E-mail, Identity, & Semantics
When an account is hijacked, a stranger can speak in your name. Fortunately, English grammar is harder than hacking
Illustration: Greg Mably
Because of a recent experience, I have a raging case of clickphobia—the fear of clicking on Internet links. When I encounter a promising-looking link, my trigger finger freezes.
This started a few weeks ago when I got an alarming e-mail from the security department of my e-mail service provider. It said that they were closing inactive accounts, and unless I verified my account by return e-mail, it would be terminated. I was scared to lose my account and typed my information in, but I was suspicious, and I hesitated before clicking the send button. There was a misspelled word, and the graphic of the company logo was a bit fuzzy. On the other hand, losing my e-mail would be disastrous, and the return address appeared to be legitimate. I asked myself: What harm could result from someone having access to my e-mail, and how quickly could a hacker act before I changed my password?
While I was debating the issue, my index finger twitched and the button was clicked. I visualized the packets speeding around the world, and just for an instant I imagined an "unclick" key that would put out an all-points bulletin to stop them at bordering routers. But it was a fait accompli. Even with all the king's horses and all the king's men, the thoughtless click could not be undone.
Well, I commiserated with myself, what could go wrong? Alas, it was only a matter of hours before I discovered the answers to my two questions about harm and speed—a lot, and fast. I was away on a trip, and friends that I encountered gleefully gave me the bad news; meanwhile, my home phone was ringing off the hook. Everyone—and I mean absolutely everyone I knew—was getting e-mail from me pleading for 2000 euros to be wired to London, where I was apparently stranded and broke.
Frantically, I logged into my e-mail, only to be denied access. As I later discovered, the hacker was busy corresponding with my friends in my name to further plead his case (in my imagination, the hacker was definitely a man). Fortunately, it didn't sound right to ask Americans, who use dollars, to wire euros to London, where they use pounds. And even though the hacker presumably knew his way around computers, his English wasn't up to snuff. One friend showed me the e-mail the hacker sent her when she replied to the original message with, "Bob, is this really you?" The reply was, "Yes, it really are me."
Another friend, having gotten the scam message, did some tricks with it and determined that the hacker was in Lagos, Nigeria. We've all received Nigerian scam e-mails for years, so this was unsurprising, and in fact the wording and syntax of this message were very similar. It's amazing that after all these years, they—whoever they are—continue to persevere with unlikely, poorly worded scams. Someone must fall for them, but please—just not one of my friends!
Of course, I took a lot of ribbing, especially from friends with whom I have worked on cybersecurity issues. I felt, and still feel, like a complete dunce. Nevertheless, these phishing attacks are insidious. You get a sales confirmation for something you didn't buy, so you click on the link on the bottom that says "report a problem." Big mistake. You get an e-mail from your credit card company saying that there has been suspicious activity on your account, and they need to verify that it is you. Or you hear from your bank about an overdraft.
This all leaves me very mad and feeling helpless. We engineers brought the world closer together with a beautiful network, and a few people are tarnishing it for everyone else. I'm a believer in the wisdom of the crowd, but the corollary is the tyranny of the crowd.
I'm not sure what to do other than accept the risk and live with it. To that end, I've been practicing with the computer turned off. Soon I will turn the computer on, meander over to my e-mail, and see if I've conquered my clickphobia.
This article originally appeared in print as "Clickphobia."