I always thought I was too careful to get hacked but something happened last week that showed what I believed was just an illusion. You can never be always careful and the simple fact is that anyone can get hacked. I almost lost my primary email address due to phishing.
Okay, I know it sounds dumb. Someone like me who calls himself a geek and who has been on the internet for a relatively long time should never fall victim to phishing but I almost did.
As a matter of fact, I did and it was due to one tiny browser setting I did wrong. I decided to talk about this because any could fall victim, even the most security conscious internet user.
What is Phishing?
I talked about this extensively in a previous article published last year but in case you missed it, we’ll briefly explain it.
You check your mails to see a seemingly important message from your bank asking you to update your details on their website. There’s a link in the email and thinking it’s a genuine message, you follow the link to update your details. Unknown to you, this email is fake and the website isn’t the real one, you’re actually sending your credit card information and online banking details to someone else.
Phishing is what’s described above and anyone can be a victim. It happens when a hacker gains confidential information from a victim by sending a fake email and directing you to fake website that looks almost real. The easiest way to get hacked online is through phishing and a lot of people do fall victim without even knowing.
For more details on Phising and how to protect yourself, you can read the full article here.
How I almost lost my email
About a week ago, I received an email from someone I considered a “trusted contact”. The particular contact usually sends press releases to my inbox though I don’t always publish them. She’s someone I’ve talked to on phone and to some extent, I can say I know this particular person.
That day, I received a mail from this contact with an attachment labeled invoice.
We didn’t have a pending deal and I was curious to know what the invoice was about, I decided to open it. It was in HTML format and I was redirected to my default mobile browser, Firefox.
I would’ve known right away if I was on my computer but I was on mobile. I’m the kind of person who’s always careful when dealing with links and attachments in emails but I almost paid dearly for my carelessness that day.
I downloaded the attachment and tried opening with Firefox on mobile and it took me to my mobile browser. I had to login to my Gmail account to view the attached invoice. I would’ve detected if the phishing attempt came in form of a link in the email. But an attachment from a trusted business contact was all too convincing.
To make matters worse, I had previously changed my browser settings and selected a very stupid option. I chose to display page title instead of URL in the address bar.
The attachment was actually requesting for my login details, I wasn’t redirected to the regular Gmail login page and I didn’t even know because I couldn’t see the page URL.
The hacker only had to put a certain PHP script in the form action to capture my details even if the “HTML invoice” was being displayed from my local disk.
I entered my details but a failed connection saved me and it was only then I saw the real address displayed in the error message. I had to change my passwords right away to stay on the safer side.
If you choose to display page title instead of the full URL in the address bar, perhaps its time to change it. Also, I think no contact can be labelled “trusted”. I later got a mail from this person explaining that her email account got compromised and she wasn’t the one who actually sent the phishing email.