Larry Magid: Gmail anti-phishing technology looks promising
Phishing is one of the internet’s biggest security risks. That’s when a scammer sends you an email that appears to come from a legitimate source, like your bank or a government agency. There’s usually a
link for you to click that takes you to a website that may look exactly like the real one, but it’s designed to trick you into providing information — such as log-in credentials — that can be used for a number of nefarious purposes.
Phishing attacks are often part of financial crimes, to get access to your bank accounts, credit cards, or other ways to separate you from your money. But they can also be used to hack an organization or even a political campaign. They are extremely dangerous and far too effective, which is one of the reasons I urge people not to click on links that come via email, especially if they lead to a site that asks you to log-in with confidential credentials. Instead, type in what you know to be the real address of the site and double-check by looking at the address bar to make sure it’s the correct URL. If you bank at Chase, for example, their web address should end in chase.com.
Aside from users being careful, there are technologies designed to prevent phishing but one of the more promising ones is being implemented by Google. The company announced that it’s incorporating the Brand Indicators for Message Identification, or BIMI, into its hugely popular Gmail service.
BIMI will enable companies to display their logos within Gmail to assure users that the message is coming from them. Of course, there are ways to display a logo without any authentication. It’s easy to copy and paste any logo from a website to another website or an email, but BIMI requires that the company using it has also employed another technology, called Domain-based Message Authentication, Reporting, and Conformance (DMARC) by authenticating the sender’s domain.
This is an important part of the equation, because it’s easy to spoof a domain name. Years ago, as an experiment, I sent myself some emails that appeared to come from the domain Whitehouse.gov, simply by changing the “from” address in my email client. A savvy user who knew how to trace the origin of an email could have determined that the mail didn’t actually come from the White House, but it would not only require them to know what to look for but also take the time to investigate, something very few people would even think about doing with their incoming messages.
According to a Google web page, DMARC requires that incoming messages be authenticated by technology protocols that “verify that messages are authentic.” If messages don’t pass these tests, they will trigger the organization’s DMARC policy and will not be verified. Organizations that create DMARC tests can configure their services in three ways to handle unverified messages: They can take no action on the message, they can mark the message as spam and deliver to the recipient’s Gmail spam folder, or they can tell receiving servers to reject the message. DMARC is set up by sending organizations, it’s not something that individuals can configure.
BIMI builds upon DMARC by displaying the logos of authenticated users within a specified area of the email client. Again, don’t be fooled simply because a logo is part of an email. It must be displayed in what Google calls “avatar slots in the Gmail User Interface (UI).”
While these technologies will go a long way towards protecting people, you should never be lured into a false sense of security. Just as you wouldn’t let down your guard against a fire in your home because you have a smoke detector, you should still be very careful about any incoming emails that contain links, especially if they lead to a website that asks for your log-in credentials or any other confidential information.
When I get an email from a bank, an insurance company, or any other organization that requires a log-in, I first look at the web address to make sure it looks legitimate, but then — just to be sure — I type in the web address as an added precaution. I also look at the address I land on not only to make sure it’s legitimate but to verify that I didn’t misspell it. One common trick is for scammers to register domain addresses that are almost identical to real ones, knowing that some people will make typographical errors when typing in a domain name.
Even with all these precautions, if something seems like it might not be right, I call the institution. I recently got an email from a bank with a different address than I expected, Everything else looked legitimate but I still wasn’t sure so I called the bank, which verified that it was a legitimate email.
Also, be careful with websites you find via a search engine. A couple of years ago I Googled “HP phone support” in an effort to find the number of HP’s printer support department to help me figure out how to fix a paper jam. I found a site that looked like it belonged to HP and called the number. When the person asked permission to install remote control software on my PC, I became suspicious because — while remote control software is sometimes used by legitimate tech support departments, there’s no way it could resolve a printer jam. I looked more carefully at the site and noticed that its web address did not end in HP.com. I got out in time but a friend of mine wound up having her computer infected with malware by falling for a similar tech support scam.
I’m glad that Google will be employing technologies like BIMI and DMARC to help protect us against scam artists, but even with those technologies, I have no intention of letting my guard down.