Last night I received an email from Google with the subject "Resolve 1 security issue found on your Google account." Many Gmail users have received a similar email over the past week. I was immediately skeptical, as the email had all of the aspects of a classic phishing scam: urgency, a link to a login page, vague yet alarming.
In other words, the email is designed to get us to click. Google ran months of tests and determined that this specific alert had the best engagement and the highest click rates, so it is not surprising that this email resembled a phishing scam. Fortunately, this email from Google is legitimate and I have resolved the security issues related to my Google account.
It could have been something worse: a phishing attack. Phishing is a mass-broadcast message, usually an email, used to steal user data such as login credentials and credit card numbers. The attacker, masquerading as a trusted entity, tricks the victim into opening the message and clicking a malicious link or attachment, which can lead to malware being installed or to sensitive information being typed into a fake login page.
Armed with your personal information, attackers can make unauthorized purchases on your credit cards, transfer your online account balances to themselves, or steal your identity outright. There are many examples of high-profile phishing attacks, but perhaps the biggest cautionary tale is FACC, an Austrian manufacturer of aircraft parts. In 2016 an employee in its finance department acted on an email that impersonated CEO Walter Stephan and called for a "secret transaction"; the company lost about $57 million, and Stephan was fired. This targeted variant, in which the attacker poses as an executive to authorize a wire transfer, is often called CEO fraud or business email compromise.
Most of us know not to click on the more obvious phishing scams, such as emails from a Nigerian prince. The problem is that sophisticated phishing attacks are designed to mimic actual emails from real organizations and use the same phrasing, fonts, logos, and signatures as the genuine messages, so they look real.
Here are some basic strategies for detecting phishing attacks and protecting yourself against them.
- Be skeptical: Be wary of any email that creates a false sense of urgency. Ask whether there is a reason you should be receiving it. If you are unsure, contact the sender through a channel you already trust (a phone number or address from their website or your own records, not one taken from the email itself) to confirm that they sent it.
- Check where the link really goes: Never click a link in a suspicious email, and do not copy and paste it into a browser either, since that loads exactly the page clicking would. Instead, hover over the link (or long-press it on a phone) to see the actual destination, and read the domain carefully. Fraudulent sites use look-alike spellings, extra subdomains (a link to accounts.google.com.example.net lands on example.net, not google.com), and characters from other alphabets that render like Latin letters. If you need to act on the message, type the organization's address yourself or use a bookmark. Note that "https" only means the connection is encrypted, not that the site is genuine; phishing sites routinely use it too.
- Use two-factor authentication: Most sites offer two-factor authentication (2FA), in which a second proof, commonly a code from an authenticator app, a text message, or an email, is required before you can log in. With 2FA, a username and password alone are insufficient to gain entry. 2FA can be a bit cumbersome, especially when you are in a hurry, but the added security is well worth the small hassle. One caveat: a code you type in can itself be phished, because a fake login page can ask for it and relay it to the real site within seconds. Prefer an authenticator app over SMS, and use a hardware security key where the site supports one, since a key only answers the genuine site.
- Use a password manager: Using the same password for all of your logins leaves you exposed to credential reuse. For example, an attacker who obtains the password for your fantasy football league can try that same password against your online banking. Similarly, simple passwords (names, birthdays, phone numbers, etc.) are easy to guess. A password manager such as LastPass that creates a unique, random password for every site limits the damage of any one breach, and it gives you a phishing check for free: the manager will only autofill a password on the domain it was saved for, so if it stays silent on a login page, look hard at the address bar.
- Use antivirus software: There are many options on the market; McAfee is one of the best known. The few dollars spent upfront can save you thousands in the long run. Keep in mind what it does and does not cover: antivirus can catch malware delivered by a phishing email, but it cannot tell that you have typed your password into a fake login page, so it complements the habits above rather than replacing them.
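The link checks described in the list above, worked through in Python as an added example that is not part of the original post. It goes a little beyond the bullet: besides misspelled domains it catches the extra-subdomain trick, a "user@host" prefix that makes the real host look like part of the address, a non-https scheme, and hosts written with characters from another alphabet. All the addresses are constructed for this example (alert-verify.example and the look-alike google variants are hypothetical), and the two-label rule for the registrable domain is a simplification noted in the code.

```python
from urllib.parse import urlsplit

# Constructed sample links for this example (hypothetical addresses, not from
# the original post). Each entry is (text shown to the reader, actual href,
# registrable domain the reader expects to land on).
SAMPLE_LINKS = [
    ("https://myaccount.google.com/security", "https://myaccount.google.com/security", "google.com"),
    ("https://myaccount.google.com/security", "http://myaccount.google.com.alert-verify.example/security", "google.com"),
    ("https://myaccount.google.com", "https://myaccount.google.com@alert-verify.example/", "google.com"),
    ("Review your account", "https://myaccount.goog1e.com/", "google.com"),
    ("Review your account", "https://myaccount.g\u043eogle.com/", "google.com"),  # Cyrillic 'о'
]

# Digits that look-alike domains commonly swap in for letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Return the last two labels of a host (example.com for a.b.example.com).

    Assumption made for this example: a production check would consult the
    Public Suffix List so that suffixes such as co.uk are handled correctly.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(shown, href, expected_domain):
    """Return the reasons to distrust href; an empty list means none were found."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""  # .hostname drops userinfo and port and lowercases

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # In https://google.com@evil.example/ everything before '@' is userinfo;
        # the browser connects to the part after it.
        findings.append(f"userinfo '{parts.username}' precedes the real host '{host}'")
    if not host.isascii():
        findings.append("non-ASCII host; as punycode: " + host.encode("idna").decode("ascii"))

    domain = registrable_domain(host)
    if domain != expected_domain:
        if domain.translate(CONFUSABLES) == expected_domain:
            findings.append(f"look-alike domain '{domain}' (digits substituted for letters)")
        else:
            findings.append(f"registrable domain is '{domain}', expected '{expected_domain}'")

    # When the link text is itself a URL, its host must match the real destination.
    shown_host = urlsplit(shown).hostname if "://" in shown else None
    if shown_host and shown_host != host:
        findings.append(f"link text shows '{shown_host}' but the href goes to '{host}'")
    return findings


def audit(links=SAMPLE_LINKS):
    """Check every sample link; returns {href: findings}."""
    return {href: check_link(shown, href, expected) for shown, href, expected in links}


if __name__ == "__main__":
    for href, findings in audit().items():
        verdict = "OK" if not findings else "SUSPICIOUS"
        print(f"{verdict:10} {href}")
        for finding in findings:
            print(f"           - {finding}")
```

Only the first sample passes clean; each of the others trips at least one check, and the "user@host" sample trips three, which is the point of reading the whole address rather than the familiar-looking start of it.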