Column: Lesson from Podesta’s email hack

Q: What protective measures can be taken to avoid having email hacked like what happened in the [John] Podesta case?

There are many lessons that can be learned from the recent, high-profile email hacks of several public figures.

The most important lesson is that people, not security measures, are the easiest to compromise.

The weakest link

As anyone in IT security will tell you, no matter how sophisticated the cyber security system may be, the humans using the system are always the weakest link.

In most cases, hackers employ what’s called “social engineering” to trick users into divulging critical information, which the hackers then use against them.

In the Podesta case, a spear-phishing email claiming the password had been stolen convinced both the users and the IT person that it was a legitimate warning from Google.

Spear-phishing is a more targeted attack: the hackers already know that you use a specific online service and tailor the message to it.

In this case, since the recipient’s email address ended with @gmail.com, they created a stolen password alert that appeared to be from Google.

Telltale signs

As with most phishing messages, a close examination of the punctuation and grammar would have tipped off an observant reader.

The lack of commas in appropriate places, the relative vagueness of the message and the fact that they ended the message with “Best, The Mail Team” are clear red flags.

The reason social engineering tricks work so well is that the anxiety created by the message causes most people to focus on the salacious subject line and scary claims instead of the message in its entirety.

Another way to sniff out suspicious messages is to use the hover method as described in this video:

Thoroughly read messages

The IT person fell for the fake message as well but, in their defense, replied with a specific link to use to change the password, which the frantic user didn’t use.

Instead, they went back to the original message and clicked on the button that said “Change Password,” which sent them right where the hackers wanted them.

Had they followed the instructions from the IT person, even though the message was a fake, they would not have been compromised.
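The “hover method” works because what a link says and where it actually goes are two different things: the button text reads “Change Password,” but the destination is whatever address the sender put behind it. The script below, an added illustration that is not part of Ken Colburn’s column, does in code what hovering does by eye: it pulls every link out of an email body, compares the visible text with the real destination, and flags links that do not land on the service the message claims to be from. The email body and its hostnames are constructed sample data using reserved example names, not addresses taken from the Podesta message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a notice imitating a stolen-password alert, with one
# link disguised as Google and one genuine-looking link for comparison.
# Every host below is a reserved example name, not a real site.
SAMPLE_EMAIL_HTML = """
<p>Someone has your password</p>
<p>Hi John Someone just used your password to try to sign in to your Google Account.</p>
<p>You should change your password immediately.</p>
<a href="http://myaccount.google.com.security-check.example/reset">Change Password</a>
<p>Best, The Mail Team</p>
<p>Reference: <a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: what the reader sees vs. where the link goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def belongs_to(host, domain):
    """True only if host IS the domain or a real subdomain of it.

    A substring test would be fooled by 'myaccount.google.com.security-check.example',
    which contains 'google.com' but is registered under a completely different domain.
    """
    return host == domain or host.endswith("." + domain)


def check_links(html, expected_domain):
    """Return a list of (text, href, reasons) for every link in the email body.

    An empty reasons list means nothing about that link looked wrong.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        reasons = []
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if not belongs_to(host, expected_domain):
            reasons.append(f"destination host {host!r} is not under {expected_domain}")
        if url.scheme != "https":
            reasons.append(f"link uses {url.scheme or 'no'} scheme, not https")
        # If the visible text is itself a URL, it must point where it says it does.
        shown = urlparse(text) if "://" in text else urlparse("")
        if shown.hostname and shown.hostname.lower() != host:
            reasons.append(f"text shows {shown.hostname} but link goes to {host}")
        findings.append((text, href, reasons))
    return findings


def suspicious_links(html, expected_domain):
    """Only the links a cautious reader should refuse to click."""
    return [f for f in check_links(html, expected_domain) if f[2]]


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "google.com"):
        print(f"DO NOT CLICK {text!r} -> {href}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample, the “Change Password” button is reported twice over (wrong registered domain, plain http) while the reference link passes, which is exactly the judgment the IT person’s advice relied on: use a known-good address, not the one the message hands you.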

Stolen password protection

Another important step that the IT person suggested in his response was to make sure that two-step verification was turned on, which would have kept the hackers out even with the password.

Two-step verification creates a second layer of protection in the event someone steals your password.

With it turned on, whenever the site detects a valid login from an unknown location or device, it sends a special code via text message to your smartphone.

Without the code, the person that has your password won’t be able to get in, and you will have been alerted that your password has been compromised.

Never click links

We’ve all heard “never click links in email messages” a million times, but cleverly crafted messages can scare people into taking immediate action.

Even when you think a warning is legitimate, avoid the links and manually type in the address of the service in question to see if the same warning comes up when you log in.

Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.
