Should you really be clicking on those links you just received in your email?
Despite all the headlines about zero-day threats and state-sponsored attacks, the rather less dramatic truth is that the majority of security incidents start with a user simply clicking on a malicious link or opening a dangerous attachment – threats that we’ve been tackling for many years.
The reason why these attacks continue to be so widely deployed is that they work so well, employing crafty social engineering to dupe users into clicking without thinking, giving malware an opportunity to implant itself onto a vulnerable computer or taking the unsuspecting victims to a phishing page designed to steal their passwords.
With the extraordinary increase in popularity of smartphones in the last ten years, the problem of clicking on dangerous links has become even greater. That’s because it’s not necessarily as easy to tell where a link will take you on a mobile phone as it is on a desktop or laptop computer.
On Apple iPhones, for instance, there is a way to view a URL before you click (press and hold a link to open a window that displays a link’s URL) but it’s a palaver compared to simply hovering your mouse over a link. And even then, the limitations of a mobile device’s screen size may mean that you can’t see the *full* URL, or the use of a URL redirection service might disguise the link’s true destination.
So I, for one, am pleased to see Google do its bit to make the internet that little bit safer.
Google announced last week that it is bringing anti-phishing security checks to its Gmail app for iOS, displaying a warning when a user clicks on a suspicious link in a Gmail message on an iPhone or iPad.
> This link leads you to an untrusted site. Are you sure you want to proceed to <example>.com?
In Google’s own words, you are recommended to use caution before proceeding “because the link is likely unsafe. Only proceed if you’re confident there’s no risk.”
You certainly should be cautious, as chances are that the link you have been sent will take you to a harmful phishing page.
If you do decide to click on a link that Google knows to be dangerous, you’ll see an even more strongly-worded warning against visiting the URL:

> Warning – phishing (web forgery) suspected
>
> The site you are trying to visit has been identified as a forgery, intended to trick you into disclosing financial, personal or other sensitive information.
>
> You can continue to <example URL> at your own risk.
It’s important to point out that the new features will not benefit every iPhone owner who has a Gmail webmail account. I suspect most iPhone owners use the standard Mail app, provided by Apple, to read their email – and only a small proportion download a third-party app, such as Google’s Gmail app, to check their inbox.
All the same, I can easily picture that this new functionality in the Gmail app will be of benefit to many iOS users who might otherwise be duped into visiting a dangerous website and handing over their personal information.
The new functionality will roll out across the Gmail app’s iOS userbase over the next two weeks or so.
Just be sure not to think that the feature will detect *every* attempt to phish your credentials – there will always be a need for users to exercise caution over what links they click on, whatever safety nets are put in place.
And don’t fret too much if you don’t own an Apple iPhone. A similar feature has been available in Gmail’s Android app since May.
written by Graham Cluley, ESET We Live Security