Users were compromised via messages sent through one of the world’s most prominent email services, Google.
Those who fell prey were not alone. Journalists at some of the top publications in the country fell for the scam. While the damage is done, they can and should double down on their security practices.
The attack began on Wednesday evening, via an email that purported to share a Google Doc, according to the New York Times. The email encouraged recipients to click on the link. Users who did so then received a prompt asking for access to their Google contact list, the Times notes. According to Gizmodo, the prompt looked exactly like the one Google uses to ask a similar question, and the link in the email looked like a Google URL. Initial investigations suggest that the hacker built an app that was registered with Google, another Gizmodo report found. Google shut down the app within 30 minutes, and estimated that 0.1 percent of users were hit. But Google’s user base is so large that more than a million people were affected, even in such a short timeframe.
That access gave the hackers permission to view contacts as well as other information. Those hit were not just media outlets, but police stations and large corporate enterprises, according to the swift posts on Twitter.
After any such attack, the key to minimizing damage is to double down on security. Change passwords. If you have not set up 2-factor authentication with Google and other major email providers, do so as soon as possible. Google and other services typically offer a way to report suspicious emails – remember, they do not want this to happen to their customers any more than users do. CNBC offers these and other tips.
Obviously, cleaning up after an attack falls on IT and cyber-risk departments. But this may also be a good time for leadership to weigh in. Messages that come from the board, through the C-suite, and on down carry a lot more weight than another message from an IT colleague, so it’s good to get the higher voices behind any communication. A recent case study from Diligent shows how to do it.
“Every single member of a company’s staff who uses email or the Internet is on the front line,” notes an Entrepreneur article. The author, Dirk Anderson, and other sources, such as this USA Today article, offer several suggestions. First, train all employees on what phishing scams do and what they look like.
For example, a scam does not necessarily ask for a password. In this case, the “To:” field of the email included the address “firstname.lastname@example.org.” That was the only hint for those who wanted to check whether Wednesday’s message was the real deal.
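One way to automate that “To:” field check, as an added example that is not code from the original article or from Diligent: a small Python filter that parses a message with the standard library and flags a “document shared” notification whose visible To:/Cc: headers do not include the mailbox owner (which means the owner was reached via Bcc). The sample messages, addresses and phrase list are constructed assumptions.

```python
import email
from email import policy

# Constructed sample messages (not real captures). The first mimics a share
# notification whose visible To: names an unrelated mailbox, as in the incident
# described above; the real recipient only received it via Bcc.
SAMPLE_PHISH = """\
From: A Colleague <colleague@example.com>
To: firstname.lastname@example.org
Subject: A Colleague has shared a document on Google Docs with you
Content-Type: text/plain; charset="utf-8"

A Colleague has invited you to view the following document:
Open in Docs
"""

SAMPLE_LEGIT = """\
From: A Colleague <colleague@example.com>
To: Me <me@example.com>
Subject: Q3 budget notes
Content-Type: text/plain; charset="utf-8"

Here are the notes from this morning's call.
"""

# Assumed wording of a share notification; tune to the services your users see.
SHARE_PHRASES = ("shared a document", "invited you to view", "open in docs")


def visible_recipients(msg):
    """Lower-cased addresses that appear in To: and Cc: (Bcc is never visible)."""
    addrs = []
    for name in ("To", "Cc"):
        for hdr in msg.get_all(name, []):
            addrs.extend(a.addr_spec.lower() for a in hdr.addresses)
    return addrs


def looks_like_share_notification(msg):
    """True if the subject or plain-text body reads like a 'document shared' notice."""
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    return any(p in text.lower() for p in SHARE_PHRASES)


def flag_suspicious_share(raw_message, my_mailbox):
    """Return the reasons a share notification deserves a second look (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if not looks_like_share_notification(msg):
        return reasons
    if my_mailbox.lower() not in visible_recipients(msg):
        reasons.append("share notice is addressed to someone else; you were Bcc'd")
    return reasons
```

A flagged message is a cue to open the document from the service itself rather than from the link, and to report the email through the provider's abuse mechanism.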
- Ensure employees do not use work machines for personal use
- Do not use home computers for work reasons. Others might add: unless there is verifiable high security (such as work-supplied Internet access or a VPN).
- Update all browsers with the latest versions, to take advantage of all security patches
- Create a process for employees to report any questionable emails or other communication they fear could serve as a risk.
Confirming The “World Wide Web”
This Google attack brought even the most experienced web users to their knees – further confirming how vulnerable everyone is. For board-level communication, locking down all communication can eliminate many of these problems. Using software such as Diligent’s Board Portal keeps all communication about high-level decision-making within the portal, which Diligent monitors more closely than the industry standard. Board members who keep their exchanges with team members inside the portal are far less likely to make such a mistake.
Because the truth is that everyone is vulnerable. Even the most cautious, cyber-aware Internet user can make a mistake. We’re only human. The key is to have a system that can help prevent any costly mistakes.