Ryan Collins, the 36-year-old from Pennsylvania who was arrested for his involvement in the "Celebgate" hack in 2014, agreed on March 15 to plead guilty to a felony violation of the Computer Fraud and Abuse Act.
While his guilty plea is hardly surprising, his account of how he pulled the whole thing off with a simple phishing scam is appalling, mostly because protecting oneself from such scams should be easy.
The most important rule for online accounts is that you should never, and it cannot be stressed enough, give your username and password to anyone, even someone claiming to be the CEO of the company that holds the account.
According to court documents, Collins used email addresses such as "email@example.com," "firstname.lastname@example.org" and "email@example.com" to fool his victims into believing that he was an official employee of the company and that handing over their log-in information was necessary.
Collins did not even need to be a member of Hydra and mimic Sunil Bakshi's iconic line "compliance will be rewarded" to get the information he wanted; he simply contacted his victims from seemingly legitimate, "secure"-sounding email addresses and had them hook, line and sinker.
So what can you do to lessen the chances of falling for a phishing scam? Read the simple reminders below, and pay particular attention to No. 1.
1. NEVER provide your username and password when asked.
It does not matter whether you are talking to a friend or someone else you know: never give away the log-in information for your account, especially through electronic means. The people you give it to may well be trustworthy, but there is always the possibility that they become a victim themselves, and then your credentials and your account are easily accessible to the offender.
There are also those who, like Collins, send an email pretending to be an official representative of a company. Do not fall for it: companies never ask for your log-in information, for any reason, so an email asking for it should already make you doubt its legitimacy.
2. Be aware of the telltale signs of a scam.
Take a look at the email addresses Collins used to fool his victims. They all contain "helpdesk," "secure" or "protection," but note that the domains are public webmail services: anyone can register a Gmail or Outlook address. Employees who need to communicate officially with clients use the company-provided email address.
3. Do not panic.
No matter how dire the situation in the email seems, it pays to be skeptical. If a company truly had an urgent problem to address, its public relations arm would issue an official statement or announcement, and even if you do not follow its press releases, social media and news outlets would pick it up, so you would surely hear about it one way or another.
4. When in doubt, contact the company.
One of the email addresses Collins used does look legitimate because of its @icloud domain; that still does not make it any less fishy. As explained above, companies have no reason to ask for log-in information that would give them access to your account. So before you do anything you will regret, validate the request by contacting the company through its hotline or help desk chat. Doing so not only lessens your own chances of being victimized, it also helps stop others from falling for the same scam.
5. Take extra precautions to secure your account.
If your account offers two-factor authentication, enable it without hesitation, even though it adds a step before you can log in. You know the value of what is in your account, so you should know the value of protecting it.
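The red flags in tips No. 1 to No. 3 (a request for credentials, a support-sounding mailbox on a public webmail domain, a display name that claims the company while the address lives elsewhere, and urgency pressure) can be turned into a small triage script. The example below is added here and is not part of the original article or the court record; the webmail domain list, the keyword lists and the sample messages are constructed for illustration, and the company domain `examplecorp.com` is a placeholder, not a reference to any real company.

```python
import re
from email.utils import parseaddr

# Constructed, illustrative list of public webmail domains anyone can sign up for
# (assumption: not exhaustive; extend it for your own environment).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Words a scammer puts in the mailbox name to look like an official support function.
SUPPORT_WORDS = ("helpdesk", "support", "secure", "security", "protection", "privacy")

# Outright requests for credentials; a real company never asks for these (tip No. 1).
CREDENTIAL_REQUEST = re.compile(
    r"\bpass(word|code)s?\b|\blog-?in (details|information|credentials)\b", re.IGNORECASE)

# Urgency language used to rush the victim past the "contact the company" step (tip No. 3).
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|suspended|locked|verify now)\b", re.IGNORECASE)


def sender_warnings(from_header, company_domains):
    """Apply the address checks from tip No. 2 to a From: header.

    company_domains: the domains the real company actually mails from (assumed input).
    Returns a list of human-readable warnings; an empty list means no red flag.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["sender address could not be parsed"]
    local, domain = addr.rsplit("@", 1)
    company_domains = {d.lower() for d in company_domains}
    warnings = []
    looks_official = any(word in local for word in SUPPORT_WORDS)
    if looks_official and domain in FREEMAIL_DOMAINS:
        warnings.append(f"'{local}' poses as a support mailbox on public webmail domain {domain}")
    elif looks_official and domain not in company_domains:
        warnings.append(f"'{local}' poses as a support mailbox but {domain} is not a company domain")
    # Display name claims the company (e.g. "ExampleCorp Help Desk") while the address does not.
    company_names = {d.split(".")[0] for d in company_domains}
    if any(name in display.lower() for name in company_names) and domain not in company_domains:
        warnings.append(f"display name '{display}' claims the company but address domain is {domain}")
    return warnings


def body_warnings(subject, body):
    """Check subject and body for a credential request and for urgency pressure."""
    text = f"{subject}\n{body}"
    warnings = []
    if CREDENTIAL_REQUEST.search(text):
        warnings.append("message asks for log-in credentials")
    if URGENCY.search(text):
        warnings.append("message uses urgency to pressure a quick reply")
    return warnings


def assess(message, company_domains):
    """Combine header and body checks; returns (verdict, warnings).

    A credential request together with a suspicious sender is rated 'likely phishing';
    any single red flag is 'suspicious'; otherwise 'no red flags'.
    """
    sender = sender_warnings(message["from"], company_domains)
    body = body_warnings(message.get("subject", ""), message.get("body", ""))
    warnings = sender + body
    asks_for_credentials = any(w.startswith("message asks") for w in body)
    if asks_for_credentials and sender:
        verdict = "likely phishing"
    elif warnings:
        verdict = "suspicious"
    else:
        verdict = "no red flags"
    return verdict, warnings


# Constructed sample messages (not the actual messages from the case).
SAMPLES = [
    {"from": '"ExampleCorp Help Desk" <examplecorp.helpdesk@gmail.com>',
     "subject": "Action required: verify now",
     "body": "Your account will be suspended. Reply with your username and password immediately."},
    {"from": '"Privacy Security" <privacysecurity@icloud.com>',
     "subject": "Security review",
     "body": "To keep your account protected, please confirm your password."},
    {"from": "Jane Doe <jane.doe@examplecorp.com>",
     "subject": "Quarterly newsletter",
     "body": "Here is what is new this quarter."},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, reasons = assess(msg, ("examplecorp.com",))
        print(f"{msg['from']}\n  -> {verdict}")
        for reason in reasons:
            print(f"     - {reason}")
```

The second sample mirrors tip No. 4: the @icloud.com address looks more official than a Gmail one, yet it is still a public webmail domain and the message still asks for a password, so it is flagged just the same. The script is a reading aid for the tips, not a mail filter; the decisive step for a real message remains the one the article gives, which is to contact the company through a channel you looked up yourself.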