The Wall Street Journal
Hackers have us figured out.
They know we're busy. We're burning through email, texts and posts about squirrels in lederhosen, too distracted to notice every little click. So they've made a racket out of fooling us into handing over valuable information. It happens faster than you can say, "No, no, no, no—what did I do?!"
Online cons are called phishing. If you're sure you already know all about them, think again. Those grammatically challenged emails from overseas "pharmacies" and Nigerian "princes" are yesterday's news. They've been replaced by techniques so insidious, they could leave any of us feeling like a sucker.
Just ask John Podesta, Hillary Clinton's campaign manager. Last spring, he got snared by an email appearing to be from Google asking him to reset his account. When he did, hackers gained access to his email archive. The rest is history.
The past year's phishing catastrophes also included employee identity theft at Snap Inc. and lost W-2 tax forms at dozens of companies. About 97% of all cyberattacks start with phishing, says Oren Falkowitz, chief executive of Area 1 Security. "It's the biggest risk anyone faces."
Still don't think it could happen to you? Try to spot a warning sign in this recent Gmail con: You get an email from someone you know with a normal-looking attachment. Clicking on the attachment opens a browser window with a normal-looking Google sign-in that shows "accounts.google.com" in the address bar. Go ahead, type your login. Congratulations, hackers now own your account.
What happened? That attachment was just a picture that launched a login window on a phishing site. The only clue was a snippet of code reading "data:text/html" in the address bar.
It's never been easier to be fooled online. That doesn't mean we're defenseless. But the old rules of how to spot and stop these attacks are no longer enough.
What They Want
"Most bad guys are working folks trying to make a buck," says Mike Hanley, senior director of security at security firm Duo. "Phishing is easy, and very profitable work."
Some phishermen try to trick you into clicking a link or attachment that installs ransomware, locking your data until you pay them. Others want to get you to type in your username and password—particularly for a corporate account—so hackers can slip in unnoticed. There's a vibrant black market for that info. A login for a big corporation starts at $50, says Alex Holden of Hold Security.
Sometimes phishers send out thousands of emails hoping to snag a few victims. The Anti-Phishing Working Group, an industry association, says 2016 broke records, with some 5,000 new phishing sites popping up every day last spring. It's a game of Whac-A-Mole: When one site gets shut down, another pops up.
Spear phishing is when phishers go after a specific person. We've made their jobs easier by publishing so much about ourselves on social networks. During tax season, phishers pose as a CEO asking HR for employee records. The brunt of the damage is felt by workers whose information gets exposed to identity theft.
How They Get You
Phishing usually happens via email, with alluring links or attached files. Lately, it's also branching out to phones, text messages, WhatsApp chats, Facebook pop-ups and search engines. I once got phished by clicking an ad that downloaded malware to my computer.
In the past, typos, odd graphics or weird email addresses gave away phishing messages, but now, it's fairly easy for evildoers to spoof an email address or copy a design perfectly.
Another old giveaway was the misfit web address at the top of your browser, along with the lack of a secure lock icon. But now, phishing campaigns sometimes run on secure websites, and confuse things with really long addresses, says James Pleger, security director at RiskIQ, which tracked 58 million phishing incidents in 2016.
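The two address-bar tricks the article describes, the "data:text/html" sign-in window and the overly long address that buries the real host, can both be caught by looking at the scheme and the host rather than at whether a familiar name appears somewhere in the string. The following Python check is an added example, not code from the article or from any company it quotes; the trusted-host set and the sample addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only host at which a genuine Google
# sign-in page should be accepted. Extend the set for other services.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def classify_address(address: str) -> str:
    """Classify an address-bar or link string.

    Returns one of:
      'trusted'   - https and the host is exactly a trusted sign-in host
      'data-uri'  - a data: URI; its content is inline HTML, so a host name
                    appearing in it is just text, not where the page came from
      'lookalike' - a trusted host name appears, but not as the actual https
                    host (a subdomain of another domain, a path segment,
                    plain http, and so on)
      'other'     - none of the above
    """
    # Strip surrounding whitespace before parsing so padding cannot hide
    # the scheme from the check.
    parts = urlsplit(address.strip())
    scheme = parts.scheme.lower()
    if scheme == "data":
        return "data-uri"
    host = (parts.hostname or "").lower()
    if scheme == "https" and host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    if any(name in address.lower() for name in TRUSTED_LOGIN_HOSTS):
        return "lookalike"
    return "other"


def flag_suspicious(addresses):
    """Return the addresses that should not receive a password."""
    return [a for a in addresses if classify_address(a) != "trusted"]


if __name__ == "__main__":
    # Constructed sample inputs modelled on the patterns described above.
    samples = [
        "https://accounts.google.com/signin/v2/identifier",
        "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
        "https://accounts.google.com.signin-help.example/login",
        "https://example.org/",
    ]
    for s in samples:
        print(f"{classify_address(s):10} {s}")
```

The point of the check is that "accounts.google.com" is only meaningful when it is the whole host of an https URL; inside a data: URI or as the left part of a longer host name it is decoration. Browser vendors have since closed the specific data: URI hole the article mentions, but the same host-versus-text distinction is what a mail or proxy filter applies to links before a user ever sees them.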
The faster you're working, the more likely you are to click. Duo sends faux phishing emails to employees to educate them. In test runs at more than a thousand companies, 26% of recipients clicked on emailed links, and 14% typed in their credentials.
Phishing is all about psychology—social engineering. "The techniques are always changing, but they're all preying on people's confidence," says Daniel Ingevaldson, the CTO of Easy Solutions, a security software company.
They exploit your sense of urgency, your desire to be responsible, or your relationships with the important people in your life.
What You Can Do
It always pays to be vigilant. If an email doesn't feel right, pick up the phone before you open an attachment or click a link. Or even better, don't click at all: If you're told to sign in to, say, Google or Verizon, type the address into a browser or open the app.
But curbing phishing is a lot like preventing auto deaths—training us to stay alert only goes so far. "Demanding perfection from people doesn't make a lot of sense. Technology can fill that gap," says Mr. Falkowitz, whose firm makes anti-phishing software.
These days, known phishing websites are blocked automatically in web browsers including Edge, Chrome, Safari and Firefox, though it can take time for them to be discovered. A relatively new internet mail standard called DMARC makes it harder for phishers to spoof email addresses, though it isn't yet widely deployed. Developers are using machine learning to cut off risky emails and websites before they reach us. And big internet companies including Google, Microsoft and Facebook automatically challenge logins that look suspicious, and ask for additional verification.
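DMARC only makes spoofing harder when the domain's record actually asks receivers to quarantine or reject mail that fails authentication; a record with p=none requests reports and blocks nothing, which is one reason the standard can be "deployed" on paper yet not protect anyone. The following Python helper is an added example, not from the article or any vendor it names; it parses a DMARC TXT record and states what the policy does, and the records shown are constructed.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a lower-cased tag -> value dict. Unknown tags are kept as-is."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_assessment(record: str) -> str:
    """Say what a DMARC record asks receivers to do with spoofed mail.

    Returns:
      'enforcing'    - p=reject or p=quarantine applied to 100% of mail
      'partial'      - p=reject/quarantine but pct < 100 (staged rollout)
      'monitor-only' - p=none: reports are requested, nothing is blocked
      'invalid'      - not a usable DMARC record
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    # RFC 7489 section 6.6.3: a record with no valid 'p' tag but a 'rua'
    # address is treated by receivers as if it said p=none.
    if not policy and "rua" in tags:
        policy = "none"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return "invalid"
    if policy in ("reject", "quarantine"):
        return "enforcing" if int(pct) == 100 else "partial"
    if policy == "none":
        return "monitor-only"
    return "invalid"


if __name__ == "__main__":
    # Constructed records: the weak setting beside the one that blocks spoofing.
    weak = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    strong = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    for rec in (weak, strong):
        print(f"{dmarc_assessment(rec):13} {rec}")
```

In practice the record is published at `_dmarc.<domain>` as a TXT entry, and `p=none` is the right first step only while a domain owner reads the reports to find legitimate senders that would fail; the protection the article refers to arrives when the policy moves to quarantine or reject.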
Humans can help, of course—primarily by keeping software up-to-date: That scary Gmail trick I mentioned has been squashed in the latest version of the Chrome browser. (Check yours by going to Settings > About.) We can also make ourselves less valuable to phishers by using different passwords everywhere—which only Rain Man could do without the aid of a password manager. (Dashlane and LastPass are good options.) It's particularly important to protect your email account, which can be used to reset other passwords if someone takes it over.
Most of all, do this: Turn on an extra layer of security called two-factor authentication (aka 2FA, two-step verification and login approval). It's not foolproof, but it makes your password less valuable if stolen. These systems, already used by many corporations, usually ask for a code sent via text message or generated by an app or security dongle.
Two-factor is available from Google, Facebook, Apple, Microsoft, LinkedIn, Twitter and many other services. Though only a fraction of people turn it on, it ought to be automatic for everyone with a smartphone. Sure, logging in can be slow at times, but in an age of aggressive phishing, I wouldn't be caught online without it.
This article was licensed through Dow Jones Direct.
Dow Jones & Company, Inc.