Someone tried to phish my email today. Phishing is a form of electronic attack whereby a malicious person tries to steal personal information by posing as a trusted source. The following email arrived in my inbox:
This email looks like it came from Google. So how did I know it was a phishing attack?
- I have set up two-factor authentication for security alerts on my account. You can activate this from your account page within Google. It means that they will send you a notification two different ways when there is an alert on your account. In this case, I never received that second notification, which made me suspicious.
- Even if I did not have two-factor set up, there is no Google branding on the email — not even the Google logo. That is a huge red flag.
- See the sender information? “firstname.lastname@example.org” screams fake. It just doesn’t look like anything else Google uses. And check this out:
See that “via advmailservice.com?” An actual email provider would never use a third party mailing service to send you a security alert — they would send it themselves.
- I looked up advmailservice.com on WhoIs and saw it is registered in Amsterdam. No thanks.
- Lastly, I right-clicked on that big blue box that says REVIEW YOUR DEVICES NOW, and selected “copy link address.” The result was a string of characters at that advmailservice domain. Again, a real email service does not do that — they have their own websites for account information and will never use a third party.
So this is clearly a phishing attack. I don’t think it was a spear phish (which is where a person is specifically targeted), because the advmailservice domain seems to be a common one for sending out mass emails. Even so, and this is always important, I logged onto my Google account independently of the email (I did not click on any link) and checked for security alerts. There were none.
This is illustrative of how tricky phishing attacks can be. I happen to know what to look for, because several nasty experiences with cyberbullies and the Glenn Greenwald defamation troll gang who tried these techniques on me. But the instinct we have, in part because internet companies and most government services tend to encourage unsafe email practices, is to simply click on links in our emails.
It is a nasty problem, one that had national implications for the Democratic National Committee, but can pose more day-to-day challenges for normal people, as it can give criminals, identity thieves, and even hostile entities access to our private information, financial data, and even health records.
I daresay this problem is getting worse, but solutions to it are few and far between. Relying on smart user behavior, which is the preferred method for defeating phishing attacks, will never be enough — someone will always make a mistake and an attacker will slip in. There needs to be a technological response to it, but there is no sense that they are getting any closer to being available to regular people.