… are rapidly becoming a serious threat. These are based largely on social engineering — so the only defense is to be alert and extremely cautious about any email you receive that is not from a well-known source like a personal friend. Brian Krebs has some analysis and practical advice:
(…) This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution I highlighted in a February blog post.
(…) Some readers may think they’re not important enough to warrant targeted phishing attacks such as these, but the truth is that such phishing attacks can be automated quite easily. I’d be willing to bet that it won’t be long before more traditional, financially-motivated cyber crooks start incorporating these techniques in their scam emails.
If I see any emails purporting to be from popular services like LinkedIn, Facebook, or Twitter, I just delete them. I don’t even bother to scan the content. As you will see from Brian, the quality of spoofing keeps getting better, so you have to pay very close attention to discriminate an attack email (most non-geek users cannot safely discriminate). E.g. Brian discusses the following bad news:
My view is “Why bother? Just delete”. The above are examples of an escalating war mounted for profit – it is just going to get worse.
Important final note: If you use Gmail you should really consider switching to 2-step authentication. With 2-step enabled you will not have to worry about a hijacked email account again (unless you give the bad guys your credentials). Brian recommends 2-step, as did we in this earlier Gmail post.