Today's Gmail Hacking Installment: Protect Your Friends, Too!

As I reported in last month's chronicle of a hacking attack, my wife's Gmail account was taken over a few months ago; all of her correspondence, photos, records, etc., from a six-year stretch were zeroed out; and she has spent much of her time since then dealing with the consequences.

And, as I have mentioned, oh, a few million times by now, if you don't want this to happen to you, you will:
   (a) start using Gmail's "two-step" authentication system;
   (b) make sure that any account that matters to you has its own unique password, one that you've never used on any other site; plus
   (c) consider backing up your "cloud" data locally, for instance using Eudora, Thunderbird, or any other email handler to copy your online archives onto your own hard disk. Details on these and other fronts are in the posts collected here.

But wait, there's more! You can also help other users. A little while ago, this message showed up in my wife's Gmail inbox, having made its way past the normal spam filters. Click for larger if you can't read it:


The obvious point is: this is a phishing message, and a crude one at that, which you shouldn't reply to. Duh. The less obvious point is that you should use the "Report Phishing" button on Gmail, which comes up as part of the "Reply" menu, rather than just deleting this and moving on.

Why does this matter? For reasons of scale, nearly all of the spam-filtering and fraud-detection efforts by Gmail or other systems are "algorithmic." That is, they're based on automatic scanning of messages to match their contents to known fraudulent patterns. It's a matter of probabilities, which is why the filters aren't perfect. Some new forms of spam are cleverly enough prepared to escape the automatic matching; some "real" messages use enough suspect words or patterns to get trapped or flagged.

So the fine-tuning depends heavily on judgments by real, human users, who start flagging messages as spam, or retrieving them as "not spam." Each of those decisions sends a signal back to Google's (or another company's) algorithms -- and the signal gets extra weight, since it reflects a human judgment of where an algorithm has failed. These are the counterparts of "Like" or "Share" or "+1" signals in social media, and in this case they can quickly shift detection to a pattern the algorithms would have taken longer to catch up with.
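To make the "extra weight" point concrete, here is an added toy illustration (my own, not Google's filter and not from the original post): a tiny naive-Bayes word filter in which a "Report Phishing" click is counted as five automatic matches. The weight of five, the training messages and the phishing texts are all constructed for the demo; the interesting result is that one report pushes a near-duplicate of the reported message well past where one automatic match alone would leave it.

```python
import math
import re
from collections import Counter
# Assumed for this illustration: one "Report Phishing" click is weighted like
# five automatic matches. The number is invented, not Google's.
HUMAN_WEIGHT = 5
# Constructed training corpus, not real mail.
SPAM = ["cheap pills buy now", "you won a prize claim now", "lottery winner claim prize"]
HAM = ["lunch tomorrow at noon", "meeting notes attached", "photos from the trip"]

class FeedbackSpamFilter:
    def __init__(self, spam=(), ham=()):
        self.counts = {True: Counter(), False: Counter()}  # word counts, keyed by is_spam
        self.totals = {True: 0, False: 0}                  # weighted message counts
        for is_spam, corpus in ((True, spam), (False, ham)):
            for msg in corpus:
                self.learn(msg, is_spam)

    @staticmethod
    def tokens(text):
        return set(re.findall(r"[a-z']+", text.lower()))

    def learn(self, text, is_spam, weight=1):
        for t in self.tokens(text):
            self.counts[is_spam][t] += weight
        self.totals[is_spam] += weight

    def report_phishing(self, text):
        # A human judgment is counted HUMAN_WEIGHT times, not once.
        self.learn(text, True, weight=HUMAN_WEIGHT)

    def spam_probability(self, text):
        # Naive Bayes in log-odds form with add-one smoothing.
        log_odds = math.log((self.totals[True] + 1) / (self.totals[False] + 1))
        for t in self.tokens(text):
            p_spam = (self.counts[True][t] + 1) / (self.totals[True] + 2)
            p_ham = (self.counts[False][t] + 1) / (self.totals[False] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

def demo():
    # Score a sibling of one phish: untouched, after one automatic match, after one report.
    phish = "verify your account password or it will be suspended"  # constructed
    sibling = "please verify your password"  # constructed near-duplicate
    base, auto, human = (FeedbackSpamFilter(SPAM, HAM) for _ in range(3))
    auto.learn(phish, True)       # one automatic pattern match, weight 1
    human.report_phishing(phish)  # one "Report Phishing" click
    return {"untouched": base.spam_probability(sibling),
            "one_auto_match": auto.spam_probability(sibling),
            "one_report": human.spam_probability(sibling)}
```

With this corpus the sibling message scores 0.5 untouched, about 0.83 after one unweighted match, and about 0.97 after one report; the shape of the result, not the exact numbers, is the point.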

The easiest way to handle an obviously fraudulent message is just to delete it. But if you spend two more seconds to click the "Report Phishing" button, you can reduce the likelihood that you or anyone else will see a similar message again. As our friends at the TSA would put it, "If you see something, say (or click) something."