The Gmail phishing scam that is even fooling the experts
Using convincing messages that appear to come from trusted contacts, hackers can get access to your online accounts
Criminals are getting so good at phishing scams they have devised a new con that is even fooling the experts. The con – which allows hackers access to your Gmail account – has claimed victims including IT professionals.
It starts with you receiving an email from a friend or relative. The subject line could relate to something you have recently discussed with them, and the contents will be written in their style.
The email will contain a PDF that looks plausible, perhaps a family photo or a document you have discussed. If you click on the PDF to get a better look you’ll be taken to a webpage that looks exactly like the Gmail log-in page. But, tap your details in and you’ll actually be giving hackers your password.
Subscribe to The Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
Once the criminals have your password they will log in to your account and the con starts again. They will read your inbox and sent messages before emailing your contacts with similar, convincing emails.
While they have access to your email account the hackers will also scour your emails for valuable personal information, especially bank details.
They will also try to see if your email password gives them access to other internet accounts - and if it doesn’t use password reset facilities where passwords can be changed using emails sent to your Gmail account to get access to your various online accounts.
An IT worker at a school explained how a student fell victim to the scam on the Hacker News website.
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
“For example, they went into one student’s account, pulled an attachment with an athletic practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
If you are on the Gmail log-in page make sure the address isn’t prefixed with ‘data:text/html’ in the browser bar. That’s a sign it is a fake website.
“Make sure there is nothing before the host name ‘accounts.google.com’ other than the ‘https://’ and the lock symbol,” says Mark Maunder, chief executive of Wordfence, an internet security service, in the Daily Mail.
“You should also take special note of the green colour and lock symbol that appears on the left. If you can’t verify the protocol and verify the host name, stop and consider what you just clicked on to get to that sign-in page.”
Also, experts recommending that you enable two-step log-in on your Gmail account. This means that as well as entering your password you will also need to enter a code that is sent to your mobile phone in order to log-in to your account when you access it from a new source.
That means a hacker who knows your password still won’t be able to access your account remotely.
Sign up for Today's Best Articles in your inbox
A free daily email with the biggest news stories of the day – and the best features from TheWeek.com