Email scams are more sophisticated than ever, but Avast tells you how to outwit the tricks criminal phishers like to dangle.
“Dear user, email@example.com just sent you an email inviting you to edit the following document that she shared with you.”
Sound familiar (well, except with your real friend’s name in the From line, of course!)? It’s become commonplace for most of us to be notified by email that our contacts want to share files -- who sends attachments, anymore? So commonplace that this kind of message has become yet another way for hackers to phish for contact information, passwords, and online identities.
Newer phishing attacks dangle more sophisticated bait
May’s massive Gmail phishing attack needed only an hour (between its release and when Google disabled the malicious accounts and fixed the vulnerability) to hit more than 1 million users. While the subject line in this case wasn’t 100% identical to a what you’d see in a genuine shared document email from Google, the View in Docs button looked authentic, easily fooling unsuspecting recipients. And once victims clicked the link, they were taken to a Google log-in page and asked for credentials to give “Google Docs” access to their accounts.
This particularly sophisticated attack relied on the habit most of us have of scanning email header info and instinctively opening messages from a known email address. In this case, to steer clear, you’d have to have noticed that though the message was from someone in your contacts list, the To field was bogus: the emails were all addressed to firstname.lastname@example.org. All the actual recipients (like you!) were in Bcc.
Anyone who clicked on that malicious link gave the hacker access to their entire Gmail account -- contacts, passwords, authentication for other accounts. This is why it spread so quickly. And this type of attack, by generating what’s called an OAuth token (which hit Microsoft, Google, Facebook, and Twitter in 2014), takes advantage of most people’s tendency to remain logged in, across multiple devices, to their email and social media accounts.
Why it’s not just about email, anymore
By now you’re probably familiar with the below tips to avoid malicious emails, and they bear repeating, because following them will protect you from most of the threats out there:
Know how to spot fake emails. Misspellings in the header (the To, From, Cc fields, etc.), in the sender’s or recipients’ email addresses, odd characters … these are all red flags. Beware, too, if you’re only in the Bcc field. Check with the sender via a separate email account (or if at work, with your IT department) to see if the message is legit.
Use two-factor authentication. Think of this as a second layer of protection beyond your use of a strong password. If someone tries to hack into your accounts, two-factor authentication will require identification to both email and your phone.
The sneaky thing about May’s “OAuth” attack, though, is that two-factor authentication won’t keep you safe.
So there’s another practice everyone ought to adopt when using web-based email or any online platform: LOG OFF.
Why logging off is your safest option
To defeat OAuth abuse, log off Facebook, Twitter, LinkedIn, Gmail, Instagram, any service that requires a log-in. And do it every time you’re done using it. To quote Tom’s Guide: “You'll have to log back in next time, which is kind of a pain, but at least you'll know that no one else can steal your token and log in without your permission.”
There’s one more detail you should pay attention if you want feel more secure knowing that your email account is protected against email phishing: Download a strong and reliable anti-phishing software. Avast Internet Security detects email scams by closely monitoring your device to block threats before they happen.
Considering that May’s Gmail attack is unlikely to be the last, overhauling not just your email but also your online platform usage habits should be tops on your to-do list. Just because cyber criminals will continue to find and create new ways to steal your information doesn’t mean you have to take the bait.