How are hackers attacking us now

Let me tell you an interesting story; a story about how hackers are successfully attacking ACC’s email system. And then I’ll tell you some ways to protect yourself. I know this is a little long, but please lend me just a few minutes of your time.

What they do:

Have you gotten a message lately that contained an attachment from someone else at ACC? It probably came from someone you sort of know, but you weren’t expecting anything from them. If you emailed them back to ask if they sent it, they probably sent an email back saying “yes”. You might have even sent them a chat message to ask if it was really from them, and again, they probably told you “yes, open it”. So what happens then? Then you click on the link and get that pesky message that you’ve been logged out. It’ll even helpfully redirect you to a page where you can type in your username and password. Once you do that, it may send you off to another page, or just give you an error message. But it doesn’t matter, because at that point someone else now owns your account.

How they do it:

How does all of this work? A hacker (or more accurately, a phisher) gets access to an ACC employee or student account. They generate that attachment email. But it doesn’t really contain an attachment. It has a link that send you off to a form they built that looks like our log-in page. If you type in your account information now they’ve stolen your account, and they can do the same thing to more faculty, staff, and students.

“But!” you may be thinking right now, “I emailed or chatted online with that person! They said it was really them!” And normally, that’s a good step to take. But remember, that hacker/phisher has access to the account. So when you ask that question, it’s the hacker answering it, not your co-worker, professor, or friend. Nefarious, right?

How can you keep this from happening?

  • First, when you hover over a link you can usually see in your browser if it’s a legitimate ACC or Google address. When you click on an address it will tell you on the address bar if you are at a legitimate ACC or Google Mail address.
  • Even if all that checks out, you should never, ever type in your username and password unless you are 100% sure that you are at the actual, authentic log-in page. The best way to do that is to completely close your browser and then go directly to the log-in link.
  • Finally, if you want to see if someone actually sent you a link, call them. Phishers (at least for now) can’t spoof a person-to-person phone call.

ACC also offers a slightly more complicated, but much safer, form of log-in for email called two-factor authentication. If you carry an iPhone or Android phone you might want to give it a try. Here are the instructions: https://www.google.com/landing/2step/

Back to Top