Jenny didn't think much of it when she left her old phone in her car over the weekend. It was parked in a familiar spot, and there had never been trouble before. Her phone didn't have a password—unlocking it every time just seemed like a hassle. But when she returned on Monday, the phone was gone.
A moment of panic, followed by a rush to track it down, but it was already too late. Whoever had taken it was quick. They immediately opened her Cash App and drained the balance.
It didn’t take much—just a few taps, and the money was gone. The security checks all required the passwordless phone that the thief already had. Jenny was left helpless, realizing that something as simple as a password could have protected her from losing hundreds of dollars.
Then there was Nick, who loved to sell his handmade signs on Etsy. He had a good run until one day, he couldn’t log in. His password had been changed by someone else. It wasn’t just his Etsy account, though. He used the same password across many accounts, including his email.
The hacker got into his email and started resetting passwords for all his other accounts. Within minutes, Nick was locked out of his digital life. The hacker demanded money to return access to his accounts. Nick was caught off guard, and it wasn’t until after a stressful and time-consuming ordeal that he learned the importance of unique passwords and multi-factor authentication.
These stories aren’t outliers—they’re increasingly common. You may not think you’re a target, but you are. Attackers use various methods, but a common one, known as credential stuffing, is using automated tools to try large numbers of username and password combinations on different websites, capitalizing on the fact that many people reuse the same credentials across multiple accounts.
Understanding the threat is the first step in protecting yourself. Credential stuffing works because of weak or reused passwords. Account takeovers happen when attackers gain access to accounts by guessing or stealing credentials, sometimes through phishing, malware, or even exploiting weak security practices like Jenny’s lack of a phone password.
Beyond general security practices like strong passwords and MFA, many apps offer specific features designed to add an extra layer of protection. Take advantage of these options.
Apps like Cash App allow you to set up a PIN or require biometric authentication (like a fingerprint or facial recognition) before completing any transaction. This way, even if someone gains access to your device, they can’t transfer money without your explicit authorization.
Many banking apps and online services also offer features like transaction alerts. These notifications instantly inform you of any activity on your account, allowing you to know something is wrong and get things fixed quickly. When it comes to money transfers, time is of the essence.
Enabling these features can make a significant difference. In Jenny's case, if she had activated Cash App's PIN requirement, the thief would have been unable to access her funds even with her phone in hand.
The first line of defense is ensuring your passwords are long and unique to each website. It’s not enough to just avoid “password123”—attackers are more sophisticated than that.
Avoid single words or predictable sequences. Password managers can be incredibly helpful here, allowing you to generate and store complex passwords without needing to remember them all.
If Jenny or Nick had MFA (aka two-step verification) enabled, their stories might have ended differently. MFA adds an extra layer of security by requiring something you know (a password) and something you have (like a mobile device) to access an account. Even if someone gets your password, they’d still need your phone or another verification method, making it significantly harder for an attacker to succeed.
If you’re tech savvy and don’t ever want to worry about getting phished, you can start using passkeys, which can’t be intercepted by a hacker in the middle the way that even MFA codes can be. Using security features of the phone, you’ll be able to create accounts and sign in to websites with Face ID or your fingerprint, with no passwords required.
Preventing account takeovers is a challenge, but it’s not insurmountable. By understanding the scams, using good passwords, and using MFA, you don’t need to worry as much. In a world where account takeovers are increasingly common, taking a few simple steps can protect both you and your money from falling into the wrong hands.