Scareware

Scareware Blocker

Scareware is a type of online scam that displays fake virus alerts or security warnings to trick you into thinking your computer is infected or damaged. The goal is to scare you into calling a fake tech support number, where scammers may try to steal your personal data, gain remote access to your device, or charge you for “repairs” that aren’t needed. A Scareware blocker, like the one in Microsoft Edge, detects these scam sites and warns you before any harm is done.


What Is Scareware?

Scareware is a cyberattack technique that plays on fear. It appears as alarming pop-ups, urgent messages, or fake system scans claiming your device is damaged or under attack. These scare tactics often:

  • Warn you of non-existent viruses or critical system errors.
  • Push you to call a “support” hotline immediately.
  • Redirect you to sites selling fake antivirus software.

Once the scammer has your attention, they may request:

  • Remote access to your computer (allowing them to steal files or install malware).
  • Payment for unnecessary or fake “repairs.”
  • Personal information that can be used for identity theft.

How Does a Scareware Blocker Work?

Microsoft Edge’s Scareware blocker is designed to automatically detect and stop these scams before they cause damage. Here’s how it works:

  1. Detection: Edge monitors known tech scam sites and suspicious pop-up behavior.
  2. Warning: If you land on a flagged site, a warning message appears.
  3. Escape Option: You’re given the choice to leave the page immediately and return to safety.

Why You Should Turn It On

Even experienced internet users can be fooled by realistic-looking Scareware messages. Turning on the blocker can:

  • Prevent scammers from gaining control of your device.
  • Protect your financial accounts and personal information.
  • Save you from paying for fake technical support.

Extra Safety Tips

While the Scareware blocker is a powerful defense, it’s best to combine it with smart browsing habits:

  1. Never trust unsolicited tech support calls — real companies like Microsoft or Apple will never call you about security issues.
  2. Close suspicious pop-ups using Task Manager or your browser’s “Force Quit” feature.
  3. Keep your software updated to patch vulnerabilities.
  4. Use reputable antivirus software as an extra layer of protection.

Frequently Asked Questions (FAQ)

Q1: What is Scareware and how is it dangerous?
Scareware is a scam that uses fake alerts to make you think your computer is infected. It’s dangerous because it can lead to identity theft, malware infection, and financial loss.

Q2: How does Microsoft Edge protect against Scareware?
Edge’s Scareware blocker detects known scam sites and warns you before you engage with them.

Q3: Can Scareware install viruses on my computer?
Yes, some Scareware pages try to install malware disguised as security tools.

Q4: What should I do if I see a Scareware pop-up?
Close the browser tab or use Task Manager to exit. Never click buttons inside the pop-up.


Bottom Line

Scareware is one of the most manipulative forms of cybercrime, preying on fear and urgency. By enabling the Scareware blocker in Microsoft Edge and following good security practices, you can browse with greater confidence — and avoid falling victim to these deceptive tactics.


Cybersecurity Concepts and Fundamentals

Table of contents

  1. What is cybersecurity?
  2. Why cybersecurity matters
  3. Core attack types (with quick defenses)
  4. Emerging threats to watch
  5. Modern defense strategies and checklists
  6. Cybersecurity for crypto users
  7. Cybersecurity for Forex Traders and Market Professionals
  8. FAQs on cybersecurity


🔎 What is cybersecurity?

Cybersecurity is the practice of protecting devices, networks, applications, and data from unauthorized access, disruption, or manipulation. It blends technology, processes, and people to reduce risk and ensure confidentiality, integrity, and availability.

  • Answer-ready definition: Cybersecurity protects people and systems from digital attacks by preventing unauthorized access and data loss.

⏱️ Why cybersecurity matters

Attackers increasingly use automation and AI to scale phishing, deepfakes, and account takeovers. Hybrid work and cloud adoption expanded attack surfaces. Meanwhile, data stolen today may be decrypted later as computing advances.

  • Answer-ready summary: Cybersecurity is critical in 2025 because AI makes attacks faster and more believable, and connected systems multiply the impact.

🧨 Core attack types (with concise defenses)

🔐 51% attack (blockchain)

  • What it is: A single entity gains control of the majority of a blockchain’s hashing power (or stake), enabling double-spends or transaction censorship.
  • Defend fast: Prefer chains with strong decentralization, finality checkpoints, alerts for reorgs, and multi‑sig treasury controls.

🎧 Side‑channel attack (energy/EM “listening”)

  • What it is: Extracting secrets by observing power usage, electromagnetic emissions, timing, or cache patterns.
  • Defend fast: Use hardware wallets with certified shielding, keep devices updated, enable PIN/passphrase, and avoid untrusted peripherals.

⚡ Fault injection (tampering mid‑operation)

  • What it is: Glitching voltage/clock/laser to force chips into errors that leak secrets or bypass checks.
  • Defend fast: Choose hardware with fault detection, enable secure boot/attestation, and physically secure critical devices.

🧠 Software attacks (inputs and logic abuse)

  • What it is: Exploiting code flaws, unsafe input handling, dependencies, or misconfigurations to read, alter, or destroy data.
  • Defend fast: Patch rapidly, apply least privilege, use WAF/RASP, SBOM + dependency scanning, and threat‑model critical paths.

🔓 Brute force and credential stuffing

  • What it is: Guessing passwords at scale or replaying leaked credentials across sites.
  • Defend fast: Passwordless (FIDO2/passkeys), MFA, rate limiting, IP/device risk, credential leak detection, and unique passwords.


🚨 Scareware — Fear as a Weapon in Cyberattacks

Scareware is a manipulative form of malware that uses fear, urgency, and deception to trick users into taking harmful actions — usually by convincing them their device is infected or compromised. It often appears as an alarming pop‑up or full‑screen browser alert with messages like “Critical Virus Detected!” or “Your system will be locked!”, sometimes paired with fake system scans or audio warnings. The goal? Push the victim into clicking a link, calling a fraudulent tech support number, or downloading rogue “security software” that is actually malicious. Modern scareware campaigns use social engineering, fake antivirus brands, and even deepfake audio to add credibility. To defend against scareware, close suspicious windows via task manager (never click “OK” or “Cancel”), keep browsers and security software updated, use reputable anti‑malware tools, and remember: legitimate security alerts never demand urgent payment or phone calls.
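As an added illustration of the detection step described for the Edge blocker earlier on this page and of the indicators listed in this paragraph (this is example code, not Microsoft’s), the following Python scores a page against those signals: a hypothetical blocklist, alarm phrases, a phone number beside the alarm text, full-screen lock-in, auto-played audio and repeated dialogs. Hosts, phrases, weights and sample pages are all constructed.

```python
"""Heuristic scareware page scoring (defender-side illustration).

The signals mirror the indicators the text lists: fake virus alerts, fake
system scans, audio warnings, "call this number" hotlines, full-screen or
pop-up lock-ins and known scam hosts. Blocklist, phrases, weights and the
sample pages are all constructed; this is not Microsoft Edge's logic.
"""
import re
from dataclasses import dataclass, field

# Hypothetical blocklist of reported tech-support-scam hosts (constructed).
KNOWN_SCAM_HOSTS = {"security-alert-center.example", "windows-warning.example"}

# Phrases typical of scareware copy, matched case-insensitively; each adds its weight.
ALARM_PHRASES = {
    r"critical virus detected": 3,
    r"your (computer|system|pc) (is|has been) (infected|locked|compromised)": 3,
    r"do not (close|shut down|restart)": 2,
    r"call (microsoft|apple|support|now)": 2,
    r"system (scan|error)": 1,
    r"immediately": 1,
}
# North-American style phone number, e.g. 1-800-555-0199 (constructed sample).
PHONE_RE = re.compile(r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

WARN_THRESHOLD = 5  # a score at or above this triggers the warning page


@dataclass
class PageSample:
    host: str
    text: str                 # visible page text
    fullscreen: bool = False  # page forced full-screen / trapped navigation
    audio: bool = False       # page auto-played an audio "warning"
    popups: int = 0           # alert()/confirm() dialogs opened in a row


@dataclass
class Verdict:
    block: bool
    score: int
    reasons: list = field(default_factory=list)


def score_page(page: PageSample) -> Verdict:
    """Score one page against the scareware indicators.

    A blocklisted host is a hard hit; otherwise the content and behaviour
    signals have to add up. A phone number only counts once alarm language
    is already present, so a normal support page with a number is not flagged.
    """
    score, reasons = 0, []
    if page.host.lower() in KNOWN_SCAM_HOSTS:
        score += WARN_THRESHOLD
        reasons.append("host on known tech-support-scam list")
    lowered = page.text.lower()
    for pattern, weight in ALARM_PHRASES.items():
        if re.search(pattern, lowered):
            score += weight
            reasons.append(f"alarm phrase matched: {pattern}")
    if PHONE_RE.search(page.text) and score >= 3:
        score += 3
        reasons.append("phone number next to alarm language")
    if page.fullscreen:
        score += 2
        reasons.append("full-screen lock-in")
    if page.audio:
        score += 2
        reasons.append("auto-played audio warning")
    if page.popups >= 2:
        score += 2
        reasons.append(f"{page.popups} repeated dialogs")
    return Verdict(block=score >= WARN_THRESHOLD, score=score, reasons=reasons)


# Constructed sample pages: one scareware page, one legitimate support page,
# and one page that is innocuous on its face but sits on a blocklisted host.
SAMPLE_PAGES = [
    PageSample("alerts.example",
               "CRITICAL VIRUS DETECTED! Your computer is infected. Do not close "
               "this window. Call Microsoft Support now: 1-800-555-0199",
               fullscreen=True, audio=True, popups=3),
    PageSample("docs.example",
               "Run a system scan from Settings. Contact support at 1-800-555-0100 "
               "if the scan reports errors."),
    PageSample("windows-warning.example", "Loading..."),
]


def triage(pages=SAMPLE_PAGES) -> dict:
    """Map each host to its verdict; the caller shows the warning and the
    'leave this page' option for every verdict with block=True."""
    return {p.host: score_page(p) for p in pages}


if __name__ == "__main__":
    for host, v in triage().items():
        action = "WARN + offer to leave" if v.block else "allow"
        print(f"{host}: score={v.score} -> {action}; {'; '.join(v.reasons)}")
```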

🚨 Emerging threats

  • AI‑driven social engineering: Deepfake voices, live video spoofs, and synthetic emails that mimic style and timing.
  • Supply‑chain compromises: A single vendor/update can infect many downstream organizations.
  • Ransomware evolution: Data theft before encryption, leak extortion, and targeted backups destruction.
  • “Harvest now, decrypt later”: Adversaries exfiltrate encrypted data today to decrypt in the future.
  • CAPTCHA evasion: Bots emulate human behavior; legacy challenges no longer suffice.
  • API abuse: Token theft, permissive scopes, and insufficient rate limits expose sensitive data.


Threat Vector                    | Why It’s Urgent                                            | Example
---------------------------------|------------------------------------------------------------|--------------------------------------------------
AI‑Driven Attacks                | Automates phishing, vulnerability scanning, deepfake scams | $25M deepfake CFO fraud case
Supply Chain Exploits            | One vendor breach can ripple to thousands of customers     | 2024 CDK Global auto dealer outage
Zero‑Day Vulnerabilities         | Growing market for unpatched flaws                         | 11 of top 15 CVEs exploited in 2023 were zero‑day
IoT Exploitation                 | Billions of devices with weak security                     | Smart home camera hijacks for botnets
Quantum Threats                  | May break RSA/ECC in future                                | Governments funding post‑quantum R&D
Generative AI Social Engineering | Hyper‑realistic deepfake calls, docs, videos               | Political misinformation & fraud

🛡️ Modern defense strategies and checklists

Zero Trust essentials

  • Verify explicitly (users, devices, services).
  • Enforce least privilege and just‑in‑time access.
  • Segment networks and apply conditional policies.

Identity and access

  • Passwordless + MFA on all critical accounts.
  • Admin accounts isolated with hardware keys.
  • Automated offboarding and periodic access reviews.

Email and social engineering

  • DMARC/DKIM/SPF enforced; banner external mail.
  • Phishing simulations and just‑in‑time training.
  • High‑risk workflows require call‑backs to known numbers.

Data protection and recovery

  • Classify data; encrypt at rest/in transit.
  • 3‑2‑1 backups with immutable copies; drill recovery.
  • DLP for sensitive exfiltration paths.

Cloud and API security

  • CSPM + CIEM; least‑privileged service roles.
  • API gateways with authZ, schema validation, and rate limits.
  • Secrets management; no long‑lived tokens.

Application and supply chain

  • SBOM; pin dependencies; sign builds and artifacts.
  • SAST/DAST/IAST + dependency and container scanning.
  • Incident playbooks for vendor compromise.

Detection and response

  • Centralized logging; UEBA and anomaly detection.
  • EDR/XDR with automated containment.
  • Tabletop exercises and purple teaming.

🪙 Cybersecurity for crypto users (quick wins)

  • Use hardware wallets; enable PIN + optional passphrase.
  • Store seed phrases offline on durable media; never share.
  • Verify dApp URLs and contract addresses; avoid blind approvals.
  • Separate wallets for trading vs. long‑term cold storage.
  • Turn on transaction notifications and spending limits.


💹 Cybersecurity for Forex Traders and Market Professionals

In the fast‑paced world of forex, commodities, and CFD trading, cybersecurity is as critical as market analysis. Trading platforms, VPS connections, and account credentials are prime targets for attackers who aim to hijack sessions, manipulate transactions, or steal capital. Traders should secure their edge by:

  • Using a reputable VPS or dedicated server with firewalls, updated antivirus, and encrypted connections to reduce latency without sacrificing security.
  • Enabling two‑factor authentication (2FA) for broker logins and trading apps to block unauthorized access, even if passwords are compromised.
  • Choosing regulated, well‑audited brokers with transparent security policies, DDoS protection, and secure payment gateways.
  • Avoiding public Wi‑Fi for live trades — instead, use a private, VPN‑secured network to prevent session hijacking.
  • Monitoring account activity daily and setting up instant alerts for withdrawals or trade executions you did not authorize.
  • Segmenting devices: keep your trading terminal separate from personal browsing or email to lower cross‑infection risk.

A well‑planned cyber hygiene routine not only preserves your capital but also ensures trade execution integrity — because in volatile markets, even a few seconds of disruption can mean the difference between profit and loss.


🧭 Actionable quick checklists

  • Personal: passkeys/MFA, password manager, OS/browser updates, encrypted device backups, phishing skepticism.
  • Small business: Zero Trust starter, email auth, EDR, backups with drills, vendor risk basics, incident plan with contacts.
  • Dev teams: secure SDLC, threat modeling, SBOM, secrets vault, signed releases, API security tests.

❓ Cybersecurity FAQs (featured snippet‑ready)

What is cybersecurity in simple terms?

Cybersecurity is how we protect devices, data, and networks from digital attacks and unauthorized access.

What are the most common cybersecurity threats today?

Phishing and deepfakes, credential stuffing, ransomware, vulnerable third‑party software, and misconfigured cloud or APIs.

How can I improve my cybersecurity quickly?

Turn on MFA or passkeys, update your software, use a password manager, back up important data, and be cautious with unexpected links.

What is Zero Trust in cybersecurity?

Zero Trust means no user or device is trusted by default; everything is verified continuously with least‑privilege access.

Do I need antivirus in 2025?

Yes—use reputable endpoint protection with behavior detection, and pair it with OS hardening and browser protections.

How do I secure my crypto assets?

Use a hardware wallet, protect your seed phrase offline, verify dApps/contracts, and separate hot and cold wallets.

What is credential stuffing?

Attackers try leaked username/password pairs on other sites. Use unique passwords and MFA to stop it.

What is “harvest now, decrypt later”?

Attackers steal encrypted data today, planning to decrypt it in the future as computing power improves.

How to create a crypto wallet


If you want to use cryptocurrencies, you need a digital wallet or a wallet app to store and manage their private keys. In this article, I will guide you through the steps of creating and using a popular and user-friendly wallet app called Trust Wallet.

Trust Wallet is a software wallet that supports many different cryptocurrencies, such as Bitcoin, Ethereum, Binance Coin, and more. It also has some features that make it stand out from other wallets, such as:

  • The ability to swap some coins and tokens with each other, like an exchange (swap).
  • The ability to buy some cryptocurrencies with fiat currencies of several countries, such as US/Canada/Australia dollars, euros, Turkish liras, Chinese yuan, and more. You can use payment methods such as MoonPay and Mercuryo to do this.
  • The ability to access the decentralized finance (DeFi) and non-fungible token (NFT) sectors, where you can lend, borrow, stake, or trade your assets in a peer-to-peer way.

To create a Trust Wallet, you need a mobile phone or a tablet with an internet connection. For security reasons, you should disable any VPN or proxy service that you might be using.

Depending on your device’s operating system, you can download the Trust Wallet app from the App Store (for iOS) or the Play Store (for Android). Just search for Trust Wallet and download the official app. Be careful not to download any fake or fraudulent apps that might look similar. The official apps usually have a lot of downloads and user reviews. You can also consult a computer or software expert to help you with this.

After installing the Trust Wallet app on your device, tap on its icon and launch it. Then tap on Create a new wallet to make a new wallet.

On the next screen, you will be asked to back up your wallet. This means that if you lose access to your wallet in the future, for example because the app is deleted from your device or your device is lost or stolen, you can restore your wallet and recover your cryptocurrencies using a special phrase.

So tap on the box next to “I understand that if I lose my recovery words…” and then tap on Continue.

At this stage, prepare a piece of paper and a pen (a pencil is also recommended) and write down all the words shown on your device’s screen, in the same order and with the same numbers. (The number of words may vary between wallets; usually you have to write down 12 or 24 words.)

This phrase (a set of words) is needed when you want to restore your wallet in the future, or when you want to activate or recover it on another device. That is why they are called recovery words, mnemonic phrase or seed phrase. They are effectively your digital signature in the blockchain world, because these words are eventually converted into a private key, a long secret string similar in form to this illustrative one:

8rtt7v4pcxbvbmcxbvbmjhiod3jhiod345rtghfg9v7mbn265v7bfhjghjm18vb68rthcb68cv76n8cvn5hbn26js8cxbvbmjhiod39pkjdk5uy9u7678rtwe574bn26a54ccxbvbmjhiod3z345vrtfyhtfsasczxvxspcxbvbmjhiod32tghfg9v73rcewt657658bn26r5dcxbvbmjhiod3rg57g

This code, which is generated from the mnemonic phrase, is called the private key, and it is your signature in the digital currency world. Of course, you usually don’t see it in your wallet, but you can find it by exploring the wallet’s menus.

When you want to send some cryptocurrency to someone else, the wallet signs and sends the transaction with your confirmation. In other words, with this signature, you transfer the ownership of your sent cryptocurrency to the recipient.

For humans (unlike computers), remembering the private key is almost impossible, and reusing it to recover the wallet is also very difficult, because for security reasons we are not allowed to copy it. Writing it down is tedious and time-consuming and is likely to introduce writing errors and spelling mistakes. That is why cryptography experts invented a method years ago that lets us generate private keys from a set of words called a mnemonic phrase, so that writing the words down and reusing them is easier, safer and more human-readable for people.
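How the recovery words become the wallet’s secret key, as an added example that is not Trust Wallet’s own code: it assumes the wallet follows the BIP39 standard (as Trust Wallet and most mobile wallets do), derives the seed and the first BIP32 master key, and checks the result against the first published BIP39 test vector. Validation of the words against the official 2048-word list is left out.

```python
"""From recovery words to the wallet's secret key (BIP39 + first BIP32 step).

Added example, not Trust Wallet's own code. It assumes the wallet follows the
BIP39 standard and checks the result against the first published BIP39 test
vector. Validating the words against the official 2048-word list is omitted.
"""
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 curve; a master key must be non-zero and below it.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    The salt is the literal string "mnemonic" plus the optional passphrase,
    so the same words with a different passphrase open a different wallet.
    Both inputs are NFKD-normalised so the words give the same seed everywhere.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master key: HMAC-SHA512 keyed with b"Bitcoin seed" over the seed.

    The left 32 bytes are the master private key (the long secret string the
    text describes); the right 32 bytes are the chain code used for child keys.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:  # astronomically unlikely, but the spec rejects it
        raise ValueError("invalid master key, generate a new seed")
    return key, chain_code


def wallet_from_words(mnemonic: str, passphrase: str = "") -> dict:
    """Whole pipeline: words -> seed -> master private key + chain code (hex)."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain_code = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_private_key": key.hex(),
            "chain_code": chain_code.hex()}


# First official BIP39 test vector (all-zero entropy), passphrase "TREZOR".
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

if __name__ == "__main__":
    w = wallet_from_words(TEST_MNEMONIC, "TREZOR")
    print("seed matches test vector:", w["seed"] == TEST_SEED_HEX)
    # Writing the words in the wrong order yields a completely different wallet.
    swapped = "about " + " ".join(TEST_MNEMONIC.split()[:-1])
    print("swapped order gives same wallet:",
          wallet_from_words(swapped, "TREZOR")["seed"] == w["seed"])
```

The same words with a different (or empty) passphrase yield a different seed, which is why the optional passphrase mentioned elsewhere on this page must be backed up alongside the words.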

  • To increase the security of your wallet and protect the digital currencies inside it, never take a picture or screenshot of these words from your device’s screen. It is better to use both pen and pencil on regular writing paper.
  • Likewise, never copy these words or the private key. When you copy or duplicate text or an image on an electronic device such as a mobile phone or computer, it remains in the device’s memory for a while, and that information can easily be accessed and exposed to a hacker (a digital information thief).
  • Always remember that the mnemonic phrase is the key to your wallet and all the cryptocurrencies inside it. Take care of it as you would your bank account password, and even more so, because your internet banking password can be changed, but the mnemonic words cannot!
  • No person or company, not even the wallet manufacturer, will ask you for these words or inquire about them by any means or through any communication channel. Even if you contact the wallet’s support unit yourself, they will not ask you for these words.
  • If any person or company (even the technical service or support unit of the wallet app) asks you for these words, be aware that you are dealing with a hacker or a scammer, even if the request comes from their official email, address or phone number.
  • If these words are lost, forgotten or otherwise unavailable, no one, not even the manufacturer, designer, developer team or technical support unit of the wallet, can recover them by any means or under any circumstances. So be wary of greedy people or scammers who might try to deceive or harm you with tempting offers.

After writing down these vital and highly confidential words, tap on Continue. On the next screen, use your handwritten notes to select the words in the correct order (see image above) and finally tap on Continue. (This step may vary between wallets: you may need to type each word in order, separated by spaces or into empty fields, using your phone’s keyboard or keypad.)

If you have selected the words in the correct order, by tapping on Continue, the wallet will be created and you will see the main screen of the wallet.

One of the best ways to write down or store the mnemonic phrase is to write and engrave it on special metal sheets for this purpose. Similar to what our ancestors did: engraving on stone!

After buying these metal sheets, you should also buy a special pen or metal letter stamps or an engraving machine and engrave the mnemonic phrase on the sheet with safety precautions.

Paper may tear, burn or get wet. But there are special steels that are very resistant to fire or moisture. Usually in a fire in a residential apartment, the fire temperature rises up to 500 degrees Celsius, but the sheets and molds mentioned here can withstand higher temperatures.

I myself tested some types of these sheets and molds in an industrial furnace and only recommended those that proved to withstand temperatures above 500 degrees Celsius to my colleagues, acquaintances and students.

Now that you have joined me, do it right and do not use another method to back up your wallet unless you know what you are doing and what consequences it has. If you have found, invented or chosen a better method, share it with me or your friends, or teach it. These methods, processes and features may change in the future, and we always have to keep our information and knowledge up to date.

If you are using another secure method or have a new idea in mind, share it with me and others in the comments section at the bottom of this page.

Whaling Attack


In business and finance, a whale is a big player, a high-net-worth individual or institution that can move markets at a stroke. However, in cybersecurity, whales and whaling have another meaning. A whaling attack is the targeting of one of those big players, be it a blue-chip company, billionaire, celebrity, or noted institution. The aim of the whale attack cybercriminals is to capitalize on the target’s ability to pay large ransom amounts, knowing that they might do so to protect their reputations or the brands they represent.

While today whaling causes damage to businesses big and small, there is little reason it has to. It’s not difficult to learn to recognize the main indicators of phishing and, for company owners and managers, to educate employees to do the same. Wise executives can implement phishing prevention practices in their companies to forestall attacks, preventing a public relations nightmare and widespread hassle – and potentially saving organizations countless dollars. With education and prevention, whaling can become a futile exercise, an attempted hacking method of the past.

While all attacks by cybercriminals are a crime, no matter if directed at senior executives, small business owners, or just your regular Joe, there are people who consider whaling a controversial subject. That’s because in many cases, whaling attacks are underreported. At first glance, it may seem strange that businesses wouldn’t immediately report a whaling attack, but there is a logic to it: some of these targeted individuals and companies may believe that it is better to keep quiet, giving in to the demands of hackers after a ransomware attack or remaining silent after a phishing scam, rather than admitting that they have been compromised.

Why Are Whaling Attacks Unreported?

As the public faces of huge corporations, executives have a lot to lose if their reputation – or that of their company – becomes tarnished. Their public relations team and their company’s board may feel that paying off the criminal gangs could be less expensive than damaging the company’s brand or causing a drop in stock value after announcing their business has become a victim to a serious cyberattack. While anyone can fall victim to a cyber attack, large, Fortune 500 companies and other big businesses may believe they are above such scams; they may feel they are too smart, too savvy, or too well-protected to succumb to such events.

So while some companies and individuals will try to cover up that they have been scammed, the truth can and often does come out. Companies may decide they need to make a public admission, perhaps driven by the fear that leaks to the media may force them to come clean eventually anyway. In other cases, companies may be obligated to report security or other breaches. In fact, most Fortune 500 and publicly traded companies are required by law to report cybersecurity incidents. The Biden Administration extended this practice by issuing an executive order in 2021 stating that any company doing business with the Federal Government must immediately report a security breach. This is in addition to SEC regulations dating from 2012, which compel public companies to report cyberattacks to regulators and set out the changes they will make to protect themselves and their clients in the future. Businesses that are in countries that are signatories to the European GDPR are also required by law to report certain data breaches. The fine can be up to €10 million (approx. $10.5 million) or 2% of the company’s annual turnover for declining to report such breaches.

But the question remains: If there are laws requiring the reporting of cyberattacks and breaches, why do companies try to cover it up? The answer isn’t simple. On the one hand, it is possible that a company or individual isn’t aware of the duty to report, although this would seem increasingly unlikely. On the other hand, it’s probable that refusing to report cyberattacks is a reputational or financial decision. Stock prices usually decline when there is news of a data breach at a blue-chip company. For example, the Capital One data breach of 2019 saw the stock of the financial services company fall by 6% when the breach was publicly reported, and that figure more than doubled to almost 14% in the weeks after. Studies have also shown that the financial damage to the company’s reputation can be long-term.

However, companies are also playing with fire when they don’t report. In 2017, Uber was found to have covered up a massive data breach that impacted millions of customers worldwide. The ride-share company was also found to have paid off the hackers to the tune of $100,000 to delete the data and keep quiet about the attack. The admission cost Uber’s Chief Security Officer Joe Sullivan his job, and it forced CEO Dara Khosrowshahi to make a groveling apology to customers and investors. The question, therefore, should not be why companies don’t report whaling cyberattacks. The question should be: how can companies and individuals stop whaling attacks from happening in the first place?

Hacks and Data Breaches Can Be Embarrassing for Executives

Falling for a scam can be embarrassing for executives and organizations, particularly when it was a CEO or other C-suite member’s actions that led to the incident. Consider, for instance, the case of an Australian hedge fund in 2020, which lost $8.7 million in a phishing attack. The hackers were able to compromise the hedge fund by sending out a fake Zoom invite – a typical phishing tactic during the pandemic. The link was not opened by a careless low-level employee, however – it was opened by one of the hedge fund’s co-founders. The fake Zoom invite allowed hackers to install malicious software, which, in turn, enabled them to create a series of fake invoices on the hedge fund’s email system. Moreover, there were no alarm bells: executives at the hedge fund only noticed that their systems had been compromised after checking the fund’s bank account and realizing millions of dollars were missing. It’s a stark warning that all hackers need to gain access is for the proverbial door to be left slightly ajar – and even something as seemingly insignificant as a Zoom link can serve as a door – to kickstart a sophisticated whaling attack.

Oftentimes, when a serious whaling event occurs, the buck stops with the person in charge, such as the CEO or other executives like the CTO or CXO. That was the case in Austria in 2016 when hackers used a scam known as the fake president incident and posed as the CEO of aerospace company FACC in a series of emails. The scammers were able to swindle roughly $47 million out of FACC using sophisticated phishing techniques. After the incident became public, the board voted to fire CEO Walter Stephan.

Targeting Smaller Fish

It is not only large corporations that are at risk for whaling attacks. One unnamed individual went on the record with NPR in 2019. Asking to hide his identity, “Mark” (not his real name) spoke of the embarrassment of being duped by hackers in phishing scams, and how he believed revealing the truth would hurt his Seattle real estate business. This story is an intriguing one, as it explains how hackers patiently watched and listened to correspondence between “Mark” and his business associate, pouncing at the opportune moment to divert $50,000 to the scammers’ account. This is an example of the growing trend of BEC (business email compromise), which uses whaling tactics to target high-profile businesses and individuals via email scams.

Getting Your Money Back – Rare after a Whaling Attack

The question of dealing directly with hackers or alerting the authorities tends to come up time and time again. Interestingly, studies have shown that those paying off criminals after a ransomware attack are likely to be hit by a second attack. Still, there are rare instances where the stars align after a whaling attack, allowing companies to get their money back. This was the case with the toy company Mattel. $3 million was stolen in another fake president incident, this time through an elaborate scheme emanating from China. But through a little luck, Mattel was able to work with the FBI and Chinese authorities to freeze the hackers’ accounts and recoup the money.

Reeling in the Big Ones

But Mattel’s case is, unfortunately, an outlier. While you might forgive a toy company for falling victim to an elaborate scam, it’s worth noting that even the most tech-savvy brands and individuals can see huge amounts of money put at risk through whaling attacks. Such was the fate of networking technology firm Ubiquiti Networks Inc., which lost a whopping $46.7 million due to executive communication phishing. As mentioned earlier, many companies are compelled to report the hacks, and Ubiquiti was one such business. In this case, the company had to report the whaling attack to the SEC in its quarterly filings in the summer of 2015.

Email security should always be one of the top priorities of those organizations that transfer large sums of money such as Fortune 500 companies. As we have illustrated thus far, whale phishing campaigns are typically sophisticated, well-defined, and patiently executed. That was apparent in the 2015 case of commodities trader Scoular, which lost $17 million after an executive was hoaxed by an intricate series of emails purporting to be executing an M&A (mergers and acquisitions) deal. The money then disappeared, as the global-thinking crime gang used a series of fake email addresses throughout Europe and the Middle East, servers in Russia, and a fake bank address in Shanghai.

Whaling Attacks Can Prioritize Data Over Cash

For a variety of reasons, hackers may not always have cash as their primary goal, at least not directly. When Snap suffered a data breach back in 2016, the whaling hackers targeted information, not cash, when they sought access to the payroll data of many of its employees. This was once again a spoof CEO scam, with hackers pretending to be CEO Evan Spiegel in an email exchange with the HR department. Again, this was embarrassing for a supposedly tech-savvy company like Snap, which was forced to supply all affected employees with two free years of identity theft insurance.

Similarly, in the same year, workers’ data at Seagate, a huge S&P 500 technology company, was obtained by cybercriminals after an employee fell for an email scam. The employee unwittingly sent records of colleagues’ (past and present) W-2 data, which is used for tax purposes. At the time, experts claimed that those affected could be vulnerable to tax refund fraud for years to come.

Big Targets for Big Payoffs – Why Whaling Works

Hackers are anything but stupid. In fact, their understanding of psychology can often help with the success of their whaling attacks. They know, for example, that audacious scams like pretending to be the CEO of a Fortune 500 company can work as employees are less likely to question or challenge “the boss” if they have made strange requests by email or other communications. Moreover, hackers know these companies are likely to be cash rich and accustomed to sending vast amounts of money to clients and partners with a push of a button. It’s one of the reasons that whaling attacks are common, and it’s why some of the most daring scams are pulled off successfully.

Personally Identifiable Information (PII)

Personally identifiable information (PII) is defined as: any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual.

PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.

Understanding Personally Identifiable Information

Advancing technology platforms have changed the way businesses operate, governments legislate, and individuals relate. With digital tools like cell phones, the Internet, e-commerce, and social media, there has been an explosion in the supply of all kinds of data.

Big data, as it is called, is being collected, analyzed, and processed by businesses and shared with other companies. The wealth of information provided by big data has enabled companies to gain insight into how to better interact with customers.

However, the emergence of big data has also increased the number of data breaches and cyberattacks by entities who realize the value of this information. As a result, concerns have been raised over how companies handle the sensitive information of their consumers. Regulatory bodies are seeking new laws to protect the data of consumers, while users are looking for more anonymous ways to stay digital.

Sensitive vs. Non-Sensitive Personally Identifiable Information

Sensitive PII

Personally identifiable information (PII) can be sensitive or non-sensitive. Sensitive PII includes legally protected identifiers such as:

• Full name
• Social Security Number (SSN)
• Driver’s license
• Mailing address
• Credit card information
• Passport information
• Financial information
• Medical records

The above list is by no means exhaustive. Companies that share data about their clients normally use anonymization techniques to encrypt and obfuscate the PII, so it is received in a non-personally identifiable form. An insurance company that shares its clients’ information with a marketing company will mask the sensitive PII included in the data and leave only information related to the marketing company’s goal.

Non-Sensitive PII

Non-sensitive or indirect PII is easily accessible from public sources like phonebooks, the Internet, and corporate directories. Examples of non-sensitive or indirect PII include:

• Zip code
• Race
• Gender
• Date of birth
• Place of birth
• Religion

The above list contains quasi-identifiers and examples of non-sensitive information that can be released to the public. This type of information cannot be used alone to determine an individual’s identity.

However, non-sensitive information, although not delicate, is linkable. This means that non-sensitive data, when used with other personal linkable information, can reveal the identity of an individual. De-anonymization and re-identification techniques tend to be successful when multiple sets of quasi-identifiers are pieced together and can be used to distinguish one person from another.
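
The linkability described above is easy to measure. The following is an added example (not code from the original page) that takes a constructed data set of the kind an insurer might hand to a marketing partner, masks the direct identifiers with a keyed hash, and then checks how many released records can still be matched to a constructed public directory through the quasi-identifiers alone. The record contents, the directory and the masking key are all made up for the illustration; the k-anonymity measure (smallest group of records sharing one quasi-identifier combination) is the standard one.

```python
"""Added example: why pseudonymized records stay linkable through quasi-identifiers.

All records, the public directory and MASK_KEY are constructed for illustration.
"""
import hashlib
import hmac
from collections import Counter

SENSITIVE = ("name", "ssn")          # direct identifiers: always masked before sharing
QUASI = ("zip", "gender", "dob")     # quasi-identifiers: harmless alone, linkable together

# Constructed data set an insurer might share with a marketing partner.
RECORDS = [
    {"name": "Ana Lima",  "ssn": "000-00-0001", "zip": "02139", "gender": "F", "dob": "1984-07-12", "plan": "gold"},
    {"name": "Bea Novak", "ssn": "000-00-0002", "zip": "02139", "gender": "F", "dob": "1984-11-03", "plan": "silver"},
    {"name": "Cai Wong",  "ssn": "000-00-0003", "zip": "02138", "gender": "M", "dob": "1990-02-20", "plan": "gold"},
    {"name": "Dev Rao",   "ssn": "000-00-0004", "zip": "02138", "gender": "M", "dob": "1990-09-15", "plan": "bronze"},
    {"name": "Eva Ortiz", "ssn": "000-00-0005", "zip": "02141", "gender": "F", "dob": "1984-03-22", "plan": "silver"},
    {"name": "Finn Berg", "ssn": "000-00-0006", "zip": "02140", "gender": "M", "dob": "1990-12-01", "plan": "gold"},
]

# Constructed stand-in for a public source (phonebook, voter roll) that lists
# names next to the same quasi-identifiers.
PUBLIC_DIRECTORY = [{k: r[k] for k in ("name",) + QUASI} for r in RECORDS]

MASK_KEY = b"placeholder-secret-held-only-by-the-data-owner"


def pseudonymize(record, key=MASK_KEY):
    """Replace direct identifiers with keyed-HMAC pseudonyms.

    A keyed hash rather than plain SHA-256 is used so the recipient cannot recover a
    name or SSN by hashing guesses; only the key holder can re-link the record.
    """
    out = dict(record)
    for field in SENSITIVE:
        out[field] = hmac.new(key, record[field].encode(), hashlib.sha256).hexdigest()[:16]
    return out


def generalize(record):
    """Coarsen quasi-identifiers: 5-digit ZIP -> 3-digit prefix, full DOB -> birth year."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


def k_anonymity(records, quasi=QUASI):
    """Smallest group size sharing one quasi-identifier combination (k=1: someone is unique)."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def uniquely_linkable(records, directory, quasi=QUASI, generalized=False):
    """Count released records whose quasi-identifiers match exactly one directory entry."""
    index = Counter()
    for entry in directory:
        e = generalize(entry) if generalized else entry
        index[tuple(e[q] for q in quasi)] += 1
    return sum(1 for r in records if index[tuple(r[q] for q in quasi)] == 1)


def release_report():
    """Compare a naively masked release with a masked and generalized one."""
    masked = [pseudonymize(r) for r in RECORDS]
    safer = [generalize(r) for r in masked]
    return {
        "masked_k": k_anonymity(masked),
        "masked_linkable": uniquely_linkable(masked, PUBLIC_DIRECTORY),
        "generalized_k": k_anonymity(safer),
        "generalized_linkable": uniquely_linkable(safer, PUBLIC_DIRECTORY, generalized=True),
        "ssn_visible": any(m["ssn"] == o["ssn"] for m, o in zip(masked, RECORDS)),
    }


if __name__ == "__main__":
    print(release_report())
```

With the direct identifiers masked but the quasi-identifiers left exact, every one of the six records is still matched by exactly one directory entry (k = 1), so the "anonymized" file re-identifies everybody in it. After generalizing ZIP and date of birth, each combination is shared by three people (k = 3) and no record links uniquely. The cost is precision of the quasi-identifiers, which is the trade-off the sharing party has to make before release.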

Safeguarding Personally Identifiable Information (PII)

Multiple data protection laws have been adopted by various countries to create guidelines for companies that gather, store, and share the personal information of clients. Some of the basic principles outlined by these laws state that certain sensitive information should not be collected except in exceptional circumstances.

Also, regulatory guidelines stipulate that data should be deleted if no longer needed for its stated purpose, and personal information should not be shared with sources that cannot guarantee its protection.

Cybercriminals breach data systems to access PII, which is then sold to willing buyers in underground digital marketplaces. For example, in 2015, the IRS suffered a data breach leading to the theft of more than a hundred thousand taxpayers’ PII.

Using quasi-identifier information stolen from multiple sources, the perpetrators were able to access an IRS website application by answering personal verification questions that should have been known only to the taxpayers.

How PII Is Stolen

Many thieves find PII of unsuspecting victims by digging through their trash for unopened mail. This can provide them with a person’s name and address. In some cases, it can also reveal information about their employment, banking relationships, or even their social security numbers.

Nowadays, the Internet has become a major vector for identity theft. Phishing and social engineering attacks use a deceptive-looking website or email to trick someone into revealing key information, such as their name, bank account numbers, passwords, or social security number. It is also possible to steal this information through deceptive phone calls or SMS messages.

Tips on Protecting PII

While it is not possible to fully protect yourself, you can make yourself a smaller target by reducing the opportunities to steal your PII. Experian, one of the top three credit agencies, lists several steps that you can take to reduce your exposure.

For example, a locked mailbox or PO box makes it harder for thieves to steal your mail, and removing personal identification from junk mail and other documents makes it harder for identity thieves to associate a name with an address. Also, avoid carrying more PII than you need—there’s no reason to keep your social security card in your wallet.

Likewise, there are some steps you can take to prevent online identity theft. Data leaks are a major source of identity theft, so it is important to use a different, complex password for each online account. Always encrypt your important data, and use a password for each phone or device. It is also a good idea to securely wipe your hard drive whenever you sell or donate a computer.

Password management

Hackers harvest, weaponize and sell corporate and personal passwords in order to obtain financial reward, damage reputations, steal intellectual property, or for other illegal undertakings. According to cyber security researchers, 80% of hacks involve the theft or reuse of employee passwords.

This is in no small part due to lack of employee education and corporate negligence. Within your organization, advocate for a concerted, company-wide effort around password security and password protection. Here’s how. Share the following password best practices with your peers, clients and prospects.

Password security best practices for everyone

This list starts with password fundamentals that most people are acquainted with and gradually transitions into more sophisticated password security best practices.

  1. Passwords should be 8-12 characters long. Use a mix of letters, numbers, and symbols.
  2. Vary with upper case and lower case letters (in applicable languages).
  3. Avoid recycling the same password across multiple accounts.
  4. After 90 days, rotate passwords.
  5. Consider a password manager. Password managers function as digital books of passwords, locked by a master key. If a cloud-based password manager sounds eerie, consider using a local password storage program on your computer (Roboform or PasswordSafe).
  6. Prioritize longer passwords. The longer the password, the stronger the password.
  7. Avoid using real words within passwords, as hackers can deploy dictionary attacks, which systematically throw every word in the dictionary against an account’s login portal.
  8. Complicate your answers to password security questions; avoid using the name of your spouse, children, relatives or pets, as these answers can often be found on your social media profile or elsewhere online.
  9. Check to see whether or not your passwords have previously been stolen. You can use Mozilla’s Firefox Monitor and Google’s Password Checkup tool to determine which of your email addresses and passwords have been compromised in a data breach. Have I Been Pwned is another good password checker option.
  10. Secure your phone with a strong password, fingerprint or facial recognition software.
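
Item 9 recommends checking whether a password has already appeared in a breach. The services named there (Have I Been Pwned in particular) let a client do that without sending the password: the client hashes it, sends only the first five hex characters of the SHA-1, receives every known hash suffix with that prefix, and finishes the comparison locally. The following is an added example of that k-anonymity range check (example code, not the page's or the service's own). The breach corpus and its counts are constructed so the block runs offline; the optional online_range_lookup helper queries the real Pwned Passwords range endpoint and is the only part that needs network access.

```python
"""Added example: breached-password check with a k-anonymity range lookup.

The corpus below is constructed; only online_range_lookup touches the real service.
"""
import hashlib
import urllib.request


def sha1_hex(password):
    """Uppercase hex SHA-1, the representation the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus: password -> times seen in breaches.
_FAKE_BREACH_CORPUS = {"password": 3861493, "123456": 37359195, "letmein": 230000}


def fake_range_lookup(prefix, audit=None):
    """Imitates GET https://api.pwnedpasswords.com/range/<prefix> against the fake corpus.

    Returns "SUFFIX:COUNT" lines for every corpus hash that starts with the 5-char prefix.
    `audit`, if a list, records what was sent so callers can see only the prefix leaves.
    """
    if audit is not None:
        audit.append(prefix)
    lines = []
    for pw, count in _FAKE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def online_range_lookup(prefix, audit=None):
    """Same contract against the public API (network access required; not used in tests)."""
    if audit is not None:
        audit.append(prefix)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, lookup=fake_range_lookup, audit=None):
    """Return how often `password` was seen in breaches (0 if never).

    Only the first five hex characters of the hash are sent; the suffix comparison
    happens locally, so neither the password nor its full hash leaves the client.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix, audit).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix and found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 8x!"):
        print(candidate, "->", breach_count(candidate))
```

To run the same check against the live service, pass `lookup=online_range_lookup`; the audit list shows that in both cases the request carries five hex characters and nothing else. A registration or password-change form that refuses any candidate with a non-zero count enforces item 9 for every user instead of relying on them to check.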

Password security best practices for IT teams

  1. Limit incorrect login attempts to 5 or fewer.
  2. Allow passwords to be 64 characters long or longer, rather than limiting the length to 10 characters.
  3. Apply password encryption. Password encryption offers additional protection.
  4. Implement multi-factor authentication. Multi-factor or two-factor authentication prevents hackers from accessing your portals or network after cracking simple passwords.
  5. Deploy privileged access management software for employees with access to sensitive data.
  6. Ensure that your organization uses up-to-date anti-malware and vulnerability management solutions.
  7. Adopt the practice of changing corporate account passwords after an employee leaves the enterprise.
  8. Avoid accessing accounts as ‘root’ or ‘administrator.’ Use your own login and switch user (sudo) or “run as” in order to execute administration commands.
  9. Consider disabling root login. Establish password audits. Track your employees’ compliance with the organization’s password security policy. An audit will monitor password modifications in order to ensure compliance. It will also highlight and correct weak access points.
  10. Send employees password best practices reminders. Employees usually have good intentions, but may forget to update passwords, or to otherwise comply with an organization’s password policy. Send employees email notifications reminding them of policies, best practices and the need to rotate passwords ahead of their expiration.
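
Items 1 and 3 above concern how the server side stores and checks passwords. As an added example (not from the page or any particular product), the following credential store keeps passwords as salted PBKDF2-HMAC-SHA256 hashes, which is the usual way to store passwords: a slow one-way key derivation rather than reversible encryption, so a stolen table cannot be decrypted. It compares hashes in constant time, answers unknown users with the same cost and the same message as wrong passwords, and locks an account after five failures. Class and method names, the iteration count and the lockout period are this example's assumptions; the `now` parameter exists so lockout timing can be tested deterministically.

```python
"""Added example: salted PBKDF2 password storage with attempt limiting."""
import hashlib
import hmac
import os
import time


class CredentialStore:
    """Stores salted PBKDF2-HMAC-SHA256 hashes; locks an account after repeated failures."""

    def __init__(self, max_attempts=5, lockout_seconds=900, iterations=600_000):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations
        self._users = {}  # username -> {"salt", "hash", "failures", "locked_until"}
        # Dummy record so an unknown username costs the same as a real one
        # (no timing-based user enumeration).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._derive("placeholder-dummy-password", self._dummy_salt)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   self.iterations, dklen=32)

    def add_user(self, username, password):
        """Create or replace a user's credential (also used for rotation)."""
        salt = os.urandom(16)  # unique salt per user defeats precomputed tables
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt),
                                 "failures": 0, "locked_until": 0.0}

    def verify(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'. Unknown users get 'denied', never a distinct answer."""
        now = time.monotonic() if now is None else now
        record = self._users.get(username)
        if record is None:
            hmac.compare_digest(self._derive(password, self._dummy_salt), self._dummy_hash)
            return "denied"
        if now < record["locked_until"]:
            return "locked"
        if hmac.compare_digest(self._derive(password, record["salt"]), record["hash"]):
            record["failures"] = 0
            return "ok"
        record["failures"] += 1
        if record["failures"] >= self.max_attempts:
            record["locked_until"] = now + self.lockout_seconds
            record["failures"] = 0
        return "denied"

    def revoke(self, username):
        """Offboarding: remove the credential entirely."""
        self._users.pop(username, None)

    def has_user(self, username):
        return username in self._users


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.verify("alice", "correct horse battery staple"))
    print(store.verify("alice", "wrong guess"))
```

The stored record holds only a random salt and the derived hash; the password itself is never written anywhere. The `iterations` parameter is the cost knob: it should be as high as login latency allows, and raised over time as hardware gets faster.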

In summary

The stakes are high and the security risks are real. With a compromised password, a hacker could instantly halt your business’s productivity, sink profits, crash your stock price, and engender real-world harm.

Applying password security best practices is as much a choice as locking the doors at night. Keep your people, processes, technologies, partners, clients and IP secure by ensuring that everyone puts password security best practices into action.

Operationalizing behavioral changes can be tough for employees and IT teams alike. But the rewards are worth it and point to a brighter future.

Passwordless Authentication

What is Passwordless Authentication?

Passwordless Authentication is an authentication method that allows a user to gain access to an application or IT system without entering a password or answering security questions. Instead, the user provides some other form of evidence such as a fingerprint, proximity badge, or hardware token code. Passwordless Authentication is often used in conjunction with Multi-Factor Authentication (MFA) and Single Sign-On solutions to improve the user experience, strengthen security, and reduce IT operations expense and complexity.

The Problem with Passwords

Today’s digital workers rely on a wide variety of applications to perform their jobs. Users are forced to memorize and track a dizzying array of frequently changing passwords. Overwhelmed by password sprawl, many users take risky shortcuts like using the same password for all applications, using weak passwords, repeating passwords, or posting passwords on sticky notes. Bad actors can take advantage of lax password management practices to mount cyberattacks and steal confidential data. In fact, compromised account credentials are a leading cause of data breaches.

Simple authentication methods that require only username and password combinations are inherently vulnerable. Attackers can guess or steal credentials and gain access to sensitive information and IT systems using a variety of techniques, including:

  • Brute force methods – using programs to generate random username/password combinations or exploit common weak passwords like 123456
  • Credential stuffing – using stolen or leaked credentials from one account to gain access to other accounts (people often use the same username/password combination for many accounts)
  • Phishing – using bogus emails or text messages to trick a victim into replying with their credentials
  • Keylogging – installing malware on a computer to capture username/password keystrokes
  • Man-in-the-middle attacks – intercepting communications streams (over public WiFi, for example) and replaying credentials

Passwordless Authentication Reduces Risk and Improves User Satisfaction

Passwordless Authentication strengthens security by eliminating risky password management practices and reducing attack vectors. It also improves user experiences by eliminating password and secrets fatigue. With Passwordless Authentication, there are no passwords to memorize or security question answers to remember. Users can conveniently and securely access applications and services using other authentication methods such as:

  • Proximity badges, physical tokens, or USB devices (FIDO2-compliant keys)
  • Software tokens or certificates
  • Fingerprint, voice or facial recognition, or retina scanning
  • A mobile phone application

Passwordless Authentication is typically deployed in conjunction with Single Sign-On, so an employee can use the same proximity badge, security token, or mobile app to access all their enterprise applications and services. Passwordless Authentication is also often used as part of a Multi-Factor Authentication solution, where users are forced to provide multiple forms of evidence to gain access to enterprise applications and systems. For example, to access a mobile phone app, a remote user might be required to tap a fingerprint sensor and enter a one-time, short-lived SMS code sent to their phone.

The latest MFA solutions support adaptive authentication methods, using contextual information (location, time-of-day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a specific situation. Adaptive MFA balances convenience with security. For example, an employee accessing an enterprise application from a trusted home computer might be required to provide only one form of authentication. But to access the application from a foreign country over an untrusted WiFi connection, the user might also have to enter an SMS code.
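
The decision described in the paragraph above can be written as a small policy function. The following is an added example (not any vendor's rules or code from the page): contextual signals are scored against a policy, and the result is the list of factors the user must present. The signal names, weights and thresholds are assumptions chosen to reproduce the page's two cases: a known device on a trusted network in the home country gets one factor, while a login from abroad over an untrusted network is stepped up to an additional SMS code.

```python
"""Added example: an adaptive-MFA policy that decides which factors to require."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """Signals available at login time (values are supplied by the IdP/gateway)."""
    user: str
    app: str
    country: str
    device_known: bool        # device previously enrolled or seen for this user
    network_trusted: bool     # corporate LAN/VPN vs. public WiFi
    hour_local: int           # 0-23 at the user's location
    ip_on_denylist: bool = False


@dataclass(frozen=True)
class Policy:
    """Business rules; all values are illustrative assumptions."""
    home_country: str = "US"
    business_hours: range = range(7, 20)
    sensitive_apps: frozenset = frozenset({"payroll", "admin-console"})
    step_up_threshold: int = 2
    deny_threshold: int = 6


def risk_score(ctx, policy):
    """Sum of signal weights; the reasons are returned so decisions can be audited."""
    reasons = []
    if not ctx.device_known:
        reasons.append(("unknown_device", 2))
    if not ctx.network_trusted:
        reasons.append(("untrusted_network", 1))
    if ctx.country != policy.home_country:
        reasons.append(("foreign_country", 2))
    if ctx.hour_local not in policy.business_hours:
        reasons.append(("outside_hours", 1))
    if ctx.app in policy.sensitive_apps:
        reasons.append(("sensitive_app", 1))
    if ctx.ip_on_denylist:
        reasons.append(("denylisted_ip", 6))
    return sum(weight for _, weight in reasons), reasons


def required_factors(ctx, policy=Policy()):
    """Return (decision, factors): 'allow' with one factor, 'step_up' with two, or 'deny'."""
    score, _ = risk_score(ctx, policy)
    if score >= policy.deny_threshold:
        return "deny", []
    factors = ["fido2_key_or_phone_app"]       # passwordless possession factor, always
    if score >= policy.step_up_threshold:
        factors.append("sms_one_time_code")    # the step-up factor from the page's example
        return "step_up", factors
    return "allow", factors


if __name__ == "__main__":
    home = LoginContext("alice", "intranet", "US", device_known=True, network_trusted=True, hour_local=10)
    abroad = LoginContext("alice", "intranet", "FR", device_known=True, network_trusted=False, hour_local=10)
    print(required_factors(home))
    print(required_factors(abroad))
```

Returning the reasons alongside the score matters in practice: when a user asks why they were challenged, or an auditor asks why a login was allowed, the answer is in the log rather than reconstructed from a black box.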

Passwordless Authentication Benefits

Passwordless Authentication provides a variety of functional and business benefits. It helps organizations:

  • Improve user experiences – by eliminating password and secrets fatigue, and providing unified access to all applications and services.
  • Strengthen security – by eliminating risky password management techniques and reducing credential theft and impersonation.
  • Simplify IT operations – by eliminating the need to issue, secure, rotate, reset, and manage passwords.

What is OwnID?

Rooly Eliezerov is a serial entrepreneur in the digital identity space, currently the Co-founder of OwnID, the passwordless identity platform. Prior to OwnID, Rooly co-founded Gigya, which was acquired by SAP. Gigya leads the Customer Identity and Access Management (CIAM) market, managing over a billion digital identities for the largest organizations in the world. The book ‘The Digital Identity Crisis’ by Rooly Eliezerov was published by Wiley and Sons in March 2018.

In this superb interview, co-founder of OwnID, Rooly Eliezerov, provides a behind-the-scenes look at his new, innovative startup’s smartphone-based, biometric passwordless authentication technology. OwnID aims to transform how people log into their accounts, and to drive advances in the digital identity ownership arena.

Decentralized solutions like OwnID pave the way towards a self-sovereign identity and hyper-personalized user experiences. Discover how the identity management landscape is evolving, and see what the future might hold.

Tell us about the OwnID story

Dor and I, the founders of OwnID, are part of the founding team of Gigya, the Customer Identity and Access Management (CIAM) platform that was acquired by SAP in 2017 for $350 million. After the acquisition we felt that identity management is an unfinished business and that there needs to be a more transformational approach to identity. We joined forces with some other bright minds from Gigya and raised our seed round with the main Gigya investor Mayfield. So, the band is back together for Act 2.

Why biometrics as opposed to another sign-in methodology?

Our concept is that ‘the phone is the key’. In the same way my phone can unlock my car and house door, it can unlock anything else digital. Fortunately, phones are locked with a secure biometric mechanism, and therefore what we have here is frictionless Two Factor Authentication (something you have + something you are). We believe it’s much better than old school auth mechanisms like magic links, SMS code and definitely a password. Better means: easier to use and more secure.

Tell us about the technology behind the product?

We are utilizing WebAuthn and FIDO2. Therefore, our product is completely web based. It enables websites to access the lock mechanism of the user’s phone (both iPhone and Android). But our product goes beyond the core technology. It addresses many use cases (e.g. phone temporarily not available, phone is lost, phone doesn’t support biometrics, user already has an account with a password, etc.)

How do organizations add passwordless to their customer identity processes?

A big advantage of OwnID is the ease of implementation. OwnID is an add-on to a given site’s existing system. Sites that wish to add OwnID’s passwordless can keep their existing registration and login forms, and just add the OwnID button side by side with their password field, which enables the users to authenticate using their phone’s biometrics. If the user is browsing on their desktop or any other device, when clicking this button a QR code will be presented; the user will scan it with their phone, which will prompt their phone’s FaceID/fingerprint, and the desktop will be logged in.

What impact is the OwnID technology having?

Many more users register and login when they can do it with their phone biometrics. It’s just easier. See how it’s done on Nestle and Delonghi. These two of OwnID’s largest clients report an increase in both registrations and logins to their sites and are constantly deploying OwnID to additional properties around the globe.

What key principles do you think about in protecting your users’ data?

Our key principle is: don’t keep data in a single place, but rather, distribute it. Therefore, we don’t store any user data in our database. We don’t even have a user data base. Our technology keeps the user auth keys on the user’s phone. We place a public key for each user in the database of the website we are serving, and we match a signature that is generated by the user’s phone to the public key. For each website the user has different keys.

What business insights would you like to share with other business leaders?

Our business approach is adoption driven. We believe that elegant solutions are not enough. As a matter of fact, our product strategy is strongly influenced by the go-to-market strategy. This is why we chose to offer our solution as an add-on and not a rip-and-replace solution. We also believe in making everything as frictionless as possible – frictionless for the end-user, frictionless for the developer and frictionless even for the business decision maker. Whatever you offer should be the most sensible thing to do across all parties.

Your perspectives on the future of identity management?

In 2018, Wiley published a book I wrote titled ‘The Digital Identity Crisis’ where I cover all aspects of digital identity and where I think it’s headed. My conclusion is that personal data will continue to expand and create value, but to keep it private we’ll need to have a mechanism that enables each individual to be the owner of their digital identity, so each of us controls and knows exactly how her or his data is being used.

The Common Indicators of a Phishing Attempt

Phishing attempts are not rare. Some analysts claim that around 15 billion spam or fraudulent emails are sent daily, meaning that roughly 1% of all emails are classified as phishing attacks. While these numbers are massive, email is not the only way cyber attackers launch phishing scams, as attackers also use SMS text message phishing (smishing), phone call voice phishing (vishing), and other attack strategies like clone phishing and page hijacking.

Regardless of how a phishing attack is launched, it’s clear we are dealing with huge volumes of scamming. The prevailing assumption is that phishing attempts are clumsy, and we have seen it often: weird-looking scam emails in our spam folders, or bungling phone calls from someone poorly impersonating a bank or business. But this notion that phishing attempts are easy to recognize can lead to a false sense of security around the danger of phishing as, more and more often, phishing techniques are sophisticated and harder to spot.

Recognize Phishing to Protect Yourself

Every business, large or small, should make the awareness of the common indicators of phishing a central part of their phishing prevention strategy. This, coupled with robust anti-phishing software for business, will provide important pillars of your organization’s cybersecurity plan. But what are those common indicators? Some are obvious, others much more subtle.

Below, we discuss the most common signs of a phishing attack.

Notice an Unfamiliar Tone or Syntax, Errors in Spelling and Grammar

Arguably the most common signs of phishing communications show up in how they are presented. Most obviously, spelling errors and odd use of grammar. While all of us can be guilty of putting a typo in an email, an email full of misspellings should be enough to warrant caution and further investigation. The tone of the exchange is also very important. Often, scammers try to produce a sense of urgency in bogus phishing emails by capitalizing words, adding exclamation points, and using command language, e.g., “PAY NOW BEFORE ITS (sic) TOO LATE!”. The vast majority of legitimate business communications, even those requesting payment, use positive and diplomatic language, so alarm bells should ring when the tone becomes threatening, coercive, or overly urgent.

Scrutinize the Look of the Message

In addition to written cues, signs of a phishing email may also be evident in how the communication is presented. As mentioned, scammers often pose as the real deal, trying their best to impersonate a bank or business employee, creating fake websites and mimicking logos and overall design. While these cybercriminals are getting more adept at imitating the messaging of organizations, there still might be something off with an email’s look in terms of style, color, logo, and so on. The difference may be subtle, but if there is a discrepancy between what you receive and what you have received in the past in terms of the font, color scheme or logo, this inconsistency could indicate a phishing cyberattack.

Watch for Spoofed Hyperlinks, Domain Names, URLs, and Attachments

“Hover before you click” and “think before you click” are two of the fundamental maxims of phishing prevention strategies. In the simplest terms, it means taking a moment to think before you click on potential spoof hyperlinks within an email or message. The hovering technique means using your cursor to linger over a link to see the full URL before clicking. Doing so will expose any difference between the link address and the purported sender of the email. On websites, you should look for the HTTPS URL, designating an SSL security certificate. Legitimate companies will most likely have “clean” domain names and email addresses, like no_reply@email.apple.com, so exercise caution when you feel the address doesn’t quite fit the sender.

However, you should be aware that sophisticated phishing techniques can trick people with links and addresses that do look legitimate. Consider, for example, that the lowercase “l” and uppercase “I” can look very similar on a computer screen. Can you spot the difference between “AppIe” and “Apple”? The former is misspelled using an uppercase “i”. When in doubt, go to the actual website (not clicking on the provided link) and check out your concerns. And what about downloading attachments? The answer is simple: You should never download an attachment that looks suspicious or that has arrived from an unknown sender.
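
The "hover before you click" check and the "AppIe" look-alike above can be automated for a mail gateway or a browser extension. The following is an added example (not code from the page) that compares the host a link actually points at with the host its visible text promises, canonicalizes characters that read alike on screen before comparing against a list of trusted domains, and flags plain HTTP, IP-literal hosts and internationalized (xn--) hosts for review. The sample links and the confusables table are constructed; a real implementation would use the much larger Unicode confusables data and the Public Suffix List rather than the two-label approximation used here.

```python
"""Added example: link triage for the phishing indicators described above."""
import ipaddress
import re
from urllib.parse import urlsplit

# Characters that read alike on screen, mapped to one canonical form. Constructed
# subset; real checks use the Unicode confusables data (UTS #39).
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l", "0": "o", "O": "o", "5": "s", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
})

_TEXT_DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def skeleton(host):
    """Canonical look-alike form; translate before lower-casing so a capital I is caught."""
    return host.translate(CONFUSABLES).lower()


def registrable(host):
    """Naive owner domain: the last two labels (a real check uses the Public Suffix List)."""
    return ".".join(host.strip(".").split(".")[-2:])


def host_of(href):
    """Case-preserving host from an href; drops user:pass@ prefixes and ports."""
    netloc = urlsplit(href.strip()).netloc.rsplit("@", 1)[-1]
    return netloc.split(":")[0]


def unicode_host(host):
    """Decode xn-- labels so look-alike detection sees the characters the user sees."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def claimed_domain(visible_text):
    """Domain the link text appears to promise, if it contains one."""
    m = _TEXT_DOMAIN.search(visible_text)
    return registrable(m.group(0)).lower() if m else None


def assess_link(href, visible_text, trusted_domains):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    host = host_of(href)
    owner = registrable(host)
    if urlsplit(href.strip()).scheme.lower() != "https":
        findings.append("not_https")
    try:
        ipaddress.ip_address(host)
        findings.append("ip_literal_host")
    except ValueError:
        pass
    if any(label.lower().startswith("xn--") for label in host.split(".")):
        findings.append("punycode_host")
    claimed = claimed_domain(visible_text)
    if claimed and claimed != owner.lower():
        findings.append(f"text_says:{claimed}")
    for trusted in trusted_domains:
        if owner.lower() != trusted and skeleton(unicode_host(owner)) == skeleton(trusted):
            findings.append(f"lookalike_of:{trusted}")
    return findings


# Constructed samples: (href, visible link text).
SAMPLE_LINKS = [
    ("https://www.apple.com/support", "https://www.apple.com/support"),
    ("http://appIe.com/verify", "Apple Support"),
    ("https://secure-login.example.net/reset", "https://www.bank.example/reset"),
    ("https://192.0.2.10/login", "Click here to log in"),
    ("https://xn--pple-43d.com/", "apple.com"),
]
TRUSTED = ["apple.com", "bank.example"]


def triage(links=SAMPLE_LINKS, trusted=TRUSTED):
    return {href: assess_link(href, text, trusted) for href, text in links}


if __name__ == "__main__":
    for href, findings in triage().items():
        print(href, "->", findings or "no findings")
```

The second sample is the page's own "AppIe" case: the capital I survives case-preserving host extraction, the skeleton maps it to l, and the host collides with the trusted apple.com while not being it. The third sample is the classic mismatch between what the text says and where the link goes, which is exactly what hovering reveals.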

Be Diligent about Unsolicited Communications and Possibly Fake Companies

In 2019, a man was convicted of swindling Google and Facebook out of over $100 million using one of the most sophisticated phishing schemes ever recorded. Essentially, the scammer set up a fake company, complete with phony email addresses and invoices. Now, your small business would likely notice if $100 million walked out the door, but the scam perfectly encapsulates the phishing threat posed by bogus companies. Indeed, we can point to other recent examples of phishing fraud where scammers impersonated executives within the targeted company, presenting themselves as high-ranking employees.

Halt for Unusual Requests, Demands for Payment or Personal Information

Beyond how a communication is presented, what it contains, and who is sending it, recipients should always be questioning what they are being asked to do. The key is to be skeptical, particularly when you – as the recipient – did not initiate the communication and especially when you have not heard of the company that has contacted you. It is unlikely any executive, manager, or CEO would be upset if a diligent employee double-checks who is behind the email, specifically if they are demanding payment or company-related data, or soliciting personal information. Whether it is within your job role or not, promoting the culture of phishing prevention within your business is smart.

Demands for sensitive information, including PIN codes and passwords, should always raise a red flag. Similarly, if the sender is asking for personal information, such as date of birth, addresses, and even simple things like names, it warrants further investigation. Remember, phishing is a type of social engineering, and scammers can patiently build up a profile of employees, using the information obtained to trick people into believing they are legitimate. In fact, around 96% of phishing attacks are said to be created for intelligence gathering!

The Bottom Line: Understand the Common Hallmarks of Phishing to Protect Yourself

The bottom line is while phishing attempts can sometimes seem clumsy, featuring strange-looking emails full of errors or communications from businesses you’ve never heard of, today’s cybercriminals are more refined, with their efforts often more clever than we expect. Scammers can be particularly skilled at instilling a sense of urgency – even panic – through their use of language and pretending to be company bigwigs demanding action now. Despite their new sophistication, there are steps everyone can take to protect themselves against phishing attempts.

Checking carefully for sloppy errors and the telltale signs of inauthentic emails should be an obvious first step. Spending a moment to verify the authenticity of the sender – checking the URL, asking for more information, calling the company if necessary – will also provide an extra layer of protection against phishing scams. Educating yourself and your team requires a deeper commitment to spotting and stopping phishing. Of course, for the best protection against a range of scams, to prevent cyberattacks as well as falling prey to phishing, ongoing education should be implemented alongside the use of business security software for your organization. But no matter what, avoid handing over vital data or making payments on request, particularly if the request comes from unsolicited communication.

Google Authenticator

If you set up 2-Step Verification, you can use the Google Authenticator app to receive codes. You can still receive codes without internet connection or mobile service. Learn more about 2-Step Verification.

1- Android

App requirements

To use Google Authenticator on your Android device, you need:

Download Authenticator

Set up Authenticator

  1. On your Android device, go to your Google Account.
  2. At the top, tap the Security tab.
    If at first you don’t get the Security tab, swipe through all tabs until you find it.
  3. Under “Signing in to Google,” tap 2-Step Verification. You may need to sign in.
  4. Under “Authenticator app,” tap Set up.
    On some devices, under “Authenticator app,” tap Get Started.
  5. Follow the on-screen steps.

Get codes on new phone

Transfer Google Authenticator codes to new phone

To transfer Authenticator codes to a new phone, you need:

  • Your old Android phone with Google Authenticator codes
  • The latest version of the Google Authenticator app installed on your old phone
  • Your new phone
  1. On your new phone, install the Google Authenticator app.
  2. In the Google Authenticator app, tap Get Started.
  3. At the bottom, tap Import existing accounts?
  4. On your old phone, create a QR code:
    1. In the Authenticator app, tap More, then Transfer accounts, then Export accounts.
    2. Select the accounts you want to transfer to your new phone. Then, tap Next. If you transfer more than one account, your old phone may create more than one QR code.
  5. On your new phone, tap Scan QR code.

After you scan your QR codes, you get confirmation that your Authenticator accounts transferred.

Tip: If your camera can’t scan the QR code, there may be too much information. Try to export again with fewer accounts.

Change which phone to send Authenticator codes

  1. On your Android device, go to your Google Account.
  2. At the top, tap Security.
  3. Under “Signing in to Google,” tap 2-Step Verification. You may need to sign in.
  4. Under “Available second steps,” find “Authenticator app” and tap Change Phone.
  5. Follow the on-screen steps.

Common issues

Fix an incorrect code

If your code is incorrect, confirm:

  • You entered the code before it expired.
  • The time on your device is correct for your local time zone.

If your code is still incorrect, sync your Android device:

  1. On your Android device, open the Google Authenticator app.
  2. In the top right, tap More, then Time correction for codes, then Sync now.
  3. On the next screen, the app confirms the time is synced. You can use your verification codes to sign in.
    • The sync only affects the internal time of your Google Authenticator app. Your device’s Date & Time settings won’t change.

Use Authenticator on multiple accounts or devices

Set up 2-Step Verification for multiple accounts

Authenticator can issue codes for multiple accounts from the same mobile device. Each Google Account must have a different secret key.

To set up extra accounts:

  1. Turn on 2-Step Verification for each account. Learn more about 2-Step Verification.
  2. Use the same Authenticator app for each account.

Set up Google Authenticator on multiple devices

To get verification codes on more than one device:

  1. On the devices you want to use, make sure you install Authenticator.
  2. In your Google Account, go to the 2-Step Verification section.
  3. If you already have Authenticator for your account, remove that account from Authenticator.

Important: Before you remove an account from Authenticator, make sure you have a backup. Learn more about backup codes.

  1. To set up 2-Step Verification for the Authenticator app, follow the steps on screen. Use the same QR code or secret key on each of your devices. Learn more about 2-Step Verification.
  2. To check that the code or key works, make sure the verification codes on every device are the same.


2- iPhone & iPad (iOS)

App requirements

To use Google Authenticator on your iPhone, iPod Touch, or iPad, you need:

Tip: On an iPhone 3G or later, you can set up Authenticator by scanning a QR code.

Download Authenticator

INSTALL GOOGLE AUTHENTICATOR

Set up Authenticator

  1. On your iPhone or iPad, go to your Google Account.
  2. At the top, tap Security.
  3. Under “Signing in to Google,” tap 2-Step Verification. You may need to sign in.
  4. Under “Add more second steps to verify it’s you,” find “Authenticator app” and tap Set up.
  5. Follow the on-screen steps.

Get Google Authenticator codes on a new phone

Transfer Authenticator codes to a new phone

You need:

  • Your old iPhone with Authenticator codes
  • The latest version of the Google Authenticator app installed on your old phone
  • Your new phone

  1. On your new phone, install the Google Authenticator app.
  2. In the app, tap Get Started.
  3. At the bottom, tap Import existing accounts?.
  4. On your old iPhone, create a QR code:
    1. In the Authenticator app, tap More, then Export accounts, then Continue.
    2. Select the accounts you want to transfer to your new phone, then tap Export.
      • If you transfer multiple accounts, your old phone may create more than one QR code.
  5. On your new phone, tap Scan QR code.
  6. After you scan your QR codes, you get a confirmation that your Google Authenticator accounts transferred. You can remove your exported accounts from your old phone.

Tip: If your camera can’t scan the QR code, it may be that there’s too much info. Try to export again with fewer accounts.

Change which phone to send Authenticator codes

  1. On your Android device, go to your Google Account.
  2. At the top, tap Security.
  3. Under “Signing in to Google,” tap 2-Step Verification. You may need to sign in.
  4. Under “Available second steps,” find “Authenticator app” and tap Change Phone.
  5. Follow the on-screen steps.

Use Authenticator on multiple accounts or devices

Set up 2-Step Verification for multiple accounts

Authenticator can issue codes for multiple accounts from the same mobile device. Each Google Account must have a different secret key.

To set up extra accounts:

  1. Turn on 2-Step Verification for each account. Learn more about 2-Step Verification.
  2. Use the same Authenticator app for each account.

Set up Google Authenticator on multiple devices

To get verification codes on more than one device:

  1. On the devices you want to use, make sure you install Authenticator.
  2. In your Google Account, go to the 2-Step Verification section.
  3. If you already have Authenticator for your account, remove that account from Authenticator.

Important: Before you remove an account from Authenticator, make sure you have a backup. Learn more about backup codes.

  1. To set up 2-Step Verification for the Authenticator app, follow the steps on screen. Use the same QR code or secret key on each of your devices. Learn more about 2-Step Verification.
  2. To check that the code or key works, make sure the verification codes on every device are the same.

Microsoft Authenticator

You can set up an authenticator app to send a notification to your mobile device or to send you a verification code as your security verification method. You aren’t required to use the Microsoft Authenticator app, and you can select a different app during the set up process. However, this article uses the Microsoft Authenticator app.

Important: Before you can add your account, you must download and install the Microsoft Authenticator app. If you haven’t done that yet, follow the steps in the Download and install the app article.

Note: If the Mobile app option is grayed out, it’s possible that your organization doesn’t allow you to use an authentication app for verification. In this case, you’ll need to select another method or contact your administrator for more help.

Set up the Microsoft Authenticator app to send notifications

  1. On the Additional security verification page, select Mobile app from the Step 1: How should we contact you area.
  2. Select Receive notifications for verification from the How do you want to use the mobile app area, and then select Set up.

    Screenshot that shows the "Additional security verification" page, with "Mobile app" and "Receive notifications for verification" selected.

    The Configure mobile app page appears.

    Screen that provides the QR code

  3. Open the Microsoft Authenticator app, select Add account from the Customize and control icon in the upper-right, and then select Work or school account.

    Note: If you receive a prompt asking whether to allow the app to access your camera (iOS) or to allow the app to take pictures and record video (Android), select Allow so the authenticator app can access your camera to take a picture of the QR code in the next step. If you don’t allow the camera, you can still set up the authenticator app as described in Manually add an account to the app.

  4. Use your device’s camera to scan the QR code from the Configure mobile app screen on your computer, and then choose Next.
  5. Return to your computer and the Additional security verification page, make sure you get the message that says your configuration was successful, and then select Next. The authenticator app will send a notification to your mobile device as a test.

    Screenshot that shows the "Additional security verification" page, with the "Mobile app has been configured..." success message highlighted.
  6. On your mobile device, select Approve.
  7. On your computer, add your mobile device phone number to the Step 3: In case you lose access to the mobile app area, and then select Next. Microsoft recommends adding your mobile device phone number to act as a backup if you’re unable to access or use the mobile app for any reason.
  8. From the Step 4: Keep using your existing applications area, copy the provided app password and paste it somewhere safe.

    App passwords area of the Additional security verification page

    Note: For information about how to use the app password with your older apps, see Manage app passwords. You only need to use app passwords if you’re continuing to use older apps that don’t support two-factor verification.

  9. Select Done.

Set up the Microsoft Authenticator app to use verification codes

  1. On the Additional security verification page, select Mobile app from Step 1: How should we contact you?.
  2. Select Use verification code from the How do you want to use the mobile app area, and then select Set up.

    Screenshot that shows the "Additional security verification" page, with "Mobile app" and "Receive notifications for verification" selected.

    The Configure mobile app page appears.

    Screen that provides the QR code

  3. Open the Microsoft Authenticator app, select Add account from the Customize and control icon in the upper-right, and then select Work or school account.

    Note: If you receive a prompt asking whether to allow the app to access your camera (iOS) or to allow the app to take pictures and record video (Android), select Allow so the authenticator app can access your camera to take a picture of the QR code in the next step. If you don’t allow the camera, you can still set up the authenticator app as described in Manually add an account to the app.

  4. Use your device’s camera to scan the QR code from the Configure mobile app screen on your computer, and then choose Next.
  5. Return to your computer and the Additional security verification page, make sure you get the message that says your configuration was successful, and then select Next. The authenticator app asks for a verification code as a test.

    Screenshot that shows the "Additional security verification" page, with the "Mobile app has been configured..." success message highlighted.

  6. From the Microsoft Authenticator app, scroll down to your work or school account, copy and paste the 6-digit code from the app into the Step 2: Enter the verification code from the mobile app box on your computer, and then select Verify.

    Additional security verification page, with verification code test
  7. On your computer, add your mobile device phone number to the Step 3: In case you lose access to the mobile app area, and then select Next. Microsoft recommends adding your mobile device phone number to act as a backup if you’re unable to access or use the mobile app for any reason.
  8. From the Step 4: Keep using your existing applications area, copy the provided app password and paste it somewhere safe.

    App passwords area of the Additional security verification page

    Note: For information about how to use the app password with your older apps, see Manage app passwords. You only need to use app passwords if you’re continuing to use older apps that don’t support two-factor verification.

  9. Select Done.