SQL101: Phishing attacks

I thought it was bad previously, but in 2026 I’ve noticed a big rise in emails trying to scam me into clicking a link – known as phishing. Phishing describes an email that entices the recipient to open it and maybe click a link, which then installs some malware on the computer. This could be something that logs keystrokes and sends them to another system on the Internet.

You’ve likely received emails like that, purporting to come from Microsoft or PayPal or some other company you recognize, and urging you to click a link to fix something to do with your account. Just since Sunday, I’ve received many phishing emails, including:

  • To our A/P department, purporting to come from me, giving the ok to pay an invoice from a fake CEO training course in my name
  • Domain-name expiry notifications
  • Anti-virus order receipts and click/call if that’s a mistake
  • Fake DocuSign emails for contracts/receipts

I’ve read many books on hacking, from both sides of the ethical fence, and it always strikes me that security checklists and security reviews of SQL Server environments are all well and good, but there are a few missing things that I think are worth considering.


For instance, does your company provide training or guidance on recognizing and avoiding phishing emails? Such phishing emails could be cleverly targeted, especially if hackers are going after a specific company and make an email look like it’s coming from a source the DBA trusts. If a DBA clicked a phishing link and unknowingly installed malware on a personal laptop, say, and then connected to a work system, the hackers could capture the DBA’s login credentials.

Hacking books have plenty of descriptions of this being done to companies like banks and defense contractors.

One way to test people in your company is to send a fake email with a link to a web page that tells them they’ve clicked something they shouldn’t have and should be wary in future – or simply to keep track of what proportion of recipients in the company were fooled into clicking the link.
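As an added example (not from the original post), here is one way to work out that proportion from the landing page's web log for an authorized internal awareness test. The per-recipient token in the link, the /awareness path, the log format and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: link token -> (recipient, department) for one simulated campaign.
RECIPIENTS = {
    "t01": ("alice", "DBA"),
    "t02": ("bob", "DBA"),
    "t03": ("carol", "Accounts Payable"),
    "t04": ("dave", "Accounts Payable"),
    "t05": ("erin", "Accounts Payable"),
}

# Constructed access-log lines from the awareness landing page (hypothetical path and format).
ACCESS_LOG = """\
10.0.0.5 [03/Feb/2026:09:12:01] "GET /awareness?t=t01 HTTP/1.1" 200
10.0.0.5 [03/Feb/2026:09:12:40] "GET /awareness?t=t01 HTTP/1.1" 200
10.0.0.9 [03/Feb/2026:09:30:17] "GET /awareness?t=t03 HTTP/1.1" 200
10.0.0.7 [03/Feb/2026:10:02:55] "GET /awareness?t=t04 HTTP/1.1" 200
10.0.0.8 [03/Feb/2026:10:05:00] "GET /awareness?t=zzz HTTP/1.1" 200
10.0.0.8 [03/Feb/2026:10:06:00] "GET /favicon.ico HTTP/1.1" 404
"""

TOKEN_RE = re.compile(r'"GET /awareness\?t=([A-Za-z0-9]+) ')

def clicked_tokens(log_text, recipients):
    """Return the set of known recipient tokens seen in the log."""
    found = set()
    for line in log_text.splitlines():
        m = TOKEN_RE.search(line)
        if m and m.group(1) in recipients:  # ignore tokens that were never issued
            found.add(m.group(1))           # a set counts repeat clicks once
    return found

def click_rates(log_text, recipients):
    """Return {department: (clicked, sent, proportion)}, plus an 'ALL' row."""
    clicked = clicked_tokens(log_text, recipients)
    sent, hit = defaultdict(int), defaultdict(int)
    for token, (_name, dept) in recipients.items():
        for key in (dept, "ALL"):
            sent[key] += 1
            hit[key] += token in clicked
    return {k: (hit[k], sent[k], round(hit[k] / sent[k], 2)) for k in sent}

if __name__ == "__main__":
    for dept, (c, s, p) in sorted(click_rates(ACCESS_LOG, RECIPIENTS).items()):
        print(f"{dept:17} {c}/{s} clicked ({p:.0%})")
```

Mail-security gateways that fetch links on delivery can register as clicks, so check for such requests in the log before treating the figures as user behaviour.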

Another thing to be wary of is social engineering. This is where a hacker calls someone on the phone, pretending to be someone who needs some information that can help them break into a computer system, and fools the person into giving that information out. I’ve read about this being used many times in the past, and it is a relatively common technique used by phone scammers. “Hello, we’re from Microsoft support and your computer has been hacked…”

Finally, one of the things you might consider for your company is engaging the services of a third-party company that does what’s called penetration testing. These people will deliberately try to hack into your environment, with your permission, to discover security weaknesses that you can then patch before a malicious hacker tries to break in. Sometimes this is known as ethical hacking, and you can actually learn how to do it yourself, to think about security from the attacker’s perspective and assess your own environment for security flaws.

Call to Action

If you’re responsible for databases that contain any information that you don’t want someone to have unauthorized access to, you need to make sure that your security doesn’t have any problems. That includes making sure that the users are educated about ways that they can be duped into giving out info or installing malware, and testing your system’s defenses to see if they can be broken. You can be sure that someone out there will try to get in sooner or later.

PS A few interesting books on hacking that spring to mind:
