Shortly after several news organizations had email and Twitter accounts hacked into by the Syrian Electronic Army in May this year, Atlantic Media—which owns Quartz, Nextgov and other publications—ran a test to see how many of us would fall victim to something similar. We each received an email that appeared to be from Google and asked us to verify our Google accounts by logging into them at a certain link. Though it looked legitimate, the email came from a third party—in this case our own chief technology officer.
Such tactics, commonly called phishing attacks, trick people into revealing personal information, such as a password that then gives the attacker access to the victim’s email, bank accounts, Twitter, Facebook or other things. In this case, 58 percent of Atlantic Media fell for what was fortunately just a test. But tens of thousands of real attacks of this kind are carried out every month (pdf). Other media companies, including the Financial Times, the Associated Press and even the Onion, have fallen prey to them.
One way to prevent phishing is to check websites very carefully before keying in your username and password. But since most people don’t do that—or even if they do, may get fooled by a site called, say, gmaiI.com (with a capital I) masquerading as gmail.com (with a lower case L)—a prototype piece of software developed by researchers at Royal Holloway, part of the University of London, does the checking for them (pdf).
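To make the gmaiI.com case concrete, here is an added example (not the Royal Holloway prototype's method, which the article does not describe) of one way software can flag a hostname that merely looks like a trusted one. The `TRUSTED` set, the `CONFUSABLES` table and the function names are constructed for illustration and are far from complete.

```python
# Added example: flag hostnames that render like a trusted domain but are not it.
# TRUSTED and the confusable tables are small constructed samples (assumptions).
TRUSTED = {"gmail.com", "google.com", "twitter.com"}

# Case-sensitive look-alikes, applied BEFORE lowercasing: capital I renders like l.
CASE_CONFUSABLES = [("I", "l")]
# Look-alikes applied after lowercasing: digits and letter pairs.
CONFUSABLES = [("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w")]


def skeleton(displayed: str) -> str:
    """Collapse visually confusable characters to one representative form."""
    for src, dst in CASE_CONFUSABLES:
        displayed = displayed.replace(src, dst)
    displayed = displayed.lower()
    for src, dst in CONFUSABLES:
        displayed = displayed.replace(src, dst)
    return displayed.rstrip(".")


def classify(displayed: str):
    """Return (verdict, trusted_domain_or_None) for a hostname as shown to the user.

    Pass the hostname exactly as displayed. DNS ignores case, so lowercasing
    first (as URL parsers do) would turn 'gmaiI.com' into 'gmaii.com' and hide
    the very character that fools the reader.
    """
    actual = displayed.lower().rstrip(".")  # the name the browser will resolve
    if actual in TRUSTED:
        return ("trusted", actual)
    shown = skeleton(displayed)
    for domain in sorted(TRUSTED):
        if skeleton(domain) == shown:
            return ("lookalike", domain)  # looks like `domain`, resolves elsewhere
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inputs.
    for host in ["gmail.com", "gmaiI.com", "g00gle.com", "tvvitter.com", "example.org"]:
        print(host, classify(host))
```

A "lookalike" verdict is the signal to block or warn before any credentials are typed; "unknown" only means the name resembles nothing on the list, not that the site is safe.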