So you think you’re savvy when it comes to scams, huh? Maybe you’d never click on a link in an email from someone you don’t know with a funny email address asking to send money to Nigeria — but what if it seemed to come from a coworker you know very well including a link that looks totally legit? That’s apparently how the hack of the Associated Press Twitter account went down, with a scam called “spear-phishing.”
The emailed link that apparently tricked at least one person into clicking on it was cleverly disguised, according to Jim Romanesko (hat tip to Slate for the link). Spear-phishing is sneakier than regular phishing, because it plays on your trust of friends or coworkers. And at an organization like the AP, sending around news links is par for the course.
All that combines to make a pretty believable set-up, as seen in the email below (provided by Romanesko’s source):
Sent: Tue 4/23/2013 12:12 PM
From: [An AP staffer]
Please read the following article, it’s very important:
[A different AP staffer]
Unfortunately for the AP, someone hadn’t read the warning that went out less than an hour before the hack attack, reading:
Some users are receiving emails that appear to have a link to a Reuters or Washington Post news story. This email is a phishing attempt that takes users to a bogus site requesting you to log on. Users are advised not click to click on the link and not to enter their logon credentials. If you have already clicked on the link, or entered your logon credentials, please contact the help desk immediately.
While it might be hard to detect a fake email from someone you trust, any time you’re prompted to enter a something like a password, be wary of who you could be giving that information to.