As Halloween approaches, horror fans will line up to be terrified by men in masks, creepy dolls, slashers, monsters, and everything ghoulish and gross. Meanwhile, a more sinister threat lurks in your inbox.

October is National Cyber Security Awareness Month, where public and private companies alike come together to spread awareness and encourage policies that stop attacks in their tracks.

“So what?” you might say. Getting scammed or hacked is dangerous, but it only happens to huge companies or the most tech illiterate, right? Wrong. For the spookiest month of the year, we’ve prepared three cyber security horror stories that will chill your blood.

Or, at the very least, make you change all your passwords. (Password1? Come on, guys!)

Story #1: The Good Samaritan (Who Makes You WannaCry)

The Legend

It’s a dark and stormy night (of course), and you’re at home. You know the risks of cyber crime. You’ve got antivirus software, your data backed up, and you update regularly. That’s when you get a message from Microsoft confirming your worst fears.

You’ve been hit with ransomware.

A notification pops up and urges you to call tech support. You dial the numbers, the sound of your heartbeat pounding in your ears. Someone picks up and you explain the disaster.

The woman on the other end puts your fears to rest. She’s here to help. She walks you through setting up some anti-ransomware software for $300. It’s a bit much but worth it to save your data.

Reluctantly, you fork over the fee and give her remote access to your computer. After a few minutes, she thanks you and assures you your computer is ransomware-free.

One week later, you’ve nearly forgotten the incident. During your morning coffee, you turn on the news and see a story about a local scam. Your eyes widen in horror.

That’s when you realize you were never hit with ransomware. The woman you talked to wasn’t from Microsoft. She was a scammer. And you let her into your computer.

The Reality

According to UK’s fraud and cybercrime center, Action Fraud, criminals have been exploiting fears around WannaCry by offering tech support after they fake a ransomware attack. During their “tech support,” they charge ridiculous amounts of money and can even install malware on your computer.

“It is important to remember that Microsoft’s error and warning messages on your PC will never include a phone number. Microsoft will never pro-actively reach out to you to provide unsolicited PC or technical support. Any communication they have with you must be initiated by you.”

Action Fraud

And this isn’t limited to computer users. Some Android apps like, “WannaCry Ransomware Protection,” promise safety but instead install buggy adware on your phone that will expose you to a ton of annoying and potentially dangerous ads. They’re available on Google Play and even have high star ratings.

What can you do? First, know that Microsoft, or any other big organization, will never send you a tech support number in an error message. They will likely not reach out to you unless you’ve asked them first. Second, do your research before you install anything on your phone or computer. Check out these articles for tips on how to avoid fake virus & malware software and learn how to recognize fake virus warnings.

Okay, that was a pretty mild story compared to some. From here on out, it gets worse. Are you ready?

Story #2: Let the Right One In

The Legend

It’s a lazy Wednesday afternoon in the office. You’re in charge of supplier relations at a company that buys and resells wholesale products. It’s your job to make sure big orders come and go without hassle. The clock is striking 2 pm and your mid-morning coffee buzz has worn off.

You’re debating whether or not a Snickers is technically cheating on your diet (it is) when you get an email from a vendor. It’s a company you regularly work with. They tell you they’ve received over $20,000, but weren’t sure what you ordered. They want your account info so they can sort it out.

Your heart jolts. You’ve got deadlines to meet and if you don’t get this out, you’ll be in big trouble. You click the attachment and scan the invoice, confirming they have your account and some of your bank info. You send them an email with payment info so they can sort it out.

They respond promptly. It’s been taken care of. You breathe a sigh of relief, happy you’ll be able to tell your boss you’ve already fixed the problem.

A few weeks later, you get a strange call. One of your clients is complaining their order never came. That’s strange, you’re sure you remembered. You dig back through your inbox to find the email.

That’s when you take a closer look at the invoice. You’re used to working with this company, but you thought for sure their name was spelled differently.

That’s when it hits you. This isn’t from your vendor. You’ve given an enormous amount of money and your company’s banking info to a scammer. By opening the pdf with your account information, you’ve also exposed your company’s entire network to heaven only knows what.

And there’s nothing you can do to stop it.

The Reality

While we associate Nigerian phishing scams with sketchy deposed kings and poor grammar, cyber attackers continue to adapt in more serious and pernicious ways. One such scam targets suppliers, customers, commercial organizations, and delivery services who have data access to a greater pool of victims.

Nigerian phishers would send a legitimate-looking invoice and ask recipients to clarify product pricing or goods. They’d even register similar domain names to the companies their victims worked with. Then, they’d send their victims attachments with trojan-spies or backdoors.

“Using the newly registered domains, the cybercriminals are able to carry out a man-in-the-middle attack: they intercept the email with the seller’s invoice and forward it to the buyer after replacing the seller’s account details with the details of an account belonging to the attackers. Alternatively, they can send a request on behalf of the seller for an urgent change of bank details in addition to the seller’s legitimate email containing the invoice.”

Securelist, Kaspersky Lab Security Experts

This type of attack is an especially big risk for industrial companies that buy from wholesalers and resell. They lose out on the money the scammer stole and have to deal with replacing the order that didn’t go out.

What can you do? The best advice in this situation is to always, always think twice before clicking. The difficult thing about these attacks is they appear to come from people you know. Ask yourself, how well do I know the source? Am I expecting this information? Make sure to double check the spelling of the sender’s address and name against previous emails from them. And, of course, make sure all your data is backed up. Strengthen your network, and, if you think your computer has been compromised, shut it down immediately.

If you think that’s bad, just wait. We saved the worst for last.

Story #3: Destroying Your Digital Life

The Legend

You get home after a long day. You sit down, happy to spend some time with your one-year-old daughter. As you play, you realize your iPhone shut down. Since you’re expecting a work call, you plug it in.

Instead of bringing up your familiar lock screen, it takes you to the setup display you saw when you first bought it. Weird. And annoying. You figure it’s probably just a bug and, luckily, you’ve backed everything up on the iCloud. You hook your phone to your laptop so you can enter your Apple ID and restore your data. When you open it, a message pops up letting you know your Gmail information is wrong. It asks for a four-digit pin.

But, there’s just one problem… you never set up a four-digit pin.

A twisted, burning hole in your stomach confirms it before you can even think it. You try your laptop. No luck. In horror, you start checking your other accounts. Your Google account is gone. Your Twitter has been hacked and is sending out an ugly stream of racist and homophobic tweets.

Fearing for your household network, you shut down the laptop and disconnect your router. You call Apple support. During your call, you think of everything you could lose. It’s bad enough that you’ll have to recreate all your work, notes, data, and maybe even create new online accounts. What’s even worse is that you realize almost every picture you’ve taken of your daughter’s first year on earth was on that hard drive. That can’t be replaced.

On your tech support call, they mention this is the second call you’ve had with them today. But that doesn’t make you sense, you insist. It’s the first time you’ve called them today.

That’s when you realize. The first call to tech support was from the hacker, posing as you. It took them less than an hour to destroy your entire online existence. You have no idea what to do next.

The Reality

This is exactly what happened to tech journalist and Wired.com writer, Mat Honan. In the space of an hour, his Google account was deleted, Twitter was commandeered, and all data from his iPhone, iPad, and MacBook was erased.

Mat, a tech journalist, revealed that the scale of the devastation was due to the fact that information from one account let the hacker get into his other accounts.  A hacker got his address and the last four digits of his credit card from the support staff at Amazon. From there, they got into his AppleID, his Google account, and his Twitter.

[pexyoutube pex_attr_src=”https://youtu.be/CgKUd36xCrs”][/pexyoutube]

Fortunately for Honan, the hacker wasn’t interested in his bank account or the people on his contact list. So why did this hacker ruin Mat’s digital life?

For his Twitter handle.

The hacker was interested in Mat’s rare three-character Twitter handle. For that reason, they laid Mat’s data to waste.

Fortunately for Mat, the team at the Apple store managed to restore over 75% of his hard drive, including the photos of his daughter. It didn’t come cheap at a hefty fee of $1,690. Not everyone has the time or the resources to retrieve memories like the one below.

What can you do? First of all, two-factor authentication is your best friend. This links your accounts to a phone number. Every time you log into a new device it will ask you to enter a code that’s sent to your phone. It will also send you an email to let you know when and where someone logs into your account. Second, back up everything. The cloud gives us a false sense of safety. Sure, it backs up all your data, but if it’s hacked you will lose everything. An external hard drive could be your savior.

Protecting Your Data

Whether it’s at home, work, or even across your devices, cyber attacks can affect even the most tech-savvy among us. It could be as simple as opening an attachment or setting up accounts for convenience rather than security.

Though ghosts and ghouls will haunt many nightmares this month, cyber security is a real and present danger we face every day. For most, the best offense is a good defense. The National Cyber Security Alliance provides online safety tips and has info on the ever-evolving world of online fraud, theft, and crime.

If you’re interested in joining the fight in a more hands-on way, there’s never been a greater need for talented pros. By 2019, there will be a global shortage of two million cyber security professionals. Even now, employers are struggling to fill 40,000 information security analyst positions and over 200,000 other cyber-security related roles, according to cyber security data tool CyberSeek.

If you’re interested in a career fighting hackers with unparalleled job security, we offer cyber security training courses whether you want to protect networks, keep information safe, or use white hat hacking to fight hackers.

So this month, stay safe! Don’t let your regime fall by the wayside or you could end up in your own cyber security horror story.

Image credits: Glenn Carstens-Peters, Peter Forster, and Markus Spiske.