How to defend your business against password theft 

The widespread use of email, text messaging, and messaging apps has opened a virtual door for criminals looking to commit cyberfraud. But first, fraudsters must breach the sign-in systems that protect your computer network. They often try two primary methods: password theft and password attacks.

Key concepts

In this article, you’ll learn:

  • What makes password theft different from password attacks
  • How companies protect their systems from unauthorized access
  • Strategies you and your employees can use to keep passwords—and networks—safe

Video: An introduction to password theft

[Fraud prevention 101: Password theft] [Truist logo]

[Password theft: Set companywide guidelines to make sure passwords are harder to compromise.]

Narrator: Password theft happens when hackers get username and password combinations from less secure sites, then use these passwords to make purchases, move money, or steal data.

[Password theft: /Ꞌpas•wərd theft/ noun 1. The action or crime of stealing someone’s electronic credentials.]

Narrator: Strong password security defenses keep your employees and company safe.

Promote best practices by requiring teammates to create secure, unique usernames and passwords for every online account they use. 

[Create secure, unique usernames and passwords for every online account.]

[Best practices are key to your company’s security.]

 

Truist [logo]

Contact your Truist relationship manager or treasury consultant for more information on fraud protection.

Truist Bank, Member FDIC. © 2024 Truist Financial Corporation.

Truist, the Truist logo and Truist Purple are service marks of Truist Financial Corporation.

Password theft versus password attacks

If someone’s looking to steal passwords, they’ll likely try theft, attack, or both. And although the results are similar—a breached network—it’s important to understand how these methods differ so you can set up the proper defense and response.

Password theft happens when fraudsters use social engineering tactics like corporate phishing to trick your staff into providing sign-in credentials or clicking on malicious links. With this method, your employees are the target, and training them to spot and avoid scams is the best defense.

On the other hand, password attacks happen when hackers use automated programs to crack sign-in credentials and infiltrate authenticated sites. Hacker software can try 2.18 trillion password/username combos in just 22 seconds (Disclosure 1). With this method, your company’s gated systems are the target.

Good news: Multifactor authentication can thwart password attacks.

81% of hacking-related breaches start with weak or stolen passwords. For companies that rely on passwords alone to secure their networks, this is a sobering statistic. Fortunately, there are proactive solutions. Multifactor authentication (MFA) adds a strong layer of defense to stop would-be attackers in their tracks. In fact, up to 99.9% of modern automated cyberattacks can be blocked by MFA (Disclosure 2).

How are companies protecting access to their systems?

  • 58% use password-username combos
  • 47% use mobile push-based MFA
  • 31% use biometrics like fingerprint or face recognition (Disclosure 3)

Case study: Meta develops innovative privacy-enhancing technology for stronger password protection.

Meta’s Enterprise Center is rolling out cutting-edge password security. Its private data lookup (PDL) automatically cross-checks all user-proposed passwords against a set of passwords previously exposed in data breaches. If a user suggests a password that’s been compromised in the past, the system provides an alert and prompts them to choose a different one (Disclosure 4). This prevents users from choosing exposed or overly common passwords.

Best practices and prevention

When it comes to cybersecurity, an ounce of prevention is worth a pound of cure. Here are some proactive ways to protect yourself and your employees against password theft and other password attacks.

Educate staff on password theft tactics and how to respond.
Since social engineering is one of the most common password-stealing techniques, train your employees to spot, dodge, and report phishing attacks. Also, provide clear instructions on what to do if they suspect their password has been compromised so they can act quickly when it counts.

Encourage strong password hygiene across your organization.
How do you create gold-standard passwords that would take more than 481,000 years to crack (Disclosure 5)? Mix uppercase and lowercase letters with numbers and unique symbols, choose passwords 18 characters or longer, and exclude personal information like a pet’s name. Also, don’t reuse passwords, change them regularly, and prohibit single-access credentials for company sites.
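As an added illustration (not part of the original article and not Meta’s PDL), here is how a sign-up or password-change form could apply the guidelines above together with the breached-password check from the case study. The breached set, the sample passwords, and the function names are constructed for this example; a real deployment would load a large breach corpus.

```python
import hashlib
import string

MIN_LENGTH = 18  # minimum length the article recommends


def digest(password: str) -> str:
    """Hash a password so the lookup set never holds plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a corpus of passwords exposed in past breaches.
BREACHED = {digest(p) for p in ("password123", "Summer2024!", "qwertyuiop")}


def check_password(candidate, personal_terms=(), breached=BREACHED):
    """Return the reasons to reject `candidate`; an empty list means accept."""
    problems = []
    if digest(candidate) in breached:
        problems.append("appears in a known breach")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "an uppercase letter": any(c.isupper() for c in candidate),
        "a lowercase letter": any(c.islower() for c in candidate),
        "a number": any(c.isdigit() for c in candidate),
        "a symbol": any(c in string.punctuation for c in candidate),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    lowered = candidate.lower()
    for term in personal_terms:
        # Personal details (a pet's name, for instance) make guessing easier.
        if term and term.lower() in lowered:
            problems.append(f"contains personal information ({term!r})")
    return problems


if __name__ == "__main__":
    for pw, terms in [("Summer2024!", []),
                      ("Biscuit-loves-Long-Walks-42", ["Biscuit"]),
                      ("Tr4il-Mix&Copper-Kettle!9", ["Biscuit"])]:
        print(pw, "->", check_password(pw, terms) or "accepted")
```
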

Monitor suspicious activity on all your accounts.
Stay alert for unauthorized attempts to access computers and mobile devices. Watch out for IP addresses that aren’t associated with known employees. Attempted logins from strange locations and unknown machines are a major indicator that a password attack may be underway.
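As an added illustration (not part of the original article), the monitoring described above can be expressed as a review of sign-in records against a baseline of networks and machines tied to known employees. The events, the baseline, the threshold, and all names here are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: networks and machines associated with known employees.
KNOWN_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("10.20.0.0/16", "198.51.100.0/24")]
KNOWN_DEVICES = {"alice": {"LT-0141"}, "bob": {"LT-0207"}, "carol": {"LT-0033"}}

# Constructed sign-in events: (time, user, source IP, device ID, result).
EVENTS = [
    ("09:01", "alice", "10.20.4.17", "LT-0141", "ok"),
    ("09:03", "bob", "198.51.100.23", "LT-0207", "ok"),
    ("09:14", "alice", "203.0.113.80", "unknown", "fail"),
    ("09:14", "bob", "203.0.113.80", "unknown", "fail"),
    ("09:15", "carol", "203.0.113.80", "unknown", "fail"),
    ("09:40", "carol", "192.0.2.55", "LT-0999", "ok"),
]

SPRAY_THRESHOLD = 3  # assumed: distinct accounts failing from one source


def is_known_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def review(events):
    """Return alerts as (time, user(s), source IP, reason) tuples."""
    alerts = []
    failed_users = defaultdict(set)  # unknown source IP -> accounts it failed on
    for when, user, ip, device, result in events:
        unknown_ip = not is_known_ip(ip)
        unknown_device = device not in KNOWN_DEVICES.get(user, set())
        if result == "fail" and unknown_ip:
            failed_users[ip].add(user)
        if result == "ok" and (unknown_ip or unknown_device):
            alerts.append((when, user, ip,
                           "successful sign-in from unknown IP or machine"))
    for ip, users in failed_users.items():
        if len(users) >= SPRAY_THRESHOLD:
            alerts.append((None, ",".join(sorted(users)), ip,
                           "failures across many accounts from one unknown IP"))
    return alerts


if __name__ == "__main__":
    for alert in review(EVENTS):
        print(alert)
```
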

Implement multifactor authentication.
Multifactor authentication (MFA) strengthens your cybersecurity by requiring one or more additional forms of login verification beyond the password, such as one-time codes, security questions, or biometrics. With MFA in place, stealing an employee’s password won’t be enough for criminals to gain access to your systems.

Provide your employees with a secure password manager.
Password managers are automated programs that generate, store, and track passwords. Secure ones use heavily encrypted databases to protect the passwords they store for you and your team. When your employees don’t have to remember every password they use, they’re less likely to reuse the same ones across multiple services.

FAQ on password theft

Phishing is the most frequent tactic for password compromise, followed closely by brute force attacks (Disclosure 1). Other regularly deployed methods include dictionary attacks, password spraying, and credential stuffing.

A brute force attack uses specialized, automated tools to systematically crack users’ login credentials. These tools are quick, persistent, and sometimes sophisticated enough to avoid incorrect-password lockouts.

Virtually any business with valuable information—like corporate credit cards, online bank accounts, or trade secrets—can be the target of password compromise schemes.

Turn to professionals for protection.

To learn more about cybersecurity threats and the various types of fraud facing your organization, connect with one of Truist’s relationship managers.
