Friends, family fooled by phishing emails
Posted January 23
Would you know how to tell if the email you received is real or a dangerous scam?
Hackers are now posing as major companies like Netflix and Gmail to trick users into handing over sensitive information.
Most people get so many emails in a day, from friends, work and spam, that they mindlessly click on links without a second thought.
The hackers know it.
Now, their scams are so sophisticated that they can send an email that looks like it came directly from a friend or corporate address and include a link to redirect the user to answer questions designed to cherry-pick personal information.
In one current scheme, hackers are targeting Netflix users with fake emails that look like they came directly from the company. They ask the user to update their billing address, credit card information, even their Social Security number. It looks so real that unsuspecting customers are fooled into handing over that sensitive information.
In another example, an email arrives in the Gmail inbox with an attachment shared by a friend. When the user clicks the attachment, it asks him to log back into his account. The hackers are then able to watch the user's keystrokes to steal passwords and other information.
Jim Stickley, a cyber security expert, was able to target a reporter's own mom and dad.
"I've told them a thousand times, they know what I do for a living, they watch me on television, I say, 'Don't open attachments. Don't open links if you don't know exactly who it's from,'" said NBC national investigative correspondent Jeff Rossen.
Just minutes after Stickley created and sent the fake email, Rossen's mother had opened it and clicked the link it contained.
While the experiment was innocuous, Stickley said bad guys can use the same process to put ransomware on a computer, to take over a computer, or even to turn on a webcam to watch the user.
When Rossen visited his parents, his mom couldn't even remember clicking the link.
"We actually had a computer expert send that to you, and this is what the hackers use to link into. We could have had full access to your computer," Rossen told his parents.
Rossen's father said they acted without thinking too much about it.
"You're used to pressing buttons. We use the phones all the time, so we casually click it without thinking," he said.
For a second experiment, Rossen asked Stickley to send a link to his NBC News producers that appeared to come from the company. The link asked them to enter an address, phone number and Social Security number.
"They should notice the address isn't a real NBC account," Rossen said.
"This is what criminals do. They send an email out that looks like it came from the company you work for, only, it's not really them."
Three NBC producers not only clicked the link, but they entered personal information as requested.
"Haven't I taught you anything?" Rossen asked.
"You have produced stories about this, about checking email addresses and not opening attachments and putting in information, but all three of you did."
Experts suggest that email users be skeptical about any link or attachment. When in doubt, pick up the phone and call a business, friend or colleague to confirm they sent the link.
Any secure link will start with https. The "s" means secure, denoting that the site is safe.