Monday, September 12, 2016

Another Email, Another Victim

Almost every week I get an email from someone I know, and it's pretty clear their email account has been hacked. How does this happen to intelligent people? It happens all the time and in a variety of ways, but one of the most frequent is the phishing scam. Here are a few attempts that came through my inbox this week and prompted this post. Take a moment to read them; hopefully the next time you receive one of these (and you will), you'll be smarter about it.

You receive an email from your bank, Google, Apple, or another company you do business with. Although logic tells you there's no good reason for them to be contacting you, you read on. Almost all of these emails show a few, if not all, of these flags:

  1. Action required.
  2. You are asked to log in.
  3. Look for grammatical mistakes in the email.
  4. Check the link, but NOT BY CLICKING ON IT.
  5. Even if you do click on the link, it's usually not the end of the world. The damage is usually done only when you enter your logon credentials; those are what the scammer is after.
  6. Even if you see the name of the bank or legitimate site in the URL, that does not mean it is legitimate.
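Flags 4 and 6 come down to one question: which domain name did the sender actually have to register? The following Python check is an added example (mine, not the post's) that extracts that registrable domain and warns when a brand name appears elsewhere in the link; the sample links, the `.test` domain and the tiny suffix table are constructed for illustration.

```python
from urllib.parse import urlparse

# Suffixes under which the registrable domain needs three labels.
# Constructed short list for this example; a real check uses the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname someone actually had to register.

    Everything to the left of it is a subdomain the registrant can name
    freely, which is how a bank's name ends up inside a lookalike host.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_warnings(url: str, real_domain: str) -> list:
    """Compare where a link really goes with the site the email claims to be.

    real_domain is the registrable domain of the genuine site, e.g.
    "bankofamerica.com". Returns human-readable warnings; an empty list
    means the link points at that domain over HTTPS.
    """
    parsed = urlparse(url)
    # .hostname drops any "user@" prefix, so "bank.example@evil.test" resolves to evil.test.
    host = parsed.hostname or ""
    brand = real_domain.split(".")[0]
    warnings = []
    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parsed.scheme!r}")
    if not host:
        warnings.append("link has no hostname")
    elif registrable_domain(host) != real_domain:
        warnings.append(f"link really goes to {registrable_domain(host)!r}, not {real_domain!r}")
        # The brand shows up in the URL, but not as the registered domain: flag 6 above.
        if brand in parsed.netloc.lower() or brand in parsed.path.lower():
            warnings.append(f"{brand!r} appears in the URL only as decoration")
    if parsed.scheme == "http":
        warnings.append("plain http: genuine login pages use https")
    return warnings


if __name__ == "__main__":
    # Constructed sample links; the .test domain is reserved and never resolves.
    for link in ("https://www.bankofamerica.com/login",
                 "https://www.bankofamerica.com.secure-login.test/verify",
                 "http://secure-login.test/bankofamerica/verify",
                 "https://www.bankofamerica.com@secure-login.test/"):
        print(link, "->", link_warnings(link, "bankofamerica.com") or ["looks consistent"])
```

Only the first sample link passes; the other three put the bank's name in a subdomain, in the path, or in front of an `@`, and none of them is registered to the bank.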
Below is one email I received from a not-real "Bank of America." The next graphic is an email I found in my SPAM folder; it is from a not-real "Apple Store." It is exactly the same.

Now that you know how important it is not to fall for these scams, it is also important for you to use different passwords for different sites. Here's why it's important.

Let's say I'm a scammer and I send you a phishing email, made to look like it comes from Google, telling you your Google email account has had a suspicious login attempt and your account will be frozen unless you log in and confirm your identity within the next 24 hours... and I provide you a convenient link to do so. When you click the link, you go to a page that looks just like the Google login page (easy enough to create) and you enter your Google username and password. Once you do, you realize you were not on the real Google site, but you aren't sure what to do, so you take a few minutes to figure it out. You even go get a cup of coffee while you search for how to change your password in Google. While you enjoy your latte, I've got your username and password for Google Mail. I also now have access to your address book, so I'm sending all your friends phishing emails that look like they are coming from you. Because they trust you, most are opening the emails. Now, since I'm really smart, I don't need to do all this myself at a computer; instead I've programmed software to take your username and password and start trying to log in to sites like Apple, banks, Amazon, Walmart, Starbucks, Sears, etc., because I know you are using that same username and password on other sites. By now, you've probably changed your Google password. Good job! But what about all those other sites that I've probably already hit? I do this with hundreds of thousands of users, and I only need to hit the jackpot a handful of times.

Don't be a victim.

  1. Understand how to identify phishing emails.
  2. Use complex passwords (P@$$w0rds @r3 e@sy 2 Cr3@t3 1F yu0 u2e PhR@s3$)
  3. Enable 2-step authentication ("Send me a text message with a unique code any time I try to log in").
  4. Use a password manager like to securely store all your passwords. You can access it on your phone or from any computer.
