A recent high-level phishing attack compromised a lot of people’s personal security by taking the form of a Google Docs email, notifying the recipient that someone had shared a document with them. Once the recipient clicked the link, the scam used formal Google processes to acquire the user’s data, then sent a copy of the same email to everyone in the user’s contacts list. Google was able to put a stop to the attack within an hour of being notified, and reported that 0.1 percent of its 1 billion accounts were affected.
That’s 1 million people successfully fooled.
The most basic advice for detecting phishing attempts is probably good advice everywhere on the internet: Don’t take what you see at face value. Email addresses and display names can be spoofed. Clickable links may install and run malware. The person we send private information to over email may not have our best interests at heart. A healthy sense of skepticism goes a long way toward keeping yourself safe online.
Phishing is just one tool a malicious hacker has at his or her disposal, but it’s an effective one. All the antivirus countermeasures in the world won’t save you from returning an email containing your bank account number — staying safe online requires an active mindset. It’s what Dan Guido, CEO of cybersecurity firm Trail of Bits, means when he says, “Security is not an app you can download. Keeping yourself safe on the internet means thinking about what you’re keeping yourself safe from.”
Here are a few simple tips to keep in mind the next time you check or send email.
If an email looks strange but comes from a known person or email address, greet it with suspicion.
Senders’ names and addresses can be spoofed to make a message appear to have been sent by anyone. Major brands care a lot about spelling and clear communication, and you can probably easily understand your friends and family when you communicate with them online. If an unusual email appears to have been written by someone other than its supposed sender, avoid it.
Think twice before sending any personal information via email.
It may be entirely appropriate to send a bank account number via email in order to initiate a bank transfer between accounts, but we should be aware that we’re distributing sensitive personal information as we do it. A healthy sense of alarm about communicating any meaningful personal information online (your address, social security number, passwords, and so on) will go a long way toward keeping your information out of public view. Replying to an email with any such information should never be a reflex, but something we do only after verifying that it’s necessary.
Don’t click on the attachment.
We repeat: Do not click on the attachment. This is especially true if it’s any kind of software, which may be equipped to compromise your device in any number of ways once it’s successfully up and running. If you don’t know who the sender is or aren’t specifically expecting something, don’t run or install their attachments.