Phishing can be effective

Have you ever gotten an email that looks real but feels wrong, an email trying to get you to click a link in the body of the message? It may have been a phishing attack, and that sort of thing is becoming more and more common.

Fish, which sounds like phish, and has nothing to do with phishing

A typical phishing attack email is a message that tells you that there’s something wrong with one of your online accounts and that you need to click a link and log in right away to do something. That’s the kind of message that tricked John Podesta, the chairman of Hillary Clinton’s presidential election campaign. He got a message saying there was some problem with his gmail account, he clicked the link, got something that probably looked like the gmail login page, and he typed in his username and password. But the message wasn’t from gmail, and the login page didn’t belong to google. Unknown to him at the time, Podesta had just handed over his gmail credentials to criminals who then logged on to his gmail account, downloaded copies of his email, and published them on wikileaks.

That motherboard article shows a screen shot of a similar phishing message sent to someone else on Clinton’s campaign. The message told the staffer that someone had just logged on to his account from the Ukraine, and that he needs to use the link in the email to change his password immediately.

email messages like that prey on our fears, and they work well. If you get an email like that, don’t click anything in the message. Go to gmail (or whatever) via a bookmark or a web search or by typing the address yourself. Then log in and check on your account, changing the password if you need to.

Sometimes phishing messages try to appeal to emotions other than fear. The holiday season sees lots of phishing messages claiming to be from Fedex or UPS telling people to click a link to  track a package. Other effective phishing attacks ask the victim to click a link to make a charitable donation right after a natural disaster.

If you need more evidence of how effective these attacks are, remember that the Target breach happened because someone fell for a phishing attack, or read about how the city of El Paso lost $3.3 million in a phishing scam.

The main character in your story might want to use phishing to take over someone’s email. It’s the kind of thing your readers will find plausible, because they’ve probably heard lots of stories of that happening. They may have even experienced it themselves.

Photo credit to Ching for Fish, Creative Commons.

Advertisements