Are You a Victim of Spear Phishing?
I’m sure you’ve received suspicious emails. I had several back-to-back last month. These “spear phishing” emails were a new kind in my experience.
Phishing is an illegal practice, and like fishing, those sending the emails are hoping to hook you with something. Phishing scammers are typically after money, passwords, or access to your accounts; the campaign described here was after money, through extortion or sextortion.
Spear Phishing
Instead of “casting a net” hoping to snare someone, spear phishing emails are directed to an individual and use details about that person to seem credible. These scammers were trying to extort money from me. Well, they threw a spear at the wrong person since I’m not hiding sordid secrets. I knew right away the email was a hoax. What was disconcerting, however, is they knew two of my email addresses and four of my passwords. They hope having this information about me will make me believe their threat is real. Of course, it’s not; they don’t have anything to blackmail me about. (Email addresses and passwords like these almost always come from old data breaches of sites where the password was used, not from anything on your own computer. That is also why a password reused across several sites is worth so much to a scammer: one breach unlocks all of them.)
What I’m Doing… What You Should Do
My friends at the Help Desk informed me that it’s pretty bad that I’m still using any of these passwords. I also use one of these passwords in many places; I was warned: “that’s really bad.”
So, I’m making my way through many sites to change my user ids and passwords. (This is easy to do because my husband and I use a password manager, SplashId, to keep track of our login information.) I’m changing ALL the ones with the compromised passwords. After that, I’ll create better passwords for some significant sites where I have an account. It certainly won’t hurt to take this extra preventative step.
Two-Step Authentication
I’ll also be starting two-step authentication where I haven’t done that yet. (Two-step authentication = after entering your username and password on a site, you also prove it’s you with something you have: a code texted to your phone, a code from an authenticator app, or a security key. A text message works, but an authenticator app or security key is stronger, because text messages can be intercepted or redirected by someone who takes over your phone number.) Read Security Tip: Use Two-Step Authentication for more information.
Here’s a list of services that offer two-step authentication. Clicking on the links for them will take you to the page for how to set up two-step authentication for that service:
These are your steps:
- Report the email to the Help Desk (see below).
- Start using a password manager.
- Change all compromised passwords to passphrases (see part two of this post on Tuesday).
- Start new habits:
- Two-step authentication
- Changing passphrases when alerted to possible breaches
Suspicious emails
Follow these best practices about emails.
- When in doubt, don’t interact with the email in any way (more about this further on in this post)
- Be careful before clicking anything in an email, including links and attachments. Misspellings are often a giveaway. Look for irregularities in the sender, recipient list, subject line, message, etc. Check the real destination of a hyperlink before you click: hover over the link with your mouse (or long-press on a mobile device) and compare the address that appears with the one the link text shows; in phishing email the two often differ.
- When an email directs you to a website, look closely at the address in the URL bar. Read Security Tip Series: Check the Web Address and Lock Icon for more information.
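The hover check above is easy to automate. The following is an added example, not code from the original post: it reads the links out of an HTML email body and flags the ones whose visible text claims one site while the href goes somewhere else, plus two other tricks the eye misses (a “username@” in front of the real host, and plain http). The sample HTML, the `.example` domains and the IP address are constructed placeholders.

```python
# Added example (not from the original post): flag deceptive links in an
# HTML email the way the post tells you to by hand, by comparing the host a
# link *displays* with the host its href actually points to.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of a phishing email. The domains and the
# IP address are documentation-only placeholders, not real sites.
SAMPLE_HTML = """
<p>Your account will be locked. Sign in at <a href="http://accounts-google.example/login">
https://accounts.google.com/signin</a></p>
<p>Or use <a href="https://www.google.com@198.51.100.7/x">www.google.com</a></p>
<p>Questions? See <a href="https://support.google.com/mail">Gmail Help</a></p>
<p>Homoglyph: <a href="https://g00gle-secure.example/">https://google.com</a></p>
"""

# Link text that looks like a URL or a bare hostname, e.g. "www.google.com".
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    if "://" not in url:            # accept bare hostnames in link text
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def link_warnings(text, href):
    """Reasons a link looks deceptive; an empty list means nothing obvious."""
    warnings = []
    parsed = urlparse(href)
    real_host = (parsed.hostname or "").lower()
    if parsed.username is not None:
        # "https://www.google.com@198.51.100.7/": everything before the @ is
        # a username, so the browser actually goes to 198.51.100.7.
        warnings.append(f"credentials-in-url: real host is {real_host}")
    shown_host = _host(text) if _LOOKS_LIKE_URL.match(text) else ""
    if shown_host and shown_host != real_host:
        warnings.append(f"text shows {shown_host} but link goes to {real_host}")
    if parsed.scheme == "http":
        warnings.append("not https")
    return warnings


def triage(html):
    """Map each href in the body to its warnings, for a look before clicking."""
    return {href: link_warnings(text, href) for text, href in extract_links(html)}


if __name__ == "__main__":
    for href, warns in triage(SAMPLE_HTML).items():
        print(href, "->", warns or "looks consistent")
```

Only the “Gmail Help” link comes back clean; the other three are flagged for exactly the mismatch a hover would reveal. The check is deliberately simple (it does not resolve anything or follow redirects), so a clean result means “nothing obvious”, not “safe”.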
You might also click on over to this article on the StaffWeb: Protecting Yourself and the Ministry from Phishing & Spoofing Attacks. This detailed article explains “spoofing” and “phishing” tactics and explains what to look for.
Passwords to Passphrases
(I will explain in my next post on Tuesday about using passphrases instead of passwords.)
Follow these best practices about passwords / passphrases.
- Don’t reuse your Google account password on any other sites. Keep it unique to Google only.
- I recommend unique passphrases for any significant websites.
- Change your passwords and usernames whenever you’re notified about a breach that may affect your account.
- This is easiest through a password manager like Dashlane, 1Password, SplashID or KeePass. Many Cru staff use the free version of LastPass. Read Security Tip Series: Use a Password Manager for more information.
- Use two-factor authentication whenever available.
More Help for Cru Staff from Cru’s Help Desk
If you’ve fallen victim to one of these campaigns, please contact Cru’s Help Desk (see below). They’re removing these emails from our Google system when they’re notified. Each time they’re a bit different, though. It’s like a giant game of Whack-a-Mole.
If these emails are not in your spam folder, please report them. Here’s how:
- Instead of forwarding, capture the “original” email and send it to the Help Desk. A forward keeps only the visible message; the original also includes the hidden headers (the Message-ID, the server the mail came from, the spoofed sender details), and those are what the Help Desk uses to find other occurrences of the same email and delete them.
- To “capture”: at the top right of the open message window, click the three dots and then click “Show original”.
- When the new tab opens, click the “Copy to clipboard” button, then open a new message and paste into the message area.
- Send this message to the Help Desk. (Optionally, include a screenshot of the email.)
- Lastly, click the Report Phishing (when available) or Report Spam options in Gmail to alert Google of the mail. The email then moves to your spam folder.
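To show what the “original” carries that a forward does not, here is an added example (not code from the original post or from Cru’s Help Desk) that parses a captured message with Python’s standard `email` module and pulls out the fields a help desk keys on: the Message-ID, the IP of the server that delivered it, and the Authentication-Results that expose a spoofed sender. The raw message is constructed for this example; its addresses, host names, IP address and Message-ID are placeholders, and the Authentication-Results line is written in the form mail servers use but is made up.

```python
# Added example (not from the original post or Cru's Help Desk): pull the
# identifying fields out of a message captured with "Show original". The raw
# message below is constructed for this example; its addresses, host names,
# IP address and Message-ID are placeholders.
import email
import email.utils
import re

RAW_MESSAGE = """\
Delivered-To: staff@example.org
Received: from mx.example.net (mx.example.net [203.0.113.9])
        by mail.example.org with ESMTPS id abc123
        for <staff@example.org>; Tue, 16 Oct 2018 09:12:44 -0700 (PDT)
Authentication-Results: mail.example.org;
        spf=fail (example.org: 203.0.113.9 is not a permitted sender) smtp.mailfrom=bounce@mx.example.net;
        dkim=none
Return-Path: <bounce@mx.example.net>
Message-ID: <20181016161244.7d0a9e@mx.example.net>
From: "staff@example.org" <staff@example.org>
To: staff@example.org
Subject: Your password is Fluffy2015
Content-Type: text/plain; charset="utf-8"

I know your password is Fluffy2015. Send 0.5 BTC within 24 hours or I publish the video.
"""


def parse_original(raw):
    """Parse the raw RFC 5322 text exactly as 'Show original' presents it."""
    return email.message_from_string(raw)


def _flat(value):
    """Join a folded header onto one line so the regexes see it whole."""
    return " ".join(str(value or "").split())


def _addr_domain(value):
    _, addr = email.utils.parseaddr(_flat(value))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """{'spf': 'fail', 'dkim': 'none', ...} from Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", _flat(hdr)):
            results[m.group(1)] = m.group(2).lower()
    return results


def sending_ip(msg):
    """IP of the server that handed the mail to our own mail server.

    A Gmail original usually has several Received headers; the topmost one
    was written by the recipient's own server, so it is the one the sender
    could not forge."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", _flat(received[0]))
    return m.group(1) if m else None


def triage(raw):
    """Identifying fields plus the signs of spoofing a help desk looks for."""
    msg = parse_original(raw)
    from_domain = _addr_domain(msg["From"])
    return_domain = _addr_domain(msg["Return-Path"])
    findings = []
    if from_domain != return_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {return_domain}")
    for mech, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{mech}={result}")
    if from_domain == _addr_domain(msg["To"]):
        # Sextortion mails commonly forge the victim's own address as the sender.
        findings.append("self-spoof: From address is in the recipient's own domain")
    return {
        "message_id": _flat(msg["Message-ID"]),
        "subject": _flat(msg["Subject"]),
        "from": _flat(msg["From"]),
        "sending_ip": sending_ip(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Every one of these fields is lost when the message is forwarded, which is why the instructions above ask for the pasted original rather than a forward. The Message-ID and sending IP let the Help Desk search the whole mail system for the same campaign; the SPF failure and the From/Return-Path mismatch are what make the spoofed sender visible.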
Whenever in doubt about an email, Cru staff should contact the Help Desk at the following email address:
More Help from eQuipping for eMinistry
On Tuesday, I will post part two, on best practices for passphrases (these are now better than passwords). You won’t want to miss this post. If you can’t wait, read this post from TechTalk.
I recommend reading the other related and helpful security posts from eQuipping for eMinistry linked in this post.
NOTES:
- Invitations to view shared documents are a common ploy for attack right now, too. Legitimate shared Google Docs are sent from either drive-shares-noreply@google.com or the email of the person sharing the document. Check the actual sender address, not just the display name, and confirm that the link itself goes to docs.google.com or drive.google.com before you open it.
- For the current flood of sextortion emails, I recommend reading “How not to fall prey to the latest ‘sextortion’ email threat” (USA Today).
- The image, “Greenlanders Spearing Halibut,” is in the public domain.
Are You a Victim of Spear Phishing? by Sus Schmitt is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.