The most dangerous email I opened last month came from a close friend. Or at least I thought it did.
The email had her photo, appeared to come from her address and mentioned personal details only she would know. It hit my inbox early on a Tuesday morning. My coffee was cold and the meeting was dry. I was bored and my guard was down. I tapped my phone, mindlessly. I tapped the link in her email. Then the world fell apart: I was hacked.
Or at least I would’ve been hacked — if the cyberattack was real. My colleague Graham Kates and I had enlisted the firm Cofense to hack us.
Here’s what that involved: For two weeks in January we were attacked by a group of professional hackers who targeted our email and social media accounts with malicious messages designed to trick us into handing over sensitive information.
The tactic is called spear-phishing and it’s one of the most common methods hackers use to breach accounts. According to Cofense, one out of every seven emails sent to professionals is a phishing message. (CBS is a customer of Cofense.)
Any site that requires an email address and login password is vulnerable to spear-phishing hacks. Determined attackers research a victim’s friends, family and interests before sending a barrage of finely-crafted messages. The software used to deploy the attacks is so good it can mimic the sender’s email address, name, photo and other identifying details. Each message is designed to trigger an emotional response and prompt the target to click a link embedded in the email.
In the case of the email from my “friend,” the attackers were able to access sensitive information including my email messages and contacts.
The cost of phishing can be high. During the 2016 presidential campaign, Russian hackers sent phishing messages to dozens of Clinton campaign staffers. One staffer received an email on March 19, 2016, that appeared to be sent from an automated Google company account, prompting him to change his password. But when he entered his username and password, he wasn’t actually fixing his account. He was giving the information to Russian attackers who were able to download his messages and, according to U.S. law enforcement, give the data to WikiLeaks.
The hack, and a similar one of several top Democratic National Committee staffers, fueled a stream of revelations that would become one of the dominant themes of the campaign’s final months.
Tonia Dudley, Cofense’s security solutions advisor, said that even though the primaries are still a year away, candidates should already be prepared.
“They should absolutely at this point … take precautions to look at the email controls that they have,” Dudley said.
The high stakes related to phishing hacks are exactly why Graham and I asked Cofense to attack us. The professional hackers crafted stunningly realistic notes that appeared to be sent from colleagues, friends, PR representatives and the human resources department at CBS. One particularly crafty message closely mimicked the look and feel of a Google Docs invitation.
They got us. They got us good.
Here’s what happened, and what we learned from our mistakes.
Graham: The first attempted phish I received was an email telling me there was a problem shipping me a package. Emails like this are pretty common, and I know not to click. I didn’t. But further attempts over the next two weeks weren’t so easy to discern.
My first strike came with a PR pitch. The writer said she worked for a beer and food festival. “Mmmm,” I thought.
The email said my former coworker, who did freelance design work for the festival, recommended they reach out to me. The research they did about him was personal and detailed. I should have texted him to determine the email’s authenticity. I didn’t. I was sold and I wanted to see his latest work. I’d also like to assure you that when I clicked the link I wasn’t interested in access to food and beer. I’d like to assure you that…
Dudley said her researcher learned about us through social media.
“I think she found that on LinkedIn (and) that person had commented on something [a recent tweet I made], and she just dug a little deeper,” Dudley said. “If they are out to get you, they will dig and dig and dig to find that information.”
The hackers sent Dan and me a lot of emails designed to appear like typical outreach to journalists. The one below purported to invite Dan to participate in a technology podcast:
Dan: The email was urgent, insisting that my Twitter account had been hacked. I panicked and clicked the link. Then I realized I’d been duped — again.
We all know we’re not supposed to click on strange links or download unknown files. But when you’re targeted by a persistent hacker it’s nearly impossible not to fall for a phishing email. Which is what makes them so dangerous.
Dudley said the goal of a phishing email is to get you to act without pausing to think about what you’re doing.
“An attacker would try to get that fear emotion to get you to click quickly,” Dudley said.
Graham: The web is an amazing place. If someone wants to pose as a corporate employee, for example, the information they need is out there. A good hacker will locate the mundane policies and corporate announcements you’re used to receiving and copy and paste their exact language, verbatim. But maybe they’ll also include an attachment in an email to you, promising more information the company “needs” you to review.
In general, if you don’t recognize the sender, or something about the email seems off, consider some basic vetting: ask your nearest coworker, “Did you get this email from HR, too?” Or, “Hey, have you ever heard of someone named Larry in HR?”
Consider: do they normally send you attachments? If so, are those attachments usually Word documents or PDFs? Make sure everything adds up. Maybe even contact the department the sender is from to check that they sent an email with an attachment.
I didn’t do those things. In the case of one corporate-looking email, I clicked the attachment.
Had it been a legitimate phish, malicious code could have affected not only my computer, but the company’s entire network.
“In the background there is something happening, you just can’t see it,” Dudley said.
When the experiment was over, I was demoralized. And so was Dan. But we learned a lot. You might go through hundreds of emails a day, but it only takes one mistake to get into trouble. Think before you click, we learned. Ask yourself: does this seem right? Would the sender make this typo or include this kind of attachment?
Cofense recommends verifying that an email actually came from the person it claims to be from. If you weren’t expecting to hear from someone, give them a call or shoot them a text to make sure.
Also examine links, Dudley said. Hovering over a link on your computer or holding a link on your phone will show the address. If the link purports to go to a particular website, make sure it actually goes there.
“Be skeptical of each and every message, especially when you are busy or rushed,” Cofense advised.
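The two checks recommended above, confirming who a message really came from and confirming where a link really goes, can be automated for the obvious cases. The script below is an added example written for this page; it is not code from CBS or Cofense. It parses a constructed sample message (every address and domain in it is a placeholder invented for the example) and flags a Reply-To address on a different domain than the From address, and any link whose visible text shows one site while its href points to another, which is exactly the mismatch you would see by hovering over the link.

```python
"""Added example (not from the CBS article or Cofense): a small
sender/link consistency checker for a raw email message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The display name claims to be a friend, but
# Reply-To points somewhere else, and the first link's visible text does
# not match its real destination. All domains here are placeholders.
SAMPLE_EMAIL = """\
From: "Alice Example" <alice@friend-mail.example>
Reply-To: support@recovery-help.example
To: dan@newsroom.example
Subject: Your Twitter account was hacked!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Reset your password now:
<a href="https://twitter-secure-login.example/reset">https://twitter.com/settings/password</a></p>
<p>Or read our <a href="https://friend-mail.example/blog">blog</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'site' extraction: the last two labels of a host name."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html):
    """Warn about links whose visible text looks like a URL or domain
    but whose href actually leads to a different site."""
    collector = _LinkCollector()
    collector.feed(html)
    warnings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        # Only compare when the visible text itself looks like a URL/domain.
        m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registered_domain(m.group(1)) != registered_domain(real_host):
            warnings.append(f"link text '{text}' actually goes to {real_host}")
    return warnings


def check_sender(msg):
    """Warn when Reply-To would route replies to a different domain
    than the one the From address claims."""
    warnings = []
    _, from_addr = parseaddr(msg["From"] or "")
    from_domain = registered_domain(from_addr.split("@")[-1])
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(msg["Reply-To"])
        reply_domain = registered_domain(reply_addr.split("@")[-1])
        if reply_domain != from_domain:
            warnings.append(
                f"Reply-To {reply_addr} is on a different domain than From {from_addr}")
    return warnings


def analyze(raw):
    """Run both checks over a raw RFC 822 message and return the warnings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return check_sender(msg) + check_links(html)


if __name__ == "__main__":
    for warning in analyze(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run against the sample, the script reports two warnings: the Reply-To mismatch and the password-reset link whose text says twitter.com while the href goes to a different site. The second link ("blog") is not flagged because its visible text is a word, not an address, so there is nothing for the reader to be misled about. The domain comparison is deliberately crude (last two labels only) and is meant as a triage aid, not a replacement for the phone call or text message the article recommends.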