feature image via Shutterstock.
What is Phishing?
Likely you’ve heard about the massive phishing scam of the week. Some malicious human people targeted Google users with an application they had named Google Docs (but not the actual Google Docs). The email looked like a friend, colleague or professor sharing a Google doc with you; clicking through landed you on a real Google account page that asked you to pick your account and let “Google Docs” read, send and delete your email and manage your contacts. Because that was Google’s own sign-in and permissions screen, the fake app never had to ask for your password: once you clicked Allow, Google handed it an access token that let it act on your account. The app THEN emailed everyone in your contact list from your address, trying to get them to do the same thing. Why was it so devious? It used an actual Google page to do the dirty work. By making an app that requested permission to access your Google account instead of building a lookalike login page, the hackers left you fewer opportunities to spot something fishy going down: the address bar really did say google.com, and the only tell was the name of the app and the permissions it asked for.
You may have heard of this hack from a lot of people this week, because a lot of people fell for it, including journalists, professors, and even IT professionals. Not all phishing looks this way. In essence, phishing is just creating an email, website or application designed to get you to willingly hand over your log-in credentials, other sensitive information, or (as this week) permission to use your account. It can look like a mass email from someone at your university; it can look like an email from a company you use asking you to reset your username and password via a link; it can sometimes look like a really obvious hoax page that you can laugh at; sometimes it’s near indistinguishable from the site or service you use daily.
The reason this week’s brand of phishing is so insidious is that it preys upon your connection to and trust in other people, real people in your life. If you got an email from a professor during finals, HECK FUCKING YES you’re gonna open that Google doc without thinking. If you get a Google doc link from an editor you’re working with at a publication, OH MAN you bet you’re clicking that. No one is immune. I’ve fallen for a phishing scam once — about three years ago, one of my favorite authors, a professor at an institution that rejected me twice, emailed me a link to a Google doc. I didn’t do ANYTHING to protect myself; my weird lizard-brain screamed OMG WHAT WISDOM ARE YOU IMPARTING ON ME and clicked the link before I could even read how fake the URL was. I put ALL MY SHIT in that form and hit send and THEN realized. If you’ve done that? No worries. This is fixable.
This Sounds Scary — How Do I Know If I’ve Been Phished?
That’s the shitty bit: when your private information has been obtained another way, often there’s a way to check up on that. If a company you use gets hacked, they send an email out to their users. Or you can check Have I Been Pwned to see if your email/username and password have been involved in a data breach or posted online somewhere. But when it comes to phishing, often the only time you’ll know something has happened is if you smell a rat after the fact, or if the phishing scam is big enough to make the news rounds, like the Google Docs one did this week. (This week’s scam did leave one tell: a Sent folder full of Google Doc invitations you never wrote, or contacts asking why you’d shared a doc with them.)
In the case of this particular phishing attempt, you can head to your Google App Permissions (myaccount.google.com/permissions) and make sure Google Docs isn’t among the third-party apps allowed to access your Google Account. The real Google Docs is part of Google and never shows up in that list, so a “Google Docs” entry there, especially one with access to your Gmail and contacts, is the fake one: remove it. Changing your password alone may not cut the fake app off, because what it got from Google was a permission token rather than your password; revoking the app’s access on that page is what actually ends it.
So How Do I Protect Myself?
Constant Vigilance!
No, it’s not ONLY an excuse to use a Mad Eye Moody gif. Even when you get an email from a friend asking you to do something benign, stop and think. Have you talked about getting the kind of email you’re receiving? Did your professor make an announcement in class? You can call, text or email them separately and ask if the instructions are legit. If you’re part of a larger work or school organization and you receive emailed instructions that seem different than anything you’ve seen before, forward the email to the IT department and have them take a look. When a business asks you to reset a password, check the URL they’re directing you to in order to make sure it’s the real business’s URL. Often it will look similar but differ in the part that matters: a different TLD (.com, .org, .biz), a letter swapped in the name, or the real name buried in front of something else (accounts.google.com.example.biz belongs to example.biz, not to Google). The part to read is what sits just before the TLD. Instead of taking the link’s word for it, Google the name of the company and reset your password the traditional way, through the company’s website and not through the email. Keep in mind that this week’s scam used a genuine google.com page, so when a real site asks you to grant an app access to your account, the thing to scrutinize is the app’s name and the permissions it wants, not just the URL. If you do find a phishing scam, report it to the entity the hackers are impersonating so they can take steps to reduce harm. If you take all these steps, you’re less likely to take the bait in a phishing attempt (but not immune!) and you’re also protecting other people from getting hooked.
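Here is the URL check from the paragraph above written out as a small script. This is an added example for this post, not something from the original article or from Google; the sample links are constructed, and `google.com` is just the domain the fake email claims to be from. It flags the tricks described above (lookalike TLD, real name used as a subdomain of an attacker’s domain, `user@host` padding, punycode or non-ASCII lookalike characters, plain http). Note what it cannot catch: the Google Docs worm linked to a genuine google.com page and would pass this check clean, which is exactly why the permissions prompt itself has to be read.

```python
from urllib.parse import urlsplit, SplitResult

# The domain the email claims to be from (assumption for this demo).
EXPECTED_DOMAIN = "google.com"


def parse_link(url: str) -> SplitResult:
    """Parse a link the way a browser would; bare 'google.com/x' gets a scheme first."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def link_warnings(url: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Reasons NOT to trust this link as `expected_domain`. Empty list = host really is
    that domain (or a subdomain of it) over https."""
    parts = parse_link(url)
    host = (parts.hostname or "").lower()   # hostname already drops any 'user@' prefix
    warnings = []
    # The registrable domain is what sits just before the TLD; a suffix match handles
    # real subdomains (docs.google.com) but rejects google.com.evil.biz.
    if host != expected_domain and not host.endswith("." + expected_domain):
        warnings.append(f"host is {host!r}, not {expected_domain}")
    if "@" in parts.netloc:
        warnings.append("user@host trick: the text before '@' is not the site")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host: may use lookalike characters")
    if not host.isascii():
        warnings.append("non-ASCII characters in host: possible homoglyph")
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme}, not https")
    return warnings


def triage(links: list) -> dict:
    """Map each link to its warnings so a whole email's links can be eyeballed at once."""
    return {link: link_warnings(link) for link in links}


# Constructed sample links (not real phishing URLs).
SAMPLE_LINKS = [
    "https://docs.google.com/document/d/abc123/edit",   # genuine subdomain: clean
    "https://accounts.google.com.evil.biz/signin",       # real name as a subdomain of evil.biz
    "https://google.com@evil.biz/login",                 # user@host padding
    "https://xn--ggle-0nda.com/",                        # punycode lookalike
    "https://google.biz/reset",                          # wrong TLD
    "http://google.com/reset",                           # right site, no TLS
]

if __name__ == "__main__":
    for link, problems in triage(SAMPLE_LINKS).items():
        print(link, "->", problems or "looks like the real domain")
```

The suffix match is the important part: `endswith(".google.com")` accepts `docs.google.com` but not `google.com.evil.biz`, because the attacker only controls what comes after the last dot-separated name they registered.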
Use a Password Manager
One of the reasons that phishing is lucrative is because people use the same username and password over and over. So yeah, maybe you don’t give two shits about who can sign into your Tumblr, but if your Tumblr password is also your banking password, that’s a problem. Because the recipient of your log-in credentials is just going to run around and stick those keys into different cars until they drive away with your precious personal data (the trade calls this credential stuffing: trying one leaked username and password on every other popular service). One of the ways to take the sting out of phishing, to make it less profitable to engage in, is to make sure that someone getting your LinkedIn credentials means someone getting ONLY your LinkedIn credentials. We’ve written before about getting a password manager and how you should use a passphrase for it to make it more difficult to crack. Using a password manager means that you can use a unique and difficult to guess password for each and every login you have. If you haven’t done this yet, DO IT. I promise, it seems like a lot of effort now, but in the long run, it’s going to save you time and anguish. Especially do this if you clicked through the Google Docs phishing scam. I use LastPass!
Two-Factor Authentication
This is another thing that you should do ESPECIALLY if you clicked on the phishing scam this week, but that you should also do if you didn’t. Turning on two-factor authentication means that proving you’re you takes two separate things: something you know (your password) plus something you have. The second factor can be a number of different things: a code that’s texted to you, a code that an automated call reads out, or a code generated by an app like Google Authenticator, which works with a lot of different services, not just Google ones. All of these codes are one-time and short-lived (authenticator codes change every 30 seconds), so a stolen password on its own isn’t enough to log in, and a code phished out of you today is worthless tomorrow. An app-generated code beats a texted one, since text messages can be intercepted or redirected if someone talks your carrier into moving your number. One caveat: two-factor would NOT have stopped this week’s scam, because you were already signed in when you clicked. The fake app never logged in as you; it asked Google for permission to act as you, which is why checking app permissions (below) matters just as much. When I fell for that phishing scam a few years back, turning on two-factor authentication was the second thing I did, after changing my passwords.
Regularly Check Your App Permissions
You should definitely do this if you clicked through on this week’s phishing scam, but you should also, every so often, go make sure you know what all is accessing your Google account, your Facebook account, and your Twitter account. I do this about once a quarter — you may do it more or less frequently. But whatever you do, make time to do it regularly, and revoke access to anything you’re not using. Keep that apps list trim and then, if something does happen, it’ll stick out like a bear in a puddle and you’ll notice it quicker.
Have more tips and tricks for avoiding the bait? Comments, y’all, comments.
This scam hit my school, where students send out lots of Google Docs for surveys/programs. I was shocked at how legitimate it looked, thanks for this article!
Thank you for this! Quick question: Google Chrome is the first thing listed on my permissions: is this okay or is it the same as Google Docs where it already has permission?
Not the author but if you’re not sure, you can always revoke permission and see what happens. Most likely, Chrome will prompt you for permission again, in which case you’ll know it’s legitimate.