5 On Your Side

Friends, family fooled by phishing emails

Posted January 23

Would you know how to tell if the email you received is real or a dangerous scam?

Hackers are now posing as major companies like Netflix and Gmail to trick users into handing over sensitive information.

Most people get so many emails in a day, from friends, work and spam, that they mindlessly click on links without giving it a second thought.

The hackers know it.

Now, their scams are so sophisticated that they can send an email that looks like it came directly from a friend or corporate address and include a link to redirect the user to answer questions designed to cherry-pick personal information.

In one current scheme, hackers are targeting Netflix users with fake emails that look like they came directly from the company. They ask the user to update their billing address, credit card information, even their social security number. It looks so real, unsuspecting customers are fooled into handing over that sensitive information.

In another example, an email arrives in the Gmail inbox with an attachment shared by a friend. When the user clicks the attachment, it asks him to log back into his account. The hackers are then able to watch the user's keystrokes to steal passwords and other information.

Jim Stickley, a cyber security expert, was able to target a reporter's own mom and dad.

"I've told them a thousand times, they know what I do for a living, they watch me on television, I say, 'Don't open attachments. Don't open links if you don't know exactly who it's from,'" said NBC national investigative correspondent Jeff Rossen.

Just minutes after Stickley created and sent the fake email, Rossen's mother had opened it and clicked the link it contained.

While the experiment was innocuous, Stickley said bad guys can use the same process to put ransomware on a computer, to take over a computer, or even to turn on a webcam to watch the user.

When Rossen visited his parents, mom couldn't even remember clicking the link.

"We actually had a computer expert send that to you, and this is what the hackers use to link into. We could have had full access to your computer," Rossen told his parents.

Rossen's father said they acted without thinking too much about it.

"You're used to pressing buttons. We use the phones all the time, so we casually click it without thinking," he said.

For a second experiment, Rossen asked Stickley to send a link to his NBC News producers that appeared to come from the company. The link asked them to enter an address, phone number and social security number.

"They should notice the address isn't a real NBC account," Rossen said.

"This is what criminals do. They send an email out that looks like it came from the company you work for, only, it's not really them."

Three NBC producers not only clicked the link, but they entered personal information as requested.

"Haven't I taught you anything?" Rossen asked.

"You have produced stories about this, about checking email addresses and not opening attachments and putting in information, but all three of you did."

Experts suggest that email users be skeptical about any link or attachment. When in doubt, pick up the phone and call a business, friend or colleague to confirm they sent the link.

Any secure link will start with https. The "s" means secure, denoting that the site is safe.
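The advice above can be turned into a concrete check on the links inside a suspicious message. The following Python script is an added example, not code from the article or from WRAL: it pulls every link out of an HTML email body, compares the address the link shows with the host it actually points to, checks that host against the domains the claimed sender really uses, and reports whether the link uses https. It goes one step beyond the article's last line by treating https as necessary but not sufficient: a look-alike host can have a valid certificate too, so the host check is the one that matters. The `EXPECTED_DOMAINS` table, the `.example` host and both sample emails are constructed for this illustration.

```python
"""Link checker for a suspected phishing email (added example, not the article's code).
Applies the article's advice: look at where a link really goes, not at what it shows,
and treat https as a minimum rather than as proof that a site is safe."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the named companies actually use.
# A real deployment would maintain and extend its own table.
EXPECTED_DOMAINS = {
    "netflix": {"netflix.com"},
    "gmail": {"google.com", "gmail.com"},
}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host, e.g. 'billing.netflix.com' -> 'netflix.com'.
    Sufficient for the .com-style names used here; public-suffix handling
    (co.uk and similar) is out of scope for this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(html_body, claimed_brand):
    """Return one record per link with a list of reasons it looks suspicious.
    An empty reasons list means nothing obvious was found (not proof of safety)."""
    collector = _LinkCollector()
    collector.feed(html_body)
    expected = EXPECTED_DOMAINS.get(claimed_brand.lower(), set())
    results = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        # https is the floor, not the ceiling: flag its absence, but keep checking.
        if parsed.scheme != "https":
            reasons.append("not https")
        # The decisive check: does the real destination belong to the claimed sender?
        if registered_domain(host) not in expected:
            reasons.append(f"host {host!r} is not a {claimed_brand} domain")
        # Visible text that names a different host than the href is a classic tell.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(host):
            reasons.append(f"link text shows {shown.group(0)!r} but points to {host!r}")
        results.append({"href": href, "text": text, "reasons": reasons})
    return results


# Constructed samples: the first shows a netflix.com address but points to a
# look-alike host that also uses https; the second is what a genuine link looks like.
SAMPLE_PHISH = """
<p>Your billing information needs to be updated.</p>
<a href="https://netflix-billing-update.example/login">https://www.netflix.com/account</a>
"""
SAMPLE_LEGIT = '<a href="https://www.netflix.com/YourAccount">Manage account</a>'

if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        for record in check_links(body, "Netflix"):
            print(label, record["href"], "->", record["reasons"] or "no findings")
```

Run it as-is and the constructed phishing link is flagged on two counts (wrong host, and link text that disagrees with the destination) even though it uses https, while the genuine link produces no findings. The same pattern applies to the article's NBC example: a link that asks for personal data should be judged by whether its host is really the company's domain, never by the logo or the padlock alone.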

2 Comments

  • Paul Vail Jan 23, 2017

    Good basic article, but the author's last lines, "Any secure link will start with https. The 's' means secure, denoting that the site is safe.", are very, very wrong-headed. It does not take much effort to create a criminal website that would have a secure certificate (what makes that whole https:// function), and then have a fake login for impersonating the proper website. Capturing the graphics of a legit site -- Netflix, your bank, Google Gmail -- whatever, is a trivial process. Recreating a 'secure' (https://) page wherein the victim doesn't realize what they are viewing is also easy for the most novice of web designers.

    Better advice is to NEVER trust a link in an email that was not just requested. Always go to the desired website manually, or from a clean trusted bookmark to sign in. Never open an attachment, even from a known sender, unless that file is expected.

    Identity theft, ransomware, viruses and scams can ruin a life - treat these tools with respect.

  • Betty Schmenks Jan 23, 2017

    Isn't this how Podesta and others in the Clinton campaign got exposed?