TL;DR
In this episode, you’ll discover three major attack vectors that hackers use to infiltrate online accounts and essential tips to safeguard your business.
Useful links
Tools mentioned in this episode
- 🆓 Mac Security Checklist: https://macpreneur.com/msc
- Sophos anti-malware: https://macpreneur.com/sophos
- Ka-Block! for Safari: Mac App Store link
- uBlock Origin: https://ublockorigin.com/
Past episodes mentioned during the show
- MP099: Mac Security Made Easy: Free Checklist to Protect Your Business & Boost Peace of Mind
- MP103: Exposed! The Silent Threat That Could Cripple Your Solopreneur Business
Why Solopreneurs Are Targets
Alright, let’s begin by recalling why solopreneurs are prime targets for cyberattacks.
In episode 103, we covered six reasons, with money being the biggest motivator.
This accounts for 60 to 75% of cyberattacks.
Hackers aim to gain access to your e-banking credentials, online payment processors, online store or website, online ad platforms, social media accounts, business email, email marketing services, and cloud storage accounts.
If you missed this episode, you can check it out by visiting macpreneur.com/episode103.
Three Attack Vectors
Attack Vector 1: Cloud and Online Service Providers
The first vector targets the cloud or online service provider you use, not you directly. If they get hacked, your username, password, and other personal info could be leaked.
Here’s a scary fact: in the first half of 2024, 1 billion online records were stolen, with a large chunk of that coming from the Ticketmaster hack.
According to Wikipedia, 35 companies have lost over 100 million records through data breaches, sometimes more than once. These breaches are often due to poor security practices, such as hacked servers, misconfigurations making data public, lost devices, or insider threats.
To check if your accounts have been compromised, visit Have I Been Pwned? (haveibeenpwned.com).
While it might seem out of your control, you can protect yourself by ensuring each of your online accounts has a unique username and password to reduce the risk if a breach occurs.
Attack Vector 2: Your Internet Connection
As solopreneurs, we connect multiple devices to the internet daily, whether at home, in coworking spaces, cafes, hotels, or conference rooms.
How safe is it to connect our Mac, iPhone, and iPad to a Wi-Fi access point?
The answer: The less control we have over it, the less safe it is. Even your home Wi-Fi router can be compromised, especially if it doesn’t automatically update its security.
For other Wi-Fi access points, remember that all Wi-Fi protocols, including the latest WPA3, have design and implementation flaws. In 2021, Belgian researcher Mathy Vanhoef discovered flaws that allow nearby attackers to inject and intercept traffic without knowing the Wi-Fi password. They can even redirect all internet queries through their own server.
The main issue: Intercepting traffic between your device and the online account can allow attackers to steal the session cookie. This small file is attached to each web request and authenticates you.
If an attacker gets your Instagram session cookie, they can log in as you without knowing your password and bypass any multi-factor authentication. Yes, it’s that bad.
Attack Vector 3: Social Engineering
The final vector is you.
Attackers often trick you into making a mistake that compromises your online accounts. This is called social engineering and it has many forms.
Phishing is the most common form. It tricks you into providing personal information like passwords or credit card details by enticing you to click on a link sent via email, SMS, instant messaging, social media posts, or direct messages.
In a previous episode, I shared how one of my clients lost access to his business Facebook page and had his credit card maxed out after an attacker ran ad campaigns from the stolen page. The attacker posed as a Facebook support person, posted a comment on my client’s page with a link, and tricked him into entering his password and six-digit code, thus transferring ownership of the page.
Similarly, my daughter once clicked on a link promising free Robux for Roblox. She ended up giving the attacker her session cookie. By morning, all her Robux were gone. Fortunately, I had set up a parental lock pin, which prevented the attacker from changing her password, allowing us to regain control of her account.
Attackers can also use these links to direct you to malicious websites that exploit browser vulnerabilities and install malware on your device. This malware can monitor your activities, capture usernames and passwords, and even redirect traffic to steal session cookies.
Always be cautious of unsolicited links and keep your devices and applications up to date to protect against these threats.
Six Best Practices for Online Security
To reduce the risk of your online accounts being hacked, follow these six best practices:
1. Robust Authentication
- Passwords: Think of your password like the lock on your front door. You wouldn’t use the same key for your house, car, and office safe, right? Use a password manager to create and store unique, complex passwords for each account. You’ll only need to remember one master password.
- Two-Factor Authentication: Enable it wherever possible. It adds an extra layer of security by requiring a second form of verification, like a phone or another device.
- Unique Usernames: If possible, use unique usernames for different accounts to make it harder for hackers to piece things together.
I’ll cover this topic in more detail in the next episode, episode 105.
2. Email Safety
Avoid clicking on suspicious links and opening unexpected attachments. Always confirm with the sender first.
- Spam Filtering: Ensure you have good spam filtering in place. Gmail and Outlook have strong built-in filters. For Apple Mail, enable junk mail filtering in the Mail settings.
- Attachments: Be wary of attachments; they can hide malware. Gmail and Outlook automatically scan for malware, but Apple Mail does not. You can manually upload attachments to VirusTotal for free scans by over 60 security vendors.
- Anti-Malware Tools: Consider using a third-party anti-malware tool for automatic scanning.
Sophos Affiliate Promotion
I recommend Sophos for low-cost Mac protection. It covers up to 10 devices and includes web browsing rules for kids. Try it free for 30 days at macpreneur.com/sophos. If you become a customer using my link, I earn a small commission at no cost to you. Thanks for supporting the Macpreneur podcast!
3. URL Awareness
- Reading URLs: Understand how to read URLs properly. For example, a link to “facebook.com.login.page/home” might look like a Facebook login page, but “login.page” is actually the main domain.
- Shortened URLs: Use VirusTotal to expand and check the security of shortened URLs.
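The right-to-left reading of a link described under "Reading URLs", as an added Python example (not part of the original show notes). It splits a host name into subdomain, registered domain and suffix; the suffix set is a small constructed stand-in for the Public Suffix List, and `split_host` and `belongs_to` are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (assumption for this example). A real check should load the full list
# published at publicsuffix.org, which also has wildcard and exception rules.
PUBLIC_SUFFIXES = {"com", "org", "net", "page", "uk", "co.uk"}


def split_host(url):
    """Return (subdomain, registrable_domain, public_suffix) for a URL.

    Hypothetical helper written for this example.
    """
    if "://" not in url:
        url = "https://" + url  # urlsplit only recognises a host after a scheme
    host = urlsplit(url).hostname  # lower-cased, port and credentials removed
    if not host:
        raise ValueError("no host in URL")
    host = host.rstrip(".")

    # An IP address has no domain hierarchy to read.
    try:
        ipaddress.ip_address(host)
        return "", host, ""
    except ValueError:
        pass

    labels = host.split(".")
    if "" in labels:
        raise ValueError("empty label in host name")

    # Read from the right: keep the longest run of trailing labels that is a
    # known public suffix ("page", "co.uk", ...).
    suffix_len = 0
    for n in range(1, len(labels) + 1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix_len = n
    if suffix_len == 0:
        suffix_len = 1  # unknown ending: treat the last label as the suffix
    if len(labels) <= suffix_len:
        raise ValueError("host is only a public suffix")

    cut = suffix_len + 1  # suffix plus the one label that was registered
    return (".".join(labels[:-cut]),
            ".".join(labels[-cut:]),
            ".".join(labels[-suffix_len:]))


def belongs_to(url, expected_domain):
    """True only when the registrable domain of url is expected_domain."""
    return split_host(url)[1] == expected_domain.lower()


if __name__ == "__main__":
    for link in ("facebook.com.login.page/home",          # example from the text
                 "https://www.facebook.com/login",         # constructed sample
                 "https://shop.example.co.uk:8443/cart"):  # constructed sample
        sub, domain, suffix = split_host(link)
        print(f"{link}\n  registered domain: {domain}  subdomain: {sub or '-'}")
```

The `co.uk` entry shows why a suffix list is needed: for such endings the registered name is the third label from the right, not the second.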
4. Browser Hygiene
- Content Blockers: Install a content blocker like Ka-Block! for Safari or uBlock Origin for other browsers to block unwanted ads and threats.
- Signing Out: Always sign out of critical business accounts, especially when traveling. This clears your session cookie. Using a private browsing session can also help by automatically clearing cookies when you close the window.
5. Keep Everything Updated
Regularly update your applications and devices, including your internet router. Set aside time weekly to check for updates.
6. Use VPNs
- VPN Usage: Use a VPN when connecting to untrusted Wi-Fi networks. A VPN encrypts your traffic, making it harder for hackers to intercept.
- Tunnel Vision Flaw: Some VPN providers have a flaw called Tunnel Vision. Check your provider’s website for a security advisory on this issue. If they don’t have one, consider switching providers.
By following these practices, you can significantly enhance your online security and protect your valuable information.
AI Threats
Social engineering is becoming harder to detect and combat due to the rise of artificial intelligence.
With the right tools, it only takes a few seconds of video and a static image for someone to create a deepfake video of you. When the stakes are high, like millions of dollars, this can lead to significant losses.
For example, in February 2024, a multinational company lost about $25 million after a finance worker in Hong Kong was tricked during a live Zoom call. Everyone else in the meeting, including a fake CFO, was a deepfake version of colleagues from the UK headquarters.
Initially suspicious after receiving an email, the finance worker proceeded with the transfer because he recognized the faces and voices of colleagues he had interacted with before.
In today’s world, we must treat all digital communications with caution and suspicion, while also avoiding irrational paranoia. It’s a tricky balance to maintain, but it’s crucial for protecting ourselves and our businesses.
Recap
To recap, we reviewed the main points from episode 103 and explored three attack vectors: the cloud, the connection between your devices and the internet, and social engineering.
We then covered six best practices to keep your online accounts safe:
- Use unique, strong passwords and enable two-factor authentication.
- Be cautious with emails and attachments.
- Double-check URLs and use content blockers.
- Sign out of important accounts manually.
- Keep everything updated.
- Use a reputable VPN when on public Wi-Fi.
Implement these steps, and you’ll be well on your way to a more secure online presence for your business.
Mac Security Checklist
Securing your online accounts is just half the battle. The other half is keeping your devices, especially your Mac, secure.
For this, follow the Mac Security Checklist covered in Episode 99. If you haven’t downloaded it yet, visit macpreneur.com/msc.
If you need help with the checklist, listen to or watch Episode 99. Your future self and your clients will thank you for taking proactive steps against cyber threats.
Conclusion and next
So that’s it for today.
In the next episode, I will dive deeper into the topic of strong authentication, including creating and managing passwords, which I know is a pain in the neck for many solopreneurs.
Make sure to subscribe or follow this podcast so you get it automatically next week.
Cheers,
Damien
Full transcript
Stop Hackers in Their Tracks! Simple Strategies for Solopreneurs using Mac
Teaser
Hey, my fellow solopreneur, have you ever wondered how you can keep your online accounts safe from hackers?
Today, I will reveal three attack vectors and share essential tips to safeguard your accounts and keep your business running smoothly.
Stay tuned till the end because we will also cover a real-life story where a business lost millions due to a surprising new technique.
I will unpack all of this after the intro.
Welcome
Hello, hello and welcome to episode 104 of the Macpreneur podcast. Whether it’s your first time or you’re a long-time listener, I appreciate that you carve out some time in your busy solopreneur schedule. I have created Macpreneur to help as many solopreneurs as possible save time and money running their businesses on their Macs.
Now, in order to give you the most relevant Mac productivity tips and information, I need to know how well you’re currently dealing with the three killers of Mac productivity, namely unnecessary clicks, repetitive typing, and file clutter.
For that, just visit macpreneur.com/tips and answer a few questions, which will take you less than two minutes. After submitting your answers, you will receive personalized time-saving tips based on your results.
Once again, visit macpreneur.com/tips and start boosting your efficiency today.
Introduction
As busy solopreneurs, we know the risks of getting hacked are out there, but let’s be honest, between client calls, content creation, and trying to have a life, who has time to become a cybersecurity expert?
The problem is not knowing where an attack could come from and how to protect ourselves can leave our businesses vulnerable to attacks, which could cost us time, money, and reputation.
The good news is, you don’t need a computer science degree to safeguard your online accounts. And we will cover some straightforward, effective strategies that even the busiest solopreneur can implement. Think of it as your digital shield against the dark arts of hacking.
Now, I’ve split this episode into three parts.
First, I will quickly recap episode 103, which covered why solopreneurs can be targets of cyberattacks. Then, I will explain the three main attack vectors, and finally cover six security best practices that will help you protect your online accounts.
Why Solopreneurs Are Targets
Okay, let’s start by reminding ourselves why solopreneurs are targeted in the first place.
Among the six motivations that we discussed in episode 103, money is by far the biggest, accounting for between 60 and 75% of cyber attacks. And the way that they can do that is by compromising your e-banking credentials, your online payment processor, your online store or website, your online ad platforms, your social media accounts, your business email and email marketing service, and lastly your cloud storage account.
If you missed this episode, you can check it out by visiting macpreneur.com/episode103.
Attack Vector 1: Cloud and Online Service Providers
Now that we’ve refreshed our memory about why we are potentially targets, let’s explore three attack vectors.
The first vector doesn’t involve you at all, as it’s the cloud or online service provider you use that is attacked directly, and that may leak your username, password, and any other personal information that they have about you.
Here’s a scary fact. In the first half of 2024, 1 billion, with a B, of online records have already been stolen, and it’s a little bit more than half of that when Ticketmaster got hacked.
And according to Wikipedia, there are 35 companies that have lost more than 100 million records through data breaches, some of them multiple times.
The main causes are poor security practices. Their server got hacked, misconfiguration of some sort that accidentally makes data publicly available, or they lost a computer or digital media, or it has been an inside job.
You can double-check whether any of your online accounts have been compromised in a breach by visiting Have I Been Pwned? So there are no spaces and PWNED at the end. haveibeenpwned.com.
It might seem that matters are completely out of your hands here, but it’s not true. At the minimum, you can make sure that your online accounts use unique usernames and passwords to minimize reusability in case of a data breach.
Attack Vector 2: Internet Connection Vulnerabilities
The second vector is your connection to the internet.
As solopreneurs, we use multiple devices all day long, whether from home, a coworking space, cafe, hotel, or conference room when we travel.
So the question is, how safe is it to connect our Mac, iPhone, and iPad to a Wi-Fi access point?
Well, the answer is that the less control we have over it, the less safe it is to use.
Even the Wi-Fi router in your house is susceptible to getting compromised, especially if it doesn’t automatically check for and install critical security updates.
And for all other Wi-Fi access points, it’s important to realize that there are many design and implementation flaws in all Wi-Fi protocols, including the latest one, WPA3.
Some have been discovered in 2021 by a Belgian researcher named Mathy Vanhoef, who demonstrated that some flaws allow anyone near a Wi-Fi access point to inject and intercept traffic without knowing the Wi-Fi password. And they can even redirect all internet queries through their own server.
The main issue here is that intercepting the traffic between your device and the online account that you connect to potentially allows sophisticated attackers to steal what is called the session cookie.
It’s a small file that is attached to each web request and that authenticates you.
For instance, if someone got hold of your Instagram session cookie, they could log into Instagram as you without needing to even know your password and bypassing any multi-factor authentication that you might have put in place.
Yes, it is that bad.
Attack Vector 3: Social Engineering
The third and last vector is you.
One way or another, attackers manage to induce you to make a mistake that allows them to compromise your online accounts.
At a high level, we call that social engineering, and it comes in many forms.
The most prevalent one is called phishing, which starts with “PH,” and consists of tricking you into providing personal information such as passwords or credit card information.
This is usually done by enticing you to click on a link sent by email, via SMS, instant messaging, in social media posts, or even via direct messages.
In the previous episode, I mentioned that one of my clients lost access to his business Facebook page and subsequently had his credit card maxed out after the attacker ran ad campaigns from the stolen page.
Well, the attacker posed as a Facebook support person and posted a comment on my client’s Facebook page. This comment contained a specially crafted link that transferred ownership of the page to the attacker’s account. After clicking on the link, my client was invited to enter his password and then the six-digit code, which is a standard procedure, but he failed to realize what was really happening. He contacted me a few days later, but it was already too late.
Similarly, clicking on a specially crafted link allows attackers to get hold of the session cookie.
This happened to my daughter, who thought she was joining a lottery to win free Robux, which is the currency in a game called Roblox, when instead she gave the attacker her Roblox session cookie. It was in the evening; then she went to bed, and in the morning, all her Robuxes were gone.
Luckily, I had created a parental lock pin that prevented the attacker from changing the password. In other words, she had only “quote unquote” lost money and managed to keep control of her account.
This allowed me to deactivate all active session cookies to log out the hacker from her account afterward.
In some cases, the link directs you to a malicious website that exploits known browser vulnerabilities, allowing them to install malware on your computer. In other cases, you might download a specially crafted document, like a PDF, or Microsoft Office, or an iWork document, that also aims to exploit a known vulnerability either in the associated application or at the operating system level.
Once malware is running on your device, attackers can monitor everything you do, including when you enter usernames and passwords, and catch them at that moment.
They can also redirect traffic for certain websites, again with the aim to exfiltrate the session cookies, for instance.
Six Best Practices for Online Security
So, to minimize the risk of getting your online accounts hacked, here are six best practices.
Number one, robust authentication. But what do I mean by that?
First up, let’s talk passwords.
I know, I know, it’s not the most exciting topic, but hear me out.
Imagine that your password is like the lock on your front door.
You wouldn’t use the same key for your house, your car, and the safe in your office, right?
The same goes for your online accounts.
So, use a password manager to create and store unique, complex passwords for each account. It’s like having a super secure keychain that does all the remembering for you.
And yes, if you’re thinking: “But I will never remember all those passwords!”
Well, that’s the point.
You only need to remember one master password.
Next, enable two-factor authentication wherever possible. It’s like adding a security guard to that locked door. Even if someone guesses your password, they would still need your phone or another device to get in.
A pro tip, if you can, use unique usernames for different accounts too. It makes it even harder for the bad guys to piece things together.
Now to keep this episode short and sweet, I will cover this topic in much more detail in the next episode, episode 105.
Email Safety
Number 2, let’s talk about your inbox. Now it’s not just for client communications and newsletters, it’s also a potential gateway for hackers.
First, make sure that you have good spam filtering in place. Now, if you’re using Gmail or Outlook, you’re in luck because they have pretty solid filters built in.
For Apple Mail users, do not forget to enable junk mail filtering by visiting the Mail menu in the top left corner, then Settings or Preferences, and then the junk mail tab.
But what about those pesky attachments? Well, they could be hiding malware too.
Again, Gmail and Outlook have your back with automatic malware scanning. For Apple Mail on your Mac, unfortunately, there is no such automatic mechanism.
One thing that you could do is manually upload the attachment to VirusTotal at virustotal.com and get it scanned by more than 60 different security vendors. And the good news is, it’s totally free.
Now, if you’d like email attachments to be scanned as soon as they land in the inbox on your Mac, then you might want to consider a third-party anti-malware tool.
Sophos Affiliate Promotion
And if you’re still looking for a low-cost protection for your Mac, I wholeheartedly recommend you to consider Sophos.
With a paid plan, you can protect up to 10 computers, Macs or PCs, and everything is configured through an intuitive web portal.
And if you have kids, you can also easily configure some web browsing rules that they won’t be able to circumvent.
You can try Sophos for free for 30 days using my affiliate link: macpreneur.com/sophos.
Download and install Sophos, then create an account, no credit card required.
And if you end up becoming a Sophos customer after using my affiliate link, I will get a small commission at no cost to you.
It’s like a virtual high five for recommending stuff that I love and that I use.
So thanks in advance for supporting me and the Macpreneur podcast. Once again, visit macpreneur.com/sophos to start your 30-day free trial today.
Back to email safety.
Remember when in doubt, do not click on suspicious links and do not open unexpected attachments.
It’s better to ask the sender to resend or confirm rather than risking your entire business.
URL Awareness
In some cases, and this is where best practice number three comes in, you might be able to spot the issue by yourself, which is why being able to properly read URLs is a skill that every solopreneur should master.
For instance, would it be safe to click on a link directing you to facebook.com.login.page/home? Hmm.
At first glance, it would seem that we are heading to the login page of Facebook, but unfortunately, this is far from reality.
Why? Because unlike traditional English, which reads from left to right, URLs need to be read from right to left. And the first thing to check is called the top-level domain, which is the word between the last dot and the first slash.
In this case, it would be “page” and not “com”.
And from there, going left until the previous dot, we get the main domain name, which is “login” in this example.
So, in other words, someone has registered the domain “login.page”.
Anything before that is called a subdomain. For instance, “www” is a subdomain.
And in this example, “facebook.com” would be the subdomain.
Now, Facebook cannot prevent that simply because the owner of “login.page” has full control of the subdomains and they can create as many as they want, however they want.
So, always double-check URLs before entering any sensitive information.
Now, if you receive shortened URLs, like those created with Bitly for instance, you can submit them to VirusTotal, which will expand them multiple times if needed and then give you a security score for the final destination URL.
Browser Hygiene
Now, number four, let’s talk about browser hygiene. It’s probably open right now, isn’t it?
Here’s a quick tip: install a content blocker. It’s like a bouncer for your browser, keeping out unwanted advertisements and potential threats.
For Safari, I’m using Ka-Block!, available for free on the Mac App Store. And for other browsers, namely Chrome, Firefox, Edge, Opera, and any Chromium derivative, I am using uBlock Origin. It is free and open source.
Also, get into the habit of manually signing out of your critical business account, especially when you’re traveling or there’s a high risk that someone could have physical access to your devices. Closing the browser tab is not enough.
You need to actually hit that sign out button to clear your session cookie.
You could also empty the browser cache, but it’s much more complicated than signing out.
A pro tip: when using someone else’s computer or device, launch a private browsing or incognito session. Not only will it prevent any history from being saved, but closing the window for such a browsing session will clear the session cookie automatically, even if you forget to sign out.
Update everything
Number 5: Keep your applications and devices, including your internet router, up to date.
I know, I know, these update notifications can be annoying, but they are crucial.
Keeping everything updated is like patching holes in your digital fence. Set aside some time, at the minimum, once per week, to check for and install updates. Your future self will thank you.
Using VPNs
And finally, number six, use a VPN, which stands for Virtual Private Network, when you are connecting your Mac or iPhone/iPad to an untrusted Wi-Fi access point, like in a cafe or a coworking space.
Theoretically, a VPN encrypts all the traffic between your device and a server on the internet that is controlled by the VPN provider. This makes it impossible for anyone on the same Wi-Fi network as you to intercept your traffic. Without a VPN, attackers could change the URL that you visit, or they could grab your session cookies.
However, in May 2024, security researchers reminded everyone that a serious implementation flaw exists for some VPN providers and affects some devices more than others.
This flaw has been dubbed Tunnel Vision, and when exploited, it forces the victim’s machine to ignore the VPN and redirects the traffic through their own machine.
Android devices are immune to that flaw, and some VPN providers mitigate the issue by detecting whether the VPN tunnel is bypassed or not, informing the user of the problem.
Based on my research, it seems that iPhones and iPads are the most susceptible to it because Apple doesn’t give app developers enough visibility, preventing them from detecting any problem.
Whichever VPN provider you choose or already use, check their website and look for a security advisory linked to Tunnel Vision. If they didn’t provide any advisory, I’d recommend switching to another provider.
AI Threats
Before concluding this episode, there is one more thing I’d like to mention.
Social engineering is much more difficult to detect and fight against because of the rise of artificial intelligence.
With the right tools, it only takes a few seconds of video and a static image for anyone with bad intent to create a deepfake video of you.
And when the potential gain is high, I mean millions of dollars high, check this real-life story that was reported in February of 2024: a multinational company lost about 25 million dollars after a finance worker in Hong Kong got tricked during a live Zoom call.
Yes. Apart from him, everyone else in the meeting was a deepfake version of colleagues from the UK headquarters, including a fake chief financial officer.
So the person who got tricked had doubts after receiving the initial email, but during the call, he recognized colleagues that he had already interacted with in the past, so he proceeded with the bank transfer.
It’s so sad to say, but nowadays we need to treat all digital communications with utmost caution and suspicion, while avoiding irrational paranoia at the same time. It’s a very tricky exercise for sure.
Recap
So to recap, we have quickly reviewed the main points covered in episode 103, then explored three attack vectors: the cloud, the connection between your devices and the internet, and finally, social engineering. Then we covered six best practices to keep your online accounts safe.
First, use unique, strong passwords and two-factor authentication. Be cautious with emails and attachments, double-check URLs, and use content blockers.
Sign out of important accounts manually, keep everything updated, and use a reputable VPN when using public Wi-Fi. Implement these steps, and you will be well on your way to a more secure online presence for your business.
Mac Security Checklist
As explained earlier, it’s only half the battle against cyber threats. The other half is keeping your devices secure, and most importantly, your Mac.
How?
By going through the checklist that I covered in Episode 99.
So, if you haven’t downloaded it yet, remember to visit macpreneur.com/msc for Mac Security Checklist.
And if you need help going through the checklist, just listen to or watch Episode 99.
Your future self and your clients will thank you later for taking proactive steps against cyber threats.
Conclusion and next
If you enjoyed this episode, please share it with a fellow solopreneur and tag me on Instagram. My handle is @macpreneurfm.
So that’s it for today.
In the next episode, I will dive deeper into the topic of strong authentication, including creating and managing passwords, which I know is a pain in the neck for many solopreneurs.
So, make sure to subscribe or follow this podcast to get it automatically next week.
And until next time, I’m Damien Schreurs, wishing you a great day.
Thank you for listening to the Macpreneur Podcast. If you’ve enjoyed the show, please leave a review and share it with a friend right now.