Many people think hacking requires years of technical learning. But sometimes the most destructive kind of malicious digital behaviour takes no coding skill whatsoever.
Take this method for gaining access to someone’s email account, recently posted on Symantec’s blog. It describes a way to easily reset an unsuspecting victim’s email password. All that is needed is the email address in question and its owner’s cell phone number.
Here’s how it works:
- An attacker can try to log in to a victim’s email address. The attacker can then say he or she forgot the password and, if two-step authentication is in place, ask the email provider to text a code to the cell phone to reset the password.
- Once this is done, the attacker can then send the victim another text asking for the code. The attacker’s text would look something like this: “This is Google. There has been unauthorised activity on your account. Please reply with your verification code.”
- If the victim unknowingly replies to the attacker’s text with the code, the attacker can use it to reset the password and the email account is forfeited.
As you can see, this takes almost no technical know-how to execute.
The attack rests on the knee-jerk reaction of the victim. The take-home, of course, is to not fall for these sorts of campaigns. Social engineering and phishing work because people don’t scrutinize the messages they receive.
To the untrained mind, a text asking for a response from an email provider makes sense. But, as Symantec writes, “Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.”
In short, always be defensive and know when someone is trying to dupe you.
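Symantec's rule quoted above (a real recovery text delivers a code and never asks for a reply) can be expressed as a small message filter. The Python below is an added example, not code from Symantec or this article; the word lists, the `classify_sms` name and every sample message other than the attacker text quoted above are constructed for illustration.

```python
import re

# Verbs that ask the recipient to hand something back (assumed word list).
ASK = r"(?:reply|respond|forward|share|provide)"
# Words for the secret a recovery service texts out (assumed word list).
CODE = r"(?:code|pin|passcode)"
# An ask followed, within one sentence, by a mention of the code.
SOLICIT = re.compile(rf"\b{ASK}\b[^.!?]*\b{CODE}\b", re.I)
# Warnings such as "never share this code" reuse the same words; exclude them.
NEGATED = re.compile(
    rf"\b(?:do\s+not|don['’]?t|never|will\s+not)\b[^.!?]*\b{ASK}\b", re.I)
# A delivered code: a stand-alone run of 4 to 8 digits.
DIGITS = re.compile(r"(?<!\d)\d{4,8}(?!\d)")

def classify_sms(body: str) -> str:
    """Return 'solicits_code', 'delivers_code' or 'other' for one SMS body."""
    # Judge sentence by sentence so a warning in one sentence cannot
    # mask a request for the code in another.
    for sentence in re.split(r"(?<=[.!?])\s+", body.strip()):
        if SOLICIT.search(sentence) and not NEGATED.search(sentence):
            return "solicits_code"
    if DIGITS.search(body):
        return "delivers_code"
    return "other"

# The attacker text quoted in the article.
PAGE_EXAMPLE = ("This is Google. There has been unauthorised activity on your "
                "account. Please reply with your verification code.")
# Constructed samples of the legitimate pattern and of unrelated traffic.
PLAIN_CODE = "Your verification code is 493817."
CODE_WITH_WARNING = ("482913 is your verification code. "
                     "Never share this code with anyone.")
UNRELATED = "Running late, see you at 7."

if __name__ == "__main__":
    for msg in (PAGE_EXAMPLE, PLAIN_CODE, CODE_WITH_WARNING, UNRELATED):
        print(f"{classify_sms(msg):14} {msg}")
```

This is a keyword heuristic: a message worded outside the assumed lists will not be flagged, so it supplements rather than replaces the habit of never replying with a code.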
You can watch Symantec’s video describing the attack below.