If you use Gmail, pay attention! Security experts have announced that there is a very effective phishing scam out there, and you are a target. This scam, which has only been growing over the past couple of months, is also hitting other email providers, too. However, it’s quite difficult to detect.
According to researchers at WordFence, who make a security tool for WordPress, this is a pretty serious attack and can have quite an impact, even for those who are up on security.
Here’s how it works:
You get an email from someone you trust…like a friend or family member or Google. The email, however, is actually not from them. It just looks like it is. Attached to the email is an attachment, which, when opened, links to a fake Google sign-in page. Everything about this Google sign-in page looks legit…but the address in the address bar is not…and here’s where it gets tricky. The address bar actually has a URL that looks real: https://accounts.google.com. However, before that address is whats called a “data URI”. Google it. This is NOT a URL. Instead, it allows the hackers to get your username and password as soon as you enter them into the fake login screen. To make things even worse, once they sign into your actual inbox, they use your information, including attachments and emails, to target your contacts.
Protecting Yourself From This Scam
If you are a Google Chrome user, you can protect yourself by taking a look at the address bar before clicking anything. A green lock symbol is your indicator that it is safe to browse. However, there are some scammers out there who have created their own site that are HTTPS-protected…which also means they will have a green lock. So, also take a look at the address.
Another thing that you can do is add in two-step authentication, which is an extra layer of security. Ultimately, it will help to lower the odds that your account will be compromised. You also might want to consider a security token, as well. If you don’t use two-step authentication with every account that offers it (Facebook, Twitter, iCloud etc), you’re a bit foolish my friend.
Google is aware of the issue, and they are working on improving security for their users. In the meantime, remain vigilant as you browse.
Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.