Boasting about bitcoin profits ‘godsend for cybercriminals’
Google says hype leading to increase in phishing attacks on those talking about it online
Boasting about how much money you’re making from bitcoin or other cryptocurrencies is a godsend to cybercriminals, according to Google.
At a press briefing in Munich to mark Safer Internet Day, Mark Risher, director of product management at the internet giant and formerly “spam czar” at Yahoo, said the hype around bitcoin was leading criminals to step up phishing attacks on those talking about it online.
He said any mention of cybercurrencies by internet users significantly increased the likelihood that they would be singled out by criminals.
“Putting a resume online to say you work at a cryptocurrency company, or sending out a pro-crypto message on a social media network, leads to users getting more targeted attacks. It is very scary,” he said.
He added that those starting out in cryptocurrency trading were also at high risk, as are those who brag online about how well they are doing from bitcoin et al.
“With crypto or any type of bragging online, what you’re doing to some degree is saying ‘I’m worth your effort…’ it’s cheap enough and the rewards are high enough to invest in targeted and personalised attacks rather than simply casting the net out more widely,” he said.
Mr Risher, who leads Google’s account security, phishing and identity services teams, joined the company after it acquired Imperium, the security firm he co-founded, for an undisclosed sum in early 2014. Prior to this he worked at Yahoo, where he headed its global product development for security and abuse products to protect over 300 million user accounts.
The security expert said it felt as though cryptocurrencies “were custom-made for phishing attacks” because they are unregulated.
He stressed that all of us can get duped and that those who fall victim to phishing attacks are not necessarily naive.
“There really is no shame in falling for a phishing attack. It’s important that people don’t feel that way because the best defence right now is reporting it quickly. If you’re embarrassed and don’t tell your IT department or security team then the damage could be much worse,” he said.
“Phishing is really a confidence game and it frequently uses the same tactics used since the start of human conversation, such as adding urgency or suggesting there is an expected payoff and so on,” Mr Risher added.
Google blocks upwards of 20 million email messages a day and Mr Risher said phishing attacks are by far and away the biggest threat to internet users.
“We aren’t concerned about clumsy messages from Nigerian oil ministers but from credible mails that can appear quite convincing,” he said.
Mr Risher said that most internet users can safeguard themselves by using simple steps such as two-factor authentication. This is a protocol that adds an extra layer of authentication to the login process, but currently only about 10 per cent of Gmail users have it enabled.
He said that Google and other companies were all moving away from advising users to have long passwords containing a variety of digits.
“A long complicated password does not really save you from phishing attacks or password breaches although it doesn’t mean you should just settle for ‘1,2,3,4,5’ either.
“In practice, long complicated passwords mean that users will likely just find one and use that everywhere, which is worse. It is better for people to use products like password manager systems instead,” Mr Risher added.