The majority of the time your online accounts get ‘hacked’, it is because of social engineering more than technical vulnerabilities. This is applicable for normal folks like us and obviously high-value targets face the full ‘brute force’ of the technical attacks. Social engineering hacks or ‘phishing’ makes you believe that the communication mostly via email is from a person you know and trust and it makes you click a link in the email that will further ask for your login details. Once you enter those in, bam! They’re in.
Yesterday, I got an unusual email from my dad :
Fortunately, it rang plenty of alarm bells when I opened the email. First, the tone of the email was casual and if you know my dad, his emails even with his sons are extremely formal. Even the ones he sends as personal emails start and end very officiously.
Second, it asked me to click on an allegedly Google Docs link. My dad (and his assistant) are barely able to use email let alone Google Docs. Sometimes I wish they were more technically savvy but in spite of trying several times, I haven’t been able to teach him. In fact, his email is operated entirely by his assistant and we communicate with him via his assistant (we call her Maushi so it’s not that formal of an arrangement). He dictates his email to her and she types it out and sends it to us. Third, if it was some kind of official work, he would call me and tell me about it several times within the span of that call. This email was way too short to be anything from him. Finally, if you hover over the link in the email, it doesn’t point to Google Docs and also, the To: field in the email was blank indicating the use of BCC: My brother confirmed that he too got the same email and so did another family friend.
Anyway, my suspicions were confirmed when I directly called his assistant and told her to change their email password. Obviously, she hadn’t sent the email. But I learnt something more scary. Couple of weeks ago, my dad had received a similar email (except it asked for money to be wired) purportedly from my brother. But instead of calling him first, they exchanged a few emails with the spammer and only when it got a little too suspicious, did they call my brother. However, the spammer correctly targeted my dad’s fondness for wanting to send money even when we explicitly always tell him that we don’t want any. Luckily, he did not send any money but I’m sure he must’ve clicked some link in the email that may have given them access to his address book. It must be similar to the script that lets Twitter/Facebook/LinkedIn to import your address book.
This post is just meant to warn you to not trust any email containing links from your personal contacts especially if it sounds a little suspicious. Always call or Whatsapp them to first confirm whether it really came from them. The few minutes (or hours) you wait for their reply may end up saving you a lot of trouble.