How to Outfox Hackers and Their Phishing Malware
- Dan Lautman
- February 27, 2017
You can’t trust everything in your inbox, no matter how legit an email looks.
- Last year, phishing attacks increased by 55%, while ransomware attacks increased by 400%.
- Phishing emails were responsible for more than 90% of cyberattacks.
Hackers no longer need technical chops. The automated software (‘exploit kits’) they use to spread malware via emails and websites is widely available and can be rented for as little as $500 a month.
Why hackers want to get into your association’s network
The point of phishing is to trick you into revealing sensitive information or exposing your computer (and your association’s network) to malware.
Hackers deploy malware to:
- Steal credentials to access your personal accounts and/or your association’s accounts, network, and systems—as well as any data, money, and information lying within.
- Deploy ransomware that holds a computer, network, and data hostage until an organization pays ransom to unlock their files.
- Surreptitiously hijack computers and servers to use in attacks on other
- Install a keystroke logging program that harvests sensitive information from a computer, unbeknownst to the user.
Phishing puts your personal information, computer, organization’s network, and member data at risk.
Last year, several users of the World Anti-Doping Agency’s (WADA) database were sent a phishing email that looked as if it came from WADA. The email asked recipients to click on a link to the database and enter their credentials. Someone fell for it. As a result, hackers got into the agency’s database and leaked the medical data and test results of dozens of Olympic athletes.
How hackers use phishing emails to steal credentials
We’re all on heightened alert when it comes to cybersecurity—or we should be—because the news is full of stories about security breaches. Knowing this, hackers create realistic-looking emails about supposed security threats to try to scare you into taking action. These emails are designed to look just like emails from Google, PayPal, and other service providers, complete with logo and other branding, as well as phony incident date, time, IP address, and source location.
Here are three real-life examples of phishing emails:
- A legit-looking email says your account details may have been stolen or advises you to reset your password. Beware. John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, fell for this one. He received an email supposedly from Google saying hackers had tried to access his Gmail account. He was instructed to log in and change his password. He clicked on the fraudulent link and ‘logged in’ using his Gmail username and password. The hackers got his Google credentials and access to the 60,000 emails in his Gmail inbox.
- Hackers often rely on a sense of urgency to spur you to action. GoDaddy customers were told they couldn't receive any more email because their storage had reached capacity. Their account would be suspended if they didn’t upgrade storage within 24 hours. Once again, the link led to a fraudulent login page where hackers stole credentials.
- Then there’s the familiarity approach: you receive an email from someone you know. What you don’t know is that hackers have already hijacked their account. The email includes an image that looks like an attachment from the sender’s account. When you click on the preview image, a new tab opens whose address contains “accounts.google.com” somewhere in a long string but does not actually begin with https://accounts.google.com/, and you’re prompted to log in again. If you do, hackers get your Google credentials and have access to your account too.
How you can detect a phishing email
Hackers also use phishing emails to trick you into clicking on links that lead to sites hosting malware or opening attachments that download malware.
Before clicking links or opening attachments in the emails you receive, take a moment to review the email, sender, and request.
Examine the email subject line and text for typos, awkward syntax, poor grammar, or just plain weirdness. Is the message unexpected or unusual? Is it strangely abrupt or vague in its instructions? If you’re at all suspicious, ask the sender if they really sent the email. Don’t hit ‘Reply’: a reply goes to the hijacked account, or to whatever Reply-To address the hacker set. Instead, call them.
Remember, reputable service providers like banks, cable companies, website and domain hosts, or other online platforms will never send you an email asking for your account information, username, or password. Never. What they might do is send you a link that requires you to authenticate. Beware.
Make sure the website is authentic. Look carefully at the URL. Check for typos. Is every single letter correct? Does it contain additional text? For example, you may think you’re going to delcor.com, but an address that is off by one letter, or that has delcor.com tucked inside a longer domain name, belongs to someone else.
Such addresses will not actually take you to delcor.com. Check the sender’s email address for the same type of irregularities. It could be off by just one missing or incorrect letter.
Even if the email address looks right, the ‘From’ field can be spoofed. Open the full email header (sometimes called ‘original’) and compare the address in the ‘From’ field with the ‘Return-Path’ field. Many legitimate mailing services set a different Return-Path to collect bounces, so a mismatch is a reason to look harder rather than proof of forgery; the ‘Authentication-Results’ header, which records whether the message passed the SPF, DKIM, and DMARC checks, is the more reliable signal. Your mail client may use different header terms; when in doubt, search for information on how to view headers for your specific client.
Never click on any email links asking you to log in—even if the email looks legit—unless you requested the email link, for example by clicking “forgot my password” on the company’s website. If you didn’t request the email, your antennae should immediately go up. In phishy emails, hackers will mask a URL’s true destination to trick you into revealing your credentials. Bottom line: if you didn’t request the account-related email, always go directly to the company’s website to log in.
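The address and header checks described in the steps above, written out as code. This is an added example, not code from the original article or from DelCor: delcor.com is the article’s own example domain, the sample links and the two sets of e-mail headers are constructed for the demo, and the “last two labels” shortcut for the landing domain is a stated simplification.

```python
# Added example (not from the original article): the URL and header checks
# described above, as code. Sample URLs and the e-mail headers below are
# constructed for the demo; delcor.com is the article's own example domain.
import re
from email.parser import HeaderParser
from email.utils import parseaddr
from urllib.parse import urlsplit


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-letter typos such as delcor vs. delc0r."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """The domain a link really lands on, approximated as its last two labels.
    Fine for .com-style names; country-code suffixes need a public-suffix list."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify_url(url: str, expected: str) -> str:
    """Compare the host in a link with the domain the e-mail claims it goes to.
    urlsplit() discards any user@ prefix, so 'https://delcor.com@evil.example/'
    is reported by its real host, evil.example."""
    host = (urlsplit(url).hostname or "").lower()
    expected = expected.lower()
    if host == expected or host.endswith("." + expected):
        return "genuine"
    if host.startswith("xn--") or ".xn--" in host:
        return "lookalike"      # internationalised label; may be a homoglyph of a Latin name
    if expected in host:
        return "embedded"       # e.g. delcor.com.verify.example or delcor.com-login.example
    if edit_distance(registrable(host), expected) <= 2:
        return "lookalike"      # one or two characters off
    return "unrelated"


def header_check(raw_headers: str) -> dict:
    """Compare the visible From domain with the Return-Path (where bounces go)
    and read the receiving server's DMARC verdict from Authentication-Results."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "")
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "envelope_mismatch": from_domain != rp_domain,
        "dmarc_pass": re.search(r"\bdmarc=pass\b", auth) is not None,
    }


# Constructed headers: a forged "support" message and a genuine one.
PHISH_HEADERS = """\
Return-Path: <bounce@mail-relay-0192.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail-relay-0192.example; dkim=none; dmarc=fail header.from=delcor.com
From: "DelCor Support" <support@delcor.com>
To: member@association.example
Subject: Your account will be suspended in 24 hours
"""

LEGIT_HEADERS = """\
Return-Path: <support@delcor.com>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=delcor.com; dkim=pass header.d=delcor.com; dmarc=pass header.from=delcor.com
From: "DelCor Support" <support@delcor.com>
To: member@association.example
Subject: Your password was changed
"""

if __name__ == "__main__":
    for link in ("https://www.delcor.com/login", "https://delcor.com.account-verify.example/",
                 "http://delc0r.com/", "https://delcor.com@evil.example/"):
        print(classify_url(link, "delcor.com"), link)
    print(header_check(PHISH_HEADERS))
    print(header_check(LEGIT_HEADERS))
```

A single “lookalike” or “envelope_mismatch” result is a prompt to stop and check by another channel, not a verdict; the DMARC result carries the most weight because it is computed by your own mail server, not by whoever sent the message.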
Beware the dangers of web browsing
Be careful out there. Don’t blindly trust anything online. Even Google search results have carried malicious ads (‘malvertising’). One such ad appeared at the top of the Google search results for “amazon.” Anyone who clicked on it was taken to a fake page warning them about their operating system. This particular ad was fairly benign, in that it only froze the victim’s browser and computer, but it could have been much worse.
In 2016, online ad networks unknowingly distributed malvertising to several news and entertainment websites, including the New York Times, BBC, and Newsweek. If someone clicked one of these ads, their computer was hijacked by ransomware—a good argument for installing an ad blocker on your computer.
Beware pop-ups, especially those warning you about security or software updates. Don’t click on links in a pop-up screen. Don’t copy pop-up URLs into your browser. Don’t enter sensitive information into pop-ups. Immediately close the page that produced the pop-up.
Don’t believe any web page warnings that your browser, Java, Adobe, or other software or plug-in is out of date or needs updating. Close that page immediately.
Set your web browser and other software to update automatically. Updates contain security patches, and automatic updates mean you never have to judge whether a web page’s ‘update now’ prompt is genuine. At work, your IT department should do this for you, but at home, you’re on your own.
Don’t download free tools unless you’re absolutely sure they’re from a reputable source. When in doubt, come out of the shadows and ask your IT department.
When entering sensitive data, like credit card numbers, look for the closed padlock icon and https:// in the browser’s address bar. Click on the padlock icon to verify that the ‘Issued to’ name on the certificate matches the site you meant to visit. The padlock alone only means your connection to that site is encrypted; phishing sites obtain certificates too, so the name on the certificate, and the domain in the address bar, is what tells you where you really are. If they don’t match the site you intended, you could be on a spoofed site.
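What the ‘Issued to’ check actually compares, as an added example that is not part of the original article. Python’s ssl module performs this name match itself when certificate verification is on (a mismatch raises ssl.CertificateError), so fetch_cert() is only there to show how to obtain the certificate; cert_issued_to() spells the rule out on certificate dictionaries in the shape ssl.getpeercert() returns. Both certificates below are constructed, including the one for a phishing domain that is perfectly valid and still wrong for delcor.com.

```python
# Added example (not from the original article): does the certificate a site
# presents actually name the host you meant to visit? The two certificate
# dicts are constructed in the shape ssl.getpeercert() returns.
import socket
import ssl


def fetch_cert(host: str, port: int = 443) -> dict:
    """Live check (not run in the test): connect with verification on and
    return the certificate the server presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert: dict) -> list:
    """All DNS names the certificate was issued to: subjectAltName entries
    first, then the commonName, which is what browsers show as 'Issued to'."""
    names = [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def name_matches(pattern: str, host: str) -> bool:
    """A wildcard only stands in for the whole leftmost label (RFC 6125 rule),
    so *.delcor.com covers www.delcor.com but not delcor.com or a.b.delcor.com."""
    host = host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def cert_issued_to(cert: dict, host: str) -> bool:
    """True if any name on the certificate matches the host in the address bar."""
    return any(name_matches(name, host) for name in cert_names(cert))


# Constructed: the genuine site's certificate ...
REAL_CERT = {
    "subject": ((("commonName", "delcor.com"),),),
    "subjectAltName": (("DNS", "delcor.com"), ("DNS", "*.delcor.com")),
}
# ... and a valid certificate for a lookalike domain. The padlock shows for
# both; only the name tells them apart.
PHISH_CERT = {
    "subject": ((("commonName", "delcor.com.secure-login.example"),),),
    "subjectAltName": (("DNS", "delcor.com.secure-login.example"),
                       ("DNS", "*.secure-login.example")),
}

if __name__ == "__main__":
    for cert, host in ((REAL_CERT, "www.delcor.com"), (PHISH_CERT, "delcor.com"),
                       (PHISH_CERT, "delcor.com.secure-login.example")):
        print(host, "->", cert_names(cert), cert_issued_to(cert, host))
```

The last case is the one to remember: the phishing site’s certificate is valid for the phishing site, so the check passes there. The padlock confirms you are talking privately to delcor.com.secure-login.example; only reading the name tells you that is not delcor.com.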
Be security savvy on social media
Watch out for shortened URLs on social media platforms. Use a URL preview tool to see where a shortened link really leads before you click. A shortened link from someone you follow might not seem suspicious, but malware that has taken over a Twitter account will tweet links to malware-hosting websites from it, under that person’s name.
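A minimal link-preview tool of the kind the paragraph above recommends, added here as an example rather than taken from the original article or any product. It follows a shortened link one redirect at a time with HEAD requests, never loading a page body, and stops on loops or overly long chains. The live_hop() function is the only part that touches the network; the redirect chain used to exercise expand() is constructed.

```python
# Added example (not from the original article): a small link-preview tool
# that follows a shortened URL hop by hop without loading any page body.
# The redirect chain in FAKE_SERVERS is constructed; only live_hop() is real.
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first redirect instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_hop(url: str, timeout: float = 10.0):
    """One HEAD request. Returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-preview/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:      # urllib reports an unfollowed 3xx as an error
        return err.code, err.headers.get("Location")


def expand(url: str, hop=live_hop, max_hops: int = 10) -> list:
    """Return every URL in the redirect chain, final destination last."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = hop(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)    # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("gave up after %d hops" % max_hops)


# Constructed chain standing in for real servers: shortener -> tracker -> landing page.
FAKE_SERVERS = {
    "https://short.example/3xk9": (301, "https://track.example/r?id=3xk9"),
    "https://track.example/r?id=3xk9": (302, "/landing/offer"),
    "https://track.example/landing/offer": (200, None),
}


def fake_hop(url: str):
    """Stand-in for live_hop() that answers from FAKE_SERVERS."""
    return FAKE_SERVERS.get(url, (404, None))


if __name__ == "__main__":
    for step, u in enumerate(expand("https://short.example/3xk9", hop=fake_hop)):
        print(step, u)
```

Run the final URL in the chain through the same scrutiny you would give a link in an email: the shortener and the tracker in the middle tell you nothing about where you end up.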
Check your Twitter settings occasionally to make sure only legitimate apps have permission to access your account. If anything looks phishy, revoke its access immediately and then change your Twitter password.
Practice smart security habits online
Two online habits will help you outfox hackers who phish: using two-factor authentication and a password management tool.
If you’ve ever had to enter a code sent to your mobile phone when logging in to a website, you’ve used two-factor authentication. The two ‘factors’ needed to log in are:
- Something only you know: your password (the username is not a secret)
- Something only you have: your phone, which receives or generates the code
If you aren’t using two-factor authentication, you’re in the minority. According to Pew Research, 52% of online adults use it on at least some of their accounts. Most online platforms offer two-factor authentication to their users.
For example, if you have two-factor authentication on your Google account and somebody tries to log in to your Gmail with a stolen password, they will be prompted for the code sent to the mobile phone number associated with your account. A hacker who has only your password is stopped there. The code is not unbeatable, though: a phishing page that relays whatever you type to the real login in real time can capture the code along with the password, and phone numbers themselves can sometimes be taken over. A code generated by an authenticator app is better than one sent by SMS, and a hardware security key that checks the site’s address is better still.
Password managers generate strong passwords, sync them across your devices, and autofill them when needed. They protect you from interacting with fake sites because they match on the site’s domain and only autofill your username and password on the real site, not on a fraudulent phishing site trying to pass itself off as the real thing. If your manager declines to fill what looks like a familiar login page, treat that as a warning rather than typing the password in by hand.
With a password manager, you don’t have to remember passwords, and you can stop using the same password on multiple sites. Here’s why reuse is a risky habit: once hackers get hold of one of your regular passwords, whether by guessing it or from a breach at one site, they try it everywhere else you might have used it, and every site that shares the password falls with it.
Like any habit, improving your phishing detective skills takes practice. Find out how well you can identify phishing emails by taking a phishing quiz. If you score less than perfect, keep honing your skills—the security of your personal and your association’s information, money, and data depend on it.
Phishing is a wily way for hackers to get their paws on your data, but it’s not the only one. Download our free infographic, Is Your Association Protected from Cyberattacks?, to assess other possible vulnerabilities.