Most of us are very concerned about data breaches. They have the potential to expose usernames, passwords, and other types of confidential information. (If you’re smart, you’re working with IT cybersecurity professionals to protect your data on every front.)

Unfortunately, the majority of account takeovers actually come from simple phishing attacks, where someone in an organization gets tricked into releasing private credentials and information.

This information comes according to Google, who released the results of a year-long study on the root causes of account takeovers in Nov. 2017.  This study was conducted between March 2016 and March 2017 in conjunction with researchers from the University of California, Berkeley.

The results revealed that phishing is far more dangerous to user confidentiality than data breaches because phishers collect additional information.

Google and the University of California researchers found that people who were tricked into handing over their username, password, and other details to phishers were 400 times more likely to have their accounts hijacked compared to a random Google user. In contrast, those whose credentials were leaked in a third-party breach were only 10 times more likely to have their account taken over.



Image Google


While data breaches are certainly very destructive, Google’s study discovered that phishing is a much more dangerous threat to users in terms of account hijacking.

The research found 1.9 billion credentials that were exposed by data breaches affecting users of MySpace, Adobe, LinkedIn, Dropbox and several dating sites. Most were being traded on private forums.

Despite these numbers, only 7 percent of credentials exposed in data breaches match the passwords used by its billion Gmail users.  In comparison, a quarter of 3.8 million credentials exposed in phishing attacks matched the current Google password.

Phishing victims were 400 times more likely to have their account compromised than a normal Google user.

Once a user’s account is compromised, their credentials are illegally sold underground. “Enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets,” said Kurt Thomas, a member of Google’s anti-abuse research team, and Angelika Moscicki, from Google account security.

Phishing—The Greater Threat

Phishing kits contain prepackaged, fake login pages that imitate popular websites such as Gmail, Yahoo, Hotmail, and online banking sites. Criminals upload them to vulnerable websites to automatically capture and copy a user’s credentials to their accounts.

In addition, the researchers discovered that:

  • 83 percent of 10,000 phishing kits collect victims’ geolocation, and 18 percent collect phone numbers.
  • 41 percent of phishing kit criminals are from Nigeria. The next biggest group of culprits are in the US, and account for 11 percent of all phishing kit usage.
  • 72 percent of the phishing kits use a Gmail account to send captured credentials to the attacker. By comparison, only 6.8 percent used Yahoo, the second most popular service for phishing-kit operators. The phishing kits used were sending 234,887 potentially valid credentials every week.
  • Most victims of phishing were from the US.
  • Gmail users are the largest group of phishing victims, accounting for 27 percent of the total in the study—Yahoo phishing victims follow at 12 percent.


  Image Google


Now That You’ve Seen the Danger, What Can You Do to Prevent Phishing Attacks? Follow These 6 Important Steps to Keep Your Network Secure: 

  1. Be on The Lookout for Phishing Attempts.

Beware of messages that:

  • Try to solicit your curiosity or trust.
  • Contain a link that you must “check out now.”
  • Contain a downloadable file like a photo, music, document or .pdf file.

Don’t believe messages that:

  • Contain an urgent call to action.
  • Express an immediate need to address a problem that requires you to verify information.
  • Urgently ask for your help.
  • Ask you to donate to a charitable cause.
  • Indicate you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.

Be on the lookout for messages that:

  • Respond to a question you never asked.
  • Create distrust.
  • Try to start a conflict.

Watch for flags like:

  • Misspellings
  • Typos
  • Strange email addresses 
  1. Always Use Secure Passwords.
  • Turn on Two-Factor Authentication if it’s available. (The researchers noted that using this can mitigate the threat of phishing.)
  • Never use words found in the dictionary or your family names.
  • Never reuse passwords across your various accounts.
  • Consider using a Password Manager (e.g., LastPass or 1Password)
  • Use password complexity (e.g., P@ssword1).
  • Create a unique password for work.
  • Change passwords at least quarterly.
  • Use passwords with 9+ characters.
  1. Keep Your Passwords Secure
  • Don’t write down passwords.
  • Don’t email them.
  • Don’t include a password in a non-encrypted stored document.
  • Don’t tell anyone your password.
  • Don’t speak your password over the phone.
  • Don’t hint at the format of your password.
  • Don’t use the “Remember Password” feature of application programs such as Internet Explorer, Portfolio Center or others.
  • Don’t use your corporate or network password on an account over the Internet that doesn’t have a secure login – where the web browser address starts with http:// instead of https://. If the web address begins with https://, your computer is talking to the website in a secure code that no one can eavesdrop on. There should be a small lock next to the address. If not, don’t type in your password.

If you believe your password may have been breached, you can always change it.

  1. Regularly Backup Your Data Onsite and Remotely. 
  • Maintain at least 3 copies of everything.
  • Store all data on at least two types of media.
  • Keep a copy of your data in an alternate location.

If you haven’t backed up your data, and you’re attacked, it’s gone forever. 

  1. Secure Open Wi-Fi with a
  • Don’t go to sites that require your personal information like your user name or password.
  • Limit your access to using sites with: https://
  • Don’t connect if all the Wi-Fi networks you have ever accessed appear as “Available.”
  1. Hire a Reputable IT Company to Conduct Testing and Security Awareness Training for Your Employees.
  • Conduct a Social Engineering Test
  • Share the Results with Your Staff
  • Debrief and Train Your Users
  • Test Again each Year!

Don’t risk your data to the phishers. Cross Link Consulting can keep your data secure. Our Cybersecurity Experts are trained in the latest security tools and services. Contact us if you have any questions or require guidance on this or other IT subjects: Call (803) 279-1100 or send an email to:


Need A Second Opinion?


Book Your Complimentary IT Review

Sign Up Below

Crosslink will never sell or rent your
contact information. Your info is secure with us.