Man-in-the-Middle Phishing Scams


Preview:


Man-in-the-middle phishing scams involve fraudsters intercepting communication between a victim and a legitimate site, such as a bank, to steal login credentials. Here is how to protect yourself.

As you know, phishing scams are phony contacts made by hucksters who try to trick users into revealing information that lets the huckster steal from the victim. It is an electronic con game. A man-in-the-middle phishing scam is one where the con man inserts himself between the victim and the victim's bank or other secure site. The victim believes they are logging into their bank or credit card site but is actually at a fake site that looks identical to the real one. In the kits used today the fake site is usually a relay: every page the victim sees is fetched from the real site at that moment and passed through, so it does not merely resemble the bank's site, it is the bank's own pages with the con man sitting in between.

When the victim enters a username and password, those go to the miscreant, who passes them on to the real site, and the real site's reply comes back through the phony site, which keeps acting like the real one. Two-factor authentication with a code does not stop this. The victim gets the text, email, or authenticator-app code and types the 6 digits into the phony site, which passes them to the real site before they expire. What does stop it is a second factor that cannot be relayed: a hardware security key or a passkey (FIDO2/WebAuthn). The browser ties that login to the address of the site that asked for it, so a response produced on the phony site is rejected by the real one. If your bank offers a security key or passkey, use it.

Now the huckster holds a logged-in session on the actual account and can do anything the victim could do.
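To make the two outcomes concrete, here is a small simulation, added as an illustration; it is not code from the original article. Everything in it (the bank, the browser, the authenticator, and the relay site) is a stand-in built in one Python file with constructed secrets and hypothetical domains (bank.example and bank-example-secure.net), and the passkey signature is an HMAC stand-in for the real public-key signature. It runs the same victim, password, and relay twice: once with a 6-digit code, which the relay passes through and wins a session with, and once with a passkey, which fails because the browser writes the phony site's address into the signed data and the bank checks it.

```python
import hashlib
import hmac
import json
import secrets
import struct

BANK_ORIGIN = "https://bank.example"              # hypothetical real site
PHISH_ORIGIN = "https://bank-example-secure.net"  # hypothetical look-alike relay

USERS = {"alice": "correct horse battery staple"}  # constructed account
TOTP_SECRET = b"constructed-totp-seed"             # constructed; shared by phone app and bank
PASSKEY_SECRET = b"constructed-passkey-key"        # stand-in for the passkey key pair


def totp(secret, now, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def passkey_sign(client_data_json):
    """The authenticator signs the client data. Real passkeys use ECDSA; HMAC stands in."""
    return hmac.new(PASSKEY_SECRET, client_data_json.encode(), hashlib.sha256).hexdigest()


def browser_get_assertion(page_origin, challenge):
    """What the browser does for navigator.credentials.get(): it writes the origin
    of the page that asked into the signed data. The page cannot change this."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin})
    return {"clientDataJSON": client_data, "signature": passkey_sign(client_data)}


class Bank:
    """The real site. Either login path returns a session token on success."""

    def __init__(self):
        self.sessions = {}                       # token -> user
        self.challenge = secrets.token_hex(16)   # sent to whoever is logging in

    def _issue(self, user):
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def login_totp(self, user, password, code, now):
        if USERS.get(user) != password or not hmac.compare_digest(code, totp(TOTP_SECRET, now)):
            return None
        return self._issue(user)

    def login_passkey(self, user, password, assertion):
        if USERS.get(user) != password:
            return None
        data = json.loads(assertion["clientDataJSON"])
        if data["challenge"] != self.challenge or data["origin"] != BANK_ORIGIN:
            return None                          # signed for some other site
        expected = passkey_sign(assertion["clientDataJSON"])
        if not hmac.compare_digest(assertion["signature"], expected):
            return None
        return self._issue(user)


class RelaySite:
    """The phony site: forwards whatever the victim submits to the real bank and
    keeps any session token the bank hands back. The victim just sees 'logged in'."""

    def __init__(self, bank):
        self.bank = bank
        self.stolen_tokens = []

    def _forward(self, token):
        if token:
            self.stolen_tokens.append(token)
        return token is not None

    def submit_totp(self, user, password, code, now):
        return self._forward(self.bank.login_totp(user, password, code, now))

    def submit_passkey(self, user, password, assertion):
        return self._forward(self.bank.login_passkey(user, password, assertion))


def phish_totp_login(now=1_700_000_000):
    """Victim types password and the 6-digit code from the phone into the phony page."""
    bank = Bank()
    relay = RelaySite(bank)
    code = totp(TOTP_SECRET, now)
    ok = relay.submit_totp("alice", USERS["alice"], code, now)
    return ok, [bank.sessions[t] for t in relay.stolen_tokens]


def phish_passkey_login():
    """Same victim and password, but a passkey instead of a code. The relay passes
    the bank's challenge along, yet the browser records the relay's origin."""
    bank = Bank()
    relay = RelaySite(bank)
    assertion = browser_get_assertion(PHISH_ORIGIN, bank.challenge)
    ok = relay.submit_passkey("alice", USERS["alice"], assertion)
    return ok, relay.stolen_tokens


def genuine_passkey_login():
    """Control case: the same passkey flow straight at the real site works."""
    bank = Bank()
    assertion = browser_get_assertion(BANK_ORIGIN, bank.challenge)
    return bank.login_passkey("alice", USERS["alice"], assertion) is not None
```

Calling phish_totp_login() returns (True, ["alice"]): the victim saw a successful login and the relay now holds a session for alice. phish_passkey_login() returns (False, []) even though the relay forwarded the bank's own challenge, because the origin field says bank-example-secure.net. The code check is on the victim's phone; the origin check is in the browser and the bank, where the con man cannot reach it.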

How to protect yourself

Here are three ways to protect yourself. Notice that "Be vigilant and careful" is not on the list. The problems with the general "Be smart" command are twofold.

  1. We cannot always be smart. We get tired or careless occasionally.
  2. The hucksters can fail 1,000 times, but we cannot fail even once. A single mistake against professional con men, and we are compromised.

It is a good idea to "be vigilant and careful," but it is not enough.

1. Never click on a link in an email from a bank, credit card, or other site you sign into.

This is the best rule you can follow. When the bank emails you asking you to check your new credit rating, or the credit card company says your new statement is ready, do not click on the link! Open the site the way you always do (see rule 2) and look there instead.

The con men can make their email look exactly like a real one, and the address behind a link can be dressed up to pass a quick glance. Even the advice to hover over a link and read where it really goes depends on you not being fooled or making a mistake. Do not create situations where a mistake is costly if you don't need to.
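The "hover and read the address" check can be done by a program instead of by eye. The script below is an added illustration, not code from the original article: it pulls every link out of an HTML email and flags two things, a link whose visible text shows one address while the link actually goes to another, and a link that goes anywhere other than the sender's own domain. The email and the domains (firstbank.example and the rest) are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "firstbank.example"   # assumed: the bank you actually have an account with

SAMPLE_EMAIL = """
<p>Your new statement is ready.</p>
<p><a href="https://firstbank.example.statements-view.net/login">https://www.firstbank.example/statements</a></p>
<p>Trouble viewing? <a href="http://198.51.100.7/fb">Open statement</a></p>
<p><a href="https://www.firstbank.example/help">Help center</a></p>
"""   # constructed phishing email: two bad links, one genuine

# visible link text that looks like a web address (optional scheme, dotted host, optional path)
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(address):
    """Hostname of a URL or bare domain, lowercased ('' if there is none)."""
    if "://" not in address:
        address = "https://" + address
    return (urlsplit(address).hostname or "").lower()


def belongs_to(host, domain):
    """True for the domain itself and any subdomain of it, nothing else."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domain=TRUSTED_DOMAIN):
    """Return (href, reason) for every link a careful hover would reject."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        if URL_LIKE.match(text) and host_of(text) != real_host:
            findings.append((href, "shown as %s, actually goes to %s" % (host_of(text), real_host)))
        elif not belongs_to(real_host, trusted_domain):
            findings.append((href, "goes outside %s: %s" % (trusted_domain, real_host)))
    return findings
```

Run against SAMPLE_EMAIL it reports the first link (text says www.firstbank.example, link goes to firstbank.example.statements-view.net) and the second (a bare IP address), and passes the help link. Note what the first finding relies on: the phony host starts with the real name and only differs after it, which is exactly the detail an eye skims past, and why the rule in this section is to not click at all.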

2. Use a password manager and go to the site from the password manager.

Go to your password manager and open the website from the address saved in that entry. This way you know you are going to the correct place, because you are using an address you saved earlier, not one that arrived in an email.

Why not use the bookmark in your browser? That works fine, too. It will get you to the correct site; you'll then still need your password manager to log into it.

3. Don't use your browser to handle your passwords

You can let the browser manage your passwords. It is better than a piece of paper on your desk but less than half as good as a real password manager. Their built-in generators are basic next to a dedicated manager's, and their storage is weak unless you set a primary password. Firefox, for example, keeps your logins in two files in the profile folder (logins.json and key4.db) that together hold the encryption key and the passwords; without a primary password, anyone who can copy those two files can read every saved password. I've used it to move all the passwords from one computer to another for a client. It could be used for nefarious purposes as well.

A strong random password generator is the feature that matters most. Do not create the password on the website and expect the browser to copy it into its store; that step can fail, and then you are locked out with a password you never saw. Always create the username and password in your password manager first and then copy them into the new website.

Always use long, unique, random passwords for websites. Don't use things you can remember. The one password you must remember is the master password to the manager itself; make it long and keep it to yourself. Have your password manager on your desktop, tablet, and phone. Live with the inconvenience.

Two Password Managers I Recommend

The two password managers I recommend are KeePass and Bitwarden. KeePass does an excellent job handling your passwords on your computer. It is less good, however, at keeping your phone, tablet, laptop, and tower all synced up. If you just need a password database on one computer, it is excellent, and it has the advantage that the database is only on your computer and nowhere else.

However, if you want to keep multiple devices in sync, Bitwarden is better. It stores the encrypted vault in the cloud, and your devices fetch it from there. The important thing is to be certain you have an excellent master password for Bitwarden. Encryption and decryption happen on your device, so no one at Bitwarden can access your key or your data. The code is open source and regularly audited, so many fine programmers check it. It is solid if you have a strong password. But remember, they can't help you if you forget it.

An extra benefit

A password manager that fills logins through a browser extension, such as Bitwarden's, matches the saved address against the address of the page actually in front of you. On the phony site the addresses do not match, so it offers no login, and that missing autofill is itself your warning. This only protects you if you let the manager fill the login; if you copy the password out by hand and paste it into the phony site, the check is bypassed.
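How that matching decision works, as an added illustration; this is not Bitwarden's or KeePass's own code. It implements the usual "base domain" rule in simplified form: the saved address and the current address must share the same registrable domain, the label directly below a public suffix. The public-suffix table here is a constructed subset (real managers use the full Public Suffix List), and the vault entries and addresses are hypothetical. The last case shows a look-alike name with a Cyrillic letter, which the code converts to its xn-- form so it cannot pass as the real one.

```python
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "example"}  # constructed subset

VAULT = [  # constructed vault entries
    {"name": "First Bank", "url": "https://online.firstbank.example/login", "user": "alice"},
    {"name": "Card Co", "url": "https://www.cardco.co.uk/signin", "user": "alice"},
]


def registrable_domain(url):
    """'https://online.firstbank.example/x' -> 'firstbank.example'; None if unusable."""
    host = urlsplit(url).hostname
    if not host:
        return None
    # Punycode-encode so a look-alike letter from another alphabet shows up
    # as an xn-- label instead of passing as the real name.
    host = host.rstrip(".").encode("idna").decode("ascii").lower()
    labels = host.split(".")
    # Checking from the full host downward means the longest public suffix
    # wins, so 'co.uk' is found before 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None   # unknown suffix: offer nothing rather than guess


def logins_for(current_url, vault=VAULT):
    """Names of the vault entries the manager would offer on the page at current_url."""
    here = registrable_domain(current_url)
    if here is None:
        return []
    return [e["name"] for e in vault if registrable_domain(e["url"]) == here]


def demo():
    """Constructed pages a victim might land on, with what would be offered."""
    pages = [
        "https://online.firstbank.example/accounts",               # real site
        "https://firstbank.example/",                              # real site, no subdomain
        "https://online.firstbank.example.secure-login.net/login", # real name as a prefix
        "https://online-firstbank.example/login",                  # hyphen instead of dot
        "https://online.firstbank.example@secure-login.net/login", # real name as userinfo
        "https://firstb\u0430nk.example/",                         # Cyrillic 'a'
    ]
    return {url: logins_for(url) for url in pages}
```

Only the first two pages get the First Bank entry; the four look-alikes get nothing. Note the @ case: the part before @ in a URL is a username, not the host, so the browser is really at secure-login.net and the manager says so.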




Date: September 2025


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
