How to reduce criminals spying on you

October 3, 2018 — April 9, 2020

computers are awful

Being aware of how people try to get your confidential data and how to avoid it.

Base level.

0.1 Passwords

Do you recycle passwords? You are a danger to yourself to your loved ones and to your colleagues. someone probably has your password, can impersonate you and can use that to trick your friends. You are wilfully spreading crime, mayhem and confusiong. Fix this problem using a password manager, which is easy simple and, unless you have specialised needs, free.

1 General hardening of your computers

Minimising exposure to viruses, malware and foolishness is a starting point. See various guides to that. macOS by drduh, various UK NCSC guides, e.g ubuntu.

2 phishing

How do people get your info? The easiest way for them is to ask you, in a clever way. This is phishing and being aware of how it works is essential, because our systems are broken and this nonsense is much easier for the baddies than it should be.

What kind of idiot gets phished?

Phia wonders what kind of person falls for phishing attacks. Is it only insanely gullible luddites, or can smart, tech savvy people get phished, too? To find out, she conducts an experiment on her poor, unsuspecting coworkers.

Spoiler: Everyone is vulnerable to this nonsense.

Level up: Look at how this is done by the pros:


Gophish is a phishing framework that makes the simulation of real-world phishing attacks dead-simple. The idea behind gophish is simple — make industry-grade phishing training available to everyone.


Evilginx is an attack framework for setting up phishing pages. Instead of serving templates of sign-in pages lookalikes, Evilginx becomes a relay between the real website and the phished user. Phished user interacts with the real website, while Evilginx captures all the data being transmitted between the two parties.

Evilginx, being the man-in-the-middle, captures not only usernames and passwords, but also captures authentication tokens sent as cookies.[…]

Even if phished user has 2FA enabled, the attacker, outfitted with just a domain and a VPS server, is able to remotely take over his/her account. It doesn’t matter if 2FA is using SMS codes, mobile authenticator app or recovery keys.