One of the increasing trends in cyber-crime is hacking into a victim’s email account, either to steal personal and sensitive information or to gather information about them to access their bank account or steal their identity.
In this article we look at how you could become a victim of cyber-crime if the attacker knows only your email address and mobile phone number and, crucially, what you need to remember to mitigate it from happening.
Symantec, who initially warned of the scam, said: “This scam has two things going for it: its simplicity and the fact that people have an overwhelming tendency to trust figures of authority.”
How the scam works (Example: Gmail)
- The attacker visits the Gmail login page and inputs the victim’s email address, and then clicks on ‘need help?’ This is the link you click when you have forgotten your login details
- The attacker then asks to be sent, via SMS, a six-digit verification code to log into the Gmail account
- The victim is then sent, via SMS, the verification code
- The attacker, acting as if they are Google, then sends the victim a text message asking to be sent the verification code
- The SMS from the attacker may read: “This is Google. Google has detected unusual activity on your account. Please reply with your verification code to stop this unauthorized activity.”
- The victim, believing the message is legitimate and coming from Google, replies with the six-digit verification code
- The attacker then uses the verification code to get a temporary password and gain access to the victim’s Gmail account
Symantec have published a video explanation – see this scam in action:
As the processes in place for password recovery are similar across all email providers, including Yahoo and Outlook, as well as Gmail, it is essential you understand your potential risk and how to mitigate your vulnerability.
How can I mitigate my vulnerability?
The most important point to note is that password recovery services will NEVER ask you to respond to them via SMS.
The systems are in place for password recovery, and the services will only tell you the verification code. They will not ask you to reply or respond in any way. Also:
- Always be suspicious of SMS messages asking about verification codes – Did you ask for it?
- Always question the legitimacy of a message before answering a request. Are you expecting the request? Is this how the provider usually contacts you?
- If you are uncertain about a request, contact your email provider for assurance
Symantec conclude: “Remember, just because someone looks like a police officer and sounds like a police officer, that doesn’t mean you should hand over your car keys without seeing some ID first.”
Best practice for email account safety – 2 step verification
Finally, using 2 step verification to access your email account will provide you with an added layer of protection. The 2 step verification process often involves you confirming via your mobile phone that you are accessing your email account. This process is really simple to use and easy to set up. Depending on your email provider you may be able authorise a device so that you only have to use the 2 step verification when you access your email form new devices.
If you have any questions on this, or any aspect on cyber security, please contact us.