Phishing: Nothing to Fear But Ourselves


At first we were going to title this post “How to Stop Fearing the Hack and Learn to Love it” (with appropriate homage to Dr. Strangelove). But nuclear warfare (no matter how wittily referenced) isn’t the vibe we’re going for. In discussing technology vulnerabilities, we want to discourage bunker thinking and focus on actively meeting the challenge: hence our appropriation of Winston Churchill’s famous rallying cry.

In case you missed it, the Associated Press (AP) Twitter account was taken hostage yesterday and falsely reported that the White House had been bombed. Though the AP quickly regained control of its account and took down the tweet, the damage was already done: alarm, confusion, and a hit to the stock market.

Currently we don’t know exactly who originated the “attack” (if that’s the right word) or for what purpose, though some have claimed responsibility. The main thing to realize is that this incident isn’t an isolated one, and regardless of the who and why, the fallout is the same. The only difference is that we laughed when Burger King was made to tweet about McDonald’s, while hits on trusted news sites and outreach organizations leave us saddened and worried.

But remember, it’s not time to retreat to an analog bunker. In an earlier blog post we wrote about how a lot of the “hacking” we see in the news is actually the result of phishing or social engineering. People receive suspicious emails, click links or enter sensitive information, and voilà! Someone gets hacked. In fact, the AP has admitted that’s what happened:

Mike Baker, an Olympia, Washington-based reporter for AP, says on Twitter that his company’s main account was hacked “less than an hour after some of us received an impressively disguised phishing email.” According to a report published Tuesday in the New York Times, a spokesperson for AP also confirms that malware has infected a number of the company’s computers in recent days.

We’re thinking there’s a strong possibility that the phishing email and the malware infection are related incidents. The same thing happened to the New York Times back in February. It happens every time someone doesn’t consider the ramifications of a click.

The best way to combat the problem is to be part of the solution. Twitter itself is rolling out two-factor authentication as a security measure, something Google and Facebook already offer. It requires users to have two methods of authenticating an account: a password and a mobile phone number. That way a person would be alerted when and if a big change is about to occur (like someone changing the password).

That’s good, but it’s certainly not going to prevent a person with both authentication methods in hand from “throwing away the key” via phishing. As the Marketing Pilgrim pointed out, “There is no two-step verification process for not thinking or being a sucker.”

Spam filtering and proper email management go a long way toward keeping people from clicking on the bad stuff. But remember that your own friends and family members might accidentally forward spam, and there are even hackers imitating banks and the FBI to garner hits.

That kind of attack requires old school thinking:

  • If it looks suspicious, don’t trust it.
  • If it sounds too good to be true, it probably is.
  • Verify that a message actually came from the source with a phone call.
  • Don’t believe half of what you see and none of what you hear (OK, that last one might be difficult, but it’s still a great song).

Part of the problem comes from people falling asleep at the wheel with social media. Did your business rush to secure all your different social accounts, then forget to look at them for months? Then chances are high you won’t be the one to first recognize a hijack in action. The Triangle Business Journal reported that “People aren’t often watching their own feed very closely, so you’re more likely to get an email or call that alerts you.”

Take immediate action if and when you find out one of your accounts has been compromised. Make sure you can log back in, then change your password and look at what apps have access to your account. Get rid of ones you don’t need or recognize (if it turns out to be important, you can always add it back later).

Also, don’t just delete anything the intruder posted and pretend nothing happened: actively publicize it. Social media is all about conversations and relationships. Use the attack as an opportunity to reach out the same way you would in real life: apologize for anything offensive or too weird, explain what happened and how you’re responding, and provide information on how your Followers/Fans can avoid falling victim to the same thing. This Forbes article has some great resources on how to address Twitter corrections.

The longer we go down the road of interconnectedness, the more these kinds of things will happen. Our advice is to stop fearing the hackers and be more concerned with actively engaging the medium. We can’t always control our circumstances or the things others do. But we can control our reactions and each do our part to make the new digital world a better place.