Think you know how to protect yourself from phishing? Think again.
This year kicked off with a sophisticated phishing scam that fooled users and cybersecurity experts alike. Users were giving away their passwords to scammers through a seemingly legit Gmail login page. The scam had all the markers of a legitimate email, including the appearance that it was sent from a known sender.
There are many articles out there about the warning signs of phishing scams. We know the rules: don’t click on URLs you don’t know, beware of emails that sound urgent or feel pressuring, etc. The reality is that many of these tips aimed at protecting against phishing attacks would not have worked in the case of the Gmail attack.
Gmail’s spam filters already capture many emails that display common signs of scamming (formal language, unknown senders, etc.). However, phishing scammers, and hackers in general, are becoming more sophisticated in their techniques. A greater understanding of security will help you keep up with them in 2017. Here we’ll dive into the details of what made the Gmail scam so unique and offer some tips for avoiding sophisticated phishing scams that you can start using today.
The Sophistication of the Gmail Scam
What made this scam so convincing? Why was it able to fool so many people? Let’s take a look at how the scam works:
- The user receives an email from a family member or friend with an attachment such as a PDF.
- Upon clicking on what looks to be a regular PDF attachment (which is actually an embedded image posing as an attachment), the user is taken to what appears to be a legitimate Gmail login page.
- Thinking they have to log in again, the user enters their password. The hackers capture the password, giving them access to the user’s Gmail account and allowing them to use the duped user’s contact information to find new victims.
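As an added illustration (not code from the original article), here is a defender-side check for the trick described above: it scans an HTML email body for links whose only visible content is an image, the pattern of a fake attachment, and flags those that do not lead over HTTPS to a trusted host. The TRUSTED_HOSTS set and the sample message are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts a genuine Gmail attachment link should point to (assumption: adapt to your provider).
TRUSTED_HOSTS = {"mail.google.com", "drive.google.com"}

class ImageOnlyLinkScanner(HTMLParser):
    """Collects the href of every <a> whose only visible content is an <img>."""

    def __init__(self):
        super().__init__()
        self._href = None        # href of the <a> currently being read, if any
        self._has_img = False
        self._has_text = False
        self.image_links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._has_img = self._has_text = False
        elif tag == "img" and self._href is not None:
            self._has_img = True

    def handle_data(self, data):
        if self._href is not None and data.strip():
            self._has_text = True     # real link text, not just a picture

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._has_img and not self._has_text:
                self.image_links.append(self._href)
            self._href = None

def suspicious_attachment_links(html_body):
    """Return image-only links that do not go over HTTPS to a trusted host."""
    scanner = ImageOnlyLinkScanner()
    scanner.feed(html_body)
    scanner.close()
    flagged = []
    for href in scanner.image_links:
        parts = urlsplit(href)
        # data:, http:, javascript: or an unknown host all count as suspicious
        if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
            flagged.append(href)
    return flagged

# Constructed sample message: one genuine attachment preview, one fake, one ordinary text link.
SAMPLE_EMAIL = """<p>Hi, here is the document we discussed.</p>
<a href="https://mail.google.com/mail/u/0/?ui=2&amp;view=att"><img src="cid:preview1" alt="report.pdf"></a>
<a href="http://example.invalid/signin"><img src="cid:preview2" alt="invoice.pdf"></a>
<a href="https://example.com/notes">Read the full notes</a>"""
```

Running suspicious_attachment_links(SAMPLE_EMAIL) flags only the second link; a mail gateway could quarantine or annotate such messages before they reach the inbox.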
The Gmail scam is one of the most sophisticated phishing scams we’ve seen. First, the image that looks like an attachment can easily fool people who aren’t paying close attention. (Indeed, YouTube star Tom Scott tweeted that he would’ve clicked on it if his screen’s resolution hadn’t made the image so fuzzy.)
Second, the email appears to be legitimate because it’s coming from an email address the user already knows. We’re all suspicious of emails sent from a supposed United States ambassador in Africa, but what about from our parents, colleagues, or good friends?
Attacks like this show just how complicated technology has become. Sites like Google and YouTube are constantly updating their look and feel, which is great for attractiveness and usability, but poses a challenge when it comes to phishing scams. Let’s say you get an email from one of those companies. You click on the link and arrive at a page of their website that looks unfamiliar. The scam-detection mentality (“This seems unusual”) is no longer as useful because we’re so used to our favorite sites changing — we can easily dismiss website differences because change is part of the norm. This is good news for scammers, but not for us.
Tried and True Protection Advice
Despite the sophistication of today’s scams, there are some tried and true ways to protect yourself.
Never Use the Same Password
It’s easy and convenient to use the same password across multiple (or even all) of your accounts. However, the convenience won’t trump the stress that comes with being attacked. Using the same password creates a huge vulnerability: if an unwanted person happened to crack your password (or you unintentionally gave it to them through a phishing scam), they would soon discover that they could access all of your accounts with ease. But how do you come up with and remember all those unique passwords? Some strategies include:
- Using a password manager, like LastPass, which can generate long, complex, unique passwords as well as save them for you, safely, so you can access them as needed.
- Using long phrases with some tweaks and modifications (e.g., mixing capital letters, adding some symbols, and maybe changing a word). This can give you something that is both hard to guess (high enough entropy) and somewhat memorable.
Long phrase password help: Consider the phrase “to be or not to be” and modify it in various ways, like “2B||!twob?”, “to BE a bee or not to BE a bee?”, “!LoveRomeo2BeNot2Be”, etc. The possibilities are endless. Just make sure you don’t use the actual phrase, that you make a number of different kinds of changes, and that you include symbols and mixed case or numbers. This is never as good as a long, random password (which is doable these days if you use a good password manager tool), but may be a good compromise between security and usability for now, depending on how important the account is that you are protecting. (PS: don’t use these exact examples, as they are now published.)
Think Beyond Passwords
Even if you do manage different, strong passwords for every account, an even better option is to use something in addition to a password or avoid using them altogether. If you have a choice, use two-factor authentication, which requires some type of verification beyond your username and password.
When you log into an app or online account for the first time on a new device, you’re often required to enter a verification code that’s emailed or texted to you. This is considered two-step authentication because it requires you to verify yourself across two separate channels. While not perfect, two-step authentication makes it much harder for hackers to break into your accounts.
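An added example (not from the original article) of the server side of such a verification code: the class below issues a short numeric code for delivery over the second channel, stores only an HMAC of it, and enforces expiry, an attempt limit and single use. The server secret, code lifetime and attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses invalidate the code

class SecondStepVerifier:
    """Issues and checks one-time codes delivered over a second channel (e-mail or SMS)."""

    def __init__(self, server_secret, now=time.time):
        self._secret = server_secret
        self._now = now               # injectable clock, so expiry can be tested
        self._pending = {}            # user -> (hmac_tag, expires_at, attempts_left)

    def _tag(self, user, code):
        # Keep only an HMAC of the code so a leaked store does not reveal live codes.
        msg = f"{user}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for the user; the caller sends it by e-mail or SMS."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._now() + CODE_TTL_SECONDS
        self._pending[user] = (self._tag(user, code), expires_at, MAX_ATTEMPTS)
        return code

    def verify(self, user, submitted):
        """Return True once for the right code while it is unexpired and not locked."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)          # expired or locked: discard it
            return False
        if hmac.compare_digest(tag, self._tag(user, submitted)):
            self._pending.pop(user, None)          # single use
            return True
        self._pending[user] = (tag, expires_at, attempts_left - 1)
        return False
```

The comparison is constant-time and the short lifetime limits how long a captured code stays usable; a real deployment would also bind the code to the login session that requested it.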
Two-step authentication is only one of many verification methods. Some password-free methods include:
- OpenID: Rather than creating a separate login for every site you use, you sign in once with an OpenID identity provider; when you want to log into a site, that provider confirms your identity to it. Because the provider vouches for you to all the websites you visit, there are no per-site passwords to manage. OpenID is flexible, so you could prove your identity to the provider via any mechanism: fingerprint, client-side SSL certificate, an RSA security fob, the username and password to another site, etc.
- SQRL: “Secure, Quick, Reliable Login” provides a one-time code that users simply click on to verify their identity. SQRL is easier and more secure than usernames and passwords.
- Authentication through apps installed on your mobile device, such as LaunchKey and Clef. These apps take multi- and two-factor authentication to a new level as they use clever things like your phone’s camera and fingerprint technology to identify who you are.
With each of these options, there may be no password to steal, so it is hard or near impossible for hackers to phish for credentials using an imposter site or web page. With these tools, you can potentially even disable password-based access altogether.
Restrict IP Address and Email Access
If you find you’re receiving messages from people you don’t know or trust, try blocking their IP address or email address. Gmail allows users to create filters to direct emails from certain senders directly to the trash. You can talk to your system administrators about IP address restriction.
Advanced Tips & Tricks to Avoid Phishing Scams
While typical guidelines to detect phishing scams are still valid, the Gmail scam raises questions about the future of email. Do we need to shift our way of thinking about and handling emails?
Targeted phishing (e.g., “spear phishing”) is so convincing nowadays that it’s hard for anyone to avoid falling prey to such attacks unless you follow steps like these:
- Only view emails in a plain-text viewer.
- Never open an attachment that you weren’t expecting to receive.
- Never take an action (e.g., download, log in) you didn’t ask for or initiate yourself.
- Don’t follow links received in email messages.
Of course, most people will likely find these steps too numerous or cumbersome to follow consistently, which is why it’s so important to use two-step authentication and try out the other tactics mentioned above.
Choosing the Right Email Provider
It’s no coincidence that Gmail was targeted for this phishing attack. Large public email providers attract scammers due to their enormous user base, opening the potential for big payouts. Instead of joining the flock, you might consider turning to a small email provider (like LuxSci) that’s less likely to attract these large-scale attacks. However, if you do decide to go with a small provider, you’d be wise to make sure their security infrastructure is up to snuff.
Scammers and hackers will always try to steal your information. That’s why you need to stay one step ahead of them. Think beyond basic passwords and poorly-written emails. You now have the knowledge to better secure yourself, and there’s no better time to put it to use than right now.