I like to think that I’m tech savvy and well informed for someone not formally educated in or working in the tech space, but I recently learned about a sophisticated scamming technique that shocked me. It's called "session hijacking," and here's how it happens.
In the case that caught my attention, the victim was a self-employed man who runs a YouTube channel for his company. He received an email about a business opportunity involving advertising on his channel. After communicating back and forth for a bit, the unknown person sent an email discussing pricing that included a link to their website. This link, however, took the victim to a page that hijacked his session, copied information, and allowed the criminal to log in to the victim's Google accounts, including his YouTube channel, and bypass his passwords. From there, the scammer made themselves the manager of the channel and removed the real owner, thereby hijacking the account completely.
The first step to this scam is called “social engineering,” in which a scammer plays a role to trick their target into taking some action — in this case, clicking a harmful link in their email.
The second step is what was new to me. When you go to a website and enter your login credentials, that starts what is called an “active session.” The website hands your browser a small piece of data called a “cookie,” and your browser sends it back with every request so the site knows it is still you without asking for your password again. In this particular scam, the scammer’s page intercepted those cookies, and the scammer loaded them into a browser on their own computer, giving them a copy of their victim’s session: logged in to the same website, with full access to the account. From there they could take over the account. This is why it’s called “session hijacking.”
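The mechanism above, modelled in Python as an added example (not code from this article, from Google or from YouTube): a server that accepts any valid cookie lets the copied session straight through, while one that ties the session to the client it was issued to, expires idle sessions, and demands a recent login before a sensitive action (such as changing a channel’s managers) does not. The fingerprint attributes, the timeouts and the client tuples are assumptions made for the demonstration.

```python
import hashlib
import secrets

IDLE_TIMEOUT = 15 * 60   # seconds a session may sit unused before it dies
REAUTH_WINDOW = 5 * 60   # sensitive actions require a login this recent


class SessionStore:
    def __init__(self, bind_to_client=True):
        self.bind_to_client = bind_to_client
        self._sessions = {}   # cookie value -> session record

    @staticmethod
    def _fingerprint(client):
        # Hash of attributes the browser presents on every request
        # (here a constructed tuple: user agent, language, source address).
        return hashlib.sha256("|".join(client).encode()).hexdigest()

    def login(self, user, client, now):
        cookie = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[cookie] = {"user": user, "login_at": now,
                                  "last_seen": now,
                                  "fp": self._fingerprint(client)}
        return cookie

    def resolve(self, cookie, client, now):
        """Return the user behind a presented cookie, or None if rejected."""
        s = self._sessions.get(cookie)
        if s is None or now - s["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(cookie, None)  # expired: force a fresh login
            return None
        if self.bind_to_client and s["fp"] != self._fingerprint(client):
            # Same cookie from a different client: treat as replay and kill
            # the session outright, which also logs the real owner out.
            self._sessions.pop(cookie, None)
            return None
        s["last_seen"] = now
        return s["user"]

    def change_manager(self, cookie, client, now):
        """Sensitive action: a live session is not enough, login must be recent."""
        if self.resolve(cookie, client, now) is None:
            return False
        return now - self._sessions[cookie]["login_at"] <= REAUTH_WINDOW


def replay_demo(bind_to_client):
    # Victim logs in; attacker replays the copied cookie a minute later.
    store = SessionStore(bind_to_client)
    victim = ("Mozilla/5.0 (Windows)", "en-US", "203.0.113.5")    # constructed
    attacker = ("Mozilla/5.0 (Linux)", "en-GB", "198.51.100.7")   # constructed
    cookie = store.login("channel-owner", victim, now=1_000_000)
    return store.resolve(cookie, attacker, now=1_000_060)
```

Client binding on its own is a weak control, since a stolen user agent is easily copied and mobile addresses change; the idle timeout and the step-up login before sensitive actions are what limit how much a stolen cookie is worth.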
So how can you prevent session hijacking from happening?
Avoid clicking links
You’ve heard it before, but it really is the safest option. If there’s a link in an email you want to follow, open your web browser and type the URL manually. Ideally, use a link you have already saved in your favorites or bookmarks.
Or, instead of clicking on a link, do a Google search for the company name to get there. But be leery of any results labelled as ads in the search results; don’t click on those links.
Don’t open the attachment, either
Viruses and malware get passed along in attachments. Only open attachments you are expecting from someone you know personally, and even then, be extremely careful. Someone may be spoofing your friend’s or family member’s account to send you an .exe file filled with bad news.
Do your due diligence
If you're a business owner or freelancer and you get an email about something like a sponsorship or other opportunity, make sure to take some extra time to vet the person who contacted you. Some questions to ask yourself may be:
- What’s their web presence like? (Remember: use Google to determine this, not a link from their email.)
- Do they have a verifiable mailing address and phone number?
- Can you make direct contact with the person who emailed you? Call the publicly published number, not the one in the email.
Being aware of the techniques scammers use to target their victims takes some of their power away from them. If you’re contacted by someone with a link or attachment in their email, be wary! Vigilance and a few extra minutes could wind up saving you time and money in the end.
Hanscom Federal Credit Union will never send members emails that include links to their Online Access HD login pages. If you receive an email like this, don't click the link. Please contact our Remote Support team immediately at 800-656-4328.