“Open, Sesame!” or the strength of a password

“Open, Sesame!” or the strength of a password

You get a message on IM from your 13-year-old son at work. He asks you to send him a BLIK code (a one-off, 6-digit code for instant money transfers). He’s just found his dream shoes in a store; they are on sale but there’s only one pair left. Some time ago you set up a child bank account for him, and you regularly transfer pocket money into that account. Unfortunately, he doesn’t have enough savings – he needs PLN 100 more, and the bargain is really good. So, your son wants to withdraw the missing amount at the ATM to pay for the shoes he put away at the store. He promises to return this money as soon as possible. You are absolutely snowed under with work, so without thinking much, you agree to lend him the amount needed. You send the code, confirm the operation using the app, get a notification to withdraw money from the ATM. You come home and ask your son to show off his new shoes but he has no clue about any purchase, he insists he never asked you for any money. How could this happen?

How do we fall for phishing?

Both of you have just fallen victim to phishing – an online scam that involves impersonating well-known institutions, offices, and even loved ones in order to extract money or personal information. Let’s walk through this particular case step by step.

1. Your son – let’s call him Antek – uses Facebook. Also, playing online games is his way of beating boredom. While browsing the web, he came across an advertisement for a new game available for free. Convincing pictures and promises of an interesting gameplay prompted him to create a profile for the game. The game’s website informs users that it is possible to share real-time gameplay progress with friends on Facebook, so the player will need to sign up by logging into their FB account.

2. In the newly opened window, Antek, seeing the familiar login panel, enters the login and password to his Facebook profile. As of now, he can access the game on his smartphone.

3. The son missed one important thing – the login panel was fake. Although it looked identical to the Facebook page, it was actually copied by a hacker and hosted on a different server. If Antek had checked the website address and SSL certificate before providing his login credentials, he would have known it was a scam attempt. Unfortunately, he didn’t.

4. All the data provided by Antek went to the criminal instead of Facebook. This provided the hacker with an access to Antek’s Facebook profile, including the messages he sent and received.

5. The criminal logged into Antek’s account. It is true that Antek received an email notification from Facebook about a new login attempt on an unknown device, but he ignored it – after all, he had received such emails several times before, for instance when logging into his account at school.

6. The hacker carefully tracked all of Antek’s conversations: how often and with whom he chats, the language he uses. That’s how the hacker found out that Antek uses e-banking, and that you transfer money to him that way.

7. By now you’ve probably guessed it – the message you read came from a hacker impersonating your son. The BLIK code you sent went to a criminal who took the money out of an ATM located on the other side of Poland.

Safety is not a game.

Unfortunately, we can’t turn back time. You should now report the matter to the police and your bank as soon as possible, as well as change all your passwords. However, all this could have been avoided if we had followed e-safety rules. Phishing is an increasingly common scam – it affects not only adults but now children as well. To a large extent, it is up to us whether we let ourselves fall prey to it.

Remember that the primary security for our accounts is the password. We often downplay this issue by setting easy-to-remember passwords. If we set the same password for all our accounts, it’s as if we left the door to our house unlocked.


1. The password cannot be simple or formulaic (e.g. password1234, password, Alice2002, etc.). Avoid your name, date of birth, or other simple data easy to associate with you.

2. Use upper- and lower-case letters, numbers and special characters. The longer and more complex the password, the harder it is to crack. Passwords of at least 8 characters (of various types) are considered secure.

3. Do not use the same password for several different accounts. If your email account is hacked, the hacker will be able to tell the services you use based on your incoming messages. With your password, the hacker will be able to hack all of your accounts.

4. Do not write down your password or PIN codes anywhere! Notes on your phone, files in hidden folders, post-it notes in your wallet, backpack or behind your phone case – all of these items may fall into unauthorised hands. The best way to store a password is to memorise it.

5. If you’re worried that you won’t be able to memorise a few dozen tough-to-guess passwords, there are some tricks that will help you remember them. One recommended method is to encrypt simple associations. For example, if your name is Victoria and you were born in November, the password “VictoriaNovember” would be the worst option. However, all you need to do is replace a few letters from your password with numbers and special characters that will remind you of those letters. “V!kt0ri@N0v3mb3r” is already much harder to guess.

The principle of limited trust

However, a strong enough password is not enough. Be careful when logging in. Every time you have to enter a login and password, check that the page that appears is not “fake”, as in Antek’s case described above. The easiest way to check this is to verify the address of the page in the address bar (there may be intentional typos there to mislead us or the address will not comply completely with the content of the page). Check the SSL certificate by clicking on the padlock next to the address. A certificate proves a secure connection, but it must be issued to the portal you actually want to use.

If a website offers traditional login or login using data from, using, e.g., Facebook or Google, and you are not sure how to verify that the login panel is not fake, choose the traditional login using the security rules described above. If you provide data on the fake panel, you give criminals a treasure trove of knowledge about you (remember how much of your data Google can have – emails, addresses, photos, etc.).

Never leave a session open if you walk away from the device. Anyone who approaches your computer will be able to gain access to your account. The consequences can range from taking over your game progress, as in the video below, to losing your life savings.

Let us be aware

What if you receive a message from someone close to you or a little further away asking for financial help? Don’t make rash decisions based solely on a text message or instant messaging. Remember that the sender’s account may be taken over. Before you decide to make a transfer or send a BLIK code, make sure it is not the case. Verification by asking “trick questions” will not always be a good option. A hacker, doing research on a seized account, will be able to answer, for example, a question about a dog’s name or date of birth. It is best to simply call the person and ask if they actually need help at the time.

Learn more about online safety rules and how to teach yourself and your mentees to protect themselves from phishing in our free Data Security and Phishing Protection webinars on 24 January and 9 February at 4:00 p.m. Our new simulation game “What will it be like on the Internet?” will help you learn to use the Internet consciously. We will present this educational tool at workshops on 22 February and 1 March at 3:00 pm. You can sign up for webinars and workshops here. You’re invited – the number of available spots is limited!