There’s a particularly nasty phishing scam that’s been doing the rounds this January, and it’s targeting Google’s Gmail account users. The scam, purported to be one of the most pernicious yet, tricks email users into divulging their Google log-in details and has even fooled seasoned IT experts.
Here’s how it works – you have been warned!
- A fake email arrives in your inbox. It may well come from a contact in your own address book, and will contain a rogue attachment that looks like a PDF file.
- When you click on the attachment, you will be directed to a phishing page which is cleverly disguised as the Google sign-in page, where you are asked to log into your account.
- The super cautious user will now take a look at the location bar, which shows an address containing accounts.google.com. Reassured that it says accounts.google.com, you proceed to sign in.
- If you enter your details, your Gmail account will become compromised, allowing the attacker to go through your messages, message folders and pass on the scam. They can even copy your style of writing, making the emails to others in your address book even more convincing.
Gaining unauthorised entry happens very quickly. With your account compromised, your entire Gmail content, including all your messages, usernames and passwords for this and other accounts are at risk, along with any Cloud based apps you’ve signed up for.
- What’s particularly worrying is that the phishing pages don’t seem to trigger Google’s HTTPS security warnings, which would normally appear when a user lands on an unsafe page.
The sophisticated scam was discovered by Mark Maunder of Wordfence who has recommended a number of protection strategies to guard against this type of phishing attack.
Verify the protocol and hostname
Before you sign into any internet service, checking the browser location bar to verify the protocol and the hostname is imperative. When signing into your Google account or Gmail on Chrome, the location bar should show https:// followed by the hostname accounts.google.com, preceded by nothing other than a green padlock symbol.
A location bar that begins with ‘data:text/html’ rather than ‘https://’ is a sign of a fake web page. Beware that this particular scam is not limited to Chrome – it can occur on any browser.
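To show why merely spotting the hostname in the location bar is not enough, here is an added example (not from the original article or from Wordfence) that parses the address-bar text the way a browser does. The sample strings are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed samples of what a location bar might display (not real captures).
# A data: URL has the form data:<mediatype>,<data>; the "hostname" inside it
# is just text, not the origin the browser is actually talking to.
GENUINE = "https://accounts.google.com/ServiceLogin?service=mail"
DATA_URI = "data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
PLAIN_HTTP = "http://accounts.google.com/ServiceLogin"
LOOKALIKE_HOST = "https://accounts.google.com.example.net/ServiceLogin"

EXPECTED_HOST = "accounts.google.com"


def naive_check(bar_text: str) -> bool:
    """The glance most users make: does the expected hostname appear anywhere?"""
    return EXPECTED_HOST in bar_text


def strict_check(bar_text: str) -> bool:
    """Accept only when the scheme is https AND the parsed host is exactly the expected one.

    urlparse() treats everything after 'data:' as a path, so the embedded
    'accounts.google.com' never becomes the hostname and the check fails.
    """
    parsed = urlparse(bar_text.strip())
    if parsed.scheme != "https":
        return False  # data:, http:, javascript: and friends all stop here
    return (parsed.hostname or "").lower() == EXPECTED_HOST


def check_location_bar(bar_text: str) -> dict:
    """Return both verdicts so the gap between them is visible side by side."""
    return {"naive": naive_check(bar_text), "strict": strict_check(bar_text)}


if __name__ == "__main__":
    for sample in (GENUINE, DATA_URI, PLAIN_HTTP, LOOKALIKE_HOST):
        print(f"{sample}\n  -> {check_location_bar(sample)}")
```

Only the genuine address passes the strict check; the data: URI passes the naive substring glance, which is exactly the mistake the scam relies on.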
Enable two factor authentication
Where available, enable 2-step verification to make it much harder for an unauthorised user to access your account or service – even if they have your password.
Two Factor Authentication (TFA) is an extra layer of security that requires not only a password and username, but something else that identifies the authorised user. It could be a piece of information that only they know – perhaps the answer to a secret question – or something only they have, such as a code sent by text message to the user’s phone, or a handheld device used for online banking.
For additional protection from internet scams and phishing attacks, you should also follow these general safety rules:
- Always be cautious about any emails from unrecognised senders. If in doubt, check if the email is authenticated, check that the address and the sender name match, and check the message headers to ensure the ‘from’ header is not showing an incorrect name.
- Don’t ever click on any links, open any attachments or download any files that come from unknown senders, however tempted you may be.
- Beware of pop-ups! You should never enter personal information, click on any links or copy web addresses into your browser from a pop-up screen.
- Be careful about email links asking you to submit personal information, even if you think you know the organisation. Phishing websites typically copy the look and feel of a genuine website in an attempt to trick you into divulging sensitive information. If in doubt, call the company direct (but don’t use any phone number given in the suspicious email).
- In any online transaction, only submit personal data if you are sure that the site is secure. Look for the padlock icon in the browser’s location bar, or ‘https:’ in the URL, where the ‘s’ stands for ‘secure’.
- It is good practice to never send your personal or financial details via email, even if you know and trust the recipient. Should their email account get hacked, their as well as your data will be compromised.
- Finally, make sure your computer is protected with a firewall, spam filters, anti-virus and anti-spyware software, and keep them updated at all times for maximum protection.