  • 2FA (Two-factor Authentication)
    Two-factor authentication. An authentication process in which the user who is authenticating must provide more than one type of evidence (factor) to verify their identity. For example, after entering a username and password (one factor), they are prompted for a code (second factor) received via email or text message. A form of MFA that uses exactly two factors.
  • Account
    Online profile associated with a username that allows a user to conduct transactions and a service provider (e.g., a streaming service or online retailer) to manage that user’s experience. For example, you may have an online bank account, an account at a retailer like Amazon, an account at a streaming provider like Netflix, and so on.
  • Actor, bad actor, criminal actor
    The person or entity doing an action or activity. In computing, “actor” is used because it can represent an unknown person (a criminal actor), an organization, or a computer process. In cybersecurity, the term is often used interchangeably with miscreant, criminal, and fraudster.
  • API (Application Programming Interface)
    Application Programming Interface. A way for computer programs or software components to communicate with each other. It is a type of software interface, offering services to other software. Modern APIs adhere to specific standards (typically HTTP and REST), which enable APIs to be developer-friendly, self-described, easily accessible, and understood broadly. For example, myNetWatchman offers an API so our clients can augment customer login to check for compromised credentials with a quick and easy API query to our repository of billions of compromised credentials.
  • ATO (Account Takeover)
    Account Takeover. Unauthorized access to a legitimate account. A type or category of fraud in which a bad actor is able to successfully authenticate to or access a legitimate account, regardless of whether the bad actor does any activity in the account.
  • Authenticate, Authenticating, Authentication, Authentication credential(s)
    The action of validating that a user has the rights or permission to access an account (or a requested resource). When you sign in to online banking, you are using your authentication credentials (likely a username and password) in the authentication process.
  • BEC (Business Email Compromise)
    Business Email Compromise. A type of social engineering attack where the criminal poses as a business contact, such as a CEO, lawyer, or vendor, and tricks an employee into taking actions such as wiring funds for false invoices or providing sensitive employee information. The criminal typically uses a "spoofed" email address which mimics a real business email address.
  • Bot, shortened from Robot
    Derived from “robot.” A program on the internet or another network that can interact with systems or users. Bots are autonomous, meaning they run without a human user having to start them or interact with them while they’re running. Cybersecurity is typically concerned with malicious bots that scrape content, spread malware or spam, or carry out credential stuffing attacks.
  • Breach
    Exposure of information or data that is meant to be confidential. “The company had a data breach and all their customer information was exposed.”
  • Brute force attack
    A type of cyberattack that uses trial and error to guess passwords or login credentials. Bad actors typically use automated software (e.g., bots) to attempt as many guesses as possible in order to gain access to an account. The attackers may know the username and use brute force techniques to guess the associated password, including dictionary words or variations of common passwords, such as “password123”. The success rate is typically much lower than that of a credential stuffing attack, where bad actors use credentials from a data breach at one company to attempt to log in to another company’s service.
  • Card generator
    Software tool or program that generates random card numbers, using the Luhn algorithm to follow the correct format for credit card numbers. Fraudsters use card generators to obtain cards that can be tested on sites that accept payments, hoping to find active credit cards.
  • Compromise, compromised
    To be at risk, or to put something at risk of misuse. Usually means that a bad actor is attempting to obtain (or has already obtained) some otherwise confidential information. “Your online banking credentials were compromised, and now a bad actor has access to your bank account.” Also used synonymously with ATO, as in “My account was compromised,” meaning my legitimate account was accessed by an unauthorized party.
  • Cracking, hacking
    Attempting to access computer systems without authorization. This action is done with malicious intent for personal gain or simply to destroy data. Crackers look for backdoors in programs and systems that can be exploited. Often used interchangeably with hacking, though not technically identical.
  • Credential, cred, credential pair
    That which is used for verification or validation. A username and password is a credential or credential pair when intended for use to log in to a website. A Social Security number is also a credential when it is used for verification of someone’s identity.
  • Credential stuffing
    A type of cyberattack in which username and password pairs (“credentials”) obtained from one source are attempted against other sites and systems. Criminals use bots or scripts to automatically try logging in to various sites with large numbers of credentials, “stuffing” the target site with numerous login attempts in a short time. Their goal is to discover which credentials are valid (successful).
  • Dark web
    An area of the internet that is only accessible through encrypted networks such as Tor ("The Onion Routing" project) and is not indexed (searchable) by search engines. The dark web provides anonymity and is a haven for criminals to buy and sell personal data, malware kits, access to companies’ networks, and more.
  • EAC (Email Account Compromise)
    Email Account Compromise. A cyber attack where a criminal gains access to a legitimate email account through techniques such as credential stuffing, phishing, or malware. The criminal can then profile the victim using information obtained from contacts and emails and can send emails posing as the victim to commit fraud against other contacts. The criminal can also manipulate the account by changing forwarding rules or permissions. EAC is similar to BEC, but the difference is that the miscreant has access to the email account whereas for BEC, the miscreant is spoofing the email address.
  • Factor
    In cybersecurity, factors (as used in two-factor authentication or multi-factor authentication) are (1) something you know (e.g., a password or personal identification number); (2) something you have (e.g., a cryptographic identification device or token); and (3) something you are (e.g., a biometric).
  • Fraudster, fraud actor
    Person who has, attempts, or intends to commit fraud. Similar to bad actor and miscreant, but includes that the fraudster’s goal is to commit fraud, while other bad actors may have different types of activities, e.g. distributing malware, as their goal.
  • Hacking, cracking
    The act of exploiting weaknesses in a computer system or network to gain unauthorized access. While hacking can be used for ethical purposes, such as identifying vulnerabilities in a system, it is mainly considered a malicious act. Types of hacking include credential stuffing, phishing, malware, and DDoS attacks. Often used interchangeably with cracking, though not technically identical.
  • Hash, hash and salt
    In cryptography, hashing and salting are security practices that are often used to improve the security of stored passwords. Hashing (creating a hash) converts data of any length into a fixed-size string of characters; the same input always produces the same hash, and different inputs almost never produce the same hash. A hash cannot be reversed to reveal the password, but an attacker can guess candidate passwords, hash each guess, and compare the result to the stored hash (brute force), often using precomputed tables of hashes for common passwords. Salting adds a random value, stored alongside the hash, to the password before hashing, so that the same password yields different hashes for different users and precomputed tables no longer apply. This makes the password much more difficult to determine.
  • Malware, malicious software
    Short for malicious software. Any program or file that is designed to damage or exploit a device or system. Examples include viruses, spyware, adware, and ransomware.
  • MFA (Multi-Factor Authentication)
    Multi-Factor Authentication. An authentication process in which the user needs to provide more than one type of evidence to verify their identity. Banking sites use MFA which could include your device fingerprint, location, and a verification code. Similar to 2FA, but not limited to two factors.
  • Miscreant
    Criminal, bad actor, fraudster.
  • MSSP
    Managed Security Service Provider. A third-party company that offers businesses outsourced security services to help improve their cybersecurity. A subset of MSP (Managed Service Provider) – an umbrella term referring to outsourced IT services. MSPs can offer different IT services like infrastructure management, technical support, hardware & software management, as well as cybersecurity.
  • Mule account
    A bank account that is used by criminals to receive and transfer funds illegally. The account may be opened using a synthetic identity or a mule’s personal information. The “mule” acts as the intermediary to help shield the criminal from law enforcement.
  • OTP (One Time Password)
    One-time password. A password that is valid for a single use. An OTP is often used as a second step of authentication. For example, a code sent to a user’s phone as part of 2FA is a one-time password. Also referred to as a verification code.
  • Password hygiene
    The concept of following best practices for managing passwords, e.g., change them regularly, use strong passwords, do not reuse passwords, etc.
  • Phishing, smishing, vishing
    A type of scam in which the miscreant attempts to trick the victim into disclosing confidential information, e.g., by typing it into a fake website. Phishing is a form of social engineering, using manipulation and deception to get the victim to do what the attacker wants, whether that be clicking a link, downloading malicious files, or giving away information. Phishing can be an umbrella term for subtypes like email phishing, spear phishing (personalized phishing targeting specific people), smishing (phishing via text or SMS), vishing (voice phishing / phishing via phone), and whaling (phishing targeting high ranking people in an organization).
  • Pig Butchering
    An investment scam where victims are gradually lured into making increasing contributions, usually in the form of cryptocurrency, to a fraudulent cryptocurrency scheme. The term "pig butchering" comes from the analogy of fattening a pig before slaughtering it, referring to the scammers' technique of building trust with victims over time before defrauding them.
  • PII (Personally Identifiable Information)
    Personally Identifiable Information. Any information that can be used to identify a specific individual. Examples include name and Social Security number.
  • Ransomware
    A type of malicious software (malware) that blocks access to the victim’s data or systems, or threatens to disclose confidential information unless a “ransom” is paid to the miscreant.
  • Social Engineering
    The act of manipulating people so they give up confidential information that is of value to criminals, such as bank information, passwords, or other personal information. Phishing is an example of social engineering.
  • Spear Phishing
    An advanced form of phishing where the attacker targets a specific individual or organization. The messages are crafted to appear to come from a sender known to the recipient. Spear phishers research their victims through social media and other online sources to create a more convincing scam.
  • Static credential(s)
    Credentials that don’t change. Often used in computing as credentials for databases or similar systems so that development teams or automated processes can use the credentials without the disruption of changing them. Also can refer to consumer credentials when the consumer fails to change their passwords. Different from transient / dynamic credentials that change regularly, e.g., a rotating code in an authenticator application.
  • Step-up authentication
    The practice of requiring additional levels of authentication as users progress to higher-risk categories. For example, if a call to AllCreds shows that a user’s credentials are compromised at login, companies can use step-up authentication to direct the user to a second form of authentication, such as a token code or an emailed code.
  • Synthetic email
    An email address usually created by a miscreant for the purpose of setting up fake accounts. Often created by script or automation with a pattern, e.g., incrementing numbers. Different from a legitimate address created by an individual for personal use.
  • Synthetic identity
    An identity created by a combination of real and fake personal information. For example, a stolen social security number can be combined with a fake name and address to create a new identity. Fraudsters often use synthetic identities to commit financial fraud such as applying for loans, submitting tax returns, or setting up mule accounts to launder money.
  • Transient credential(s)
    Credentials that change over time. Often used in addition to static credentials as an additional level of authentication, e.g., during step-up authentication or 2FA. Examples: one-time passwords, session tokens, etc.
  • UserID
    Half of a credential pair used for authentication. The other half is the password. Usually synonymous with username.
  • Username
    Half of a credential pair used for authentication. The other half is the password. Usually synonymous with userID.
  • Valid (credential), validity
    A valid credential successfully authenticates to the requested resource. Credential stuffers test credentials taken from one resource against others because credential reuse is so common. Validity is the percentage of attempted credentials that turn out to be valid. Most credential stuffing attacks achieve a validity rate of 1% or less.
  • Vishing (Voice phishing)
    Short for voice phishing. A type of phishing attack where scammers use phone calls (voice) to trick people into revealing sensitive information. Scammers may impersonate agents from the IRS, a bank, or a utility company with the goal of tricking the victim into wiring money or providing bank account details.
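The following Python example, added here and not part of the glossary or of myNetWatchman’s own code, illustrates the Hash, hash and salt entry above: two users who chose the same password get identical unsalted hashes (so a precomputed table matches both), but different salted hashes, and a verify step recomputes the hash with the stored salt. The sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2 work factor (assumption for this example); raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical hashes,
    so one precomputed table of common-password hashes matches every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. A fresh random salt is drawn per password and must be
    stored next to the digest; the salt is not secret, it only needs to be unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def demo() -> dict:
    # Constructed scenario: two different users picked the same weak password.
    pw = "password123"
    unsalted_a = hash_unsalted(pw)
    unsalted_b = hash_unsalted(pw)
    salt_a, digest_a = hash_salted(pw)
    salt_b, digest_b = hash_salted(pw)
    return {
        "unsalted_match": unsalted_a == unsalted_b,            # True: table lookup works
        "salted_match": digest_a == digest_b,                  # False: salts differ
        "verify_ok": verify(pw, salt_a, digest_a),             # True: correct password
        "verify_wrong": verify("Password123", salt_a, digest_a),  # False: wrong password
    }


if __name__ == "__main__":
    print(demo())
```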