“Someone has your password.” Those four words, in an email claiming to be from “The Gmail Team,” set off a series of events that led to the hacking and leaking of private emails sent to and from the Democratic National Committee (DNC).
The email was sent as part of a spear phishing attack against the DNC. Spear phishing works much like other types of phishing attacks. The attackers send an email crafted to appear to come from a trusted source. The goal is to get the recipient to click a link in the email and hand over private information, or to open an attachment or download that installs malware.
Spear phishing goes a step further. Instead of a large volume of emails sent to random recipients, the emails specifically target an individual or group (e.g., employees of a specific company). They appear to come from a trusted source and may include details specific to the target that were gleaned from social media or other sources, which makes them far more convincing than generic phishing.
In the case of the DNC hack, an email was sent to Hillary Clinton’s campaign chairman, John Podesta. The email said that someone had attempted to log in using his credentials and that he needed to change his password immediately. Podesta’s chief of staff forwarded the email to the campaign’s IT team to ask if it was genuine, and a member of the team responded that it was “a legitimate email.” Later, the IT staffer said that he knew the email was a fraud and had meant to write “an illegitimate email,” but simply mistyped. That was an unfortunate mistake for the campaign, as someone on the staff ended up clicking the link in the email and handing Podesta’s login information to the hackers. (It should be noted that the IT staffer’s reply said to change Podesta’s password immediately and gave a link to the correct page to do so, telling the staff to also make sure two-factor authentication was turned on for the account.)
Security company FireEye estimates that 70% of spear phishing emails are opened by the recipient and that 50% of those who open them click on the link or open the attachment. Spear phishing emails appear to be legitimate. That is why they are so effective. But there are ways to protect yourself and avoid becoming a victim.
One protection is to use two-factor authentication wherever it is available, so that a stolen password alone is not enough to get into the account. Most importantly, do not click a link in an email that asks for a password, account number or other personal data, even if the message looks like it came from a service you use. If you believe the request may be legitimate, go to the company’s website by manually typing the actual URL into your browser, not by clicking a link in the email. Where a link is shown as a URL, hover over it first: the address the link actually goes to often differs from the one displayed.
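The following is an added example, not code from the original article, showing how the “look before you click” advice can be mechanised: it pulls every link out of an HTML email body and flags the patterns that typically betray a credential-phishing link. The sample message, the `.example` hostnames and the list of hosts the recipient expects for a Google account notice are all constructed for illustration; the heuristics are common practitioner checks, not an exhaustive anti-phishing filter.

```python
"""Flag suspicious links in an HTML email body (added example, not from the article).

Heuristics applied to each http(s) link:
  1. The visible link text looks like a URL but the href points at a different host.
  2. The host is an IP literal or contains a punycode ("xn--") label, both common
     in look-alike domains.
  3. The host is not under any of the hosts the recipient expects for this sender.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


# Matches link text that looks like a URL or bare hostname, capturing the host part.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def host_of(url):
    """Lower-cased hostname of a URL; bare hosts are treated as http://host."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_under(host, expected_hosts):
    return any(host == h or host.endswith("." + h) for h in expected_hosts)


def check_link(href, text, expected_hosts):
    """Return a list of reasons this link is suspicious (empty if none)."""
    if not href.lower().startswith(("http://", "https://")):
        return []  # mailto:, tel:, anchors etc. are out of scope here
    host = host_of(href)
    reasons = []
    if _is_ip_literal(host):
        reasons.append("ip-literal host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")
    shown = _URLISH.match(text)
    if shown and shown.group(1).lower() != host:
        reasons.append(f"display text shows {shown.group(1).lower()} but link goes to {host}")
    if not _is_under(host, expected_hosts):
        reasons.append("host not in expected list")
    return reasons


def audit_email(html, expected_hosts):
    """Return [(href, reasons)] for every link that raised at least one reason."""
    findings = []
    for href, text in extract_links(html):
        reasons = check_link(href, text, expected_hosts)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample body imitating a password-warning notice; the first three
# links are typical phishing shapes, the last one is a genuine-looking link.
SAMPLE_EMAIL = """
<p>Someone has your password.</p>
<p><a href="https://myaccount.google.com-security-settings.example/login">https://myaccount.google.com/security</a></p>
<p><a href="http://198.51.100.7/reset">Change password</a></p>
<p><a href="https://xn--gogle-65a.com/">Google</a></p>
<p><a href="https://myaccount.google.com/security">Help</a></p>
"""

# Hosts the recipient would legitimately expect for a Google account notice (assumption).
EXPECTED_HOSTS = ("google.com", "accounts.google.com")

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL, EXPECTED_HOSTS):
        print(href, "->", "; ".join(reasons))
```

The display-text mismatch check is the one that would have mattered most for a message like the one Podesta received: a link whose visible text reads like a familiar account URL while its target is somewhere else entirely is the classic tell, and it is invisible unless you hover or inspect the `href`.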