As tech services and consumers get better at blocking and ignoring phishing attacks designed to scam you, scammers are developing new techniques to socially engineer you out of your log-in credentials.
One of the latest techniques, says Markus Jakobsson, chief scientist at anti-fraud security company Agari, is to scare users into giving away their password reset codes. Instead of sending an email with a link to a fake Google, Facebook, or Amazon log-in site, scammers are generating authentic password reset emails, then phishing their victims for the one-time access code those emails contain.
The email addresses scammers target with these authentic-looking phishing attacks are largely publicly known email addresses, often acquired through databases traded on the Dark Web, and often used in credential-stuffing attacks.
The scammers choose an email to target, then submit it several times in the password reset fields that services as big as Amazon and Apple, and as small as local news site forums, offer to users who have forgotten their passwords.
“Go to the site directly. Don’t click on links in emails.”—Mike Wilson, CEO and co-founder, PasswordPing
This prompts the service to send multiple password reset emails in a row, each containing a new one-time account access code. Just as the target becomes alarmed that someone is trying to hack into his account, the scammers send the target a phishing email with a link to an authentic-looking site that asks prompts them to enter the most recent access code.
If a target clicks on that link and enters the most recent access code, the scammer can then use the code to access the account—a potentially disastrous scenario for a victim, Jakobsson says, if the hacked account links to his credit card, bank account, or a digital-payment site like Venmo or PayPal.
“What this does is use legitimate infrastructure to deceive the user,” he says. The phishing technique is so new that it doesn’t have a name yet, he says, but he calls it “an order of magnitude more convincing” than currently popular phishing techniques.
Of course, not all password reset emails are illegitimate. Sometimes, as was the case with workplace-messaging service Hipchat last month, online services sometimes reset customer passwords to protect them after a database has been compromised. Figuring out which password reset emails are authentic and which ones are phishing attacks will help make you safer online.
While Jakobsson says the kind of attack described above has not yet become widespread, phishing attacks in general are on the rise. In addition to Wednesday’s Google Docs scam, phishing attacks increased 65 percent in 2016 over the previous year, according to the Anti-Phishing Working Group, an international coalition of organizations dedicated to combatting online crime. In 2015, they cost large companies $3.7 million, on average, according to a Ponemon Institute report.
“These attacks put individual users in an uncomfortable position,” says Josh Horwitz, the co-founder and chief operating officer of compromised credential and breach notification services provider PasswordPing, “where you’re forced to evaluate an email designed to trick you.”
The first thing to do if you get a password reset notice, he says, is to look for telltale signs of forgery, such as broken English, including spelling and grammar mistakes. If you’re on a desktop or laptop computer, mouse over links in the email without clicking on them to see if the link is trying to misdirect you. If you’re on a phone or tablet without mouse access, switch devices, or copy the link, and paste it into a note-taking app.
Some scammers will use typographic tricks to fool phishing email recipients, such as replacing the lowercase letter “l” in Google with the number “1”. In some fonts, the two characters look identical, making it doubly challenging to tell if you’re being scammed.
In order to avoid clicking the link even accidentally, Horwitz and Mike Wilson, the CEO and co-founder of PasswordPing, advise not clicking on any links in the email.
“Go to the site directly. Don’t click on links in emails,” Wilson advises, and manually type the site URL into your browser. “When you go to the site, it’ll ask you to reset your password.”
If you’re at work, and you do click on the link, or even follow through by providing your log-in credentials, tell your IT administrator immediately, computer security analyst Kathryn Sweet advises.
Once you’ve successfully changed your password to one you haven’t used before, a commonsense deterrent to credential stuffing attacks, Horwitz recommends setting up two-factor authentication for all your major online services and to start using a password manager. You can also check to see if your credentials have been included in the “Have I Been Pwned” database, which contains more than 1 billion records.
The U.S. National Institute of Standards and Technology guidelines published in December advise that companies password databases off of the Dark Web and scan them for their customers’ credentials—and if they are included to notify them and possibly reset their passwords. Facebook revealed in November that it has already started doing this.
As much as companies are responsible for protecting their users, some just won’t move quickly to protect consumers, Jakobsson says.
“It’s important to get the word out and make people understand: The attacks are not all just one thing,” he says.