Recently, I received an email from a client with a suspicious link. Being a cautious litigator, I investigated the email before clicking the link. After speaking with my client, I learned that his email had been hacked. Phishing links, hacking, and identity theft are all on the rise.
The federal Computer Fraud and Abuse Act prohibits, in limited circumstances, unauthorized access to a “protected computer.” Protected computers include those used by financial institutions or computers affecting interstate commerce. Individual states all have their own criminal statutes covering various cyber crimes, including hacking and phishing scams.
Google recently announced a Gmail phishing scheme through Twitter; LinkedIn does a good job of explaining what the attack did, what it could have done, and what it did not do, here. Luckily for many Google users, the attack was more or less benign: it fooled users into giving an application permission to access their Google account, then simply replicated itself by sending similar messages to everyone in the victim’s contacts. It then deleted the messages from the victim’s outbox to cover its tracks. Interestingly, it also phoned home to Google Analytics to determine how many victims (or suckers) fell for the trick. It could have been far worse, because many people use Google applications to manage their entire digital life.
The nature of this attack raises an interesting question. Why go to all this work to break and enter someone’s Google account and leave behind the family jewels, which were easily within their grasp? Was this a test by some middle-school whiz-kid would-be hacker to see how many people she could dupe? Or was this a disgruntled Google employee who wanted to send a message to her overbearing boss? Or is it the Russians again?
We may never know who she (or he) is, but the point of this blog is to reinforce that we must be vigilant in guarding our digital lives. Just this week, several people at my firm received an email with a PDF attached. The email explained it was a document transfer. As a litigation boutique, we are constantly being sent documents from clients, opposing counsel, admins and their associated IT personnel. But this email was not from a law firm, not from a client, and had an email address that just looked fishy. The PDF included a link to download documents, which I concluded had to be a phishing attack because no one at my firm knew the sender or was expecting documents to be sent in that fashion. So the message got the shift-delete treatment, which sends the email down the digital disposal.
My message here is simple: think twice before you click a link once. Do you know the sender? If so, were you expecting a document transfer? Maybe it’s worth it to pick up the phone and call, or text, the sender and ask “what are you sending me?” I don’t recommend responding to the email because you may well be corresponding with the hacker and not the email owner. And remember: Just because you look paranoid doesn’t mean a hacker isn’t really out to get you. They are.
By the way… How many of you hesitated before clicking the hyperlink in the first sentence in my blog?