Phishing Emails: What ‘You Gonna Do When They Come For You!.
Gone are the days when scammers need to spend actual time trying to hack your account because why spend time and effort trying to obtain a person’s credentials when they can willingly give you it and with a smile on their face?
I had touched on how scammers are upping their game with near-legitimate landing pages that give you the feeling of “I’ve been there, done that so let’s get it over with” so you willingly type in your credentials. Plot twist, the page you typed your credit is the masterpiece work of a scammer to steal your credentials. Yes, the scammers won’t spend a lot of time just to get your credentials, they spend the time to design a campaign to steal as many credentials as possible.
The thing you need to seriously consider is, if you use your credentials for other services like your online banking, work email, personal email, …etc. That means if your credentials are compromised chances of the scammers gaining access to other accounts skyrockets. You might not use the same credentials for other services, but do you use your email address for other services? Scammers can reset your password and use your email to do so (they already have access to it) to authorize the change.
A few days ago, I received an email regarding my Office 365 account. It required that I sign in. Like any sane person who does 90% of his work online would do, I clicked the link. Yes, I clicked the link and typed an email and password. Let’s circle back to how a person writing about security would fall for that, I didn’t really. I clicked the link in a controlled and isolated environment (I used Windows SandBox: an amazing feature of Windows 10) and typed a non-existent email and password combination. They try to make it look real. The page looks immaculately real. It felt like I was on the Office 365 login page (apart from the incorrect web address). I typed an email and a password. To add to the realistic feel, it refused my first password indicating it was “incorrect”. I typed another password and was able to go through! Here’s a recording of what happened (quick 42 second video).
If you are ever tricked into providing your credentials you must notify your IT department or provider right away.