Did you get an email from a friend recently with a PDF attached for you to open? Be careful: it may not be what it seems.
An email scam which aims to trick you into giving up your email login details by sending you a (fake) link to a PDF has been doing the rounds this year (2017).
To make it seem plausible, the scam email is sent from compromised accounts (that is, from a friend whose account has already been hacked), using subject lines and file names that make you think it really is your friend, so that you are more likely to click.
The phishing campaign was detailed in a recent blog post by WordFence, a WordPress security firm.
Here’s how it works:
- The attacker (aka scammer), using an email account they have already compromised (yours or that of someone you know), sends emails to that account's contacts.
- The email contains what appears to be a link to an attachment (often a PDF) hosted on Google Drive.
- You receive this email and trust it, because viewing a document on Google Drive normally needs no download and feels harmless.
- If you click the link, you are taken to a page that looks like the Google login page but is not hosted by Google: its address does not start with https://accounts.google.com/.
- You enter your login details when prompted and, just like that, the attacker has access to your account.
- The attacker then starts the process all over again, this time targeting your most recent contacts.
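The decisive step above is the fake login page, and the one thing that reliably separates it from the real one is the address in the browser bar: a genuine Google sign-in page is served over https from accounts.google.com and nowhere else. The Python below is an added illustration of that check, not code from this article or from WordFence. The sample links are constructed to show the usual ways a link can be made to look like Google's while pointing somewhere else (a lookalike host, a host hidden behind an @ sign, an http: or data: scheme, an internationalised host); the host name it trusts is an assumption stated in the code.

```python
from urllib.parse import urlsplit

# Assumption for this example: the genuine Google sign-in page is only ever
# served over https from exactly this host.
GOOGLE_LOGIN_HOST = "accounts.google.com"


def explain_login_link(url: str) -> str:
    """Return 'ok' if url is the genuine Google sign-in origin, otherwise a
    short reason why the page behind it should not be given a password."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme != "https":
        # An http: or data: link was never fetched securely from Google,
        # whatever the page it renders looks like.
        return f"scheme is {scheme or 'missing'!r}, not https"
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; the browser connects to what follows it.
        return "text before @ hides the real host"
    host = parts.hostname  # lower-cased, port stripped
    if not host:
        return "no host"
    if any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        return f"internationalised host {host!r} may be a lookalike"
    if host != GOOGLE_LOGIN_HOST:
        # Catches accounts.google.com.evil.example, accounts-google.com, etc.
        return f"host is {host!r}, not {GOOGLE_LOGIN_HOST!r}"
    return "ok"


def triage(urls):
    """Label every link in a list, e.g. links pulled from a mailbox export."""
    return {u: explain_login_link(u) for u in urls}


# Constructed sample links (not taken from any real message).
SAMPLE_LINKS = [
    "https://accounts.google.com/ServiceLogin?continue=https://mail.google.com/",
    "http://accounts.google.com/ServiceLogin",
    "https://accounts.google.com.drive-share.example/ServiceLogin",
    "https://accounts.google.com@drive-share.example/ServiceLogin",
    "https://xn--80ak6aa92e.example/",  # punycode-encoded label (constructed)
    "data:text/html,https://accounts.google.com/ServiceLogin",  # page rendered from the link itself
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:60} {link}")
```

Only the first sample link comes back as "ok"; each of the others fails for the reason printed beside it, which is the same reasoning a careful reader applies when glancing at the address bar before typing.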
But here’s the really clever bit: the email isn’t just some generic template. It often borrows the subject line and (fake) file name from earlier emails exchanged with the person being targeted, which makes it seem very plausible.
A commenter on the news discussion site Hacker News described the attack hitting the school where they work: “They went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
The school was “hit by this hard right before the holiday break,” they wrote. “Three employees and a handful of students all got hit by the attack within a two hour period. It’s the most sophisticated attack I’ve seen.”
How do I protect myself?
Luckily, there are ways to protect yourself. Security experts recommend a different, strong password for every account you have, so that if the password for one site is compromised your other accounts are not at risk as well. (A password manager can store them all for you.)
And you should enable two-factor authentication wherever it is offered: even if your password is phished, the attacker can’t get into your account without access to your phone as well. It is not a cure-all, though. A fake login page can ask for your code just as it asks for your password, so check that the address bar reads https://accounts.google.com before you type anything.
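What “access to your phone” actually means, as an added example that is not from this article or from any particular provider: at enrolment the phone is given a secret, and every login code is derived from that secret and the current time (RFC 6238 TOTP, the scheme most authenticator apps use). The Python below implements that derivation and a login check that refuses a correct password unless a current code comes with it. The account record, the password and the timestamps are constructed for the demonstration; the seed is the RFC 6238 test-vector key, so the codes can be checked against the RFC’s own tables.

```python
import hashlib
import hmac
import struct

# Constructed account record. A real service stores a slow password hash
# (bcrypt, scrypt, Argon2); plain SHA-256 is used here only to keep the demo short.
ACCOUNT = {
    "password_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
    # TOTP seed shared with the user's phone at enrolment (RFC 6238 test-vector key).
    "totp_secret": b"12345678901234567890",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch. This is exactly what the phone app computes."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current code or one up to `window` steps either
    way to tolerate clock drift. Constant-time compare avoids leaking matching digits."""
    supplied = code.encode("utf-8")
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step).encode(), supplied)
        for k in range(-window, window + 1)
    )


def login(password: str, code, unix_time: int) -> str:
    """Two-factor login. A phished password alone stops at the second check."""
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(supplied, ACCOUNT["password_hash"]):
        return "denied: bad password"
    if code is None:
        return "denied: second factor required"
    if not verify_totp(ACCOUNT["totp_secret"], code, unix_time):
        return "denied: bad or stale code"
    return "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: at T=59 the 8-digit code is 94287082, the 6-digit code 287082
    phone_code = totp(ACCOUNT["totp_secret"], now)
    print(login("correct horse battery staple", None, now))            # denied: second factor required
    print(login("correct horse battery staple", phone_code, now))      # ok
    print(login("correct horse battery staple", phone_code, now + 300))  # denied: bad or stale code
```

The third call shows why a code copied from an old message is useless: after a few minutes it no longer falls inside the verification window, which is what makes the phone (and not a stored string) the second factor.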
On a long enough timeline, everyone gets hacked. But if you’re smart about it, you can limit the damage.