I've had this post half-written for a couple of months, and in the interim received two more phishing emails following the same pattern. Over the weekend, a peer in the security industry mentioned he had received a phishing scam that followed this pattern but in a more carefully-crafted package tailored to look like an important message from the president of his actual homeowners' association. @GRC_Ninja has a great write-up of that particular event, with some sage advice from an employer's perspective. What follows is my advice from a consumer perspective, and then a dive into the weeds.
Some phishing approaches are carefully crafted, highly targeted, and nigh impossible to recognize as evil. Some phishing approaches are ridiculously lame and downright silly. And then there is this, from the email account of someone I do know and correspond with. Devilishly simple, and yet entirely believable: who wouldn't click the link to see what the actual message is?
The email appears to be something that Yahoo! Mail could not display in the normal reader window, and which you must open into its own window in order to read. The "error message" at the bottom lends credibility to the scam. Those with digital rights management on their business email might even be used to messages that cannot render in the standard email reader.
Despite appearances, though, this is a fake, and the three best defenses against it are:
- A password manager such as LastPass or 1Password that recognizes website domains and will not enter your password into a fake login screen;
- Two-factor authentication such that if a scammer does get your password, they still cannot log in without also having your device; and
- A DNS resolver such as OpenDNS, that recognizes scam domains and prevents your browser from going there.
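As an added illustration (not from the original post, and not any particular password manager's code), this is the origin check behind the first defense: a credential saved for `https://login.yahoo.com` is only offered back on a page whose scheme and host match exactly, so the look-alike hosts used in the constructed vault and URLs below get nothing filled in.

```python
"""Added example: the exact-origin check behind the password-manager defense.

A manager fills a saved credential only when the page's origin matches the
one it was saved for, so a look-alike login page receives nothing.
All host names and the vault entry below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed vault: credentials keyed by the exact (scheme, host) they were saved on.
VAULT = {
    ("https", "login.yahoo.com"): "alice@example.com",
}


def origin_of(url: str):
    """Return (scheme, host) for url, or None if either part is missing.

    The host is lower-cased and IDNA-encoded, so 'LOGIN.YAHOO.COM' still
    matches while a Unicode look-alike host becomes an 'xn--' label that
    cannot collide with the ASCII host it imitates.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # malformed label: treat as no origin at all
    return (parts.scheme.lower(), host.lower())


def credential_for(page_url: str):
    """Return the saved username for page_url only on an exact HTTPS origin match.

    No substring or 'ends with' matching is done: 'login.yahoo.com.example',
    'mail-yahoo-login.example' and a plain-http page all return None.
    """
    origin = origin_of(page_url)
    if origin is None or origin[0] != "https":
        return None
    return VAULT.get(origin)
```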