Cyber attackers use various tactics to gain access to your passwords and personal data. On this page you will learn how these attacks work, what warning signs to look out for, and most importantly: how to protect yourself. Knowledge is the best defence!
1. Strong passwords: At least 12 characters with uppercase, lowercase, numbers and special characters.
2. Two-factor authentication (2FA): Enable this extra protection on email, banking, social media. Even if your password is compromised, your account stays safe.
3. Password manager: Use services like this website. It stores secure passwords and also detects phishing!
4. Up-to-date software: Keep your operating system, browser and antivirus always up to date.
5. Be sceptical: If something looks suspicious, it is probably an attack. Don't hesitate to question requests.
6. Unique passwords: Don't use the same password everywhere. If one gets hacked, the others remain safe.
7. Check your accounts regularly: Review activity logs. Are there any suspicious logins?
What is phishing?
Phishing is a fraud method where attackers pose as a trusted
organisation to trick users into revealing sensitive information such
as passwords, credit card data or personal details.
How does it work?
The attacker sends fake emails that look like they come from PayPal,
your bank or Amazon. These emails contain an urgent reason (e.g.
"Update your password immediately") or lure with promises. A link
leads to a fake website that mimics the original convincingly. When
you enter your data, it goes straight to the attacker.
Examples:
• Bank phishing: "Dear customer, we have detected suspicious activity on your account. Please verify your identity at this link: [fake link]"
• PayPal phishing: "Your PayPal account will be suspended in 24 hours if you do not verify your password."
• Amazon phishing: "There is a problem with your payment method. Please update your credit card details immediately."
Warning signs:
✗ Suspicious email addresses (e.g. paypal.com-security.fake.net)
✗ Generic salutation ("Dear customer" instead of your name)
✗ Urgent call to action ("Act immediately!", "Account will be locked")
✗ Suspicious links (hover over them – the URL looks different)
✗ Poor grammar/spelling
✗ Asking for password or PIN (legitimate companies never do this!)
Protection:
→ Check the sender email address carefully
→ Type the website directly into the browser (not via email links)
→ Check that the URL starts with "https://" and shows a padlock
→ Use a password manager – it recognises fake websites!
→ Enable two-factor authentication (2FA)
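The "hover over the link" and "use a password manager" advice above both come down to the same check: the real domain of the link must match the domain you have an account with, exactly. The following is an added example (not code from this website) that performs that check; the trusted-domain list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the user really has accounts with
# (assumption; a password manager keeps one such entry per saved login).
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "mybank.example"}

def host_of(url):
    """Lower-cased hostname of a URL, or None if it has none."""
    host = urlsplit(url.strip()).hostname
    return host.lower().rstrip(".") if host else None

def registrable_domain(host):
    """Last two labels: the only part an attacker cannot choose freely.
    Simplification: multi-label suffixes such as co.uk are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def uses_https(url):
    return urlsplit(url.strip()).scheme.lower() == "https"

def classify_link(url, trusted=TRUSTED_DOMAINS):
    """'trusted', 'lookalike', 'untrusted' or 'unknown'. This is the exact
    domain match a password manager does before filling a password:
    paypal.com-security.fake.net contains the text 'paypal.com', but its
    registrable domain is fake.net, so nothing gets filled in."""
    host = host_of(url)
    if host is None:
        return "unknown"
    if registrable_domain(host) in trusted:
        return "trusted"
    if any(name in host for name in trusted):
        return "lookalike"   # brand name used as decoration in a foreign domain
    return "untrusted"

def link_warnings(anchor_text, href):
    """Warnings for one link in an email: what the visible text claims
    versus where the link really goes (what hovering over it reveals)."""
    warnings = []
    shown = anchor_text.strip().lower()
    if "://" in shown:
        shown = host_of(shown) or ""
    real = host_of(href)
    looks_like_address = "." in shown and " " not in shown
    if real and looks_like_address and registrable_domain(shown) != registrable_domain(real):
        warnings.append(f"text shows {shown!r} but the link goes to {real!r}")
    if classify_link(href) == "lookalike":
        warnings.append(f"{real!r} imitates a trusted domain")
    if not uses_https(href):
        warnings.append("link is not https")
    return warnings
```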
What is a bruteforce attack?
A bruteforce attack is a method of guessing passwords by systematically and automatically trying every possible combination until the correct one is found.
How does it work?
Software or a script automatically generates password combinations and
tries to log in with them. In online attacks, a known username (e.g.
email address) is used. The computer then tries logging in with
different passwords until access is granted. In offline attacks (on
encrypted data) this process runs without delays and is much faster.
Examples:
• An attacker knows your email. They use a bruteforce tool to log into Gmail. The program tries: a, b, c, ..., aa, ab, ac, ... and so on. After millions of attempts it eventually finds your password.
• A hacker obtains the encrypted passwords of 1 million users. With bruteforce they try to decrypt them. It takes a long time, but with multiple computers it works.
• Weak 4-digit PINs (0000–9999) have only 10,000 combinations – easy to crack!
How long does it take?
• Password "1234": < 1 second
• Password "abcd1234": ~ 1 minute
• Password "aB1!xY9$": ~ 1 hour
• Password "aBcDeF1!2@3#xYz9": ~ millions of years
Protection:
→ Use long passwords (at least 12 characters)
→ The more complex (uppercase, lowercase, numbers, special characters), the harder to bruteforce
→ Enable two-factor authentication – this stops bruteforce attacks
→ Rate limiting: good websites prevent too many login attempts
→ Use a password manager for complex passwords
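The "rate limiting" point above is what makes the online Gmail scenario unrealistic: a website that locks an account after a few failures leaves the attacker with a handful of guesses per quarter hour instead of millions per minute. This is an added example (not this website's code) of such a limiter; the thresholds and the `verify` callback are assumptions chosen for illustration.

```python
import time

# Constructed policy (assumption): after 5 failures within 15 minutes an
# account is locked, and every further failure doubles the lock-out time.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
BASE_LOCKOUT_SECONDS = 60

class LoginRateLimiter:
    """Throttles failed logins per account. Real deployments also key on
    the source IP address and alert the user; both are omitted here."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can move time forward
        self.failures = {}          # user -> timestamps of recent failures
        self.locked_until = {}      # user -> time at which the lock-out ends

    def _recent_failures(self, user, now):
        cutoff = now - WINDOW_SECONDS
        kept = [t for t in self.failures.get(user, []) if t > cutoff]
        self.failures[user] = kept
        return kept

    def is_allowed(self, user):
        return self.locked_until.get(user, 0.0) <= self.clock()

    def record_failure(self, user):
        now = self.clock()
        recent = self._recent_failures(user, now)
        recent.append(now)
        excess = len(recent) - MAX_FAILURES
        if excess >= 0:
            # 5th failure locks for 60 s, 6th for 120 s, 7th for 240 s ...
            self.locked_until[user] = now + BASE_LOCKOUT_SECONDS * 2 ** excess

    def record_success(self, user):
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)

def attempt_login(limiter, user, password, verify):
    """One login attempt routed through the limiter. verify(user, password)
    is the site's own credential check (assumed, not shown here).
    Returns 'locked', 'ok' or 'wrong'."""
    if not limiter.is_allowed(user):
        return "locked"             # the guess is not even checked
    if verify(user, password):
        limiter.record_success(user)
        return "ok"
    limiter.record_failure(user)
    return "wrong"
```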
What is a dictionary attack?
A dictionary attack is a method of cracking passwords where the
attacker uses a list of common or known words. Instead of trying random
combinations, the attacker tries passwords from a "dictionary
database". This is much faster than bruteforce.
How does it work?
The attacker collects a list of commonly used passwords:
• Simple words (password, hello, sweetheart, 123456)
• Month names, weekdays, seasons
• Common first names
• Previously hacked and published passwords
The program then modifies the words: password → PASSWORD, Password1, Password123, P@ssword!, etc.
The 20 most common passwords are:
123456 · password · passwort · 123456789 · 12345678 · 12345 ·
1234567 · password123 · 123123 · 1234567890 · admin · qwerty ·
abc123 · ...
Examples:
• An attacker has hacked passwords from Twitter. They use a dictionary attack tool. Many passwords like "password123", "123456", "letmein" are identified immediately.
• You use the password "Sweetheart1234". A hacker tries all combinations from a dictionary list. After a hundred attempts it works!
• A database of 1 million hacked passwords is cross-referenced with a dictionary. 80% of passwords are identified within seconds.
Difference between dictionary and bruteforce:
• Dictionary attack: Fast (realistic), but only successful against weak passwords
• Bruteforce: Slow, but works against any password (it's just a matter of time)
Protection:
→ Do NOT use simple words (Password123, Sweetheart2024 are insecure!)
→ Use random passwords with uppercase, lowercase, numbers and special
characters
→ At least 12–16 characters
→ Use a password generator
→ Check haveibeenpwned.com to see if your password has been leaked
→ Enable 2FA – even if the password is cracked, you're protected
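The two sections above describe what a password checker has to test for: whether a password is just a dictionary word with the usual mutations (Sweetheart1234, P@ssword!) and, if not, how large the search space a bruteforce attack has to cover is. The following is an added example of such a checker, not code from this website; the word list is a constructed stand-in for a real leaked-password list, and the guess rate of 10 billion per second is an assumed figure for an offline attack on a fast hash.

```python
import math
import re

# Constructed mini dictionary (assumption): a real check uses a list of
# millions of leaked passwords, the kind of data haveibeenpwned.com holds.
COMMON_WORDS = {"password", "passwort", "123456", "123456789", "qwerty", "admin",
                "letmein", "sweetheart", "january", "summer", "michael"}

# The substitutions an attacker's mutation rules try, applied in reverse.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t"})

def normalise(pw):
    """Undo the typical mutations so 'P@ssword123!' collapses to 'password':
    lower-case, strip leading/trailing digits and symbols, reverse leet-speak."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    base = re.sub(r"^[^a-z]+", "", base)
    return base.translate(LEET)

def is_dictionary_based(pw, words=COMMON_WORDS):
    return pw.lower() in words or normalise(pw) in words

def keyspace_bits(pw):
    """Size of the bruteforce search space for a random password of this
    length over the character classes it uses, as log2(combinations)."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^a-zA-Z0-9]", pw): size += 33   # printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0

def crack_time_seconds(pw, guesses_per_second=1e10):
    """Time to exhaust the search space at an assumed rate; 1e10 guesses/s
    is a constructed figure for an offline attack against a fast hash."""
    return 2 ** keyspace_bits(pw) / guesses_per_second

def assess(pw):
    """Verdict and reason, following the rules given on this page."""
    if is_dictionary_based(pw):
        return "weak", "dictionary word with common mutations, found in seconds"
    if len(pw) < 12:
        return "weak", "shorter than 12 characters"
    if keyspace_bits(pw) < 70:
        return "fair", "too few character classes for its length"
    years = crack_time_seconds(pw) / (365 * 24 * 3600)
    return "strong", f"{keyspace_bits(pw):.0f} bits, about {years:.2g} years to exhaust"
```

Note that a 4-digit PIN scores only about 13 bits, which is why the page calls it easy to crack, while length raises the bits far faster than adding symbol classes does.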
What is social engineering?
Social engineering is a method of defrauding people through
psychological manipulation to reveal confidential information.
Attackers exploit human emotions such as fear, trust, curiosity or
helpfulness. It targets the "weakest link" – the human being.
Common methods:
• Pretexting: An attacker poses as IT support: "I'm conducting a security check. Give me your password."
• Baiting: A USB stick labelled "Salary_2024.xlsx" is found in the car park. You open it – malware installs itself!
• Tailgating: An unauthorised person follows you through a locked door into the office building by pretending to belong there.
• Authority: An attacker poses as your boss: "Transfer €5,000 to this account immediately."
• Scarcity: Artificial urgency: "This offer is valid today only! Order quickly!"
Examples:
• CEO fraud: An email supposedly from the CEO: "I'm in a meeting. Can you quickly transfer £50,000?" The email address resembles the real one but is a fake.
• Phone fraud (vishing): An attacker calls: "I'm from your bank. We've detected suspicious transactions. Give me your PIN for verification." Real banks NEVER ask for that!
• Fake support chat: "Your Microsoft computer has a critical update. A technician will contact you." The link leads to malware.
• USB baiting in company car park: You find a USB stick labelled "CONFIDENTIAL_2024". You plug it into your computer – malware infects your system!
Protection:
→ Verify the identity of requests – call the person directly (use a known number)
→ Legitimate organisations NEVER ask for passwords or PINs via email/phone
→ Do not accept USB sticks from unknown sources
→ If something sounds too good to be true, it's probably a scam
→ Think before you act – social engineers use pressure and urgency
→ Enable 2FA – attackers can't get in even with your password
What is a keylogger?
A keylogger is a program or device that records every keystroke you
make on your keyboard. This includes everything – passwords, emails,
chat messages, search history and personal data.
Types of keyloggers:
• Software keylogger: A program on your computer (installed via malware or fake downloads). It runs invisibly in the background.
• Hardware keylogger: A physical device between the keyboard and computer. The attacker must later collect it or retrieve the data.
• Wireless keylogger: A USB device that wirelessly transmits keystrokes.
Examples:
• Internet café scenario: You log into your bank. Unknown to you, a hardware keylogger has been installed between the keyboard and computer. Your password is recorded – the attacker later steals money from your account.
• Software keylogger via virus: You download a free app. It secretly installs a keylogger. Now your passwords for all accounts are being recorded.
• Keylogger on smartphone: A malicious app pretends to be a game. The keylogger captures your PIN and passwords as you type them.
Signs of a keylogger:
✗ Unexplained slowdown of the computer
✗ New keyboard cables or USB devices between keyboard and computer
✗ Your password no longer works or your account has been misused
✗ Unrecognised logins to your accounts from unknown locations
✗ Antivirus warnings about suspected malware
Protection:
→ Keep your operating system and antivirus software always up to date
→ Only download from trusted sources
→ Regularly check your keyboard for suspicious devices
→ Use the on-screen keyboard (with a mouse) for sensitive passwords – keyloggers don't capture that!
→ Use a password manager – it enters passwords directly without you typing them
→ Avoid public computers for sensitive transactions
→ Enable 2FA
What is Ransomware?
Ransomware is malicious software that encrypts all files on a computer and only releases them after payment of a ransom – usually in cryptocurrency. Even after paying, there is no guarantee of data recovery.
How does it work?
Infection usually occurs via phishing emails or insecure remote access. The malware explores the network, disables backups, then encrypts all reachable files. A ransom note then appears on the screen.
Well-known variants:
• WannaCry (2017): Infected over 200,000 computers in 150 countries within hours.
• LockBit: Uses "double extortion" – data is stolen and encrypted.
• RaaS: Ransomware-as-a-Service – criminals rent the infrastructure, no technical knowledge needed.
Protection:
→ Regular offline backups (3-2-1 rule)
→ Keep software and operating systems up to date
→ Never pay the ransom
→ Learn more: Ransomware →
What is MFA Bypass?
Multi-factor authentication protects accounts with a second factor. MFA bypass refers to techniques attackers use to specifically circumvent this protection – such as push bombing, SIM swapping, or real-time phishing.
Common techniques:
• MFA Fatigue: Attackers send dozens of push requests until the victim approves out of exhaustion.
• SIM Swapping: The phone number is transferred to a foreign SIM – the attacker receives all SMS codes.
• Session Token Theft: After login, malware steals the browser cookie and bypasses MFA entirely.
Protection:
→ Use hardware keys (FIDO2/YubiKey) – phishing-resistant
→ Always deny unexpected push requests
→ Replace SMS-MFA with an authenticator app
→ Learn more: MFA Bypass →
Which attack method is described in each scenario?