On Tuesday The New York Times published an extensive report on this year’s cyberattacks on the Democratic National Committee’s computer systems by hackers working with the Russian government. The piece is well researched and worth the read. But the most jarring tidbit from the report is how the hackers gained access to the DNC: a common email spear-phishing scam.
According to The Times, emails were sent to members of the DNC disguised as notifications from Google’s (GOOG, GOOGL) Gmail telling them someone had attempted to sign into their account from Ukraine. The phony messages included instructions for recipients to click an embedded link in order to change their passwords.
And, it worked.
Employees clicked the links and essentially handed over the keys to their email accounts and the DNC’s network. The saddest thing is that by following a few basic steps, employees might have realized the phishing email was fake and saved a lot of headaches.
But phishing attempts are so scary because of how simple they are to pull off. Just a quick message, a dash of social engineering and you’ve got an international news story.
“It’s pretty amazing,” Kevin Haley, director of product management for Symantec Security Response, told Yahoo Finance. “When you look at those attacks, those are basically the standard bread and butter phishing attack. Although all of the things around it are extremely well done.”
Criminals are a bigger threat than foreign governments
Now before you work yourself into a frenzied panic for fear that a foreign government is lurking online hoping to crack into your email and steal your backlog of chain letters from your uncle Ted, it’s important to note that Google says fewer than 0.1% of users receive phishing emails from state actors. What’s more, the company says targeted individuals generally include “activists, journalists and policy-makers.”
If, however, you receive a phishing email from a foreign government, Google will provide you with a special warning alerting you to the fact.
Unfortunately, the sad truth about the internet is that there are still plenty of other criminals and malicious actors who would be more than happy to set up shop in your email account or break into your computer and hold it for ransom. Even more likely are attacks aimed at your work email to attack your company’s systems.
Computer security company Kaspersky Lab reports that its anti-phishing system was triggered more than 30 million times in Q2 2015. And that’s just on computers running Kaspersky software.
So how can you protect yourself against similar attacks? With a little knowledge and some patience.
According to Haley, the biggest giveaway that an email is a phishing attempt is typos or poor grammar.
More sophisticated attackers, though, will make sure their emails are crisp and typo-free, so you’ll have to do a bit more investigating. Kaspersky recommends hovering your pointer over any link in an email to preview where it really goes: the address shown in the preview is the actual destination, whatever the visible link text says. In a phishing scheme the two won’t agree, or the destination will be a lookalike of the real site with a subtle typo in it. So if you get an email from Amazon and the link points you to stealyourstuff.com, you know it’s a fraud.
Better yet, don’t even bother with the link in your email; go to the official website yourself instead. In other words, if you get an email from FedEx or Google asking you to click the link in the message to check your account, type FedEx’s or Google’s address into your browser (or use a bookmark you saved earlier) and sign in there.
And don’t fall for messages urging you to click on any links in your email immediately. “When you see that kind of urgency of getting you to try to click on something that’s a big warning sign,” Haley said.
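Those two checks, hovering to see where a link really goes and watching for language that pushes you to act right now, can be automated. The script below is an added example written for this edit, not code from the article, Symantec or Kaspersky. Both sample emails are constructed, the domain accounts-google.example is a made-up placeholder, and the two-label domain comparison is a deliberate simplification of a proper public-suffix lookup.

```python
"""Automates the checks above: does the link go where its text says it goes, is
it on the sender's domain, and does the message push you to act immediately?
Added example; not code from the article, Symantec or Kaspersky."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled loosely on the Gmail-style lure the article
# describes; accounts-google.example is a made-up placeholder domain.
PHISH_EMAIL = """\
From: Google <no-reply@accounts.google.com>
Subject: Someone has your password
Content-Type: text/html; charset="utf-8"

<p>Someone just used your password to try to sign in to your Google Account
from Ukraine. You must change your password immediately.</p>
<p><a href="http://accounts-google.example/reset?u=staffer">https://myaccount.google.com/security</a></p>
<p><a href="https://support.google.com/accounts">Learn more</a></p>
"""

# Constructed benign counterpart: visible text and real target agree.
LEGIT_EMAIL = """\
From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<p>Review recent activity on your account when convenient.</p>
<p><a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a></p>
"""

URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended", "act now")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix
    lookup, but enough to tell google.com from accounts-google.example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(s):
    """Hostname of a URL, or of link text that looks like a URL; else None."""
    s = s.strip()
    if not re.match(r"(https?://|www\.)", s, re.IGNORECASE):
        return None
    return urlparse(s if s.lower().startswith("http") else "http://" + s).hostname


def analyze(raw_email):
    """Return what a careful reader would learn by hovering over each link."""
    msg = message_from_string(raw_email, policy=policy.default)
    sender_domain = registrable_domain(parseaddr(msg["From"])[1].split("@")[-1])
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)

    findings = {"text_vs_target": [], "off_domain": [], "urgency": []}
    for href, text in collector.links:
        target = host_of(href)
        if target is None:  # mailto:, relative or empty links are skipped here
            continue
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings["text_vs_target"].append(f"shows {shown} but goes to {target}")
        if registrable_domain(target) != sender_domain:
            findings["off_domain"].append(target)
    visible = re.sub(r"<[^>]+>", " ", html).lower()
    findings["urgency"] = [p for p in URGENCY_PHRASES if p in visible]
    # Link evidence decides; urgency on its own is a warning sign, not proof.
    findings["suspicious"] = bool(findings["text_vs_target"] or findings["off_domain"])
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(sample))
```

Run it and the constructed lure is flagged on two counts: the visible text claims myaccount.google.com while the real target is accounts-google.example, and that target is outside the sender’s domain; the word "immediately" is reported separately as a warning sign rather than as proof. The benign message produces no findings. A real mail client does the hover for you; the value of writing it out is seeing that the check is purely about the destination address, never about how polished the message looks.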
Outside of links, you’ll also want to avoid downloading any files you’re not expecting to receive, even if they come from family or friends. There’s no reason for major companies to ask you to download invoices or order forms via your email unless they’ve already told you to look out for them. And while you might think you can trust your friend’s email, there’s always the chance that it too has been hacked and is being used to attack others.
Naturally, one of the better ways to blunt a phishing attack is to install a solid anti-virus security program on your computer. Many modern AV solutions filter spam, block known phishing sites and stop malicious attachments. They can’t recognize a freshly set-up fake login page, though, so the habits above still matter.
If, however, you think you’ve already been the victim of a phishing scam, the best thing to do is disconnect your computer from the internet. Haley says this can prevent any malicious software on your system from sending your data back to the criminals. Next, you’ll want to run your AV program to try to remove any malware that you may have. If none of that works, Haley suggests seeking professional help to clear out your system. And if what you handed over was a password rather than a file, as the DNC employees did, change it right away from a device you trust, and change it anywhere else you used the same one.
Email Daniel at firstname.lastname@example.org; follow him on Twitter at @DanielHowley.