Voluntary Email Hacking via Social Engineering

What is Social Engineering?

define (n): A skill which involves manipulating people based on human’s natural desire to want to help others ultimately for one's own personal gain (Global Knowledge).

In this day and age, just about anything can be hacked. This includes accounts secured with a password. The latest vulnerability concerns email accounts. Hackers are now able to infiltrate email accounts with voluntary information. That’s right, VOLUNTARY. How you may ask? If you read our last article, “Human Vulnerabilities: Don’t be a Victim!”, you learned how technological advances can inadvertently cause vulnerabilities in daily routines such as checking emails and working remotely. Hackers implement social engineering strategies such as phishing attacks to obtain your personal data for their own gain.

That Seems Phishy...

In relation to hacking email accounts, a phishing attack where victims are targeted after research has been conducted on a particular group , referred to as spearphishing, is hackers new preferred method to obtaining information. Now, hackers are able to gain access of a person’s email account by simply using the “Forgot Password” feature used by all major email providers, Gmail, Yahoo, and Hotmail. The only information a hacker needs is your phone number and email address, two of the most commonly exchanged personal data. Whether you are shopping online or at the nearest supermarket, all businesses want to know this information as a way to track customer loyalty and market their brand. When shopping online, always check the site you are on to ensure it is secured with a SSL Certificate, preferably an Extended validated Certificate. Even if you are on a blog and the site asks for your phone number and email address, always check the site for at LEAST a Domain Validated Certificate which validates the domain. Giving out this information does not seem like a big deal until it ends up in the wrong hands. Always use caution.

Check it Out!

Watch the video below to discover how this tactic is executed:

How Does the Hacking Occur?

There is no way possible to remember all 578,358,349 passwords for each account or device you own. This is why when creating an email account, setting up a “Forgot Password” solution is so important. With the advancement of technology, regaining access to an email account where the password has been forgotten has been simplified by intergrading mobile devices. If a password cannot be remembered, a text message can be sent containing a verification code. Hackers have learned how to trick the average email account holder into giving up this precious code, which gives them access to change your existing password and control your personal email account. Normally, a hacker will pretend to be a technical rep from your email provider, send a text message from their cell phone (using a special phone number to seem legit), and say there is suspicious activity regarding the email account. They will then instruct you to reply back with the code for verification purposes. Never comply! Beware of these types of threats and do not become the next victim.

How to Prevent Becoming a Victim

The easiest way to prevent this spearphishing attack is to NEVER give out unsolicited information, no matter the source. If you do feel the source is legitimate, always seek more information by contacting the support help line to inquire more information before panicking and falling into a trap. Also, always be mindful of where you provide your personal data. Only provide your phone number or email address to trusted businesses or online sites. Being aware of where you submit your personal data will also protect you from receiving tons of spam. Using a Malware Scan can also help protect you from such spearphishing attack by monitoring your computer’s environment. Now remember this potential threat and surf the web responsibly.

Sources

Global Knowledge Training LLC (2015)

Grzonkowski, Slawomir. "Password Recovery Scam Tricks Users into Handing over Email Account Access." Symantec Official Blog. Symantec, 16 June 2015. Web.