March 24, 2016, started off like any other day. As I hit snooze on my cell phone alarm, I turned over in my bed, scrolled through my social media, and checked a few emails from the surprisingly large amount that had already accumulated. One email from financial aid asked me for my username and password to verify some processes. Still sleepy from a late night of studying, I input my information and fell back asleep.
When I woke up 15 minutes later to my second alarm, I knew something was wrong. My Gmail account alerted me that there was a new login to my school email. Confused, I checked the authorized users on my school email and found that someone from Lagos, Nigeria, was snooping around my email.
I was phished (pronounced like the animal). Phishing is a cybercrime where an attacker disguises themselves as a legitimate institution or professional and attempts to extract sensitive information, usually through email and/or phone calls. For the month of February 2018, Symantec reported that one in 3331 emails were phishing emails.
Often times, phishing requires a form of social engineering – attackers exploiting human psychology to gain access to information or systems. Like many school emails, Brown has a specific format for its users’ email addresses: [email protected] Whenever I see this, I tend to trust the email. Furthermore, the insistence of the email and lack of broken, computer-generated English didn’t set off my “this is spam” mental alerts.
While inherently a simple cyber attack, my attacker’s reach grew at a logarithmic rate because of Brown’s connected GSuite network. Within 15 minutes, the attacker sent the same email to the rest of the Brown community. Shortly after unauthorizing the attacker, I started receiving multiple emails and Facebook messages from Brown staff and students who had received a copy of the phishing email from my account. Brown’s head of IT sent out a university-wide email explaining that a phishing attack compromised a students’ email (me) and kindly asked for everyone to avoid the email. Ashamed, I knew I was the person they were talking about. A few seconds after that, Brown’s IT services emailed me that my school email would be shut down until I walked to their office to show them I had set up two-factor authentication and reset my password.
While I was busy being embarrassed that my malware attack was publicly known, I had forgotten that scores of my sensitive data was stored on my school Google account. Equipped with unlimited data storage, my Drive had piles upon piles of essays, personal documents, and unfortunately, tax documents. Thankfully at that time, my Drive was extremely unorganized. I used naming conventions for my documents like “should probably do this soon” for my taxes. To this day, however, I don’t know if any of those files were compromised.
- Set up strong authentication processes
For a long time, Gmail would send me suggestions of updating to two-factor authentication. I deemed the thirty-second process was too arduous and never bothered to set it up. Doing so would have saved me from this entire ordeal, though. If you have the option, whatever the software or service you’re using strongest authentication process is, set it up right away.
- Provide technical literacy on social engineering and phishing scams
Hackers prey on the compassion of humans. During her introduction to the Internet, my grandmother called my mother one day exclaiming that a site wanted to give her a free iPad. My mom explained quickly that it was an ad to lure my grandmother in, and there was no free iPad at the end of the journey.
Surprisingly, statistics show that the only correlation between phishing victims is the amount of time spent on the Internet. Criminologist Rutger Leukfeldt from NHL University of Applied Sciences reviewed data on Dutch citizens who reported falling victim to cybercrime. Intuitively, this makes sense. If you check your email four times more than your colleague, you’re more likely to come across an email and absentmindedly be phished like me.
As technology evolves, so does malware. With tools like natural language processing, automated phishing emails could start looking less like a Nigerian prince promising riches and more like an email from a colleague. Staying on top of these trends while constantly updating your own security processes will make sure your information is safe, and help protect everyone else in your network. Simply check your accounts and update your passwords every now and then. Trust me, from personal experience, it can happen to you too.