Chinese edition (Fortune China): author Jeff John Roberts, translator Charlie, reviewer 夏林.
When you hear about someone getting hacked, there's a good chance it started with an email. Everyone from celebrities to your work colleagues falls for the same trick. It's called "phishing" (yes, with a "ph"), and it relies on an unsuspecting someone clicking on a link in his or her inbox, inviting the hackers inside.

If you use email, you've already encountered phishing in its crude forms: those emails from a Nigerian prince or a stranded traveler who invites you to join some scam where you each make money. But everyone knows about these scams, and so few people fall for this form of phishing.

Today, though, phishing comes in new and much more devious forms. Often called "spear-phishing," it relies on scammers sending you a message that looks like it's from someone you know or trust—for instance, your bank or a friend or your email provider. (Check out our "Data Drop" video above to see how it works.)

This form of phishing is so effective because people will let their guard down if they think an email is from a known company or their boss. As a result, they are much more likely to click on a link or fill out a form that gives hackers a way into their inbox.

This is what happened to John Podesta, the head of the Democratic National Committee, who clicked on a link he thought was from Google and let Russians steal thousands of sensitive political emails. In the same way, hackers obtained private photos of celebrities like Kate Upton and Jennifer Lawrence by sending them password reset requests that appeared to be from Apple.

And it's not just famous people. More and more, scammers are targeting corporate employees with emails that appear to be from their boss. Or they will get into one person's email account and send messages to everyone in that person's contact list with a suspicious link. Once again, because the email is from a known sender, people are more likely to fall for it.

So how can you avoid falling for a phishing scam?

In the case of companies, many of them use phishing-detection products from cyber-security firms like FireEye or AreaOne, which can screen out suspicious emails—such as ones that appear to be from the SEC—in the first place.

As for individuals, there are often a few clues that an email is a phishing attempt. For instance, misspellings or odd grammar are a big giveaway. And the document or link that the hackers want you to click will usually show something odd, such as extra letters in the address. If you see any of these red flags, delete the email or find another way to check whether the sender is real.

But the biggest defense against phishing is common sense. Ask yourself, for instance, why you're getting an email to reset your password out of the blue. Or be skeptical about an email that appears to be from a friend or family member asking you to click on a random link.

Ultimately, we can't defeat phishing altogether, because it relies on human nature and our natural curiosity. That's what makes it so effective—and so dangerous.
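The two clues the article describes, a link whose domain has "extra letters" compared with a real one and a sender whose display name claims a trusted brand while the actual address comes from somewhere else, can be checked mechanically. The script below is an added illustration written for this page; it is not code from the article or from any of the vendors it names. The trusted-domain list, the brand words, and the sample message are constructed assumptions, and the domain handling is deliberately crude (last two labels, no public suffix list), which a production mail filter would not get away with.

```python
"""
Lookalike-link and spoofed-sender checker (added example, not from the article).

Flags links whose domain is one edit away from a trusted domain (the
"extra letters" clue), links that bury a trusted brand inside a subdomain
of some other host, and From headers whose display name names a brand
while the address belongs to a different domain.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: domains this recipient legitimately gets mail from.
TRUSTED_DOMAINS = {"google.com", "apple.com", "sec.gov"}

# Constructed map from a brand word in a display name to the domain it should use.
BRAND_WORDS = {"google": "google.com", "apple": "apple.com", "sec": "sec.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message (not a real email): one legitimate Google link,
# one lookalike with an extra letter, one brand buried in a subdomain, one unrelated.
SAMPLE_FROM = "Apple Support <no-reply@apple-id-verify.net>"
SAMPLE_BODY = (
    "Sign in at https://accounts.google.com/reset to continue.\n"
    "Or verify here: http://gooogle.com/login\n"
    "Your Apple ID: https://apple.com.account-verify.net/confirm\n"
    "Unrelated reading: https://news.example.org/today\n"
)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (crude stand-in for the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'gooogle.com' vs 'google.com' is 1 (one extra letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates (one edit away), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def flag_links(body: str):
    """Return (url, imitated_domain, reason) for every suspicious link in `body`."""
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        dom = registrable_domain(host)
        if dom in TRUSTED_DOMAINS:
            continue  # genuinely on a trusted domain (incl. its real subdomains)
        imitated = lookalike_of(dom)
        if imitated:
            findings.append((url, imitated, "lookalike"))
            continue
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:  # e.g. apple.com.account-verify.net
                findings.append((url, trusted, "brand-in-subdomain"))
                break
    return findings


def flag_sender(from_header: str):
    """Return the brand domain the display name claims if the address domain differs, else None."""
    name, addr = parseaddr(from_header)
    addr_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    for word, brand_domain in BRAND_WORDS.items():
        if re.search(r"\b" + word + r"\b", name, re.IGNORECASE) and addr_domain != brand_domain:
            return brand_domain
    return None


if __name__ == "__main__":
    for url, brand, reason in flag_links(SAMPLE_BODY):
        print(f"suspicious link ({reason}, imitates {brand}): {url}")
    spoofed = flag_sender(SAMPLE_FROM)
    if spoofed:
        print(f"display name claims {spoofed} but address domain differs: {SAMPLE_FROM}")
```

Run against the constructed sample, it passes the real `accounts.google.com` link and the unrelated one, flags `gooogle.com` as a one-edit lookalike of `google.com`, flags the `apple.com.account-verify.net` host for carrying a brand inside another domain, and reports the "Apple Support" sender as spoofed because the address is not on `apple.com`. The point of the exercise is the same as the article's advice: the decisive check is the actual domain in the address bar or the From address, not the words around it.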