This is the phishing email used to hack the DNC’s network. (image: The Smoking Gun)
On Tuesday The New York Times published an extensive report
on this year’s cyberattacks on the Democratic National Committee’s
computer systems by hackers working with the Russian government. The
piece is well researched and worth the read. But the most jarring tidbit
from the report is how the hackers gained access to the DNC: a common
email spear-phishing scam.
According to The Times, emails were sent to members of the DNC disguised as notifications from Google’s (GOOG, GOOGL)
Gmail telling them someone had attempted to sign into their account
from Ukraine. The phony messages included instructions for recipients to
click an embedded link in order to change their passwords.
And, it worked.
Employees
clicked the links and essentially handed over the keys to their email
accounts and the DNC’s network. The saddest thing is that by following a
few basic steps, employees might have realized the phishing email was
fake and saved a lot of headaches.
But
phishing attempts are so scary because of how simple they are to pull
off. Just a quick message, a dash of social engineering and you’ve got
an international news story.
“It’s pretty amazing,” Kevin Haley,
director of product management for Symantec Security Response, told
Yahoo Finance. “When you look at those attacks, those are basically the
standard bread and butter phishing attack. Although all of the things
around it are extremely well done.”
Criminals are a bigger threat than foreign governments
Now
before you work yourself into a frenzied panic for fear that a foreign
government is lurking online hoping to crack into your email and steal
your backlog of chain letters from your uncle Ted, it’s important to
note that Google says fewer than 0.1% of users receive phishing emails
from state actors. What’s more, the company says targeted individuals
generally include “activists, journalists and policy-makers.”
If,
however, you receive a phishing email from a foreign government, Google
will provide you with a special warning alerting you to the fact.
Google will provide you with this warning if it believes your email is being attacked by a foreign government.
Unfortunately,
the sad truth about the internet is that there are still plenty of
other criminals and malicious actors who would be more than happy to set
up shop in your email account or break into your computer and hold it
for ransom. Even more likely are attacks aimed at your work email to
attack your company’s systems.
Computer security company Kaspersky Labs reports
that its anti-phishing system was triggered more than 30 million times
in Q2 2015. And that’s just on computers that use Kaspersky software.
So how can you protect yourself against similar attacks? With a little knowledge and some patience.
Staying safe
According to Haley, the biggest giveaway that the email you’re reading is a phishing attempt is if it has typos or poor grammar.
More
sophisticated attackers, though, will ensure their emails are crisp and
typo-free, so you’ll have to do a bit more investigating. Kaspersky
recommends hovering your pointer over any links in emails to preview
them for typos or inconsistencies. If it’s a phishing scheme, the link
preview will point to the wrong site. So if you get an email from Amazon
and the link points you to stealyourstuff.com, you know it’s a fraud.
Better
yet, don’t even bother with the link in your email and go to the
official website named in the message instead. In other words, if you
get a email from FedEx or Google asking you to click the link in the
message to check your account, just go to FedEx or Google’s website
instead.
And
don’t fall for messages urging you to click on any links in your email
immediately. “When you see that kind of urgency of getting you to try to
click on something that’s a big warning sign,” Haley said.
Outside
of links, you’ll also want to avoid downloading any files you’re not
expecting to receive, even if they come from family or friends. There’s
no reason for major companies to ask you to download invoices or order
forms via your email unless they’ve already told you to look out for
them. And while you might think you can trust your friend’s email,
there’s always the chance that it too has been hacked and is being used
to attack others.
Naturally,
one of the best ways to prevent a phishing attack is to install a solid
anti-virus security program on your computer. Many modern AV solutions
offer protection against spam and phishing attempts.
If,
however, you think you’ve already been the victim of a phishing scam,
the best thing to do is disconnect your computer from the internet.
Haley says this can prevent any malicious software on your system from
sending your data back to the criminals. Next, you’ll want to run your
AV program to try to remove any malware that you may have. If none of
that works, Haley suggests seeking professional help to clear out your
system.
