Have you given your password to hackers online? Make me feel better!
May 7, 2022 9:00 AM

Yesterday at work I received an email from a company that I do lots of work with. It appeared that they were sending me a secure document that normally asks for your email address and your name. However, in the rush of the moment, when it asked for my email address and password, that is what I typed in.

It appears to have then sent spam to my address book of contacts, locked down my email so it deletes everything coming in and going out, and who knows what else. Our company IT is still trying to repair the damage, after working late last night.

I KNOW better than to give my password out!! I am beating myself up as I am sure I am the only person who has done this. If you have a similar story and it turned out ok (I'm pretty sure I have taken down our company computer system) please let me know. I need to know I'm not alone.
posted by furtheryet to Computers & Internet (10 answers total) 2 users marked this as a favorite
 
Don't feel bad about it, scammers' jobs are essentially to trick you into doing this! It isn't like you put a post-it note on a laptop and left your seat at a coffee shop. You were the victim of a targeted, highly efficient scam.

Like credit card numbers, I go under the auspices of "What's the worst that can happen if someone stole the password" and live under the assumption someone has access to it. Limit what they can do before you can change it and do defense in depth with MFA if possible.
posted by geoff. at 9:47 AM on May 7, 2022 [2 favorites]


Best answer: I just got phished on Twitter like a month ago! They spoofed a "login detected" type message to the email in my bio, and I clicked the link and "reset" my password before realizing that that's... not the email my Twitter notifications go to. (I even got 2FA text! Which, of course, was from the hackers very quickly changing my password and recovery info. Whoops.) To make matters more embarrassing, because they changed my recovery email and phone number, there was no way I could get my account back without calling in a bunch of favors from friends of friends, which meant I had to explain how stupid I'd been to several high-up people at Twitter over several days, first to get the account locked down and then to get control back.

Here's the good news: none of those people were even fazed, because this happens all the time. (Arguably they were much more annoyed by how apologetic and self-flagellating I was being than they were about me getting phished in the first place.) If you're too smart to get scammed, scammers will get smarter! Think of it like natural selection; as the prey gets better at evasion, the predator has to get faster, or sneakier, or something. Except it happens much faster than natural selection because they're doing it on purpose.
posted by babelfish at 10:25 AM on May 7, 2022 [2 favorites]


Best answer: I've never done this, but I know how common it is, and the answer is: pretty common! Scammers are constantly in an arms race to make their phishing tools as genuine and as hard to detect as possible.

If your company IT hasn't forced you to use MFA (multi-factor authentication, meaning an app or a code-generating tool on your own device) in 2022, and they're not doing anything more unusual to limit access (like aggressively managed/controlled company computers or client certificates), this is much more of a them problem than a you problem. Email has always been a major target, especially company/organization email.

If your compromised credentials were used to make off with less than $10,000 USD of company money and your company has business-critical systems that aren't ransomwared, this is a minor breach.

About every other week, I get emails with a subject like "Suspicious Sign-In Attempt" and contents like "Microsoft noticed a suspicious sign-in attempt at your client Initech*, click here to sign into the client's admin portal." I click there (or, realistically, open the link in a web browser profile where I'm already signed into that client's Microsoft environment), and the actual event details are typically like "Michael Bolton* at Initech signed into his email from Tucson, Arizona, USA, on Monday, Tuesday, Wednesday, and Thursday. On Friday at 2am, time, someone with Michael's email address and password tried to get into his email account from Montreal, Quebec, Canada. The suspicious sign-in failed because they couldn't get past the MFA prompt."

Then I lock Michael's account, change his password for him, and contact him (or have a coworker of his contact him) to get him back into his account. It takes me ten minutes max, and no company data is lost or jeopardized.

*These names are fake; they're references to the Nineties movie Office Space.
posted by All Might Be Well at 10:37 AM on May 7, 2022 [1 favorite]
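The sign-in review described in the answer above, written out as an added example (not code from the thread or from any vendor): it builds each user's "normal" locations from successful sign-ins, flags attempts from anywhere else, and separates "MFA stopped it but the password was accepted" (rotate the password) from "wrong password" (nothing proven yet). The log format, user names and locations are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample sign-in log (not real data): timestamp, user, city,
# country code, result. "mfa_failed" means the password was accepted but
# the second factor was not; "bad_password" means the password was wrong.
SIGNIN_LOG = """\
2022-05-02T08:02 michael.bolton Tucson US success
2022-05-03T08:05 michael.bolton Tucson US success
2022-05-04T07:58 michael.bolton Tucson US success
2022-05-05T08:10 michael.bolton Tucson US success
2022-05-06T02:00 michael.bolton Montreal CA mfa_failed
2022-05-06T09:00 samir.n Tucson US success
2022-05-06T23:15 samir.n Lagos NG bad_password
"""


def parse_log(log=SIGNIN_LOG):
    """Turn the space-separated lines into dicts; location is 'City,CC'."""
    rows = []
    for line in log.splitlines():
        ts, user, city, country, result = line.split()
        rows.append({"ts": ts, "user": user,
                     "loc": f"{city},{country}", "result": result})
    return rows


def baseline_locations(rows):
    """Where each user has actually got in from: their 'normal'."""
    normal = defaultdict(Counter)
    for r in rows:
        if r["result"] == "success":
            normal[r["user"]][r["loc"]] += 1
    return normal


def suspicious_signins(rows):
    """Attempts from a location the user has never successfully used.
    The baseline is built over the whole input, so feed it a window of
    history plus the new day, not the new day alone."""
    normal = baseline_locations(rows)
    return [(r["user"], r["ts"], r["loc"], r["result"])
            for r in rows if r["loc"] not in normal[r["user"]]]


def password_rotation_needed(rows):
    """Users whose password is demonstrably known to someone else: a
    suspicious attempt got past the password check, even if MFA then
    blocked it. A wrong-password attempt proves nothing on its own."""
    return {user for user, _, _, result in suspicious_signins(rows)
            if result != "bad_password"}


if __name__ == "__main__":
    rows = parse_log()
    print(suspicious_signins(rows), password_rotation_needed(rows))
```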


Best answer: You're not alone - there's an entire name for this, because it's so common: Business Email Compromise! Here are 12 examples of large, famous companies losing hundreds of millions of dollars because people responded to fake invoices or attackers impersonating their CEOs. Here's a security expert writing about this, with examples in the replies from knowledgeable people who got tricked.

Agreeing with All Might Be Well: when I made an anti-phishing training for the small business where I work, I emphasized that anyone can be tricked in a moment of distraction or stress. Trying to train people to detect/avoid phishing emails isn't enough, for exactly the reasons you experienced. Our company needed to require strong multi-factor authentication for all employee accounts! If at all helpful, I wrote up the story here and made the slides available for reuse under a Creative Commons license.
posted by dreamyshade at 12:22 PM on May 7, 2022 [2 favorites]


Seconding the sentiments echoed above; passwords are a sucky system and phishing attacks get harder and harder to guard against as they become more sophisticated.

If your company IT department allows it, you may want to try using a password manager for your passwords. While the primary utility is that it keeps password reuse down (which limits the scope of damage a password breach has), it will also help you avoid all but the most sophisticated and difficult-to-achieve phishing attacks, as it will only suggest password fills for the website the password belongs to, and you have to do extra work to use it elsewhere. The hope is that extra work will raise red flags and help you to slow down and investigate.
posted by Aleyn at 2:55 PM on May 7, 2022 [1 favorite]
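The "only suggest fills for the site the password belongs to" behaviour from the answer above, as an added illustration rather than any real password manager's code: it binds each saved login to its exact origin (scheme, host, port), so a lookalike host, a host that merely contains the real name, or a downgrade to plain http gets no suggestion. Real managers differ in how strictly they match; the vault contents and host names here are constructed.

```python
from urllib.parse import urlsplit

# Constructed vault for this illustration (not real accounts): each saved
# login is stored together with the exact site it was saved on.
VAULT = {
    "https://login.initech.example": {"user": "michael.bolton", "pw": "hunter2!"},
    "https://mail.example.com": {"user": "furtheryet", "pw": "correct-horse"},
}


def origin(url):
    """scheme://host[:port], the unit a saved login is bound to here.
    Returns None for anything that is not plain http(s) with a host."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def fill_candidates(page_url, vault=VAULT):
    """Usernames the manager would offer on page_url: exact origin only.
    An empty list on a page that is asking for a password is the cue the
    answer above describes: stop and look at the address bar."""
    wanted = origin(page_url)
    if wanted is None:
        return []
    return [c["user"] for saved, c in vault.items() if origin(saved) == wanted]


if __name__ == "__main__":
    for url in ("https://login.initech.example/sso?next=/docs",
                "https://login-initech.example/secure/document",
                "https://login.initech.example.evil.example/",
                "http://login.initech.example/"):
        print(url, "->", fill_candidates(url))
```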


Social engineering is a difficult thing to control. Computers can be locked down, but the human heart is much harder to guard. Kevin Mitnick, a notorious hacker (now a "security researcher"), has a book just on social engineering.

What your company needs to do is get everybody to multi-factor authentication, preferably with a hardware key such as YubiKey or its cousins, the Titan Keys from Google, or the newcomer, the OnlyKey series. If your login requires both a password AND this key (which, presumably, you will not lose), then even losing the password in a scenario like the one you just experienced will NOT MATTER, because the hackers did not steal the key and are thus STILL unable to enter your network. Every employee gets one, and one key only. Each key can only access one account.

Google implemented this back in 2018 and virtually eliminated phishing attempts that got you. Yes, it is an extra step, but for companies that live on data, it is worth the few extra bucks it will spend per employee, and a slightly more complicated login process. And yes, there are keys that work on mobile as well.
posted by kschang at 5:14 PM on May 7, 2022 [1 favorite]


Response by poster: Thank you everyone for your understanding and informative responses. Having more information about this issue is helpful for me, as I had not really given it much thought before. I feel like I'm much better equipped to be a good citizen in the world of email. And Babelfish, you made me feel much better, just reading about your story. Thank you.
posted by furtheryet at 8:46 PM on May 7, 2022 [1 favorite]


I’ve never been good at social engineering myself but when I was in high school I used to help my friends dig company directories out of dumpsters so they’d have the right names on tap when talking secretaries out of their bosses’ passwords.

There were rivalries over who could get the most. 90% of the passwords went unused; getting them was a goal unto itself.

Now our youthful hijinks have been automated and turned into a big business. Instead of some bored teenagers with telephones you have an army of professionals constantly probing your online defenses until one day, like everyone, you get distracted for a minute.

If this was happening to you constantly it would be different, but under the circumstances you wouldn’t be human if you didn’t trip up now and again.
posted by Tell Me No Lies at 10:32 PM on May 7, 2022 [3 favorites]


I am a computer professional, and know all about the various types of scams, spams and phishing. And yet a decade ago I was at my computer when an Adobe banner popped up and said, basically, "Hey, the new Acrobat just dropped, should I update it?" I automatically clicked Yes before going "Oh shit, I told Acrobat not to check for updates automatically!"

Luckily it wasn't ransomware, just malware that directed all my web searches to some sort of fly-by-night search engine, but it was the most persistent malware I'd ever encountered, resistant to every damn thing I knew or could find to get rid of it, so when I told my partner I was going to nuke the OS to the ground, they said "I built that computer for you and I'm sort of tired of supporting it. How about I use my yearly bonus and buy you an iMac instead?" So in the long run, at least I got a new computer out of it.

I have felt shame for years about that, but it's mitigated by everyone telling me that they'd have fallen for it, too. It really looked exactly like the Adobe pop-up update banner.
posted by telophase at 12:46 PM on May 9, 2022 [1 favorite]


It happens - and they are getting more and more sophisticated with each passing day.

At least once per week, I have to remind 6 immediate family members that there are scams going around and they should check with me. And, I almost did this myself about a week ago....
posted by rozcakj at 8:25 AM on May 13, 2022

