Why Hackers Target Regular People, Not Just Companies

You're Not Too Small to Hack — You're the Perfect Target

My neighbor called me last year, panicked. Someone had drained $1,200 from her bank account overnight. She couldn't understand it. "I'm nobody," she kept saying. "Why would anyone bother with me?"

That question breaks my heart every time I hear it, because it contains exactly the wrong assumption — that hackers are like burglars casing mansions, skipping the small houses. They're not. They're more like combine harvesters. They don't choose. They just sweep everything in their path.


The Numbers Game You Don't Know You're Playing

Here's the thing about modern cybercrime: it's almost entirely automated. A human being is not sitting somewhere deciding whether you specifically are worth their time. Software is scanning millions of accounts simultaneously, testing leaked passwords against banking and email logins, flagging anything that works.

According to the Identity Theft Resource Center, over 353 million people were affected by data compromises in 2023 alone. That's not corporate espionage. That's your neighbor, your cousin, your mom.

When a company gets breached — and they get breached constantly — your email and password combination gets dumped into a database that criminals buy for a few dollars. Then automated bots test those credentials against PayPal, your bank, Gmail, Amazon. This is called credential stuffing, and it requires zero human effort after setup.

You're not a target. You're a row in a spreadsheet.


What They Actually Want From You

Companies have security teams, lawyers, and incident response budgets. You don't. That asymmetry is the whole point.

Here's what makes regular people so valuable:

  • Your tax refund. Filing a fraudulent return in your name before you do is a low-risk, high-reward crime that's surprisingly common.
  • Your identity as infrastructure. Criminals don't just steal your money — they use your clean credit history to take out loans they never repay, leaving you to untangle it for years.
  • Your device as a soldier. Your laptop or phone can be hijacked to attack other targets or mine cryptocurrency without you ever noticing, beyond slightly slower performance.

The counterintuitive insight most articles skip entirely: your data is often worth more to criminals than your actual money. Selling a verified identity package — name, Social Security number, date of birth, bank login — can net a criminal $1,000 to $2,000 on dark web markets. Your $400 checking account balance is a one-time score. Your identity is a recurring revenue stream.


The Password Problem That's Actually Solvable

You've heard "use strong passwords" so many times it's become noise. Let me be more specific about why it matters and what actually works.

The reason your password strength matters isn't brute force — movies love that image of hackers trying every combination. In reality, most account takeovers happen because you used the same password somewhere that got breached, and now that password is sitting in a criminal's database with your email attached to it.

According to Google's Security Blog, reusing a password across multiple accounts is the single biggest predictor of account compromise. Not weak passwords. Reuse.

The fix is genuinely unsexy: a password manager. Pick one — Bitwarden is free, 1Password costs about $3/month. Let it generate a different 20-character gibberish password for every site. You only remember one master password. The rest is handled.

This isn't a vague tip. This is the specific action that removes the most common attack vector against regular people. It takes one afternoon to set up.
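
An added example (not part of the original article) for the reuse problem described above and the credential stuffing described earlier: it audits a password-manager export for shared passwords and lists which accounts fall when one site is breached. The CSV column names, the sample entries and the MASTER_KEYS set are constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. The column names (name, username, password) are
# hypothetical; adjust them to whatever your password manager actually exports.
SAMPLE_EXPORT = """name,username,password
Gmail,me@example.com,Tr0ub4dor&3
Old Forum,me@example.com,Tr0ub4dor&3
Bank,me@example.com,x9$Lq2!vRw7#pKe4ZtUa
Shop,me@example.com,Tr0ub4dor&3
Streaming,me@example.com,sunshine1
Newsletter,me@example.com,sunshine1
"""

# Accounts that can reset other accounts' passwords (assumption for this example).
MASTER_KEYS = {"Gmail"}

def load_entries(text):
    """Parse the CSV export into a list of dicts, one per saved login."""
    return list(csv.DictReader(io.StringIO(text)))

def reuse_groups(entries):
    """Group account names by (username, password); keep only groups with reuse."""
    groups = defaultdict(list)
    for e in entries:
        # Compare digests so the plaintext password never appears in the report.
        digest = hashlib.sha256(e["password"].encode()).hexdigest()
        groups[(e["username"].lower(), digest)].append(e["name"])
    return [sorted(names) for names in groups.values() if len(names) > 1]

def blast_radius(entries, breached_site):
    """Other accounts exposed if `breached_site` leaks its username/password pair."""
    for names in reuse_groups(entries):
        if breached_site in names:
            return [n for n in names if n != breached_site]
    return []

def priority_report(entries):
    """Reuse groups to fix first: those holding a master-key account, then larger ones."""
    groups = reuse_groups(entries)
    return sorted(groups, key=lambda g: (not MASTER_KEYS & set(g), -len(g)))

if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    for group in priority_report(entries):
        flag = "  <-- includes email" if MASTER_KEYS & set(group) else ""
        print(f"{len(group)} accounts share one password: {', '.join(group)}{flag}")
    print("If 'Old Forum' is breached, also exposed:", blast_radius(entries, "Old Forum"))
```

Run it against your own export locally, then delete the export file: it contains every password in plaintext.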


The Call That Almost Fooled Me

A few years ago I got a call from someone claiming to be my bank's fraud department. They had the last four digits of my card, they knew my recent transactions, they were professional and calm. They asked me to confirm my full card number "to verify my identity."

I caught it. But barely.

This is social engineering — using scraped personal data to manufacture enough trust to extract the one piece they're missing. The data they already had probably came from a previous breach. They weren't guessing. They were completing a puzzle.

The rule that saved me: any inbound call that asks for information is automatically suspicious, regardless of who they claim to be. Hang up. Call the number on the back of your card yourself. That's it. That's the whole defense.


Two-Factor Authentication Is Not Optional Anymore

Two-factor authentication (2FA) means that even if someone has your password, they need a second thing — usually a code sent to your phone — to get in. According to Microsoft's Security research, enabling 2FA blocks over 99% of automated account attacks.

That number is almost offensively high. It means nearly all the automated credential stuffing attacks that sweep through millions of accounts fail immediately on a 2FA-protected login.

Turn it on for your email first. Email is the master key — whoever controls your inbox can reset every other password you own. Then your bank. Then anything that has your payment information.

Authenticator apps like Google Authenticator or Authy are more secure than SMS codes, if you want to go further.


The Honest Caveat

Here's what I won't pretend: none of this makes you immune. A sufficiently motivated attacker with your specific details as a goal — say, an estranged family member or someone with a personal grudge — can work around most of these defenses with enough patience.

What these measures actually do is raise your cost-to-attack high enough that automated systems move on to easier targets. You're not building a fortress. You're making yourself the house on the street with the visible alarm system, so the opportunistic thief tries the next door instead.

That's not a perfect ending. But it's an honest one, and honest is more useful than reassuring.


Sources:

  • Identity Theft Resource Center 
  • Google Security Blog
  • Microsoft Security Blog 
