These days, if someone says they were hacked online, odds are the culprit was an email. From celebrities to the colleagues sitting next to you, almost everyone has been caught out by one. The technique is called phishing (it began with the telephone as the tool and later moved online): the moment a recipient carelessly clicks a link in their inbox, the hacker has an opening.

If you have used email, you have probably already run into the cruder forms of phishing, for example someone claiming to be a Nigerian prince or a stranded traveller who invites you into a scheme in which both of you supposedly make money. But everyone knows this trick by now, and few people fall for it.

Today phishing comes in new forms and is far more sophisticated than before. People now often encounter "spear phishing": emails that appear to come from an acquaintance or someone you trust, such as a friend, your bank or your email provider.

This kind of phishing is highly deceptive. If people believe an email comes from a familiar company or from their boss, they lower their guard and are more likely to click a link or fill in a form, giving the hacker an easy way into their mailbox.

That is exactly how John Podesta, chairman of the US Democratic National Committee, was taken in: he clicked a link he thought had been sent by Google, and Russian hackers stole thousands of politically sensitive emails. In the same way, hackers posing as Apple sent password-reset requests and stole private photos of American celebrities such as Kate Upton and Jennifer Lawrence.

It is not only celebrities. More and more online fraudsters target company employees, either posing as their boss or breaking into a personal email account and sending suspicious links to everyone in its address book. Because the email comes from a sender the recipient has corresponded with before, the recipient is more likely to be fooled.

So how do you avoid a phishing scam? At the company level, many firms have already adopted anti-phishing products from cyber-security companies such as FireEye or AreaOne, which can block suspicious emails at the outset, for example emails that look as though they came from the US Securities and Exchange Commission (SEC).

For individuals, phishing emails often share a few common features. Misspelled words or odd grammar are an obvious signal. Also, the file the hacker wants you to click often looks strange, for example with extra letters in the link. If something feels wrong, delete the email, or verify through another channel whether it really came from someone you know.

Still, the most powerful weapon against phishing is common sense. Ask yourself, for instance, why you suddenly received an email asking you to reset your password. A friend or family member emailing you to click an unfamiliar link: isn't that suspicious?

In the end, phishing attacks are hard to avoid, because the fraud exploits human nature and our innate curiosity. That is why scammers keep succeeding, and why victims often suffer heavy losses. (Fortune China)

Author: Jeff John Roberts. Translator: Charlie. Reviewer: 夏林
When you hear about someone getting hacked, there's a good chance it started with an email. Everyone from celebrities to your work colleagues falls for the same trick. It's called "phishing" (yes, with a "ph"), and it relies on an unsuspecting someone clicking on a link in his or her inbox, inviting the hackers inside.

If you use email, you've already encountered phishing in its crude forms: those emails from a Nigerian prince or a stranded traveler who invites you to join some scam where you each make money. But everyone knows about these scams, and so few people fall for this form of phishing.

Today, though, phishing comes in new and much more devious forms. Often called "spear-phishing," it relies on scammers sending you a message that looks like it's from someone you know or trust—for instance, your bank or a friend or your email provider. (Check out our "Data Drop" video above to see how it works.)

This form of phishing is so effective because people will let their guard down if they think an email is from a known company or their boss. As a result, they are much more likely to click on a link or fill out a form that gives hackers a way into their inbox.

This is what happened to John Podesta, the head of the Democratic National Committee, who clicked on a link he thought was from Google, and let Russians steal thousands of sensitive political emails. In the same way, hackers obtained private photos of celebrities like Kate Upton and Jennifer Lawrence by sending them password reset requests that appeared to be from Apple.

And it's not just famous people. More and more, scammers are targeting corporate employees with emails that appear to be from their boss. Or they will get into one person's email account and send messages to everyone in their contact list with a suspicious link. Once again, because the email is from a known sender, people are more likely to fall for it.

So how can you avoid falling for a phishing scam?

In the case of companies, many of them use phishing-detection products from cyber-security firms like FireEye or AreaOne, which can screen out suspicious emails—such as ones that appear to be from the SEC—in the first place.

As for individuals, there are often a few clues that an email is a phishing attempt. For instance, misspellings or odd grammar are a big giveaway. And the document or link that the hackers want you to click will usually show something odd, such as extra letters. If you see any of these red flags, delete the email or find another way to check if the sender is real.

But the biggest defense against phishing is common sense. Ask yourself, for instance, why you're getting an email to reset your password out of the blue. Or be skeptical about an email that appears to be from a friend or family member asking you to click on a random link.

Ultimately, we can't defeat phishing altogether because it relies on human nature and our natural curiosity. That's what makes it so effective—and so dangerous.
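The clues the article lists for individuals (a sender who claims to be a trusted brand but writes from somewhere else, a link whose domain has "extra letters", and link text that shows one site while the link goes to another) can be turned into mechanical checks. The script below is an added example and is not code from the article, from Fortune, or from FireEye or AreaOne; the trusted-domain list, the two sample messages and the edit-distance threshold are assumptions made up for this illustration. It also generalizes a little beyond the article's "extra letters" clue by treating any small edit distance from a trusted domain as a lookalike.

```python
"""Added example: flagging the phishing clues the article describes.

Not the article's or any vendor's code. TRUSTED_DOMAINS, the sample
messages and the distance threshold are assumptions for this demo.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands/domains this reader actually has accounts with.
TRUSTED_DOMAINS = {"google.com", "apple.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. A small distance between an unknown domain and a
    trusted one is the 'extra letters' clue, e.g. 'gooogle.com' vs 'google.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive last-two-labels reduction ('accounts.google.com' -> 'google.com').
    Production code should consult the Public Suffix List; enough for a demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_email: str) -> list[str]:
    """Return one 'code: detail' string per red flag found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    flags = []

    # Clue 1: the display name drops a trusted brand, but the address is elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and sender_domain != trusted:
            flags.append(f"brand-spoof: '{display_name}' sent from {sender_domain or '<no address>'}")

    parser = LinkExtractor()
    parser.feed(msg.get_payload())  # sample messages are single-part HTML
    for href, text in parser.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        # Clue 2: the link's domain is a near miss of a trusted one.
        if href_domain not in TRUSTED_DOMAINS:
            for trusted in TRUSTED_DOMAINS:
                if edit_distance(href_domain, trusted) <= 2:
                    flags.append(f"lookalike-domain: {href_domain} resembles {trusted}")
        # Clue 3: the visible text shows one site but the link goes to another.
        text_host = urlparse(text).hostname
        if text_host and registrable_domain(text_host) != href_domain:
            flags.append(f"link-mismatch: shows {text_host}, goes to {href_domain}")
    return flags


# Constructed sample messages (not real mail). The first imitates a password-reset lure.
SAMPLE_PHISH = """From: "Google Accounts" <security@gooogle-accounts.com>
To: user@example.com
Subject: Password reset required
Content-Type: text/html

<html><body><p>Someone has your password. Click
<a href="http://accounts.gooogle.com/reset">https://accounts.google.com/reset</a>
to reset it now.</p></body></html>
"""

SAMPLE_LEGIT = """From: "Google" <no-reply@accounts.google.com>
To: user@example.com
Subject: Your sign-in settings
Content-Type: text/html

<html><body><p>Review your settings at
<a href="https://accounts.google.com/settings">https://accounts.google.com/settings</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Each indicator maps to one of the article's own clues, so a reader can see which check fired and why; a mail client or gateway would typically combine them into a score rather than block on any single one, because legitimate mail does sometimes use tracking links whose domain differs from the visible text.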