How to Avoid Being Hacked, Part 1 – Email
Hacking is a common occurrence these days, but it’s good to know that hacking targeting you specifically because of who you are is far less common than scattershot hacking. Additionally, taking advantage of your online data is much more common than taking control of your computer.
Most people don’t understand their computers or operating systems deeply. There’s no shame in that. No one really understands everything about computers. But that makes it easier for those types who are forever trying to make an illicit buck with some new way they have to separate you from your stuff, or some tool they’ve bought to apply leverage to an unprotected digital niche. Furthermore, the digital world changes quickly and it’s much easier for those providing software and hardware to sell insecure wares rather than to take the extra time (and loss of market share) to make them very safe.
So it remains up to us to be more conscious in our behavior online, on the phone, and with our purchased equipment. Some of these conscious behaviors apply across the board to computers, tablets, and phones; others are specific to certain platforms.
Email – Phishing
I got an email from Apple, referencing a recent purchase and asking me to verify it. I clicked on the link and my browser went to Apple’s website, but something didn’t seem quite right. I stopped a moment to think: I had made a purchase online from Apple the previous day, but the email didn’t reference the specific item. I dropped off the website and took a look at the email. I hovered my cursor over the link and sure enough, it didn’t even mention Apple in the link. This is super-common – phishing emails designed to get you to go to some official-looking but bogus website (like the Apple website I’d thought I was on) and enter in your credentials which then give the hacker free access to your online account. And because many people use the same password and login for many of their online accounts it can give the hacker control of your digital life in short order. This happens to people who should know better and even almost happened to me, who also should know better!
But how did they know I had just bought something from Apple, or in other bogus emails – how do they know I just bought something on eBay, or what bank I’m with? How do they even know my email address?
The short answer is – they probably don’t. They send that same email to a million likely email addresses – either from a list they bought, email addresses they harvested online, or just randomly generated by a program (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, etc) . It costs almost nothing to send an email and it doesn’t cost much more to send a million. It’s easy enough to add an official logo snagged off a corporate website to an email, and it’s similarly easy to make an official-looking website. In fact, one could just snatch the code off an official website and replace the official links with bogus ones that steal your login credentials. Furthermore, a link isn’t always what it appears to be. For instance, if I say to click here to WinAMillionBucks.com you’ll see that it goes to a site that may save you some money, but won’t win you a million bucks.
It can be enlightening to hover (without clicking) your cursor over a given hyperlink like the one above, and see what pops up. Or if nothing pops up, right-click (on a single-button mouse, [ctrl]-click) to reveal the link.
The short form answer to not being taken in like this is: DON’T click on links in emails. Type the desired URL into a browser. Or copy the link, paste it into a text document, and see if it is actually your bank, or Apple, or eBay or where you really wanted to go.
Coming up in part 2: Two-Factor Authentication, Passwords, and Giving Away the Form.