The months-long espionage campaign against US political targets allegedly orchestrated by hackers working for the Russian government hinged on a simple, yet effective, hacker trick: booby-trapped emails.
In some cases, such as with the hack on John Podesta or Colin Powell, the phishing emails were designed to look like Gmail alerts containing a Bitly link that led to a fake webpage to harvest the victim’s password. Podesta and Powell were fooled, but don’t assume that only baby boomers are bad at spotting malicious emails.
In fact, one in two people click on phishing links, according to some estimates. And, of course, some look more credible than others.
For example, you probably wouldn’t click on this email I got a few weeks ago, even if it contained the name of your mother, as is the case here.
Last week, the journalists who work for the independent investigative project Bellingcat received a series of messages that looked like legit Google security alert emails. They didn’t click on them, but would you have been able to spot that they were malicious?
This one used Google’s own style and look for a security alert. To a distracted or untrained eye, there would be no difference between this and the real thing. Imagine you get this in the middle of the day, while you’re stressed at work. Would you have clicked on it? Would you have spotted that the hackers misspelled “Montain View” and “Amphithaetre”?
The hackers actually used three different types of phishing email to fool the targets. All of them prompted the would-be victims to change their passwords and enter them on a website under the hackers’ control.
Ask yourself: would you have clicked on these emails?
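To make those tells concrete, here is an added example (not code from the article, Bellingcat or Google) that scans one message for the signals described above: a Google-branded sender on a non-Google domain, a Bitly-style shortened link, a prompt to change your password, and near-miss spellings of the real Mountain View footer. The trusted-domain list, the shortener list and the sample message are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse
# Assumptions (not from the article): trusted link domain, shorteners, genuine footer wording.
TRUSTED_DOMAINS = {"google.com"}
SHORTENERS = {"bit.ly", "bitly.com", "goo.gl", "tinyurl.com"}
REFERENCE_STRINGS = ["Mountain View", "Amphitheatre Parkway"]

def _trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def _near_misses(plain):
    # Footer phrases that almost, but not exactly, match the real wording.
    words, found = re.findall(r"[A-Za-z]+", plain), []
    for ref in REFERENCE_STRINGS:
        n = len(ref.split())
        for i in range(len(words) - n + 1):
            window = " ".join(words[i:i + n])
            ratio = SequenceMatcher(None, window.lower(), ref.lower()).ratio()
            if 0.8 <= ratio < 1.0:
                found.append(window)
                break
    return found

def phishing_indicators(sender, html_body):
    # Return (tag, detail) tells for one message; an empty list means none seen.
    hits = []
    m = re.search(r"@([\w.-]+)>?\s*$", sender)
    if m and "google" in sender.lower() and not _trusted(m.group(1)):
        hits.append(("sender-domain", m.group(1)))  # Google name, foreign domain
    for href, _text in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html_body, re.S | re.I):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            hits.append(("shortener-link", host))  # Bitly-style link hides the target
        elif not _trusted(host):
            hits.append(("external-link", host))  # link leaves Google's domain
    plain = re.sub(r"<[^>]+>", " ", html_body)
    if re.search(r"change your password", plain, re.I):
        hits.append(("password-prompt", "asks for a password change"))
    for phrase in _near_misses(plain):
        hits.append(("misspelled-footer", phrase))  # e.g. "Montain View"
    return hits

# Constructed sample modelled on the alert described above; sender domain and link are placeholders.
PHISH = ("Google <no-reply@alerts.example.net>",
         '<p>Someone just used your password to try to sign in to your Google Account. '
         'You should change your password immediately.</p>'
         '<p><a href="https://bit.ly/PLACEHOLDER">CHANGE PASSWORD</a></p>'
         '<p>Google Inc., 1600 Amphithaetre Parkway, Montain View, CA 94043</p>')
```

Running `phishing_indicators(*PHISH)` flags all four tells, while a correctly spelled alert from `accounts.google.com` linking only to a google.com page yields an empty list.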
Luckily, if you’re worried about phishing emails like that, and you don’t trust yourself, there’s an easy way to make these attacks much harder to pull off. Turn on two-factor authentication on Gmail or your webmail provider of choice (and do it for your social media accounts too).
With two-factor or two-step authentication, even if you click on a booby-trapped link and then give up your password to the hackers, they still can’t get in, unless they have hacked your phone too or have control of the phone network—something not all hackers can do.