The Washington Post has a front page story headlined "Russian hackers penetrated U.S. electricity grid through a utility in Vermont, officials say". The story, which is attributed to anonymous administration sources, says: "According to the report by the FBI and DHS, the hackers involved in the Russian operation used fraudulent emails that tricked their recipients into revealing passwords." It's been widely reported that the same technique was used to get into the email account of Clinton Campaign Chair John Podesta.
[Update: later versions of the story say that the evidence of hacker intrusion was found by the utility on a laptop which was NOT connected to the grid.]
Most of us aren't targeted by foreign spy agencies, but all of us who go online are targeted by those who want our passwords for plain old theft and fraud. The Russian hackers are probably very clever; but phishing is an old (and unfortunately very easy to implement) way to get passwords. Fortunately it's easy to avoid being phished. I wrote the post below more than ten years ago. Phishing hasn't changed much since then; so, if you're not up-to-date on how to avoid being caught on a phishhook, please read on.
Phishing is a nasty way of stealing your account IDs and passwords. This post is about how NOT to be a phish and contains some secrets about how you can be fooled on the Internet. The email below is an actual phishing email Mary received.
Note that the email claims to have come from PayPal and shows a return address of email@example.com. Secret #1: Anyone can put any return address he wants on email. The "From" address is just text the sender types in; nothing in the mail system checks it. Return address is absolutely NOT an indication of where email came from. This one DIDN’T come from PayPal.
Note the link that says Click here to verify your account and the other link which says https://www.paypal.com/us. If you clicked on either one of those, they would take you to a site which pretends to be PayPal. It ISN’T. “But surely,” you say, “I can see where the second link is taking me. It does go to PayPal.” Secret #2: What is visible in a link and where it actually goes DO NOT have to have any relationship to each other. In fact, in the actual email (but not in this post) both of these links would take you to a bogus site whose address is 18.104.22.168:82/login/index.php: a bare numeric address on an odd port, with no paypal.com name anywhere in it. I haven’t gone there. I suggest you not go there either.
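Here is what the two secrets look like to a program rather than to a reader. This is an added example and not part of the original post: it builds a constructed message modelled on the one described above (the sender addresses, the hostnames and the 192.0.2.x documentation-range addresses are all placeholders, not the real email's contents) and then checks it the way a simple mail filter would, comparing the "From" domain with the envelope sender and comparing each link's visible text with the address it really points at.

```python
"""Added example, not from the original post: inspect a constructed phishing
email for the two "secrets" in the text.

Secret #1: the From: header is free text chosen by the sender.
Secret #2: the visible text of an HTML link and its href are independent.
All addresses and hostnames below are constructed placeholders."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the PayPal message described in the post.
RAW_EMAIL = """\
From: "PayPal" <service@paypal.com>
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (192.0.2.25) by mx.recipient.example
To: mary@recipient.example
Subject: Verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://192.0.2.10:82/login/index.php">Click here to verify your account</a></p>
<p>or visit <a href="http://192.0.2.10:82/login/index.php">https://www.paypal.com/us</a></p>
<p>Help: <a href="https://www.paypal.com/us/help">https://www.paypal.com/us/help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def sender_mismatch(msg):
    """Secret #1: True when the From: domain differs from the envelope sender domain."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return_domain = parseaddr(msg["Return-Path"])[1].rpartition("@")[2].lower()
    return from_domain != return_domain


def is_ip_literal(host):
    """True for a dotted-quad address such as 192.0.2.10 (no hostname at all)."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def suspicious_links(html):
    """Secret #2: flag links whose href is a bare IP address, or whose visible
    text is a URL on a different host than the href really points at."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        target_host = urlparse(href).hostname or ""
        reasons = []
        if is_ip_literal(target_host):
            reasons.append("bare IP address")
        if text.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname or ""
            if shown_host != target_host:
                reasons.append("visible URL differs from href")
        if reasons:
            flagged.append((text, href, reasons))
    return flagged


def analyse(raw):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    return {"from_spoofed": sender_mismatch(msg), "links": suspicious_links(msg.get_payload())}


if __name__ == "__main__":
    report = analyse(RAW_EMAIL)
    print("From: header does not match envelope sender:", report["from_spoofed"])
    for text, href, reasons in report["links"]:
        print(f"  {', '.join(reasons)}: '{text}' -> {href}")
```

Two of the three links are flagged and the "From" domain does not match the envelope sender. A mismatch like that is a signal, not proof: many legitimate bulk senders use a different bounce domain, which is why mail servers rely on SPF, DKIM and DMARC rather than on the "From" text. The point for a reader is the same as the post's: nothing you can see in the message is the thing that decides where a click takes you.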
This site will look like PayPal. It will ask for your ID and Password. It may even ask for some other personal information. Now someone else knows how to get into your PayPal account. You’re a phish.
Just to show you how easy this scam is, if you click on https://www.paypal.com/us or the other link in this post, they will take you to the site of my book hackoff.com, not PayPal. But I don’t think I’ll resort to phishing for readers.
Once you know these two secrets, it’s easy not to get caught on a phish hook.
You already know that you can’t trust either the from address or any link to be what they appear to be. You can see where a link actually goes in Outlook email by hovering your mouse over it without clicking it, but that’s not the way to handle security. The simple rule is this: Never, Never click on a link in an email to go to any site where you will be asked for your name and password. Never. Don’t do it.
So suppose you get an email like this and think it may be real. What do you do? First of all, be skeptical. Organizations like PayPal know about phishing so they don’t ask people to click on a link to get to the signin page. But some other vendor might be really dumb.
If you think the email may be real and you do want to get to your account, simply type the login URL – in this case “www.paypal.com” – into the address bar of your browser. Then you know you are going where you think you’re going. DO NOT click on a link in email to get to a signin page. DO NOT copy the link from the email and paste it into your browser; even if it appears to read right, it may have a tiny difference that gets you where you don’t want to go: a digit 1 in place of the letter l, for example, or the real name tacked onto the front of an address whose actual site is somewhere else entirely. Type the URL into your browser or use favorites that you have set up in your browser to get there.
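To show what a "tiny difference" can look like, here is an added example that is not part of the original post. It takes a handful of constructed addresses that all appear to read as PayPal and works out which host a browser would actually connect to; www.paypal.com is used only because it is the site the post discusses, and the other hostnames are made up for the illustration.

```python
"""Added example, not from the original post: why an address that "appears to
read right" may not be. Every URL below except the first is a constructed
lookalike; EXPECTED_DOMAIN is an assumption for the illustration."""
from urllib.parse import urlparse

EXPECTED_DOMAIN = "paypal.com"


def registrable_domain(url):
    """Return the last two labels of the host the browser would really connect to.
    Good enough for .com-style names; production code would use the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def why_not_paypal(url):
    """Return None if the URL really lands on paypal.com, otherwise a short reason."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return "unexpected scheme"
    if parsed.username is not None:
        # Anything before an '@' in the address is a login name, not the site.
        return f"text before '@' is ignored; real host is {host}"
    if registrable_domain(url) != EXPECTED_DOMAIN:
        return f"real host is {host}"
    return None


# Constructed samples: the genuine URL followed by lookalikes that differ slightly.
SAMPLES = [
    "https://www.paypal.com/us",                                # genuine
    "https://www.paypal.com.verify-account.example/us",         # real name as a prefix
    "https://www.paypal.com@verify-account.example/us",         # real name before '@'
    "https://www.paypa1.com/us",                                # digit 1 for letter l
    "https://www.p\u0430ypal.com/us",                           # Cyrillic 'a' for Latin 'a'
]


def check_all(urls=SAMPLES):
    """Map each URL to the reason it is not PayPal (None for the genuine one)."""
    return {url: why_not_paypal(url) for url in urls}


if __name__ == "__main__":
    for url, reason in check_all().items():
        print(f"{url}\n    -> {'OK' if reason is None else reason}")
```

The last sample is the hardest to catch by eye: it renders almost identically to the real name but is a different domain, which is why browsers show such names in their encoded (punycode) form. Typing the address yourself, or using a bookmark you made earlier, sidesteps every one of these tricks.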
That’s all you need to do to be safe from phishing.
One note: suppose a friend sends you an email with a link to an interesting website. Should you go there? Well, you won’t get phished if you don’t supply any account number or password. But you also can’t be sure the email is really from your friend unless there is a personal note with content no one else would write. And some websites can be dangerous even if they don’t have phish hooks. Be careful following links.