harm you or your organization. While things like your device type and what pages you visited aren’t typically considered confidential, they still create a detailed profile of you. This information could be used by attackers for phishing scams or even blackmail.

Main types of cookies

Cookies by storage time

Cookies are generally classified based on how long they are stored. They come in two main varieties: temporary and persistent.

Temporary, or session cookies, are used during a visit to a website and deleted as soon as you leave. They save you from having to sign in every time you navigate to a new page on the same site or to re-select your language and region settings. During a single session, these values are stored in a cookie because they ensure uninterrupted access to your account and proper functioning of the site’s features for registered users. Additionally, temporary cookies include things like entries in order forms and pages you visited. This information can end up in persistent cookies if you select options like “Remember my choice” or “Save settings”. It’s important to note that session cookies won’t get deleted if you have your browser set to automatically restore your previous session (load previously opened tabs). In this case, the system considers all your activity on that site as one session.

Persistent cookies, unlike temporary ones, stick around even after you leave the site. The website owner sets an expiration date for them, typically up to a year. You can, however, delete them at any time by clearing your browser’s cookies. These cookies are often used to store sign-in credentials, phone numbers, addresses, or payment details. They’re also used for advertising to determine your preferences. Sensitive persistent cookies often have a special attribute HttpOnly. This prevents your browser from accessing their contents, so the data is sent directly to the server every time you visit the site.

Notably, depending on your actions on the website, credentials may be stored in either temporary or persistent cookies. For example, when you simply navigate a site, your username and password might be stored in session cookies. But if you check the “Remember me” box, those same details will be saved in persistent cookies instead.

Cookies by source

Based on the source, cookies are either first-party or third-party. The former are created and stored by the website, and the latter, by other websites. Let’s take a closer look at these cookie types.

First-party cookies are generally used to make the site function properly and to identify you as a user. However, they can also perform an analytics or marketing function. When this is the case, they are often considered optional – more on this later – unless their purpose is to track your behavior during a specific session.

Third-party cookies are created by websites that the one you’re visiting is talking to. The most common use for these is advertising banners. For example, a company that places a banner ad on the site can use a third-party cookie to track your behavior: how many times you click on the ad and so on. These cookies are also used by analytics services like Google Analytics or Yandex Metrica.

Social media cookies are another type of cookies that fits into this category. These are set by widgets and buttons, such as “Share” or “Like”. They handle any interactions with social media platforms, so they might store your sign-in credentials and user settings to make those interactions faster.

Cookies by importance

Another way to categorize cookies is by dividing them into required and optional.

Required or essential cookies are necessary for the website’s basic functions or to provide the service you’ve specifically asked for. This includes temporary cookies that track your activity during a single visit. It also includes security cookies, such as identification cookies, which the website uses to recognize you and spot any fraudulent activity. Notably, cookies that store your consent to save cookies may also be considered essential if determined by the website owner, since they are necessary to ensure the resource complies with your chosen privacy settings.

The need to use essential cookies is primarily relevant for websites that have a complex structure and a variety of widgets. Think of an e-commerce site that needs a shopping cart and a payment system, or a photo app that has to save images to your device.

A key piece of data stored in required cookies is the above-mentioned Session ID, which helps the site identify you. If you don’t allow this ID to be saved in a cookie, some websites will put it directly in the page’s URL instead. This is a much riskier practice because URLs aren’t encrypted. They’re also visible to analytics services, tracking tools, and even other users on the same network as you, which makes them vulnerable to cross-site scripting (XSS) attacks. This is a major reason why many sites won’t let you disable required cookies for your own security.

Optional cookies are the ones that track your online behavior for marketing, analytics, and performance. This category includes third-party cookies created by social media platforms, as well as performance cookies that help the website run faster and balance the load across servers. For instance, these cookies can track broken links to improve a website’s overall speed and reliability.

Essentially, most optional cookies are third-party cookies that aren’t critical for the site to function. However, the category can also include some first-party cookies for things like site analytics or collecting information about your preferences to show you personalized content.

While these cookies generally don’t store your personal information in readable form, the data they collect can still be used by analytics tools to build a detailed profile of you with enough identifying information. For example, by analyzing which sites you visit, companies can make educated guesses about your age, health, location, and much more.

A major concern is that optional cookies can sometimes capture sensitive information from autofill forms, such as your name, home address, or even bank card details. This is exactly why many websites now give you the choice to accept or decline the collection of this data.

Special types of cookies

Let’s also highlight special subtypes of cookies managed with the help of two similar technologies that enable non-standard storage and retrieval methods.

A supercookie is a tracking technology that embeds cookies into website headers and stores them in non-standard locations, such as HTML5 local storage, browser plugin storage, or browser cache. Because they’re not in the usual spot, simply clearing your browser’s history and cookies won’t get rid of them.

Supercookies are used for personalizing ads and collecting analytical data about the user (for example, by internet service providers). From a privacy standpoint, supercookies are a major concern. They’re a persistent and hard-to-control tracking mechanism that can monitor your activity without your consent, which makes it tough to opt out.

Another unusual tracking method is Evercookie, a type of zombie cookie. Evercookies can be recovered with JavaScript even after being deleted. The recovery process relies on the unique user identifier (if available), as well as traces of cookies stored across all possible browser storage locations.

How cookie use is regulated

The collection and management of cookies are governed by different laws around the world. Let’s review the key standards from global practices.

1. General Data Protection Regulation (GDPR) and ePrivacy Directive (Cookie Law) in the European Union.
   Under EU law, essential cookies don’t require user consent. This has created a loophole for some websites. You might click “Reject All”, but that button might only refuse non-essential cookies, allowing others to still be collected.
2. Lei Geral de Proteção de Dados Pessoais (LGPD) in Brazil.
   This law regulates the collection, processing, and storage of user data within Brazil. It is largely inspired by the principles of GDPR and, similarly, requires free, unequivocal, and clear consent from users for the use of their personal data. However, LGPD classifies a broader range of information as personal data, including biometric and genetic data. It is important to note that compliance with GDPR does not automatically mean compliance with LGPD, and vice versa.
3. California Consumer Privacy Act (CCPA) in the United States.
   The CCPA considers cookies a form of personal information. This means their collection and storage must follow certain rules. For example, any California resident has the right to stop cross-site cookie tracking to prevent their personal data from being sold. Service providers are required to give users choices about what data is collected and how it’s used.
4. The UK’s Privacy and Electronic Communications Regulations (PECR, or EC Directive) are similar to the Cookie Law.
   PECR states that websites and apps can only save information on a user’s device in two situations: when it’s absolutely necessary for the site to work or provide a service, or when the user has given their explicit consent to this.
5. Federal Law No. 152-FZ “On Personal Data” in Russia.
   The law broadly defines personal data as any information that directly or indirectly relates to an individual. Since cookies can fall under this definition, they can be regulated by this law. This means websites must get explicit consent from users to process their data.

In Russia, website owners must inform users about the use of technical cookies, but they don’t need to get consent to collect this information. For all other types of cookies, user consent is required. Often, the user gives this consent automatically when they first visit the site, as it’s stated in the default cookie warning.

Some sites use a banner or a pop-up window to ask for consent, and some even let users choose exactly which cookies they’re willing to store on their device.

Beyond these laws, website owners create their own rules for using first-party cookies. Similarly, third-party cookies are managed by the owners of third-party services, such as Google Analytics. These parties decide what kind of information goes into the cookies and how it’s formatted. They also determine the cookies’ lifespan and security settings. To understand why these settings are so important, let’s look at a few ways malicious actors can attack one of the most critical types of cookies: those that contain a Session ID.

Session hijacking methods

As discussed above, cookies containing a Session ID are extremely sensitive. They are a prime target for cybercriminals. In real-world attacks, different methods for stealing a Session ID have been documented. This is a practice known as session hijacking. Below, we’ll look at a few types of session hijacking.

Session sniffing

One method for stealing cookies with a Session ID is session sniffing, which involves intercepting traffic between the user and the website. This threat is a concern for websites that use the open HTTP protocol instead of HTTPS, which encrypts traffic. With HTTP, cookies are transmitted in plain text within the headers of HTTP requests, which makes them vulnerable to interception.

Attacks targeting unencrypted HTTP traffic mostly happen on public Wi-Fi networks, especially those without a password and strong security protocols like WPA2 or WPA3. These protocols use AES encryption to protect traffic on Wi-Fi networks, with WPA3 currently being the most secure version. While WPA2/WPA3 protection limits the ability to intercept HTTP traffic, only implementing HTTPS can truly protect against session sniffing.

This method of stealing Session ID cookies is fairly rare today, as most websites now use HTTPS encryption. The popularity of this type of attack, however, was a major reason for the mass shift to using HTTPS for all connections during a user’s session, known as HTTPS everywhere.

Cross-site scripting (XSS)

Cross-site scripting (XSS) exploits vulnerabilities in a website’s code to inject a malicious script, often written in JavaScript, onto its webpages. This script then runs whenever a victim visits the site. Here’s how an XSS attack works: an attacker finds a vulnerability in the source code of the target website that allows them to inject a malicious script. For example, the script might be hidden in a URL parameter or a comment on the page. When the user opens the infected page, the script executes in their browser and gains access to the site’s data, including the cookies that contain the Session ID.

Session fixation

In a session fixation attack, the attacker tricks your browser into using a pre-determined Session ID. Thus, the attacker prepares the ground for intercepting session data after the victim visits the website and performs authentication.

Here’s how it goes down. The attacker visits a website and gets a valid, but unauthenticated, Session ID from the server. They then trick you into using that specific Session ID. A common way to do this is by sending you a link with the Session ID already embedded in the URL, like this: http://example.com/?SESSIONID=ATTACKER_ID. When you click the link and sign in, the website links the attacker’s Session ID to your authenticated session. The attacker can then use the hijacked Session ID to take over your account.

Modern, well-configured websites are much less vulnerable to session fixation than XSS-like attacks because most current web frameworks automatically change the user’s Session ID after they sign in. However, the very existence of this Session ID exploitation attack highlights how crucial it is for websites to securely manage the entire lifecycle of the user session, especially at the moment of sign-in.

Cross-site request forgery (CSRF)

Unlike session fixation or sniffing attacks, cross-site request forgery (CSRF or XSRF) leverages the website’s trust in your browser. The attacker forces your browser, without your knowledge, to perform an unwanted action on a website where you’re signed in – like changing your password or deleting data.

For this type of attack, the attacker creates a malicious webpage or an email message with a harmful link, piece of HTML code, or script. This code contains a request to a vulnerable website. You open the page or email message, and your browser automatically sends the hidden request to the target site. The request includes the malicious action and all the necessary (for example, temporary) cookies for that site. Because the website sees the valid cookies, it treats the request as a legitimate one and executes it.

Variants of the man-in-the-middle (MitM) attack

A man-in-the-middle (MitM) attack is when a cybercriminal not only snoops on but also redirects all the victim’s traffic through their own systems, thus gaining the ability to both read and alter the data being transmitted. Examples of these attacks include DNS spoofing or the creation of fake Wi-Fi hotspots that look legitimate. In an MitM attack, the attacker becomes the middleman between you and the website, which gives them the ability to intercept data, such as cookies containing the Session ID.

Websites using the older HTTP protocol are especially vulnerable to MitM attacks. However, sites using the more secure HTTPS protocol are not entirely safe either. Malicious actors can try to trick your browser with a fake SSL/TLS certificate. Your browser is designed to warn you about suspicious invalid certificates, but if you ignore that warning, the attacker can decrypt your traffic. Cybercriminals can also use a technique called SSL stripping to force your connection to switch from HTTPS to HTTP.

Predictable Session IDs

Cybercriminals don’t always have to steal your Session ID – sometimes they can just guess it. They can figure out your Session ID if it’s created according to a predictable pattern with weak, non-cryptographic characters. For example, a Session ID may contain your IP address or consecutive numbers, and a weak algorithm that uses easily predictable random sequences may be used to generate it.

To carry out this type of attack, the malicious actor will collect a sufficient number of Session ID examples. They analyze the pattern to figure out the algorithm used to create the IDs, then apply that knowledge to predicting your current or next Session ID.

Cookie tossing

This attack method exploits the browser’s handling of cookies set by subdomains of a single domain. If a malicious actor takes control of a subdomain, they can try to manipulate higher-level cookies, in particular the Session ID. For example, if a cookie is set for sub.domain.com with the Domain attribute set to .domain.com, that cookie will also be valid for the entire domain.

This lets the attacker “toss” their own malicious cookies with the same names as the main domain’s cookies, such as Session_id. When your browser sends a request to the main server, it includes all the relevant cookies it has. The server might mistakenly process the hacker’s Session ID, giving them access to your user session. This can work even if you never visited the compromised subdomain yourself. In some cases, sending invalid cookies can also cause errors on the server.

How to protect yourself and your users

The primary responsibility for cookie security rests with website developers. Modern ready-made web frameworks generally provide built-in defenses, but every developer should understand the specifics of cookie configuration and the risks of a careless approach. To counter the threats we’ve discussed, here are some key recommendations.

Recommendations for web developers

All traffic between the client and server must be encrypted at the network connection and data exchange level. We strongly recommend using HTTPS and enforcing automatic redirect from HTTP to HTTPS. For an extra layer of protection, developers should use the HTTP Strict Transport Security (HSTS) header, which forces the browser to always use HTTPS. This makes it much harder, and sometimes impossible, for attackers to slip into your traffic to perform session sniffing, MitM, or cookie tossing attacks.

It must be mentioned that the use of HTTPS is insufficient protection against XSS attacks. HTTPS encrypts data during transmission, while an XSS script executes directly in the user’s browser within the HTTPS session. So, it’s up to the website owner to implement protection against XSS attacks. To stop malicious scripts from getting in, developers need to follow secure coding practices:

• Validate and sanitize user input data.
• Implement mandatory data encoding (escaping) when rendering content on the page – this way, the browser will not interpret malicious code as part of the page and will not execute it.
• Use the HttpOnly flag to protect cookie files from being accessed by the browser.
• Use the Content Security Policy (CSP) standard to control code sources. It allows monitoring which scripts and other content sources are permitted to execute and load on the website.

For attacks like session fixation, a key defense is to force the server to generate a new Session ID right after the user successfully signs in. The website developer must invalidate the old, potentially compromised Session ID and create a new one that the attacker doesn’t know.

An extra layer of protection involves checking cookie attributes. To ensure protection, it is necessary to check for the presence of specific flags (and set them if they are missing): Secure and HttpOnly. The Secure flag ensures that cookies are transmitted over an HTTPS connection, while HttpOnly prevents access to them from the browser, for example through scripts, helping protect sensitive data from malicious code. Having these attributes can help protect against session sniffing, MitM, cookie tossing, and XSS.

Pay attention to another security attribute, SameSite, which can restrict cookie transmission. Set it to Lax or Strict for all cookies to ensure they are sent only to trusted web addresses during cross-site requests and to protect against CSRF attacks. Another common strategy against CSRF attacks is to use a unique, randomly generated CSRF token for each user session. This token is sent to the user’s browser and must be included in every HTTP request that performs an action on your site. The site then checks to make sure the token is present and correct. If it’s missing or doesn’t match the expected value, the request is rejected as a potential threat. This is important because if the Session ID is compromised, the attacker may attempt to replace the CSRF token.

To protect against an attack where a cybercriminal tries to guess the user’s Session ID, you need to make sure these IDs are truly random and impossible to predict. We recommend using a cryptographically secure random number generator that utilizes powerful algorithms to create hard-to-predict IDs. Additional protection for the Session ID can be ensured by forcing its regeneration after the user authenticates on the web resource.

The most effective way to prevent a cookie tossing attack is to use cookies with the __Host- prefix. These cookies can only be set on the same domain that the request originates from and cannot have a Domain attribute specified. This guarantees that a cookie set by the main domain can’t be overwritten by a subdomain.

Finally, it’s crucial to perform regular security checks on all your subdomains. This includes monitoring for inactive or outdated DNS records that could be hijacked by an attacker. We also recommend ensuring that any user-generated content is securely isolated on its own subdomain. User-generated data must be stored and managed in a way that prevents it from compromising the security of the main domain.

As mentioned above, if cookies are disabled, the Session ID can sometimes get exposed in the website URL. To prevent this, website developers must embed this ID into essential cookies that cannot be declined.

Many modern web development frameworks have built-in security features that can stop most of the attack types described above. These features make managing cookies much safer and easier for developers. Some of the best practices include regular rotation of the Session ID after the user signs in, use of the Secure and HttpOnly flags, limiting the session lifetime, binding it to the client’s IP address, User-Agent string, and other parameters, as well as generating unique CSRF tokens.

There are other ways to store user data that are both more secure and better for performance than cookies.

Depending on the website’s needs, developers can use different tools, like the Web Storage API (which includes localStorage and sessionStorage), IndexedDB, and other options. When using an API, data isn’t sent to the server with every single request, which saves resources and makes the website perform better.

Another exciting alternative is the server-side approach. With this method, only the Session ID is stored on the client side, while all the other data stays on the server. This is even more secure than storing data with the help of APIs because private information is never exposed on the client side.

Tips for users

Staying vigilant and attentive is a big part of protecting yourself from cookie hijacking and other malicious manipulations.

Always make sure the website you are visiting is using HTTPS. You can check this by looking at the beginning of the website address in the browser address bar. Some browsers let the user view additional website security details. For example, in Google Chrome, you can click the icon right before the address.

This will show you if the “Connection is secure” and the “Certificate is valid”. If these details are missing or data is being sent over HTTP, we recommend maximum caution when visiting the website and, whenever possible, avoiding entering any personal information, as the site does not meet basic security standards.

When browsing the web, always pay attention to any security warnings your browser gives you, especially about suspicious or invalid certificates. Seeing one of these warnings might be a sign of an MitM attack. If you see a security warning, it’s best to stop what you’re doing and leave that website right away. Many browsers implement certificate verification and other security features, so it is important to install browser updates promptly – this replaces outdated and compromised certificates.

We also recommend regularly clearing your browser data (cookies and cache). This can help get rid of outdated or potentially compromised Session IDs.

Always use two-factor authentication wherever it’s available. This makes it much harder for a malicious actor to access your account, even if your Session ID is exposed.

When a site asks for your consent to use cookies, the safest option is to refuse all non-essential ones, but we’ll reiterate that sometimes, clicking “Reject cookies” only means declining the optional ones. If this option is unavailable, we recommend reviewing the settings to only accept the strictly necessary cookies. Some websites offer this directly in the pop-up cookie consent notification, while others provide it in advanced settings.

The universal recommendation to avoid clicking suspicious links is especially relevant in the context of preventing Session ID theft. As mentioned above, suspicious links can be used in what’s known as session fixation attacks. Carefully check the URL: if it contains parameters you do not understand, we recommend copying the link into the address bar manually and removing the parameters before loading the page. Long strings of characters in the parameters of a legitimate URL may turn out to be an attacker’s Session ID. Deleting it renders the link safe. While you’re at it, always check the domain name to make sure you’re not falling for a phishing scam.

In addition, we advise extreme caution when connecting to public Wi-Fi networks. Man-in-the-middle attacks often happen through open networks or rogue Wi-Fi hotspots. If you need to use a public network, never do it without a virtual private network (VPN), which encrypts your data and makes it nearly impossible for anyone to snoop on your activity.

Tax season isn’t just busy for taxpayers—it’s prime time for scammers, too. As you gather your W-2s, 1099s, and other tax documents, cybercriminals are gearing up to exploit the flood of personal and financial data in circulation. From phishing emails posing as the IRS to fake tax preparers looking to steal your refund, these scams can lead to identity theft, fraudulent tax returns, and serious financial headaches. 

The good news? IRS scams follow predictable patterns, and with a little awareness, you can spot the warning signs before falling victim. Let’s break down the most common tax scams and how you can safeguard your personal information this filing season. 

Impersonation Schemes

A commonly used tactic involves hackers posing as collectors from the IRS, as tax preparers, or government bureaus. This tactic is pretty effective due to Americans’ concerns about misfiling their taxes or accidentally running into trouble with the IRS. Scammers take advantage of this fear, manipulating innocent users into providing sensitive information or money over the phone or by email. And in extreme cases, hackers may be able to infect computers with malware via malicious links or attachments sent through IRS email scams.

Robocalls

Another tactic used to take advantage of taxpayers is the canceled social security number scam. Hackers use robocalls claiming that law enforcement will suspend or cancel the victim’s Social Security number in response to taxes owed. Often, victims are scared into calling the fraudulent numbers back and persuaded into transferring assets to accounts that the scammer controls. Users need to remember that the IRS will only contact taxpayers through snail mail or in person, not over the phone.

Emails

Another scam criminals use involves emails impersonating the IRS. Victims receive a phishing email claiming to be from the IRS, reminding them to file their taxes or offering them information about their tax refund via malicious links. If a victim clicks on the link, they will be redirected to a spoofed site that collects the victim’s personal data, facilitating identity theft. What’s more, a victim’s computer can become infected with malware if they click on a link with malicious code, allowing fraudsters to steal more data.

Phony CPAs

Scammers also take advantage of the fact that many users seek out the help of a tax preparer or CPA during this time. These criminals will often pose as professionals, accepting money to complete a user’s taxes but won’t sign the return. This makes it look like the user completed the return themselves. However, these ghost tax preparers often lie on the return to make the user qualify for credits they haven’t earned or apply changes that will get them in trouble. Since the scammers don’t sign, the victim will then be responsible for any errors. This could lead to the user having to repay money owed, or potentially lead to an audit.

While these types of scams can occur at any time of the year, they are especially prevalent leading up to the April tax filing due date. Consumers need to be on their toes during tax season to protect their personal information and keep their finances secure. To avoid being spoofed by scammers and identity thieves, follow these tips:

File before cybercriminals do it for you. The easiest defense you can take against tax seasons schemes is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a cybercriminal.

Keep an eye on your credit and your identity. Keeping tabs on your credit report and knowing if your personal information has been compromised in some way can help prevent tax fraud. Together, they can let you know if someone has stolen your identity or if you have personal info on the dark web that could lead to identity theft.

• Our credit monitoring servicecan keep an eye on changes to your credit score, report, and accounts with timely notifications and guidance so you can take action to tackle identity theft.
• Our identity monitoring servicechecks the dark web for your personal info, including email, government IDs, credit card and bank account info, and more—then provides alerts if your data is found on the dark web, an average of 10 months ahead of similar services.​

 

Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Remember: the IRS will not initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial info. So someone contacts you that way, ignore the message.

Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.

Use a VPN, especially in public. Also known as a virtual private network, a VPN helps protect your vital personal info and other data with bank-grade encryption. The VPN encrypts your internet connection to keep your online activity private on any network, even public networks. Using a public network without a VPN can increase your risk because others on the network can potentially spy on your browsing and activity. If you’re new to the notion of using a VPN, check out this article on VPNs and how to choose one so that you can get the best protection and privacy possible. (Our McAfee+ plans offer a VPN as part of your subscription.)

Protect yourself from scam messages. Scammers also send links to scam sites via texts, social media messages, and email. Text Scam Detector can help you spot if the message you got is a fake. It uses AI technology that automatically detects links to scam URLs. If you accidentally click, don’t worry, it can block risky sites if you do.

Clean up your personal info online. Crooks and scammers have to find you before they can contact you. After all, they need to get your phone number or email from somewhere. Sometimes, that’s from “people finder” and online data brokers that gather and sell personal info to any buyer. Including crooks. McAfee Personal Data Cleanup can remove your personal info from the data broker sites scammers use to contact their victims.

Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

The post Watch Out For IRS Scams and Avoid Identity Theft appeared first on McAfee Blog.

McAfee threat researchers have identified several consumer brands and product categories most frequently used by cybercriminals to trick consumers into clicking on malicious links in the first weeks of this holiday shopping season. As holiday excitement peaks and shoppers hunt for the perfect gifts and amazing deals, scammers are taking advantage of the buzz. The National Retail Federation projects holiday spending will reach between $979.5 and $989 billion this year, and cybercriminals are capitalizing by creating scams that mimic the trusted brands and categories consumers trust. From October 1 to November 12, 2024, McAfee safeguarded its customers from 624,346 malicious or suspicious URLs tied to popular consumer brand names – a clear indication that bad actors are exploiting trusted brand names to deceive holiday shoppers. 

McAfee’s threat research also reveals a 33.82% spike in malicious URLs targeting consumers with these brands’ names in the run-up to Black Friday and Cyber Monday. This rise in fraudulent activity aligns with holiday shopping patterns during a time when consumers may be more susceptible to clicking on offers from well-known brands like Apple, Yeezy, and Louis Vuitton, especially when deals seem too good to be true – pointing to the need for consumers to stay vigilant, especially with offers that seem unusually generous or come from unverified sources.  

McAfee threat researchers have identified a surge in counterfeit sites and phishing scams that use popular luxury brands and tech products to lure consumers into “deals” on fake e-commerce sites designed to appear as official brand pages. While footwear and handbags were identified as the top two product categories exploited by cybercrooks during this festive time, the list of most exploited brands extends beyond those borders: 

Top Product Categories and Brands Targeted by Holiday Hustlers 

• Product categories: Handbags and footwear were the two most common product categories for bad actors. Yeezy (shoes) and Louis Vuitton (luxury handbags) were the most common brands that trick consumers into engaging with malicious/suspicious sites. 

• Footwear: Adidas, especially the Yeezy line, was a top target, with counterfeit sites posing as official Adidas or Yeezy outlets. 

• Luxury goods and handbags: Louis Vuitton emerged as a frequent target, particularly its handbag line. Cybercrooks frequently set up fake sites advertising high-demand luxury items like Louis Vuitton bags and apparel. 

• Watches: Rolex was one of the most frequently counterfeited brands, with fraudulent sites openly selling counterfeit versions of the brand’s coveted watches. 

• Technology: Scammers frequently used the Apple brand to trick consumers, including fake customer service websites and stores selling counterfeit Apple items alongside unrelated brands. 

By mimicking trusted brands like these, offering unbelievable deals, or posing as legitimate customer service channels, cybercrooks create convincing traps designed to steal personal information or money. Here are some of the most common tactics scammers are using this holiday season: 

Unwrapping Cybercriminals’ Holiday Shopping Scam Tactics 

• Fake e-commerce sites: Scammers often set up fake shopping websites mimicking official brand sites. These sites use URLs similar to those of the real brand and offer too-good-to-be-true deals to attract bargain hunters. 

• Phishing sites with customer service bait: Particularly with tech brands like Apple, some scam sites impersonate official customer service channels to lure customers into revealing personal information. 

• Knockoff and counterfeit products: Some scam sites advertise counterfeit items as if they are real; there is often no indication that they are not legitimate products. This tactic was common for scammers leveraging the Rolex and Louis Vuitton brands, which appeal to consumers seeking luxury goods. 

 With holiday shopping in full swing, it’s essential for consumers to stay one step ahead of scammers. By understanding the tactics cybercriminals use and taking a few precautionary measures, shoppers can protect themselves from falling victim to fraud. Here are some practical tips for safe shopping this season: 

Smart Shopping Tips to Outsmart Holiday Scammers 

• Stay alert, particularly during shopping scam season: The increase in malicious URLs during October and November is a strong indicator that scammers capitalize on holiday shopping behaviors. Consumers should be especially vigilant during this period and continue to exercise caution throughout the holiday shopping season. 

• Wear a skeptic’s hat: To stay safe, consumers should verify URLs, look for signs of secure websites (like https://), and be wary of any sites offering discounts that seem too good to be true. 

• Exercise additional caution: Adidas, Yeezy, Louis Vuitton, Apple, and Rolex are brand names frequently used by cybercrooks looking to scam consumers, so sticking with trusted sources is particularly important when shopping for these items online. 

Research Methodology 

McAfee’s threat research team analyzed malicious or suspicious URLs that McAfee’s web reputation technology identified as targeting customers, by using a list of key company and product brand names—based on insights from a Potter Clarkson report on frequently faked brands—to query the URLs. This methodology captures instances where users either clicked on or were directed to dangerous sites mimicking trusted brands. Additionally, the team queried anonymized user activity from October 1st through November 12th. 

Examples: 

The image below is a screenshot of a fake / malicious / scam site: Yeezy is a popular product brand formerly from Adidas found in multiple Malicious/Suspicious URLs. Often, they present themselves as official Yeezy and/or Adidas shopping sites. 

 

The image below is a screenshot of a fake / malicious / scam site: The Apple brand was a popular target for scammers. Many sites were either knock offs, scams, or in this case, a fake customer service page designed to lure users into a scam. 

 

The image below is a screenshot of a fake / malicious / scam site: This particular (fake) Apple sales site used Apple within its URL and name to appear more official. Oddly, this site also sells Samsung Android phones. 

The image below is a screenshot of a fake / malicious / scam site: This site, now taken down, is a scam site purporting to sell Nike shoes. 

The image below is a screenshot of a fake / malicious / scam site: Louis Vuitton is a popular brand for counterfeit and scams. Particularly their handbags. Here is one site that was entirely focused on Louis Vuitton Handbags. 

The image below is a screenshot of a fake / malicious / scam site: This site presents itself as the official Louis Vuitton site selling handbags and clothes. 

 

The image below is a screenshot of a fake / malicious / scam site: This site uses too-good-to-be-true deals on branded items including this Louis Vuitton Bomber jacket. 

The image below is a screenshot of a fake / malicious / scam site: Rolex is a popular watch brand for counterfeits and scams. This site acknowledges it sells counterfeits and makes no effort to indicate this on the product.  

 

The post This Holiday Season, Watch Out for These Cyber-Grinch Tricks Used to Scam Holiday Shoppers appeared first on McAfee Blog.

If you think your Gmail account’s been hacked, you’ll want to act. And act quickly.

The fact is that your email has all manner of personal info in there. Receipts, tax correspondence, medical info, and so on. With a hacked account, that info might get deleted, shared, or used against you for identity theft.

Luckily, Google has mechanisms in place to restore a hacked Gmail account. We’ll walk through the steps here — and a few others that can keep you secure in the long term after you have your account back.

What are signs that your Gmail account got hacked?

Several things can tip you off, including:

• Discovering sent messages that you didn’t send.
• Changes to the labels or filters that help organize your mail.
• Updates to your security settings.
• You can’t log into your account with your password.
• Your account has been deleted entirely.

With varying degrees of certainty, those are some signs that your account has been hacked.

Also, many people have a Google Account linked with their Gmail password and login. Beyond email, that might include files in Google Drive, photos, a YouTube account, and other features that contain personal info. In those cases, that only increases the potential harm of a hacked account.

Additionally, services like Google Pay and Google Play complicate matters more in the event of a hacked account because they contain financial info.

If you see any unusual changes in those apps or services, that might be a sign of a hacked account as well.

What to do if you can’t access your Gmail account

If you think someone else has changed your password or deleted your account, head to Google’s account recovery page. It’ll take you through a multi-step process to restore your account.

With that, you’ll want to do some quick prep. First, do your best to begin the recovery process with a device that you typically use to access your account. Also, if possible, do it in a location where you typically access your account. This provides Google with identifiers that you are who you say you are.

After that, gather up your Gmail account passwords, old and current. The recovery page will ask for them, along with other questions. Do your best to answer each question the very best you can. There’s no penalty for a wrong answer and the more info you can provide, the better.

If you can access your Gmail account, but you think someone else is using it

If you can log into your account, yet worry it’s been hacked, take these steps:

• Go to your Google Account login page at: https://myaccount.google.com/
• In the menu, select Security -> Recent security events.
• Look for any suspicious activity and mark the events “Yes” or “No” if you did or didn’t do them yourself.
• Next, select Security -> Manage devices.
• If you find a device that you don’t recognize: Select “Don’t recognize a device?” Then, follow the steps on the screen to help secure your account.
• Lastly, select Security -> Your devices -> Manage all devices.
• Select any unfamiliar device and then sign it out.

Next, run a virus scan on your device. Your password might have gotten compromised in one of several ways, including malware. This can remove any malware that might be spying on your device (and your passwords).

At this point, create a new password that’s strong and unique. Use at least 14 characters using a mix of upper- and lowercase letters, symbols, and numbers. Or have a password manager do that work for you.

And finally, set two-factor verification on your account if you aren’t already using it. This makes your account far tougher to hack, as two-factor verification requires a unique code to log in. One that only you receive. And just like with your password, never share your unique code. Anyone asking for it is a scammer.

Looking ahead: Ways you can prevent your Gmail account from getting hacked

By taking the steps we just covered, you’ve done two important things that can protect you moving forward. One is setting up a strong, unique password. The second is using two-factor verification.

The next thing is to get comprehensive online protection in place. Protection like you’ll find in our McAfee+ plans offers several features that can keep you and your accounts safe.

Once again, your password got compromised one way or another. It could have been spyware on your device. It could have been a phishing attack. It could have been a data breach. The list goes on. However, we refer to it as comprehensive online protection because it’s exactly that. In addition to antivirus, our McAfee+ plans have dozens of features that can protect your devices, identity, and privacy.

For example:

• It has the password manager we mentioned above, which can protect all your accounts online with strong, unique passwords.
• Our multi-award-winning antivirus detects and removes malware that tries to steal your personal info.
• It also has protections against phishing attacks and against websites that try to steal passwords and personal info — like our Text Scam Detector and Web Protection.
• Our McAfee+ plans also have identity monitoring, so if your accounts or personal info crop up on the dark web, you’ll get notified.
• And our plans also include Online Account Cleanup. It scans for accounts you no longer use and helps you delete them, along with your personal info, so you’re less exposed to data breaches.

Recovering from a hacked Gmail account

The important thing is this: if you think your Gmail account got hacked, act quickly. You might have much more than just your email linked to that account. Files, photos, and finances might be tied to it as well.

Even if something looks just slightly off, act as if your account got hacked. Log in, change your password, establish two-step verification if you haven’t, and take the other steps mentioned above. Above and beyond your email and all the personal info packed in there, your account can give a hacker access to plenty more.

The post How to Reset Your Gmail Password After Being Hacked appeared first on McAfee Blog.

You crack open your credit card statement and something seems … off. Maybe it’s a couple of small online purchases that make you think, “Hmm, that’s strange.” Or maybe a statement shows up in your mailbox — one for a card that you don’t own at all. That calls for a huge “What the heck???” Sure enough, you’re looking at cases of identity fraud and theft.

And there’s a difference between identity fraud and identity theft. It’s subtle. And because of that, they often get used interchangeably. Each one can really sting but in different ways.

Identity fraud is…

• When someone steals your personal info to tap into an account you already have.
• Examples:
  • A crook gets hold of your debit card info from a data breach and buys a video game console with it.
  • You fall victim to a phishing attack while buying concert tickets. The crooks bundle up your credit card info with the info from thousands of other victims. Then they sell it on the dark web.

Identity theft is…

• When someone uses your personal info to open new accounts in your name — or impersonates you in other ways.
• Examples:
  • A crook uses your personal info to open a new line of credit at a furniture store under your name and buys a couple of massaging recliners with it.
  • A criminal uses your Social Security Number (SSN) to create a driver’s license with their likeness but with your name and personal info.

So, put simply, identity fraud involves stealing from an existing account. Identity theft means that someone used your personal info to impersonate you in some way, such as opening new accounts in your name.

Top forms of identity theft and fraud

Each year, the U.S. Federal Trade Commission (FTC) publishes a data book that collects consumer reports of fraud, identity theft, and other similar crimes. Using the most recent data from the FTC, we can plot what the top forms of identity theft and fraud look like.

Credit cards

By far the top form of identity theft and fraud. As mentioned in the examples above, these can include crooks who string out several small purchases over time. All in the hope that the cardholder will overlook it. It can also include a one-whopper of a purchase for a big-ticket item. Here, the crook knows the card will likely get canceled quickly afterward. It’s a one-and-done deal.

Loans and leases

Second, we have loans and leases. This can range from student loans, personal loans, and auto loans, and to real estate rentals as well. Common across them all is someone impersonating you to take them out or tap into their funds in some way.

Bank accounts

Here, the creation of totally new accounts leads the way in this category. As we described above, that’s a form of identity theft. Yet identity fraud accounts for a noticeable chuck, which includes account takeovers. In these cases, crooks siphon off funds via debit cards, Electronic Funds Transfer (ETF), and other forms of withdrawal and transfer.

ID and government benefits

This covers cases where crooks use stolen personal info to get IDs. That includes driver’s licenses, passports, and other government documentation. Further, this category also encompasses the theft of government-issued benefits ranging from medical assistance to veteran’s pay.

Tax returns

While all forms of identity theft and fraud can pack a punch, this type hits particularly hard because it involves your SSN. Around tax time, scammers with access to SSNs will file bogus returns, all with the aim of claiming the refund for themselves.

Utilities

Largely, this involves people buying cell phones and opening new mobile accounts along with them. Yet it also includes people opening other utilities in other people’s names. Indeed, crooks will scam their way into getting free electricity, water, gas, and yes…cable TV.

Other important forms of identity theft and fraud to keep in mind

Although these forms don’t top the list in terms of reports, they still bear mentioning. They’re serious enough, and they can go undetected for some time before their victims find out.

Medical identity theft

In this form, an imposter receives care, medications, or medical devices in someone else’s name. They might pass off phony documentation to the care provider involved, the insurance company that pays for the care, or a combination of the two. A few things can happen as a result. It can impact the care you can get and the benefits you can use. In extreme cases, the thief’s health info can get mixed in with yours and impact your care. Medical identity theft is a good reason to closely review all the medical and insurance statements you get.

Child identity theft

Imagine your child about to rent a first apartment. The property management company runs a credit check, only to find a horrendous credit rating. But how? An identity thief has been using your child’s identity for years now. After all, what parent thinks, “I really should run a credit report on my kindergartener.” And that’s fair. However, signing up your child for identity is a sound move. It can help spot if your child’s identity got stolen.

Steps to take if you suspect that you’re the victim of identity theft

1) Notify the companies and institutions involved and consider a credit freeze.

Whether you spot a curious charge on your bank statement or you discover what looks like a fraudulent account in your credit monitoring service, let the bank or business involved know you suspect fraud. With a visit to their website, you can track down the appropriate number to call and get the investigation process started.

In the meantime, consider putting a security freeze in place. A security freeze service prevents others from opening new credit, bank, and utility accounts in your name.​ It won’t hit your credit score, and you can unfreeze it when needed. You’ll find this feature in our McAfee+ plans as well.

2) File a police report.

Some businesses will require you to file a local police report to acquire a case number to complete your claim. Beyond that, filing a report is still a good idea. Identity theft is still theft, and reporting it provides an official record of it.

Should your case of identity theft lead to someone impersonating you or committing a crime in your name, filing a police report right away can help you clear your name down the road. Likewise, save any evidence you have, such as statements or documents associated with the theft. They can help you clean up your record as well.

3) Contact the Federal Trade Commission (FTC).

The FTC’s identity theft website is a fantastic resource should you find yourself in need. Above and beyond simply reporting the theft, the FTC can provide you with a step-by-step recovery plan—and even walk you through the process if you create an account with them. Additionally, reporting theft to the FTC can prove helpful if debtors come knocking to collect on any bogus charges in your name. You can provide them with a copy of your FTC report and ask them to stop.

4) Contact the IRS, if needed.

If you receive a notice from the IRS that someone used your identity to file a tax return in your name, follow the information provided by the IRS in the notice. From there, you can file an identity theft affidavit with the IRS. If the notice mentions that you were paid by an employer you don’t know, contact that employer as well and let them know of possible fraud — namely that someone has stolen your identity and that you don’t truly work for them.

Also, be aware that the IRS has specific guidelines as to how and when they will contact you. As a rule, they will most likely contact you via physical mail delivered by the U.S. Postal Service. (They won’t call, nor will they call and apply harassing pressure tactics — only scammers do that.) Identity-based tax scams are a topic all of their own, and for more on it, you can check out this article on tax scams and how to avoid them.

5) Continue to monitor your credit report, invoices, and statements.

Another downside of identity theft is that it can mark the start of a long, drawn-out affair. One instance of theft can possibly lead to another, so even what may appear to be an isolated bad charge on your credit card calls for keeping an eye on your identity. Many of the tools you would use up to this point still apply, such as checking up on your credit reports, maintaining fraud alerts as needed, in addition to reviewing your accounts closely.

Several features in our McAfee+ plans can do this work, and quite a bit more, for you:

• Credit Monitoring helps you keep an eye on changes to your credit score, report, and accounts with timely notifications. Spot something unusual? It offers guidance so you can tackle identity theft.
• Identity Monitoring checks the dark web for your personal info, including email, government IDs, credit card and bank account numbers, and more. If any of it shows up on the dark web, it sends you an alert with guidance that can help protect you from identity theft.
• Our online protection software also offers several transaction monitoring features. They track transactions on credit cards and bank accounts — shooting you a notice if unusual activity occurs. They also track retirement accounts, investments, and loans for questionable transactions. Finally, further features can help prevent a bank account takeover and keep others from taking out short-term payday loans in your name.
• And finally, should the unexpected happen, our Identity Theft Coverage & Restoration can get you on the path to recovery. It offers up to $2 million in coverage for legal fees, travel, and funds lost because of identity theft. Further, a licensed recovery pro can do the work for you, taking the necessary steps to repair your identity and credit.

The post What Are the 6 Types of Identity Theft appeared first on McAfee Blog.

When it comes to identity theft, trust your gut when something doesn’t feel right. Follow up. What you’re seeing could be a problem.  

A missing bill or a mysterious charge on your credit card could be the tip of an identity theft iceberg, one that can run deep if left unaddressed. Here, we’ll look at several signs of identity theft that likely need some investigation and the steps you can take to take charge of the situation.  

How does identity theft happen in the first place?  

Unfortunately, it can happen in several ways.   

In the physical world, it can happen simply because you lost your wallet or debit card. However, there are also cases where someone gets your information by going through your mail or trash for bills and statements. In other more extreme cases, theft can happen by someone successfully registering a change of address form in your name (although the U.S. Postal Service has security measures in place that make this difficult).   

In the digital world, that’s where the avenues of identity theft blow wide open. It could come by way of a data breach, a thief “skimming” credit card information from a point-of-sale terminal, or by a dedicated crook piecing together various bits of personal information that have been gathered from social media, phishing attacks, or malware designed to harvest information. Additionally, thieves may eavesdrop on public Wi-Fi and steal information from people who are shopping or banking online without the security of a VPN.  

Regardless of how crooks pull it off, identity theft is on the rise. According to the Federal Trade Commission (FTC), identity theft claims jumped up from roughly 650,000 claims in 2019 to 1 million in 2023. Of the reported fraud cases where a dollar loss was reported, the FTC calls out the following top three contact methods for identity theft:  

• Online ads that direct you to a scammer’s site are designed to steal your information.  
• Malicious websites and apps also steal information when you use them.  
• Social media scams lure you into providing personal information, whether through posts or direct messages.  

However, phone calls, texts, and email remain the most preferred contact methods that fraudsters use, even if they are less successful in creating dollar losses than malicious websites, ads, and social media.  

What are some signs of identity theft?  

Identity thieves leave a trail. With your identity in hand, they can charge things to one or more of your existing accounts—and if they have enough information about you, they can even create entirely new accounts in your name. Either way, once an identity thief strikes, you’re probably going to notice that something is wrong. Possible signs include:  

• You start getting mail for accounts that you never opened.   
• Statements or bills stop showing up from your legitimate accounts.  
• You receive authentication messages for accounts you don’t recognize via email, text, or phone.   
• Debt collectors contact you about an account you have no knowledge of.  
• Unauthorized transactions, however large or small, show up in your bank or credit card statements.  
• You apply for credit and get unexpectedly denied.  
• And in extreme cases, you discover that someone else has filed a tax return in your name.  

As you can see, the signs of possible identity theft can run anywhere from, “Well, that’s strange …” to “OH NO!” However, the good news is that there are several ways to check if someone is using your identity before it becomes a problem – or before it becomes a big problem that gets out of hand.   

Steps to take if you suspect that you’re the victim of identity theft  

The point is that if you suspect fraud, you need to act right away. With identity theft becoming increasingly commonplace, many businesses, banks, and organizations have fraud reporting mechanisms in place that can assist you should you have any concerns. With that in mind, here are some immediate steps you can take:  

1) Notify the companies and institutions involved  

Whether you spot a curious charge on your bank statement or you discover what looks like a fraudulent account when you get your free credit report, let the bank or business involved know you suspect fraud. With a visit to their website, you can track down the appropriate number to call and get the investigation process started.   

2) File a police report  

Some businesses will require you to file a local police report to acquire a case number to complete your claim. Even beyond a business making such a request, filing a report is still a good idea. Identity theft is still theft and reporting it provides an official record of the incident. Should your case of identity theft lead to someone impersonating you or committing a crime in your name, filing a police report right away can help clear your name down the road. Be sure to save any evidence you have, like statements or documents that are associated with the theft. They can help clean up your record as well.  

3) Contact the Federal Trade Commission (FTC)  

The FTC’s identity theft website is a fantastic resource should you find yourself in need. Above and beyond simply reporting the theft, the FTC can provide you with a step-by-step recovery plan—and even walk you through the process if you create an account with them. Additionally, reporting theft to the FTC can prove helpful if debtors come knocking to collect on any bogus charges in your name. You can provide them with a copy of your FTC report and ask them to stop.  

4) Place a fraud alert and consider a credit freeze  

You can place a free one-year fraud alert with one of the major credit bureaus (Experian, TransUnion, Equifax), and they will notify the other two. A fraud alert will make it tougher for thieves to open accounts in your name, as it requires businesses to verify your identity before issuing new credit in your name.  

A credit freeze goes a step further. As the name implies, a freeze prohibits creditors from pulling your credit report, which is needed to approve credit. Such a freeze is in place until you lift it, and it will also apply to legitimate queries as well. Thus, if you intend to get a loan or new credit card while a freeze is in place, you’ll likely need to take extra measures to see that through. Contact each of the major credit bureaus (Experian, TransUnion, Equifax) to put a freeze in place or lift it when you’re ready.  

5) Dispute any discrepancies in your credit reports  

This can run the gamut from closing any false accounts that were set up in your name, removing bogus charges, and correcting information in your credit report such as phony addresses or contact information. With your FTC report, you can dispute these discrepancies and have the business correct the record. Be sure to ask for written confirmation and keep a record of all documents and conversations involved.   

6) Contact the IRS, if needed  

If you receive a notice from the IRS that someone used your identity to file a tax return in your name, follow the information provided by the IRS in the notice. From there, you can file an identity theft affidavit with the IRS. If the notice mentions that you were paid by an employer you don’t know, contact that employer as well and let them know of possible fraud—namely that someone has stolen your identity and that you don’t truly work for them.  

Also, be aware that the IRS has specific guidelines as to how and when they will contact you. As a rule, they will most likely contact you via physical mail delivered by the U.S. Postal Service. (They won’t call or apply harassing pressure tactics—only scammers do that.) Identity-based tax scams are a topic all of their own, and for more on it, you can check out this article on tax scams and how to avoid them.  

7) Continue to monitor your credit report, invoices, and statements  

Another downside of identity theft is that it can mark the start of a long, drawn-out affair. One instance of theft can possibly lead to another, so even what may appear to be an isolated bad charge on your credit card calls for keeping an eye on your identity. Many of the tools you would use up to this point still apply, such as checking up on your credit reports, maintaining fraud alerts as needed, and reviewing your accounts closely.  

Preventing identity theft 

With all the time we spend online as we bank, shop, and simply surf, we create and share all kinds of personal information—information that can get collected and even stolen. The good news is that you can prevent theft and fraud with online protection software, such as McAfee+ Ultimate.  

With McAfee+ Ultimate you can: 

• Monitor your credit activity on all three major credit bureaus to stay on top of unauthorized use.​ 
• Also, monitor the dark web for breaches involving your personal info and notify you if it’s found.​ 
• Lock or freeze your credit file to help prevent accounts from being opened in your name. 
• Remove your personal info from over 40 data broker sites collecting and selling it. 
• Restore your identity with a licensed expert should the unexpected happen.​ 
• Receive $1M identity theft and stolen funds coverage along with additional $25K ransomware coverage. 

​In all, it’s our most comprehensive privacy, identity, and device protection plan, built for a time when we rely so heavily on the internet to go about our day, whether that’s work, play, or simply getting things done. 

Righting the wrongs of identity theft: deep breaths and an even keel  

Realizing that you’ve become a victim of identity theft carries plenty of emotion with it, which is understandable—the thief has stolen a part of you to get at your money, information, and even reputation. Once that initial rush of anger and surprise has passed, it’s time to get clinical and get busy. Think like a detective who’s building – and closing – a case. That’s exactly what you’re doing. Follow the steps, document each one, and build up your case file as you need. Staying cool, organized, and ready with an answer to any questions you’ll face in the process of restoring your identity will help you see things through.  

Once again, this is a good reminder that vigilance is the best defense against identity theft from happening in the first place. While there’s no absolute, sure-fire protection against it, there are several things you can do to lower the odds in your favor. And at the top of the list is keeping consistent tabs on what’s happening across your credit reports and accounts.  

The post How to Detect Signs of Identity Theft appeared first on McAfee Blog.

Data Privacy Week is here, and there’s no better time to shine a spotlight on one of the biggest players in the personal information economy: data brokers. These entities collect, buy, and sell hundreds—sometimes thousands—of data points on individuals like you. But how do they manage to gather so much information, and for what purpose? From your browsing habits and purchase history to your location data and even more intimate details, these digital middlemen piece together surprisingly comprehensive profiles. The real question is: where are they getting it all, and why is your personal data so valuable to them? Let’s unravel the mystery behind the data broker industry.

What are data brokers?

Data brokers aggregate user info from various sources on the internet. They collect, collate, package, and sometimes even analyze this data to create a holistic and coherent version of you online. This data then gets put up for sale to nearly anyone who’ll buy it. That can include marketers, private investigators, tech companies, and sometimes law enforcement as well. They’ll also sell to spammers and scammers. (Those bad actors need to get your contact info from somewhere — data brokers are one way to get that and more.)

And that list of potential buyers goes on, which includes but isn’t limited to:

• Tech platforms
• Banks
• Insurance companies
• Political consultancies
• Marketing firms
• Retailers
• Crime-fighting bureaus
• Investigation bureaus
• Video streaming service providers
• Any other businesses involved in sales

These companies and social media platforms use your data to better understand target demographics and the content with which they interact. While the practice isn’t unethical in and of itself (personalizing user experiences and creating more convenient UIs are usually cited as the primary reasons for it), it does make your data vulnerable to malicious attacks targeted toward big-tech servers.

How do data brokers get your information?

Most of your online activities are related. Devices like your phone, laptop, tablets, and even fitness watches are linked to each other. Moreover, you might use one email ID for various accounts and subscriptions. This online interconnectedness makes it easier for data brokers to create a cohesive user profile.

Mobile phone apps are the most common way for data brokerage firms to collect your data. You might have countless apps for various purposes, such as financial transactions, health and fitness, or social media.

A number of these apps usually fall under the umbrella of the same or subsidiary family of apps, all of which work toward collecting and supplying data to big tech platforms. Programs like Google’s AdSense make it easier for developers to monetize their apps in exchange for the user information they collect.

Data brokers also collect data points like your home address, full name, phone number, and date of birth. They have automated scraping tools to quickly collect relevant information from public records (think sales of real estate, marriages, divorces, voter registration, and so on).

Lastly, data brokers can gather data from other third parties that track your cookies or even place trackers or cookies on your browsers. Cookies are small data files that track your online activities when visiting different websites. They track your IP address and browsing history, which third parties can exploit. Cookies are also the reason you see personalized ads and products.

How data brokers sell your identity

Data brokers collate your private information into one package and sell it to “people search” websites. As mentioned above, practically anyone can access these websites and purchase extensive consumer data, for groups of people and individuals alike.

Next, marketing and sales firms are some of data brokers’ biggest clients. These companies purchase massive data sets from data brokers to research your data profile. They have advanced algorithms to segregate users into various consumer groups and target you specifically. Their predictive algorithms can suggest personalized ads and products to generate higher lead generation and conversation percentages for their clients.

Are data brokers legal?

We tend to accept the terms and conditions that various apps ask us to accept without thinking twice or reading the fine print. You probably cannot proceed without letting the app track certain data or giving your personal information. To a certain extent, we trade some of our privacy for convenience. This becomes public information, and apps and data brokers collect, track, and use our data however they please while still complying with the law.

There is no comprehensive privacy law in the U.S. on a federal level. This allows data brokers to collect personal information and condense it into marketing insights. While not all methods of gathering private data are legal, it is difficult to track the activities of data brokers online (especially on the dark web). As technology advances, there are also easier ways to harvest and exploit data.

As of March 2024, 15 states in the U.S. have data privacy laws in place. That includes California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire.[i] The laws vary by state, yet generally, they grant rights to individuals around the collection, use, and disclosure of their personal data by businesses.

However, these laws make exceptions for certain types of data and certain types of collectors. In short, these laws aren’t absolute.

Can you remove yourself from data broker websites?

Some data brokers let you remove your information from their websites. There are also extensive guides available online that list the method by which you can opt-out of some of the biggest data brokering firms. For example, a guide by Griffin Boyce, the systems administrator at Harvard University’s Berkman Klein Center for Internet and Society, provides detailed information on how to opt-out of a long list of data broker companies.

Yet the list of data brokers is long. Cleaning up your personal data online can quickly eat up your time, as it requires you to reach out to multiple data brokers and opt-out.

Rather than removing yourself one by one from the host of data broker sites out there, you have a solid option: our Personal Data Cleanup.

Personal Data Cleanup scans data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites. And if you want to save time on manually removing that info, you have options. Our McAfee+ Advanced and Ultimate plans come with full-service Personal Data Cleanup, which sends requests to remove your data automatically.

If the thought of your personal info getting bought and sold in such a public way bothers you, our Personal Data Cleanup can put you back in charge of it.

[i] https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/

 

The post How Data Brokers Sell Your Identity appeared first on McAfee Blog.

Almost every day, someone calls me to inquire about how to deal with a compromised identity. It has become so common that I have come to the point of just assuming everyone has had their identity compromised in some way, shape or form after the last few years of large-scale data breaches[1]. In 2018, the […]

The post What Should You Do When Your Identity Has Been Compromised? appeared first on Radware Blog.

A fantastic resource to help organizations train, educate, and help their stakeholders how to avoid scams.

The dark side of the Internet, also known as the “dark web,” is an unregulated part of the Internet. In this way, the dark web can open doors to illegal activity. From credential theft to credit card fraud, there are no limits to what’s possible on the dark web. Luckily, there are steps you can […]