Uncategorized

Gone Phishing: Lessons Learned from This Week’s Gmail Attack

As phishing scams go, this one was frightening in its breadth and scope — upwards of a million email accounts compromised, via messages sent via one of the world’s most prominent email services, Google.

For those who fell prey, take heart that you weren’t alone. Journalists for some of the top publications in the country fell for the scam. While Google shut down the problem quickly, the whole scenario offered yet another lesson in how dangerous these schemes can be, how easy it is to fall for them, and how companies can — and should — double-down on their security practices.

What Happened

The attack appears to have begun on Wednesday evening, via an email that purported to share a Google Doc, according to the New York Times. Click on the link, the email encouraged. Users received an alert asking for permission to access the user’s contact list and Drive in Google, the Times notes. According to Gizmodo, the alert box looks exactly like the one Google uses to ask a similar question, and the email looks in every other way like it originated from a legit Google URL. Initial investigations seem to show that the hacker build an app that was registered with Google, another Gizmodo report found. Google apparently shut down the app within 30 minutes, and estimate 0.1 percent of users were hit. But Google’s user base is so large that more than a million people were impacted, even in such a short timeframe.

That access gave the hackers permission to view contacts as well as other information. Among those hit were not just media outlets, but a police station and large corporate enterprises, according to the swift posts launched on Twitter.

After any such attack, the key to minimising damage is to double-down on security. Change passwords. If you haven’t established 2-factor authentication, as Google and other major email players offer, do so as soon as possible. Google and other services typically offer a way to report any suspicious emails — remember, they don’t want this to happen to their clients any more than users do. CNBC offers these, and other tips.

Lessons Learned

Obviously, cleaning up after such an attack falls to IT and cyber risk business departments. But this may be a good time to sound the alarm on how all employees can do their part to keep the company safe. Messages that come from the board, through the C-suite, and on down carry a lot more weight than another message from an IT colleague, so it’s good to get the higher voices behind any communication. A recent case study from Diligent illustrates just how hard it can be to identify if an eMail is a phishing attempt.

“Every single member of a company’s staff who uses email or the Internet is also on the front line,” notes an Entrepreneur article. The author, Dirk Anderson, and other sources, such as this USAToday article, offer several suggestions. First, train all employees on what phishing scams do and what they look like.

For example, they should know that reliable companies will never ask for a user password via email, and that no one should click on a link in an email without verifying who the email came from. In this case, the “To:” field of the email included the address “hhhhhhhhhhhhhhhh@mailinator.com.” That was the only hint, for savvy users who thought to check, that Wednesday’s scam wasn’t the real deal.

Additionally:

  • Ensure employees don’t employ work machines for personal use
  • Don’t use home computers for work reasons. Others might add: unless there is verifiable high security (such as work-supplied Internet access or VPN.)
  • Update all browsers with the latest versions, to take advantage of all security patches
  • Create a process for employees to report any questionable emails or other communication they fear could serve as a risk.

Confirming The “World Wide Web”

For even the most suave web users, this Google attack brought them to their knees – further confirming how weak eMail can be for communication. For board-level communication, locking all communication behind a secure wall can eliminate many of these problems. Using software such as Diligent’s Board Portal keeps all communication about high-level decision-making within the portal, which Diligent monitors more closely than even the industry standard. Board members signing into the portal to retrieve messages from their fellow directors means they aren’t going to mistake a scammer’s email in their company-wide or personal inbox as something from another member of the leadership team.

Because the truth is that everyone is vulnerable. Even the most cautious, cyber-aware Internet user can make a mistake. We’re all only human. The key is to have systems in place that can help prevent any costly mistakes.

Featured Blog