We can stop phishing attacks
Phishing is one of the most common attacks users face on a daily basis. Unfortunately, you don't need to be phished yourself for the attacker to get your information. Every time one of your contacts is phished, your contact information is swept up in the attack. Long story short, most of our contact information is already floating around in the darker corners of the Web.
1. Enable 2-Step Verification
Google, Dropbox, LinkedIn, Microsoft, and many other companies offer and actively encourage Two-Factor Authentication (2FA). 2FA stops phishing attacks in their tracks. You can set up Google's 2-Step Verification in 5 minutes. It's an extra layer of security. Most people only have one layer, their password, protecting their account. With 2-Step Verification, if a bad guy hacks through your password layer, he'll still need your phone to get into your account.
2. Install Google's Password Alert Chrome extension
The Password Alert extension helps protect against phishing attacks. If you enter your Google Account password or Google for Work password anywhere other than Google's sign-in page, you'll receive an alert, so you can quickly change your password if needed.
Ideally the alert gives you enough time to escape before the attacker sets the hook! It's also a good way to keep yourself honest: you shouldn't be using your email address and email account password combination for other sites and services. Sensitive services deserve their own credentials.
3. Take the Google Security Checkup
The Google Security Checkup helps protect your Google Account by walking you through a review of its important settings. It's good to do a security checkup at least twice a year.
Bonus #4. Report Phishing Sites
Did you know you can report a phishing site to Google? You sure can! Google responds very quickly to new phishing sites, which pop up on the servers of otherwise legitimate web sites every second.
Bonus #5 for Google Apps Admins
Turn on Admin Alerts! Google continues to expand and improve Google Apps Domain alerts for Super Admins, or for any other users you'd like to receive them.
Admittedly, a stage 1 phishing attack isn't very intimidating. Your email address is probably worth fractions of a fraction of a penny on the black market. The real security threat comes in the stage 2 and 3 attacks, and these are becoming much more sophisticated.
For example: I phish you at a 100-person company. Once I have access to your account, I immediately (and programmatically) copy your contact list. I now have a list that likely includes the 99 other employees, easy to pick out by the domain (@yourcompany.com). I have a simple web crawler that cross-references my new contact list with information freely available online. This is script kiddie hacking, and I already know the hierarchy of your organization, including contact information. I know who the CEO and CFO are, for example. I can make a good guess at who would handle inbound and outbound payments or W2 and 401K documents for employees, and much more. Now we move on to spear phishing attacks: we select specific targets and create target-specific content. If we still have access to compromised accounts, we can even intercept and redirect traffic.
What many of us don't understand about these attacks is how little effort (read: investment) is involved on the part of the bad guys. We're not talking about manual labor; we're talking about programmatic attacks. Once I have a working program, I can scale it almost limitlessly. Netflix runs its entire operation on Amazon. These bad guys have access to their own infrastructure as well: shady operations located far away from tech-savvy jurisdictions.
People ask me all the time, "What's in it for them?" It's a simple answer: money. The bad guys take our money. Bad guys don't have venture capital, angel investors, or 'successful exits'. They're phishing us because it pays.