This is NOT Fraud Advice--Cookies


Hello, everyone! Welcome back to Not Fraud Advice, where we expose how internet fraudsters operate, all in the name of keeping you informed (and maybe just a bit paranoid).

There is a new cookie monster in the world of digital fraud. The FBI announced last week that cybercriminals have used "remember me" cookies to bypass multi-factor authentication (MFA) checks and take over your account.

What’s a “Remember Me” Cookie?

Imagine logging into your email or favorite shopping site and seeing that helpful "Remember Me" checkbox. You click it, thinking you're saving a few seconds on future logins. But here's the catch: ticking "Remember Me" generates a "cookie" that stays in your browser for up to 30 days, keeping your session active without you re-entering your password or MFA code.

Here's where it gets dicey: cybercriminals are laser-focused on stealing these cookies because if they can grab one, they don't need your username, password, or even that second layer of protection provided by MFA. All they need is a single click, and they're in, masquerading as you.

How They Do It: The Phishing Hook

Cybercriminals can snag cookies in several ways, but one of their favorite tactics is the old bait-and-switch. They lure unsuspecting users into visiting shady websites or clicking phishing links that download malicious software onto the computer. Once that malware is installed, it's just a matter of time before it scoops up your cookies, handing the fraudster a skeleton key to your accounts.

How to Stay Safe: It’s Not All Doom and Gloom

Before you go clearing all your cookies and refusing every "Remember Me" checkbox, here are a few practical tips to make sure you aren't handing over your data to cookie crooks:

  1. Clear Your Cookies Regularly: It's a pain, but wiping your browser clean every so often helps to reset those sessions and reduce the chances of an attacker getting in.
  2. Think Twice Before Clicking "Remember Me": I know it's convenient, but skipping this option is safer for any particularly sensitive account.
  3. Only Click on Trusted Links: Phishing attacks often start with a fake link. If it looks suspicious, don't click it. Check if the site is secure (look for "HTTPS"), especially when logging into sensitive accounts.
  4. Monitor Your Login History: Most accounts show recent logins under your settings. Keep an eye out for any unfamiliar devices or locations.
  5. Passkeys: You all know that passkeys are one of my favorite topics. Footprint is fully committed to passkeys; we believe they will replace passwords in the future. Passkeys are unphishable credentials that can protect you and your online identity.
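
For teams on the service side of tip 4, here is an added example (not part of the original article) of the check a login history makes possible: flagging "Remember Me" cookie logins that come from a device other than the one that passed MFA, or that outlive the 30-day window. The log format, field names and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=30)  # cookie lifetime the article mentions

# Constructed sample log: (time, account, token_id, auth, ip, user_agent)
SAMPLE_LOG = [
    ("2024-11-01T09:00:00", "alice", "t1", "password+mfa", "203.0.113.10", "Firefox/132 Windows"),
    ("2024-11-03T08:30:00", "alice", "t1", "cookie", "203.0.113.10", "Firefox/132 Windows"),
    ("2024-11-04T02:14:00", "alice", "t1", "cookie", "198.51.100.77", "Chrome/130 Linux"),
    ("2024-11-02T10:00:00", "bob", "t2", "password+mfa", "192.0.2.5", "Safari/17 macOS"),
    ("2024-12-05T10:00:00", "bob", "t2", "cookie", "192.0.2.5", "Safari/17 macOS"),
]

def flag_cookie_replay(log):
    """Return (time, account, reason) for cookie logins that do not match
    the device the token was issued to, or that outlive MAX_AGE."""
    issued = {}   # token_id -> (issue time, ip, user agent)
    alerts = []
    for ts, account, token, auth, ip, ua in sorted(log):  # ISO times sort as text
        when = datetime.fromisoformat(ts)
        if auth == "password+mfa":
            # Full login with MFA: remember which device received the cookie.
            issued[token] = (when, ip, ua)
            continue
        origin = issued.get(token)
        if origin is None:
            alerts.append((ts, account, "cookie with no recorded MFA login"))
        elif when - origin[0] > MAX_AGE:
            alerts.append((ts, account, "cookie older than 30 days"))
        elif (ip, ua) != origin[1:]:
            # Simplification: an exact IP match is strict; a real deployment
            # would tolerate address changes on the same device.
            alerts.append((ts, account, "cookie used from a new device"))
    return alerts

if __name__ == "__main__":
    for alert in flag_cookie_replay(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

A flagged login is the point at which a service would ask for the password and MFA code again instead of trusting the cookie.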

The cookie-stealing trend is just one example of how attackers innovate to get around the protections we rely on. If you're worried about the gaps in your security, it might be time to look into more sophisticated identity verification tools. We know a team that's good at this sort of thing.

BTW - do not forget to register for our webinar next week! We will be chatting through the evolving fraud landscape: https://us06web.zoom.us/webinar/register/7217307474143/WN_-qd6UEALT3SBFBuf2XGcMQ

Simsan Mallick

IT Consultant | Expert in Software Outsourcing, IT Staff Augmentation, and Offshore Office Expansion | Delivering High-Quality Web & Mobile Application Solutions

3 months

The focus on evolving fraud tactics, like cookie stealing, is critical for staying ahead. What preventive measures do you recommend for businesses to tackle these advanced threats?

Pushkar P.

Simplifying payments and fintech for businesses ( because Who has time for a 20-page report? ) | Strategic Advisor | Angel Investor

3 months

Crazy how cybercriminals are getting more creative with cookies! Definitely tuning in for that webinar, sounds like a game changer. Eli Wachs
