The Biggest Mistake People Make After Getting Phished

The Worst Thing You Can Do After Getting Phished (And Almost Everyone Does It)

Your coworker forwards you what looks like a routine IT email. Password reset required, click here, takes thirty seconds. You click it, type in your credentials, and nothing happens. The page just... sits there. You refresh, shrug, and move on with your day.

Three weeks later, your company's finance team gets a wire transfer request — supposedly from your account — for $47,000.

That gap between the click and the consequence is where the real damage happens. Not in the phishing email itself, but in the silence afterward.


The Mistake Isn't Clicking the Link

Here's the thing most people get wrong: they think the phishing email is the attack. It's not. The email is just a door. What happens after you walk through it determines how bad things actually get.

The biggest mistake — by a significant margin — is doing nothing. Not because people are careless, but because they genuinely don't know they've been phished until it's far too late. Or they suspect something felt off, feel embarrassed, and quietly hope the problem resolves itself.

It won't.


The Silence Window

When a criminal gets your credentials, they don't immediately ransack your account. They're patient. They log in quietly, look around, set up forwarding rules on your email so they receive copies of everything you send and receive. Then they wait — sometimes for weeks — learning your communication style, your contacts, your ongoing deals.

According to the IBM Security X-Force Threat Intelligence Index, the average time between a breach occurring and it being detected is measured in months, not days. That's months of an attacker sitting inside your digital life while you carry on completely unaware.

This is why the embarrassed silence is so catastrophic. Every day you don't report it is another day they're reading your emails and building a more convincing impersonation of you.


What You Should Actually Do in the First Hour

If your gut says something was wrong about that link you clicked — trust it. You don't need certainty to act. Here's a direct sequence:

First, don't touch the device. Stop what you're doing. If you're on a work computer, don't try to "fix" anything yourself. Don't run antivirus, don't delete files, don't clear your browser history. You could be destroying forensic evidence your IT team needs. Don't power it off either, unless your security team tells you to: if that link delivered more than a fake login page, whatever it left running in memory is evidence as well.

Second, call someone — out loud, on the phone. Not email. Not Slack. If the attacker already has access to your account, anything you type in those channels could be monitored. Pick up the phone and call your IT or security team directly.

Third, change your password from a different, clean device. Not the one you clicked the link on. Use your phone, or a colleague's computer. Change the password for the account you typed credentials into, and then change it for any other account that shares that password or email address.

Fourth, evict the attacker, because a new password alone doesn't. Sign out of all active sessions for the account, and check the mailbox for inbox rules and forwarding settings you didn't create; a rule that forwards or silently deletes messages keeps working after the password change. Your security team can do this for you if you're not sure where to look.

The shared-password part of the third step matters more than most people realize.
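The forwarding rules described in "The Silence Window" are something you can check for yourself once you're back in the account. Below is an added example (mine, not the article's) that audits a mailbox's inbox rules for the two things attackers usually leave behind: forwarding to an outside address and silent deletion of the messages that would tip you off. It assumes the rules were exported as JSON in the shape of Microsoft Graph's messageRule resource and that example.com is your own domain; the sample rules are constructed.

```python
"""Audit a mailbox's inbox rules for the persistence an attacker leaves after a
credential phish: external forwarding and silent deletion of the messages that
would tip you off. Added example, not from the original article. Rule layout
follows Microsoft Graph's messageRule resource (assumption: you exported
GET /me/mailFolders/inbox/messageRules to JSON); the sample rules are constructed."""
import json

INTERNAL_DOMAINS = {"example.com"}            # assumption: your own mail domains
HIDE_KEYWORDS = ("password", "invoice", "wire", "payment", "security", "verify")

SAMPLE_RULES_JSON = """[
  {"displayName": "Vendor invoices to accounting", "isEnabled": true,
   "conditions": {"subjectContains": ["invoice"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "ap@example.com"}}]}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {},
   "actions": {"forwardTo": [{"emailAddress": {"address": "mail.backup@webmail.invalid"}}],
               "markAsRead": true}},
  {"displayName": "...", "isEnabled": true,
   "conditions": {"subjectContains": ["password", "wire transfer", "unusual sign-in"]},
   "actions": {"delete": true}},
  {"displayName": "Newsletters", "isEnabled": false,
   "conditions": {"senderContains": ["news@"]},
   "actions": {"moveToFolder": "folderid-newsletters"}}
]"""

def load_rules(text):
    return json.loads(text)

def _addresses(actions, key):
    return [r.get("emailAddress", {}).get("address", "").lower()
            for r in actions.get(key, [])]

def _is_external(addr, internal_domains):
    domain = addr.rsplit("@", 1)[-1]
    return bool(domain) and domain not in internal_domains

def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (rule name, reason) pairs for enabled rules that match the
    patterns attackers set up. A rule can produce more than one finding."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        name = rule.get("displayName", "")
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        # Forwarding or redirecting mail to an address outside our own domains
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            for addr in _addresses(actions, key):
                if _is_external(addr, internal_domains):
                    findings.append((name, f"{key} -> external {addr}"))
        # Deleting messages, especially ones about passwords, payments or alerts
        if actions.get("delete"):
            words = [w.lower() for w in conditions.get("subjectContains", [])
                     + conditions.get("bodyContains", [])]
            hits = [w for w in words if any(k in w for k in HIDE_KEYWORDS)]
            if hits or not words:               # no conditions = deletes everything
                findings.append((name, f"deletes messages matching {hits or 'all'}"))
        # Names made of dots, spaces or nothing: chosen to be overlooked
        if not name.strip(" ._-"):
            findings.append((name, "near-empty rule name"))
    return findings

def demo():
    return audit_rules(load_rules(SAMPLE_RULES_JSON))

if __name__ == "__main__":
    for rule_name, reason in demo():
        print(f"{rule_name!r:8} {reason}")
```

The sample produces four findings, all from the two rules an attacker would have added: the dot-named rule forwarding everything outside the company, and the rule deleting mail about passwords and wire transfers. The same fields come out of Exchange's Get-InboxRule cmdlet if you'd rather run this across mailboxes from the admin side.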


The Password Reuse Bomb

Here's the counterintuitive part that almost no article talks about honestly: the phishing site you landed on probably wasn't even after that specific account.

Attackers know that most people reuse passwords. So when they harvest your credentials from a fake Microsoft login page, they're not just trying to get into your Microsoft account. They're running those credentials through dozens of other services — your bank, your Amazon, your Gmail — in an automated process called credential stuffing.

According to the Verizon Data Breach Investigations Report, stolen credentials are involved in a significant majority of web application breaches. The phishing site is often just the collection point. The actual crime happens somewhere else entirely, using the same username and password you gave up without realizing it.

This is why "just change the hacked account's password" is dangerously incomplete advice. You need to treat every account that shares that password as compromised.


The Emotional Tax Nobody Talks About

Getting phished carries a shame that makes people handle it badly. There's a feeling — especially in professional settings — that admitting you clicked a suspicious link means admitting you're not smart enough to spot a scam.

But modern phishing attacks aren't the obvious Nigerian prince emails from fifteen years ago. They're cloned login pages served over HTTPS with a valid certificate, so the padlock shows and the browser raises no warning. They're text messages that know your name and your bank. They're emails that quote your actual recent transactions.

Anyone can get phished. The intelligence failure isn't clicking the link — it's the silence that follows.

If you manage a team and someone comes to you having just clicked a phishing link, your reaction in that moment will determine whether your company survives the next one. Because people who are punished for reporting mistakes will quietly bury the next incident until it's uncontrollable.


After the Immediate Crisis: What Sticks

Once you've done the urgent steps, there are two things worth setting up that genuinely reduce long-term damage:

The first is a password manager. Not because it makes you feel more secure, but because it makes password reuse physically impossible. You stop reusing passwords because you no longer need to remember them. One strong master password, everything else is random gibberish.

The second is hardware-based two-factor authentication where available — a physical key like a YubiKey. In Google's 2019 account-hygiene study, security keys stopped 100% of the automated bots, bulk phishing and targeted attacks the researchers measured, while SMS codes stopped 96% of bulk phishing and 76% of targeted attacks. The difference is structural: a code can be intercepted or talked out of you, whereas a key's response only works for the site it was registered with.

These aren't dramatic transformations. They're boring infrastructure changes that quietly make you a much harder target.


The Honest Caveat

None of this guarantees you won't be phished again, or that acting quickly will prevent all damage. If an attacker had access to your account for even a few hours before you caught it, they may already have what they needed. A fast response reduces the blast radius — it doesn't always stop the explosion.

The uncomfortable truth is that much of your security depends on systems outside your control: whether your company stores your password in plain text, whether a site you trusted got breached without telling you, whether your bank catches the fraudulent transfer in time.

You can do everything right and still get hurt. Doing everything right just makes it less likely, and less bad when it happens.

That's the actual promise of good security habits. Not invincibility — just better odds.


Sources:

  • IBM Security X-Force Threat Intelligence Index
  • Verizon Data Breach Investigations Report
  • Google Security Blog — New Research: How Effective Is Basic Account Hygiene

What Hackers Do With Stolen Passwords In The First 60 Seconds

Your friend texts you at 2 AM: "Did you send me a weird link?" You didn't. By the time you see that message in the morning, the damage is already done — and it happened faster than you'd think possible.

Most people imagine hackers hunched over keyboards, slowly and deliberately cracking into accounts. The reality is almost the opposite. The moment your password lands in a criminal's hands, everything that follows is automated, fast, and completely indifferent to who you are.


The First Thing That Actually Happens

Here's what most articles skip: your password probably isn't tested against your account first.

The attacker feeds it into a tool that checks whether you've used that same password — or a close variation — on dozens of other sites simultaneously. This is called credential stuffing, and it runs at machine speed. We're talking thousands of login attempts per minute across Netflix, PayPal, Gmail, Amazon, bank portals, and whatever else sits in a pre-loaded target list.

According to Cloudflare, credential stuffing attacks are responsible for billions of login attempts every month, and they succeed precisely because most people reuse passwords. The attackers don't need to be clever. They just need you to have used "Summer2021!" on more than one site.
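The credential stuffing described here (and in "The Password Reuse Bomb" in the previous article) leaves a distinctive trace on the receiving end, which is the side a defender can actually see. The following is an added example, not from either article: a small detector run over a constructed authentication log (one line per attempt in a made-up `timestamp ip=... user=... result=...` format) that flags a source address cycling through many different usernames in under a minute with almost every attempt failing. The one success inside such a run is the account to lock first.

```python
"""Detect credential-stuffing runs in authentication logs: one source IP trying
many different usernames in a short window, mostly failing. Added example, not
part of the original articles; the log format is a constructed one
(timestamp ip=... user=... result=...), not any vendor's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

def parse_line(line):
    """-> (timestamp, ip, user, success) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "ok"

def detect_stuffing(lines, window=timedelta(seconds=60), min_users=8,
                    min_fail_ratio=0.75):
    """Per source IP, slide a time window over its attempts; flag the IP when
    one window holds >= min_users distinct accounts with a failure ratio
    >= min_fail_ratio. Returns {ip: {"users", "attempts", "successes"}}."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, _, u, _ in chunk}
            fails = sum(1 for e in chunk if not e[3])
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = {
                    "users": len(users),
                    "attempts": len(chunk),
                    # accounts the attacker actually got into: lock these first
                    "successes": sorted({u for _, _, u, ok in chunk if ok}),
                }
    return flagged

def sample_log():
    """Constructed log: a real user mistyping twice, then a stuffing run from
    203.0.113.7 working through a leaked username list at machine speed."""
    lines = [
        "2024-05-03T02:10:00Z ip=198.51.100.20 user=alice result=fail",
        "2024-05-03T02:10:09Z ip=198.51.100.20 user=alice result=fail",
        "2024-05-03T02:10:21Z ip=198.51.100.20 user=alice result=ok",
    ]
    base = datetime(2024, 5, 3, 2, 14, 0)
    leaked = ["bob", "carol", "dave", "erin", "frank", "grace", "heidi",
              "ivan", "judy", "mallory", "oscar", "peggy"]
    for i, user in enumerate(leaked):
        result = "ok" if user == "grace" else "fail"   # grace reused her password
        ts = (base + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} ip=203.0.113.7 user={user} result={result}")
    return lines

if __name__ == "__main__":
    for ip, info in detect_stuffing(sample_log()).items():
        print(f"{ip}: {info['users']} accounts in {info['attempts']} attempts, "
              f"compromised: {info['successes']}")
```

The thresholds are deliberately conservative: a single user fumbling a password never reaches eight distinct accounts, and a shared office NAT address usually has a much lower failure ratio. Tune the window to your login volume and feed the flagged IPs into rate limiting; the `successes` list is the incident.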


The 60-Second Window

Once a valid login is confirmed, the clock starts, and it runs against you: they need to finish before you notice.

In that first minute, automated scripts do three things almost simultaneously:

  • Scrape your profile data — full name, phone number, address, any payment info stored in the account
  • Lock you out — change the recovery email and phone number so password resets go to them, not you
  • Pivot inward — check your inbox or account activity for clues about what else you own (other accounts, linked services, subscription confirmations)

The lockout step is the one that catches people off guard. You try to reset your password and realize the recovery email is now one you've never seen. At that point, proving you own the account is a customer service nightmare that can take days.


What They're Actually After

Here's the counterintuitive part: most of the time, they don't actually want your account.

They want what your account can get them. A hacked Gmail is valuable not because of your emails, but because it's the master key to everything else — you've used Google to log into dozens of services. A compromised Amazon account means a one-click purchase shipped to a reshipping address. A hijacked social media account gets sold to spam networks or used to scam your contacts, who trust the message because it appears to come from you.

According to Verizon's Data Breach Investigations Report, credentials are the single most common entry point in data breaches — used in over 80% of hacking-related incidents. The password itself is just the door. What's through the door is the actual prize.


The Market on the Other Side

Some stolen passwords don't get used immediately. They get sold.

There are markets — you don't need to know exactly where — where stolen credentials are traded in bulk. A fresh batch of verified logins to a popular streaming service might sell for less than a dollar per account. Financial account credentials go for more. The point is that your login might sit in someone's inventory for weeks before being activated.

This is why you sometimes hear about a breach and think, "nothing happened to me" — and then eight months later, something does. The delay isn't a glitch. It's the supply chain.


What You Should Actually Do Differently

The standard advice you've heard a hundred times — use a password manager, enable two-factor authentication — is correct but incomplete. Here's the more specific version:

On two-factor authentication: Not all 2FA is equal. An SMS code sent to your phone is better than nothing, but it can be intercepted through SIM-swapping attacks, where a fraudster convinces your carrier to transfer your number to their device. Use an authenticator app (Google Authenticator, Authy) or a hardware key if you're protecting anything sensitive. An app closes the SIM-swap hole but not the phishing one: a proxy site that forwards your password and your six-digit code to the real site in real time still gets in, because nothing ties the code to the page you typed it on. A hardware key or passkey refuses to answer for the wrong site. The inconvenience is real; so is the difference in protection.
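Both this paragraph and the hardware-key recommendation in the first article rest on one property: a security key's answer only works for the site it was registered with. The example below is added to illustrate that, and is not code from either article or from any vendor. It models the WebAuthn assertion flow in plain Python; an HMAC keyed with a per-credential secret stands in for the key's private-key signature (an assumption for the sake of a stdlib-only demo), while the origin and RP-ID checks are the ones the spec requires the site to make. A relayed TOTP code is shown alongside for contrast: the real site accepts it because nothing in a six-digit code says where it was typed.

```python
"""Why a hardware key resists the phishing proxy that beats an SMS or app code.
Added example, not from the articles; it models the WebAuthn assertion flow in
stdlib-only Python. Assumption: an HMAC with a per-credential secret stands in
for the key's private-key signature (the real thing is asymmetric); the origin
and RP-ID checks are the ones the spec requires the site to perform."""
import hashlib, hmac, json, os

REAL_ORIGIN = "https://login.example.com"               # the genuine site
PHISH_ORIGIN = "https://login.example-secure.net"       # constructed proxy site
REAL_RP_ID = "login.example.com"

class HardwareKey:
    """The USB key. It cannot be lied to about the site: the browser derives
    the RP ID from the page the user is actually on."""
    def __init__(self):
        self.secret = os.urandom(32)                    # never leaves the device
    def sign(self, rp_id, client_data):
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        msg = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.secret, msg, "sha256").digest()

def browser_get(key, page_origin, challenge):
    """navigator.credentials.get(): the browser, not the page, fills in origin."""
    rp_id = page_origin.split("://", 1)[1].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    auth_data, sig = key.sign(rp_id, client_data)
    return client_data, auth_data, sig

def site_verify(credential_secret, issued_challenge, client_data, auth_data, sig):
    """The real site's checks, in spec order. Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge.hex():
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(credential_secret,
                        auth_data + hashlib.sha256(client_data).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"

def login_with_key(page_origin):
    """User taps the key while on page_origin; a phishing proxy relays the
    genuine challenge and the answer verbatim to the real site."""
    key = HardwareKey()                                  # enrolled with the real site
    challenge = os.urandom(32)
    client_data, auth_data, sig = browser_get(key, page_origin, challenge)
    return site_verify(key.secret, challenge, client_data, auth_data, sig)

def totp(secret, counter):
    """RFC 6238 code: nothing in it says where the user typed it."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def login_with_totp_via_proxy():
    """The victim types the code on the phishing page; the proxy forwards it."""
    secret, counter = os.urandom(20), 1_715_000_000 // 30
    typed_on_phish_page = totp(secret, counter)
    return totp(secret, counter) == typed_on_phish_page   # the real site accepts

if __name__ == "__main__":
    print("key on real site:  ", login_with_key(REAL_ORIGIN))
    print("key on phish site: ", login_with_key(PHISH_ORIGIN))
    print("TOTP relayed:      ", login_with_totp_via_proxy())
```

On the phishing origin the assertion fails at the origin check, and would fail again at the rpIdHash check even if the proxy rewrote clientDataJSON, because the key itself hashed the wrong RP ID into the signed data. The TOTP path succeeds for the same reason it fails people in practice: the code is valid anywhere for thirty seconds.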

On password managers: The fear people have — "what if the password manager gets hacked?" — is legitimate but misplaced. According to the Electronic Frontier Foundation, the risk of reusing weak passwords across many sites is statistically far greater than the risk of a well-designed password manager being compromised. You're trading a certain risk for a much smaller one.

On breach alerts: Go to haveibeenpwned.com right now and enter your email. It's free, it's run by a legitimate security researcher, and it will tell you exactly which known breaches your email appeared in. Set up alerts so you know within hours, not months.

The one thing most people don't do: After you change a compromised password, check every account that uses "Sign in with Google" or "Sign in with Facebook." Those linked accounts are invisible to most breach-checkers but very visible to attackers who've gotten into your primary account. While you're in that primary account's security settings, also revoke any third-party app access or app passwords you don't recognize; those grants survive a password change.


One Honest Limitation

None of this is foolproof, and it would be dishonest to pretend otherwise.

If your password is exposed through a breach at a company you trust — and that company doesn't tell you for six months, which happens more often than anyone admits — the automated tools described above have already run their course before you ever had a chance to respond.

You can do everything right and still get caught in someone else's failure. What the steps above actually do is reduce how much damage that failure causes, not eliminate the possibility of it happening. That's a frustrating answer, but it's the true one.


Sources:

  • Cloudflare — What Is Credential Stuffing
  • Verizon Data Breach Investigations Report
  • Electronic Frontier Foundation — Creating Strong Passwords

How To Tell If Your Webcam Has Been Hacked

Your Webcam Is Watching. But Is Someone Else?

A friend of mine — smart, careful, not the type to click sketchy links — noticed something odd one afternoon. The little green light next to her laptop camera flickered on while she was just reading a document. No video call. No browser open. Just her, a spreadsheet, and a light that had no business being on.

She assumed it was a glitch. It wasn't.


The Light Isn't the Whole Story

Most people think the indicator light is the definitive sign. If it's off, you're safe. This is wrong, and it's the most dangerous assumption you can make.

The indicator light can be defeated in software on some hardware. Johns Hopkins researchers showed in 2013 (the iSeeYou paper) that on 2008-era MacBooks the camera's own firmware could be reprogrammed from an ordinary user account to switch the sensor on while the LED stayed off, and they built a proof-of-concept RAT that did exactly that. Manufacturers have tightened some designs since, but whether your particular laptop or USB webcam wires the LED to the sensor's power in a way software can't override is not something you can check from the outside.

So if you're using the light as your only check, you're trusting a warning system that can be switched off by the same person trying to hide from you.


What Actually Happens When Someone Gets In

Webcam hacking isn't usually a dramatic heist. It's quiet and patient.

The most common path is a RAT installed through a phishing email, a fake software update, or a cracked app download. Once it's running, the attacker typically has access to far more than your camera — your files, your keystrokes, your microphone. The webcam is often just one tool in a larger surveillance setup.

The second path is less understood: misconfigured or compromised smart home cameras and baby monitors. These aren't your laptop — they're internet-connected devices that often ship with default passwords nobody changes. According to the FBI's Internet Crime Complaint Center, compromised IoT cameras are a consistent and growing vector for home surveillance intrusions.


Signs That Deserve Your Attention

Forget the generic list of "watch for unusual activity." Here's what actually matters:

The light flickers when nothing should be running. Open your Task Manager (Windows) or Activity Monitor (Mac). Look for processes you don't recognize consuming CPU or network bandwidth. Whatever is driving the camera is a running process and will be listed here, though it may carry an innocuous name; a process you can't account for deserves a web search, not a dismissal.

Your storage is being eaten. Some RATs record footage locally before uploading. If your hard drive is filling faster than your usage explains, that's a flag — especially if temporary folders contain video files you never created.

Network traffic spikes at odd hours. You can check this with a free tool like GlassWire on Windows or Little Snitch on Mac. If data is being sent out at 3am when your computer should be idle, something is running that you didn't authorize.

Your antivirus was quietly disabled. This is the one most people miss. Before hijacking your camera, sophisticated malware will often kill your security software first. If you open your antivirus and it's off — and you didn't turn it off — treat that as a serious incident, not an error.


The Counterintuitive Part Nobody Tells You

Here's what most "webcam safety" articles won't say: physical tape works better than almost any software solution.

This sounds absurd, almost embarrassingly low-tech. But it's what security researchers actually use on their own machines. A small piece of electrical tape or a purpose-made webcam cover costs under two dollars and cannot be bypassed by any firmware exploit, any malware, or any zero-day vulnerability. It is, technically, unbreakable protection against visual surveillance. It does nothing for the microphone, which the same malware also has, so it closes one channel; it doesn't end the intrusion.

Software-based camera controls can be circumvented. Physical obstruction cannot. Mark Zuckerberg famously had tape over his laptop camera in a 2016 photo — and that wasn't paranoia theater, it was correct operational security.

The software version of this — disabling the camera in Device Manager — is better than nothing, but a sufficiently privileged piece of malware can re-enable it without your knowledge.


What To Do Right Now

If you're uncertain whether your webcam is clean, start here:

  1. Audit your running processes. On Windows, open Task Manager and look at the Processes tab. Search anything unfamiliar before you dismiss it. On Mac, use Activity Monitor and sort by CPU usage.
  2. Run a dedicated malware scanner. Your regular antivirus may have already been compromised. Download Malwarebytes (the free version works for this) on a separate, trusted machine and carry it over on a USB stick, or boot the suspect machine from a vendor rescue disk, rather than trusting anything the suspect machine downloads itself; then run a full scan.
  3. Check camera permissions. On Windows, go to Settings → Privacy → Camera and see which apps have access. On Mac, go to System Settings → Privacy & Security → Camera. Revoke access for anything you don't actively use.
  4. Change every password on a separate device. If you suspect an active compromise, do not change passwords on the infected machine — the keylogger will capture them as you type.
  5. Cover it physically. Do this now, before you finish reading. A Post-it note works. You can buy a proper slider cover for a few dollars online. According to CISA (Cybersecurity and Infrastructure Security Agency), physical controls are among the most reliable mitigations for device-level surveillance risks.
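Step 1 above only works while the process is running. Windows also keeps a record of every app that has used the camera, with start and stop times, under HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam; a start with no stop means the camera is open right now. The following is an added example (not from the article) that reads that store on Windows and, on any other system, runs the same reporting over constructed data. The program paths and times in the sample are made up.

```python
"""Which programs have used the webcam, and when: Windows records a start and
stop FILETIME per app under the CapabilityAccessManager consent store, which
survives the process exiting. Added example, not from the article. The
registry read runs only on Windows; the FILETIME conversion and the
"still open" check are exercised on constructed data so it runs anywhere."""
from datetime import datetime, timedelta, timezone
try:
    import winreg                       # Windows only
except ImportError:
    winreg = None

CONSENT_KEY = (r"Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager"
               r"\ConsentStore\webcam")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)   # fixed for the demo

def filetime_to_dt(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'not recorded'."""
    return None if not ft else EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def summarize(entries, now=NOW):
    """entries: {app key: {"LastUsedTimeStart": ft, "LastUsedTimeStop": ft}}.
    Returns (app, started, stopped, flag) newest first. 'IN USE' = a start
    with no later stop, i.e. the camera is open right now; 'RECENT' = last 24h."""
    rows = []
    for app, vals in entries.items():
        start = filetime_to_dt(vals.get("LastUsedTimeStart", 0))
        stop = filetime_to_dt(vals.get("LastUsedTimeStop", 0))
        if start is None:
            continue
        if stop is None or stop < start:
            flag = "IN USE"
        elif now - start < timedelta(hours=24):
            flag = "RECENT"
        else:
            flag = ""
        # NonPackaged entries store the exe path with '#' in place of '\'
        rows.append((app.replace("#", "\\"), start, stop, flag))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def read_consent_store():
    """Walk packaged-app subkeys and the NonPackaged subkey (Windows only)."""
    entries = {}
    def walk(key):
        i = 0
        while True:
            try:
                name = winreg.EnumKey(key, i)
            except OSError:
                return
            i += 1
            with winreg.OpenKey(key, name) as sub:
                if name == "NonPackaged":
                    walk(sub)
                    continue
                vals = {}
                for v in ("LastUsedTimeStart", "LastUsedTimeStop"):
                    try:
                        vals[v] = winreg.QueryValueEx(sub, v)[0]
                    except OSError:
                        pass
                if vals:
                    entries[name] = vals
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, CONSENT_KEY) as root:
        walk(root)
    return entries

def sample_entries(now=NOW):
    """Constructed data in the shape the registry returns."""
    return {
        "Microsoft.WindowsCamera_8wekyb3d8bbwe": {
            "LastUsedTimeStart": dt_to_filetime(now - timedelta(days=9)),
            "LastUsedTimeStop": dt_to_filetime(now - timedelta(days=9) + timedelta(minutes=4))},
        "C:#Program Files#Zoom#bin#Zoom.exe": {
            "LastUsedTimeStart": dt_to_filetime(now - timedelta(hours=3)),
            "LastUsedTimeStop": dt_to_filetime(now - timedelta(hours=2))},
        "C:#Users#Public#helper.exe": {                     # constructed oddity
            "LastUsedTimeStart": dt_to_filetime(now - timedelta(minutes=20)),
            "LastUsedTimeStop": 0},
    }

def demo():
    return summarize(sample_entries())

if __name__ == "__main__":
    now = datetime.now(timezone.utc) if winreg else NOW
    data = read_consent_store() if winreg else sample_entries(now)
    for app, start, stop, flag in summarize(data, now):
        print(f"{flag:6} {start:%Y-%m-%d %H:%M}  {app}")
```

An executable under C:\Users\Public (or any temp or AppData path) holding the camera open is the case to escalate; a well-known app with a recent stop time is usually the call you forgot about. The same store exists for the microphone under the sibling `microphone` key, which is worth checking at the same time.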

The Part I Won't Pretend Away

Here's the honest limitation: if a sophisticated attacker — state-sponsored, well-resourced, specifically targeting you — has decided to compromise your system, most of what's in this article won't fully protect you. Advanced persistent threats operate at a level where they can hide from standard scanners, exploit unknown vulnerabilities, and persist through factory resets by embedding in firmware.

For the vast majority of people, this isn't the threat model. The realistic danger is commodity malware, opportunistic attackers, and misconfigured devices — all of which the steps above address effectively.

But if you're a journalist, activist, lawyer handling sensitive cases, or someone who has reason to believe a powerful entity is interested in you specifically, consumer-grade advice has real ceilings. At that point, you need dedicated threat modeling, not a checklist.

The tape still helps though. Even for them.


Sources:

  • Johns Hopkins University – iSeeYou: Disabling the MacBook Webcam Indicator LED
  • FBI Internet Crime Complaint Center (IC3) – Public Awareness
  • CISA – Securing Network Infrastructure Devices

Why Public USB Charging Ports Are A Security Trap

The Airport Outlet That Stole Someone's Life

A friend of mine — sharp guy, works in finance — spent three hours at O'Hare waiting for a delayed flight. His phone was at 8%. He spotted a charging kiosk near the gate, plugged in, and spent those three hours answering emails and scrolling. Normal Tuesday.

Two weeks later, his corporate email credentials showed up in a breach notification. The IT team traced it back to that window of time. He hadn't clicked anything suspicious. He hadn't downloaded anything. He just needed to charge his phone.

That story might sound extreme. It isn't.


What Actually Happens When You Plug In

Here's the thing most people don't know: a USB cable doesn't just carry power. It carries data too. That's the whole point of the standard — it was designed to do both simultaneously.

When you plug into a wall socket at home, you're connecting to a "dumb" charger that only pushes electricity. When you plug into a public USB port — at an airport, a hotel lobby, a coffee shop charging station — you have no way of knowing what's on the other end of that port.

It could be a normal charger. It could also be a small computer running software designed to talk to your phone the moment you connect.

The FBI's Denver field office actually warned about this publicly, recommending people avoid public USB ports entirely and use AC power outlets with their own adapters instead. That warning isn't theoretical — it reflects real investigative patterns.


"Juice Jacking" Is a Stupid Name for a Real Problem

The attack even has a name: juice jacking. Coined around 2011 by security researcher Brian Krebs, it describes exactly this scenario — a compromised charging port that uses the data channel in your USB connection to either pull files off your device or push malware onto it.

Your phone does have a defense. An iPhone asks "Trust This Computer?" before it will talk to anything that isn't a plain charger, and recent Android versions default to charge-only and make you opt in to file transfer from the USB notification. Most people tap "Trust" or "Allow" without reading it. That prompt only helps if you decline it, and older or unpatched phones don't have the newer defaults.

According to the Cybersecurity and Infrastructure Security Agency (CISA), attackers can load malware onto public charging stations that damages mobile devices or exports data and passwords directly — and victims often don't realize anything happened until well after the fact.

The delay is the dangerous part. You plug in, nothing seems wrong, you leave. Weeks later something surfaces and you have no idea where to start tracing it.


The Counterintuitive Part Nobody Talks About

Here's what most security articles skip: the threat isn't limited to sketchy kiosks in airports you've never heard of. Branded, professional-looking charging stations at major hotel chains, conference centers, and airports are exactly the high-value targets, because that's where high-value people charge their phones.

A cybercriminal who compromises the charging kiosk at a random gas station gets random people. One who compromises the kiosk in the business lounge of an international airport gets executives, lawyers, government employees, and journalists — people with credentials worth stealing.

The more legitimate and polished the charging setup looks, the more it might be worth targeting. Counterintuitive, but it follows the logic of where the money is.


What You Can Actually Do

The honest answer is simple, if slightly inconvenient:

Carry your own battery pack. A decent portable charger costs $25–40 and eliminates the problem entirely. You never need a public USB port if you're not starting at 8%.

Use AC outlets, not USB ports. Plug your own charging brick into a standard electrical outlet. The outlet delivers power; your brick handles the USB conversion. Nothing unknown touches your device's data channel.

Get a data-blocking USB adapter. These are small, cheap dongles — often called "USB condoms" by people who find that funny, and "data blockers" by people who have to order them on a corporate card. They physically cut the data pins in the USB connection and let only power through. According to Norton, using a charge-only cable or a USB data blocker is one of the most effective ways to neutralize this specific attack vector.

If you're buying one: look for brands like PortaPow or Privise. They're small enough to live on your keychain and cost less than an airport sandwich.

Turn your phone off before charging in public. Many juice jacking attacks require an active, unlocked device to work. A powered-off phone presents a much harder target.


What If You Already Plugged In?

If you've been using public USB ports for years and nothing obvious has happened, you're probably fine — but "probably" is doing real work in that sentence.

Go to your phone settings and revoke USB access permissions for any devices you don't recognize. On iPhone: Settings → General → Transfer or Reset iPhone → Reset → Reset Location & Privacy (this clears trusted computer permissions). On Android, it varies by manufacturer, but look for Developer Options → Revoke USB debugging authorizations.

Change passwords for anything sensitive you accessed during or shortly after the charging session. Not because you were definitely compromised, but because it costs you ten minutes and eliminates a real variable.


The Honest Limitation

None of this is foolproof. A sophisticated, state-level actor with access to your device's firmware can do things that a data blocker won't stop. If someone really wants what's on your phone and has the resources to pursue it, plugging into a wall outlet instead of a USB port isn't what saves you.

The realistic threat most people face is opportunistic — criminals who set up compromised ports and harvest whatever walks by. Against that, a $12 data blocker works. Against a targeted operation by a well-funded adversary, your best protection is not being interesting enough to target.

That's not a satisfying ending. But it's the accurate one.


Sources:

  • CISA
  • Norton – What Is Juice Jacking

The Most Dangerous Apps You Probably Have On Your Phone Right Now

A friend of mine — sharp guy, works in finance — handed me his phone once to show me something. I noticed he had a flashlight app. Not the built-in one. A third-party flashlight app he'd downloaded years ago and never thought twice about. That app had access to his microphone, his contacts, and his precise location. For a flashlight.

That's not a freak case. That's Tuesday.


The Problem Isn't the App You're Afraid Of

Most people worry about shady apps from unknown developers. The uncomfortable truth is that some of the riskiest apps on your phone are ones you use every day — apps you trust, apps with millions of downloads, apps made by companies with marketing budgets bigger than most countries' GDP.

Take free VPN apps. The whole pitch is privacy. You're protecting yourself. But according to the Australian government's cybersecurity center (ACSC), many free VPN providers log your activity and sell that data to third parties — the exact thing you were trying to prevent. You handed your entire browsing history to a company you know nothing about, in exchange for a false sense of security.

That's not irony. That's the business model.


The Apps Sitting in Your Drawer

You know that category of apps you downloaded once, used for a weekend trip or a single project, and then forgot about? Those are quietly dangerous in a way that gets almost no attention.

Old apps stop getting security updates. A vulnerability discovered in 2022 might still be sitting, unpatched, in an app you haven't opened since 2021. But the app still has permissions. It can still run in the background. It's a door you left unlocked in a house you forgot you owned.

Go check your phone's app list right now. If you see apps you haven't opened in six months, ask yourself: does this thing still have access to my camera? My files? My location? For most people, the answer is yes.


The Surprising One Nobody Talks About

Here's where it gets counterintuitive: your keyboard app might be the most invasive app on your phone, and it's one people almost never consider.

Third-party keyboards — the ones with extra themes, emoji packs, or swipe-to-type features — sit between you and everything you type. Every password. Every bank account number you've ever entered. Every private message. The keyboard processes it all before it goes anywhere else.

According to the Electronic Frontier Foundation (EFF), some third-party keyboards transmit keystrokes back to their servers, often to improve autocorrect but with no real limit on what gets collected. If you're using a keyboard made by a company you've never researched, you are trusting that company with the most sensitive data stream on your device.

Switch back to your phone's built-in keyboard. It's not exciting, but excitement isn't what you want from the thing logging everything you type.


Social Media Apps: The Obvious One, With a Twist

Yes, you already know social media apps collect a lot of data. But most people think of this as an abstract privacy concern — some algorithm learns you like hiking, you get hiking ads, fine, whatever.

The real risk is more concrete. Social media apps frequently request permissions they don't functionally need — access to your contacts, microphone, camera, and precise GPS location. According to Mozilla Foundation's Privacy Not Included guide, many apps share or sell this data with dozens of third-party brokers, and once it leaves the app, you have no visibility into where it goes.

That data can end up in background check sites, targeted phishing campaigns, or data broker databases that anyone can pay to access. You're not just feeding an algorithm. You're populating a profile that exists long after you delete the app.


What You Can Actually Do

None of this requires becoming a technical expert. Here's what moves the needle:

Start with a permission audit. On iPhone, go to Settings → Privacy & Security. On Android, go to Settings → Privacy → Permission Manager. Look at which apps have access to your microphone, camera, and location. Ask yourself if that access makes any sense. A recipe app with microphone access does not make sense.

Delete what you don't use. Not archive. Delete. The permissions go with it.

For VPNs, pay for one or use none. The business model of a free VPN is not charity. Mullvad and ProtonVPN are two that have passed independent audits. They cost a few dollars a month. That's the actual product.

Replace your third-party keyboard. This one simple switch closes a significant data exposure most people have never thought about.

Check app update history before downloading anything new. If an app hasn't been updated in over a year, the developer has likely abandoned it. An abandoned app is an unpatched app.
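The permission audit and the update-age check above can be done in one pass from a computer with adb installed, since `adb shell dumpsys package` prints each package's lastUpdateTime and its runtime permission grants. The script below is an added example, not from the article; the dumpsys excerpt it parses is constructed to match the relevant lines of that output, the package names are made up, and the list of permissions it treats as sensitive is my choice.

```python
"""Permission and staleness audit of the apps on an Android phone, from the
text `adb shell dumpsys package` prints. Added example, not from the article.
The sample below is constructed and approximates the relevant lines of that
output (package header, lastUpdateTime, runtime permissions); the regexes
target only those lines, so the many other lines in real output are ignored."""
import re
from datetime import datetime, timedelta

SENSITIVE = {                                   # my choice of what to flag
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
}
NOW = datetime(2024, 5, 3, 12, 0)               # fixed "today" so the demo repeats

PKG_RE = re.compile(r"^\s*Package \[(?P<pkg>[\w.]+)\]")
UPD_RE = re.compile(r"^\s*lastUpdateTime=(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
PERM_RE = re.compile(r"^\s*(?P<perm>android\.permission\.\w+): granted=(?P<g>true|false)")

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.torchlite] (3f2a9c):
    versionName=2.3.1
    firstInstallTime=2019-04-02 10:11:12
    lastUpdateTime=2019-06-15 08:00:00
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.messenger] (9b1e40):
    versionName=11.8.0
    firstInstallTime=2022-01-20 09:00:00
    lastUpdateTime=2024-04-28 17:45:10
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

def parse_dumpsys(text):
    """{package: {"updated": datetime or None, "granted": [permission, ...]}}"""
    apps, current = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = apps.setdefault(m["pkg"], {"updated": None, "granted": []})
            continue
        if current is None:
            continue
        m = UPD_RE.match(line)
        if m:
            current["updated"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            continue
        m = PERM_RE.match(line)
        if m and m["g"] == "true":
            current["granted"].append(m["perm"])
    return apps

def audit(apps, now=NOW, stale_after=timedelta(days=365)):
    """Per package: readable names of sensitive grants, and whether the app
    looks abandoned (no update in over a year)."""
    report = {}
    for pkg, info in apps.items():
        sensitive = [SENSITIVE[p] for p in info["granted"] if p in SENSITIVE]
        stale = info["updated"] is not None and now - info["updated"] > stale_after
        report[pkg] = {"sensitive": sensitive, "stale": stale}
    return report

def demo():
    return audit(parse_dumpsys(SAMPLE_DUMPSYS))

if __name__ == "__main__":
    for pkg, r in demo().items():
        tag = " (no update in over a year)" if r["stale"] else ""
        print(f"{pkg}: {', '.join(r['sensitive']) or 'nothing sensitive'}{tag}")
```

To run it against a real phone, enable USB debugging, dump with `adb shell dumpsys package > dump.txt`, and feed the file's contents to `parse_dumpsys`. The flashlight-style app in the sample comes out exactly as the article describes: microphone, contacts and precise location, last updated five years ago.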


The Part Most Security Articles Skip

Here's what I want to be straight with you about: even if you do everything above, you're not fully protected.

The data that was already collected — before you read this, before you thought to check — is already out there. You can limit future exposure, but there's no retroactive delete button for data that's already been sold, shared, or breached. The best security writing often ends with a clean call to action, as if doing the right thing today erases yesterday. It doesn't.

What it does do is make tomorrow better. That's worth doing, even without the tidy ending.


Sources:

  • Australian Cyber Security Centre (ACSC)
  • Mozilla Foundation – Privacy Not Included

How To Know If Someone Is Spying On Your Internet Connection

Someone Was Watching My Internet Traffic — Here's How I Found Out

A friend of mine runs a small café. Last year, she noticed something odd: customers kept complaining that their bank apps weren't working on her Wi-Fi, but worked fine on mobile data the moment they stepped outside. She assumed it was a router glitch. It wasn't. Someone had set up a rogue hotspot with the same name as her café network and was sitting two tables away, intercepting traffic.

She had no idea for three weeks.

That story isn't rare. It happens in hotels, airports, libraries, and yes, home networks too. The problem is that spying on an internet connection leaves almost no obvious fingerprints — which is exactly why most people never notice it.


Your Router Is the Front Door Nobody Watches

Before checking anything else, log into your router. Type 192.168.1.1 or 192.168.0.1 into your browser address bar — one of those will open your router's admin page (the password is usually on a sticker on the device itself). Once in, look for a section called "Connected Devices" or "DHCP Clients."

You're looking for strangers.

Every device on your network shows up here — your phone, laptop, smart TV, everything. If you see a device you don't recognize, especially one with a generic name like "Unknown" or a string of random letters, that's worth investigating. Write down the MAC address (the unique hardware ID listed next to each device) and run it through a lookup tool like macvendors.com to see what manufacturer made the device. A "Raspberry Pi Foundation" device you never bought is a serious red flag.
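The stranger check described above, written out as an added example (not from the article): it takes a constructed DHCP client table in the mixed MAC formats home routers print, compares it against an inventory of the MACs you own, and flags anything unknown together with its OUI prefix and whether the hostname is the generic kind the article warns about. The only vendor prefix built in is the Raspberry Pi Foundation one; every other OUI is left for a macvendors.com lookup.

```python
import re

# Constructed DHCP client table as a home router might display it (not a real capture).
# Routers print MAC addresses in several styles, so the parser normalises them first.
SAMPLE_DHCP_CLIENTS = """
Hostname          IP Address     MAC Address
Marias-iPhone     192.168.1.12   02:1a:2b:3c:4d:5e
living-room-tv    192.168.1.20   02-1A-2B-3C-4D-60
work-laptop       192.168.1.31   021a.2b3c.4d61
Unknown           192.168.1.37   b8:27:eb:aa:bb:cc
a1f9c0            192.168.1.40   02:1a:2b:3c:4d:77
"""

# Devices the household actually owns: an inventory you keep yourself (constructed here).
OWNED_MACS = {"02:1a:2b:3c:4d:5e", "02:1a:2b:3c:4d:60", "02:1a:2b:3c:4d:61"}

# Minimal local OUI table. B8:27:EB is the real Raspberry Pi Foundation prefix;
# anything else is reported as unknown and should be looked up on macvendors.com.
KNOWN_OUIS = {"b8:27:eb": "Raspberry Pi Foundation"}

# Hostnames that carry no information: "Unknown", "new-host", or a bare hex string.
GENERIC_NAME_RE = re.compile(r"^(unknown|new-host|[0-9a-f]{6,})$", re.I)


def normalise_mac(raw):
    """Turn any of the common router spellings into lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_clients(text):
    """Parse the three-column table into dicts with a normalised MAC."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        host, ip, mac = line.split()
        rows.append({"host": host, "ip": ip, "mac": normalise_mac(mac)})
    return rows


def strangers(text, owned=OWNED_MACS):
    """Devices missing from the inventory, with a vendor hint and a generic-name flag."""
    found = []
    for row in parse_clients(text):
        if row["mac"] in owned:
            continue
        oui = row["mac"][:8]
        row["vendor"] = KNOWN_OUIS.get(oui, f"unknown OUI {oui}: look up on macvendors.com")
        row["generic_name"] = bool(GENERIC_NAME_RE.match(row["host"]))
        found.append(row)
    return found
```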


The Speed Test Trick Nobody Mentions

Here's something counterintuitive: your internet feeling slower than usual at odd hours — specifically late at night when you're barely using it — can be a symptom of someone leeching your connection or running traffic through your network.

Run a speed test at fast.com at 11am on a Tuesday. Then run it again at 2am on a Friday. If the 2am result is dramatically lower, and no one in your house is streaming anything, that asymmetry deserves attention.

This isn't definitive proof of spying. But surveillance tools and data exfiltration often run on schedules — automated, quiet, designed to avoid peak hours. The speed drop is the shadow they leave behind.


What "Man-in-the-Middle" Actually Looks Like

The attack my friend's customers experienced has a name: a man-in-the-middle attack. Someone positions themselves between you and the internet, reading everything that passes through. According to the Electronic Frontier Foundation, unencrypted connections — anything that starts with http:// rather than https:// — hand your data to an interceptor on a silver platter.

Check the address bar right now on any site you're using. No padlock icon, or a warning that the connection isn't private? Treat everything you type there as potentially visible to a third party.

The subtler version of this attack happens on networks you trust. Someone on the same Wi-Fi as you can use freely available tools to redirect your traffic through their device without you noticing anything except, occasionally, a slightly slower connection. Your browser won't warn you. Your antivirus won't catch it.


Check What's Actually Leaving Your Computer

Passive surveillance sometimes runs on your device rather than between your device and the internet. A monitoring program quietly installed — through a sketchy download, a phishing email attachment, or physical access to your machine — can send your activity outward continuously.

On Windows, open Command Prompt and type netstat -ano. On Mac, open Terminal and type netstat -an. What you'll see is a live list of every active network connection your computer is making right now. It looks intimidating, but you're scanning for connections on port 4444, 1337, or other non-standard ports connecting to unfamiliar IP addresses.

According to CISA (the Cybersecurity and Infrastructure Security Agency), remote access trojans — software designed specifically to spy on users — frequently communicate on unusual port numbers as a way to avoid detection by standard security software. If you see connections you can't explain, paste the IP address into abuseipdb.com and check whether it's been flagged.
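As an added example (not from the article), here is the triage rule from the previous two paragraphs applied to a constructed snippet of Windows `netstat -ano` output: keep only ESTABLISHED connections, drop peers inside the home network, and flag the rest when the remote port is not one of the ordinary web, mail, DNS or SSH ports. The "foreign" addresses are from the RFC 5737 documentation ranges standing in for public IPs, and the list of common ports is my assumption, not an authoritative allowlist.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -ano` output (not a real capture). The foreign
# addresses are documentation-range IPs (RFC 5737) standing in for public hosts.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:52301     192.0.2.10:443         ESTABLISHED     4512
  TCP    192.168.1.23:52302     203.0.113.7:4444       ESTABLISHED     7788
  TCP    192.168.1.23:52303     192.168.1.1:80         ESTABLISHED     4512
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.23:52310     198.51.100.9:1337      ESTABLISHED     9001
  UDP    0.0.0.0:5353           *:*                                    1234
"""

# Ports treated as ordinary traffic (assumption, not an authoritative allowlist).
# Anything else to a non-local peer is flagged for a closer look.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995}

# Ranges that stay inside the home network: RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]

TCP_LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def is_local(host):
    """True for LAN or loopback peers, and for '*' or anything unparsable."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return True
    return any(ip in net for net in LOCAL_NETS)


def parse_netstat(text):
    """Return (local, remote_host, remote_port, state, pid) for each TCP line."""
    rows = []
    for line in text.splitlines():
        m = TCP_LINE_RE.match(line)
        if not m:
            continue
        local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        rows.append((local, host, int(port), state, int(pid)))
    return rows


def suspicious_connections(text, common_ports=COMMON_PORTS):
    """Established connections to non-local peers on non-standard ports, with the PID."""
    flagged = []
    for _local, host, port, state, pid in parse_netstat(text):
        if state == "ESTABLISHED" and not is_local(host) and port not in common_ports:
            flagged.append({"remote": f"{host}:{port}", "pid": pid})
    return flagged
```

The PID in each flagged row is what lets you find the owning process in Task Manager before deciding whether the connection is explainable.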


The VPN Misconception

A lot of people hear "use a VPN" and think they've solved the problem. Here's the uncomfortable truth: a VPN protects your traffic from your internet service provider and from anyone watching the network you're on — but it does nothing if the surveillance is already on your device. If someone installed monitoring software on your laptop before you turned on your VPN, the VPN is irrelevant. The spy is already inside.

VPNs are useful and worth using, but they're a layer of protection against network-level snooping, not a cure-all. Treating them as a complete solution is the kind of false confidence that makes the actual problem worse.


The Browser History You Didn't Delete

Your internet service provider sees every domain you visit — not the specific pages, but the destinations. According to the Electronic Frontier Foundation's Surveillance Self-Defense guide, ISPs in many countries are legally permitted to log and sell this browsing data. In the US, that's been legal since 2017. This isn't a hacker spying on you — it's your internet provider doing it openly, with no warning.

The fix here is DNS-over-HTTPS, which encrypts your domain lookups so your ISP can't read them. You can enable it in Firefox under Settings → Privacy & Security → Enable DNS over HTTPS. It takes forty seconds and most people have never heard of it.


One Honest Caveat

Everything above gives you signals to look for — not certainties. A strange device on your network might be your neighbor's phone that accidentally connected years ago. Slow speeds at 2am might just be your ISP throttling. netstat output looks alarming to almost everyone the first time they see it, and most of it is harmless.

The hard truth is that a sophisticated, targeted surveillance operation — state-level, professional — is genuinely difficult to detect without specialized tools and training. If you have specific reason to believe you're being targeted at that level, consumer-grade detection methods aren't enough. You'd need professional help. For everyone else, the steps above catch the vast majority of real-world threats you're likely to actually face.


Sources:

  • Electronic Frontier Foundation
  • EFF Surveillance Self-Defense
  • CISA Cyber Threats and Advisories

What To Do Immediately After Your Password Gets Leaked


Your Password Just Leaked. Here's What to Do in the Next 60 Minutes.

You're scrolling through your email when you see it — a notification from some service you barely remember signing up for. "We've detected unauthorized access." Your stomach drops. You close the tab, tell yourself it's probably nothing, and go make coffee.

That instinct to ignore it is exactly what gets people into serious trouble.

I've watched this play out enough times to know the pattern: someone gets a breach notification, does nothing for a few days, and then wakes up to find their email account locked, their bank doing fraud review, or their social media posting things they never wrote. The breach itself isn't always the disaster. The inaction after it is.

So here's what you actually do — starting right now.


Step One: Find Out What Got Exposed (Before You Panic)

Not all leaks are equal. A breach that exposed your username and an old hashed password from 2019 is annoying. A breach that exposed your current plaintext password, your phone number, and your home address is a completely different problem.

Go to Have I Been Pwned and enter your email address. It will show you exactly which breaches your account appeared in and what type of data was involved. This isn't guessing — it's pulling from an actual database of verified breach data.

According to Have I Been Pwned, the site currently holds records from over 13 billion compromised accounts across hundreds of breaches. That number should tell you something: this is common, not shameful. Treat it like a fire drill, not a moral failing.


Step Two: Change the Leaked Password — But Not Just on That Site

This is where most people stop after one fix and feel like they've handled it. They haven't.

The real danger with leaked passwords isn't the breached site itself. It's that most people reuse passwords across multiple accounts. Attackers know this. They take a leaked credential — say, your email and password from a fitness app — and automatically try it on Gmail, PayPal, Amazon, and your bank. This is called credential stuffing, and it's largely automated and fast.

If you used that same password anywhere else, change it everywhere. Yes, everywhere. This is tedious. Do it anyway.


Step Three: Lock Down Your Email First — Everything Else Flows From It

Here's the counterintuitive thing most breach guides don't tell you: your email account is more valuable to an attacker than your bank account.

Why? Because your email is the master key. Every "forgot my password" reset link goes to your inbox. If someone controls your email, they can reset every other account you own — including your bank. Securing your email matters more than securing your bank directly.

Enable two-factor authentication (2FA) on your email immediately if it isn't already on. Use an authenticator app like Google Authenticator or Authy, not SMS text messages if you can help it. According to CISA (the U.S. Cybersecurity and Infrastructure Security Agency), SMS-based 2FA is significantly weaker than app-based 2FA because phone numbers can be hijacked through SIM-swapping attacks.


Step Four: Set Up a Password Manager (For Real This Time)

You've heard this before. You've nodded and done nothing. I understand — it feels like extra friction added to your life for some abstract future threat.

Here's the practical reality: you cannot remember 80 unique, strong passwords. No one can. A password manager like Bitwarden (free), 1Password, or Dashlane generates and stores them for you. You remember one strong master password. The manager handles the rest.

The part people miss: most breaches succeed specifically because of password reuse. A password manager eliminates that attack surface almost entirely. It's not a luxury security tool — it's basic hygiene at this point.


Step Five: Check for Active Session Intrusions

Changing your password doesn't kick out someone who's already logged in.

On Gmail, scroll to the bottom of your inbox and click "Last account activity." On Facebook, go to Settings → Security → Where You're Logged In. Most major platforms have something similar. If you see a session from a device or location you don't recognize, terminate it immediately.

This step gets skipped constantly. Someone changes their password feeling secure, while an attacker is already inside reading their messages with an active session that the password change didn't invalidate.


Step Six: Watch Your Other Accounts for the Next 30 Days

The effects of a credential breach don't always show up immediately. Attackers sometimes wait weeks before using stolen credentials, especially if they're selling them in bulk to other actors first.

Set calendar reminders to check your bank statements, credit card activity, and email login history over the next month. If your Social Security number or financial data was part of the breach — which you'll know from the Have I Been Pwned details — consider placing a credit freeze with all three major bureaus: Equifax, Experian, and TransUnion. According to the Federal Trade Commission, a credit freeze is free and prevents new credit accounts from being opened in your name without your explicit unfreeze.

A credit freeze doesn't affect your existing accounts or credit score. There's no real downside to doing it.


The Honest Caveat

Here's what no article about breach response should pretend: doing all of this correctly reduces your risk significantly, but it doesn't eliminate it. If your data is already in a criminal's database, it may be sold and resold for years. Your email address, phone number, and old passwords become part of phishing lists used in future attacks.

You cannot un-leak data. What you can do is make yourself a harder target than you were before — and most attackers are opportunistic enough to move on to easier prey. That's the realistic ceiling of what individual action can accomplish here.

The breach already happened. What happens next is still partly up to you.


Sources:

  • Have I Been Pwned
  • CISA: Multi-Factor Authentication
  • Federal Trade Commission: Credit Freezes and Fraud Alerts