LOS ANGELES — At least 2 million people received the email May 16 notifying them that an order they had just made on “Wallmart’s” website was being processed, though none of them had done any such thing.
Still, thousands of people clicked on the link in the email, taking many of them to a harmless Google search results page for “Walmart.” Others weren’t so fortunate. The link led to the invisible download of malware that covertly infected their personal computers, turning them into remotely controlled robots for hackers, according to email security firm Proofpoint Inc.
These sorts of “phishing” attacks are not only becoming more common but also are getting more lethal, with fake emails becoming harder to distinguish from real ones.
In the fake-Wal-Mart attack, people missed clear warning signs — such as the company name being misspelled and the sender’s address being very long and strange. But in another case a month later, an email claiming to be from American Airlines carried no visible hints that it was illegitimate.
The sophisticated attacks are targeting the likes of attorneys, oil executives and managers at military contractors. The phishers are increasingly trying to get proprietary documents and pass codes to access company and government databases.
Nearly every incident of online espionage in 2012 involved some sort of a phishing attack, according to a survey compiled by Verizon Communications Inc., the nation’s largest wireless carrier.
Several recent breaches at financial institutions, media outlets and in the video game industry have started with someone’s log-in information being entered on a false website that was linked to in an email.
As technology firms find ways to make emails safer for consumers, some security experts suggest treating every link skeptically. So if you can never click on a link in an email again, what options are left? Here are some suggestions from security experts:
Open links in an email app on Apple Inc.’s iPad or iPhone. These devices have fewer vulnerabilities, so malware is unlikely to stick or get attached by clicking on a bad link. Android devices aren’t as foolproof, but smartphones certainly have fewer holes than personal computers.
A few tech companies are promoting a new technology known as Domain-based Message Authentication, Reporting & Conformance, or DMARC, that offers users a visual indication that an email is coming from the legitimate vendor. For example, real emails from EBay Inc. in Gmail include a key next to the “from” field. In Microsoft Corp.’s Outlook, a green key is the sign.
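The indicator described above depends on a DMARC result that the receiving mail server records in the message's Authentication-Results header. The Python sketch below is an added example, not part of the original article: it reads that result and shows that a DMARC pass on a lookalike sender still should not be trusted. The sample messages, the server name mx.example.net, the lookalike domain and the trusted-domain list are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real mail). Authentication-Results is the
# header the receiving server adds (RFC 8601); every name here is made up.
SAMPLES = {
    "legit": (
        "Authentication-Results: mx.example.net; spf=pass; dkim=pass; "
        "dmarc=pass header.from=ebay.com\n"
        "From: eBay <ebay@ebay.com>\nSubject: Your order\n\nbody\n"
    ),
    "lookalike": (
        "Authentication-Results: mx.example.net; spf=pass; "
        "dmarc=pass header.from=wallmart-orders.example\n"
        "From: Wallmart <orders-8841-confirm@wallmart-orders.example>\n"
        "Subject: Order processing\n\nbody\n"
    ),
    "spoofed": (
        "Authentication-Results: mx.example.net; spf=fail; dmarc=fail "
        "header.from=ebay.com\n"
        "From: eBay <ebay@ebay.com>\nSubject: Account\n\nbody\n"
    ),
}

def dmarc_verdict(raw, trusted_domains, trusted_authserv="mx.example.net"):
    """Classify a message by its DMARC result and its From domain."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    result = "none"
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # ignore results not written by our own mail server
        m = re.search(r"\bdmarc=(\w+)", rest)
        if m:
            result = m.group(1).lower()
            break
    if result != "pass":
        return "reject: dmarc=" + result
    # A pass only proves the mail came from the domain it claims, not that
    # the domain belongs to the brand named in the display name.
    if from_domain not in trusted_domains:
        return "untrusted: authenticated but unknown domain " + from_domain
    return "trusted: " + from_domain
```
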