Can you tell a legitimate email or website from a phishing attack? It’s great if you answered yes, but even the most tech-savvy, trained eye can be duped, as a Gmail phishing scam just proved.
Since January, a large phishing campaign has been targeting the email provider and, following tremendous success, it has recently expanded to other services. Although a fix is now available and Chrome will immediately inform you it’s not safe, users should still be suspicious of any strange activity.
How does it work? The user receives a personal, informative email from a contact whose account was compromised. Because the hacker actually goes through the Inbox to find some common ground to write about, the email seems legit.
The problem is that it tricks you into clicking on a fake PDF, which is no more than an embedded image. The PDF doesn’t open; instead, a new tab opens and asks you to log in to Gmail a second time. That’s the scam.
Don’t log in. Instead, immediately report it. If you provide your credentials, the hacker takes over your account and all the information in it. You probably can’t be suspicious of every email you receive, but at least take a close look at the address bar, no matter how realistic it all seems. If the address starts with data:text/html instead of https://, and accounts.google.com/ServiceLogin appears right after it, the website is a scam.
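The address-bar check described above can be written as a small function. This is an added example, not code from Google or from the original article; the function name, EXPECTED_HOST and the sample addresses are constructed for illustration, and it goes slightly beyond the article by also flagging https addresses where the login name appears but the real host is different.

```javascript
// Added example: the address-bar check from the paragraph above, as a function.
// EXPECTED_HOST and SAMPLES are constructed for illustration (assumptions).
const EXPECTED_HOST = "accounts.google.com";

function classifyLoginUrl(address) {
  const text = address.trim();
  let url;
  try {
    url = new URL(text);
  } catch {
    return { verdict: "suspicious", reason: "not a parseable URL" };
  }
  const mentionsLogin = text.toLowerCase().includes(EXPECTED_HOST);

  // A data: URI carries the page itself. Whatever follows the media type is
  // content, so a host name shown there proves nothing about the origin.
  if (url.protocol === "data:") {
    return {
      verdict: mentionsLogin ? "phishing" : "suspicious",
      reason: mentionsLogin
        ? "data: URI with the login host name embedded as text"
        : "data: URI rendered as a page",
    };
  }
  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: `scheme ${url.protocol} is not https:` };
  }
  // Only the parsed host counts, not where the name appears in the string.
  if (url.hostname === EXPECTED_HOST) {
    return { verdict: "ok", reason: "https with exact host match" };
  }
  if (mentionsLogin) {
    return { verdict: "phishing", reason: `login name shown, real host is ${url.hostname}` };
  }
  return { verdict: "unrelated", reason: `host is ${url.hostname}` };
}

const SAMPLES = [
  "https://accounts.google.com/ServiceLogin",
  "data:text/html,https://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.login.example/ServiceLogin",
  "http://accounts.google.com/ServiceLogin",
];
for (const s of SAMPLES) {
  const { verdict, reason } = classifyLoginUrl(s);
  console.log(`${verdict.padEnd(10)} ${s}  (${reason})`);
}
```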
“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection,” Google announced.