Phishing emails are frightening and annoying. They flood our inboxes, hoping to catch us off guard so that we'll fall for their tricks and hand over our private information. It seems like a never-ending battle against these hordes of hackers and scammers.
For so many years I have warned you about how to spot a phishing email. Look for typos. Check the domain where the email originates. Don’t believe it if you suddenly get an email claiming your account was hacked.
I spent time researching exactly how Hillary Clinton's campaign chairman John Podesta's email account got hacked. I was curious not about the politics or what the emails contained, but purely from a computer security perspective.
Did they hack into his computer and if so, how? Did he use an open Wi-Fi network? Did he use a common password and they just guessed it? Did they access his router and then have complete access to all resources on the network? Did they send him a keylogger in the form of a software download or system update?
What the news sites are reporting
From what I can see from the various news outlets, it appears to have been a common phishing email used to hack into his account. An article posted on CNN is reporting that the additional batch of emails belonging to Podesta released this past Friday includes one particularly telling email from March.
This email has the subject line, "Someone has your password." Did he really fall for that? Yikes!
Delving deeper into the report, I found that the password phishing email appeared to come from Google.com in the sender field. The email went on to say that someone located in Ukraine had tried to access Podesta's email account. Okay, that would be concerning to anyone.
Here’s the kicker: The email sender field was clearly “Googlemail.com,” not Gmail.com or even Google.com. This is a big red flag that the email was bogus, but even more obvious was the link contained in the email itself.
Never click on a shortened link
CBS News says that an IT staffer on the Clinton campaign declared the phishing email "legitimate" and subsequently advised Podesta to change his password. Now, the staffer did do something correct. The staffer told Podesta to use the password update page at Google.com. But Podesta did not do that.
In the phishing email, there was a big bold link in all capital letters that said, "CHANGE PASSWORD."
But it was a shortened link that used the service Bitly. Hackers and scammers often use these link-shortening services to conceal the real link. Apparently, Podesta fell for the bait and signed into a fake mail site, handing over his username and password.
Once that happened, the hackers had full access to his account.
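The two red flags described above (a sender domain that only resembles the real one, and a "change password" link that goes through a URL shortener) can be checked automatically. Here is an added example in Python, not code from the original article; the sample messages, the trusted-domain list and the shortener list are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Domains a genuine Google security notice and its links should use (assumption).
TRUSTED_DOMAINS = {"google.com", "gmail.com"}
# Public URL shorteners: a password-reset link should never be one of these.
SHORTENER_DOMAINS = {"bit.ly", "bitly.com", "tinyurl.com", "goo.gl", "t.co"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample modelled on the email the article describes (not the real one).
PHISH = """From: Google <no-reply@googlemail.com>
To: victim@example.com
Subject: Someone has your password

Someone in Ukraine just used your password to try to sign in to your account.
You should change your password immediately.

CHANGE PASSWORD: https://bit.ly/EXAMPLE
"""

# Constructed legitimate-looking notice for contrast.
LEGIT = """From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert

Review recent activity at https://myaccount.google.com/security
"""

def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Exact match or subdomain of a trusted domain; lookalikes such as googlemail.com fail."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)

def analyze(raw):
    """Return the red flags found in a raw RFC 822 message (empty list means none found)."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not is_trusted(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not a trusted domain")
    for url in URL_RE.findall(msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            findings.append(f"shortened link {url} hides its real destination")
        elif not is_trusted(host):
            findings.append(f"link {url} points outside trusted domains")
    return findings
```

Run `analyze(PHISH)` to get both findings and `analyze(LEGIT)` to get an empty list; the same checks can be pointed at any message you are unsure about.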
Set up 2FA now on your accounts
Don't let the fancy name "two-factor authentication" throw you. It just means that to log in to your account, you need two ways to prove you are who you say you are. It's like the bank or DMV asking for two forms of ID.
Most major services and companies, such as Amazon, Google, Facebook, Microsoft and Apple, offer two-factor authentication. It’s essential to set up.
This way, no one can access your account if your password is compromised. Some sites ask for your cell number, so they can text supplemental access codes if a password reset is enacted. You can also get alerts every time your account is accessed from an unfamiliar browser or device. And this is exactly what Podesta needed.
If only Podesta had set up two-factor authentication on his Google account, none of this likely would have happened.
When Podesta clicked the bad link in the email and entered his password, he would have been alerted at the exact moment that the hackers signed into his account. The hackers would have also needed the one-time access code sent to Podesta's phone to sign in to his account.
Click here to learn how to secure all your online accounts with 2FA. It's the smart thing to do, really. And it only takes a few minutes.
Test your wits against the phishing scams
It's crazy to think that all it took was a phishing email to hack into this high-profile account. It's just as crazy how easy it would have been to prevent in the first place.
Could you spot a fake phishing email? Click here to take a test to see for yourself.