Cyberattack: How we were phished by professional hackers
Privacy
All right, so Graham, I got hacked.
Dan, you are a seasoned tech reporter, you know everything that there is to know, how did that happen?
[MUSIC]
I'm glad I fooled you, I know nothing. You cover technology, I cover cyber security.
I was incredibly.
I clicked the link on the email.
But you get emails all the time, I'm sure you ignore it.
Emails that look like phishing before. What got you?
The problem is that it came from a trusted source.
One of our colleagues.
Here at CBS News.
So of course, like a dummy, I clicked the link.
I saw emergency, alert, emergency, alert, so I emergency alert.
But wait, no no, like a trusted person didn't actually send you the email, you just thought it was a trusted person.
That's exactly right. [LAUGH] Because I was hacked for two weeks on purpose. And so were you.
What did you fall for?
That's the thing.
So I kind of wanted to say how stupid of you to click this but I was probably worse than this.
I fell for PR pitches or what looked like PR pitches.
Sometimes they referenced people close to me and sometimes they just had really attractive messages, and one of them was like, you are invited to a food and beer festival, and I thought mm-hm and I clicked the link and immediately realized that I had put the whole company in danger.
For a little while I felt slightly less stupid when I read the stats that one in seven emails can be a phishing attack email, and then I clicked another link and I went back to feeling stupid.
[MUSIC]
And the one that made me feel the worst was one that said, we want to let you know that your Twitter account has been hacked, and showed a screen grab of what looked like my own hacked account.
All I had to do was check my own account, and see my own Twitter page, and know that it was fine.
But instead I clicked the screen grab.
Did that email come from me?
It appeared to come from you, yeah.
It said, just so you know, your account's been hacked.
I thought it was you!
[LAUGH] I clicked the same email, that looked like it was coming from you.
We're easy targets, and this company should be wary of us.
Every company should be wary of every single employee. The thing is, with phishing it's really easy to fall for this, because an attacker will spend a lot of time, more time than you'd expect, crafting these campaigns that are designed to fool us.
So let's talk about what to do, knowing that.
I myself, since we did this experiment, have gotten several emails that I'm pretty sure are legitimate.
But I don't even want to respond to those. Some of them are from former colleagues and friends, and I need to figure out how to click the links in those emails and respond to them without worrying that they are actually hackers that are trying to get them. What should I do?
I put the tin foil hat on first.
But after I'm done with the crazy conspiracy theories, I try to be as sober as possible, and I try not to react emotionally to an email.
So when you and I got those attack emails that said, hey, your account's been hacked, that's an emotional trigger.
I try not to have an emotional reaction.
[UNKNOWN] It's hard because these emails are crafted and designed to make us feel emotional.
What else should I do?
So I guess we're talking about kind of hovering over the link, make sure it's legit.
If it says this is a CNN article, it should say CNN.com.
Did I not say that?
Well-
[LAUGH]
Even if it looks like it's a CBS News article.
You can hover over the link and make sure that it actually directs to CBS News.
But the email address, the sender, that's important too, right?
That's right.
It might look like it's that person's email address.
Instead of it saying, let's say, dan.patterson@whatever.com, I want to make sure that it lines up with yours, danpatterson@whatever.com.
Make sure that the little periods and dashes are all exactly as you expect them to be.
And also, the number one lesson I think I learned, was don't download anything.
If it's a Word doc from someone you're working with, and it says this is an edit to the story we're working on together.
Or it says it's coming from HR, and you need to review new company policies, never download it unless you're 100% sure that that person actually sent it.
[MUSIC]
All right.
So, what you're telling me is to never trust any email, or any message, all phony and designed for me, right?
[MUSIC]
Basically. I mean, we can't live our lives getting a thousand emails a day while we're going,
Never trust anything.
But we have to at least be skeptical for us.
We have to think to ourselves, does this fit the normal pattern of the person sending it to me?
Do they normally have typos in their emails?
So if you are not skeptical or dubious,
then you will continue to, like me, get tricked by your emails and click the links every single time.
But if you're like Graham, then you will be a little more cautious with your email tactics and strategy.
But hey, look, phishing can happen to everyone and we should just expect this, right?
It's the new normal.
Yeah, but I wouldn't advise anyone to be like me.
[LAUGH]
Or me.
[MUSIC]