Staying safe online beyond national cybersecurity awareness month

Last week, we talked about access management and its role in securing businesses from cyber threats as part of our National Cybersecurity Awareness Month (NCSAM) campaign. Today, we will take you through what’s putting your personal accounts at risk, and share tips from our partners on how to stay better protected.

So let’s start by identifying three of the biggest threats to personal accounts: phishing, SIM swapping, and database leaks.

Phishing

By using fake websites and emails that look genuine, attackers lure you into providing your login credentials, personally identifiable information (PII), and other private data, such as banking and credit card numbers. This is called phishing. These stolen credentials are used to take over your account. From there, an attacker can lock you out and even compromise your other accounts through password reset flows.

Last year, 51% of respondents in our 2019 State of Password and Authentication Security Behaviors Report said they have experienced a phishing attack on their personal accounts, while 44% experienced one at work.

SIM Swapping

SIM swap attacks are becoming increasingly common, particularly against individuals with a lot to lose financially. In these scenarios, the attacker poses as the account holder (usually using pieces of PII they’ve gathered elsewhere) and convinces your mobile service provider to move your phone number to a SIM card in a phone they control. Once the transfer completes, any one-time passcode (OTP) sent by text to your number arrives on the attacker’s phone instead of yours.

From there, the attacker can perform password resets on any of your accounts that use text-based (SMS) 2FA or that accept a text message as proof of identity during account recovery. In practice the attacker often only needs to take over your email account, because if you use the same email address for all your accounts, every other service’s password reset link lands in a mailbox they now control. Here’s a real-life example that cost one individual $100,000.

Database Leaks

A database leak occurs when a service provider is breached and the attacker accesses the database of stored user credentials. The information from those databases often ends up on the black market for other attackers to use. There are countless examples of data breaches we could reference (the theft of one billion Yahoo! account records, disclosed in 2016; the Equifax breach affecting 143 million American consumers in 2017). There’s really nothing you can do as the account holder to ensure the service provider is properly storing your password, for example with a random per-user salt and a deliberately slow hashing function rather than in plaintext or as a fast unsalted hash.

You’ve probably been told that the longer and more complex you make your password, the stronger it will be. Sure, long passwords with numbers and symbols are hard to guess, but even the most complex and unique password won’t stop attackers when the service stored it poorly and they have pulled it straight out of a breached database. Attackers then replay those email-and-password pairs against other popular services (known as credential stuffing), and every account where you reused the password falls with it. That’s why it’s a good idea to use a different password for each and every account you have. Doing so limits your exposure to the one breached service rather than to everything you log into.
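To make the two points above concrete, here is an added example (written for this post, not Yubico’s or any partner’s code) using only the Python standard library. It builds a constructed, hypothetical “leaked” user table stored as unsalted SHA-1, cracks it offline with a tiny wordlist, shows what salted, slow storage (PBKDF2 here) looks like on a better-run second service, and then replays the cracked pairs against that second service to show that proper hashing there does not save a user who reused the password. All user names, passwords and the wordlist are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample "leaked" table from a careless service: unsalted SHA-1.
# Identical passwords are visible as identical hashes before any cracking.
WEAK_LEAK = {
    "alice@example.com": hashlib.sha1(b"Summer2019!").hexdigest(),
    "bob@example.com":   hashlib.sha1(b"Summer2019!").hexdigest(),
    "carol@example.com": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# Constructed attacker wordlist (real ones have billions of entries).
WORDLIST = ["password", "Summer2019!", "letmein", "Winter2019!"]

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; tune upward in production


def crack_unsalted(leak: dict, wordlist: list) -> dict:
    """Offline dictionary attack on unsalted fast hashes.

    With no salt, one hash per candidate word is compared against *every*
    user at once, so cost does not grow with the number of victims.
    Returns {user: recovered_password} for every hit.
    """
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leak.items() if h in lookup}


def store_password(password: str) -> tuple:
    """What 'properly storing' a password means: random per-user salt plus
    a slow key-derivation function, so each user must be attacked separately
    and each guess costs real CPU time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# A second, better-run service (constructed). Alice reused her password
# from the leaked service; Bob used a unique one.
OTHER_SERVICE = {
    "alice@example.com": store_password("Summer2019!"),
    "bob@example.com":   store_password("unique-for-this-site-9f2a"),
}


def credential_stuffing(cracked: dict, service: dict) -> list:
    """Replay each cracked email/password pair against another service.

    The second service's salted, slow hashing is irrelevant here: the attacker
    is not cracking anything, just logging in with a password the user reused.
    """
    return [user for user, pw in cracked.items()
            if user in service and verify_password(pw, *service[user])]


def run_demo() -> list:
    cracked = crack_unsalted(WEAK_LEAK, WORDLIST)
    return credential_stuffing(cracked, OTHER_SERVICE)


if __name__ == "__main__":
    print("cracked from weak leak:", crack_unsalted(WEAK_LEAK, WORDLIST))
    print("accounts also opened elsewhere:", run_demo())
```

Run it and Alice and Bob both fall out of the weak leak in one wordlist pass, but only Alice’s account on the second service opens, because she is the one who reused the password. Note also that storing the same password twice with `store_password` yields two different digests, which is exactly the property the unsalted table lacks.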

Our Advice

You don’t have to feel defeated or helpless against these attacks. You can still protect your accounts by enabling strong two-factor authentication (2FA) or multi-factor authentication (MFA) across the services you use. There are multiple types of 2FA and MFA: avoid SMS (we explain why here). We believe hardware is not only easy to use but also stronger, because every attack described above is carried out remotely, while using a hardware security key like a YubiKey requires physical possession of the key. Since you’re here reading our blog, we recommend you check out the YubiKey and explore all the services that work with YubiKeys.
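The difference between “avoid SMS” and “use a hardware key” comes down to what the second factor actually proves, and a short added example makes it visible. The code below is written for this post and is not Yubico’s code or any real FIDO/WebAuthn library; it uses only the Python standard library. The first half implements the standard HOTP/TOTP one-time code algorithm (RFC 4226/6238) and shows that a code typed into a phishing page can simply be forwarded to the real site within its time window. The second half is a simplified model of a hardware security key: a per-site key that never leaves the device, and an assertion over the site identifier plus the server’s challenge. The HMAC used there stands in for the real public-key signature, and all domains, secrets and challenges are constructed for the demo.

```python
import hashlib
import hmac
import struct

# ---- One-time codes (SMS or authenticator app), RFC 4226 / RFC 6238 ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30 s counter."""
    return hotp(secret, now // step)


def otp_server_accepts(secret: bytes, submitted: str, now: int) -> bool:
    """The real site sees only digits; it cannot tell who typed them, or where."""
    return hmac.compare_digest(submitted, totp(secret, now))


def phish_relay_otp(secret: bytes, now: int) -> bool:
    """Victim enters the code on a fake login page; the attacker forwards it
    to the real site a few seconds later, inside the same 30 s window."""
    stolen = totp(secret, now)                       # typed into the phishing page
    return otp_server_accepts(secret, stolen, now + 5)  # replayed by the attacker


# ---- Hardware security key, simplified FIDO-style model ----
# Simulation only: HMAC stands in for the device's public-key signature.

class SecurityKey:
    def __init__(self, device_secret: bytes):
        self._secret = device_secret  # never leaves the device

    def _site_key(self, rp_id: str) -> bytes:
        # One key per site (relying party), derived from the device secret.
        return hmac.new(self._secret, rp_id.encode(), hashlib.sha256).digest()

    def assertion(self, rp_id: str, challenge: bytes) -> bytes:
        # rp_id is supplied by the browser from the page's origin, never
        # by the user, so a phishing page cannot claim to be the real site.
        message = rp_id.encode() + b"\x00" + challenge
        return hmac.new(self._site_key(rp_id), message, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, rp_id: str, registered: SecurityKey):
        self.rp_id = rp_id
        # Real servers store the credential's public key at registration;
        # the simulation stores the matching verification key instead.
        self._verify_key = registered._site_key(rp_id)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        message = self.rp_id.encode() + b"\x00" + challenge
        expected = hmac.new(self._verify_key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def phish_relay_fido(key: SecurityKey, rp: RelyingParty, phishing_origin: str) -> bool:
    """Same relay attack against a hardware key. The attacker fetches a real
    challenge and shows it on the fake page, but the victim's browser passes
    the phishing origin to the key, so the assertion is bound to the wrong
    site and the real server rejects it. (A real key would not even find a
    credential registered for that origin.)"""
    challenge = b"server-nonce-0001"  # constructed; obtained from the real site
    assertion = key.assertion(phishing_origin, challenge)
    return rp.verify(challenge, assertion)


if __name__ == "__main__":
    seed, now = b"shared-totp-seed", 1_700_000_010
    print("OTP relay accepted by real site:", phish_relay_otp(seed, now))
    key = SecurityKey(b"device-secret")
    rp = RelyingParty("example.com", key)
    print("hardware-key relay accepted:", phish_relay_fido(key, rp, "examp1e.com"))
```

The first relay succeeds and the second fails for a structural reason, not a stronger secret: an OTP is just a number the user can be tricked into handing over, whereas the hardware key’s response is tied to the site the browser is actually on. That is the property that makes a security key phishing-resistant, on top of the physical-possession requirement mentioned above.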

Most of us have friends or family members in need of basic account security advice. The trick is figuring out how to help without losing them in the details as you watch their eyes glaze over with boredom or confusion. Below, you’ll find 10 steps that any person can take to protect their personal accounts from the attacks we talked about today. If you feel your personal threat model isn’t addressed by this blog, hang tight! More tips are coming!

10 Steps from Yubico to Protect Your Personal Accounts 

1. Get a YubiKey (Hot Tip: We recommend a 2-pack so you have a backup!)

2. Register your YubiKeys with your personal email account(s) (e.g. gmail, Fastmail, Outlook.com or other supported email services)

3. Remove SMS 2FA from your email account(s)

4. Call your mobile service provider, and request a security PIN

5. Get a Password manager (Hot Tip: You can use your new password manager to store your security PIN from your mobile service provider!)

6. Register your YubiKeys as a second factor for your password manager

7. Store all of your account passwords in your password manager

8. Make sure you reset each account’s password to be unique (Hot Tip: Most password managers have a password generator feature!)

9. Download Yubico Authenticator to all of your devices to use with accounts that support authenticator apps (Hot Tip: Find registration instructions for your favorite services in our Works with YubiKey Catalog!)

10. Enable 2FA/MFA and enroll your YubiKeys on all of your accounts

Through the years, we’ve developed software and hardware 2FA solutions to better protect users online. We’ve been fortunate enough to forge partnerships with global leaders in password management, browsers and platforms, cloud services, and many more, as part of our Works with YubiKey Program. Check out some awesome tips from our partners below.

“2FA, plus a password manager, is the best way to protect your data. If someone were to learn your password for an account, they’d need that second factor to access it, making account takeover much less likely.” – Jeff Shiner, CEO, 1Password

“Sensitive accounts like banking, email, and social media warrant an additional layer of protection. Having strong, unique passwords for every account is a necessary first step in securing our digital lives.” – Emmanuel Schalit, Co-Founder & CEO, Dashlane

“Cryptocurrency is built on the fundamental promises of security and freedom. To deliver on these promises, people need to be in control of their security, and have the opportunity to choose the measures that suit their needs.” – Mike Rymanov, CEO, DSX

“Don’t give attackers a single target. Use a different password everywhere, a different email address or alias with subscriptions, and protect your accounts with a hardware authenticator. Your other accounts won’t be at risk in the event one account is compromised.” – Ricardo Signes, CTO, Fastmail

“It’s a great time to get cyber-checked. With data breaches becoming more frequent, one of the most basic precautions is to use strong, unique passwords for every account along with 2FA. That is the first step towards protecting yourself against account takeover.” – Craig Lurey, CTO, Keeper

If you don’t see the service you use on our catalog, ask them to implement strong authentication with the YubiKey by tweeting at them to add support.
