Anyone Can Get Phished
- Jen Baldwin
- Apr 2
- 2 min read
You might remember one of our recent articles, "The Three Factors of Authentication: A Fraudster's Playground." We talked about how even the most common ways we protect our online lives – what we know (passwords), what we have (phones, OTPs), and what we are (biometrics) – are constantly under attack.
Recent news has brought this topic even closer to home, and it involves someone we in the security community deeply respect: Troy Hunt. Troy, a renowned security expert and the creator of Have I Been Pwned (HIBP), recently shared that he fell victim to a sneaky phishing attack that targeted his Mailchimp account.

For those unfamiliar, phishing is a deceptive tactic where fraudsters try to trick you into giving up sensitive information, like passwords or credit card details, often by pretending to be a legitimate organization in an email or message. In Troy's case, he received an email that looked like it was from Mailchimp, claiming there was a spam complaint and that he needed to log in to resolve it. Being tired and a bit jet-lagged, he clicked the link and entered his credentials, only to realize moments later it was a fake site. The attackers immediately used this access to export his blog's mailing list, containing around 16,000 records.
These attacks are becoming increasingly sophisticated, using social engineering to play on our emotions like fear or urgency. As Troy himself admitted, even someone as security-savvy as him can have a moment of weakness, especially when tired or distracted. That’s why in our previous article, we emphasized the constant evolution of these threats and the need for vigilance.
What truly stood out in this situation was Troy's immediate and open disclosure of the incident. He published a detailed blog post just 34 minutes after realizing what had happened, explaining exactly how he was tricked. We commend Troy for his transparency. It's this kind of openness that helps us all learn and become more aware of the threats we face online. By sharing his experience, Troy has provided a powerful real-world example of how even the most vigilant among us can be targeted.
Let's all take this as a reminder to stay alert, especially when we're feeling tired or rushed. Always double-check links, and if something feels off, it probably is. Troy’s experience, while unfortunate, serves as a valuable lesson for us all in the ongoing battle against online fraud.