Falling for an email phishing scam at the office

September 11, 2015
Justin Bazan, OD

Dr. Justin Bazan is the owner of Park Slope Eye in Brooklyn, NY. He serves as a spokesperson to the Vision Council and is on their advisory board the Better Vision Institute. He is a member of the New York State Optometric Association and the American Op

My front desk team sent me an email that indicated they shared a Google document with me. We share documents with each other all of the time. When the email signature appeared slightly different, my first thoughts were, “Shoot! This isn’t right. I bet we have been hacked!”

It was the typical manic Monday morning of opening up the inbox which had been stacking emails while we were away all weekend. That crushing feeling of an insurmountable workload had teamed up with some uncleared cobwebs and resulted in a diabolical email debacle. The short of it is we gave our Gmail login credentials to a hacker who used them to send a phishing email to our contacts.

More from Dr. Bazan: 10 reasons why my practice doesn't have a phone

Why did you open it?

My front desk team sent me an email that indicated they shared a Google document with me. We share documents with each other all of the time. When the email signature appeared slightly different, my first thoughts were, “Shoot! This isn’t right. I bet we have been hacked!”

Then my mind flashed to a couple of emails that had come in since Friday afternoon. The emails Friday were “Vital Information” and the best-selling follow-up “DO NOT OPEN EMAIL TITLED ‘VITAL INFORMATION’-IT IS A HACK.” My next thought was “That knucklehead Aaron probably just opened that email and just spammed our contacts!”

More from Dr. Bazan: HIPAA in the age of social media

I Gchatted with Aaron and found out he got the first email, and before seeing the second message opened the “shared” document. Why, man? Why?!? Why did you open that email!?!?!?! Those were my next thoughts. However, this was no ordinary email hack. Upon investigation, it was the most sophisticated phishing email I had ever seen. Here is why Aaron still has a job.

Next: Lookalike login fooled us

 

Lookalike login fooled us

We were working closely with a company to help resolve a problem we were having with its product. The email “Vital Information” was from a person we were working with at that company.

We are accustomed to using Gdocs, Dropbox, and other cloud-based apps when working on projects. The email itself was created in a way to mimic this normal task of logging on and viewing the document. It looked really really good.

Now here comes the mind-blowing sneaky and sophisticated part. When you click the link to view the document, it brings up a screen that is the exact login screen that we are accustomed to seeing. Nothing appeared out of the ordinary, the link seemed legit, and when what appeared to be the normal Google login screen appeared, Aaron simply entered the login information like he normally does.

However, in reality he had just given the hacker free reign over our Gmail account.

More technology: 5 ways to improve in-office purchasing

I was curious why the link didn’t set off the normal alarms. I typically will see a warning that the link is suspicious. However, this link looked so legit because the hacker was using a link that pointed to a Google URL for Gdocs! Wow! These criminals are so smart. Because the link really did point to a shared Gdoc, it passed the test, and no warning was given.

The link brought up the spoofed Gdoc login page. This was a first of its kind and a very clever way to pass through both current security measures and the “smell” test.

Aaron, you get a pass on this one. I understand why you were duped. We knew the sender, it’s not uncommon to share Gdocs with him, the link pointed to a Google URL, and the sign-in page looked normal. This truly was something that could have happened to even the shrewdest of email users.

Next: Taking back control of our account

 

Taking back control of our account

After the hacker had control of our Gmail account, he used our account to send a similar phishing email to everyone in our contact list.

I snapped into action. First order of business was to take back control of our account. Luckily, Aaron was still signed in to our Gmail account. If he had signed out or had been kicked out by the hacker, we would have had to begin the process of account recovery.

To regain control, I asked Aaron to access the account login details section, which is found at the bottom right of the inbox. Next, he signed out of all other web sessions, which should have booted out the hacker. Then, we immediately changed our account password. Finally, I researched how to handle a Gmail hack.

More from Dr. Bazan: How to respond to a bad online review

Fortunately (or unfortunately, depending on your point of view), such hacks are such a common occurrence that Google offers a step-by-step guide. I followed the steps listed and quickly discovered that the hacker had already changed some settings to suit his needs. In fewer than five minutes, I was able to regain control of our account and ensure that our settings were restored.

I immediately sent out warnings via social media (Facebook, Pinterest). Because our Gmail account wasn’t operational, I sent a blast out via Mail Chimp warning patients and others on our list that any recent mailings were not from us.

Victim even by the book

We fell victim to the most sophisticated phishing attack that I had ever seen. It passed the smell test, and we had our defenses up (as you should, too). A good anti-virus program, reliable firewall, virtual private network (VPN), and an anti-malware program are up and running. Our browser has protective extensions. We use only reputable torrent sites and work with credible users. We were doing things by the book.

So, if ever you find yourself in a similar position, I hope that this blueprint for recovery can help. Carry on, Aaron!

Related Content:

News